[FUGSPBR] IPSec VPN between Windows XP and FreeBSD 4.8 Stable

Edson Brandi Edson.Brandi at corp.ibest.com.br
Mon Aug 25 15:16:13 BRT 2003


Good afternoon everyone,

I'm trying to set up an IPSec VPN at home between my FreeBSD box and a
notebook running Windows XP (host to host). I'm using racoon for key exchange
and pre-shared key authentication. From what I understand, my WinXP machine
manages to talk to the FreeBSD machine and even gets as far as authenticating,
but the encrypted channel is never established. So far I haven't figured out
why it isn't working :\ . I'm sending my configurations; if you can shed some
light on this I'd appreciate it :)

Logs:
################################################################
2003-08-25 11:51:56: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ACQUIRE
message
2003-08-25 11:51:56: DEBUG2: plog.c:193:plogdump(): 
2003-08-25 11:51:56: DEBUG: pfkey.c:1557:pk_recvacquire(): suitable outbound
SP found: 192.168.192.2/32[0] 192.168.192.3/32[0] proto=any dir=out.
2003-08-25 11:51:56: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbffad4:
192.168.192.3/32[0] 192.168.192.2/32[0] proto=any dir=in
2003-08-25 11:51:56: DEBUG: policy.c:185:cmpspidxstrict(): db :0x80a1c08:
192.168.192.3/32[0] 192.168.192.2/32[0] proto=any dir=in
2003-08-25 11:51:56: DEBUG: pfkey.c:1573:pk_recvacquire(): suitable inbound
SP found: 192.168.192.3/32[0] 192.168.192.2/32[0] proto=any dir=in.
2003-08-25 11:51:56: DEBUG: pfkey.c:1612:pk_recvacquire(): new acquire
192.168.192.2/32[0] 192.168.192.3/32[0] proto=any dir=out
2003-08-25 11:51:56: DEBUG: sainfo.c:112:getsainfo(): anonymous sainfo
selected.
2003-08-25 11:51:56: DEBUG: proposal.c:825:printsaproto():  (proto_id=ESP
spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
2003-08-25 11:51:56: DEBUG: proposal.c:859:printsatrns():   (trns_id=3DES
encklen=0 authtype=2)
2003-08-25 11:51:56: DEBUG: proposal.c:859:printsatrns():   (trns_id=3DES
encklen=0 authtype=1)
2003-08-25 11:51:56: DEBUG: proposal.c:859:printsatrns():
(trns_id=BLOWFISH encklen=128 authtype=2)
2003-08-25 11:51:56: DEBUG: proposal.c:859:printsatrns():
(trns_id=BLOWFISH encklen=128 authtype=1)
2003-08-25 11:51:56: DEBUG: proposal.c:859:printsatrns():   (trns_id=DES
encklen=0 authtype=2)
2003-08-25 11:51:56: DEBUG: proposal.c:859:printsatrns():   (trns_id=DES
encklen=0 authtype=1)
2003-08-25 11:51:56: DEBUG: proposal.c:859:printsatrns():
(trns_id=RIJNDAEL encklen=128 authtype=2)
2003-08-25 11:51:56: DEBUG: proposal.c:859:printsatrns():
(trns_id=RIJNDAEL encklen=128 authtype=1)
2003-08-25 11:51:56: DEBUG: remoteconf.c:129:getrmconf(): anonymous
configuration selected for 192.168.192.3.
2003-08-25 11:51:56: INFO: isakmp.c:1684:isakmp_post_acquire(): IPsec-SA
request for 192.168.192.3 queued due to no phase1 found.
2003-08-25 11:51:56: DEBUG: isakmp.c:793:isakmp_ph1begin_i(): ===
2003-08-25 11:51:56: INFO: isakmp.c:798:isakmp_ph1begin_i(): initiate new
phase 1 negotiation: 192.168.192.2[500]<=>192.168.192.3[500]
2003-08-25 11:51:56: INFO: isakmp.c:803:isakmp_ph1begin_i(): begin
Aggressive mode.
2003-08-25 11:51:56: DEBUG: isakmp.c:1996:isakmp_newcookie(): new cookie:
debffcfaaf133754 
2003-08-25 11:51:56: DEBUG: ipsec_doi.c:3225:ipsecdoi_setid1(): use ID type
of IPv4_address
2003-08-25 11:51:56: DEBUG: oakley.c:256:oakley_dh_generate(): compute DH's
private.
2003-08-25 11:51:56: DEBUG: plog.c:193:plogdump(): 
2003-08-25 11:51:56: DEBUG: oakley.c:258:oakley_dh_generate(): compute DH's
public.
2003-08-25 11:51:56: DEBUG: plog.c:193:plogdump(): 
2003-08-25 11:51:56: DEBUG: isakmp_agg.c:162:agg_i1send(): authmethod is
pre-shared key
2003-08-25 11:51:56: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload
of len 48, next type 4
2003-08-25 11:51:56: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload
of len 128, next type 10
2003-08-25 11:51:56: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload
of len 16, next type 5
2003-08-25 11:51:56: DEBUG: isakmp.c:2113:set_isakmp_payload(): add payload
of len 8, next type 0
2003-08-25 11:51:56: DEBUG: isakmp.c:2248:isakmp_printpacket(): begin.
2003-08-25 11:51:56: DEBUG: sockmisc.c:421:sendfromto(): sockname
192.168.192.2[500]
2003-08-25 11:51:56: DEBUG: sockmisc.c:423:sendfromto(): send packet from
192.168.192.2[500]
2003-08-25 11:51:56: DEBUG: sockmisc.c:425:sendfromto(): send packet to
192.168.192.3[500]
2003-08-25 11:51:56: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 244
bytes message will be sent to 192.168.192.3[500]
2003-08-25 11:51:56: DEBUG: plog.c:193:plogdump(): 
2003-08-25 11:51:56: DEBUG: isakmp.c:1449:isakmp_ph1resend(): resend phase1
packet debffcfaaf133754:0000000000000000
2003-08-25 11:51:56: DEBUG: isakmp.c:221:isakmp_handler(): ===
2003-08-25 11:51:56: DEBUG: isakmp.c:222:isakmp_handler(): 56 bytes message
received from 192.168.192.3[500]
2003-08-25 11:51:56: DEBUG: plog.c:193:plogdump(): 
debffcfa af133754 00000000 00000000 0b100500 5ee1faae 00000038 0000001c
00000001 01100007 debffcfa af133754 00000000 00000000
2003-08-25 11:51:56: DEBUG: isakmp.c:2248:isakmp_printpacket(): begin.
2003-08-25 11:51:56: DEBUG: isakmp.c:346:isakmp_main(): malformed cookie
received or the initiator's cookies collide.
2003-08-25 11:52:08: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ACQUIRE
message
2003-08-25 11:52:08: DEBUG2: plog.c:193:plogdump(): 
2003-08-25 11:52:08: DEBUG: pfkey.c:1541:pk_recvacquire(): ignore the
acquire becuase ph2 found
2003-08-25 11:52:16: DEBUG: sockmisc.c:421:sendfromto(): sockname
192.168.192.2[500]
2003-08-25 11:52:16: DEBUG: sockmisc.c:423:sendfromto(): send packet from
192.168.192.2[500]
2003-08-25 11:52:16: DEBUG: sockmisc.c:425:sendfromto(): send packet to
192.168.192.3[500]
2003-08-25 11:52:16: DEBUG: sockmisc.c:570:sendfromto(): 1 times of 244
bytes message will be sent to 192.168.192.3[500]
2003-08-25 11:52:16: DEBUG: plog.c:193:plogdump(): 
2003-08-25 11:52:16: DEBUG: isakmp.c:1449:isakmp_ph1resend(): resend phase1
packet debffcfaaf133754:0000000000000000
2003-08-25 11:52:16: DEBUG: isakmp.c:221:isakmp_handler(): ===
2003-08-25 11:52:16: DEBUG: isakmp.c:222:isakmp_handler(): 56 bytes message
received from 192.168.192.3[500]
2003-08-25 11:52:16: DEBUG: plog.c:193:plogdump(): 
debffcfa af133754 00000000 00000000 0b100500 42741e98 00000038 0000001c
00000001 01100007 debffcfa af133754 00000000 00000000
2003-08-25 11:52:16: DEBUG: isakmp.c:2248:isakmp_printpacket(): begin.
2003-08-25 11:52:16: DEBUG: isakmp.c:346:isakmp_main(): malformed cookie
received or the initiator's cookies collide.
2003-08-25 11:52:28: ERROR: isakmp.c:1776:isakmp_chkph1there(): phase2
negotiation failed due to time up waiting for phase1. ESP
192.168.192.3->192.168.192.2 
2003-08-25 11:52:28: INFO: isakmp.c:1781:isakmp_chkph1there(): delete phase
2 handler.


Configuration files
################################################################

* Kernel
-----
options         IPSEC                   #IP security
options         IPSEC_ESP               #IP security (crypto; define w/ IPSEC)
options         IPSEC_DEBUG             #debug for IP security

* /etc/rc.conf
-----
ipsec_enable="YES"              # Set to YES to run setkey on ipsec_file
ipsec_file="/etc/ipsec.conf"    # Name of config file for setkey

* /etc/ipsec.conf
-----
spdflush;
spdadd 192.168.192.2/32 192.168.192.3/32 any -P out ipsec esp/transport/192.168.192.2-192.168.192.3/require;
spdadd 192.168.192.3/32 192.168.192.2/32 any -P in ipsec esp/transport/192.168.192.3-192.168.192.2/require;

* /usr/local/etc/racoon/spk.txt
-----
192.168.192.2	senha_1
192.168.192.3	senha_2

* /usr/local/etc/racoon/racoon.conf
-----
path certificate "/usr/cert" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; 

log debug2; 

# "padding" defines some parameter of padding. You should not touch these.
padding
{
        maximum_length 20;      # maximum padding length.
        randomize off;          # enable randomize length.
        strict_check off;       # enable strict check.
        exclusive_tail off;     # extract last one octet.
}

# Specification of default various timer.
timer
{
        # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 20 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 30 sec;
        phase2 15 sec;
}

remote anonymous
{
        exchange_mode aggressive,main;
        doi ipsec_doi;
        situation identity_only;
        nonce_size 16;
        lifetime time 1 hour;   # sec,min,hour
        support_mip6 on;
        proposal_check strict;  # obey, strict or claim

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key ;
                dh_group 2 ;
        }
}

sainfo anonymous
{
        pfs_group 2;
        lifetime time 12 hour ;
        encryption_algorithm 3des, blowfish, des, rijndael ;
        authentication_algorithm hmac_sha1, hmac_md5 ;
        compression_algorithm deflate ;
}

############################################################

[]´s Edson
_______________________________________________________________
Leave the list: http://www2.fugspbr.org/mailman/listinfo/fugspbr
Archive: http://www4.fugspbr.org/lista/html/FUG-BR/
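To read the two packets quoted in the log above rather than guess at them, here is an added Python decoder (not from Edson's post) for the ISAKMP header and Notification payload, using the field layout and code points of RFC 2408. The sample bytes are transcribed from the plogdump() lines (the first 28 bytes of the 244-byte packet racoon sent, and the complete 56-byte reply); the name tables are subsets of the RFC's lists.

```python
import struct

# Code points from RFC 2408 (ISAKMP); subsets sufficient for the packets in the log.
EXCHANGE_TYPES = {2: "Identity Protection (Main)", 4: "Aggressive", 5: "Informational"}
PAYLOAD_TYPES = {0: "NONE", 1: "SA", 4: "KE", 5: "ID", 10: "NONCE", 11: "NOTIFY"}
NOTIFY_TYPES = {4: "INVALID-COOKIE", 7: "INVALID-EXCHANGE-TYPE",
                14: "NO-PROPOSAL-CHOSEN", 24: "AUTHENTICATION-FAILED"}

def from_log(dump: str) -> bytes:
    """Turn a racoon plogdump() line (space-separated 32-bit words) into bytes."""
    return bytes.fromhex("".join(dump.split()))

def parse_isakmp(raw: bytes) -> dict:
    """Decode the 28-byte ISAKMP header (RFC 2408 section 3.1) and, when the first
    payload is a Notification, that payload too (section 3.14). `raw` may be just
    the header if only the first 28 bytes are of interest."""
    if len(raw) < 28:
        raise ValueError("truncated ISAKMP header")
    icookie, rcookie, nxt, ver, xchg, flags, msgid, length = struct.unpack(
        "!8s8sBBBBII", raw[:28])
    pkt = {"i_cookie": icookie.hex(), "r_cookie": rcookie.hex(),
           "version": f"{ver >> 4}.{ver & 0xF}", "flags": flags,
           "exchange": EXCHANGE_TYPES.get(xchg, f"unknown({xchg})"),
           "first_payload": PAYLOAD_TYPES.get(nxt, f"unknown({nxt})"),
           "message_id": msgid, "length": length}
    if nxt == 11 and len(raw) >= 40:
        # Notification payload: generic header, DOI, protocol id, SPI size, type, SPI.
        _, _, plen, doi, proto, spisize, ntype = struct.unpack("!BBHIBBH", raw[28:40])
        pkt["notify"] = {"doi": doi, "protocol_id": proto, "payload_len": plen,
                         "type": NOTIFY_TYPES.get(ntype, f"unknown({ntype})"),
                         "spi": raw[40:40 + spisize].hex()}
    return pkt

# Constructed input: the first 28 bytes of the 244-byte packet racoon sent, and the
# complete 56-byte reply, both transcribed from the plogdump() lines in the log.
SENT_HEADER = "debffcfa af133754 00000000 00000000 01100400 00000000 000000f4"
REPLY = ("debffcfa af133754 00000000 00000000 0b100500 5ee1faae 00000038 0000001c "
         "00000001 01100007 debffcfa af133754 00000000 00000000")

def summarize_exchange() -> tuple:
    """Return (what racoon sent, what the peer answered) as parsed dicts."""
    return parse_isakmp(from_log(SENT_HEADER)), parse_isakmp(from_log(REPLY))

if __name__ == "__main__":
    sent, reply = summarize_exchange()
    print("racoon sent:  ", sent["exchange"], "exchange, first payload", sent["first_payload"])
    print("peer answered:", reply["exchange"], "exchange, notify", reply["notify"]["type"])
```

The reply carries an all-zero responder cookie, which is what racoon's "malformed cookie" complaint refers to; the notify type inside it is the peer's actual objection to the first message.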