[FUG-BR] VPN IPSEC [racoon or strongswan]

Saul Figueiredo saulfelipecf em gmail.com
Thu Aug 9 16:17:50 BRT 2012


On 9 August 2012 15:58, Saul Figueiredo <saulfelipecf em gmail.com> wrote:

>
>
> On 9 August 2012 15:37, Saul Figueiredo <saulfelipecf em gmail.com> wrote:
>
>
>>
>> On 9 August 2012 12:13, Saul Figueiredo <saulfelipecf em gmail.com> wrote:
>>
>>
>>>
>>> On 9 August 2012 10:59, Saul Figueiredo <saulfelipecf em gmail.com> wrote:
>>>
>>>
>>>>
>>>> On 8 August 2012 14:47, Saul Figueiredo <saulfelipecf em gmail.com> wrote:
>>>>
>>>>> Good afternoon.
>>>>>
>>>>> I'm trying to bring up an IPsec VPN between a router and a FreeBSD 8.2
>>>>> box. I've already tried strongswan and racoon, but it doesn't work at all
>>>>> with either of them.
>>>>>
>>>>> Suspecting the configs, I took the strongswan conf and put it on a
>>>>> CentOS [Linux] server that has OpenSwan installed, only taking care to
>>>>> change the external IPs and the network range. RESULT:
>>>>> It worked on Openswan. The VPN came up and I could ping from both ends.
>>>>>
>>>>> To use StrongSwan and Racoon I had to compile the kernel with these
>>>>> options:
>>>>> options         IPSEC
>>>>> options         IPSEC_DEBUG
>>>>> options         IPSEC_NAT_T
>>>>> options         IPSEC_FILTERTUNNEL
>>>>> #options                IPSEC_ESP
>>>>>
>>>>> With the same router and the same conf it works on Linux. What could be
>>>>> wrong?
>>>>> Thanks!!!
>>>>>
>>>>>
>>>>> --
>>>>> "One must always learn, even from an enemy."
>>>>> (Isaac Newton)
>>>>>
>>>>> Regards,
>>>>> Saul Figueiredo
>>>>> FreeBSD/Linux Analyst
>>>>> Linux Professional Institute Certification Level 2
>>>>> saulfelipecf em gmail.com
>>>>>  <saul-felipe em hotmail.com>
>>>>>
>>>>
>>>> When the router client tries to connect to my racoon server it gives this
>>>> error:
>>>>
>>>> 2012-08-08 17:02:23: ERROR: no suitable proposal found.
>>>> 2012-08-08 17:02:23: [177.xx8.1xx.173] ERROR: failed to get valid proposal.
>>>> 2012-08-08 17:02:23: [177.xx8.1xx.173] ERROR: failed to pre-process ph1 packet (side: 1, status 1).
>>>> 2012-08-08 17:02:23: [177.xx8.1xx.173] ERROR: phase1 negotiation failed.
>>>>
>>>>
>>>> Racking my brains over this one...
>>>>
>>>>
>>> New error now:
>>> ERROR: exchange Identity Protection not allowed in any applicable rmconf
>>>
>>>
>>>
>> Now the tunnel came up, but the networks don't talk to each other :(
>>
>>
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb4), length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb5), length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb6), length 92
>> IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
>> IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
>> IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb7), length 92
>> IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb8), length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb9), length 92
>> IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
>> IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xba), length 92
>> IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xbb), length 92
>> IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xbc), length 92
>> IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xbd), length 92
>>
>> and in ipfw the policy is allow
>>
> in the racoon log:
>
> 2012-08-09 15:56:29: DEBUG: suitable outbound SP found: 192.168.1.0/24[0] 192.168.70.0/24[0] proto=any dir=out.
> 2012-08-09 15:56:29: DEBUG: sub:0xbfbfe594: 192.168.70.0/24[0] 192.168.1.0/24[0] proto=any dir=in
> 2012-08-09 15:56:29: DEBUG: db :0x28547148: 192.168.70.0/24[0] 192.168.1.0/24[0] proto=any dir=in
> 2012-08-09 15:56:29: DEBUG: suitable inbound SP found: 192.168.70.0/24[0] 192.168.1.0/24[0] proto=any dir=in.
> 2012-08-09 15:56:29: DEBUG: new acquire 192.168.1.0/24[0] 192.168.70.0/24[0] proto=any dir=out
> 2012-08-09 15:56:29: [187.xxx.xxx.44] DEBUG2: Checking remote conf "anonymous" anonymous.
> 2012-08-09 15:56:29: DEBUG2: enumrmconf: "anonymous" matches.
> 2012-08-09 15:56:29: [187.xxx.xxx.44] DEBUG: configuration "anonymous" selected.
> 2012-08-09 15:56:29: DEBUG: getsainfo params: loc='192.168.1.0/24' rmt='192.168.70.0/24' peer='NULL' client='NULL' id=0
> 2012-08-09 15:56:29: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
> 2012-08-09 15:56:29: DEBUG: check and compare ids : values matched (ANONYMOUS)
> 2012-08-09 15:56:29: DEBUG: check and compare ids : values matched (ANONYMOUS)
> 2012-08-09 15:56:29: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
> 2012-08-09 15:56:29: DEBUG:  (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
> 2012-08-09 15:56:29: DEBUG:   (trns_id=3DES encklen=0 authtype=hmac-sha)
> 2012-08-09 15:56:29: DEBUG: in post_acquire
> 2012-08-09 15:56:29: [187.xxx.xxx.44] DEBUG2: Checking remote conf "anonymous" anonymous.
> 2012-08-09 15:56:29: DEBUG2: enumrmconf: "anonymous" matches.
> 2012-08-09 15:56:29: [187.xxx.xxx.44] DEBUG: configuration "anonymous" selected.
> 2012-08-09 15:56:29: DEBUG2: getph1: start
> 2012-08-09 15:56:29: DEBUG2: local: 187.xxx.xxx.30[500]
> 2012-08-09 15:56:29: DEBUG2: remote: 187.xxx.xxx.44[500]
> 2012-08-09 15:56:29: DEBUG2: no match
> 2012-08-09 15:56:29: INFO: IPsec-SA request for 187.xxx.xxx.44 queued due to no phase1 found.
> 2012-08-09 15:56:29: DEBUG: ===
> 2012-08-09 15:56:29: INFO: initiate new phase 1 negotiation: 187.xxx.xxx.30[500]<=>187.xxx.xxx.44[500]
> 2012-08-09 15:56:29: INFO: begin Identity Protection mode.
> 2012-08-09 15:56:29: DEBUG: new cookie: 5d18382ba03058d4
> 2012-08-09 15:56:29: DEBUG: add payload of len 52, next type 13
> 2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 13
> 2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 13
> 2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 13
> 2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 13
> 2012-08-09 15:56:29: DEBUG: add payload of len 16, next type 0
> 2012-08-09 15:56:29: ERROR: phase1 negotiation failed due to send error. 5d18382ba03058d4:0000000000000000
> 2012-08-09 15:56:29: ERROR: failed to begin ipsec sa negotication.
> 2012-08-09 15:56:29: DEBUG: got pfkey ACQUIRE message
> 2012-08-09 15:56:29: DEBUG: suitable outbound SP found: 192.168.1.0/24[0] 192.168.70.0/24[0] proto=any dir=out.
> 2012-08-09 15:56:29: DEBUG: ignore the acquire because ph2 found
> 2012-08-09 15:56:37: DEBUG: ===
> 2012-08-09 15:56:37: DEBUG: 92 bytes message received from 187.xxx.xxx.44[500] to 187.xxx.xxx.30[500]
>
>
> This phase1 error happens but the VPN comes up... strange...
>



My confs:

-rw-r--r--   1 root  wheel    18 Aug  8 15:37 ipsec.conf

fw# cat ipsec.conf
flush;
spdflush;

_____________________________________________________
-rwx------   1 root  wheel    25 Aug  9 15:00 psk.txt

fw# cat psk.txt
187.xxx.xxx.44 Pre-Shared

where 187.xxx.xxx.44 is the router's IP
_________________________________________________________


-rw-r--r--   1 root  wheel  1485 Aug  9 14:50 racoon.conf

fw# cat racoon.conf
path pre_shared_key "/usr/local/etc/racoon/psk.txt";

log debug;
#log notify;

listen
{
        isakmp          187.32.229.30 [500];
        isakmp_natt     187.32.229.30 [4500];
        adminsock disabled;
}


timer
{
       # These value can be changed per remote node.
        counter 5;              # maximum trying count to send.
        interval 10 sec;        # maximum interval to resend.
        persend 1;              # the number of packets per a send.

        # timer for waiting to complete each phase.
        phase1 300 sec;
        phase2 300 sec;
}


remote anonymous
{
        exchange_mode main, aggressive;
        lifetime time 86400 sec;
        #passive off;
        generate_policy on;
        nat_traversal on;
        dpd_delay 20;           # DPD poll every 20 seconds
        ike_frag on;            # use IKE fragmentation
        #esp_frag 552;          # use ESP fragmentation at 552 bytes
        proposal_check strict;

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }

        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }

        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }

}


sainfo anonymous
{
        lifetime time 3600 sec;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}



-- 
"One must always learn, even from an enemy."
(Isaac Newton)

Regards,
Saul Figueiredo
FreeBSD/Linux Analyst
Linux Professional Institute Certification Level 2
saulfelipecf em gmail.com
<saul-felipe em hotmail.com>
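The tcpdump excerpt in the thread shows the symptom behind "tunnel up, subnets don't talk": ESP arrives from the router, but only IKE on UDP/500 ever goes back from the FreeBSD side. The diagnostic below is an added example, not code from the thread or from racoon; it parses tcpdump lines of that shape over a constructed sample (masked addresses as on the list) and flags flows where ESP is never sent back, which points at the outbound SPD (empty here, since ipsec.conf only flushes and relies on generate_policy) and the firewall as the next things to check.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the tcpdump output quoted in the thread
# (masked addresses as on the list; not the original poster's capture).
SAMPLE_TCPDUMP = """\
IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb4), length 92
IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb5), length 92
IP 187.xxx.xxx.44.500 > 187.xxx.xxx.30.500: UDP, length 92
IP 187.xxx.xxx.30.500 > 187.xxx.xxx.44.500: UDP, length 92
IP 187.xxx.xxx.44 > 187.xxx.xxx.30: ESP(spi=0x03eaec0f,seq=0xb6), length 92
"""

ESP_RE = re.compile(r"^IP (\S+) > (\S+): ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")
IKE_RE = re.compile(r"^IP (\S+)\.(500|4500) > (\S+)\.(500|4500): UDP")

def summarize(lines):
    """Group ESP packets by (src, dst, spi) and IKE datagrams by (src, dst, port)."""
    esp = defaultdict(list)   # (src, dst, spi) -> ESP sequence numbers seen
    ike = defaultdict(int)    # (src, dst, port) -> IKE datagram count
    for line in lines:
        m = ESP_RE.match(line)
        if m:
            src, dst, spi, seq = m.groups()
            esp[(src, dst, int(spi, 16))].append(int(seq, 16))
            continue
        m = IKE_RE.match(line)
        if m:
            src, port, dst, _ = m.groups()
            ike[(src, dst, int(port))] += 1
    return esp, ike

def diagnose(lines):
    """Return findings; an empty list means ESP was seen in both directions."""
    esp, _ = summarize(lines)
    if not esp:
        return ["no ESP seen: phase 2 SA not established"]
    directions = {(s, d) for (s, d, _) in esp}
    findings = []
    for (src, dst, spi), seqs in esp.items():
        if (dst, src) not in directions:
            # Peer encrypts towards us but nothing is encrypted back: usually a
            # missing outbound SPD entry (setkey -DP) or a firewall rule that
            # drops the inner-subnet traffic before IPsec gets to see it.
            findings.append(f"ESP only from {src} to {dst} (spi 0x{spi:08x}, "
                            f"{len(seqs)} pkts): nothing sent back; check the "
                            f"outbound SPD and firewall on {dst}")
        if any(b != a + 1 for a, b in zip(seqs, seqs[1:])):
            findings.append(f"sequence gaps on spi 0x{spi:08x}: packets lost or reordered")
    return findings
```

Feed it the output of `tcpdump -ni <external interface> esp or udp port 500 or udp port 4500`; on the thread's capture it reports the one-way ESP flow from 187.xxx.xxx.44.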

