DLINK DFL-800 OBSD4 vpn

Colleagues, can anyone tell me how to set up OpenBSD 4.0 as a VPN client to a DLINK DFL-800?

No matter how I try to configure it, I keep getting NO_PROPOSAL_CHOSEN.
Re: DLINK DFL-800 OBSD4 vpn

Чернявский Андрей writes:
> Colleagues, can anyone tell me how to set up OpenBSD 4.0 as a VPN
> client to a DLINK DFL-800?
>
> No matter how I try to configure it, I keep getting NO_PROPOSAL_CHOSEN
>

4.0 is ancient, install 4.5.
Have a look at http://www.openbsd.ru/docs/steps/pptp-client.html
Have you tried setting it up along those lines?
Re[2]: DLINK DFL-800 OBSD4 vpn

Hello, Max.

You wrote on 8 July 2009 at 17:17:22:
> Чернявский Андрей writes:
>> Colleagues, can anyone tell me how to set up OpenBSD 4.0 as a VPN
>> client to a DLINK DFL-800?
>> No matter how I try to configure it, I keep getting NO_PROPOSAL_CHOSEN
> 4.0 is ancient, install 4.5.
> Have a look at http://www.openbsd.ru/docs/steps/pptp-client.html
> Have you tried setting it up along those lines?

I tried with ipsecctl & isakmpd... or do I really have to use pptp?
Re: DLINK DFL-800 OBSD4 vpn

On Thu, Jul 09, 2009 at 10:18:53AM +0359, Чернявский Андрей wrote:
> Hello, Max.
>
> You wrote on 8 July 2009 at 17:17:22:
>
> > Чернявский Андрей writes:
> >> Colleagues, can anyone tell me how to set up OpenBSD 4.0 as a VPN
> >> client to a DLINK DFL-800?
>
> >> No matter how I try to configure it, I keep getting NO_PROPOSAL_CHOSEN
>
> > 4.0 is ancient, install 4.5.
> > Have a look at http://www.openbsd.ru/docs/steps/pptp-client.html
> > Have you tried setting it up along those lines?
>
> I tried with ipsecctl & isakmpd... or do I really have to use pptp?

Post your configs: /etc/ipsec.conf, /etc/isakmpd/isakmpd.conf, and the flags you start isakmpd with.

Most likely the crypto parameters don't match. Do this:

Start isakmpd with the -L flag, or, with isakmpd already running:

    echo "p on" > /var/run/isakmpd.fifo

Wait until some data shows up and look at what the two sides are trying to agree on:

    tcpdump -n -v -r /var/run/isakmpd.pcap

All the parameters are visible there; you'll see what your dlink wants and can set the same algorithms on OpenBSD.

Turn session logging back off:

    echo "p off" > /var/run/isakmpd.fifo

/gluk
Re[3]: DLINK DFL-800 OBSD4 vpn

> Hello, Max.
>
> You wrote on 8 July 2009 at 17:17:22:
>
> > Чернявский Андрей writes:
> >> Colleagues, can anyone tell me how to set up OpenBSD 4.0 as a VPN
> >> client to a DLINK DFL-800?
>
> >> No matter how I try to configure it, I keep getting NO_PROPOSAL_CHOSEN
>
> > 4.0 is ancient, install 4.5.
> > Have a look at http://www.openbsd.ru/docs/steps/pptp-client.html
> > Have you tried setting it up along those lines?
>
> I tried with ipsecctl & isakmpd... or do I really have to use pptp?

VPN is a technology, a principle. There are different implementations, built on different protocols. isakmpd is IPsec; pptp-client is PPTP. There is also L2TP, for example. The question is which VPN server your dlink actually runs. Since the default VPN for Windows clients is PPTP, most likely that is what's on the dlink, which means isakmpd won't help you.
Re[2]: DLINK DFL-800 OBSD4 vpn

> gluk: post your configs:

# cat /etc/ipsec.conf
ike esp from 10.0.4.0/24 to 172.16.61.0/24 peer 92.50.146.38
ike esp from 217.65.0.211 to 172.16.61.0/24 peer 92.50.146.38
ike esp from 217.65.0.211 to 92.50.146.38

# cat /etc/isakmpd/isakmpd.conf
[General]
Retransmits= 5
Exchange-max-time= 120
Listen-on= 217.65.0.211

[Phase 1]
92.50.146.38= local-remote

[local-remote]
Phase= 1
Transport= udp
Local-address= 217.65.0.211
Address= 92.50.146.38
Configuration= Default-main-mode
Authentication= pwd

[Phase 2]
Connections= VPN-local-remote-172.16.61.0/255.255.255.0

[VPN-local-remote-172.16.61.0/255.255.255.0]
Phase= 2
ISAKMP-peer= local-remote
Configuration= Default-quick-mode
Local-ID= network-10.0.4.0/255.0.0.0
Remote-ID= network-172.16.61.0/255.255.255.0

[network-10.0.4.0/255.0.0.0]
ID-type= IPV4_ADDR_SUBNET
Network= 10.0.4.0
Netmask= 255.0.0.0

[network-172.16.61.0/255.255.255.0]
ID-type= IPV4_ADDR_SUBNET
Network= 172.16.61.0
Netmask= 255.255.255.0

[Default-main-mode]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= 3DES-SHA

[Default-quick-mode]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-3DES-SHA-SUITE

isakmpd startup flags: I run isakmpd -L as advised; I also tried -K.

# tcpdump -n -v -r /var/run/isakmpd.pcap
tcpdump: WARNING: snaplen raised from 96 to 65536
16:37:22.910284 217.65.0.211.500 > 92.50.146.38.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
  cookie: 3a458481c652c78b->0000000000000000 msgid: 00000000 len: 180
  payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
      payload: TRANSFORM len: 32
        transform: 0 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = 3DES_CBC
          attribute HASH_ALGORITHM = SHA
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_1024
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 3600
  payload: VENDOR len: 20 (supports OpenBSD-4.0)
  payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
  payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
  payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
  payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 208)
16:37:22.955226 92.50.146.38.500 > 217.65.0.211.500: [udp sum ok] isakmp v1.0 exchange INFO
  cookie: 3a458481c652c78b->27c53ddf01435e02 msgid: f2585c1d len: 102
  payload: NOTIFICATION len: 74
    notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 130)
16:37:22.955350 217.65.0.211.500 > 92.50.146.38.500: [udp sum ok] isakmp v1.0 exchange INFO
  cookie: 25977c253e161084->0000000000000000 msgid: 00000000 len: 40
  payload: NOTIFICATION len: 12
    notification: INVALID FLAGS [ttl 0] (id 1, len 68)
16:37:29.970621 217.65.0.211.500 > 92.50.146.38.500: [udp sum ok] isakmp v1.0 exchange INFO
  cookie: 0973cac2948626e0->0000000000000000 msgid: 00000000 len: 56
  payload: NOTIFICATION len: 28
    notification: INVALID COOKIE [ttl 0] (id 1, len 84)
16:37:30.310895 92.50.146.38.500 > 217.65.0.211.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
  cookie: 5811d8d5bbee94a8->0000000000000000 msgid: 00000000 len: 416
  payload: SA len: 228 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 216 proposal: 0 proto: ISAKMP spisz: 0 xforms: 6
      payload: TRANSFORM len: 36
        transform: 0 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = AES_CBC
          attribute KEY_LENGTH = 128
          attribute HASH_ALGORITHM = MD5
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 36
        transform: 1 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = AES_CBC
          attribute KEY_LENGTH = 128
          attribute HASH_ALGORITHM = SHA
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 32
        transform: 2 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = 3DES_CBC
          attribute HASH_ALGORITHM = MD5
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 32
        transform: 3 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = 3DES_CBC
          attribute HASH_ALGORITHM = SHA
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 36
        transform: 4 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = BLOWFISH_CBC
          attribute KEY_LENGTH = 128
          attribute HASH_ALGORITHM = MD5
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 36
        transform: 5 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = BLOWFISH_CBC
          attribute KEY_LENGTH = 128
          attribute HASH_ALGORITHM = SHA
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
  payload: VENDOR len: 20
  payload: VENDOR len: 20
  payload: VENDOR len: 20
  payload: VENDOR len: 20 (supports v1 NAT-T, draft-ietf-ipsec-nat-t-ike-00)
  payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02\n)
  payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
  payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
  payload: VENDOR len: 20 (supports NAT-T, RFC 3947) [ttl 0] (id 1, len 444)
16:37:30.311197 217.65.0.211.500 > 92.50.146.38.500: [udp sum ok] isakmp v1.0 exchange INFO
  cookie: de1588bc077ae113->0000000000000000 msgid: 00000000 len: 40
  payload: NOTIFICATION len: 12
    notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 68)
16:37:38.974187 217.65.0.211.500 > 92.50.146.38.500: [udp sum ok] isakmp v1.0 exchange INFO
  cookie: d6e3095452da786e->0000000000000000 msgid: 00000000 len: 56
  payload: NOTIFICATION len: 28
    notification: INVALID COOKIE [ttl 0] (id 1, len 84)
16:37:49.986446 217.65.0.211.500 > 92.50.146.38.500: [udp sum ok] isakmp v1.0 exchange INFO
  cookie: 87765c3c38b74e23->0000000000000000 msgid: 00000000 len: 56
  payload: NOTIFICATION len: 28
    notification: INVALID COOKIE [ttl 0] (id 1, len 84)
16:38:02.997185 217.65.0.211.500 > 92.50.146.38.500: [udp sum ok] isakmp v1.0 exchange INFO
  cookie: 0905a8c5cf66a4f5->0000000000000000 msgid: 00000000 len: 56
  payload: NOTIFICATION len: 28
    notification: INVALID COOKIE [ttl 0] (id 1, len 84)
16:38:18.006441 217.65.0.211.500 > 92.50.146.38.500: [udp sum ok] isakmp v1.0 exchange INFO
  cookie: 2fd8c33717acc0ca->0000000000000000 msgid: 00000000 len: 56
  payload: NOTIFICATION len: 28
    notification: INVALID COOKIE [ttl 0] (id 1, len 84)
16:38:40.261206 92.50.146.38.500 > 217.65.0.211.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
  cookie: aa04d0614636b1a5->0000000000000000 msgid: 00000000 len: 416
  payload: SA len: 228 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 216 proposal: 0 proto: ISAKMP spisz: 0 xforms: 6
      payload: TRANSFORM len: 36
        transform: 0 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = AES_CBC
          attribute KEY_LENGTH = 128
          attribute HASH_ALGORITHM = MD5
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 36
        transform: 1 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = AES_CBC
          attribute KEY_LENGTH = 128
          attribute HASH_ALGORITHM = SHA
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 32
        transform: 2 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = 3DES_CBC
          attribute HASH_ALGORITHM = MD5
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 32
        transform: 3 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = 3DES_CBC
          attribute HASH_ALGORITHM = SHA
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 36
        transform: 4 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = BLOWFISH_CBC
          attribute KEY_LENGTH = 128
          attribute HASH_ALGORITHM = MD5
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 36
        transform: 5 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = BLOWFISH_CBC
          attribute KEY_LENGTH = 128
          attribute HASH_ALGORITHM = SHA
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
  payload: VENDOR len: 20
  payload: VENDOR len: 20
  payload: VENDOR len: 20
  payload: VENDOR len: 20 (supports v1 NAT-T, draft-ietf-ipsec-nat-t-ike-00)
  payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02\n)
  payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
  payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
  payload: VENDOR len: 20 (supports NAT-T, RFC 3947) [ttl 0] (id 1, len 444)
16:38:40.261517 217.65.0.211.500 > 92.50.146.38.500: [udp sum ok] isakmp v1.0 exchange INFO
  cookie: b94845016deb3776->0000000000000000 msgid: 00000000 len: 40
  payload: NOTIFICATION len: 12
    notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 68)
16:39:50.211566 92.50.146.38.500 > 217.65.0.211.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
  cookie: f3ab6234f8f2d118->0000000000000000 msgid: 00000000 len: 416
  payload: SA len: 228 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 216 proposal: 0 proto: ISAKMP spisz: 0 xforms: 6
      payload: TRANSFORM len: 36
        transform: 0 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = AES_CBC
          attribute KEY_LENGTH = 128
          attribute HASH_ALGORITHM = MD5
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 36
        transform: 1 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = AES_CBC
          attribute KEY_LENGTH = 128
          attribute HASH_ALGORITHM = SHA
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 32
        transform: 2 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = 3DES_CBC
          attribute HASH_ALGORITHM = MD5
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 32
        transform: 3 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = 3DES_CBC
          attribute HASH_ALGORITHM = SHA
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 36
        transform: 4 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = BLOWFISH_CBC
          attribute KEY_LENGTH = 128
          attribute HASH_ALGORITHM = MD5
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 36
        transform: 5 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = BLOWFISH_CBC
          attribute KEY_LENGTH = 128
          attribute HASH_ALGORITHM = SHA
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
  payload: VENDOR len: 20
  payload: VENDOR len: 20
  payload: VENDOR len: 20
  payload: VENDOR len: 20 (supports v1 NAT-T, draft-ietf-ipsec-nat-t-ike-00)
  payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02\n)
  payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
  payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
  payload: VENDOR len: 20 (supports NAT-T, RFC 3947) [ttl 0] (id 1, len 444)
16:39:50.211862 217.65.0.211.500 > 92.50.146.38.500: [udp sum ok] isakmp v1.0 exchange INFO
  cookie: 3602a641e16b2a79->0000000000000000 msgid: 00000000 len: 40
  payload: NOTIFICATION len: 12
    notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 68)
16:41:00.162097 92.50.146.38.500 > 217.65.0.211.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
  cookie: 7adf7839f905ddad->0000000000000000 msgid: 00000000 len: 416
  payload: SA len: 228 DOI: 1(IPSEC) situation: IDENTITY_ONLY
    payload: PROPOSAL len: 216 proposal: 0 proto: ISAKMP spisz: 0 xforms: 6
      payload: TRANSFORM len: 36
        transform: 0 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = AES_CBC
          attribute KEY_LENGTH = 128
          attribute HASH_ALGORITHM = MD5
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 36
        transform: 1 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = AES_CBC
          attribute KEY_LENGTH = 128
          attribute HASH_ALGORITHM = SHA
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 32
        transform: 2 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = 3DES_CBC
          attribute HASH_ALGORITHM = MD5
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
          attribute LIFE_TYPE = SECONDS
          attribute LIFE_DURATION = 28800
      payload: TRANSFORM len: 32
        transform: 3 ID: ISAKMP
          attribute ENCRYPTION_ALGORITHM = 3DES_CBC
          attribute HASH_ALGORITHM = SHA
          attribute AUTHENTICATION_METHOD = PRE_SHARED
          attribute GROUP_DESCRIPTION = MODP_768
Re: DLINK DFL-800 OBSD4 vpn

On Thu, Jul 09, 2009 at 04:49:46PM +0400, Чернявский Андрей wrote:
> > gluk: post your configs:
>
> # cat /etc/ipsec.conf
> ike esp from 10.0.4.0/24 to 172.16.61.0/24 peer 92.50.146.38
> ike esp from 217.65.0.211 to 172.16.61.0/24 peer 92.50.146.38
> ike esp from 217.65.0.211 to 92.50.146.38

That's all fine. But to begin with I'd suggest keeping only the first line. Most likely that's the only one you need. Something else has to be added to it; more on that below.

> # cat /etc/isakmpd/isakmpd.conf
> [General]
> Retransmits= 5
> Exchange-max-time= 120
> Listen-on= 217.65.0.211

Everything below this, throw out. All you really need is:

[General]
Listen-on= 217.65.0.211

>
> [Phase 1]
> 92.50.146.38= local-remote
>
> [local-remote]
> Phase= 1
> Transport= udp
> Local-address= 217.65.0.211
> Address= 92.50.146.38
> Configuration= Default-main-mode
> Authentication= pwd
>
> [Phase 2]
> Connections= VPN-local-remote-172.16.61.0/255.255.255.0
>
>
> [VPN-local-remote-172.16.61.0/255.255.255.0]
> Phase= 2
> ISAKMP-peer= local-remote
> Configuration= Default-quick-mode
> Local-ID= network-10.0.4.0/255.0.0.0
> Remote-ID= network-172.16.61.0/255.255.255.0
>
>
>
> [network-10.0.4.0/255.0.0.0]
> ID-type= IPV4_ADDR_SUBNET
> Network= 10.0.4.0
> Netmask= 255.0.0.0
>
>
>
> [network-172.16.61.0/255.255.255.0]
> ID-type= IPV4_ADDR_SUBNET
> Network= 172.16.61.0
> Netmask= 255.255.255.0
>
>
> [Default-main-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= ID_PROT
> Transforms= 3DES-SHA
>
> [Default-quick-mode]
> DOI= IPSEC
> EXCHANGE_TYPE= QUICK_MODE
> Suites= QM-ESP-3DES-SHA-SUITE
>
> isakmpd startup flags: I run isakmpd -L as advised; I also tried -K.

-K is mandatory in order to work with ipsec.conf. After restarting isakmpd, don't forget to run

ipsecctl -f /etc/ipsec.conf

Now the interesting part.

> # tcpdump -n -v -r /var/run/isakmpd.pcap
> tcpdump: WARNING: snaplen raised from 96 to 65536
> 16:37:22.910284 217.65.0.211.500 > 92.50.146.38.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>   cookie: 3a458481c652c78b->0000000000000000 msgid: 00000000 len: 180
>   payload: SA len: 52 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>     payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
>       payload: TRANSFORM len: 32
>         transform: 0 ID: ISAKMP
>           attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>           attribute HASH_ALGORITHM = SHA
>           attribute AUTHENTICATION_METHOD = PRE_SHARED
>           attribute GROUP_DESCRIPTION = MODP_1024

Your OpenBSD, in its current configuration, wants 3DES, SHA and MODP_1024 (DH group 2). Once you remove the extra stuff from isakmpd.conf, OpenBSD will become more accommodating.

>           attribute LIFE_TYPE = SECONDS
>           attribute LIFE_DURATION = 3600
>   payload: VENDOR len: 20 (supports OpenBSD-4.0)
>   payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
>   payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
>   payload: VENDOR len: 20 (supports NAT-T, RFC 3947)
>   payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1, len 208)
> 16:37:22.955226 92.50.146.38.500 > 217.65.0.211.500: [udp sum ok] isakmp v1.0 exchange INFO
>   cookie: 3a458481c652c78b->27c53ddf01435e02 msgid: f2585c1d len: 102
>   payload: NOTIFICATION len: 74
>     notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 130)
> 16:37:22.955350 217.65.0.211.500 > 92.50.146.38.500: [udp sum ok] isakmp v1.0 exchange INFO
>   cookie: 25977c253e161084->0000000000000000 msgid: 00000000 len: 40
>   payload: NOTIFICATION len: 12
>     notification: INVALID FLAGS [ttl 0] (id 1, len 68)
> 16:37:29.970621 217.65.0.211.500 > 92.50.146.38.500: [udp sum ok] isakmp v1.0 exchange INFO
>   cookie: 0973cac2948626e0->0000000000000000 msgid: 00000000 len: 56
>   payload: NOTIFICATION len: 28
>     notification: INVALID COOKIE [ttl 0] (id 1, len 84)
> 16:37:30.310895 92.50.146.38.500 > 217.65.0.211.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
>   cookie: 5811d8d5bbee94a8->0000000000000000 msgid: 00000000 len: 416
>   payload: SA len: 228 DOI: 1(IPSEC) situation: IDENTITY_ONLY
>     payload: PROPOSAL len: 216 proposal: 0 proto: ISAKMP spisz: 0 xforms: 6
>       payload: TRANSFORM len: 36
>         transform: 0 ID: ISAKMP
>           attribute ENCRYPTION_ALGORITHM = AES_CBC
>           attribute KEY_LENGTH = 128
>           attribute HASH_ALGORITHM = MD5
>           attribute AUTHENTICATION_METHOD = PRE_SHARED
>           attribute GROUP_DESCRIPTION = MODP_768
>           attribute LIFE_TYPE = SECONDS
>           attribute LIFE_DURATION = 28800
>       payload: TRANSFORM len: 36
>         transform: 1 ID: ISAKMP
>           attribute ENCRYPTION_ALGORITHM = AES_CBC
>           attribute KEY_LENGTH = 128
>           attribute HASH_ALGORITHM = SHA
>           attribute AUTHENTICATION_METHOD = PRE_SHARED
>           attribute GROUP_DESCRIPTION = MODP_768
>           attribute LIFE_TYPE = SECONDS
>           attribute LIFE_DURATION = 28800
>       payload: TRANSFORM len: 32
>         transform: 2 ID: ISAKMP
>           attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>           attribute HASH_ALGORITHM = MD5
>           attribute AUTHENTICATION_METHOD = PRE_SHARED
>           attribute GROUP_DESCRIPTION = MODP_768
>           attribute LIFE_TYPE = SECONDS
>           attribute LIFE_DURATION = 28800
>       payload: TRANSFORM len: 32
>         transform: 3 ID: ISAKMP
>           attribute ENCRYPTION_ALGORITHM = 3DES_CBC
>           attribute HASH_ALGORITHM = SHA
>           attribute AUTHENTICATION_METHOD = PRE_SHARED
>           attribute GROUP_DESCRIPTION = MODP_768
>           attribute LIFE_TYPE = SECONDS
>           attribute LIFE_DURATION = 28800
>       payload: TRANSFORM len: 36
>         transform: 4 ID: ISAKMP
>           attribute ENCRYPTION_ALGORITHM = BLOWFISH_CBC
>           attribute KEY_LENGTH = 128
>           attribute HASH_ALGORITHM = MD5
>           attribute AUTHENTICATION_METHOD = PRE_SHARED
>           attribute GROUP_DESCRIPTION = MODP_768
>           attribute LIFE_TYPE = SECONDS
>           attribute LIFE_DURATION = 28800
>       payload: TRANSFORM len: 36
>         transform: 5 ID: ISAKMP
>           attribute ENCRYPTION_ALGORITHM = BLOWFISH_CBC
>           attribute KEY_LENGTH = 128
>           attribute HASH_ALGORITHM = SHA
>           attribute AUTHENTICATION_METHOD = PRE_SHARED
>           attribute GROUP_DESCRIPTION = MODP_768
>           attribute LIFE_TYPE = SECONDS
>           attribute LIFE_DURATION = 28800

As you can see here, the dlink allows various combinations, including 3DES+SHA. But GROUP_DESCRIPTION = MODP_768, aka DH group 1. If you can change the parameters on the dlink, it's better to set DH group 2 (modp1024) there. If the dlink doesn't allow that, set it on OpenBSD. Your ipsec.conf should look roughly like this:

ike esp from 10.0.4.0/24 to 172.16.61.0/24 peer 92.50.146.38 \
    main auth hmac-sha1 enc 3des group modp768 \
    quick auth hmac-sha1 enc 3des group modp768

After that everything should take off. I also think that, once the extra stuff is removed from isakmpd.conf, this will work too:

ike esp from 10.0.4.0/24 to 172.16.61.0/24 peer 92.50.146.38 \
    psk secretphrase

It's recommended to use aes instead of 3des, since the dlink supports it.

/gluk
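The comparison gluk does by eye above (and the capture procedure from his earlier reply) can be automated. The script below is an added example, not code from the thread or from OpenBSD: it reads the text that `tcpdump -n -v -r /var/run/isakmpd.pcap` prints, collects every Phase 1 (ID_PROT) transform each peer offered, lists which of the initiator's transforms the responder would also accept, names the attribute that no offered transform satisfies, and renders the ipsec.conf `ike` rule for the strongest transform the peer offers. It assumes the tcpdump output format shown in the thread; the ipsec.conf keyword spellings (in particular `aes-128`) are assumed from ipsec.conf(5). The embedded sample is the decisive packets from the thread's capture with vendor-ID and lifetime payloads trimmed.

```python
"""Why does IKEv1 main mode end in NO_PROPOSAL_CHOSEN?

Added example, not code from the thread: parse `tcpdump -n -v` output of an
isakmpd capture, compare the two peers' Phase 1 transforms, and render the
ipsec.conf(5) rule that matches what the responder actually offers.
"""
import re

# Scanned with finditer, so it works on real tcpdump output (one attribute per
# line) and on a capture pasted into a mail with the line breaks collapsed.
TOKEN_RE = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\d+(?:\.\d+){3})\.\d+ > \S+: .*?exchange (?P<exch>\w+)"
    r"|transform: (?P<xf>\d+) ID: ISAKMP"
    r"|attribute (?P<attr>\w+) = (?P<val>\w+)"
    r"|notification: (?P<notify>[A-Z]+(?: [A-Z]+)*)"
)

# Attributes that must match exactly for a Phase 1 transform to be chosen.
# Lifetimes are left out: a responder may accept a shorter one than it offers.
KEY_ATTRS = ("ENCRYPTION_ALGORITHM", "KEY_LENGTH", "HASH_ALGORITHM",
             "AUTHENTICATION_METHOD", "GROUP_DESCRIPTION")

# tcpdump attribute names -> ipsec.conf(5) keywords (aes-NNN spelling assumed).
ENC = {"3DES_CBC": "3des", "AES_CBC": "aes", "BLOWFISH_CBC": "blowfish"}
HASH = {"SHA": "hmac-sha1", "MD5": "hmac-md5"}
GROUP = {"MODP_768": "modp768", "MODP_1024": "modp1024", "MODP_1536": "modp1536"}
# Preference when several transforms would work: stronger cipher, hash, group first.
RANK = {"AES_CBC": 3, "BLOWFISH_CBC": 2, "3DES_CBC": 1, "SHA": 2, "MD5": 1,
        "MODP_1536": 3, "MODP_1024": 2, "MODP_768": 1}


def parse_capture(text):
    """Return ({src_ip: [transform_dict, ...]}, [(src_ip, notification), ...])."""
    proposals, notifications = {}, []
    src = exch = current = None
    for m in TOKEN_RE.finditer(text):
        if m.group("ts"):                 # new packet: remember sender and exchange type
            src, exch, current = m.group("src"), m.group("exch"), None
        elif m.group("xf") is not None:   # new transform; only main mode (ID_PROT) counts
            current = {} if exch == "ID_PROT" else None
            if current is not None:
                proposals.setdefault(src, []).append(current)
        elif m.group("attr") and current is not None:
            current[m.group("attr")] = m.group("val")
        elif m.group("notify"):
            notifications.append((src, m.group("notify")))
    return proposals, notifications


def acceptable(initiator, responder):
    """Initiator transforms that the responder also offers (all KEY_ATTRS equal)."""
    key = lambda t: tuple(t.get(a, "-") for a in KEY_ATTRS)
    offered = {key(t) for t in responder}
    return [t for t in initiator if key(t) in offered]


def mismatches(initiator, responder):
    """Per attribute: values the initiator insists on that the responder never offers."""
    out = {}
    for a in KEY_ATTRS:
        missing = {t.get(a, "-") for t in initiator} - {t.get(a, "-") for t in responder}
        if missing:
            out[a] = sorted(missing)
    return out


def best_transform(transforms):
    """Strongest offered transform: cipher first, then hash, then DH group."""
    return max(transforms, key=lambda t: tuple(RANK.get(t.get(a), 0) for a in
               ("ENCRYPTION_ALGORITHM", "HASH_ALGORITHM", "GROUP_DESCRIPTION")))


def ipsec_conf_line(t, local_net, remote_net, peer):
    """ipsec.conf `ike esp` rule matching transform t; quick mode reuses the same
    cipher and hash, and `group` there requests PFS with the same DH group."""
    enc = ENC[t["ENCRYPTION_ALGORITHM"]]
    if enc == "aes" and "KEY_LENGTH" in t:
        enc += "-" + t["KEY_LENGTH"]
    params = "auth %s enc %s group %s" % (HASH[t["HASH_ALGORITHM"]], enc, GROUP[t["GROUP_DESCRIPTION"]])
    return "ike esp from %s to %s peer %s main %s quick %s" % (local_net, remote_net, peer, params, params)


# Constructed sample: the decisive packets from the thread's capture, vendor-ID
# and lifetime payloads trimmed, each transform run together on one line.
SAMPLE = """\
16:37:22.910284 217.65.0.211.500 > 92.50.146.38.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
  payload: PROPOSAL len: 40 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
  transform: 0 ID: ISAKMP attribute ENCRYPTION_ALGORITHM = 3DES_CBC attribute HASH_ALGORITHM = SHA attribute AUTHENTICATION_METHOD = PRE_SHARED attribute GROUP_DESCRIPTION = MODP_1024
16:37:22.955226 92.50.146.38.500 > 217.65.0.211.500: [udp sum ok] isakmp v1.0 exchange INFO
  payload: NOTIFICATION len: 74 notification: NO PROPOSAL CHOSEN [ttl 0] (id 1, len 130)
16:37:30.310895 92.50.146.38.500 > 217.65.0.211.500: [udp sum ok] isakmp v1.0 exchange ID_PROT
  payload: PROPOSAL len: 216 proposal: 0 proto: ISAKMP spisz: 0 xforms: 6
  transform: 0 ID: ISAKMP attribute ENCRYPTION_ALGORITHM = AES_CBC attribute KEY_LENGTH = 128 attribute HASH_ALGORITHM = MD5 attribute AUTHENTICATION_METHOD = PRE_SHARED attribute GROUP_DESCRIPTION = MODP_768
  transform: 1 ID: ISAKMP attribute ENCRYPTION_ALGORITHM = AES_CBC attribute KEY_LENGTH = 128 attribute HASH_ALGORITHM = SHA attribute AUTHENTICATION_METHOD = PRE_SHARED attribute GROUP_DESCRIPTION = MODP_768
  transform: 2 ID: ISAKMP attribute ENCRYPTION_ALGORITHM = 3DES_CBC attribute HASH_ALGORITHM = MD5 attribute AUTHENTICATION_METHOD = PRE_SHARED attribute GROUP_DESCRIPTION = MODP_768
  transform: 3 ID: ISAKMP attribute ENCRYPTION_ALGORITHM = 3DES_CBC attribute HASH_ALGORITHM = SHA attribute AUTHENTICATION_METHOD = PRE_SHARED attribute GROUP_DESCRIPTION = MODP_768
  transform: 4 ID: ISAKMP attribute ENCRYPTION_ALGORITHM = BLOWFISH_CBC attribute KEY_LENGTH = 128 attribute HASH_ALGORITHM = MD5 attribute AUTHENTICATION_METHOD = PRE_SHARED attribute GROUP_DESCRIPTION = MODP_768
  transform: 5 ID: ISAKMP attribute ENCRYPTION_ALGORITHM = BLOWFISH_CBC attribute KEY_LENGTH = 128 attribute HASH_ALGORITHM = SHA attribute AUTHENTICATION_METHOD = PRE_SHARED attribute GROUP_DESCRIPTION = MODP_768
"""

if __name__ == "__main__":
    props, notes = parse_capture(SAMPLE)
    me, peer = "217.65.0.211", "92.50.146.38"
    print("notifications:", notes)
    print("accepted as proposed:", acceptable(props[me], props[peer]))
    print("never offered by peer:", mismatches(props[me], props[peer]))
    print(ipsec_conf_line(best_transform(props[peer]), "10.0.4.0/24", "172.16.61.0/24", peer))
```

On the thread's capture this reports an empty acceptable set, `GROUP_DESCRIPTION: MODP_1024` as the only value the DFL-800 never offers, and an `ike` rule with `aes-128`, `hmac-sha1` and `modp768`, which is gluk's advice (drop to DH group 1, prefer AES) made mechanical. Feed it the real tcpdump text instead of SAMPLE to diagnose another peer; quick-mode (ESP) transforms are deliberately ignored, since the thread's failure happens before Phase 2.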