LINUX.ORG.RU
Can't connect to the server over IPsec

Server: ZyWALL 35

IPsec settings on it (yes, DES is ancient crap, but it has to work with this one):

Negotiation Mode Main
Encryption Algorithm DES
Authentication Algorithm MD5
SA Life Time (Seconds)  28800
Key Group DH1

Client: strongSwan

 conn TESTING
   left=my_client_ip
   leftauth=psk
   right=zywall_35_ip
   rightsubnet=10.133.16.0/24
   rightauth=psk
   ike=3des-md5-modp768!
   esp=3des-md5-modp768!
   dpddelay=30
   dpdtimeout=150
   mediation=no
   keyexchange=ikev1

When connecting I always get the same error:

Aug  3 12:37:40 debian-1 charon: 04[IKE] IKE_SA TESTING[1] established between my_client_ip[my_client_ip]...my_server_ip[my_server_ip]
Aug  3 12:37:40 debian-1 charon: 04[IKE] IKE_SA TESTING[1] state change: CONNECTING => ESTABLISHED
Aug  3 12:37:40 debian-1 charon: 04[IKE] scheduling reauthentication in 3270s
Aug  3 12:37:40 debian-1 charon: 04[IKE] maximum IKE_SA lifetime 3450s
Aug  3 12:37:40 debian-1 charon: 04[IKE] activating new tasks
Aug  3 12:37:40 debian-1 charon: 04[IKE]   activating QUICK_MODE task
Aug  3 12:37:40 debian-1 charon: 04[CFG] configured proposals: ESP:3DES_CBC/HMAC_MD5_96/MODP_768/NO_EXT_SEQ
Aug  3 12:37:40 debian-1 charon: 04[CFG] configured proposals: ESP:3DES_CBC/HMAC_MD5_96/MODP_768/NO_EXT_SEQ
Aug  3 12:37:40 debian-1 charon: 04[CFG] proposing traffic selectors for us:
Aug  3 12:37:40 debian-1 charon: 04[CFG]  my_client_ip/32
Aug  3 12:37:40 debian-1 charon: 04[CFG] proposing traffic selectors for other:
Aug  3 12:37:40 debian-1 charon: 04[CFG]  my_server_ip/32
Aug  3 12:37:40 debian-1 charon: 04[IKE] Hash(1) => 16 bytes @ 0xaed01460
Aug  3 12:37:40 debian-1 charon: 04[IKE]    0: A0 5F 1B 19 97 D5 E6 04 AB 9A 74 4B 6A D1 4A D1  ._........tKj.J.
Aug  3 12:37:40 debian-1 charon: 04[ENC] generating QUICK_MODE request 1862884692 [ HASH SA No KE ID ID ]
Aug  3 12:37:40 debian-1 charon: 04[IKE] next IV for MID 1862884692 => 8 bytes @ 0xaed00878
Aug  3 12:37:40 debian-1 charon: 04[IKE]    0: CE A7 EB 42 29 5D 88 0B                          ...B)]..
Aug  3 12:37:40 debian-1 charon: 04[IKE] next IV for MID 1862884692 => 8 bytes @ 0xaed02920
Aug  3 12:37:40 debian-1 charon: 04[IKE]    0: 7C 4E 91 E5 24 2A EC 78                          |N..$*.x
Aug  3 12:37:40 debian-1 charon: 04[NET] sending packet: from my_client_ip[500] to my_server_ip[500] (268 bytes)
Aug  3 12:37:40 debian-1 charon: 05[NET] received packet: from my_server_ip[500] to my_client_ip[500] (76 bytes)
Aug  3 12:37:40 debian-1 charon: 05[IKE] next IV for MID 1909653617 => 8 bytes @ 0xaef01578
Aug  3 12:37:40 debian-1 charon: 05[IKE]    0: 5E 97 AD A1 3B EE C6 42                          ^...;..B
Aug  3 12:37:40 debian-1 charon: 05[ENC] parsed INFORMATIONAL_V1 request 1909653617 [ HASH N(INVAL_ID) ]
Aug  3 12:37:40 debian-1 charon: 05[IKE] Hash => 16 bytes @ 0xaef00a20
Aug  3 12:37:40 debian-1 charon: 05[IKE]    0: F5 D2 24 D0 F9 EC CC FD 87 B3 C5 C8 29 31 43 42  ..$.........)1CB
Aug  3 12:37:40 debian-1 charon: 05[IKE] received INVALID_ID_INFORMATION error notify
Aug  3 12:37:40 debian-1 charon: 05[NET] received packet: from my_server_ip[500] to my_client_ip[500] (76 bytes)
Aug  3 12:37:40 debian-1 charon: 05[IKE] next IV for MID 1882852347 => 8 bytes @ 0xaef01708
Aug  3 12:37:40 debian-1 charon: 05[IKE]    0: 6C 1F 33 B8 AF 48 15 52                          l.3..H.R
Aug  3 12:37:40 debian-1 charon: 05[ENC] parsed INFORMATIONAL_V1 request 1882852347 [ HASH D ]
Aug  3 12:37:40 debian-1 charon: 05[IKE] Hash => 16 bytes @ 0xaef009d0
Aug  3 12:37:40 debian-1 charon: 05[IKE]    0: AF 2B 14 D7 0E 64 6E 99 5C 14 75 EC E5 34 97 B0  .+...dn.\.u..4..
Aug  3 12:37:40 debian-1 charon: 05[IKE] received DELETE for IKE_SA TESTING[1]
Aug  3 12:37:40 debian-1 charon: 05[IKE] deleting IKE_SA TESTING[1] between my_client_ip[my_client_ip]...my_server_ip[my_server_ip]
Aug  3 12:37:40 debian-1 charon: 05[IKE] IKE_SA TESTING[1] state change: ESTABLISHED => DELETING
Aug  3 12:37:40 debian-1 charon: 05[IKE] IKE_SA TESTING[1] state change: DELETING => DELETING
Aug  3 12:37:40 debian-1 charon: 05[IKE] IKE_SA TESTING[1] state change: DELETING => DESTROYING

i.e. the connection seems to come up and then drops immediately


Just above is my thread about the ZyWALL 60! Everything seems right, but it doesn't work.

petav ★★★★★ ()

Set leftid and rightid?
Not your setup, but maybe it will come in handy or give you an idea. It was configured a long time ago and I don't use this particular connection right now, so it's commented out.

#conn CON-NAME
#       keyexchange=ikev1
#       leftauth=psk
#       rightauth=psk
#       left=REAL_IP_LEFT
#       leftid="REAL_IP_LEFT"
#       right=REAL_IP_RIGHT
#       rightid="REAL_IP_RIGHT"
#       aggressive = yes
#       ike=3des-md5-modp768
#       esp=3des-md5-modp768
#       leftsubnet=192.168.7.0/24
#       rightsubnet=172.17.0.0/24
#       ikelifetime = 28800s
#       dpddelay=60s
#       rekey=yes
##      authby=psk
##      eap_identity=%identity
##      reauth=yes
#       leftcert=
#       auto=start

anc ★★★★★ ()

ID error

Aug  3 12:37:40 debian-1 charon: 05[ENC] parsed INFORMATIONAL_V1 request 1909653617 [ HASH N(INVAL_ID) ]

arto ★★ ()
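The sequence arto points at (IKE_SA ESTABLISHED, then N(INVAL_ID), then DELETE) is easy to pick out of charon output by script; the block below is an added Python example, not code from the thread or from strongSwan, that parses a constructed sample built from the lines quoted above, reports the traffic selectors actually proposed, and flags the 3DES/MD5/MODP_768 proposals as weak.

```python
import re
# Constructed sample, modelled on the charon lines quoted in the thread (hash/IV dumps dropped).
SAMPLE_LOG = """\
Aug  3 12:37:40 debian-1 charon: 04[IKE] IKE_SA TESTING[1] state change: CONNECTING => ESTABLISHED
Aug  3 12:37:40 debian-1 charon: 04[CFG] configured proposals: ESP:3DES_CBC/HMAC_MD5_96/MODP_768/NO_EXT_SEQ
Aug  3 12:37:40 debian-1 charon: 04[CFG] proposing traffic selectors for us:
Aug  3 12:37:40 debian-1 charon: 04[CFG]  my_client_ip/32
Aug  3 12:37:40 debian-1 charon: 04[CFG] proposing traffic selectors for other:
Aug  3 12:37:40 debian-1 charon: 04[CFG]  my_server_ip/32
Aug  3 12:37:40 debian-1 charon: 05[ENC] parsed INFORMATIONAL_V1 request 1909653617 [ HASH N(INVAL_ID) ]
Aug  3 12:37:40 debian-1 charon: 05[IKE] received INVALID_ID_INFORMATION error notify
Aug  3 12:37:40 debian-1 charon: 05[IKE] received DELETE for IKE_SA TESTING[1]
"""
# Algorithm names as charon prints them; every one of these is broken or weak today.
WEAK = {"DES_CBC", "3DES_CBC", "HMAC_MD5_96", "MODP_768"}
MSG_RE = re.compile(r"charon: \d+\[\w+\] (?P<msg>.*)$", re.M)
NOTIFY_RE = re.compile(r"received (\w+) error notify")

def analyze(log_text):
    # Summarise why an IKEv1 SA came up and was torn down right away.
    r = {"established": False, "deleted": False, "weak": [],
         "ts_us": [], "ts_other": [], "notifies": [], "hints": []}
    section = None  # traffic-selector list that the next indented line belongs to
    for m in MSG_RE.finditer(log_text):
        msg = m.group("msg").strip()
        if section and re.fullmatch(r"[\w.]+/\d+", msg):
            r[section].append(msg)
            continue
        section = None
        if "state change: CONNECTING => ESTABLISHED" in msg:
            r["established"] = True
        elif msg.startswith("configured proposals:"):
            r["weak"] += [a for a in re.split(r"[:/]", msg) if a in WEAK and a not in r["weak"]]
        elif msg.startswith("proposing traffic selectors for us"):
            section = "ts_us"
        elif msg.startswith("proposing traffic selectors for other"):
            section = "ts_other"
        elif n := NOTIFY_RE.search(msg):
            r["notifies"].append(n.group(1))
        elif "received DELETE for IKE_SA" in msg:
            r["deleted"] = True
    if r["established"] and "INVALID_ID_INFORMATION" in r["notifies"]:
        r["hints"].append("Phase 1 completed but the peer rejected the Phase 2 IDs: check leftid/rightid and that leftsubnet/rightsubnet match the peer's policy")
    if any(ts.endswith("/32") for ts in r["ts_other"]):
        r["hints"].append("remote selector is a single host (/32); compare it with rightsubnet")
    if r["weak"]:
        r["hints"].append("weak IKE/ESP algorithms negotiated: " + ", ".join(r["weak"]))
    return r
```

Feed it the raw charon output from syslog (with the hash and IV hex dumps left in; they are simply skipped) and read the hints list.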

I use ZyWALL 20/20W/50/100/300; they have a magic command, crypto algorithm-hide disable, that enables the AES algorithms. In PSK mode I couldn't get it to work with strongSwan, so I used certificates instead, and it comes up right away.

Bloody ()