Folks, can you tell me how to set up IPsec "transport mode" with automatic key generation between two hosts?
Suppose there are two hosts,
net(10.10.0.0/24)=10.0.0.1 --- 10.0.0.2=net(10.20.0.0/24)
How do I set up an IPsec connection between them in transport mode? Tunnel mode works fine; in the simplest case the configs for the left machine (10.0.0.1) look like this:
/etc/ipsec.conf
spdadd 10.10.0.0/24 10.20.0.0/24 any -P out ipsec
esp/tunnel/10.0.0.1-10.0.0.2/require;
spdadd 10.20.0.0/24 10.10.0.0/24 any -P in ipsec
esp/tunnel/10.0.0.2-10.0.0.1/require;
/etc/racoon.conf
remote 10.0.0.2 {
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 5;
}
}
sainfo address 10.10.0.0/24 any address 10.20.0.0/24 any {
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
For the right host everything is mirrored. Start the racoon daemon, the tunnel
comes up, traffic flows.
But how do I achieve the same thing (with automatic key generation) for
"transport mode"?
I do it by analogy:
/etc/ipsec.conf
spdadd 10.0.0.1/32 10.0.0.2/32 any -P out ipsec
esp/transport//require
ah/transport//require;
spdadd 10.0.0.2/32 10.0.0.1/32 any -P in ipsec
esp/transport//require
ah/transport//require;
/etc/racoon.conf
remote 10.0.0.2 {
exchange_mode main;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 5;
}
}
sainfo address 10.0.0.1 any address 10.0.0.2 any {
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
On www.ipsec-howto.org, unfortunately, nothing is said about transport mode with an auto-keyed connection.
The logs show:
/usr/sbin/racoon -f /etc/racoon/racoon.conf -4 -F
INFO: @(#)ipsec-tools 0.3.3 (http://ipsec-tools.sourceforge.net)
INFO: @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
INFO: IPsec-SA request for 10.0.0.2 queued due to no phase1 found.
INFO: initiate new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]
INFO: begin Identity Protection mode.
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.2->10.0.0.1
INFO: delete phase 2 handler.
INFO: request for establishing IPsec-SA was queued due to no phase1 found.
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.2->10.0.0.1
INFO: delete phase 2 handler.
INFO: request for establishing IPsec-SA was queued due to no phase1 found.
NOTIFY: the packet is retransmitted by 10.0.0.2[500].
ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.2->10.0.0.1
INFO: delete phase 2 handler.
INFO: request for establishing IPsec-SA was queued due to no phase1 found.
and on 10.0.0.2:
INFO: respond new phase 1 negotiation: 10.0.0.2[500]<=>10.0.0.1[500]
INFO: begin Identity Protection mode.
ERROR: phase1 negotiation failed due to time up. 894021715a4b0fba:0da61a7661898aa9
INFO: respond new phase 1 negotiation: 10.0.0.2[500]<=>10.0.0.1[500]
INFO: begin Identity Protection mode.
i.e. it gets stuck on something, but where?
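To see where IKE stalls without reading the racoon log by hand, here is a small added example (not from the original post) that counts the message types visible above and reports whether phase 1 ever completed. The sample lines are taken from the posted logs; the "ISAKMP-SA established" pattern is an assumption about racoon's success message and does not appear in the post.

```python
"""Summarise racoon (ipsec-tools) log lines to locate where IKE stalls."""
import re
from collections import Counter

# Message formats as they appear in the posted racoon output.
PATTERNS = {
    "sa_queued": re.compile(r"queued due to no phase1 found"),
    "phase1_initiate": re.compile(r"initiate new phase 1 negotiation: (\S+)<=>(\S+)"),
    "phase1_respond": re.compile(r"respond new phase 1 negotiation: (\S+)<=>(\S+)"),
    "phase1_timeout": re.compile(r"phase1 negotiation failed due to time up"),
    # Assumed success message; not present in the posted log.
    "phase1_established": re.compile(r"ISAKMP-SA established"),
    "retransmit": re.compile(r"the packet is retransmitted by (\S+)\."),
    "phase2_timeout": re.compile(
        r"phase2 negotiation failed due to time up waiting for phase1\. (\w+) (\S+)->(\S+)"),
}

def summarise(lines):
    """Count each known message type and record which peers kept retransmitting."""
    counts, peers = Counter(), set()
    for line in lines:
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                counts[name] += 1
                if name == "retransmit":
                    peers.add(m.group(1))
                break
    return {"counts": counts, "retransmitting_peers": sorted(peers)}

def diagnose(summary):
    """Reduce the counts to one state: phase 1 never finished, finished, or never started."""
    c = summary["counts"]
    started = c["phase1_initiate"] + c["phase1_respond"]
    if c["phase1_established"]:
        return "phase1_ok"
    if started and (c["phase1_timeout"] or c["phase2_timeout"]):
        return "phase1_stuck"      # peer answered, but the exchange never completed
    return "phase1_in_progress" if started else "no_negotiation"

# Lines copied from the initiator (10.0.0.1) and responder (10.0.0.2) logs in the post.
INITIATOR_LOG = [
    "INFO: IPsec-SA request for 10.0.0.2 queued due to no phase1 found.",
    "INFO: initiate new phase 1 negotiation: 10.0.0.1[500]<=>10.0.0.2[500]",
    "INFO: begin Identity Protection mode.",
    "NOTIFY: the packet is retransmitted by 10.0.0.2[500].",
    "ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.2->10.0.0.1",
    "INFO: delete phase 2 handler.",
    "INFO: request for establishing IPsec-SA was queued due to no phase1 found.",
    "NOTIFY: the packet is retransmitted by 10.0.0.2[500].",
    "NOTIFY: the packet is retransmitted by 10.0.0.2[500].",
    "NOTIFY: the packet is retransmitted by 10.0.0.2[500].",
    "ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.2->10.0.0.1",
    "INFO: delete phase 2 handler.",
    "INFO: request for establishing IPsec-SA was queued due to no phase1 found.",
    "NOTIFY: the packet is retransmitted by 10.0.0.2[500].",
    "ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 10.0.0.2->10.0.0.1",
    "INFO: delete phase 2 handler.",
    "INFO: request for establishing IPsec-SA was queued due to no phase1 found.",
]
RESPONDER_LOG = [
    "INFO: respond new phase 1 negotiation: 10.0.0.2[500]<=>10.0.0.1[500]",
    "INFO: begin Identity Protection mode.",
    "ERROR: phase1 negotiation failed due to time up. 894021715a4b0fba:0da61a7661898aa9",
    "INFO: respond new phase 1 negotiation: 10.0.0.2[500]<=>10.0.0.1[500]",
    "INFO: begin Identity Protection mode.",
]

if __name__ == "__main__":
    for side, log in (("initiator", INITIATOR_LOG), ("responder", RESPONDER_LOG)):
        s = summarise(log)
        print(side, dict(s["counts"]), s["retransmitting_peers"], diagnose(s))
```

Both sides report "phase1_stuck": the responder sees the first message and starts Identity Protection mode, but neither side ever reaches a phase 1 SA, so the retransmits and phase 2 timeouts are consequences of phase 1 itself never completing.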