Change history
Correction by Humaxoid (current version):
I'll try to give the fullest picture. These are the settings of the TP-Link on the remote side.
IKE Proposal:
Authentication - MD5
Encryption - 3DES
DH Group - DH2
preshare key 12345678
--------------------------------
IPSec Proposal:
Security Protocol - ESP
ESP Authentication - MD5
ESP Encryption - 3DES
--------------------------------
IPSec Policy:
Mode - "lan-to-lan"
# ipsec.conf - strongSwan IPsec configuration file
config setup

conn site2site
    authby=psk
    keyexchange=ikev1
    ike=3des-md5-modp1024
    esp=3des-md5
    keyingtries=%forever
    rekey=no
    dpdaction=hold
    dpddelay=30
    dpdtimeout=150
    auto=start
    left=XX.XXX.XX.XXX
    leftsubnet=192.168.66.0/24
    leftfirewall=yes
    rightfirewall=yes
    lefthostaccess=yes
    righthostaccess=yes
    right=YYY.YYY.YY.YYY
    rightid=YYY.YYY.YY.YYY
    rightsubnet=192.168.50.0/24
#
# where XX.XXX.XX.XXX is my strongSwan external IP
# and YYY.YYY.YY.YYY is the external IP of the remote TP-Link

# /etc/ipsec.secrets - strongSwan IPsec secrets file
XX.XXX.XX.XXX YYY.YYY.YY.YYY : PSK 12345678

# strongswan.conf - strongSwan configuration file
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
Its logs
ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.2.29, x86_64):
uptime: 8 minutes, since Oct 09 22:43:12 2015
malloc: sbrk 270336, mmap 0, used 207552, free 62784
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
XX.XXX.XX.XXX
192.168.66.1
Connections:
site2site: XX.XXX.XX.XXX...YYY.YYY.YY.YYY IKEv1, dpddelay=30s
site2site: local: [XX.XXX.XX.XXX] uses pre-shared key authentication
site2site: remote: [YYY.YYY.YY.YYY] uses pre-shared key authentication
site2site: child: 192.168.66.0/24 === 192.168.50.0/24 TUNNEL, dpdaction=hold
Security Associations (1 up, 0 connecting):
site2site[1]: CONNECTING, XX.XXX.XX.XXX[%any]...YYY.YYY.YY.YYY[%any]
site2site[1]: IKEv1 SPIs: 451cbbeb8f1be377_i* 0000000000000000_r
site2site[1]: Tasks queued: QUICK_MODE
site2site[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
Oct 9 22:43:12 proxy ipsec_starter[2250]: Starting strongSwan 5.3.2 IPsec [starter]...
Oct 9 22:43:13 proxy ipsec_starter[2260]: charon (2261) started after 160 ms
Oct 9 22:43:13 proxy charon: 06[IKE] initiating Main Mode IKE_SA site2site[1] to YYY.YYY.YY.YYY
Oct 9 22:43:12 proxy charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.2, Linux 3.2.29, x86_64)
Oct 9 22:43:13 proxy charon: 00[KNL] received netlink error: Address family not supported by protocol (97)
Oct 9 22:43:13 proxy charon: 00[KNL] unable to create IPv6 routing table rule
Oct 9 22:43:13 proxy charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 9 22:43:13 proxy charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 9 22:43:13 proxy charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 9 22:43:13 proxy charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 9 22:43:13 proxy charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 9 22:43:13 proxy charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 9 22:43:13 proxy charon: 00[CFG] loaded IKE secret for XX.XXX.XX.XXX YYY.YYY.YY.YYY
Oct 9 22:43:13 proxy charon: 00[LIB] loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs$
Oct 9 22:43:13 proxy charon: 00[JOB] spawning 16 worker threads
Oct 9 22:43:13 proxy charon: 05[CFG] received stroke: add connection 'site2site'
Oct 9 22:43:13 proxy charon: 05[CFG] added configuration 'site2site'
Oct 9 22:43:13 proxy charon: 06[CFG] received stroke: initiate 'site2site'
Oct 9 22:43:13 proxy charon: 06[IKE] initiating Main Mode IKE_SA site2site[1] to YYY.YYY.YY.YYY
Oct 9 22:43:13 proxy charon: 06[ENC] generating ID_PROT request 0 [ SA V V V V ]
Oct 9 22:43:13 proxy charon: 06[NET] sending packet: from XX.XXX.XX.XXX[500] to YYY.YYY.YY.YYY[500] (188 bytes)
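The status output above shows the IKE SA stuck in CONNECTING with an all-zero responder SPI while Main Mode is still active, i.e. the first IKE packet went out and nothing came back. The following Python script is an added example (not part of the post) that parses that `ipsec statusall` excerpt to name the stuck phase and lists the components of an `ike=`/`esp=` string that are weak by today's standards (here 3DES, MD5 and modp1024); the STATUSALL excerpt is constructed from the page's output.

```python
import re

# Constructed excerpt of the `ipsec statusall` output quoted in the post (page placeholders kept).
STATUSALL = """\
Security Associations (1 up, 0 connecting):
site2site[1]: CONNECTING, XX.XXX.XX.XXX[%any]...YYY.YYY.YY.YYY[%any]
site2site[1]: IKEv1 SPIs: 451cbbeb8f1be377_i* 0000000000000000_r
site2site[1]: Tasks queued: QUICK_MODE
site2site[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD
"""

# Components of a strongSwan ike=/esp= string that are weak by today's standards.
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024"}

SA_RE = re.compile(r"^(?P<conn>\S+)\[\d+\]: (?P<state>[A-Z]+)[ ,]")
SPI_RE = re.compile(r"SPIs: [0-9a-f]+_i\*? (?P<r>[0-9a-f]+)_r")
TASK_RE = re.compile(r"Tasks active: (?P<tasks>.+)$")

def parse_sa(text):
    """Extract conn name, state, responder-SPI status and active tasks of the first IKE SA."""
    info = {"tasks": []}
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m and "conn" not in info:
            info["conn"], info["state"] = m["conn"], m["state"]
        m = SPI_RE.search(line)
        if m:  # an all-zero responder SPI means the peer has not replied at all
            info["responder_spi_zero"] = set(m["r"]) == {"0"}
        m = TASK_RE.search(line)
        if m:
            info["tasks"] = m["tasks"].split()
    return info

def diagnose(info):
    """Name the IKEv1 phase the negotiation is stuck in."""
    if info.get("state") == "ESTABLISHED":
        return "established"
    if info.get("state") == "CONNECTING":
        if info.get("responder_spi_zero") and "MAIN_MODE" in info["tasks"]:
            return "phase1-no-reply"  # first Main Mode packet sent, nothing came back
        if "QUICK_MODE" in info["tasks"]:
            return "phase2-pending"
        return "phase1-in-progress"
    return "unknown"

def weak_algs(proposal):
    """Return the weak components of a proposal such as '3des-md5-modp1024'."""
    parts = proposal.rstrip("!").replace(",", "-").split("-")
    return [p for p in parts if p in WEAK]
```

A "phase1-no-reply" result points at reachability or filtering of UDP/500 between the two gateways before any proposal mismatch can be blamed, since a mismatch would at least produce a reply.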