Всем доброго времени суток! Прощу помощи в проблеме, сам создаю туннель в первый раз, уже прочитал много форумов. Все темы, в которых вижу похожие на мои проблемы обрываются на самом интересном: автор темы в году эдак 2008 говорит что проблему решил, пишите в лс:(
Собственно вот задача - надо создать IPsec туннель между моим серваком, и поставщиком.
Мой IP - 209.XXX.XXX.XXX
Поставщик мне дал публичный IP адрес VPN шлюза - 194.YYY.YYY.YYY
Внутренний IP до которого надо «достучаться» - 10.241.24.40
В требованиях написано, что я должен транслировать свой IP в 172.18.13.69
А так же дали параметры для создания туннеля:
IKE Parameters(PHASE 1)
Key Exchange encryption AES128
Data Integrity SHA-1
Diffie-Hellman group Group 5
KE lifetime (sec) 86400
Type Main mode
IPsec SA Parameters (PHASE 2)
Protocol ESP
IPsec AES128
Data Integrity SHA-1
PFS (Perfect Forward Secrecy) DH Group 5
Собственно, я создал виртуальный интерфейс у нас, назвал его eth0:0, вывод ifconfig:
eth0:0 Link encap:Ethernet HWaddr ae:95:bd:db:b6:35
inet addr:172.18.13.69 Bcast:172.18.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
До 172.18.13.69 пингуется успешно.
Далее с помощью racoon пытаюсь создать туннель, вот все конфиги:
===================/etc/racoon/racoon.conf==============
log debug;
path include «/etc/racoon»;
path pre_shared_key «/etc/racoon/psk.txt»;
remote 194.YYY.YYY.YYY
{
exchange_mode main;
my_identifier address;
lifetime time 24 hour;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 5;
}
}
sainfo anonymous {
lifetime time 24 hour;
pfs_group 5;
encryption_algorithm aes;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
======================================================
=====================/etc/racoon/psk.txt==================
10.241.24.40 private_key_here
======================================================
====================/etc/ipsec-tools.conf==================
flush;
spdflush;
spdadd 209.XXX.XXX.XXX/32 10.241.24.40/32 any -P out ipsec
esp/tunnel/172.18.13.69-194.YYY.YYY.YYY/unique;
spdadd 10.241.24.40/32 209.XXX.XXX.XXX/32 any -P in ipsec
esp/tunnel/194.YYY.YYY.YYY-172.18.13.69/unique;
====================================================
Пробую создать подключение, делаю пинг до 10.241.24.40, не пингует. Вывод setkey -D:
172.18.13.69 194.YYY.YYY.YYY
esp mode=tunnel spi=0(0x00000000) reqid=16458(0x0000404a)
seq=0x00000000 replay=0 flags=0x00000000 state=larval
created: Dec 10 15:30:17 2018 current: Dec 10 15:30:34 2018
diff: 17(s) hard: 165(s) soft: 0(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=0 pid=19219 refcnt=0
Краткий вывод setkey -DP, без per-socket policy:
10.241.24.40[any] 209.XXX.XXX.XXX[any] 255
fwd prio def ipsec
esp/tunnel/194.54.151.238-172.18.13.69/require
created: Dec 7 14:33:19 2018 lastused:
lifetime: 0(s) validtime: 0(s)
spid=17602 seq=33 pid=30987
refcnt=1
10.241.24.40[any] 209.XXX.XXX.XXX[any] 255
in prio def ipsec
esp/tunnel/194.54.151.238-172.18.13.69/unique#16459
created: Dec 7 14:33:19 2018 lastused:
lifetime: 0(s) validtime: 0(s)
spid=17592 seq=34 pid=30987
refcnt=1
209.XXX.XXX.XXX[any] 10.241.24.40[any] 255
out prio def ipsec
esp/tunnel/172.18.13.69-194.54.151.238/unique#16458
created: Dec 7 14:33:19 2018 lastused:
lifetime: 0(s) validtime: 0(s)
spid=17585 seq=0 pid=30987
refcnt=1
Логи ракуна:
Dec 10 15:30:17 ProductionServer racoon: DEBUG: pk_recv: retry[0] recv()
Dec 10 15:30:17 ProductionServer racoon: DEBUG: got pfkey ACQUIRE message
Dec 10 15:30:17 ProductionServer racoon: DEBUG: suitable outbound SP found: 209.XXX.XXX.XXX/32[0] 10.241.24.40/32[0] proto=any dir=out.
Dec 10 15:30:17 ProductionServer racoon: DEBUG: sub:0x7fffa83c2c60: 10.241.24.40/32[0] 209.XXX.XXX.XXX/32[0] proto=any dir=in
Dec 10 15:30:17 ProductionServer racoon: DEBUG: db :0x2299050: 10.241.24.40/32[0] 209.XXX.XXX.XXX/32[0] proto=any dir=fwd
Dec 10 15:30:17 ProductionServer racoon: DEBUG: sub:0x7fffa83c2c60: 10.241.24.40/32[0] 209.XXX.XXX.XXX/32[0] proto=any dir=in
Dec 10 15:30:17 ProductionServer racoon: DEBUG: db :0x22992d0: 10.241.24.40/32[0] 209.XXX.XXX.XXX/32[0] proto=any dir=in
Dec 10 15:30:17 ProductionServer racoon: DEBUG: suitable inbound SP found: 10.241.24.40/32[0] 209.XXX.XXX.XXX/32[0] proto=any dir=in.
Dec 10 15:30:17 ProductionServer racoon: DEBUG: new acquire 209.XXX.XXX.XXX/32[0] 10.241.24.40/32[0] proto=any dir=out
Dec 10 15:30:17 ProductionServer racoon: [194.YYY.YYY.YYY] DEBUG: configuration «194.YYY.YYY.YYY[500]» selected.
Dec 10 15:30:17 ProductionServer racoon: DEBUG: getsainfo params: loc='209.XXX.XXX.XXX' rmt='10.241.24.40' peer='NULL' client='NULL' id=0
Dec 10 15:30:17 ProductionServer racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
Dec 10 15:30:17 ProductionServer racoon: DEBUG: check and compare ids : values matched (ANONYMOUS)
Dec 10 15:30:17 ProductionServer racoon: DEBUG: check and compare ids : values matched (ANONYMOUS)
Dec 10 15:30:17 ProductionServer racoon: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
Dec 10 15:30:17 ProductionServer racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=16459:16458)
Dec 10 15:30:17 ProductionServer racoon: DEBUG: (trns_id=AES encklen=128 authtype=hmac-sha)
Dec 10 15:30:17 ProductionServer racoon: DEBUG: in post_acquire
Dec 10 15:30:17 ProductionServer racoon: [194.YYY.YYY.YYY] DEBUG: configuration «194.YYY.YYY.YYY[500]» selected.
Dec 10 15:30:17 ProductionServer racoon: INFO: IPsec-SA request for 194.YYY.YYY.YYY queued due to no phase1 found.
Dec 10 15:30:17 ProductionServer racoon: DEBUG: ===
Dec 10 15:30:17 ProductionServer racoon: INFO: initiate new phase 1 negotiation: 172.18.13.69[500]<=>194.YYY.YYY.YYY[500]
Dec 10 15:30:17 ProductionServer racoon: INFO: begin Identity Protection mode.
Dec 10 15:30:17 ProductionServer racoon: DEBUG: new cookie:#0125290d8d29f5c60bf
Dec 10 15:30:17 ProductionServer racoon: DEBUG: add payload of len 56, next type 13
Dec 10 15:30:17 ProductionServer racoon: DEBUG: add payload of len 16, next type 0
Dec 10 15:30:17 ProductionServer racoon: DEBUG: 108 bytes from 172.18.13.69[500] to 194.YYY.YYY.YYY[500]
Dec 10 15:30:17 ProductionServer racoon: DEBUG: sockname 172.18.13.69[500]
Dec 10 15:30:17 ProductionServer racoon: DEBUG: send packet from 172.18.13.69[500]
Dec 10 15:30:17 ProductionServer racoon: DEBUG: send packet to 194.YYY.YYY.YYY[500]
Dec 10 15:30:17 ProductionServer racoon: DEBUG: src4 172.18.13.69[500]
Dec 10 15:30:17 ProductionServer racoon: DEBUG: dst4 194.YYY.YYY.YYY[500]
Dec 10 15:30:17 ProductionServer racoon: DEBUG: 1 times of 108 bytes message will be sent to 194.YYY.YYY.YYY[500]
Dec 10 15:30:17 ProductionServer racoon: DEBUG: #0125290d8d2 9f5c60bf 00000000 00000000 01100200 00000000 0000006c 0d00003c#01200000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004#01200015180 80010007 800e0080 80030001 80020002 80040005 00000014 afcad713#01268a1f1c9 6b8696fc 77570100
Dec 10 15:30:17 ProductionServer racoon: DEBUG: resend phase1 packet 5290d8d29f5c60bf:0000000000000000
Dec 10 15:30:37 ProductionServer racoon: DEBUG: 108 bytes from 172.18.13.69[500] to 194.YYY.YYY.YYY[500]
Dec 10 15:30:37 ProductionServer racoon: DEBUG: sockname 172.18.13.69[500]
Dec 10 15:30:37 ProductionServer racoon: DEBUG: send packet from 172.18.13.69[500]
Dec 10 15:30:37 ProductionServer racoon: DEBUG: send packet to 194.YYY.YYY.YYY[500]
Dec 10 15:30:37 ProductionServer racoon: DEBUG: src4 172.18.13.69[500]
Dec 10 15:30:37 ProductionServer racoon: DEBUG: dst4 194.YYY.YYY.YYY[500]
Dec 10 15:30:37 ProductionServer racoon: DEBUG: 1 times of 108 bytes message will be sent to 194.YYY.YYY.YYY[500]
Dec 10 15:30:37 ProductionServer racoon: DEBUG: #0125290d8d2 9f5c60bf 00000000 00000000 01100200 00000000 0000006c 0d00003c#01200000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004#01200015180 80010007 800e0080 80030001 80020002 80040005 00000014 afcad713#01268a1f1c9 6b8696fc 77570100
Dec 10 15:30:37 ProductionServer racoon: DEBUG: resend phase1 packet 5290d8d29f5c60bf:0000000000000000
Dec 10 15:30:48 ProductionServer racoon: [194.YYY.YYY.YYY] ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 194.YYY.YYY.YYY[0]->172.18.13.69[0]
Dec 10 15:30:48 ProductionServer racoon: INFO: delete phase 2 handler.
Dec 10 15:30:57 ProductionServer racoon: DEBUG: 108 bytes from 172.18.13.69[500] to 194.YYY.YYY.YYY[500]
Dec 10 15:30:57 ProductionServer racoon: DEBUG: sockname 172.18.13.69[500]
Dec 10 15:30:57 ProductionServer racoon: DEBUG: send packet from 172.18.13.69[500]
Dec 10 15:30:57 ProductionServer racoon: DEBUG: send packet to 194.YYY.YYY.YYY[500]
Dec 10 15:30:57 ProductionServer racoon: DEBUG: src4 172.18.13.69[500]
Dec 10 15:30:57 ProductionServer racoon: DEBUG: dst4 194.YYY.YYY.YYY[500]
Dec 10 15:30:57 ProductionServer racoon: DEBUG: 1 times of 108 bytes message will be sent to 194.YYY.YYY.YYY[500]
Dec 10 15:30:57 ProductionServer racoon: DEBUG: #0125290d8d2 9f5c60bf 00000000 00000000 01100200 00000000 0000006c 0d00003c#01200000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004#01200015180 80010007 800e0080 80030001 80020002 80040005 00000014 afcad713#01268a1f1c9 6b8696fc 77570100
Dec 10 15:30:57 ProductionServer racoon: DEBUG: resend phase1 packet 5290d8d29f5c60bf:0000000000000000
Dec 10 15:31:17 ProductionServer racoon: DEBUG: 108 bytes from 172.18.13.69[500] to 194.YYY.YYY.YYY[500]
Dec 10 15:31:17 ProductionServer racoon: DEBUG: sockname 172.18.13.69[500]
Dec 10 15:31:17 ProductionServer racoon: DEBUG: send packet from 172.18.13.69[500]
Dec 10 15:31:17 ProductionServer racoon: DEBUG: send packet to 194.YYY.YYY.YYY[500]
Dec 10 15:31:17 ProductionServer racoon: DEBUG: src4 172.18.13.69[500]
Dec 10 15:31:17 ProductionServer racoon: DEBUG: dst4 194.YYY.YYY.YYY[500]
Dec 10 15:31:17 ProductionServer racoon: DEBUG: 1 times of 108 bytes message will be sent to 194.YYY.YYY.YYY[500]
Dec 10 15:31:17 ProductionServer racoon: DEBUG: #0125290d8d2 9f5c60bf 00000000 00000000 01100200 00000000 0000006c 0d00003c#01200000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004#01200015180 80010007 800e0080 80030001 80020002 80040005 00000014 afcad713#01268a1f1c9 6b8696fc 77570100
Dec 10 15:31:17 ProductionServer racoon: DEBUG: resend phase1 packet 5290d8d29f5c60bf:0000000000000000
Dec 10 15:31:37 ProductionServer racoon: DEBUG: 108 bytes from 172.18.13.69[500] to 194.YYY.YYY.YYY[500]
Dec 10 15:31:37 ProductionServer racoon: DEBUG: sockname 172.18.13.69[500]
Dec 10 15:31:37 ProductionServer racoon: DEBUG: send packet from 172.18.13.69[500]
Dec 10 15:31:37 ProductionServer racoon: DEBUG: send packet to 194.YYY.YYY.YYY[500]
Dec 10 15:31:37 ProductionServer racoon: DEBUG: src4 172.18.13.69[500]
Dec 10 15:31:37 ProductionServer racoon: DEBUG: dst4 194.YYY.YYY.YYY[500]
Dec 10 15:31:37 ProductionServer racoon: DEBUG: 1 times of 108 bytes message will be sent to 194.YYY.YYY.YYY[500]
Dec 10 15:31:37 ProductionServer racoon: DEBUG: #0125290d8d2 9f5c60bf 00000000 00000000 01100200 00000000 0000006c 0d00003c#01200000001 00000001 00000030 01010001 00000028 01010000 800b0001 000c0004#01200015180 80010007 800e0080 80030001 80020002 80040005 00000014 afcad713#01268a1f1c9 6b8696fc 77570100
Dec 10 15:31:37 ProductionServer racoon: DEBUG: resend phase1 packet 5290d8d29f5c60bf:0000000000000000
Dec 10 15:31:57 ProductionServer racoon: ERROR: phase1 negotiation failed due to time up. 5290d8d29f5c60bf:0000000000000000
Dec 10 15:33:02 ProductionServer racoon: DEBUG: pk_recv: retry[0] recv()
Dec 10 15:33:02 ProductionServer racoon: DEBUG: got pfkey EXPIRE message
Dec 10 15:33:02 ProductionServer racoon: INFO: IPsec-SA expired: ESP/Tunnel 172.18.13.69[500]->194.YYY.YYY.YYY[500]
Dec 10 15:33:02 ProductionServer racoon: DEBUG: no such a SA found: ESP/Tunnel 172.18.13.69[500]->194.YYY.YYY.YYY[500]
ЧЯДНТ? Ошибок в логах нету вроде как. В какую сторону копать, может каких настроек нет, или я сделал что то не так. Всем заранее спасибо за помощь!
