IPsec problem
Good afternoon,
I am trying to bring up a tunnel between a Firebox X Edge and Linux.
racoonctl vpn-connect remote_ip
The following messages appear in the logs:
Mar 27 10:03:53 uhm-dev racoon: INFO: accept a request to establish IKE-SA: remote_ip
Mar 27 10:03:53 uhm-dev racoon: INFO: initiate new phase 1 negotiation: my_ip[500]<=>remote_ip[500]
Mar 27 10:03:53 uhm-dev racoon: INFO: begin Aggressive mode.
Mar 27 10:03:53 uhm-dev racoon: oakley_dh_generate(MODP1024): 0.004148
Mar 27 10:03:53 uhm-dev racoon: phase1(agg I msg1): 0.005251
Mar 27 10:03:54 uhm-dev racoon: oakley_dh_compute(MODP1024): 0.001805
Mar 27 10:03:54 uhm-dev racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 27 10:03:54 uhm-dev racoon: alg_oakley_hmacdef_one(hmac_sha1 size=36): 0.000027
Mar 27 10:03:54 uhm-dev racoon: alg_oakley_hmacdef_one(hmac_sha1 size=145): 0.000005
Mar 27 10:03:54 uhm-dev racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000005
Mar 27 10:03:54 uhm-dev racoon: alg_oakley_hmacdef_one(hmac_sha1 size=165): 0.000005
Mar 27 10:03:54 uhm-dev racoon: alg_oakley_hmacdef_one(hmac_sha1 size=1): 0.000004
Mar 27 10:03:54 uhm-dev racoon: alg_oakley_hmacdef_one(hmac_sha1 size=20): 0.000004
Mar 27 10:03:54 uhm-dev racoon: alg_oakley_hmacdef_one(hmac_sha1 size=328): 0.000004
Mar 27 10:03:54 uhm-dev racoon: oakley_validate_auth(pre-shared key): 0.000022
Mar 27 10:03:54 uhm-dev racoon: alg_oakley_hmacdef_one(hmac_sha1 size=328): 0.000005
Mar 27 10:03:54 uhm-dev racoon: phase1(agg I msg2): 0.002322
Mar 27 10:03:54 uhm-dev racoon: phase1(Aggressive): 0.935763
Mar 27 10:03:54 uhm-dev racoon: INFO: ISAKMP-SA established my_ip[500]-remote_ip[500] spi:c7bc2b5b864f3b7a:22fc1aad4ee36283
and then silence: phase 2 does not start, and no new interface appears.
racoon.conf:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/cert";
log info;
padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}
listen
{
isakmp 62.49.133.166 [500];
}
timer
{
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.
phase1 30 sec;
phase2 15 sec;
}
## IKE phase 1
remote 195.60.16.4
{
my_identifier address 62.49.133.166;
exchange_mode aggressive,main;
initial_contact off;
proposal {
encryption_algorithm 3des;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
}
## IKE phase 2
sainfo address 192.168.1.0/24 any address 192.168.0.0/24 any {
#sainfo anonymous {
pfs_group 2; # pfs_group modp768;
encryption_algorithm 3des;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
lifetime time 3600 sec;
}
setkey.conf:
#!/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.1.0/24 192.168.0.0/24 any -P out ipsec esp/tunnel/my_ip-remote_ip/require;
spdadd 192.168.0.0/24 192.168.1.0/24 any -P in ipsec esp/tunnel/remote_ip-my_ip/require;
psk.txt:
remote_ip *********
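As an added example (not part of the post), a small Python checker that runs over the racoon log lines quoted above and reports at which IKEv1 milestone the negotiation stopped; the phase 2 lines in HEALTHY_LOG are constructed, and their wording is assumed from racoon's usual output rather than taken from the post.

```python
import re

# Racoon log excerpt copied from the post above (the real phase 1 lines).
STALLED_LOG = """\
Mar 27 10:03:53 uhm-dev racoon: INFO: initiate new phase 1 negotiation: my_ip[500]<=>remote_ip[500]
Mar 27 10:03:53 uhm-dev racoon: INFO: begin Aggressive mode.
Mar 27 10:03:54 uhm-dev racoon: NOTIFY: couldn't find the proper pskey, try to get one by the peer's address.
Mar 27 10:03:54 uhm-dev racoon: INFO: ISAKMP-SA established my_ip[500]-remote_ip[500] spi:c7bc2b5b864f3b7a:22fc1aad4ee36283
"""

# Constructed continuation showing what a completed phase 2 adds; the exact
# message wording is assumed from racoon's usual output, not taken from the post.
HEALTHY_LOG = STALLED_LOG + """\
Mar 27 10:03:55 uhm-dev racoon: INFO: initiate new phase 2 negotiation: my_ip[500]<=>remote_ip[500]
Mar 27 10:03:55 uhm-dev racoon: INFO: IPsec-SA established: ESP/Tunnel remote_ip[0]->my_ip[0] spi=12345678(0xbc614e)
"""

# IKEv1 milestones racoon logs, in the order they must occur.
MILESTONES = [
    ("phase1_init", re.compile(r"initiate new phase 1 negotiation")),
    ("aggressive", re.compile(r"begin Aggressive mode")),
    ("phase1_done", re.compile(r"ISAKMP-SA established")),
    ("phase2_init", re.compile(r"initiate new phase 2 negotiation")),
    ("phase2_done", re.compile(r"IPsec-SA established")),
]

def analyse(log: str) -> dict:
    """Return which milestones were reached and a list of finding codes."""
    seen = {name: False for name, _ in MILESTONES}
    for line in log.splitlines():
        for name, pattern in MILESTONES:
            if pattern.search(line):
                seen[name] = True
    findings = []
    if seen["phase1_done"] and not seen["phase2_init"]:
        # ISAKMP-SA is up but nothing asked for an IPsec-SA: with address-based
        # sainfo, racoon starts phase 2 only when the kernel reports traffic that
        # matches an SPD 'require' policy (or when the peer initiates), so the SPD
        # selectors and the traffic source are the first things to verify.
        findings.append("phase1-ok-no-phase2")
    if seen["phase2_init"] and not seen["phase2_done"]:
        findings.append("phase2-failed")  # proposal / sainfo mismatch territory
    if seen["aggressive"]:
        # Aggressive mode with a pre-shared key exposes the PSK-derived hash to
        # offline guessing; main mode is preferable where the peer supports it.
        findings.append("aggressive-mode-psk")
    return {"seen": seen, "findings": findings}

if __name__ == "__main__":
    for label, log in (("post", STALLED_LOG), ("healthy", HEALTHY_LOG)):
        print(label, analyse(log)["findings"])
```

Policy-based IPsec configured with setkey creates no new network interface; once phase 2 completes, the tunnel shows up as SAs in `setkey -D` and policies in `setkey -DP`.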