
[debian-users:53415] IPsec environment with racoon



Hello.
This is Kawaguchi.


I am trying to set up an IPsec environment with racoon on lenny, but
each machine logs "negotiation failed due to time up" and the VPN
does not come up. The setup is as follows.


[192.168.1.129]eth0 ---------------------- [192.168.1.130]eth0
                    transport mode
                    Pre-Shared Key

What I actually want is tunnel mode, but since that does not work,
I am thinking of first getting transport mode working as a baseline.

The configuration of each machine is below. The pre-shared keys are dummies.
The log of each machine follows after that.

The negotiation appears to be timing out.

If you can see what might be causing this, could you give me some advice?
Thank you in advance.



【Package installation】

$ apt-get install ipsec-tools racoon


【Configuration of machine 192.168.1.129】

file: /etc/racoon/racoon.conf

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 192.168.1.130 {
        exchange_mode main,aggressive;
        my_identifier address "192.168.1.129";
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
        generate_policy off;
}
sainfo anonymous {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

file: /etc/racoon/policy
#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd 192.168.1.129 192.168.1.130 any -P out ipsec
        esp/transport//require;

spdadd 192.168.1.130 192.168.1.129 any -P in ipsec
        esp/transport//require;

file: /etc/racoon/psk.txt
192.168.1.130      hogehoge1

【Configuration of machine 192.168.1.130】

file: /etc/racoon/racoon.conf

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
remote 192.168.1.129 {
        exchange_mode main,aggressive;
        my_identifier address "192.168.1.130";
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
        generate_policy off;
}
sainfo anonymous {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

file: /etc/racoon/policy
#!/usr/sbin/setkey -f
flush;
spdflush;

spdadd 192.168.1.130 192.168.1.129 any -P out ipsec
        esp/transport//require;

spdadd 192.168.1.129 192.168.1.130 any -P in ipsec
        esp/transport//require;

file: /etc/racoon/psk.txt
192.168.1.129      hogehoge2


Below are the logs of each machine.

at 192.168.1.129
Dec  6 23:39:10 debian2 racoon: INFO: IPsec-SA request for 192.168.1.130 queued due to no phase1 found.
Dec  6 23:39:10 debian2 racoon: INFO: initiate new phase 1 negotiation: 192.168.1.129[500]<=>192.168.1.130[500]
Dec  6 23:39:10 debian2 racoon: INFO: begin Identity Protection mode.
Dec  6 23:39:10 debian2 racoon: INFO: received Vendor ID: DPD
Dec  6 23:39:20 debian2 racoon: NOTIFY: the packet is retransmitted by 192.168.1.130[500].
Dec  6 23:39:30 debian2 racoon: NOTIFY: the packet is retransmitted by 192.168.1.130[500].
Dec  6 23:39:40 debian2 racoon: NOTIFY: the packet is retransmitted by 192.168.1.130[500].
Dec  6 23:39:41 debian2 racoon: ERROR: phase2 negotiation failed due to time up waiting for phase1. ESP 192.168.1.130[0]->192.168.1.129[0] 
Dec  6 23:39:41 debian2 racoon: INFO: delete phase 2 handler.
Dec  6 23:39:50 debian2 racoon: NOTIFY: the packet is retransmitted by 192.168.1.130[500].
Dec  6 23:40:00 debian2 racoon: ERROR: phase1 negotiation failed due to time up. 28bb1cb828679a15:a43ce8d100fd44db

at 192.168.1.130
Dec  6 23:38:19 debian racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
Dec  6 23:38:19 debian racoon: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (http://www.openssl.org/)
Dec  6 23:38:19 debian racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Dec  6 23:38:20 debian racoon: INFO: Resize address pool from 0 to 255
Dec  6 23:38:20 debian racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
Dec  6 23:38:20 debian racoon: INFO: 127.0.0.1[500] used for NAT-T
Dec  6 23:38:20 debian racoon: INFO: 192.168.1.130[500] used as isakmp port (fd=8)
Dec  6 23:38:20 debian racoon: INFO: 192.168.1.130[500] used for NAT-T
Dec  6 23:38:20 debian racoon: INFO: ::1[500] used as isakmp port (fd=9)
Dec  6 23:38:20 debian racoon: INFO: fe80::20a:e4ff:fe37:1df8%eth0[500] used as isakmp port (fd=10)
Dec  6 23:39:10 debian racoon: INFO: respond new phase 1 negotiation: 192.168.1.130[500]<=>192.168.1.129[500]
Dec  6 23:39:10 debian racoon: INFO: begin Identity Protection mode.
Dec  6 23:39:10 debian racoon: INFO: received Vendor ID: DPD
Dec  6 23:40:00 debian racoon: ERROR: phase1 negotiation failed due to time up. 28bb1cb828679a15:a43ce8d100fd44db
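A consistency check that is worth running when phase 1 stalls with retransmits and then "time up" as in the logs above: it parses the psk.txt entries and the `remote` / `my_identifier` addresses of both hosts and reports whether they are mirrored and whether both sides hold the same key. This is an added example, not from the post or from ipsec-tools; its input is constructed from the (dummy) files quoted above, so the mismatch it reports on those values is illustrative, not a diagnosis.

```python
import re

# Sample input constructed from the post: the two psk.txt files and the
# "remote" blocks of the two racoon.conf files quoted above (dummy keys).
PSK_ON_129 = "192.168.1.130      hogehoge1\n"
PSK_ON_130 = "192.168.1.129      hogehoge2\n"
CONF_ON_129 = 'remote 192.168.1.130 {\n  my_identifier address "192.168.1.129";\n}\n'
CONF_ON_130 = 'remote 192.168.1.129 {\n  my_identifier address "192.168.1.130";\n}\n'


def parse_psk(text):
    """racoon psk.txt: one 'identifier<whitespace>key' per line, '#' starts a comment."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            entries[parts[0]] = parts[1]
    return entries


def parse_remote(text):
    """Return (peer address of the first remote block, my_identifier address or None)."""
    peer = re.search(r"^\s*remote\s+(\S+)\s*\{", text, re.M)
    me = re.search(r'my_identifier\s+address\s+"([^"]+)"', text)
    return (peer.group(1) if peer else None, me.group(1) if me else None)


def check_pair(conf_a, psk_a, conf_b, psk_b):
    """Cross-check two peers; an empty list means the PSK setup is consistent."""
    peer_a, me_a = parse_remote(conf_a)
    peer_b, me_b = parse_remote(conf_b)
    keys_a, keys_b = parse_psk(psk_a), parse_psk(psk_b)
    findings = []
    # Each side's "remote" address must be the address the other side claims.
    if peer_a != me_b or peer_b != me_a:
        findings.append("remote/my_identifier addresses are not mirrored")
    # Each side needs a psk.txt line for the peer it talks to.
    if peer_a not in keys_a:
        findings.append(f"{me_a}: no psk.txt entry for {peer_a}")
    if peer_b not in keys_b:
        findings.append(f"{me_b}: no psk.txt entry for {peer_b}")
    # An IKEv1 main-mode PSK mismatch yields no explicit "wrong key" error;
    # the exchange simply stalls and times out, so compare the keys directly.
    if peer_a in keys_a and peer_b in keys_b and keys_a[peer_a] != keys_b[peer_b]:
        findings.append("pre-shared keys differ: "
                        f"{me_a} has {keys_a[peer_a]!r}, {me_b} has {keys_b[peer_b]!r}")
    return findings


print(check_pair(CONF_ON_129, PSK_ON_129, CONF_ON_130, PSK_ON_130))
```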