
Problem establishing a connection with racoon (tunnel)


Hello,

I have been experimenting with racoon in order to understand how an IPsec connection is set up.

The situation is that I have 2 machines: ubuvmsrv01 and ubuvmsrv02.

Ubuvmsrv01 (eth2: 10.0.0.1/30 // eth3: 172.16.1.1/29) has ubuvmsrv02 (eth2: 10.0.0.2/30 // eth3: 172.16.2.1/29) as its peer.

When I run /etc/init.d/racoon stop => /etc/init.d/setkey restart => /etc/init.d/racoon start one after the other, I see the following entries in the log, which actually looks quite good:

ubuvmsrv01:

Sep 21 15:13:26 ubuvmsrv01 racoon: INFO: caught signal 15
Sep 21 15:13:27 ubuvmsrv01 racoon: INFO: racoon shutdown
Sep 21 15:13:37 ubuvmsrv01 racoon: INFO: @(#)ipsec-tools 0.7 (IPsec Tools Homepage)
Sep 21 15:13:37 ubuvmsrv01 racoon: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (OpenSSL: The Open Source toolkit for SSL/TLS)
Sep 21 15:13:37 ubuvmsrv01 racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Sep 21 15:13:38 ubuvmsrv01 racoon: INFO: Resize address pool from 0 to 255
Sep 21 15:13:38 ubuvmsrv01 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
Sep 21 15:13:38 ubuvmsrv01 racoon: INFO: 127.0.0.1[500] used for NAT-T
Sep 21 15:13:38 ubuvmsrv01 racoon: INFO: 192.168.1.10[500] used as isakmp port (fd=8)
Sep 21 15:13:38 ubuvmsrv01 racoon: INFO: 192.168.1.10[500] used for NAT-T
Sep 21 15:13:38 ubuvmsrv01 racoon: INFO: 192.168.3.10[500] used as isakmp port (fd=9)
Sep 21 15:13:38 ubuvmsrv01 racoon: INFO: 192.168.3.10[500] used for NAT-T
Sep 21 15:13:38 ubuvmsrv01 racoon: INFO: 10.0.0.1[500] used as isakmp port (fd=10)
Sep 21 15:13:38 ubuvmsrv01 racoon: INFO: 10.0.0.1[500] used for NAT-T
Sep 21 15:13:38 ubuvmsrv01 racoon: INFO: 172.16.1.1[500] used as isakmp port (fd=11)
Sep 21 15:13:38 ubuvmsrv01 racoon: INFO: 172.16.1.1[500] used for NAT-T
Sep 21 15:13:38 ubuvmsrv01 racoon: INFO: ::1[500] used as isakmp port (fd=12)
Sep 21 15:13:38 ubuvmsrv01 racoon: INFO: fe80::20c:29ff:fed9:9369%eth0[500] used as isakmp port (fd=13)
Sep 21 15:13:38 ubuvmsrv01 racoon: INFO: fe80::20c:29ff:fed9:9373%eth1[500] used as isakmp port (fd=14)
Sep 21 15:13:38 ubuvmsrv01 racoon: INFO: fe80::20c:29ff:fed9:937d%eth2[500] used as isakmp port (fd=15)
Sep 21 15:13:38 ubuvmsrv01 racoon: INFO: fe80::20c:29ff:fed9:9387%eth3[500] used as isakmp port (fd=16)

ubuvmsrv02:

Sep 21 15:13:03 ubuvmsrv02 racoon: INFO: @(#)ipsec-tools 0.7 (IPsec Tools Homepage)
Sep 21 15:13:03 ubuvmsrv02 racoon: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (OpenSSL: The Open Source toolkit for SSL/TLS)
Sep 21 15:13:03 ubuvmsrv02 racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
Sep 21 15:13:04 ubuvmsrv02 racoon: INFO: Resize address pool from 0 to 255
Sep 21 15:13:04 ubuvmsrv02 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
Sep 21 15:13:04 ubuvmsrv02 racoon: INFO: 127.0.0.1[500] used for NAT-T
Sep 21 15:13:04 ubuvmsrv02 racoon: INFO: 192.168.1.11[500] used as isakmp port (fd=8)
Sep 21 15:13:04 ubuvmsrv02 racoon: INFO: 192.168.1.11[500] used for NAT-T
Sep 21 15:13:04 ubuvmsrv02 racoon: INFO: 192.168.3.11[500] used as isakmp port (fd=9)
Sep 21 15:13:04 ubuvmsrv02 racoon: INFO: 192.168.3.11[500] used for NAT-T
Sep 21 15:13:04 ubuvmsrv02 racoon: INFO: 10.0.0.2[500] used as isakmp port (fd=10)
Sep 21 15:13:04 ubuvmsrv02 racoon: INFO: 10.0.0.2[500] used for NAT-T
Sep 21 15:13:04 ubuvmsrv02 racoon: INFO: 172.16.2.1[500] used as isakmp port (fd=11)
Sep 21 15:13:04 ubuvmsrv02 racoon: INFO: 172.16.2.1[500] used for NAT-T
Sep 21 15:13:04 ubuvmsrv02 racoon: INFO: ::1[500] used as isakmp port (fd=12)
Sep 21 15:13:04 ubuvmsrv02 racoon: INFO: fe80::20c:29ff:fe7b:ff3%eth0[500] used as isakmp port (fd=13)
Sep 21 15:13:04 ubuvmsrv02 racoon: INFO: fe80::20c:29ff:fe7b:ffd%eth1[500] used as isakmp port (fd=14)
Sep 21 15:13:04 ubuvmsrv02 racoon: INFO: fe80::20c:29ff:fe7b:f07%eth2[500] used as isakmp port (fd=15)
Sep 21 15:13:04 ubuvmsrv02 racoon: INFO: fe80::20c:29ff:fe7b:f11%eth3[500] used as isakmp port (fd=16)

A ping from 172.16.1.1 to 172.16.2.1 and vice versa is successful, but no tunnel is established.

Here is the config:

ubuvmsrv01

setkey.conf

#!/bin/sh
flush;
spdflush;
spdadd 172.16.1.0/29 172.16.2.0/29 any -P out ipsec
       esp/tunnel/10.0.0.1-10.0.0.2/require;
# ah/tunnel/192.168.1.10-192.168.1.11/require;
spdadd 172.16.2.0/29 172.16.1.0/29 any -P in ipsec
       esp/tunnel/10.0.0.2-10.0.0.1/require;
#

racoon.conf

path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";

remote 10.0.0.2 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
        generate_policy off;
}

sainfo address 172.16.1.0/29 any address 172.16.2.0/29 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

ubuvmsrv02

setkey.conf

#!/bin/sh
flush;
spdflush;
spdadd 172.16.2.0/29 172.16.1.0/29 any -P out ipsec
       esp/tunnel/10.0.0.2-10.0.0.1/require;
# ah/tunnel/192.168.1.11-192.168.1.10/require;
spdadd 172.16.1.0/29 172.16.2.0/29 any -P in ipsec
       esp/tunnel/10.0.0.1-10.0.0.2/require;
# ah/tunnel/192.168.1.10-192.168.1.11/require;

racoon.conf

path pre_shared_key "/etc/racoon/psk.txt";
#path certificate "/etc/racoon/certs";

remote 10.0.0.1 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
        generate_policy off;
}

sainfo address 172.16.2.0/29 any address 172.16.1.0/29 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}

Destination     Gateway         Genmask           Flags Metric Ref  Use Iface
10.0.0.0        *               255.255.255.252   U     0      0      0 eth2
172.16.2.0      *               255.255.255.248   U     0      0      0 eth3
172.16.1.0      *               255.255.255.248   U     0      0      0 eth2

I have of course adapted /etc/init.d/setkey because of the setkey.conf :-)

I am wondering why the tunnel does not come up. Is something wrong with the policies??

Because actually it should set up an SA on a ping from 172.16.1.1 to 172.16.2.1, shouldn't it??

Edited by engelinzivil71
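As an added consistency check (not part of the original post or of ipsec-tools), the following Python script parses the two setkey.conf SPD entries and the ubuvmsrv01 sainfo selector quoted above, constructed inline, and verifies that every policy on one host has its mirror-image counterpart on the peer and that each outbound policy is covered by a sainfo block; a mismatch there is a common reason the kernel never asks racoon to negotiate a Phase 2 SA, and the script also flags it for any deliberately broken input.

```python
import re

# Constructed excerpts of the two setkey.conf files and ubuvmsrv01's racoon.conf from the post.
SRV01_SPD = """
spdadd 172.16.1.0/29 172.16.2.0/29 any -P out ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;
spdadd 172.16.2.0/29 172.16.1.0/29 any -P in ipsec esp/tunnel/10.0.0.2-10.0.0.1/require;
"""
SRV02_SPD = """
spdadd 172.16.2.0/29 172.16.1.0/29 any -P out
ipsec esp/tunnel/10.0.0.2-10.0.0.1/require;
spdadd 172.16.1.0/29 172.16.2.0/29 any -P in ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;
"""
SRV01_RACOON = "sainfo address 172.16.1.0/29 any address 172.16.2.0/29 any { pfs_group modp768; }"

# One spdadd statement: src dst upper-proto -P dir ipsec proto/tunnel/tsrc-tdst/level
SPD_RE = re.compile(
    r"spdadd\s+(\S+)\s+(\S+)\s+(\S+)\s+-P\s+(in|out)\s+ipsec\s+"
    r"(\w+)/tunnel/([\d.]+)-([\d.]+)/(\w+)")
SAINFO_RE = re.compile(r"sainfo\s+address\s+(\S+)\s+\S+\s+address\s+(\S+)\s+\S+")

def parse_spd(text):
    """Return the set of spdadd tuples; setkey treats newlines as whitespace, so join first."""
    flat = " ".join(l for l in text.splitlines() if not l.strip().startswith("#"))
    return {m.groups() for m in (SPD_RE.search(s) for s in flat.split(";")) if m}

def mirror(policy):
    """The peer must hold the same selectors and tunnel endpoints with the direction flipped."""
    src, dst, proto, direction, ipproto, tsrc, tdst, level = policy
    return (src, dst, proto, "in" if direction == "out" else "out", ipproto, tsrc, tdst, level)

def check_peers(local_text, peer_text):
    """List local policies that have no mirror-image counterpart on the peer."""
    local, peer = parse_spd(local_text), parse_spd(peer_text)
    return sorted(p for p in local if mirror(p) not in peer)

def uncovered_by_sainfo(racoon_text, spd_text):
    """List outbound policies whose selectors match no sainfo block (racoon cannot do Phase 2)."""
    sainfos = set(SAINFO_RE.findall(racoon_text))
    return [p for p in parse_spd(spd_text) if p[3] == "out" and (p[0], p[1]) not in sainfos]

if __name__ == "__main__":
    for name, a, b in (("ubuvmsrv01", SRV01_SPD, SRV02_SPD), ("ubuvmsrv02", SRV02_SPD, SRV01_SPD)):
        print(name, "policies without a peer counterpart:", check_peers(a, b))
    print("ubuvmsrv01 outbound policies not covered by sainfo:",
          uncovered_by_sainfo(SRV01_RACOON, SRV01_SPD))
```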

Archive

This topic has been archived and can no longer be replied to.
