Veröffentlicht 29. September 200915 j Hallo, hier ist meine server config: RACOON.CONF # Simple racoon.conf # path include "/etc/racoon"; include "ubudesklab02.conf"; #include "ubuvmsrv02.conf"; UBUDESKLAB02.CONF path certificate "/etc/racoon/certs"; remote anonymous { exchange_mode main; passive on; certificate_type x509 "ubuvmsrv01_cert.pem" "ubuvmsrv01_key.pem"; # peers_certfile x509 "ubudesklab02_cert.pem"; # verify_cert on; my_identifier asn1dn; peers_identifier asn1dn; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method rsasig; # authentication_method pre_shared_key; dh_group modp1024; } generate_policy on; } sainfo anonymous { pfs_group modp768; encryption_algorithm 3des; authentication_algorithm hmac_md5; compression_algorithm deflate; setkey.conf #!/bin/sh flush; spdflush; log: 2009-09-29 22:29:19: INFO: 10.0.0.1[500] used for NAT-T 2009-09-29 22:29:19: INFO: 10.0.1.1[500] used as isakmp port (fd=10) 2009-09-29 22:29:19: INFO: 10.0.1.1[500] used for NAT-T 2009-09-29 22:29:19: INFO: 172.16.1.1[500] used as isakmp port (fd=11) 2009-09-29 22:29:19: INFO: 172.16.1.1[500] used for NAT-T 2009-09-29 22:29:19: INFO: ::1[500] used as isakmp port (fd=12) 2009-09-29 22:29:19: INFO: fe80::20c:29ff:fed9:9369%eth0[500] used as isakmp port (fd=13) 2009-09-29 22:29:19: INFO: fe80::20c:29ff:fed9:9373%eth1[500] used as isakmp port (fd=14) 2009-09-29 22:29:19: INFO: fe80::20c:29ff:fed9:937d%eth2[500] used as isakmp port (fd=15) 2009-09-29 22:29:19: INFO: fe80::20c:29ff:fed9:9387%eth3[500] used as isakmp port (fd=16) 2009-09-29 22:29:31: INFO: caught signal 15 2009-09-29 22:29:32: INFO: racoon shutdown 2009-09-29 22:29:37: INFO: @(#)ipsec-tools 0.7 (IPsec Tools Homepage) 2009-09-29 22:29:37: INFO: @(#)This product linked OpenSSL 0.9.8g 19 Oct 2007 (OpenSSL: The Open Source toolkit for SSL/TLS) 2009-09-29 22:29:37: INFO: Reading configuration from "/etc/racoon/racoon.conf" 2009-09-29 22:29:37: DEBUG: call pfkey_send_register for AH 2009-09-29 
22:29:37: DEBUG: call pfkey_send_register for ESP 2009-09-29 22:29:38: DEBUG: call pfkey_send_register for IPCOMP 2009-09-29 22:29:38: INFO: Resize address pool from 0 to 255 2009-09-29 22:29:38: DEBUG: reading config file /etc/racoon/racoon.conf 2009-09-29 22:29:38: DEBUG: filename: /etc/racoon/ubudesklab02.conf 2009-09-29 22:29:38: DEBUG: reading config file /etc/racoon/ubudesklab02.conf 2009-09-29 22:29:38: DEBUG: compression algorithm can not be checked because sadb message doesn't support it. 2009-09-29 22:29:38: DEBUG: getsainfo params: loc='ANONYMOUS', rmt='ANONYMOUS', peer='NULL', id=0 2009-09-29 22:29:38: DEBUG: getsainfo pass #2 2009-09-29 22:29:38: DEBUG: open /var/run/racoon/racoon.sock as racoon management. 2009-09-29 22:29:38: DEBUG: my interface: fe80::20c:29ff:fed9:9387%eth3 (eth3) 2009-09-29 22:29:38: DEBUG: my interface: fe80::20c:29ff:fed9:937d%eth2 (eth2) 2009-09-29 22:29:38: DEBUG: my interface: fe80::20c:29ff:fed9:9373%eth1 (eth1) 2009-09-29 22:29:38: DEBUG: my interface: fe80::20c:29ff:fed9:9369%eth0 (eth0) 2009-09-29 22:29:38: DEBUG: my interface: ::1 (lo) 2009-09-29 22:29:38: DEBUG: my interface: 172.16.1.1 (eth3) 2009-09-29 22:29:38: DEBUG: my interface: 10.0.1.1 (eth2) 2009-09-29 22:29:38: DEBUG: my interface: 10.0.0.1 (eth2) 2009-09-29 22:29:38: DEBUG: my interface: 192.168.3.10 (eth1) 2009-09-29 22:29:38: DEBUG: my interface: 192.168.1.10 (eth0) 2009-09-29 22:29:38: DEBUG: my interface: 127.0.0.1 (lo) 2009-09-29 22:29:38: DEBUG: configuring default isakmp port. 
2009-09-29 22:29:38: DEBUG: 11 addrs are configured successfully 2009-09-29 22:29:38: INFO: 127.0.0.1[500] used as isakmp port (fd=6) 2009-09-29 22:29:38: INFO: 127.0.0.1[500] used for NAT-T 2009-09-29 22:29:38: INFO: 192.168.1.10[500] used as isakmp port (fd=7) 2009-09-29 22:29:38: INFO: 192.168.1.10[500] used for NAT-T 2009-09-29 22:29:38: INFO: 192.168.3.10[500] used as isakmp port (fd=8) 2009-09-29 22:29:38: INFO: 192.168.3.10[500] used for NAT-T 2009-09-29 22:29:38: INFO: 10.0.0.1[500] used as isakmp port (fd=9) 2009-09-29 22:29:38: INFO: 10.0.0.1[500] used for NAT-T 2009-09-29 22:29:38: INFO: 10.0.1.1[500] used as isakmp port (fd=10) 2009-09-29 22:29:38: INFO: 10.0.1.1[500] used for NAT-T 2009-09-29 22:29:38: INFO: 172.16.1.1[500] used as isakmp port (fd=11) 2009-09-29 22:29:38: INFO: 172.16.1.1[500] used for NAT-T 2009-09-29 22:29:38: INFO: ::1[500] used as isakmp port (fd=12) 2009-09-29 22:29:38: INFO: fe80::20c:29ff:fed9:9369%eth0[500] used as isakmp port (fd=13) 2009-09-29 22:29:38: INFO: fe80::20c:29ff:fed9:9373%eth1[500] used as isakmp port (fd=14) 2009-09-29 22:29:38: INFO: fe80::20c:29ff:fed9:937d%eth2[500] used as isakmp port (fd=15) 2009-09-29 22:29:38: INFO: fe80::20c:29ff:fed9:9387%eth3[500] used as isakmp port (fd=16) 2009-09-29 22:29:38: DEBUG: pk_recv: retry[0] recv() 2009-09-29 22:29:38: DEBUG: get pfkey X_SPDDUMP message 2009-09-29 22:29:38: DEBUG: pfkey X_SPDDUMP failed: No such file or directory ... 
2009-09-29 22:30:36: DEBUG: get pfkey UPDATE message 2009-09-29 22:30:36: DEBUG: pfkey UPDATE succeeded: AH/Transport 10.0.1.4[0]->10.0.1.1[0] spi=8954949(0x88a445) 2009-09-29 22:30:36: INFO: IPsec-SA established: AH/Transport 10.0.1.4[0]->10.0.1.1[0] spi=8954949(0x88a445) 2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv() 2009-09-29 22:30:36: DEBUG: get pfkey UPDATE message 2009-09-29 22:30:36: DEBUG: pfkey UPDATE succeeded: ESP/Transport 10.0.1.4[0]->10.0.1.1[0] spi=143781562(0x891eeba) 2009-09-29 22:30:36: INFO: IPsec-SA established: ESP/Transport 10.0.1.4[0]->10.0.1.1[0] spi=143781562(0x891eeba) 2009-09-29 22:30:36: DEBUG: === 2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv() 2009-09-29 22:30:36: DEBUG: get pfkey ADD message 2009-09-29 22:30:36: INFO: IPsec-SA established: AH/Transport 10.0.1.1[500]->10.0.1.4[500] spi=156377460(0x9522174) 2009-09-29 22:30:36: DEBUG: === 2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv() 2009-09-29 22:30:36: DEBUG: get pfkey ADD message 2009-09-29 22:30:36: INFO: IPsec-SA established: ESP/Transport 10.0.1.1[500]->10.0.1.4[500] spi=212631701(0xcac8095) 2009-09-29 22:30:36: DEBUG: === 2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv() 2009-09-29 22:30:36: DEBUG: get pfkey X_SPDUPDATE message 2009-09-29 22:30:36: ERROR: such policy does not already exist: "10.0.1.4/32[500] 10.0.1.1/32[500] proto=any dir=in" 2009-09-29 22:30:36: DEBUG: pk_recv: retry[0] recv() 2009-09-29 22:30:36: DEBUG: get pfkey X_SPDUPDATE message 2009-09-29 22:30:36: DEBUG: sub:0xbffbbd90: 10.0.1.1/32[500] 10.0.1.4/32[500] proto=any dir=out 2009-09-29 22:30:36: DEBUG: db :0x8a2e7d0: 10.0.1.4/32[500] 10.0.1.1/32[500] proto=any dir=in 2009-09-29 22:30:36: ERROR: such policy does not already exist: "10.0.1.1/32[500] 10.0.1.4/32[500] proto=any dir=out" client: setkey.conf. 
#SPD Konfig spdadd 10.0.1.4 10.0.1.1 any -P out ipsec esp/transport//require ah/transport//require; spdadd 10.0.1.1 10.0.1.4 any -P in ipsec esp/transport//require ah/transport//require; ubuvmsrv01.conf path certificate "/etc/racoon/certs"; remote 10.0.1.1 { exchange_mode main; certificate_type x509 "ubudesklab02_cert.pem" "ubudesklab02_key.pem"; # peers_certfile x509 "ubuvmsrv01_cert.pem"; # verify_cert on; my_identifier asn1dn; peers_identifier asn1dn; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method rsasig; # authentication_method pre_shared_key; dh_group modp1024; } generate_policy on; } sainfo address 10.0.1.4 any address 10.0.1.1 any { pfs_group modp768; encryption_algorithm 3des; authentication_algorithm hmac_md5; compression_algorithm deflate; } Die racoon.conf des Clients ist analog zu der des Servers aufgebaut. Warum kommt keine IPsec-Verbindung zustande? Anmerkungen beim Durchsehen: (1) Die spdadd-Zeilen oben verlangen Transport-Modus (esp/transport, ah/transport), nicht Tunnel-Modus; das Log des Servers zeigt auch, dass die AH/Transport- und ESP/Transport-SAs zwischen 10.0.1.4 und 10.0.1.1 aufgebaut wurden – Phase 1 und Phase 2 laufen also offenbar durch. Die anschließenden ERROR-Zeilen ("such policy does not already exist") betreffen nur X_SPDUPDATE-Nachrichten für Policies mit Port 500, während die spdadd-Einträge hier ohne Port angelegt sind und die setkey.conf des Servers nur flush/spdflush enthält (dort sollen die Policies durch `generate_policy on` entstehen). Auf beiden Seiten mit `setkey -DP` prüfen, welche Policies tatsächlich im Kernel stehen, und mit `setkey -D` die SAs vergleichen. (2) Im Server-Paste fehlt nach `compression_algorithm deflate;` die schließende `}` des sainfo-Blocks – vermutlich nur beim Kopieren verloren gegangen, sonst würde racoon die Konfiguration nicht laden. (3) `verify_cert` ist auf beiden Seiten nur auskommentiert; der Default in ipsec-tools ist `on`, das Peer-Zertifikat wird also gegen die CA-Zertifikate unter `path certificate` geprüft. Das ist gewollt – zum "Reparieren" nicht auf `verify_cert off` ausweichen, denn damit würde auf dem Server mit `remote anonymous` jedes beliebige Zertifikat akzeptiert. (4) Die gewählten Algorithmen (3des, hmac_md5, pfs_group modp768 / dh_group modp1024) sind für eine Testumgebung ausreichend, für den Betrieb aber schwach; sobald es läuft, auf aes, hmac_sha1 oder besser und mindestens modp2048 umstellen.