[Comm] FreeS/WAN
Peter Teslenko
inkyspot на home.ru
Чт Июл 29 17:36:56 MSD 2004
Hello Peter,
Может кто-то все-таки в курсе...
После всех мытарств имею это.
На одной стороне
root@relay:/etc# ipsec auto --status
000 interface ipsec0/eth0 81.23.107.58
000 %myid = (none)
000 debug none
000
000 "mcicb-to-kirza": 192.168.1.0/24===81.23.107.58[@relay.mcbfa.ru]---81.23.107.57...82.140.78.49---82.140.78.50[@kirza]===192.168.4.0/24; erouted; eroute owner: #3
000 "mcicb-to-kirza": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "mcicb-to-kirza": policy: RSASIG+ENCRYPT+PFS+UP; prio: 24,24; interface: eth0;
000 "mcicb-to-kirza": newest ISAKMP SA: #1; newest IPsec SA: #3;
000
000 #3: "mcicb-to-kirza" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2227s; newest IPSEC; eroute owner
000 #3: "mcicb-to-kirza" esp.839d3fe5@82.140.78.50 esp.f3d562a@81.23.107.58 tun.1004@82.140.78.50 tun.1003@81.23.107.58
000 #2: "mcicb-to-kirza" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1915s
000 #2: "mcicb-to-kirza" esp.839d3fe4@82.140.78.50 esp.f3d5629@81.23.107.58 tun.1002@82.140.78.50 tun.1001@81.23.107.58
000 #1: "mcicb-to-kirza" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1913s; newest ISAKMP
000
root@relay:/etc# ipsec look
relay Thu Jul 29 17:32:29 MSD 2004
192.168.1.0/24 -> 192.168.4.0/24 => tun0x1004@82.140.78.50 esp0x839d3fe5@82.140.78.50 (0)
ipsec0->eth0 mtu=16260(1500)->1500
esp0x839d3fe4@82.140.78.50 ESP_3DES_HMAC_MD5: dir=out src=81.23.107.58 iv_bits=64bits iv=0xdba4202aa496401e ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1149,0,0) refcount=4 ref=12
esp0x839d3fe5@82.140.78.50 ESP_3DES_HMAC_MD5: dir=out src=81.23.107.58 iv_bits=64bits iv=0x24ee0969fa54db40 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1121,0,0) refcount=4 ref=22
esp0xf3d5629@81.23.107.58 ESP_3DES_HMAC_MD5: dir=in src=82.140.78.50 iv_bits=64bits iv=0x6c1971b7b874ec50 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1149,0,0) refcount=4 ref=7
esp0xf3d562a@81.23.107.58 ESP_3DES_HMAC_MD5: dir=in src=82.140.78.50 iv_bits=64bits iv=0x0acc4398258c1634 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1121,0,0) refcount=4 ref=17
tun0x1001@81.23.107.58 IPIP: dir=in src=82.140.78.50 policy=192.168.4.0/24->192.168.1.0/24 flags=0x8<> life(c,s,h)=addtime(1149,0,0) refcount=4 ref=6
tun0x1002@82.140.78.50 IPIP: dir=out src=81.23.107.58 life(c,s,h)=addtime(1149,0,0) refcount=4 ref=11
tun0x1003@81.23.107.58 IPIP: dir=in src=82.140.78.50 policy=192.168.4.0/24->192.168.1.0/24 flags=0x8<> life(c,s,h)=addtime(1121,0,0) refcount=4 ref=16
tun0x1004@82.140.78.50 IPIP: dir=out src=81.23.107.58 life(c,s,h)=addtime(1121,0,0) refcount=4 ref=21
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 81.23.107.57 0.0.0.0 UG 0 0 0 eth0
192.168.4.0 81.23.107.57 255.255.255.0 UG 0 0 0 ipsec0
81.23.107.56 0.0.0.0 255.255.255.248 U 0 0 0 eth0
81.23.107.56 0.0.0.0 255.255.255.248 U 0 0 0 ipsec0
root@relay:/etc# ip route ls
81.23.107.56/29 dev eth0 proto kernel scope link src 81.23.107.58
81.23.107.56/29 dev ipsec0 proto kernel scope link src 81.23.107.58
192.168.4.0/24 via 81.23.107.57 dev ipsec0
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
127.0.0.0/8 dev lo scope link
default via 81.23.107.57 dev eth0 metric 1
root@relay:/etc# ip link ls
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:04:75:d6:af:97 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:04:75:86:b7:9b brd ff:ff:ff:ff:ff:ff
165: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:04:75:d6:af:97 brd ff:ff:ff:ff:ff:ff
166: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
link/void
167: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/void
168: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/void
на другой стороне
root@kirza-gw:/etc# ipsec auto --status
000 interface ipsec0/eth0 82.140.78.50
000 %myid = (none)
000 debug none
000
000 "mcicb-to-kirza": 192.168.4.0/24===82.140.78.50[@kirza]---82.140.78.49...81.23.107.57---81.23.107.58[@relay.mcbfa.ru]===192.168.1.0/24; erouted; eroute owner: #3
000 "mcicb-to-kirza": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "mcicb-to-kirza": policy: RSASIG+ENCRYPT+PFS+UP; prio: 24,24; interface: eth0;
000 "mcicb-to-kirza": newest ISAKMP SA: #1; newest IPsec SA: #3;
000
000 #3: "mcicb-to-kirza" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2015s; newest IPSEC; eroute owner
000 #3: "mcicb-to-kirza" esp.f3d562a@81.23.107.58 esp.839d3fe5@82.140.78.50 tun.1004@81.23.107.58 tun.1003@82.140.78.50
000 #2: "mcicb-to-kirza" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2593s
000 #2: "mcicb-to-kirza" esp.f3d5629@81.23.107.58 esp.839d3fe4@82.140.78.50 tun.1002@81.23.107.58 tun.1001@82.140.78.50
000 #1: "mcicb-to-kirza" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2592s; newest ISAKMP
000
root@kirza-gw:/etc# ipsec look
kirza-gw Thu Jul 29 17:33:33 MSD 2004
192.168.4.0/24 -> 192.168.1.0/24 => tun0x1004@81.23.107.58 esp0xf3d562a@81.23.107.58 (0)
ipsec0->eth0 mtu=16260(1500)->1500
esp0x839d3fe4@82.140.78.50 ESP_3DES_HMAC_MD5: dir=in src=81.23.107.58 iv_bits=64bits iv=0x2f15d51807468f83 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1232,0,0) refcount=4 ref=7
esp0x839d3fe5@82.140.78.50 ESP_3DES_HMAC_MD5: dir=in src=81.23.107.58 iv_bits=64bits iv=0x7db1c68d6b4f0293 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1204,0,0) refcount=4 ref=17
esp0xf3d5629@81.23.107.58 ESP_3DES_HMAC_MD5: dir=out src=82.140.78.50 iv_bits=64bits iv=0x9c76bb93305216de ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1232,0,0) refcount=4 ref=12
esp0xf3d562a@81.23.107.58 ESP_3DES_HMAC_MD5: dir=out src=82.140.78.50 iv_bits=64bits iv=0x8d21300139aa0ee0 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1204,0,0) refcount=4 ref=22
tun0x1001@82.140.78.50 IPIP: dir=in src=81.23.107.58 policy=192.168.1.0/24->192.168.4.0/24 flags=0x8<> life(c,s,h)=addtime(1232,0,0) refcount=4 ref=6
tun0x1002@81.23.107.58 IPIP: dir=out src=82.140.78.50 life(c,s,h)=addtime(1232,0,0) refcount=4 ref=11
tun0x1003@82.140.78.50 IPIP: dir=in src=81.23.107.58 policy=192.168.1.0/24->192.168.4.0/24 flags=0x8<> life(c,s,h)=addtime(1204,0,0) refcount=4 ref=16
tun0x1004@81.23.107.58 IPIP: dir=out src=82.140.78.50 life(c,s,h)=addtime(1204,0,0) refcount=4 ref=21
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 82.140.78.49 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 82.140.78.49 255.255.255.0 UG 0 0 0 ipsec0
82.140.78.48 0.0.0.0 255.255.255.252 U 0 0 0 eth0
82.140.78.48 0.0.0.0 255.255.255.252 U 0 0 0 ipsec0
root@kirza-gw:/etc# ip route ls
82.140.78.48/30 dev eth0 proto kernel scope link src 82.140.78.50
82.140.78.48/30 dev ipsec0 proto kernel scope link src 82.140.78.50
192.168.4.0/24 dev eth1 proto kernel scope link src 192.168.4.1
192.168.1.0/24 via 82.140.78.49 dev ipsec0
127.0.0.0/8 dev lo scope link
default via 82.140.78.49 dev eth0 metric 1
root@kirza-gw:/etc# ip link ls
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:e0:7d:8f:93:3a brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:30:84:3c:54:2f brd ff:ff:ff:ff:ff:ff
12: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:e0:7d:8f:93:3a brd ff:ff:ff:ff:ff:ff
13: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
link/void
14: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/void
15: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/void
ping'и не ходят :(
Скоро заработаю вывих мозга.
--
Peter Teslenko