IPsec and racoon in transport mode
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

maybe someone can help me: I am trying to encrypt the connection between two hosts using IPsec and racoon. Unfortunately it does not work as intended.... here are a few details:

- -----------------------------------------------------------------------
# /usr/sbin/setkey -f
# Flush the SAD and SPD
flush;
spdflush;

# Outbound: packets from 192.168.1.10 to 192.168.1.12 must be protected
# by ESP and AH in transport mode
spdadd 192.168.1.10[any] 192.168.1.12[any] any -P out ipsec
       esp/transport/192.168.1.10-192.168.1.12/require
       ah/transport/192.168.1.10-192.168.1.12/require;

# Inbound: the mirror of the above for packets from 192.168.1.12
spdadd 192.168.1.12[any] 192.168.1.10[any] any -P in ipsec
       esp/transport/192.168.1.12-192.168.1.10/require
       ah/transport/192.168.1.12-192.168.1.10/require;
- -----------------------------------------------------------------------

and racoon.conf

- -----------------------------------------------------------------------
# Phase 1 (IKE) proposal for the peer 192.168.1.12
remote 192.168.1.12 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

# Phase 2 (IPsec SA) parameters, selected by the selectors of the policy
# that triggered the ACQUIRE
sainfo address 192.168.1.0/24 any address 192.168.1.0/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
- -----------------------------------------------------------------------

After starting racoon and pinging the other host I get this message, but no connection:

2004-03-12 22:58:19: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ACQUIRE message
2004-03-12 22:58:19: DEBUG: pfkey.c:1548:pk_recvacquire(): suitable outbound SP found: 192.168.1.12/32[0] 192.168.1.10/32[0] proto=any dir=out.
2004-03-12 22:58:19: DEBUG: policy.c:183:cmpspidxstrict(): sub:0xbffff480: 192.168.1.10/32[0] 192.168.1.12/32[0] proto=any dir=in
2004-03-12 22:58:19: DEBUG: policy.c:184:cmpspidxstrict(): db :0x809f490: 192.168.1.10/32[0] 192.168.1.12/32[0] proto=any dir=in
2004-03-12 22:58:19: DEBUG: pfkey.c:1564:pk_recvacquire(): suitable inbound SP found: 192.168.1.10/32[0] 192.168.1.12/32[0] proto=any dir=in.
2004-03-12 22:58:19: DEBUG: pfkey.c:1603:pk_recvacquire(): new acquire 192.168.1.12/32[0] 192.168.1.10/32[0] proto=any dir=out
2004-03-12 22:58:19: ERROR: pfkey.c:1633:pk_recvacquire(): failed to get sainfo.

Maybe someone can help me ....

thx Frank
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iQCVAwUBQFIz+/qrCi15ZonmAQKZrgP/T8HxzogEGV0ludaVxpQraBC9Aq6wy0nl
PDCIiStDOHKo7mU6os1bZ3WjasmInRbll6TG0FHUnVVMEXd7GMKOJZX4G9yjqZSC
tFgTKsiuMv7D7GZUZdlCJha3+4kw4m750R6LXcj0f27euQ7Xx3hspBigx4gpR1HQ
FemrY3mFruA=
=h/3D
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Oh sorry, ... here is the English version ;)

Possibly someone can help me. I'm trying to secure a connection between two hosts. I've configured setkey:

- -----------------------------------------------------------------------
# /usr/sbin/setkey -f
# Flush the SAD and SPD
flush;
spdflush;

# Outbound: packets from 192.168.1.10 to 192.168.1.12 must be protected
# by ESP and AH in transport mode
spdadd 192.168.1.10[any] 192.168.1.12[any] any -P out ipsec
       esp/transport/192.168.1.10-192.168.1.12/require
       ah/transport/192.168.1.10-192.168.1.12/require;

# Inbound: the mirror of the above for packets from 192.168.1.12
spdadd 192.168.1.12[any] 192.168.1.10[any] any -P in ipsec
       esp/transport/192.168.1.12-192.168.1.10/require
       ah/transport/192.168.1.12-192.168.1.10/require;
- -----------------------------------------------------------------------

and racoon.conf

- -----------------------------------------------------------------------
# Phase 1 (IKE) proposal for the peer 192.168.1.12
remote 192.168.1.12 {
        exchange_mode main;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group modp1024;
        }
}

# Phase 2 (IPsec SA) parameters, selected by the selectors of the policy
# that triggered the ACQUIRE
sainfo address 192.168.1.0/24 any address 192.168.1.0/24 any {
        pfs_group modp768;
        encryption_algorithm 3des;
        authentication_algorithm hmac_md5;
        compression_algorithm deflate;
}
- -----------------------------------------------------------------------

After starting racoon and trying to ping the other host, I get these messages and no connection:

2004-03-12 22:58:19: DEBUG: pfkey.c:195:pfkey_handler(): get pfkey ACQUIRE message
2004-03-12 22:58:19: DEBUG: pfkey.c:1548:pk_recvacquire(): suitable outbound SP found: 192.168.1.12/32[0] 192.168.1.10/32[0] proto=any dir=out.
2004-03-12 22:58:19: DEBUG: policy.c:183:cmpspidxstrict(): sub:0xbffff480: 192.168.1.10/32[0] 192.168.1.12/32[0] proto=any dir=in
2004-03-12 22:58:19: DEBUG: policy.c:184:cmpspidxstrict(): db :0x809f490: 192.168.1.10/32[0] 192.168.1.12/32[0] proto=any dir=in
2004-03-12 22:58:19: DEBUG: pfkey.c:1564:pk_recvacquire(): suitable inbound SP found: 192.168.1.10/32[0] 192.168.1.12/32[0] proto=any dir=in.
2004-03-12 22:58:19: DEBUG: pfkey.c:1603:pk_recvacquire(): new acquire 192.168.1.12/32[0] 192.168.1.10/32[0] proto=any dir=out
2004-03-12 22:58:19: ERROR: pfkey.c:1633:pk_recvacquire(): failed to get sainfo.

Can someone help me please? What have I done wrong?

thx Frank
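Why racoon answers this ACQUIRE with `failed to get sainfo`, shown as an added example that is not part of the thread and not racoon's own code. The script below is a small Python model of racoon's sainfo lookup, fed the `new acquire` line from the log above. The kernel's ACQUIRE carries the selectors of the outbound policy, 192.168.1.12/32 and 192.168.1.10/32, which racoon turns into host IDs because the prefix is full length; the posted `sainfo address 192.168.1.0/24 any address 192.168.1.0/24 any` turns into subnet IDs, and a subnet ID is a different ID type from a host ID, so no sainfo matches and racoon gives up before it even contacts the peer. The `Id` and `Sainfo` classes, the ID type names and the `lookup` helper are this example's own; ports and upper-layer protocol, which are `any` on both sides in the post, are left out; the match rule is an exact type-and-value comparison, which is how racoon of this thread's era behaved (later ipsec-tools releases are more lenient with subnet selectors, but the two fixes the script shows work on every version).

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Phase-2 ID types as racoon distinguishes them (names are this example's
# own; racoon's real constants live in its ipsec_doi.h).
ID_IPV4_ADDR = "IPV4_ADDR"                # a single host, prefix /32
ID_IPV4_ADDR_SUBNET = "IPV4_ADDR_SUBNET"  # a subnet, prefix shorter than /32


@dataclass(frozen=True)
class Id:
    type: str
    net: ipaddress.IPv4Network   # a /32 network for a host ID


@dataclass(frozen=True)
class Sainfo:
    name: str
    src: Optional[Id]  # None on both sides == "sainfo anonymous"
    dst: Optional[Id]


def id_from_selector(spec: str) -> Id:
    """Derive the phase-2 ID racoon builds from an address selector, whether it
    comes from an SPD entry (via the kernel's ACQUIRE) or from a sainfo
    address clause: a full-length prefix gives a host ID, anything shorter a
    subnet ID. Ports and upper-layer protocol are 'any' everywhere in the
    posted configuration and are left out of this model."""
    net = ipaddress.ip_network(spec if "/" in spec else spec + "/32", strict=False)
    kind = ID_IPV4_ADDR if net.prefixlen == 32 else ID_IPV4_ADDR_SUBNET
    return Id(kind, net)


ACQUIRE_RE = re.compile(
    r"new acquire (\S+?)/(\d+)\[\d+\] (\S+?)/(\d+)\[\d+\] proto=(\S+) dir=(\w+)"
)


def parse_acquire(log: str) -> Tuple[Id, Id, str, str]:
    """Extract (src, dst, proto, dir) from racoon's 'new acquire' debug line,
    i.e. the selectors of the outbound SP that triggered the ACQUIRE."""
    for line in log.splitlines():
        m = ACQUIRE_RE.search(line)
        if m:
            src = id_from_selector(f"{m.group(1)}/{m.group(2)}")
            dst = id_from_selector(f"{m.group(3)}/{m.group(4)}")
            return src, dst, m.group(5), m.group(6)
    raise ValueError("no 'new acquire' line in log")


def ids_match(target: Id, selector: Id) -> bool:
    """A sainfo selector matches only when ID type and value are identical:
    a /24 subnet ID is a different type from a /32 host ID and never matches it."""
    return target.type == selector.type and target.net == selector.net


def getsainfo(src: Id, dst: Id, table: List[Sainfo]) -> Optional[Sainfo]:
    """Model of racoon's getsainfo(): the first sainfo whose source and
    destination selectors both match wins; 'anonymous' is only the fallback."""
    anonymous = None
    for s in table:
        if s.src is None or s.dst is None:
            anonymous = s
            continue
        if ids_match(src, s.src) and ids_match(dst, s.dst):
            return s
    return anonymous


def lookup(log: str, table: List[Sainfo]) -> str:
    """Name of the sainfo racoon would pick for the ACQUIRE in `log`, or the
    error text from the thread when none matches."""
    src, dst, _proto, _direction = parse_acquire(log)
    hit = getsainfo(src, dst, table)
    return hit.name if hit is not None else "failed to get sainfo"


# The two relevant lines from the log posted in the thread.
POSTED_LOG = """\
2004-03-12 22:58:19: DEBUG: pfkey.c:1603:pk_recvacquire(): new acquire 192.168.1.12/32[0] 192.168.1.10/32[0] proto=any dir=out
2004-03-12 22:58:19: ERROR: pfkey.c:1633:pk_recvacquire(): failed to get sainfo.
"""

# The sainfo as posted: a /24 subnet selector on each side.
POSTED_SAINFO = Sainfo("posted /24 sainfo",
                       id_from_selector("192.168.1.0/24"),
                       id_from_selector("192.168.1.0/24"))

# Fix 1: selectors identical to the outbound SP in the log (source first).
HOST_SAINFO = Sainfo("host-to-host sainfo",
                     id_from_selector("192.168.1.12"),
                     id_from_selector("192.168.1.10"))

# Fix 2: 'sainfo anonymous', which accepts any selectors.
ANON_SAINFO = Sainfo("sainfo anonymous", None, None)


if __name__ == "__main__":
    for table in ([POSTED_SAINFO], [HOST_SAINFO], [POSTED_SAINFO, ANON_SAINFO]):
        print([s.name for s in table], "->", lookup(POSTED_LOG, table))
```

In racoon.conf terms the two fixes are `sainfo address 192.168.1.12 any address 192.168.1.10 any { ... }`, with the local address first (the source of the outbound policy, mirrored on the peer), or `sainfo anonymous { ... }`. Two further checks against the posted data: the log's outbound policy runs from 192.168.1.12 to 192.168.1.10 while the posted `spdadd ... -P out` runs from .10 to .12, so on the host that runs racoon confirm with `setkey -DP` that the `out` entry's source is its own address and that the `remote` block names the peer rather than the host itself; and the proposal (3DES, MD5, modp768 for PFS, and AH stacked on an ESP that hmac_md5 already authenticates) reflects 2004 defaults rather than anything to deploy now: modp768 is far too small, 3DES and MD5 are deprecated, and AH in transport mode stops working as soon as a NAT sits between the hosts.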
participants (1)
-
Frank Herchet (mailings)