OpenForum RSS: ipsec ZYWALL � RACOON (Centos 6.3)

ipsec ZYWALL � RACOON (Centos 6.3) (AleR)

Thu, 21 Feb 2013 08:16:11 GMT

�� - �� IPTABLES, ��
iptables -t nat -I POSTROUTING -d 172.16.0.0/24 -j ACCEPT
iptables -I FORWARD -p all -d 172.16.0.0/24 -s 192.168.5.0/24 -j ACCEPT
iptables -I FORWARD -p all -s 172.16.0.0/24 -d 192.168.5.0/24 -j ACCEPT

� ��
��
iptables -t nat -I POSTROUTING -d 172.16.0.0/24 -j ACCEPT
�� .

ipsec ZYWALL � RACOON (Centos 6.3) (AleR)

Wed, 20 Feb 2013 13:25:11 GMT

> ��...
> �� generate_policy off � ��
> �� -- �� isakmp � ��.
> � �� .

�� racoon generate_policy off
��:
INFO: received INITIAL-CONTACT
INFO: ISAKMP-SA established 77.233.X.X[500]-109.172.Y.Y[500] spi:57ef63031a11111f:733387080b4db4cd
racoon: INFO: respond new phase 2 negotiation: 77.233.X.X[500]<=>109.172.Y.Y[500]
racoon: ERROR: no policy found: 172.16.0.0/24[0] 192.168.5.0/24[0] proto=any dir=in
racoon: ERROR: failed to get proposal for responder.

�� :
exchange_mode main, aggressive;
lifetime time 28800 sec;
generate_policy on;
nat_traversal off;
proposal
{
encryption_algorithm des;
hash_algorithm md5;
authentication_method pre_shared_key;
dh_group 2 ;
}
��, �� :
INFO: ISAKMP-SA established 77.233.X.X[500]-109.172.Y.Y[500] spi:1b1cfea85c85245a:a3d4223e8d

ipsec ZYWALL � RACOON (Centos 6.3) (a2l)

Tue, 19 Feb 2013 03:57:33 GMT

>[�� ]
> lifetime: 0(s) validtime: 0(s)
> spid=12 seq=4 pid=24844
> refcnt=1
> (per-socket policy)
> in(socket) none
> created: Feb 7
> 15:01:50 2013 lastused: Feb 13 18:52:42 2013
> lifetime: 0(s) validtime: 0(s)
> spid=3 seq=0 pid=24844
> refcnt=1

��...
�� generate_policy off � �� -- �� isakmp � ��. � �� .

ipsec ZYWALL � RACOON (Centos 6.3) (AleR)

Wed, 13 Feb 2013 15:42:09 GMT

��, �� .
� �� 192.168.5.0/24 �� 172.16.0.0/24 �� .
� �� 172.16.0.0/24 � 192.168.5.0/24 �� .
# setkey -D
77.233.X.X 109.172.Y.Y
esp mode=tunnel spi=1374467382(0x51ecb536) reqid=0(0x00000000)
E: des-cbc fcf0f034 ce49a5f2
A: hmac-sha1 02e6d408 59629bca de6f865e b37c6bb1 91db89f0
seq=0x00000000 replay=4 flags=0x00000000 state=dying
created: Feb 13 18:52:40 2013 current: Feb 13 19:44:21 2013
diff: 3101(s) hard: 3600(s) soft: 2880(s)
last: Feb 13 19:08:38 2013 hard: 0(s) soft: 0(s)
current: 1077627(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 1622 hard: 0 soft: 0
sadb_seq=1 pid=24841 refcnt=0
109.172.Y.Y 77.233.X.X
esp mode=tunnel spi=169212330(0x0a15f9aa) reqid=0(0x00000000)
E: des-cbc 587f7d54 a789e400
A: hmac-sha1 f10cc2fb 79f82122 b8cbac55 7ac56d85 7ed3ff2f
seq=0x00000000 replay=4 flags=0x00000000 state=dying

ipsec ZYWALL � RACOON (Centos 6.3) (a2l)

Wed, 13 Feb 2013 08:55:27 GMT

>> �� :
>> setkey -c << EOF
>> flush;
>> spdflush;
>> spdadd 192.168.5.0/24 172.16.0.0/24 any -P out ipsec esp/tunnel/77.233.X.X-109.172.Y.Y/require;
>> spdadd 172.16.0.0/24 192.168.5.0/24 any -P in ipsec esp/tunnel/109.172.Y.Y-77.233.X.X/require;
>> EOF
> ��, �� ....

�� setkey -D � setkey -DP ?

> � ��

�� ? 192.168.5.2?
>[�� ]
> �� <1 �� 172.16.0.1
> 2 *
> *
> * �� .
> 3 *
> *
> * �� .
> 4 3 ms
> 5 ms 3 ms 192.168.5.2
> �� .

�� , ZYWALL �� 109.172.Y.Y �� 172.16.0.1 - ��, �
172.16.0.100 - �� .
77.233.X.X - �� , 192.168.5.6 - ��, 192.168.5.2 - ��
77.233.X.Z -default gateway ��

ipsec ZYWALL � RACOON (Centos 6.3) (AleR)

Wed, 13 Feb 2013 06:16:24 GMT

> �� :
> setkey -c << EOF
> flush;
> spdflush;
> spdadd 192.168.5.0/24 172.16.0.0/24 any -P out ipsec esp/tunnel/77.233.X.X-109.172.Y.Y/require;
> spdadd 172.16.0.0/24 192.168.5.0/24 any -P in ipsec esp/tunnel/109.172.Y.Y-77.233.X.X/require;
> EOF

��, �� ....
� ��
tracert -d 172.16.0.100
�� 172.16.0.100 � �� 30
1 <1 �� <1 �� <1 �� 192.168.5.6
2 <1 �� <1 �� <1 �� 77.233.X.Z
3 1 ms 1 ms <1 �� 217.150.54.54
4 ^C
� ��
tracert -d 192.168.5.2
�� 192.168.5.2 � �� 30
1 <1 �� <1 �� <1 �� 172.16.0.1
2 * * * �� .
3 * * * �� .
4 3 ms 5 ms 3 ms 192.168.5.2
�� .

ipsec ZYWALL � RACOON (Centos 6.3) (a2l)

Wed, 13 Feb 2013 02:50:30 GMT

> � �� , ��
> spdadd 172.16.0.0/24 192.168.5.0/24
> ��, � ��
> spdadd 192.168.5.0/24 172.16.0.0/24
> ��.
> �� ...

�� #!/sbin/setkey -f
(�� -f ��)

�� :

setkey -c << EOF
flush;
spdflush;
spdadd 192.168.5.0/24 172.16.0.0/24 any -P out ipsec esp/tunnel/77.233.X.X-109.172.Y.Y/require;
spdadd 172.16.0.0/24 192.168.5.0/24 any -P in ipsec esp/tunnel/109.172.Y.Y-77.233.X.X/require;
EOF

ipsec ZYWALL � RACOON (Centos 6.3) (AleR)

Tue, 12 Feb 2013 10:31:39 GMT

> �� spdflush:
> spdflush ;
> spdadd 192.168.5.0/24 172.16.0.0/24 any -P out ipsec esp/tunnel/77.233.X.X-109.172.Y.Y/require;
> spdadd 172.16.0.0/24 192.168.5.0/24 any -P in ipsec esp/tunnel/109.172.Y.Y-77.233.X.X/require;

� ��
[root@gtw ~]# cat /etc/racoon/setkey.conf
#!/sbin/setkey -f
flush;
spdflush;
spdadd 192.168.5.0/24 172.16.0.0/24 any -P out ipsec esp/tunnel/77.233.X.X-109.172.Y.Y/require;
spdadd 172.16.0.0/24 192.168.5.0/24 any -P in ipsec esp/tunnel/109.172.Y.Y-77.233.X.X/require;

� �� , ��
spdadd 172.16.0.0/24 192.168.5.0/24
��, � ��
spdadd 192.168.5.0/24 172.16.0.0/24
��.
�� ...

ipsec ZYWALL � RACOON (Centos 6.3) (a2l)

Tue, 12 Feb 2013 06:06:33 GMT

>> ��
> �� .

�, ��, �� , �� .

>�.�. �� forward �� 172.16.0.0/24[any] � 192.168.5.0/24[any] ��.
>� �� . � �� , �� setkey ��
>spdadd 192.168.5.0/24 172.16.0.0/24 any -P out ipsec esp/tunnel/77.233.X.X-109.172.Y.Y/require;
>spdadd 172.16.0.0/24 192.168.5.0/24 any -P in ipsec esp/tunnel/109.172.Y.Y-77.233.X.X/require;

�� spdflush:
spdflush ;
spdadd 192.168.5.0/24 172.16.0.0/24 any -P out ipsec esp/tunnel/77.233.X.X-109.172.Y.Y/require;
spdadd 172.16.0.0/24 192.168.5.0/24 any -P in ipsec esp/tunnel/109.172.Y.Y-77.233.X.X/require;