The OpenNET Project / Index page

pf gif ipsec. Either the skis won't slide or I don't understand something, !*! Kvantos, 22-Mar-07, 15:49
There is a gif tunnel encrypted with ipsec

ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet x.x.x.x netmask 0xffffffe0 broadcast x.x.x.x
        inet 192.168.4.111 netmask 0xffffff00 broadcast 192.168.4.255
        ether 00:30:4f:3b:7a:2e
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
xl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=9<RXCSUM,VLAN_MTU>
        inet 192.168.80.1 netmask 0xffffff00 broadcast 192.168.80.255
        ether 00:50:da:35:f3:3e
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        ether 00:c1:26:05:4c:25
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33208
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet 127.0.0.1 netmask 0xff000000
pfsync0: flags=41<UP,RUNNING> mtu 1124
        pfsync: syncdev: gif0 maxupd: 128
gif0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1280
        tunnel inet 192.168.80.1 --> 192.168.80.200
        inet 10.240.80.1 --> 10.240.80.200 netmask 0xffffffff
tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 91.124.214.209 --> 195.5.5.19 netmask 0xffffffff
        Opened by PID 241
tun1: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1492
        inet 10.240.80.1 --> 10.240.80.116 netmask 0xffffffff
        Opened by PID 3369
tun2: flags=8010<POINTOPOINT,MULTICAST> mtu 1500

/etc/pf.conf
---cut
pass out log on gif0 from 10.240.81.142 to any
pass in log on gif0 from any to 10.240.81.142
---cut

tcpdump -i gif0 host 10.240.81.142
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
14:38:19.840047 IP 10.240.81.142 > py-in-f99.google.com: ICMP echo request, id 512, seq 18693, length 40
14:38:20.007810 IP py-in-f99.google.com > 10.240.81.142: ICMP echo reply, id 512, seq 18693, length 40
14:38:26.318409 IP 10.240.81.142 > py-in-f99.google.com: ICMP echo request, id 512, seq 19205, length 40
14:38:26.486713 IP py-in-f99.google.com > 10.240.81.142: ICMP echo reply, id 512, seq 19205, length 40
14:38:32.817018 IP 10.240.81.142 > py-in-f99.google.com: ICMP echo request, id 512, seq 19717, length 40
14:38:32.984368 IP py-in-f99.google.com > 10.240.81.142: ICMP echo reply, id 512, seq 19717, length 40
14:38:39.317491 IP 10.240.81.142 > py-in-f99.google.com: ICMP echo request, id 512, seq 20229, length 40


tcpdump -i pflog0
tcpdump: WARNING: pflog0: no IPv4 address assigned
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes

EMPTY !!!!

What am I doing wrong?

  • pf gif ipsec. Either the skis won't slide or I don't understand something, !*! idle, 11:47 , 26-Mar-07 (1)
    • pf gif ipsec. Either the skis won't slide or I don't understand something, !*! Kvantos, 02:12 , 27-Mar-07 (2)
      >>---cut
      >>pass out log on gif0 from 10.240.81.142 to any
      >>pass in log on gif0 from any to 10.240.81.142
      >>---cut
      >Perhaps the packets are not matching these rules.
      >Try adding the quick option, or show the rules in full.

      This is the COMPLETE pf.conf for zeus

      set block-policy drop
      set skip on {lo0 rl0 xl0 rl1 pfsync0}
      # Gets logged
      pass out log on gif0 from any to any
      # Does not get logged
      pass in log on gif0 from any to any


      We have

      zeus# tcpdump -i pflog0 host 10.240.81.47
      tcpdump: WARNING: pflog0: no IPv4 address assigned
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
      01:03:42.072060 IP ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 41992, length 40
      01:03:43.091039 IP ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 42248, length 40
      01:03:44.116168 IP ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 42504, length 40
      01:03:45.123596 IP ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 42760, length 40
      01:03:46.138983 IP ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 43016, length 40
      01:03:47.151451 IP ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 43272, length 40
      01:03:48.166094 IP ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 43528, length 40

      zeus# tcpdump -i gif0 host 10.240.81.47
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
      01:04:47.972196 IP 10.240.81.47 > ya.ru: ICMP echo request, id 512, seq 58632, length 40
      01:04:48.098186 IP ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 58632, length 40
      01:04:48.998565 IP 10.240.81.47 > ya.ru: ICMP echo request, id 512, seq 58888, length 40
      01:04:49.126072 IP ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 58888, length 40
      01:04:49.993366 IP 10.240.81.47 > ya.ru: ICMP echo request, id 512, seq 59144, length 40
      01:04:50.118500 IP ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 59144, length 40
      01:04:51.009889 IP 10.240.81.47 > ya.ru: ICMP echo request, id 512, seq 59400, length 40
      01:04:51.136739 IP ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 59400, length 40

      this is on the opposite end of the tunnel
      astra#  tcpdump -i gif0 host 10.240.81.47
      tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
      listening on gif0, link-type NULL (BSD loopback), capture size 96 bytes
      19:02:54.323254 IP 10.240.81.47 > ya.ru: ICMP echo request, id 512, seq 23048, length 40
      19:02:54.453409 IP ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 23048, length 40
      19:02:55.341032 IP 10.240.81.47 > ya.ru: ICMP echo request, id 512, seq 23304, length 40
      19:02:55.469907 IP ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 23304, length 40
      19:02:56.352879 IP 10.240.81.47 > ya.ru: ICMP echo request, id 512, seq 23560, length 40
      19:02:56.482053 IP ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 23560, length 40
      19:02:57.370297 IP 10.240.81.47 > ya.ru: ICMP echo request, id 512, seq 23816, length 40
      19:02:57.499830 IP ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 23816, length 40
      19:02:58.384618 IP 10.240.81.47 > ya.ru: ICMP echo request, id 512, seq 24072, length 40
      19:02:58.516015 IP ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 24072, length 40

      P.S. 10.240.81.47 goes through the astra gateway over the tunnel to zeus


      Guys, help me out, I have no strength left !!! :(
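An added diagnostic (not from the thread, and not part of pf or tcpdump): with `tcpdump -e -ttt -i pflog0` each record carries the pf header (rule number, action, direction, interface), so a capture can be tallied to see which `log` rules actually fire in which direction. The parser assumes that header format; the sample lines are constructed to mirror the output above, where only `pass out on gif0` records appear.

```python
import re
from collections import Counter

# One pflog record as tcpdump prints it for `tcpdump -e -ttt -i pflog0`
# (the -e flag adds the pf header: rule number, action, direction, iface):
#   <ts> rule <n>/<sub>(match): <pass|block> <in|out> on <iface>: <packet>
PFLOG_RE = re.compile(
    r"^\S+\s+rule\s+(?P<rule>\d+)/\d+\((?P<reason>\w+)\):\s+"
    r"(?P<action>pass|block)\s+(?P<dir>in|out)\s+on\s+(?P<iface>\w+):\s+(?P<pkt>.*)$"
)

# Constructed sample capture (not from the thread) mirroring its symptom:
# replies leaving via gif0 are logged by rule 0, while the echo requests
# entering on gif0 never produce a record. Banner lines are included to
# show that the parser skips them.
SAMPLE = """\
listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
00:00:00.000000 rule 0/0(match): pass out on gif0: ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 41992, length 40
00:00:01.018979 rule 0/0(match): pass out on gif0: ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 42248, length 40
00:00:01.025129 rule 0/0(match): pass out on gif0: ya.ru > 10.240.81.47: ICMP echo reply, id 512, seq 42504, length 40
"""


def parse_pflog(text):
    """Return one dict per pflog record; non-record lines are skipped."""
    return [m.groupdict() for m in map(PFLOG_RE.match, text.splitlines()) if m]


def tally(records):
    """Count logged packets per (rule, action, direction, interface)."""
    return Counter((r["rule"], r["action"], r["dir"], r["iface"]) for r in records)


def silent_directions(records, iface, expected=("in", "out")):
    """Directions on `iface` for which no logged packet appeared at all.
    A non-empty result is exactly the asymmetry seen in the thread: a
    `log` rule exists for that direction but nothing reached pflog0."""
    seen = {r["dir"] for r in records if r["iface"] == iface}
    return [d for d in expected if d not in seen]


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE)
    for key, n in sorted(tally(recs).items()):
        print("rule %s: %s %s on %s -> %d packet(s)" % (key + (n,)))
    for d in silent_directions(recs, "gif0"):
        print("no pflog records for direction '%s' on gif0" % d)
```

Pair this with `pfctl -vsr`, whose per-rule evaluation and packet counters show whether the `pass in` rule is being evaluated at all even though nothing for it reaches pflog0.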



