Good day. This is my first time poking IPsec with a stick, so I'm asking for help!
There is someone else's Win2003/2008 server, not under my control, out on the wild internet, running a public L2TP/IPsec server that uses 3DES, a pre-shared key and MS-CHAP-v2 (the latter for L2TP itself).
There is a Gentoo client under my control with xl2tpd and racoon, behind an ISP that does not filter L2TP [1701] or IPsec [500] traffic.
In the racoon log, during the second (quick mode) phase, this comes pouring out:
ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
The problem is obviously at the IPsec stage, so there is no point posting the xl2tpd configs and logs.
The racoon configs are the product of googling and experimenting, so please don't spit on them =)
/etc/racoon/racoon.conf
path pre_shared_key "/etc/racoon/psk.txt";
log debug;

#remote x.x.x.x
remote anonymous
{
        exchange_mode main,base;
        initial_contact on;
        my_identifier address;
        nat_traversal on;
        proposal_check obey;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

#sainfo anonymous address x.x.x.x any
sainfo anonymous #address x.x.x.x any
{
        #pfs_group 2;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
/etc/racoon/psk.txt
x.x.x.x some-secret-phrase
/etc/ipsec.conf
flush;
spdflush;
spdadd 0.0.0.0/0 x.x.x.x/32 any -P out ipsec esp/transport//require; # ah/transport//require;
spdadd x.x.x.x/32 0.0.0.0/0 any -P in ipsec esp/transport//require; # ah/transport//require;
Here is one pass through the loop from the log:
Aug 6 11:14:02 localhost racoon: [x.x.x.x] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
Aug 6 11:14:12 localhost racoon: DEBUG: 284 bytes from y.y.y.y[500] to x.x.x.x[500]
Aug 6 11:14:12 localhost racoon: DEBUG: sockname y.y.y.y[500]
Aug 6 11:14:12 localhost racoon: DEBUG: send packet from y.y.y.y[500]
Aug 6 11:14:12 localhost racoon: DEBUG: send packet to x.x.x.x[500]
Aug 6 11:14:12 localhost racoon: DEBUG: src4 y.y.y.y[500]
Aug 6 11:14:12 localhost racoon: DEBUG: dst4 x.x.x.x[500]
Aug 6 11:14:12 localhost racoon: DEBUG: 1 times of 284 bytes message will be sent to x.x.x.x[500]
Aug 6 11:14:12 localhost racoon: DEBUG:
Aug 6 11:14:12 localhost racoon: DEBUG: resend phase2 packet 34e2ecd02f6d6a41:a70ff4628fd656d3:0000b7ef
Aug 6 11:14:22 localhost racoon: DEBUG: 284 bytes from y.y.y.y[500] to x.x.x.x[500]
Aug 6 11:14:22 localhost racoon: DEBUG: sockname y.y.y.y[500]
Aug 6 11:14:22 localhost racoon: DEBUG: send packet from y.y.y.y[500]
Aug 6 11:14:22 localhost racoon: DEBUG: send packet to x.x.x.x[500]
Aug 6 11:14:22 localhost racoon: DEBUG: src4 y.y.y.y[500]
Aug 6 11:14:22 localhost racoon: DEBUG: dst4 x.x.x.x[500]
Aug 6 11:14:22 localhost racoon: DEBUG: 1 times of 284 bytes message will be sent to x.x.x.x[500]
Aug 6 11:14:22 localhost racoon: DEBUG:
Aug 6 11:14:22 localhost racoon: DEBUG: resend phase2 packet 34e2ecd02f6d6a41:a70ff4628fd656d3:0000b7ef
Aug 6 11:14:32 localhost racoon: DEBUG: pk_recv: retry[0] recv()
Aug 6 11:14:32 localhost racoon: DEBUG: got pfkey EXPIRE message
Aug 6 11:14:32 localhost racoon: INFO: IPsec-SA expired: ESP/Transport x.x.x.x[500]->y.y.y.y[500] spi=6397933(0x619fed)
Aug 6 11:14:32 localhost racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
Aug 6 11:14:32 localhost racoon: DEBUG: IV freed
Aug 6 11:14:35 localhost racoon: DEBUG: pk_recv: retry[0] recv()
Aug 6 11:14:35 localhost racoon: DEBUG: got pfkey ACQUIRE message
Aug 6 11:14:35 localhost racoon: DEBUG: suitable outbound SP found: 0.0.0.0/0[0] x.x.x.x/32[0] proto=any dir=out.
Aug 6 11:14:35 localhost racoon: DEBUG: sub:0x7fffc6bf4ce0: x.x.x.x/32[0] 0.0.0.0/0[0] proto=any dir=in
Aug 6 11:14:35 localhost racoon: DEBUG: db :0x6c2810: x.x.x.x/32[0] 0.0.0.0/0[0] proto=any dir=fwd
Aug 6 11:14:35 localhost racoon: DEBUG: sub:0x7fffc6bf4ce0: x.x.x.x/32[0] 0.0.0.0/0[0] proto=any dir=in
Aug 6 11:14:35 localhost racoon: DEBUG: db :0x6c2a90: x.x.x.x/32[0] 0.0.0.0/0[0] proto=any dir=in
Aug 6 11:14:35 localhost racoon: DEBUG: suitable inbound SP found: x.x.x.x/32[0] 0.0.0.0/0[0] proto=any dir=in.
Aug 6 11:14:35 localhost racoon: DEBUG: new acquire 0.0.0.0/0[0] x.x.x.x/32[0] proto=any dir=out
Aug 6 11:14:35 localhost racoon: [x.x.x.x] DEBUG: configuration "anonymous" selected.
Aug 6 11:14:35 localhost racoon: DEBUG: getsainfo params: loc='0.0.0.0/0' rmt='x.x.x.x' peer='NULL' client='NULL' id=0
Aug 6 11:14:35 localhost racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
Aug 6 11:14:35 localhost racoon: DEBUG: check and compare ids : values matched (ANONYMOUS)
Aug 6 11:14:35 localhost racoon: DEBUG: check and compare ids : values matched (ANONYMOUS)
Aug 6 11:14:35 localhost racoon: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
Aug 6 11:14:35 localhost racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
Aug 6 11:14:35 localhost racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
Aug 6 11:14:35 localhost racoon: DEBUG: in post_acquire
Aug 6 11:14:35 localhost racoon: [x.x.x.x] DEBUG: configuration "anonymous" selected.
Aug 6 11:14:35 localhost racoon: DEBUG: begin QUICK mode.
Aug 6 11:14:35 localhost racoon: DEBUG: ===
Aug 6 11:14:35 localhost racoon: DEBUG: begin QUICK mode.
Aug 6 11:14:35 localhost racoon: INFO: initiate new phase 2 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
Aug 6 11:14:35 localhost racoon: DEBUG: compute IV for phase2
Aug 6 11:14:35 localhost racoon: DEBUG: phase1 last IV:
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: hash(sha1)
Aug 6 11:14:35 localhost racoon: DEBUG: encryption(3des)
Aug 6 11:14:35 localhost racoon: DEBUG: phase2 IV computed:
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: call pfkey_send_getspi
Aug 6 11:14:35 localhost racoon: DEBUG: pfkey GETSPI sent: ESP/Transport x.x.x.x[0]->y.y.y.y[0]
Aug 6 11:14:35 localhost racoon: DEBUG: pfkey getspi sent.
Aug 6 11:14:35 localhost racoon: DEBUG: pk_recv: retry[0] recv()
Aug 6 11:14:35 localhost racoon: DEBUG: got pfkey GETSPI message
Aug 6 11:14:35 localhost racoon: DEBUG: pfkey GETSPI succeeded: ESP/Transport x.x.x.x[500]->y.y.y.y[500] spi=24898789(0x17bece5)
Aug 6 11:14:35 localhost racoon: DEBUG: hmac(modp1024)
Aug 6 11:14:35 localhost racoon: DEBUG: hmac(modp1024)
Aug 6 11:14:35 localhost racoon: DEBUG: hmac(modp1024)
Aug 6 11:14:35 localhost racoon: DEBUG: compute DH's private.
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: compute DH's public.
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: use local ID type IPv4_address
Aug 6 11:14:35 localhost racoon: DEBUG: use remote ID type IPv4_address
Aug 6 11:14:35 localhost racoon: DEBUG: IDci:
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: IDcr:
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: add payload of len 48, next type 10
Aug 6 11:14:35 localhost racoon: DEBUG: add payload of len 16, next type 4
Aug 6 11:14:35 localhost racoon: DEBUG: add payload of len 128, next type 5
Aug 6 11:14:35 localhost racoon: DEBUG: add payload of len 8, next type 5
Aug 6 11:14:35 localhost racoon: DEBUG: add payload of len 8, next type 0
Aug 6 11:14:35 localhost racoon: DEBUG: HASH with:
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: hmac(hmac_sha1)
Aug 6 11:14:35 localhost racoon: DEBUG: HASH computed:
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: add payload of len 20, next type 1
Aug 6 11:14:35 localhost racoon: DEBUG: begin encryption.
Aug 6 11:14:35 localhost racoon: DEBUG: encryption(3des)
Aug 6 11:14:35 localhost racoon: DEBUG: pad length = 4
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: encryption(3des)
Aug 6 11:14:35 localhost racoon: DEBUG: with key:
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: encrypted payload by IV:
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: save IV for next:
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: encrypted.
Aug 6 11:14:35 localhost racoon: DEBUG: 284 bytes from y.y.y.y[500] to x.x.x.x[500]
Aug 6 11:14:35 localhost racoon: DEBUG: sockname y.y.y.y[500]
Aug 6 11:14:35 localhost racoon: DEBUG: send packet from y.y.y.y[500]
Aug 6 11:14:35 localhost racoon: DEBUG: send packet to x.x.x.x[500]
Aug 6 11:14:35 localhost racoon: DEBUG: src4 y.y.y.y[500]
Aug 6 11:14:35 localhost racoon: DEBUG: dst4 x.x.x.x[500]
Aug 6 11:14:35 localhost racoon: DEBUG: 1 times of 284 bytes message will be sent to x.x.x.x[500]
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: resend phase2 packet 34e2ecd02f6d6a41:a70ff4628fd656d3:00009a33
Aug 6 11:14:35 localhost racoon: DEBUG: ===
Aug 6 11:14:35 localhost racoon: DEBUG: 68 bytes message received from x.x.x.x[500] to y.y.y.y[500]
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: receive Information.
Aug 6 11:14:35 localhost racoon: DEBUG: compute IV for phase2
Aug 6 11:14:35 localhost racoon: DEBUG: phase1 last IV:
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: hash(sha1)
Aug 6 11:14:35 localhost racoon: DEBUG: encryption(3des)
Aug 6 11:14:35 localhost racoon: DEBUG: phase2 IV computed:
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: begin decryption.
Aug 6 11:14:35 localhost racoon: DEBUG: encryption(3des)
Aug 6 11:14:35 localhost racoon: DEBUG: IV was saved for next processing:
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: encryption(3des)
Aug 6 11:14:35 localhost racoon: DEBUG: with key:
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: decrypted payload by IV:
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: decrypted payload, but not trimed.
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: padding len=1
Aug 6 11:14:35 localhost racoon: DEBUG: skip to trim padding.
Aug 6 11:14:35 localhost racoon: DEBUG: decrypted.
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: IV freed
Aug 6 11:14:35 localhost racoon: DEBUG: HASH with:
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: hmac(hmac_sha1)
Aug 6 11:14:35 localhost racoon: DEBUG: HASH computed:
Aug 6 11:14:35 localhost racoon: DEBUG:
Aug 6 11:14:35 localhost racoon: DEBUG: hash validated.
Aug 6 11:14:35 localhost racoon: DEBUG: begin.
Aug 6 11:14:35 localhost racoon: DEBUG: seen nptype=8(hash)
Aug 6 11:14:35 localhost racoon: DEBUG: seen nptype=11(notify)
Aug 6 11:14:35 localhost racoon: DEBUG: succeed.
Aug 6 11:14:35 localhost racoon: [x.x.x.x] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
Aug 6 11:14:45 localhost racoon: DEBUG: 284 bytes from y.y.y.y[500] to x.x.x.x[500]
Aug 6 11:14:45 localhost racoon: DEBUG: sockname y.y.y.y[500]
Aug 6 11:14:45 localhost racoon: DEBUG: send packet from y.y.y.y[500]
Aug 6 11:14:45 localhost racoon: DEBUG: send packet to x.x.x.x[500]
Aug 6 11:14:45 localhost racoon: DEBUG: src4 y.y.y.y[500]
Aug 6 11:14:45 localhost racoon: DEBUG: dst4 x.x.x.x[500]
Aug 6 11:14:45 localhost racoon: DEBUG: 1 times of 284 bytes message will be sent to x.x.x.x[500]
Aug 6 11:14:45 localhost racoon: DEBUG:
Aug 6 11:14:45 localhost racoon: DEBUG: resend phase2 packet 34e2ecd02f6d6a41:a70ff4628fd656d3:00009a33
Aug 6 11:14:55 localhost racoon: DEBUG: 284 bytes from y.y.y.y[500] to x.x.x.x[500]
Aug 6 11:14:55 localhost racoon: DEBUG: sockname y.y.y.y[500]
Aug 6 11:14:55 localhost racoon: DEBUG: send packet from y.y.y.y[500]
Aug 6 11:14:55 localhost racoon: DEBUG: send packet to x.x.x.x[500]
Aug 6 11:14:55 localhost racoon: DEBUG: src4 y.y.y.y[500]
Aug 6 11:14:55 localhost racoon: DEBUG: dst4 x.x.x.x[500]
Aug 6 11:14:55 localhost racoon: DEBUG: 1 times of 284 bytes message will be sent to x.x.x.x[500]
Aug 6 11:14:55 localhost racoon: DEBUG:
Aug 6 11:14:55 localhost racoon: DEBUG: resend phase2 packet 34e2ecd02f6d6a41:a70ff4628fd656d3:00009a33
Aug 6 11:15:05 localhost racoon: DEBUG: pk_recv: retry[0] recv()
Aug 6 11:15:05 localhost racoon: DEBUG: got pfkey EXPIRE message
Aug 6 11:15:05 localhost racoon: INFO: IPsec-SA expired: ESP/Transport x.x.x.x[500]->y.y.y.y[500] spi=24898789(0x17bece5)
Aug 6 11:15:05 localhost racoon: WARNING: PF_KEY EXPIRE message received from kernel for SA being negotiated. Stopping negotiation.
Aug 6 11:15:05 localhost racoon: DEBUG: IV freed
Aug 6 11:15:07 localhost racoon: DEBUG: pk_recv: retry[0] recv()
Aug 6 11:15:07 localhost racoon: DEBUG: got pfkey ACQUIRE message
Aug 6 11:15:07 localhost racoon: DEBUG: suitable outbound SP found: 0.0.0.0/0[0] x.x.x.x/32[0] proto=any dir=out.
Aug 6 11:15:07 localhost racoon: DEBUG: sub:0x7fffc6bf4ce0: x.x.x.x/32[0] 0.0.0.0/0[0] proto=any dir=in
Aug 6 11:15:07 localhost racoon: DEBUG: db :0x6c2810: x.x.x.x/32[0] 0.0.0.0/0[0] proto=any dir=fwd
Aug 6 11:15:07 localhost racoon: DEBUG: sub:0x7fffc6bf4ce0: x.x.x.x/32[0] 0.0.0.0/0[0] proto=any dir=in
Aug 6 11:15:07 localhost racoon: DEBUG: db :0x6c2a90: x.x.x.x/32[0] 0.0.0.0/0[0] proto=any dir=in
Aug 6 11:15:07 localhost racoon: DEBUG: suitable inbound SP found: x.x.x.x/32[0] 0.0.0.0/0[0] proto=any dir=in.
Aug 6 11:15:07 localhost racoon: DEBUG: new acquire 0.0.0.0/0[0] x.x.x.x/32[0] proto=any dir=out
Aug 6 11:15:07 localhost racoon: [x.x.x.x] DEBUG: configuration "anonymous" selected.
Aug 6 11:15:07 localhost racoon: DEBUG: getsainfo params: loc='0.0.0.0/0' rmt='x.x.x.x' peer='NULL' client='NULL' id=0
Aug 6 11:15:07 localhost racoon: DEBUG: evaluating sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
Aug 6 11:15:07 localhost racoon: DEBUG: check and compare ids : values matched (ANONYMOUS)
Aug 6 11:15:07 localhost racoon: DEBUG: check and compare ids : values matched (ANONYMOUS)
Aug 6 11:15:07 localhost racoon: DEBUG: selected sainfo: loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
Aug 6 11:15:07 localhost racoon: DEBUG: (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Transport reqid=0:0)
Aug 6 11:15:07 localhost racoon: DEBUG: (trns_id=3DES encklen=0 authtype=hmac-sha)
Aug 6 11:15:07 localhost racoon: DEBUG: in post_acquire
Aug 6 11:15:07 localhost racoon: [x.x.x.x] DEBUG: configuration "anonymous" selected.
Aug 6 11:15:07 localhost racoon: DEBUG: begin QUICK mode.
Aug 6 11:15:07 localhost racoon: DEBUG: ===
Aug 6 11:15:07 localhost racoon: DEBUG: begin QUICK mode.
Aug 6 11:15:07 localhost racoon: INFO: initiate new phase 2 negotiation: y.y.y.y[500]<=>x.x.x.x[500]
Aug 6 11:15:07 localhost racoon: DEBUG: compute IV for phase2
Aug 6 11:15:07 localhost racoon: DEBUG: phase1 last IV:
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: hash(sha1)
Aug 6 11:15:07 localhost racoon: DEBUG: encryption(3des)
Aug 6 11:15:07 localhost racoon: DEBUG: phase2 IV computed:
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: call pfkey_send_getspi
Aug 6 11:15:07 localhost racoon: DEBUG: pfkey GETSPI sent: ESP/Transport x.x.x.x[0]->y.y.y.y[0]
Aug 6 11:15:07 localhost racoon: DEBUG: pfkey getspi sent.
Aug 6 11:15:07 localhost racoon: DEBUG: pk_recv: retry[0] recv()
Aug 6 11:15:07 localhost racoon: DEBUG: got pfkey GETSPI message
Aug 6 11:15:07 localhost racoon: DEBUG: pfkey GETSPI succeeded: ESP/Transport x.x.x.x[500]->y.y.y.y[500] spi=155872566(0x94a6d36)
Aug 6 11:15:07 localhost racoon: DEBUG: hmac(modp1024)
Aug 6 11:15:07 localhost racoon: DEBUG: hmac(modp1024)
Aug 6 11:15:07 localhost racoon: DEBUG: hmac(modp1024)
Aug 6 11:15:07 localhost racoon: DEBUG: compute DH's private.
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: compute DH's public.
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: use local ID type IPv4_address
Aug 6 11:15:07 localhost racoon: DEBUG: use remote ID type IPv4_address
Aug 6 11:15:07 localhost racoon: DEBUG: IDci:
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: IDcr:
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: add payload of len 48, next type 10
Aug 6 11:15:07 localhost racoon: DEBUG: add payload of len 16, next type 4
Aug 6 11:15:07 localhost racoon: DEBUG: add payload of len 128, next type 5
Aug 6 11:15:07 localhost racoon: DEBUG: add payload of len 8, next type 5
Aug 6 11:15:07 localhost racoon: DEBUG: add payload of len 8, next type 0
Aug 6 11:15:07 localhost racoon: DEBUG: HASH with:
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: hmac(hmac_sha1)
Aug 6 11:15:07 localhost racoon: DEBUG: HASH computed:
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: add payload of len 20, next type 1
Aug 6 11:15:07 localhost racoon: DEBUG: begin encryption.
Aug 6 11:15:07 localhost racoon: DEBUG: encryption(3des)
Aug 6 11:15:07 localhost racoon: DEBUG: pad length = 4
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: encryption(3des)
Aug 6 11:15:07 localhost racoon: DEBUG: with key:
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: encrypted payload by IV:
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: save IV for next:
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: encrypted.
Aug 6 11:15:07 localhost racoon: DEBUG: 284 bytes from y.y.y.y[500] to x.x.x.x[500]
Aug 6 11:15:07 localhost racoon: DEBUG: sockname y.y.y.y[500]
Aug 6 11:15:07 localhost racoon: DEBUG: send packet from y.y.y.y[500]
Aug 6 11:15:07 localhost racoon: DEBUG: send packet to x.x.x.x[500]
Aug 6 11:15:07 localhost racoon: DEBUG: src4 y.y.y.y[500]
Aug 6 11:15:07 localhost racoon: DEBUG: dst4 x.x.x.x[500]
Aug 6 11:15:07 localhost racoon: DEBUG: 1 times of 284 bytes message will be sent to x.x.x.x[500]
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: resend phase2 packet 34e2ecd02f6d6a41:a70ff4628fd656d3:0000fc82
Aug 6 11:15:07 localhost racoon: DEBUG: ===
Aug 6 11:15:07 localhost racoon: DEBUG: 68 bytes message received from x.x.x.x[500] to y.y.y.y[500]
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: receive Information.
Aug 6 11:15:07 localhost racoon: DEBUG: compute IV for phase2
Aug 6 11:15:07 localhost racoon: DEBUG: phase1 last IV:
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: hash(sha1)
Aug 6 11:15:07 localhost racoon: DEBUG: encryption(3des)
Aug 6 11:15:07 localhost racoon: DEBUG: phase2 IV computed:
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: begin decryption.
Aug 6 11:15:07 localhost racoon: DEBUG: encryption(3des)
Aug 6 11:15:07 localhost racoon: DEBUG: IV was saved for next processing:
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: encryption(3des)
Aug 6 11:15:07 localhost racoon: DEBUG: with key:
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: decrypted payload by IV:
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: decrypted payload, but not trimed.
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: padding len=1
Aug 6 11:15:07 localhost racoon: DEBUG: skip to trim padding.
Aug 6 11:15:07 localhost racoon: DEBUG: decrypted.
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: IV freed
Aug 6 11:15:07 localhost racoon: DEBUG: HASH with:
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: hmac(hmac_sha1)
Aug 6 11:15:07 localhost racoon: DEBUG: HASH computed:
Aug 6 11:15:07 localhost racoon: DEBUG:
Aug 6 11:15:07 localhost racoon: DEBUG: hash validated.
Aug 6 11:15:07 localhost racoon: DEBUG: begin.
Aug 6 11:15:07 localhost racoon: DEBUG: seen nptype=8(hash)
Aug 6 11:15:07 localhost racoon: DEBUG: seen nptype=11(notify)
Aug 6 11:15:07 localhost racoon: DEBUG: succeed.
Aug 6 11:15:07 localhost racoon: [x.x.x.x] ERROR: notification INVALID-ID-INFORMATION received in informational exchange.
I can't figure out what the Windows server doesn't like, what ID information it wants, and where to fix it.
I tried contacting the server owner; all I managed to find out was
"l2tp/ipsec using 3des, pre-shared-key and ms-chap-v2",
i.e. if you click it together with a mouse on Windows it works, but that doesn't make my problem any simpler.
Also, while reading the log, the empty lines after the lines about computing keys, IVs, etc. worry me, since (judging by logs found via Google) there should be some values there.
Nevertheless, the first phase seems to complete successfully, if I understand the line "initiate new phase 2 negotiation" correctly.
Is the display of those values switched on somewhere, or is all of this simply not being generated, and that is why it doesn't work?
Anyone with experience in all this IPsec sorcery, please help!
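The following is an added example and is not part of the original post or its author's configuration. INVALID-ID-INFORMATION in an informational exchange during quick mode means the responder found no policy matching the phase 2 identities (IDci/IDcr) the initiator proposed. The posted SPD covers 0.0.0.0/0 to x.x.x.x/32 with protocol "any" and port 0, and the log confirms that is what racoon sends ("use local ID type IPv4_address", two 8-byte ID payloads). The assumption behind this example is that the built-in Windows L2TP/IPsec policy negotiates a transport-mode ESP SA for UDP port 1701 only, so the client-side selectors and the sainfo need to be narrowed to that flow. x.x.x.x is the server and y.y.y.y the client, as in the log; the cipher choices (3DES, SHA-1, DH group 2) are kept only because the uncontrolled server offers nothing else.

```conf
# Added example, not the original poster's config. Assumption: the Windows
# RRAS L2TP/IPsec policy expects IDci/IDcr with protocol UDP and port 1701;
# IDs with protocol "any" / port 0 are answered with INVALID-ID-INFORMATION.

# --- /etc/ipsec.conf (setkey): as posted, selectors are proto=any, port=0 ---
# spdadd 0.0.0.0/0 x.x.x.x/32 any -P out ipsec esp/transport//require;
# spdadd x.x.x.x/32 0.0.0.0/0 any -P in  ipsec esp/transport//require;

# --- /etc/ipsec.conf (setkey): narrowed to the L2TP flow ---
flush;
spdflush;
# xl2tpd sends from and listens on UDP 1701 by default, so both ends carry
# the port; the selectors below become the phase 2 IDs racoon proposes.
spdadd y.y.y.y[1701] x.x.x.x[1701] udp -P out ipsec esp/transport//require;
spdadd x.x.x.x[1701] y.y.y.y[1701] udp -P in  ipsec esp/transport//require;

# --- /etc/racoon/racoon.conf: sainfo matching those selectors ---
# Replaces "sainfo anonymous"; the address/port/protocol here must agree
# with the SPD entries above or racoon will not select this sainfo.
sainfo address y.y.y.y/32 [1701] udp address x.x.x.x/32 [1701] udp
{
        # pfs_group left out: the Windows 2003/2008 default L2TP policy
        # does not request PFS in quick mode
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
```

After loading the SPD with `setkey -f /etc/ipsec.conf`, `setkey -DP` should show the two UDP/1701 entries, and a successful quick mode is logged by racoon as "IPsec-SA established: ESP/Transport" for each direction instead of the "resend phase2 packet" / PF_KEY EXPIRE cycle seen above. If the server sits behind NAT and the negotiation switches to UDP 4500, the same port-1701 selectors still apply; only the IKE/ESP encapsulation changes.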