#1
IPSEC testing
Sergey Anohin wrote to All on Jun 17 01:04:28 local time:

Hello All

Client behind NAT:

2017-06-28 01:02:14: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
2017-06-28 01:02:14: INFO: @(#)This product linked OpenSSL 1.0.2k-freebsd 26 Jan 2017 (http://www.openssl.org/)
2017-06-28 01:02:14: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2017-06-28 01:02:14: INFO: 85.113.221.175[4500] used for NAT-T
2017-06-28 01:02:14: INFO: 85.113.221.175[4500] used as isakmp port (fd=5)
2017-06-28 01:02:14: INFO: 85.113.221.175[500] used as isakmp port (fd=6)
2017-06-28 01:02:25: INFO: respond new phase 1 negotiation: 85.113.221.175[500]<=>2.93.3.213[500]
2017-06-28 01:02:25: INFO: begin Identity Protection mode.
2017-06-28 01:02:25: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2017-06-28 01:02:25: INFO: received Vendor ID: RFC 3947
2017-06-28 01:02:25: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2017-06-28 01:02:25: INFO: received Vendor ID: FRAGMENTATION
2017-06-28 01:02:25: [2.93.3.213] INFO: Selected NAT-T version: RFC 3947
2017-06-28 01:02:25: ERROR: invalid DH group 20.
2017-06-28 01:02:25: ERROR: invalid DH group 19.
2017-06-28 01:02:25: [85.113.221.175] INFO: Hashing 85.113.221.175[500] with algo #2
2017-06-28 01:02:25: INFO: NAT-D payload #0 verified
2017-06-28 01:02:25: [2.93.3.213] INFO: Hashing 2.93.3.213[500] with algo #2
2017-06-28 01:02:25: INFO: NAT-D payload #1 doesn't match
2017-06-28 01:02:25: INFO: NAT detected: PEER
2017-06-28 01:02:25: [2.93.3.213] INFO: Hashing 2.93.3.213[500] with algo #2
2017-06-28 01:02:25: [85.113.221.175] INFO: Hashing 85.113.221.175[500] with algo #2
2017-06-28 01:02:25: INFO: Adding remote and local NAT-D payloads.
2017-06-28 01:02:25: INFO: NAT-T: ports changed to: 2.93.3.213[4500]<->85.113.221.175[4500]
2017-06-28 01:02:25: INFO: ISAKMP-SA established 85.113.221.175[4500]-2.93.3.213[4500] spi:b0b96f3c1a3b4eee:a9abecf27ba44a4c
2017-06-28 01:02:25: INFO: respond new phase 2 negotiation: 85.113.221.175[4500]<=>2.93.3.213[4500]
2017-06-28 01:02:25: INFO: Update the generated policy : 2.93.3.213/32[1701] 85.113.221.175/32[1701] proto=udp dir=in
2017-06-28 01:02:25: INFO: Adjusting my encmode UDP-Transport->Transport
2017-06-28 01:02:25: INFO: Adjusting peer's encmode UDP-Transport(4)->Transport(2)
Jun 28 01:02:25 server racoon: phase1(ident R msg1): 0.000850
2017-06-28 01:02:25: ERROR: pfkey UPDATE failed: No such process
2017-06-28 01:02:25: INFO: IPsec-SA established: ESP 85.113.221.175[4500]->2.93.3.213[4500] spi=1845983402(0x6e0778aa)
Jun 28 01:02:25 server racoon: oakleydhgenerate(MODP1024): 0.002195
Jun 28 01:02:25 server racoon: oakleydhcompute(MODP1024): 0.002050
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=64): 0.000014
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=145): 0.000005
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=165): 0.000005
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=165): 0.000004
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=1): 0.000004
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=20): 0.000004
Jun 28 01:02:25 server racoon: phase1(ident R msg2): 0.005479
Jun 28 01:02:25 server racoon: algoakley_encdefdecrypt(3des klen=192 size=40): 0.000038
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=488): 0.000011
Jun 28 01:02:25 server racoon: oakleyvalidateauth(pre-shared key): 0.000037
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=488): 0.000006
Jun 28 01:02:25 server racoon: algoakley_encdefencrypt(3des klen=192 size=40): 0.000010
Jun 28 01:02:25 server racoon: phase1(ident R msg3): 0.000213
Jun 28 01:02:25 server racoon: phase1(Identity Protection): 0.061428
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=32): 0.000004
Jun 28 01:02:25 server racoon: algoakley_encdefencrypt(3des klen=192 size=56): 0.000008
Jun 28 01:02:25 server racoon: algoakley_encdefdecrypt(3des klen=192 size=352): 0.000042
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=328): 0.000009
Jun 28 01:02:25 server racoon: phase2(???): 0.000464
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=188): 0.000005
Jun 28 01:02:25 server racoon: algoakley_encdefencrypt(3des klen=192 size=168): 0.000020
Jun 28 01:02:25 server racoon: phase2(quick R msg1): 0.000118
Jun 28 01:02:25 server racoon: algoakley_encdefdecrypt(3des klen=192 size=32): 0.000016
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=69): 0.000011
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=69): 0.000005
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=89): 0.000005
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=89): 0.000005
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=69): 0.000005
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=89): 0.000004
Jun 28 01:02:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=89): 0.000004
Jun 28 01:02:25 server racoon: phase2(???): 0.000308
2017-06-28 01:03:00: INFO: deleting a generated policy.
Jun 28 01:03:00 server racoon: algoakley_encdefdecrypt(3des klen=192 size=48): 0.000017
2017-06-28 01:03:00: INFO: purged IPsec-SA proto_id=ESP spi=1845983402.
2017-06-28 01:03:00: ERROR: pfkey X_SPDDELETE failed: Invalid argument
2017-06-28 01:03:00: ERROR: pfkey X_SPDDELETE failed: Invalid argument
2017-06-28 01:03:00: INFO: ISAKMP-SA expired 85.113.221.175[4500]-2.93.3.213[4500] spi:b0b96f3c1a3b4eee:a9abecf27ba44a4c
2017-06-28 01:03:00: INFO: ISAKMP-SA deleted 85.113.221.175[4500]-2.93.3.213[4500] spi:b0b96f3c1a3b4eee:a9abecf27ba44a4c
Jun 28 01:03:00 server racoon: algoakley_hmacdef_one(hmacsha1 size=20): 0.000009
Jun 28 01:03:00 server racoon: algoakley_encdefdecrypt(3des klen=192 size=56): 0.000016
Jun 28 01:03:00 server racoon: algoakley_hmacdef_one(hmacsha1 size=32): 0.000007

Client not behind NAT:

2017-06-28 01:00:33: INFO: respond new phase 1 negotiation: 85.113.221.175[500]<=>176.9.63.209[500]
2017-06-28 01:00:33: INFO: begin Identity Protection mode.
2017-06-28 01:00:33: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2017-06-28 01:00:33: INFO: received Vendor ID: RFC 3947
2017-06-28 01:00:33: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2017-06-28 01:00:33: INFO: received Vendor ID: FRAGMENTATION
2017-06-28 01:00:33: [176.9.63.209] INFO: Selected NAT-T version: RFC 3947
2017-06-28 01:00:33: ERROR: invalid DH group 20.
2017-06-28 01:00:33: ERROR: invalid DH group 19.
Jun 28 01:00:33 server racoon: phase1(ident R msg1): 0.120704
2017-06-28 01:00:33: [85.113.221.175] INFO: Hashing 85.113.221.175[500] with algo #2
2017-06-28 01:00:33: INFO: NAT-D payload #0 verified
2017-06-28 01:00:33: [176.9.63.209] INFO: Hashing 176.9.63.209[500] with algo #2
2017-06-28 01:00:33: INFO: NAT-D payload #1 verified
2017-06-28 01:00:33: INFO: NAT not detected
Jun 28 01:00:33 server racoon: oakleydhgenerate(MODP1024): 0.002052
2017-06-28 01:00:33: [176.9.63.209] INFO: Hashing 176.9.63.209[500] with algo #2
2017-06-28 01:00:33: [85.113.221.175] INFO: Hashing 85.113.221.175[500] with algo #2
2017-06-28 01:00:33: INFO: Adding remote and local NAT-D payloads.
Jun 28 01:00:33 server racoon: oakleydhcompute(MODP1024): 0.001987
Jun 28 01:00:34 server racoon: algoakley_hmacdef_one(hmacsha1 size=64): 0.000016
Jun 28 01:00:34 server racoon: algoakley_hmacdef_one(hmacsha1 size=145): 0.000006
Jun 28 01:00:34 server racoon: algoakley_hmacdef_one(hmacsha1 size=165): 0.000007
Jun 28 01:00:34 server racoon: algoakley_hmacdef_one(hmacsha1 size=165): 0.000007
Jun 28 01:00:34 server racoon: algoakley_hmacdef_one(hmacsha1 size=1): 0.000005
Jun 28 01:00:34 server racoon: algoakley_hmacdef_one(hmacsha1 size=20): 0.000005
Jun 28 01:00:34 server racoon: phase1(ident R msg2): 0.153022
2017-06-28 01:00:34: INFO: ISAKMP-SA established 85.113.221.175[500]-176.9.63.209[500] spi:2cdd52a36f56a9d9:38c7b178f3ea9b74
Jun 28 01:00:34 server racoon: algoakley_encdefdecrypt(3des klen=192 size=40): 0.000015
Jun 28 01:00:34 server racoon: algoakley_hmacdef_one(hmacsha1 size=488): 0.000007
Jun 28 01:00:34 server racoon: oakleyvalidateauth(pre-shared key): 0.000022
Jun 28 01:00:34 server racoon: algoakley_hmacdef_one(hmacsha1 size=488): 0.000006
Jun 28 01:00:34 server racoon: algoakley_encdefencrypt(3des klen=192 size=40): 0.000007
Jun 28 01:00:34 server racoon: phase1(ident R msg3): 0.000157
Jun 28 01:00:34 server racoon: phase1(Identity Protection): 0.340594
2017-06-28 01:00:34: INFO: respond new phase 2 negotiation: 85.113.221.175[500]<=>176.9.63.209[500]
Jun 28 01:00:34 server racoon: algoakley_encdefdecrypt(3des klen=192 size=280): 0.000035
Jun 28 01:00:34 server racoon: algoakley_hmacdef_one(hmacsha1 size=252): 0.000009
2017-06-28 01:00:34: INFO: Update the generated policy : 176.9.63.209/32[1701] 85.113.221.175/32[1701] proto=udp dir=in
Jun 28 01:00:34 server racoon: phase2(???): 0.000495
2017-06-28 01:00:34: ERROR: pfkey UPDATE failed: No such process
2017-06-28 01:00:34: INFO: IPsec-SA established: ESP 85.113.221.175[500]->176.9.63.209[500] spi=3399688836(0xcaa32284)
Jun 28 01:00:34 server racoon: algoakley_hmacdef_one(hmacsha1 size=164): 0.000005
Jun 28 01:00:34 server racoon: algoakley_encdefencrypt(3des klen=192 size=144): 0.000020
Jun 28 01:00:34 server racoon: phase2(quick R msg1): 0.000164
Jun 28 01:00:34 server racoon: algoakley_encdefdecrypt(3des klen=192 size=32): 0.000014
Jun 28 01:00:34 server racoon: algoakley_hmacdef_one(hmacsha1 size=69): 0.000010
Jun 28 01:00:34 server racoon: algoakley_hmacdef_one(hmacsha1 size=69): 0.000004
Jun 28 01:00:34 server racoon: algoakley_hmacdef_one(hmacsha1 size=89): 0.000004
Jun 28 01:00:34 server racoon: algoakley_hmacdef_one(hmacsha1 size=89): 0.000005
Jun 28 01:00:34 server racoon: algoakley_hmacdef_one(hmacsha1 size=69): 0.000005
Jun 28 01:00:34 server racoon: algoakley_hmacdef_one(hmacsha1 size=89): 0.000005
Jun 28 01:00:34 server racoon: algoakley_hmacdef_one(hmacsha1 size=89): 0.000005
Jun 28 01:00:34 server racoon: phase2(???): 0.000295
2017-06-28 01:00:49: ERROR: 176.9.63.209 give up to get IPsec-SA due to time up to wait.
Jun 28 01:01:09 server racoon: algoakley_encdefdecrypt(3des klen=192 size=48): 0.000018
Jun 28 01:01:09 server racoon: algoakley_hmacdef_one(hmacsha1 size=20): 0.000007
2017-06-28 01:01:09: INFO: purged IPsec-SA proto_id=ESP spi=3399688836.
Jun 28 01:01:09 server racoon: algoakley_encdefdecrypt(3des klen=192 size=56): 0.000011
Jun 28 01:01:09 server racoon: algoakley_hmacdef_one(hmacsha1 size=32): 0.000006
2017-06-28 01:01:09: INFO: ISAKMP-SA expired 85.113.221.175[500]-176.9.63.209[500] spi:2cdd52a36f56a9d9:38c7b178f3ea9b74
2017-06-28 01:01:09: INFO: ISAKMP-SA deleted 85.113.221.175[500]-176.9.63.209[500] spi:2cdd52a36f56a9d9:38c7b178f3ea9b74

It doesn't work either way.

Bye, , 28 June 17
--- FIPS/IP <build 01.14>
#2
Re: IPSEC testing
Alex Korchmar wrote to Sergey Anohin on Jun 17 09:07:43 local time:

From: Alex Korchmar <noreply@linux.e-moe.ru>

Sergey Anohin <Sergey.Anohin@p1.f10.n5034.z2.fidonet.org> wrote:

SA> 2017-06-28 01:03:00: INFO: purged IPsec-SA proto_id=ESP spi=1845983402.
SA> 2017-06-28 01:03:00: ERROR: pfkey X_SPDDELETE failed: Invalid argument
SA> 2017-06-28 01:03:00: ERROR: pfkey X_SPDDELETE failed: Invalid argument

that's garbage...

SA> Jun 28 01:03:00 server racoon: algoakley_hmacdef_one(hmacsha1 size=32):
SA> 0.000007

just for laughs, throw this out. (it shouldn't matter, but what if, what if...)

> Alex
--- ifmail v.2.15dev5.4
#3
Re: IPSEC testing
Sergey Anohin wrote to Alex Korchmar on Jun 17 10:38:57 local time:

Hello Alex Korchmar

SA>> Jun 28 01:03:00 server racoon: algoakley_hmacdef_one(hmacsha1
SA>> size=32): 0.000007
AK> just for laughs, throw this out. (it shouldn't matter, but what if, what if...)

racoon won't start without it, it's a mandatory value. I tried changing the parameters and even setting all of them:

authentication_algorithm hmac_md5,hmac_sha1,hmac_sha256,hmac_sha384,hmac_sha512;

no luck, looks like Windows 7 wants sha1 specifically

Bye, Alex Korchmar, 28 June 17
--- FIPS/IP <build 01.14>
#4
Re: IPSEC testing
Alex Korchmar wrote to Sergey Anohin on Jun 17 12:02:47 local time:

From: Alex Korchmar <noreply@linux.e-moe.ru>

Sergey Anohin <Sergey.Anohin@p1.f10.n5034.z2.fidonet.org> wrote:

SA> racoon won't start without it, it's a mandatory value

that's some kind of nonsense. ESP doesn't need auth to work at all, for no reason whatsoever. The SAs that Zhenya demonstrated had no auth at all. And, theoretically, NAT can break this auth.

> Alex
--- ifmail v.2.15dev5.4
#5
Re: IPSEC testing
Sergey Anohin wrote to Alex Korchmar on Jun 17 20:26:50 local time:

Hello Alex Korchmar

SA>> racoon won't start without it, it's a mandatory value
AK> that's some kind of nonsense. ESP doesn't need auth to work at all, for no reason whatsoever.
AK> The SAs that Zhenya demonstrated had no auth at all. And, theoretically,
AK> NAT can break this auth.

If I comment out authentication_algorithm, then:

2017-06-28 20:26:27: ERROR: /usr/local/etc/racoon/racoon.conf:112: "}" no authentication algorithm at loc='ANONYMOUS', rmt='ANONYMOUS', peer='ANY', id=0
2017-06-28 20:26:27: ERROR: fatal parse failure (1 errors)

Bye, Alex Korchmar, 28 June 17
--- FIPS/IP <build 01.14>
#6
Re: IPSEC testing
Sergey Anohin wrote to Alex Korchmar on Jun 17 21:05:08 local time:

Hello Alex Korchmar

SA>> racoon won't start without it, it's a mandatory value
AK> that's some kind of nonsense. ESP doesn't need auth to work at all, for no reason whatsoever.

Only if I comment out the whole section

##sainfo anonymous {
# encryption_algorithm 3des;
# authentication_algorithm hmac_md5, hmac_sha1;
# lifetime time 1 hour ;
# compression_algorithm deflate;
#}
##<---->lifetime time 14400 sec;
##<---->encryption_algorithm rijndael 256, blowfish 448, 3des;
#<----->encryption_algorithm aes 256;
#<----->authentication_algorithm hmac_sha1;
##<---->authentication_algorithm hmac_md5,hmac_sha1,hmac_sha256,hmac_sha384,hmac_sha512;
##<---->compression_algorithm deflate;
##}

it doesn't work all the same

2017-06-28 20:27:40: INFO: 85.113.221.175[4500] used as isakmp port (fd=5)
2017-06-28 20:27:40: INFO: 85.113.221.175[500] used as isakmp port (fd=6)
2017-06-28 21:04:08: INFO: caught signal 15
2017-06-28 21:04:08: INFO: racoon process 81396 shutdown
2017-06-28 21:04:08: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
2017-06-28 21:04:08: INFO: @(#)This product linked OpenSSL 1.0.2k-freebsd 26 Jan 2017 (http://www.openssl.org/)
2017-06-28 21:04:08: INFO: Reading configuration from "/usr/local/etc/racoon/racoon.conf"
2017-06-28 21:04:08: INFO: 85.113.221.175[4500] used for NAT-T
2017-06-28 21:04:08: INFO: 85.113.221.175[4500] used as isakmp port (fd=5)
2017-06-28 21:04:08: INFO: 85.113.221.175[500] used as isakmp port (fd=6)
2017-06-28 21:04:16: INFO: respond new phase 1 negotiation: 85.113.221.175[500]<=>2.93.3.213[500]
2017-06-28 21:04:16: INFO: begin Identity Protection mode.
2017-06-28 21:04:16: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
2017-06-28 21:04:16: INFO: received Vendor ID: RFC 3947
2017-06-28 21:04:16: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2017-06-28 21:04:16: INFO: received Vendor ID: FRAGMENTATION
2017-06-28 21:04:16: [2.93.3.213] INFO: Selected NAT-T version: RFC 3947
2017-06-28 21:04:16: ERROR: invalid DH group 20.
2017-06-28 21:04:16: ERROR: invalid DH group 19.
Jun 28 21:04:16 server racoon: phase1(ident R msg1): 0.001306
2017-06-28 21:04:16: [85.113.221.175] INFO: Hashing 85.113.221.175[500] with algo #2
2017-06-28 21:04:16: INFO: NAT-D payload #0 verified
2017-06-28 21:04:16: [2.93.3.213] INFO: Hashing 2.93.3.213[500] with algo #2
2017-06-28 21:04:16: INFO: NAT-D payload #1 doesn't match
2017-06-28 21:04:16: INFO: NAT detected: PEER
Jun 28 21:04:16 server racoon: oakleydhgenerate(MODP1024): 0.002110
2017-06-28 21:04:16: [2.93.3.213] INFO: Hashing 2.93.3.213[500] with algo #2
2017-06-28 21:04:16: [85.113.221.175] INFO: Hashing 85.113.221.175[500] with algo #2
2017-06-28 21:04:16: INFO: Adding remote and local NAT-D payloads.
Jun 28 21:04:16 server racoon: oakleydhcompute(MODP1024): 0.002074
Jun 28 21:04:16 server racoon: algoakley_hmacdef_one(hmacsha1 size=64): 0.000021
Jun 28 21:04:16 server racoon: algoakley_hmacdef_one(hmacsha1 size=145): 0.000006
Jun 28 21:04:16 server racoon: algoakley_hmacdef_one(hmacsha1 size=165): 0.000005
Jun 28 21:04:16 server racoon: algoakley_hmacdef_one(hmacsha1 size=165): 0.000005
Jun 28 21:04:16 server racoon: algoakley_hmacdef_one(hmacsha1 size=1): 0.000005
Jun 28 21:04:16 server racoon: algoakley_hmacdef_one(hmacsha1 size=20): 0.000005
Jun 28 21:04:16 server racoon: phase1(ident R msg2): 0.013909
2017-06-28 21:04:16: INFO: NAT-T: ports changed to: 2.93.3.213[4500]<->85.113.221.175[4500]
Jun 28 21:04:16 server racoon: algoakley_encdefdecrypt(3des klen=192 size=40): 0.000067
Jun 28 21:04:16 server racoon: algoakley_hmacdef_one(hmacsha1 size=488): 0.000012
Jun 28 21:04:16 server racoon: oakleyvalidateauth(pre-shared key): 0.000270
Jun 28 21:04:16 server racoon: algoakley_hmacdef_one(hmacsha1 size=488): 0.000008
Jun 28 21:04:16 server racoon: algoakley_encdefencrypt(3des klen=192 size=40): 0.000014
Jun 28 21:04:16 server racoon: phase1(ident R msg3): 0.001046
Jun 28 21:04:16 server racoon: phase1(Identity Protection): 0.064762
Jun 28 21:04:16 server racoon: algoakley_hmacdef_one(hmacsha1 size=32): 0.000004
Jun 28 21:04:16 server racoon: algoakley_encdefencrypt(3des klen=192 size=56): 0.000011
2017-06-28 21:04:16: INFO: ISAKMP-SA established 85.113.221.175[4500]-2.93.3.213[4500] spi:dbab2466952e589c:4ea631e262c5c89a
2017-06-28 21:04:16: INFO: respond new phase 2 negotiation: 85.113.221.175[4500]<=>2.93.3.213[4500]
Jun 28 21:04:16 server racoon: algoakley_encdefdecrypt(3des klen=192 size=352): 0.000040
Jun 28 21:04:16 server racoon: algoakley_hmacdef_one(hmacsha1 size=328): 0.000009
2017-06-28 21:04:16: ERROR: failed to get sainfo.
2017-06-28 21:04:16: ERROR: failed to get sainfo.
2017-06-28 21:04:16: [2.93.3.213] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
2017-06-28 21:04:18: INFO: respond new phase 2 negotiation: 85.113.221.175[4500]<=>2.93.3.213[4500]
2017-06-28 21:04:18: ERROR: failed to get sainfo.
Jun 28 21:04:18 server racoon: algoakley_encdefdecrypt(3des klen=192 size=352): 0.000040
Jun 28 21:04:18 server racoon: algoakley_hmacdef_one(hmacsha1 size=328): 0.000010
2017-06-28 21:04:18: ERROR: failed to get sainfo.
2017-06-28 21:04:18: [2.93.3.213] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
2017-06-28 21:04:20: INFO: respond new phase 2 negotiation: 85.113.221.175[4500]<=>2.93.3.213[4500]
2017-06-28 21:04:20: ERROR: failed to get sainfo.
Jun 28 21:04:20 server racoon: algoakley_encdefdecrypt(3des klen=192 size=352): 0.000039
Jun 28 21:04:20 server racoon: algoakley_hmacdef_one(hmacsha1 size=328): 0.000009
2017-06-28 21:04:20: ERROR: failed to get sainfo.
2017-06-28 21:04:20: [2.93.3.213] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
2017-06-28 21:04:25: INFO: respond new phase 2 negotiation: 85.113.221.175[4500]<=>2.93.3.213[4500]
Jun 28 21:04:25 server racoon: algoakley_encdefdecrypt(3des klen=192 size=352): 0.000039
Jun 28 21:04:25 server racoon: algoakley_hmacdef_one(hmacsha1 size=328): 0.000010
2017-06-28 21:04:25: ERROR: failed to get sainfo.
2017-06-28 21:04:25: ERROR: failed to get sainfo.
2017-06-28 21:04:25: [2.93.3.213] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).

Bye, Alex Korchmar, 28 June 17
--- FIPS/IP <build 01.14>
#7
Re: IPSEC testing
Eugene Grosbein wrote to Alex Korchmar on Jul 17 15:21:15 local time:

On Wednesday, June 28, 2017, at 11:02 NOVT, Alex Korchmar wrote:

SA>> racoon won't start without it, it's a mandatory value
AK> that's some kind of nonsense. ESP doesn't need auth to work at all, for no reason whatsoever.
AK> The SAs that Zhenya demonstrated had no auth at all. And, theoretically, NAT
AK> can break this auth.

Nowadays, instead of the old-fashioned AH+ESP, ESP_Auth is used, which has no problems with NAT.

Eugene
--- slrn/1.0.2 (FreeBSD)
#8
Re: IPSEC testing
Alex Korchmar wrote to Eugene Grosbein on Jul 17 09:06:54 local time:

From: Alex Korchmar <noreply@linux.e-moe.ru>

Eugene Grosbein <Eugene.Grosbein@f1.n5006.z2.fidonet.org> wrote:

AK>> The SAs that Zhenya demonstrated had no auth at all. And, theoretically,
AK>> NAT can break this auth.
EG> Nowadays, instead of the old-fashioned AH+ESP, ESP_Auth is used,

that is exactly what he has, but in your setup, where "everything works", auth wasn't in the policy list at all.

EG> which has no problems with NAT.

theoretically. In practice it is easy to come up with a way to compute auth first, then pass it through NAT, and only then encrypt, precisely in the case of the unneeded knowledge about how it works that is built into ipsec. So it would be better to reduce the problem to a minimum of unknowns: I'm almost sure Windows can do without auth.

> Alex
--- ifmail v.2.15dev5.4
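
A triage script for racoon output like the logs quoted in this thread, as an added example that is not part of any post: it splits the log into phase 1 negotiations and reports, per peer, how far each one got and which errors were logged during phase 2. The sample lines are copied (shortened) from the logs above; the function names, field names and verdict strings are this example's own.

```python
import re
from collections import Counter
from datetime import datetime

# Lines copied (shortened) from the racoon output quoted in the thread: two negotiations.
SAMPLE = """\
2017-06-28 01:02:25: INFO: respond new phase 1 negotiation: 85.113.221.175[500]<=>2.93.3.213[500]
2017-06-28 01:02:25: ERROR: invalid DH group 20.
2017-06-28 01:02:25: INFO: NAT detected: PEER
2017-06-28 01:02:25: INFO: ISAKMP-SA established 85.113.221.175[4500]-2.93.3.213[4500] spi:b0b96f3c1a3b4eee:a9abecf27ba44a4c
2017-06-28 01:02:25: INFO: respond new phase 2 negotiation: 85.113.221.175[4500]<=>2.93.3.213[4500]
2017-06-28 01:02:25: ERROR: pfkey UPDATE failed: No such process
2017-06-28 01:02:25: INFO: IPsec-SA established: ESP 85.113.221.175[4500]->2.93.3.213[4500] spi=1845983402(0x6e0778aa)
2017-06-28 01:03:00: INFO: purged IPsec-SA proto_id=ESP spi=1845983402.
2017-06-28 21:04:16: INFO: respond new phase 1 negotiation: 85.113.221.175[500]<=>2.93.3.213[500]
2017-06-28 21:04:16: INFO: ISAKMP-SA established 85.113.221.175[4500]-2.93.3.213[4500] spi:dbab2466952e589c:4ea631e262c5c89a
2017-06-28 21:04:16: INFO: respond new phase 2 negotiation: 85.113.221.175[4500]<=>2.93.3.213[4500]
2017-06-28 21:04:16: ERROR: failed to get sainfo.
2017-06-28 21:04:16: ERROR: failed to get sainfo.
"""

LINE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): (?:\[[^\]]+\] )?([A-Z]+): (.*)$")
PEER = re.compile(r"<=>([\d.]+)\[\d+\]")

def summarize(log_text):
    """Return one record per phase 1 negotiation found in racoon output."""
    sessions = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:                      # syslog-style timing lines are skipped
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        level, msg = m.group(2), m.group(3)
        if msg.startswith("respond new phase 1 negotiation"):
            sessions.append({"peer": PEER.search(msg).group(1), "nat": None, "phase1": False,
                             "phase2_tries": 0, "sa_up": None, "sa_down": None, "errors": Counter()})
            continue
        if not sessions:
            continue
        cur = sessions[-1]
        if msg.startswith(("NAT detected", "NAT not detected")):
            cur["nat"] = msg.startswith("NAT detected")
        elif msg.startswith("ISAKMP-SA established"):
            cur["phase1"] = True
        elif msg.startswith("respond new phase 2 negotiation"):
            cur["phase2_tries"] += 1
        elif msg.startswith("IPsec-SA established"):
            cur["sa_up"] = ts
        elif msg.startswith("purged IPsec-SA"):
            cur["sa_down"] = ts
        elif level == "ERROR":         # tag each error with the phase it was logged in
            cur["errors"][(2 if cur["phase2_tries"] else 1, msg)] += 1
    return sessions

def verdict(s):
    """One-line outcome for a record returned by summarize()."""
    p2 = Counter({m: n for (ph, m), n in s["errors"].items() if ph == 2})
    if not s["phase1"]:
        return "phase 1 did not complete"
    if s["sa_up"] is None:
        return "phase 2 failed: " + (p2.most_common(1)[0][0] if p2 else "no error logged")
    out = "IPsec-SA up"
    if s["sa_down"]:
        out += ", purged after %d s" % (s["sa_down"] - s["sa_up"]).total_seconds()
    return out + ("; phase 2 errors: " + ", ".join(p2) if p2 else "")
```

Feeding it a full racoon log gives one verdict per connection attempt, which makes it easy to compare runs before and after a racoon.conf change.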