Hi all,

I'm trying to pair Linux with a Cisco PIX over IPsec. I built ipsec(-tools) and racoon.

-----------
uname -a
Linux blackhole.adamant.net 2.6.10-cko3 #1 Fri Jan 21 17:28:57 EET 2005 i686 i686 i386 GNU/Linux

-----------
#!/sbin/setkey -f
flush;
spdflush;
spdadd 10.100.102.0/24 10.100.101.0/24 any -P out ipsec esp/tunnel/10.0.0.2-10.0.0.1/require;
spdadd 10.100.101.0/24 10.100.102.0/24 any -P in ipsec esp/tunnel/10.0.0.1-10.0.0.2/require;

-----------
remote 10.0.0.1 {
        exchange_mode main;
        lifetime time 24 hour;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm md5;
                authentication_method pre_shared_key;
                dh_group 1;
        }
}

sainfo address 10.100.102.0/24 any address 10.100.101.0/24 any {
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm non_auth;
        compression_algorithm deflate;
        pfs_group 1;
}

--------------
And on the PIX, correspondingly:

access-list remote-net permit ip 10.100.101.0 255.255.255.0 10.100.102.0 255.255.255.0
ip address outside 10.0.0.1 255.255.255.252
ip address inside 10.100.101.1 255.255.255.0
nat (inside) 0 0.0.0.0 0.0.0.0 0 0
route outside 10.100.102.0 255.255.255.0 10.0.0.2 1
sysopt connection tcpmss 1280
sysopt connection permit-ipsec
crypto ipsec transform-set simple esp-3des
crypto map ipsec-map 10 ipsec-isakmp
crypto map ipsec-map 10 match address remote-net
crypto map ipsec-map 10 set pfs
crypto map ipsec-map 10 set peer 10.0.0.2
crypto map ipsec-map 10 set transform-set simple
crypto map ipsec-map interface outside
isakmp enable outside
isakmp key ******** address 10.0.0.2 netmask 255.255.255.255 no-xauth no-config-mode
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 1
isakmp policy 10 lifetime 86400

---------------------------------
I tried DH groups 2 and 5 as well, and both 3des and des for encryption; the result is the same.

------------------------
Info from the PIX:

show crypto isakmp sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
    10.0.0.1          10.0.0.2    QM_IDLE         0           1

show crypto ipsec sa

interface: outside
    Crypto map tag: ipsec-map, local addr. 10.0.0.1

   local  ident (addr/mask/prot/port): (10.100.101.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.100.102.0/255.255.255.0/0/0)
   current_peer: 10.0.0.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5501, #pkts encrypt: 5501, #pkts digest 0
    #pkts decaps: 4939, #pkts decrypt: 4942, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 30, #recv errors 3

     local crypto endpt.: 10.0.0.1, remote crypto endpt.: 10.0.0.2
     path mtu 1500, ipsec overhead 44, media mtu 1500
     current outbound spi: 54eb4fb

     inbound esp sas:
      spi: 0x54b459b(88819099)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: ipsec-map
        sa timing: remaining key lifetime (k/sec): (4607864/2263)
        IV size: 8 bytes
        replay detection support: N

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x54eb4fb(89044219)
        transform: esp-3des ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: ipsec-map
        sa timing: remaining key lifetime (k/sec): (4607874/2259)
        IV size: 8 bytes
        replay detection support: N

     outbound ah sas:

     outbound pcp sas:

------------------------
setkey -D on the Linux box:

10.0.0.2 10.0.0.1
        esp mode=tunnel spi=88819099(0x054b459b) reqid=0(0x00000000)
        E: 3des-cbc  c02e061c ebb71f36 214a9740 fd0b9537 29d1e792 d5aa6e05
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jan 25 13:38:53 2005   current: Jan 25 14:06:16 2005
        diff: 1643(s)   hard: 3600(s)   soft: 2880(s)
        last: Jan 25 13:38:54 2005      hard: 0(s)      soft: 0(s)
        current: 203360(bytes)  hard: 0(bytes)  soft: 0(bytes)
        allocated: 1640 hard: 0 soft: 0
        sadb_seq=1 pid=7380 refcnt=0
10.0.0.1 10.0.0.2
        esp mode=tunnel spi=89044219(0x054eb4fb) reqid=0(0x00000000)
        E: 3des-cbc  ce0e427f 8f6c79e6 f166d527 d60c82b0 f3ed1031 0d4bce00
        seq=0x00000000 replay=4 flags=0x00000000 state=mature
        created: Jan 25 13:38:53 2005   current: Jan 25 14:06:16 2005
        diff: 1643(s)   hard: 3600(s)   soft: 2880(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=7380 refcnt=0

setkey -DP on the Linux box:

10.100.101.0/24[any] 10.100.102.0/24[any] any
        in ipsec
        esp/tunnel/10.0.0.1-10.0.0.2/require
        created: Jan 25 13:38:52 2005  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=1000 seq=9 pid=7356
        refcnt=1
10.100.102.0/24[any] 10.100.101.0/24[any] any
        out ipsec
        esp/tunnel/10.0.0.2-10.0.0.1/require
        created: Jan 25 13:38:52 2005  lastused: Jan 25 14:05:26 2005
        lifetime: 0(s) validtime: 0(s)
        spid=993 seq=8 pid=7356
        refcnt=2
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in none
        created: Jan 25 13:33:15 2005  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=963 seq=7 pid=7356
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in none
        created: Jan 25 13:33:15 2005  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=947 seq=6 pid=7356
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in none
        created: Jan 25 13:33:15 2005  lastused: Jan 25 13:39:21 2005
        lifetime: 0(s) validtime: 0(s)
        spid=931 seq=5 pid=7356
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        in none
        created: Jan 25 13:33:15 2005  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=915 seq=4 pid=7356
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out none
        created: Jan 25 13:33:15 2005  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=972 seq=3 pid=7356
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out none
        created: Jan 25 13:33:15 2005  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=956 seq=2 pid=7356
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out none
        created: Jan 25 13:33:15 2005  lastused: Jan 25 13:38:53 2005
        lifetime: 0(s) validtime: 0(s)
        spid=940 seq=1 pid=7356
        refcnt=1
0.0.0.0/0[any] 0.0.0.0/0[any] any
        out none
        created: Jan 25 13:33:15 2005  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=924 seq=0 pid=7356
        refcnt=1

-------------------------
On both ends I hung a penguin (a Linux box) off the "inside" interfaces. So:
the keys negotiated; the PIX sees the packets from Linux, receives them and forwards them on
(they are visible with tcpdump on the far-end penguin); the PIX encrypts the replies it gets
and sends them to Linux, and THOSE are also visible with tcpdump:

13:55:12.513078 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d2)
13:55:12.513516 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:13.512954 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d3)
13:55:13.513387 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:13.947616 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:14.512815 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d4)
13:55:14.513245 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:15.512682 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d5)
13:55:15.513117 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:16.512551 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d6)
13:55:16.513068 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:17.522446 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d7)
13:55:17.522887 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)

But Linux either doesn't decrypt these packets or who knows what; in any case the replies
never go out the inside interface. The only thing that bothers me is that Linux sets seq
and the PIX doesn't.

Does anyone have ideas how to make all this work?

--
Best regards,
Aleksander Trotsai aka MAGE-RIPE aka MAGE-UANIC
My PGP key at ftp://blackhole.adamant.ua/pgp/trotsai.key[.asc]
I type at 1200 characters a minute. That's why it comes out as such nonsense...

===================================================================
uanog mailing list. To Unsubscribe: send mail to majordomo@uanog.kiev.ua
with "unsubscribe uanog" in the body of the message
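The post ends on the observation that one peer increments the ESP sequence number and the other sends seq=0x0 on every packet. Whether that matters depends entirely on the receiver: an SA that does anti-replay checking (the Linux SAs above show replay=4, a four-packet window) treats a sequence number it has already seen as a replay and discards the packet, and the Linux xfrm replay check additionally refuses sequence number 0 outright when a window is configured. The script below is an added example, not part of the original post or of any Cisco or ipsec-tools code. It parses tcpdump ESP lines (the sample is the capture from the post, embedded as a constructed string), runs each SPI's packets through an RFC 2401 Appendix C style sliding window, and reports which SPIs would be dropped and which sender never increments its counter. The window size, the reject_zero switch and the function names are my own choices for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the tcpdump lines from the post, embedded so this runs offline.
CAPTURE = """\
13:55:12.513078 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d2)
13:55:12.513516 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:13.512954 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d3)
13:55:13.513387 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:13.947616 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:14.512815 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d4)
13:55:14.513245 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:15.512682 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d5)
13:55:15.513117 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:16.512551 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d6)
13:55:16.513068 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
13:55:17.522446 IP 10.0.0.2 > 10.0.0.1: ESP(spi=0x054b459b,seq=0x3d7)
13:55:17.522887 IP 10.0.0.1 > 10.0.0.2: ESP(spi=0x054eb4fb,seq=0x0)
"""

# Matches the ESP summary tcpdump prints for an unencrypted-view capture.
ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=0x([0-9a-f]+),seq=0x([0-9a-f]+)\)")


def parse_esp(text):
    """Yield (src, dst, spi, seq) for every ESP line in tcpdump output."""
    for line in text.splitlines():
        m = ESP_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3), 16), int(m.group(4), 16)


class ReplayWindow:
    """Sliding anti-replay window for one inbound SA (RFC 2401 Appendix C model).

    bit i of `bitmap` set means sequence number (top - i) has been accepted.
    reject_zero mirrors the Linux xfrm behaviour of refusing seq 0 when a window is set.
    """

    def __init__(self, size, reject_zero=True):
        self.size = size
        self.reject_zero = reject_zero
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # seen-bits for top, top-1, ... top-(size-1)

    def check_and_update(self, seq):
        """Return True if the packet is accepted, False if the window drops it."""
        if seq == 0 and self.reject_zero:
            return False
        if seq > self.top:                      # new high water mark: slide the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) if shift < self.size else 1
            self.bitmap &= (1 << self.size) - 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:                   # older than the window: drop
            return False
        if self.bitmap & (1 << diff):           # already seen: replay, drop
            return False
        self.bitmap |= 1 << diff                # inside the window and new: accept
        return True


def audit(capture, window=4, reject_zero=True):
    """Run each SPI's packets through its own replay window; return per-SPI counters."""
    windows = {}
    stats = defaultdict(lambda: {"seen": 0, "accepted": 0, "dropped": 0})
    for _src, _dst, spi, seq in parse_esp(capture):
        win = windows.setdefault(spi, ReplayWindow(window, reject_zero))
        st = stats[spi]
        st["seen"] += 1
        if win.check_and_update(seq):
            st["accepted"] += 1
        else:
            st["dropped"] += 1
    return dict(stats)


def constant_seq_spis(capture):
    """SPIs whose sender never changes the ESP sequence number (e.g. always 0)."""
    seqs = defaultdict(set)
    for _src, _dst, spi, seq in parse_esp(capture):
        seqs[spi].add(seq)
    return sorted(spi for spi, s in seqs.items() if len(s) == 1)


if __name__ == "__main__":
    for spi, st in audit(CAPTURE).items():
        print(f"spi=0x{spi:08x} seen={st['seen']} accepted={st['accepted']} dropped={st['dropped']}")
    print("SPIs with a constant sequence number:", [hex(s) for s in constant_seq_spis(CAPTURE)])
```

Run against the capture, the 10.0.0.2 -> 10.0.0.1 direction (spi 0x054b459b, seq 0x3d2..0x3d7) passes every packet, while all seven packets on spi 0x054eb4fb are dropped; with reject_zero=False a pure sliding window still accepts only the first seq=0 and drops the remaining six as replays. To try it on a live capture, feed it `tcpdump -n esp` output. A receiver that cannot run anti-replay with this sender (no ESP authentication means the sequence number is not integrity-protected anyway) would have to disable the window on that SA, which in setkey terms is the per-SA replay window value shown in `setkey -D`.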