A question about IPsec; experts please weigh in.

Posted on 2011-03-11 18:07
    I am setting up an IPsec test environment using Sun's virtual machine software, with CentOS installed (I upgraded ipsec to 0.8 and recompiled the kernel with AH, ESP and IPCOMP support).

   Please look at my experiment 1. I only configured setkey.conf, as follows:
  # SAD entries
  flush;
  # flush SPD entries
  spdflush;

  # The SA entries are commented out: I want racoon to negotiate them, so these are not needed.
  # add SA entries
  #add 10.11.112.208 10.11.112.209 esp 0x1234 -m transport -E 3des-cbc 0x84cc855d6892207565811df4edd6bff5cf53af9106b72461 -A hmac-sha1 0xb48408f4655000f588a1a22cc14697d1a4d259cd;
  #add 10.11.112.209 10.11.112.208 esp 0x5678 -m transport -E 3des-cbc 0x6df8e9fc37255c9ba467be460187abc29e20e808f17591aa -A hmac-sha1 0x760c7721c03cf906c7fd70d0c9b9afd5785a1548;

  # add SP entries
  spdadd 10.11.112.208 10.11.112.209 any -P in  ipsec esp/transport//require esp/transport//require;
  spdadd 10.11.112.209 10.11.112.208 any -P out ipsec esp/transport//require esp/transport//require;

At this point the two hosts can ping each other, and a packet capture shows ESP packets. Experiment 1: success.

    Experiment 2: I want to negotiate the SAs with racoon. Here is my racoon.conf:
  path include "/etc/racoon";
  path pre_shared_key "/etc/racoon/psk.txt";
  path certificate "/etc/racoon/certs";

  # $KAME: racoon.conf.sample,v 1.28 2002/10/18 14:33:28 itojun Exp $

  # "path" affects "include" directives.  "path" must be specified before any
  # "include" directive with relative file path.
  # you can overwrite "path" directive afterwards, however, doing so may add
  # more confusion.
  #path include "/usr/local/v6/etc" ;
  #include "remote.conf" ;

  # the file should contain key ID/key pairs, for pre-shared key authentication.

  # racoon will look for certificate file in the directory,
  # if the certificate/certificate request payload is received.
  #path certificate "/usr/local/openssl/certs" ;

  # "log" specifies logging level.  It is followed by either "notify", "debug"
  # or "debug2".
  log debug2;

  remote anonymous
  {
          #exchange_mode main,aggressive,base;
          exchange_mode main,base;

          #my_identifier fqdn "server.kame.net";
          #certificate_type x509 "foo@kame.net.cert" "foo@kame.net.priv" ;

          lifetime time 24 hour ;        # sec,min,hour

          #initial_contact off ;
          #passive on ;

          # phase 1 proposal (for ISAKMP SA)
          proposal {
                  encryption_algorithm 3des;
                  hash_algorithm sha1;
                  authentication_method pre_shared_key ;
                  dh_group 2 ;
          }

          # the configuration could make racoon (as a responder)
          # obey the initiator's lifetime and PFS group proposal,
          # by setting proposal_check to obey.
          # this would make testing "so much easier", but is really
          # *not* secure !!!
          proposal_check strict;
  }

  # phase 2 proposal (for IPsec SA).
  # actual phase 2 proposal will obey the following items:
  # - kernel IPsec policy configuration (like "esp/transport//use")
  # - permutation of the crypto/hash/compression algorithms presented below
  sainfo anonymous
  {
          pfs_group 2;
          lifetime time 12 hour ;
          encryption_algorithm 3des, cast128, blowfish 448, des, rijndael ;
          authentication_algorithm hmac_sha1, hmac_md5 ;
          compression_algorithm deflate ;
  }
I took this from the sample in the source tree. Now when I ping between the two VMs, the ping no longer gets through. I have looked up many configuration guides online, but none of them worked, so I am asking those who know this to take a look and explain it. How should I go about debugging this? Earlier I started racoon with -d, but the output was only this little bit; I don't know whether the configuration is wrong or something else is going on:
  2011-03-11 03:05:58: INFO: @(#)ipsec-tools 0.8.0.RC (http://ipsec-tools.sourceforge.net)
  2011-03-11 03:05:58: INFO: @(#)This product linked OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 (http://www.openssl.org/)
  2011-03-11 03:05:58: INFO: Reading configuration from "racoon.conf"
  2011-03-11 03:07:30: INFO: @(#)ipsec-tools 0.8.0.RC (http://ipsec-tools.sourceforge.net)
  2011-03-11 03:07:30: INFO: @(#)This product linked OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 (http://www.openssl.org/)
  2011-03-11 03:07:30: INFO: Reading configuration from "racoon.conf"

Please help me make sense of this and share your experience. Thanks in advance!

Posted on 2011-03-14 12:58
Can someone take a look? I have been waiting for several days.

Posted on 2011-03-15 17:01
OP, the debug information you posted is not very detailed; there should be detailed racoon output in the log directory.
How did you set up the pre-shared key on each side? Do they match?
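An added check in the spirit of the reply above (example code, not from the thread): with `exchange_mode main` and `authentication_method pre_shared_key`, racoon looks the secret up by the peer's IP address, so `psk.txt` on each host must hold a `<peer-ip> <secret>` line, and racoon (as I recall) refuses a psk.txt that is group- or world-readable. The helpers below, run against a constructed psk.txt, check the permission bits, find the peer's entry, and print a fingerprint so the two hosts' keys can be compared without pasting the secret itself.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes main mode + pre_shared_key,
# where racoon keys psk.txt by the peer's IP address, and (as I recall)
# rejects the file if it has any group/other permission bits.

# Return 0 if the file has no group/other permission bits
# (GNU stat, with a BSD stat fallback).
psk_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the secret configured for a peer address; fail if there is none.
psk_for_peer() {
    awk -v peer="$2" '
        /^[[:space:]]*(#|$)/ { next }          # skip comments and blank lines
        $1 == peer           { print $2; found = 1; exit }
        END                  { exit found ? 0 : 1 }' "$1"
}

# Short SHA-256 fingerprint of the peer's secret: safe to read out when
# comparing the two hosts' psk.txt files, unlike the secret itself.
psk_fingerprint() {
    secret=$(psk_for_peer "$1" "$2") || return 1
    printf '%s' "$secret" | sha256sum | cut -c1-16
}

# Constructed psk.txt as it would look on the .209 host (peer is .208).
demo_dir=$(mktemp -d)
cat > "$demo_dir/psk.txt" <<'EOF'
# peer address      secret (constructed sample value)
10.11.112.208       lab-psk-constructed-sample
EOF
chmod 600 "$demo_dir/psk.txt"

psk_mode_ok "$demo_dir/psk.txt" && echo "psk.txt permissions OK"
echo "fingerprint for 10.11.112.208: $(psk_fingerprint "$demo_dir/psk.txt" 10.11.112.208)"
```

Run the same script against the other host's psk.txt with the peer address swapped; matching fingerprints mean matching secrets.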