[Vpn-help] vpn-release-1.1 communicate with racoon problem

Zhao Tongyi zhaotongyi at gmail.com
Tue Nov 21 20:23:05 CST 2006


topology                     192.168.20.240(vpn )-------------------
192.168.20.133(racoon,debian linux)-|192.168.1.1

                    |

192.168.1.122

The ipsec-tools configuration, racoon.conf:

# ipsec-tools racoon.conf as posted (responder side, 192.168.20.133).
# Review comments only; every directive below is unchanged from the post.
path certificate "/var/run/cert/trusted";
path pidfile "/var/run/racoon.pid";
log notify;

# Three listen addresses. 192.168.2.1 is not in the topology sketch above; the
# client's route print does show a 192.168.2.0/24 route via 192.168.20.133, so
# presumably it is a second LAN on this host — confirm.
listen {
        isakmp 192.168.2.1 [500];
        isakmp_natt 192.168.2.1 [4500];
        isakmp 192.168.20.133 [500];
        isakmp_natt 192.168.20.133 [4500];
        isakmp 192.168.1.1 [500];
        isakmp_natt 192.168.1.1 [4500];

        adminsock "/var/run/racoon.sock";
}
timer{
        natt_keepalive 20 second;
}
# "anonymous": this block applies to any peer that connects; passive on means
# racoon only responds to a peer's initiation, never initiates itself.
remote anonymous
{
        exchange_mode main,aggressive;
        # SPD entries are generated from what the client proposes in phase 2;
        # the 192.168.1.0[any] <-> 192.168.1.0/24 policies in the setkey -DP
        # dump below (lifetime 3600s, created 09:57:12) presumably come from here.
        generate_policy on;
        passive on;
        nat_traversal on;

        dpd_delay 10;
        dpd_retry 5;
        dpd_maxfail 5;

        initial_contact on;
        support_proxy on;
        proposal_check obey;
        nonce_size 16;
        ike_frag on;
        # Certificate and key file names (looked up under "path certificate").
        # The line break inside the quoted names looks like mail wrapping rather
        # than the real file contents — confirm each name is on one line.
        certificate_type x509 "
mpki.6a005e3c.ed63c06b75836b8b3ae584b65c4fd634" "
mpki.6a005e3c.ed63c06b75836b8b3ae584b65c4fd634.k";
        # With verify_cert on, the peer's certificate is checked (presumably
        # against the CA material under "path certificate"); that is where the
        # "verify remote cert" error reported below is raised. Turning it off
        # brings the tunnel up, but the peer is then no longer authenticated by
        # its certificate, so the verification failure (trust-store contents,
        # CA chain, asn1dn identifier match) is the thing to fix, not bypass.
        verify_cert on;
        my_identifier asn1dn;
        peers_identifier asn1dn;
        proposal{
                # Phase 1 proposal; matches the client settings listed below
                # (aggressive, 3des, sha1, group2, mutual rsa). 3DES / SHA-1 /
                # 1024-bit DH group 2 are weak by current standards — prefer
                # AES, SHA-2 and DH group 14 or higher once both ends support them.
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method rsasig;
                dh_group 2;

        }

}
# Virtual-address pool handed to mode-config clients. The pool begins at
# network4 and is pool_size addresses long, so the first client is given
# 192.168.1.0 itself — which is exactly what the client's ipconfig output
# below shows (IP Address 192.168.1.0). That is the network address of the
# LAN behind 192.168.1.1, and the pool overlaps that LAN entirely. The setkey
# dump also holds policies for 192.168.1.1 (the gateway's own LAN address)
# created 11 s earlier; whether a client was handed that address cannot be
# told from here. NOTE(review): a pool that does not overlap 192.168.1.0/24
# (or at least does not start at .0) is the first thing to try for the ping
# failure — confirm against the racoon.conf documentation for your version.
mode_cfg {
        pool_size 253;
        network4 192.168.1.0;
        netmask4 255.255.255.0;
        dns4 192.168.20.1;
        auth_source system;
}
# Phase 2 parameters offered to any peer; the client proposes esp-3des with
# PFS group 2, so 3des/hmac_sha1 is presumably what gets negotiated.
sainfo anonymous {
        pfs_group 2;
        encryption_algorithm 3des,blowfish,twofish,rijndael;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;

}

The VPN client settings:
remote host 192.168.20.133
ike udp port 500
natt negotiation: enable
natt udp port:4500
enable fragmentation support
auth method:mutual rsa
local,remote asn1
phase1 :aggressive
dh:group2
cipher: 3des
hash:sha1


phase2:
pfs:group2
hash:sha1
transform: esp-3des

policy
remote inclusion:
192.168.1.0/255.255.255.0

When I set verify_cert on in racoon.conf, the racoon log reports a remote certificate verification error and the VPN client exits.
When I set verify_cert off in racoon.conf, the VPN client shows connected, but when I ping 192.168.1.122 I get no reply; with tcpdump I can see the ESP packets carrying the ping, but I cannot see any packets on the 192.168.1.1 interface.

setkey -DP
/tmp/etc # /usr/local/sbin/setkey -DP
192.168.20.133[any] 192.168.20.240[any] any
        in prio def ipsec
        esp/tunnel/192.168.20.133-192.168.20.240/require
        created: Nov 21 14:38:32 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=5648 seq=20 pid=8141
        refcnt=1
192.168.1.1[any] 192.168.1.0/24[any] any
        in prio def ipsec
        esp/tunnel/192.168.20.240-192.168.20.133/require
        created: Nov 22 09:57:01 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=6288 seq=19 pid=8141
        refcnt=1
192.168.1.0[any] 192.168.1.0/24[any] any
        in prio def ipsec
        esp/tunnel/192.168.20.240-192.168.20.133/require
        created: Nov 22 09:57:12 2006  lastused:
        lifetime: 3600(s) validtime: 0(s)
        spid=6312 seq=18 pid=8141
        refcnt=2
192.168.20.240[any] 192.168.20.133[any] any
        out prio def ipsec
        esp/tunnel/192.168.20.240-192.168.20.133/require
        created: Nov 21 14:38:32 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=5641 seq=17 pid=8141
        refcnt=1
192.168.1.0/24[any] 192.168.1.1[any] any
        out prio def ipsec
        esp/tunnel/192.168.20.133-192.168.20.240/require
        created: Nov 22 09:57:01 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=6305 seq=16 pid=8141
        refcnt=1
192.168.1.0/24[any] 192.168.1.0[any] any
        out prio def ipsec
        esp/tunnel/192.168.20.133-192.168.20.240/require
        created: Nov 22 09:57:12 2006  lastused:
        lifetime: 3600(s) validtime: 0(s)
        spid=6329 seq=15 pid=8141
        refcnt=2
192.168.20.133[any] 192.168.20.240[any] any
        fwd prio def ipsec
        esp/tunnel/192.168.20.133-192.168.20.240/require
        created: Nov 21 14:38:32 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=5658 seq=14 pid=8141
        refcnt=1
192.168.1.1[any] 192.168.1.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/192.168.20.240-192.168.20.133/require
        created: Nov 22 09:57:01 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=6298 seq=13 pid=8141
        refcnt=1
192.168.1.0[any] 192.168.1.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/192.168.20.240-192.168.20.133/require
        created: Nov 22 09:57:12 2006  lastused:
        lifetime: 3600(s) validtime: 0(s)
        spid=6322 seq=12 pid=8141
        refcnt=2
(per-socket policy)
        in none
        created: Nov 21 15:24:39 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=6251 seq=11 pid=8141
        refcnt=1
(per-socket policy)
        in none
        created: Nov 21 15:24:39 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=6235 seq=10 pid=8141
        refcnt=1
(per-socket policy)
        in none
        created: Nov 21 15:24:39 2006  lastused: Nov 22 09:57:12 2006
        lifetime: 0(s) validtime: 0(s)
        spid=6219 seq=9 pid=8141
        refcnt=1
(per-socket policy)
        in none
        created: Nov 21 15:24:39 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=6203 seq=8 pid=8141
        refcnt=1
(per-socket policy)
        in none
        created: Nov 21 15:24:39 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=6187 seq=7 pid=8141
        refcnt=1
(per-socket policy)
        in none
        created: Nov 21 15:24:39 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=6171 seq=6 pid=8141
        refcnt=1
(per-socket policy)
        out none
        created: Nov 21 15:24:39 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=6260 seq=5 pid=8141
        refcnt=1
(per-socket policy)
        out none
        created: Nov 21 15:24:39 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=6244 seq=4 pid=8141
        refcnt=1
(per-socket policy)
        out none
        created: Nov 21 15:24:39 2006  lastused: Nov 22 09:57:12 2006
        lifetime: 0(s) validtime: 0(s)
        spid=6228 seq=3 pid=8141
        refcnt=1
(per-socket policy)
        out none
        created: Nov 21 15:24:39 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=6212 seq=2 pid=8141
        refcnt=1
(per-socket policy)
        out none
        created: Nov 21 15:24:39 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=6196 seq=1 pid=8141
        refcnt=1
(per-socket policy)
        out none
        created: Nov 21 15:24:39 2006  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=6180 seq=0 pid=8141
        refcnt=1

192.168.20.240
route print



E:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x50002 ...00 11 11 38 20 be ...... Intel(R) PRO/100 VE Network Connection -
Pac
ket Scheduler Miniport
0x60004 ...00 ff 79 1d 0f 43 ...... TAP-Win32 Adapter V8 - Packet Scheduler
Mini
port
0x60005 ...06 00 3c 47 56 01 ...... VCD VNC Adapter - Packet Scheduler
Miniport
0x60006 ...00 0f 3d 82 48 71 ...... D-Link DFE-530TX PCI Fast Ethernet
Adapter (
rev.C) - Packet Scheduler Miniport
0x2b0008 ...aa aa aa aa aa 00 ...... Shrew Soft Virtual Adapter - Packet
Schedul
er Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.20.1  192.168.20.240       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.0     192.168.1.0       1
      192.168.1.0  255.255.255.255        127.0.0.1       127.0.0.1       30
    192.168.1.255  255.255.255.255      192.168.1.0     192.168.1.0       30
      192.168.2.0    255.255.255.0   192.168.20.133  192.168.20.240       1
     192.168.20.0    255.255.255.0   192.168.20.240  192.168.20.240       20
   192.168.20.240  255.255.255.255        127.0.0.1       127.0.0.1       20
   192.168.20.255  255.255.255.255   192.168.20.240  192.168.20.240       20
        224.0.0.0        240.0.0.0      192.168.1.0     192.168.1.0       30
        224.0.0.0        240.0.0.0   192.168.20.240  192.168.20.240       20
  255.255.255.255  255.255.255.255      192.168.1.0           60005       1
  255.255.255.255  255.255.255.255      192.168.1.0     192.168.1.0       1
  255.255.255.255  255.255.255.255      192.168.1.0           50002       1
  255.255.255.255  255.255.255.255      192.168.1.0           60004       1
  255.255.255.255  255.255.255.255   192.168.20.240  192.168.20.240       1
Default Gateway:      192.168.20.1
===========================================================================
Persistent Routes:
  None


E:\>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Local Area Connection 7:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter {262EA744-C278-4CC1-8485-E6DE341EA788}:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.20.240
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.20.1

Ethernet adapter {83887F0C-07FA-486F-92ED-C1535C3CA01D}:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.0
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

E:\>



Please help me find where the error is.