topology:

192.168.20.240 (vpn) ------------------- 192.168.20.133 (racoon, Debian Linux) -| 192.168.1.1
                                                                                 |
                                                                                 192.168.1.122

the ipsec-tools config, racoon.conf:

path certificate "/var/run/cert/trusted";
path pidfile "/var/run/racoon.pid";
log notify;

listen {
    isakmp 192.168.2.1 [500];
    isakmp_natt 192.168.2.1 [4500];
    isakmp 192.168.20.133 [500];
    isakmp_natt 192.168.20.133 [4500];
    isakmp 192.168.1.1 [500];
    isakmp_natt 192.168.1.1 [4500];

    adminsock "/var/run/racoon.sock";
}
timer {
    natt_keepalive 20 second;
}
remote anonymous
{
    exchange_mode main,aggressive;
    generate_policy on;
    passive on;
    nat_traversal on;

    dpd_delay 10;
    dpd_retry 5;
    dpd_maxfail 5;

    initial_contact on;
    support_proxy on;
    proposal_check obey;
    nonce_size 16;
    ike_frag on;
    certificate_type x509 "mpki.6a005e3c.ed63c06b75836b8b3ae584b65c4fd634" "mpki.6a005e3c.ed63c06b75836b8b3ae584b65c4fd634.k";
    verify_cert on;
    my_identifier asn1dn;
    peers_identifier asn1dn;
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method rsasig;
        dh_group 2;
    }
}
mode_cfg {
    pool_size 253;
    network4 192.168.1.0;
    netmask4 255.255.255.0;
    dns4 192.168.20.1;
    auth_source system;
}
sainfo anonymous {
    pfs_group 2;
    encryption_algorithm 3des,blowfish,twofish,rijndael;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

the vpn client:

remote host: 192.168.20.133
ike udp port: 500
natt negotiation: enable
natt udp port: 4500
enable fragmentation support
auth method: mutual rsa
local, remote: asn1
phase1: aggressive
dh: group2
cipher: 3des
hash: sha1

phase2:
pfs: group2
hash: sha1
transform: esp-3des

policy
remote inclusion:
192.168.1.0/255.255.255.0

When I write verify_cert on in racoon.conf, the racoon log says "verify remote cert error" and the vpn client exits.
When I write verify_cert off in racoon.conf, the vpn client shows connected, but when I ping 192.168.1.122 there is no reply. With tcpdump I can sniff the ping ESP packets, but I can't sniff any packets on the 192.168.1.1 interface.

setkey -DP:

/tmp/etc # /usr/local/sbin/setkey -DP
192.168.20.133[any] 192.168.20.240[any] any
	in prio def ipsec
	esp/tunnel/192.168.20.133-192.168.20.240/require
	created: Nov 21 14:38:32 2006  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=5648 seq=20 pid=8141
	refcnt=1
192.168.1.1[any] 192.168.1.0/24[any] any
	in prio def ipsec
	esp/tunnel/192.168.20.240-192.168.20.133/require
	created: Nov 22 09:57:01 2006  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=6288 seq=19 pid=8141
	refcnt=1
192.168.1.0[any] 192.168.1.0/24[any] any
	in prio def ipsec
	esp/tunnel/192.168.20.240-192.168.20.133/require
	created: Nov 22 09:57:12 2006  lastused:
	lifetime: 3600(s) validtime: 0(s)
	spid=6312 seq=18 pid=8141
	refcnt=2
192.168.20.240[any] 192.168.20.133[any] any
	out prio def ipsec
	esp/tunnel/192.168.20.240-192.168.20.133/require
	created: Nov 21 14:38:32 2006  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=5641 seq=17 pid=8141
	refcnt=1
192.168.1.0/24[any] 192.168.1.1[any] any
	out prio def ipsec
	esp/tunnel/192.168.20.133-192.168.20.240/require
	created: Nov 22 09:57:01 2006  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=6305 seq=16 pid=8141
	refcnt=1
192.168.1.0/24[any] 192.168.1.0[any] any
	out prio def ipsec
	esp/tunnel/192.168.20.133-192.168.20.240/require
	created: Nov 22 09:57:12 2006  lastused:
	lifetime: 3600(s) validtime: 0(s)
	spid=6329 seq=15 pid=8141
	refcnt=2
192.168.20.133[any] 192.168.20.240[any] any
	fwd prio def ipsec
	esp/tunnel/192.168.20.133-192.168.20.240/require
	created: Nov 21 14:38:32 2006  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=5658 seq=14 pid=8141
	refcnt=1
192.168.1.1[any] 192.168.1.0/24[any] any
	fwd prio def ipsec
	esp/tunnel/192.168.20.240-192.168.20.133/require
	created: Nov 22 09:57:01 2006  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=6298 seq=13 pid=8141
	refcnt=1
192.168.1.0[any] 192.168.1.0/24[any] any
	fwd prio def ipsec
	esp/tunnel/192.168.20.240-192.168.20.133/require
	created: Nov 22 09:57:12 2006  lastused:
	lifetime: 3600(s) validtime: 0(s)
	spid=6322 seq=12 pid=8141
	refcnt=2
(per-socket policy)
	in none
	created: Nov 21 15:24:39 2006  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=6251 seq=11 pid=8141
	refcnt=1
(per-socket policy)
	in none
	created: Nov 21 15:24:39 2006  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=6235 seq=10 pid=8141
	refcnt=1
(per-socket policy)
	in none
	created: Nov 21 15:24:39 2006  lastused: Nov 22 09:57:12 2006
	lifetime: 0(s) validtime: 0(s)
	spid=6219 seq=9 pid=8141
	refcnt=1
(per-socket policy)
	in none
	created: Nov 21 15:24:39 2006  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=6203 seq=8 pid=8141
	refcnt=1
(per-socket policy)
	in none
	created: Nov 21 15:24:39 2006  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=6187 seq=7 pid=8141
	refcnt=1
(per-socket policy)
	in none
	created: Nov 21 15:24:39 2006  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=6171 seq=6 pid=8141
	refcnt=1
(per-socket policy)
	out none
	created: Nov 21 15:24:39 2006  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=6260 seq=5 pid=8141
	refcnt=1
(per-socket policy)
	out none
	created: Nov 21 15:24:39 2006  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=6244 seq=4 pid=8141
	refcnt=1
(per-socket policy)
	out none
	created: Nov 21 15:24:39 2006  lastused: Nov 22 09:57:12 2006
	lifetime: 0(s) validtime: 0(s)
	spid=6228 seq=3 pid=8141
	refcnt=1
(per-socket policy)
	out none
	created: Nov 21 15:24:39 2006  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=6212 seq=2 pid=8141
	refcnt=1
(per-socket policy)
	out none
	created: Nov 21 15:24:39 2006  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=6196 seq=1 pid=8141
	refcnt=1
(per-socket policy)
	out none
	created: Nov 21 15:24:39 2006  lastused:
	lifetime: 0(s) validtime: 0(s)
	spid=6180 seq=0 pid=8141
	refcnt=1

On 192.168.20.240:

E:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x50002 ...00 11 11 38 20 be ...... Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
0x60004 ...00 ff 79 1d 0f 43 ...... TAP-Win32 Adapter V8 - Packet Scheduler Miniport
0x60005 ...06 00 3c 47 56 01 ...... VCD VNC Adapter - Packet Scheduler Miniport
0x60006 ...00 0f 3d 82 48 71 ...... D-Link DFE-530TX PCI Fast Ethernet Adapter (rev.C) - Packet Scheduler Miniport
0x2b0008 ...aa aa aa aa aa 00 ...... Shrew Soft Virtual Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     192.168.20.1   192.168.20.240       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
      192.168.1.0    255.255.255.0      192.168.1.0      192.168.1.0       1
      192.168.1.0  255.255.255.255        127.0.0.1        127.0.0.1      30
    192.168.1.255  255.255.255.255      192.168.1.0      192.168.1.0      30
      192.168.2.0    255.255.255.0   192.168.20.133   192.168.20.240       1
     192.168.20.0    255.255.255.0   192.168.20.240   192.168.20.240      20
   192.168.20.240  255.255.255.255        127.0.0.1        127.0.0.1      20
   192.168.20.255  255.255.255.255   192.168.20.240   192.168.20.240      20
        224.0.0.0        240.0.0.0      192.168.1.0      192.168.1.0      30
        224.0.0.0        240.0.0.0   192.168.20.240   192.168.20.240      20
  255.255.255.255  255.255.255.255      192.168.1.0            60005       1
  255.255.255.255  255.255.255.255      192.168.1.0      192.168.1.0       1
  255.255.255.255  255.255.255.255      192.168.1.0            50002       1
  255.255.255.255  255.255.255.255      192.168.1.0            60004       1
  255.255.255.255  255.255.255.255   192.168.20.240   192.168.20.240       1
Default Gateway:      192.168.20.1
===========================================================================
Persistent Routes:
  None


E:\>ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Local Area Connection 7:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter {262EA744-C278-4CC1-8485-E6DE341EA788}:

        Media State . . . . . . . . . . . : Media disconnected

Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.20.240
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.20.1

Ethernet adapter {83887F0C-07FA-486F-92ED-C1535C3CA01D}:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.0
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

E:\>

Please help me check where the error is.
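An added example for this thread (not code from the original post, and not ipsec-tools' own tooling): a small Python parser for the `setkey -DP` output format pasted above, plus three consistency checks a practitioner would run over an SPD like this one before looking anywhere else. It reports host selectors that coincide with the network address of a subnet selector elsewhere in the SPD, `in` policies with no matching `fwd` policy, and `in` policies with no mirrored `out` policy. The sample text inside it is constructed from a subset of the entries above, with one `fwd` entry dropped on purpose so that check has something to report; the example only states what the SPD contains and does not claim to explain the failure described in the post.

```python
"""Parse `setkey -DP` SPD output (ipsec-tools/KAME) and check the policies.
Added example for this thread, not code from the original post."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in the format the post shows.  Entries after the first omit
# the lifetime/refcnt lines (the parser skips them); the `fwd` twin of spid 6312
# is deliberately left out so the forward-policy check has something to report.
SAMPLE = """\
192.168.20.133[any] 192.168.20.240[any] any
    in prio def ipsec
    esp/tunnel/192.168.20.133-192.168.20.240/require
    created: Nov 21 14:38:32 2006  lastused:
    spid=5648 seq=20 pid=8141
    refcnt=1
192.168.1.0[any] 192.168.1.0/24[any] any
    in prio def ipsec
    esp/tunnel/192.168.20.240-192.168.20.133/require
    spid=6312 seq=18 pid=8141
192.168.20.240[any] 192.168.20.133[any] any
    out prio def ipsec
    esp/tunnel/192.168.20.240-192.168.20.133/require
    spid=5641 seq=17 pid=8141
192.168.1.0/24[any] 192.168.1.0[any] any
    out prio def ipsec
    esp/tunnel/192.168.20.133-192.168.20.240/require
    spid=6329 seq=15 pid=8141
192.168.20.133[any] 192.168.20.240[any] any
    fwd prio def ipsec
    esp/tunnel/192.168.20.133-192.168.20.240/require
    spid=5658 seq=14 pid=8141
(per-socket policy)
    in none
    spid=6251 seq=11 pid=8141
"""

HEADER_RE = re.compile(r"^(\S+)\[(\S+)\]\s+(\S+)\[(\S+)\]\s+(\S+)\s*$")
DIR_RE = re.compile(r"^\s+(in|out|fwd)(?:\s+prio\s+\S+)?\s+(\S+)\s*$")
TUN_RE = re.compile(r"^\s+(esp|ah|ipcomp)/(tunnel|transport)/([^/\s]*)/(\S+)\s*$")
SPID_RE = re.compile(r"\bspid=(\d+)")


@dataclass
class Policy:
    direction: str                 # in / out / fwd
    action: str                    # ipsec / none / discard
    src: Optional[str] = None      # selectors; None for per-socket policies
    dst: Optional[str] = None
    tunnels: List[tuple] = field(default_factory=list)  # (proto, mode, local, remote, level)
    spid: Optional[int] = None


def parse_spd(text: str) -> List[Policy]:
    policies, header = [], {}
    for line in filter(str.strip, text.splitlines()):
        if not line[0].isspace():                       # selector line opens a new entry
            m = HEADER_RE.match(line)
            header = {"src": m.group(1), "dst": m.group(3)} if m else {}
        elif (m := DIR_RE.match(line)):                 # direction/action line
            policies.append(Policy(m.group(1), m.group(2), **header))
        elif policies and (m := TUN_RE.match(line)):    # one line per SA requirement
            ep = m.group(3)
            local, remote = ep.split("-", 1) if "-" in ep else (None, None)
            policies[-1].tunnels.append((m.group(1), m.group(2), local, remote, m.group(4)))
        elif policies and (m := SPID_RE.search(line)):
            policies[-1].spid = int(m.group(1))
    return policies


def _key(p: Policy, mirrored: bool = False) -> tuple:
    # Selectors plus tunnel endpoints; mirrored = the policy for the reverse direction.
    tuns = tuple((pr, mo, r, l, lv) if mirrored else (pr, mo, l, r, lv)
                 for pr, mo, l, r, lv in p.tunnels)
    return (p.dst, p.src, tuns) if mirrored else (p.src, p.dst, tuns)


def host_selectors_on_network_address(policies: List[Policy]) -> List[str]:
    """Host selectors equal to the network address of a subnet selector
    elsewhere in the SPD, e.g. 192.168.1.0 beside 192.168.1.0/24."""
    nets = [ipaddress.ip_network(s, strict=False)
            for p in policies for s in (p.src, p.dst) if s]
    subnet_bases = {n.network_address for n in nets if n.prefixlen < n.max_prefixlen}
    return sorted({str(n.network_address) for n in nets
                   if n.prefixlen == n.max_prefixlen and n.network_address in subnet_bases})


def missing_forward_policies(policies: List[Policy]) -> List[Policy]:
    """`in` IPsec policies with no `fwd` policy (Linux consults `fwd` for decapsulated packets it routes onward)."""
    fwd = {_key(p) for p in policies if p.direction == "fwd"}
    return [p for p in policies
            if p.direction == "in" and p.action == "ipsec" and _key(p) not in fwd]


def unmatched_reverse_policies(policies: List[Policy]) -> List[Policy]:
    """`in` IPsec policies whose mirror `out` policy (selectors and tunnel endpoints swapped) is absent."""
    outs = {_key(p, mirrored=True) for p in policies
            if p.direction == "out" and p.action == "ipsec"}
    return [p for p in policies
            if p.direction == "in" and p.action == "ipsec" and _key(p) not in outs]


if __name__ == "__main__":
    pols = parse_spd(SAMPLE)
    print("host selectors on a network address:", host_selectors_on_network_address(pols))
    print("in policies lacking fwd:", [p.spid for p in missing_forward_policies(pols)])
    print("in policies lacking mirror out:", [p.spid for p in unmatched_reverse_policies(pols)])
```

To run it against a live box, pass the text of `setkey -DP` to `parse_spd` instead of `SAMPLE`; the per-socket entries and the `created`/`lifetime`/`refcnt` lines are tolerated and ignored.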