Hi everyone, I am connected to a VPN via Openswan running on SUSE 9.2, peered with a Cisco IOS router.
I brought the VPN up and it connected, as you can see in the log:
Jan 2 15:52:52 linux-ar3 pluto[1484]: "movistar" #10: initiating Main Mode to replace #5
Jan 2 15:52:52 linux-ar3 pluto[1484]: "movistar" #10: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 2 15:52:52 linux-ar3 pluto[1484]: "movistar" #10: ignoring Vendor ID payload [3de620bdfd5839ceeebe247eb434e573]
Jan 2 15:52:52 linux-ar3 pluto[1484]: "movistar" #10: I did not send a certificate because I do not have one.
Jan 2 15:52:52 linux-ar3 pluto[1484]: "movistar" #10: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 2 15:52:52 linux-ar3 pluto[1484]: "movistar" #10: Peer ID is ID_IPV4_ADDR: 'xxx.xxx.xxx.233'
Jan 2 15:52:52 linux-ar3 pluto[1484]: "movistar" #10: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jan 2 15:52:52 linux-ar3 pluto[1484]: "movistar" #10: ISAKMP SA established
Up to this point everything is OK. The service I need to use runs on the machine xxx.xxx.xxx.101 on port 2000, and from a machine yyy.yyy.yyy.119 (on another network) I cannot connect. Talking to technical support, they told me that the packets are not going through the VPN tunnel and are arriving without encryption. The ipsec.conf settings are as follows:
/etc/ipsec.conf-----------------------
config setup
        interfaces="ipsec0=eth2"
        klipsdebug=no
        plutodebug=no

conn movistar
        type=tunnel
        left=xxx.xxx.xxx.233
        leftnexthop=xxx.xxx.xxx.101
        right=yyy.yyy.yyy.117
        leftsubnet=xxx.xxx.xxx.101/32
        auto=start
        authby=secret
        auth=esp
        esp=3des
        ah=sha1
        pfs=yes
        rightsubnet=yyy.yyy.yyy.119/32
        rightnexthop=yyy.yyy.yyy.119
To clarify: xxx.xxx.xxx is the network I want to connect to and yyy.yyy.yyy is my network. All of these are valid (public) IPs. When I passed the details to support they told me that the encryption domain could not be the same as the VPN peer, which is why yyy.yyy.yyy.119 appears as rightnexthop, since I want to connect directly from yyy.yyy.yyy.119; these masks are the ones support gave me and the only ones that work for connecting.
My routes on the machine yyy.yyy.yyy.117 are:
Kernel IP routing table
Destination     Gateway          Genmask          Flags Metric Ref    Use Iface
xxx.xxx.xxx.101 yyy.yyy.yyy.119  255.255.255.255  UGH   0      0        0 eth2
yyy.yyy.yyy.112 0.0.0.0          255.255.255.240  U     0      0        0 eth2
192.168.1.0     0.0.0.0          255.255.255.0    U     0      0        0 eth1
169.254.0.0     0.0.0.0          255.255.0.0      U     0      0        0 eth2
127.0.0.0       0.0.0.0          255.0.0.0        U     0      0        0 lo
0.0.0.0         200.123.137.126  0.0.0.0          UG    0      0        0 eth2
On the machine yyy.yyy.yyy.119 they are:
Kernel IP routing table
Destination     Gateway          Genmask          Flags Metric Ref    Use Iface
xxx.xxx.xxx.101 yyy.yyy.yyy.117  255.255.255.255  UGH   0      0        0 eth0
yyy.yyy.yyy.112 0.0.0.0          255.255.255.240  U     0      0        0 eth0
192.168.1.0     0.0.0.0          255.255.255.0    U     0      0        0 eth1
169.254.0.0     0.0.0.0          255.255.0.0      U     0      0        0 eth0
127.0.0.0       0.0.0.0          255.0.0.0        U     0      0        0 lo
0.0.0.0         200.123.137.126  0.0.0.0          UG    0      0        0 eth0
Output of ipsec whack --status:
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth1/eth1 192.168.1.51
000 interface eth2/eth2 yyy.yyy.yyy.117
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,20,36} trans={0,20,336} attrs={0,20,224}
000
000 "movistar": yyy.yyy.yyy.119/32===yyy.yyy.yyy.117---yyy.yyy.yyy.119...xxx.xxx.xxx.101---xxx.xxx.xxx.233===xxx.xxx.xxx.101/32; erouted; eroute owner: #8
000 "movistar": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "movistar": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 32,32; interface: eth2;
000 "movistar": newest ISAKMP SA: #14; newest IPsec SA: #8;
000 "movistar": IKE algorithms wanted: 5_000-1-5, 5_000-1-2, 5_000-2-5, 5_000-2-2, flags=-strict
000 "movistar": IKE algorithms found: 5_192-1_128-5, 5_192-1_128-2, 5_192-2_160-5, 5_192-2_160-2,
000 "movistar": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "movistar": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "movistar": ESP algorithms loaded: 3_000-1, 3_000-2, flags=-strict
000 "movistar": ESP algorithm newest: 3DES_0-HMAC_MD5; pfsgroup=<Phase1>
000
000 #8: "movistar" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 25948s; newest IPSEC; eroute owner
000 #8: "movistar" [email protected].233 [email protected].117 [email protected].233 [email protected].117
000 #6: "movistar" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_EXPIRE in 851s
000 #14: "movistar" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2797s; newest ISAKMP
000
Can anyone send me some tips?
Thanks, Rangel
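As an added diagnostic (not part of the original post), a small Python check of the two conditions a packet must meet to leave a KLIPS gateway encrypted: it must fall inside the connection's selector pair, as printed on the `===`/`---` eroute line of `ipsec whack --status`, and the kernel route for its destination must point at the ipsec0 interface rather than the physical eth2. The sample status line and routing table are constructed from the ones in the post, with documentation addresses standing in for the xxx/yyy octets (an assumption); the eroute layout `thissubnet===thisgw---thisnexthop...peernexthop---peergw===peersubnet` is Openswan's.

```python
import ipaddress
import re

# Constructed samples modelled on the `ipsec whack --status` eroute line and the gateway's
# routing table in the post; the obfuscated xxx/yyy octets are documentation addresses (assumed).
STATUS_LINE = ('000 "movistar": 203.0.113.119/32===203.0.113.117---203.0.113.119'
               '...198.51.100.101---198.51.100.233===198.51.100.101/32; erouted; eroute owner: #8')
ROUTES = """Destination     Gateway         Genmask         Flags Metric Ref Use Iface
198.51.100.101  203.0.113.119   255.255.255.255 UGH   0      0   0   eth2
203.0.113.112   0.0.0.0         255.255.255.240 U     0      0   0   eth2
0.0.0.0         192.0.2.1       0.0.0.0         UG    0      0   0   eth2"""

IP, NET = r'\d+(?:\.\d+){3}', r'\d+(?:\.\d+){3}/\d+'
# Openswan prints: thissubnet===thisgw---thisnexthop...peernexthop---peergw===peersubnet
EROUTE_RE = re.compile(rf'(?P<this_subnet>{NET})===(?P<this_gw>{IP})---(?P<this_nh>{IP})'
                       rf'\.\.\.(?P<peer_nh>{IP})---(?P<peer_gw>{IP})===(?P<peer_subnet>{NET})')

def parse_eroute(line):
    """Policy selectors (both subnets) and gateways from one status line."""
    m = EROUTE_RE.search(line)
    if not m:
        raise ValueError('no eroute in line')
    return {k: ipaddress.ip_network(v) if k.endswith('subnet') else ipaddress.ip_address(v)
            for k, v in m.groupdict().items()}

def parse_routes(text):
    """`route -n` output -> list of (network, gateway, iface); the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        dst, gw, mask, *_flags_metric_ref_use, iface = line.split()
        rows.append((ipaddress.ip_network(f'{dst}/{mask}'), gw, iface))
    return rows

def route_iface(routes, dst):
    """Longest-prefix match, the way the kernel picks the egress interface."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[2] if best else None

def check_flow(eroute, routes, src, dst, ipsec_iface='ipsec0'):
    """Findings for a src->dst packet leaving the gateway; an empty list means it gets encrypted."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    findings = []
    if src not in eroute['this_subnet'] or dst not in eroute['peer_subnet']:
        findings.append('outside selector')      # no SA covers the pair: forwarded in the clear
    iface = route_iface(routes, dst)
    if iface != ipsec_iface:
        findings.append(f'routed via {iface}')   # KLIPS only encrypts what is routed into ipsec0
    return findings
```

Run `check_flow(parse_eroute(STATUS_LINE), parse_routes(ROUTES), '203.0.113.119', '198.51.100.101')` to see why a packet that matches the selector can still leave in the clear when its route does not go through ipsec0.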