


  1. #1
    riva
    Guest

    VPN problem

    I am trying to set up a VPN between two companies. I installed freeswan 2.06 + ipsec-tools on Slackware 10.1 on the gateways of both companies, which have ADSL connections; no error occurred during installation.

    Below is the content of ipsec.conf on the two gateways and the content of /var/log/syslog and /var/log/secure.

    GATEWAY-A

    ipsec.conf file of gateway-A

    version 2.0
    config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

    conn %default
    keyingtries=0
    disablearrivalcheck=no
    esp=3des-md5-96
    authby=rsasig

    conn unidas
    type=tunnel
    left=100.100.100.100
    leftnexthop=100.100.100.101
    leftid=192.168.10.1
    leftsubnet=192.168.10.0/24
    leftfirewall=yes
    leftrsasigkey=0sAQOnDawgLTrz...
    right=200.200.200.200
    rightnexthop=200.200.200.201
    rightid=172.16.0.1
    rightsubnet=172.16.0.0/16
    rightrsasigkey=0sAQNWsAqEpAj...
    auto=add


    The output below occurs when the following command is run on one of the ends (gateways):
    # ipsec auto --up unidas

    root@sauron:/var/log# ipsec look
    sauron Fri Apr 22 14:32:46 BRT 2005
    ipsec0->eth0 mtu=16260(1500)->1500
    [email protected] ESP_3DES_HMAC_MD5: dir=in src=200.200.200.200 iv_bits=64bits iv=0x4fed1dffab779acc ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(25,0,0) refcount=4 ref=7
    [email protected] IPIP: dir=in src=200.200.200.200 policy=172.16.0.0/16->192.168.10.0/24 flags=0x8<> life(c,s,h)=addtime(25,0,0) refcount=4 ref=6
    Destination Gateway Genmask Flags MSS Window irtt Iface
    0.0.0.0 100.100.100.101 0.0.0.0 UG 0 0 0 eth0
    100.100.100.128 0.0.0.0 255.255.255.192 U 0 0 0 eth0
    100.100.100.128 0.0.0.0 255.255.255.192 U 0 0 0 ipsec0
    root@sauron:/var/log#

    And the output below is from before running (# ipsec auto --up unidas):

    root@sauron:/var/log# ipsec look
    sauron Fri Apr 22 14:49:21 BRT 2005
    ipsec0->eth0 mtu=16260(1500)->1500
    Destination Gateway Genmask Flags MSS Window irtt Iface
    0.0.0.0 100.100.100.101 0.0.0.0 UG 0 0 0 eth0
    100.100.100.128 0.0.0.0 255.255.255.192 U 0 0 0 eth0
    100.100.100.128 0.0.0.0 255.255.255.192 U 0 0 0 ipsec0
    root@sauron:/var/log#



    GATEWAY-B

    ipsec.conf file of gateway-B

    version 2.0
    config setup
    interfaces="ipsec0=eth0"
    klipsdebug=none
    plutodebug=none
    uniqueids=yes

    conn %default
    keyingtries=0
    disablearrivalcheck=no
    esp=3des-md5-96
    authby=rsasig

    conn unidas
    type=tunnel
    left=200.200.200.200
    leftnexthop=200.200.200.201
    leftid=172.16.0.1
    leftsubnet=172.16.0.0/16
    leftfirewall=yes
    leftrsasigkey=0sAQNWsAqEpAj...
    right=100.100.100.100
    rightnexthop=100.100.100.101
    rightid=192.168.10.1
    rightsubnet=192.168.10.0/24
    rightrsasigkey=0sAQOnDawgLTrz...
    auto=add




    root@hiei:/var/log# ipsec auto --up unidas
    104 "unidas" #1: STATE_MAIN_I1: initiate
    106 "unidas" #1: STATE_MAIN_I2: sent MI2, expecting MR2
    108 "unidas" #1: STATE_MAIN_I3: sent MI3, expecting MR3
    004 "unidas" #1: STATE_MAIN_I4: ISAKMP SA established
    112 "unidas" #2: STATE_QUICK_I1: initiate
    003 "unidas" #2: up-client command exited with status 127
    032 "unidas" #2: STATE_QUICK_I1: internal error
    003 "unidas" #2: up-client command exited with status 127
    032 "unidas" #2: STATE_QUICK_I1: internal error
    010 "unidas" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
    003 "unidas" #2: up-client command exited with status 127
    032 "unidas" #2: STATE_QUICK_I1: internal error
    010 "unidas" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
    031 "unidas" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    000 "unidas" #2: starting keying attempt 2 of an unlimited number, but releasing whack
    root@hiei:/var/log#

    The output below occurs when the following command is run on one of the ends (gateways):
    # ipsec auto --up unidas (as shown above)
    and then # ipsec look is run (as shown below)

    root@hiei:/var/log# ipsec look
    hiei Fri Apr 22 14:42:31 BRT 2005
    ipsec0->eth0 mtu=16260(1500)->1500
    [email protected] ESP_3DES_HMAC_MD5: dir=in src=100.100.100.100 iv_bits=64bits iv=0xa71dad7d94aa24a2 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(5,0,0) refcount=4 ref=85
    [email protected] IPIP: dir=in src=100.100.100.100 policy=192.168.10.0/24->172.16.0.0/16 flags=0x8<> life(c,s,h)=addtime(5,0,0) refcount=4 ref=84
    Destination Gateway Genmask Flags MSS Window irtt Iface
    0.0.0.0 200.200.200.201 0.0.0.0 UG 0 0 0 eth0
    200.200.200.128 0.0.0.0 255.255.255.192 U 0 0 0 eth0
    200.200.200.128 0.0.0.0 255.255.255.192 U 0 0 0 ipsec0
    root@hiei:/var/log#


    And the output below is from before running (# ipsec auto --up unidas):


    root@hiei:/var/log# ipsec look
    hiei Fri Apr 22 14:36:33 BRT 2005
    ipsec0->eth0 mtu=16260(1500)->1500
    Destination Gateway Genmask Flags MSS Window irtt Iface
    0.0.0.0 200.200.200.201 0.0.0.0 UG 0 0 0 eth0
    200.200.200.128 0.0.0.0 255.255.255.192 U 0 0 0 eth0
    200.200.200.128 0.0.0.0 255.255.255.192 U 0 0 0 ipsec0
    root@hiei:/var/log#


    Content of /var/log/secure
    Apr 22 14:18:38 hiei ipsec__plutorun: Starting Pluto subsystem...
    Apr 22 14:18:38 hiei pluto[25663]: Starting Pluto (FreeS/WAN Version 2.06 PLUTO_USES_KEYRR)
    Apr 22 14:18:38 hiei pluto[25663]: Using KLIPS IPsec interface code
    Apr 22 14:18:42 hiei pluto[25663]: added connection description "unidas"
    Apr 22 14:18:43 hiei pluto[25663]: listening for IKE messages
    Apr 22 14:18:43 hiei pluto[25663]: adding interface ipsec0/eth0 200.200.200.200
    Apr 22 14:18:43 hiei pluto[25663]: loading secrets from "/etc/ipsec.secrets"
    Apr 22 14:19:20 hiei pluto[25663]: attempt to redefine connection "unidas"
    Apr 22 14:19:31 hiei pluto[25663]: "unidas": deleting connection
    Apr 22 14:19:39 hiei pluto[25663]: added connection description "unidas"
    Apr 22 14:19:45 hiei pluto[25663]: "unidas" #1: initiating Main Mode
    Apr 22 14:19:46 hiei pluto[25663]: "unidas" #1: ISAKMP SA established
    Apr 22 14:19:46 hiei pluto[25663]: "unidas" #2: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP {using isakmp#1}
    Apr 22 14:19:46 hiei pluto[25663]: "unidas" #2: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:19:46 hiei pluto[25663]: "unidas" #2: up-client command exited with status 127
    Apr 22 14:19:56 hiei pluto[25663]: "unidas" #2: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:19:56 hiei pluto[25663]: "unidas" #2: up-client command exited with status 127
    Apr 22 14:20:15 hiei pluto[25663]: "unidas" #2: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:20:15 hiei pluto[25663]: "unidas" #2: up-client command exited with status 127
    Apr 22 14:20:56 hiei pluto[25663]: "unidas" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Apr 22 14:20:56 hiei pluto[25663]: "unidas" #2: starting keying attempt 2 of an unlimited number, but releasing whack
    Apr 22 14:20:56 hiei pluto[25663]: "unidas" #3: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP to replace #2 {using isakmp#1}
    Apr 22 14:20:57 hiei pluto[25663]: "unidas" #3: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:20:57 hiei pluto[25663]: "unidas" #3: up-client command exited with status 127
    Apr 22 14:21:07 hiei pluto[25663]: "unidas" #3: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:21:07 hiei pluto[25663]: "unidas" #3: up-client command exited with status 127
    Apr 22 14:21:26 hiei pluto[25663]: "unidas" #3: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:21:26 hiei pluto[25663]: "unidas" #3: up-client command exited with status 127
    Apr 22 14:22:06 hiei pluto[25663]: "unidas" #3: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Apr 22 14:22:06 hiei pluto[25663]: "unidas" #3: starting keying attempt 3 of an unlimited number
    Apr 22 14:22:06 hiei pluto[25663]: "unidas" #4: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP to replace #3 {using isakmp#1}
    Apr 22 14:22:07 hiei pluto[25663]: "unidas" #4: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:22:07 hiei pluto[25663]: "unidas" #4: up-client command exited with status 127
    Apr 22 14:22:17 hiei pluto[25663]: "unidas" #4: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:22:17 hiei pluto[25663]: "unidas" #4: up-client command exited with status 127
    Apr 22 14:22:36 hiei pluto[25663]: "unidas" #4: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:22:36 hiei pluto[25663]: "unidas" #4: up-client command exited with status 127
    Apr 22 14:23:16 hiei pluto[25663]: "unidas" #4: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Apr 22 14:23:16 hiei pluto[25663]: "unidas" #4: starting keying attempt 4 of an unlimited number
    Apr 22 14:23:16 hiei pluto[25663]: "unidas" #5: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP to replace #4 {using isakmp#1}
    Apr 22 14:23:17 hiei pluto[25663]: "unidas" #5: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:23:17 hiei pluto[25663]: "unidas" #5: up-client command exited with status 127
    Apr 22 14:23:26 hiei pluto[25663]: "unidas" #5: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:23:26 hiei pluto[25663]: "unidas" #5: up-client command exited with status 127
    Apr 22 14:23:46 hiei pluto[25663]: "unidas" #5: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:23:46 hiei pluto[25663]: "unidas" #5: up-client command exited with status 127
    Apr 22 14:24:10 hiei pluto[25663]: shutting down
    Apr 22 14:24:10 hiei pluto[25663]: forgetting secrets
    Apr 22 14:24:10 hiei pluto[25663]: "unidas": deleting connection
    Apr 22 14:24:10 hiei pluto[25663]: "unidas" #5: deleting state (STATE_QUICK_I1)
    Apr 22 14:24:10 hiei pluto[25663]: "unidas" #1: deleting state (STATE_MAIN_I4)
    Apr 22 14:24:10 hiei pluto[25663]: shutting down interface ipsec0/eth0 200.200.200.200
    Apr 22 14:24:18 hiei ipsec__plutorun: Starting Pluto subsystem...
    Apr 22 14:24:18 hiei pluto[26225]: Starting Pluto (FreeS/WAN Version 2.06 PLUTO_USES_KEYRR)
    Apr 22 14:24:18 hiei pluto[26225]: Using KLIPS IPsec interface code
    Apr 22 14:24:23 hiei pluto[26225]: added connection description "unidas"
    Apr 22 14:24:24 hiei pluto[26225]: listening for IKE messages
    Apr 22 14:24:24 hiei pluto[26225]: adding interface ipsec0/eth0 200.200.200.200
    Apr 22 14:24:24 hiei pluto[26225]: loading secrets from "/etc/ipsec.secrets"
    Apr 22 14:25:31 hiei pluto[26225]: attempt to redefine connection "unidas"
    Apr 22 14:25:41 hiei pluto[26225]: "unidas" #1: initiating Main Mode
    Apr 22 14:25:42 hiei pluto[26225]: "unidas" #1: ISAKMP SA established
    Apr 22 14:25:42 hiei pluto[26225]: "unidas" #2: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP {using isakmp#1}
    Apr 22 14:25:42 hiei pluto[26225]: "unidas" #2: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:25:42 hiei pluto[26225]: "unidas" #2: up-client command exited with status 127
    Apr 22 14:25:52 hiei pluto[26225]: "unidas" #2: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:25:52 hiei pluto[26225]: "unidas" #2: up-client command exited with status 127
    Apr 22 14:26:12 hiei pluto[26225]: "unidas" #2: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:26:12 hiei pluto[26225]: "unidas" #2: up-client command exited with status 127
    Apr 22 14:26:52 hiei pluto[26225]: "unidas" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    Apr 22 14:26:52 hiei pluto[26225]: "unidas" #2: starting keying attempt 2 of an unlimited number, but releasing whack
    Apr 22 14:26:52 hiei pluto[26225]: "unidas" #3: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP to replace #2 {using isakmp#1}
    Apr 22 14:26:53 hiei pluto[26225]: "unidas" #3: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:26:53 hiei pluto[26225]: "unidas" #3: up-client command exited with status 127
    Apr 22 14:27:03 hiei pluto[26225]: "unidas" #3: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:27:03 hiei pluto[26225]: "unidas" #3: up-client command exited with status 127
    Apr 22 14:27:23 hiei pluto[26225]: "unidas" #3: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
    Apr 22 14:27:23 hiei pluto[26225]: "unidas" #3: up-client command exited with status 127

    Content of the /var/log/syslog file

    Apr 22 14:18:35 hiei ipsec_setup: Starting FreeS/WAN IPsec 2.06...
    Apr 22 14:18:36 hiei ipsec_setup: Using /lib/modules/2.4.29/kernel/ipsec.o
    Apr 22 14:18:37 hiei ipsec_setup: KLIPS debug `none'
    Apr 22 14:18:37 hiei kernel:
    Apr 22 14:18:37 hiei ipsec_setup: KLIPS ipsec0 on eth0 200.200.200.200/255.255.255.193 broadcast 200.200.200.194
    Apr 22 14:18:38 hiei ipsec_setup: ...FreeS/WAN IPsec started
    Apr 22 14:18:39 hiei ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
    Apr 22 14:18:40 hiei ipsec__plutorun: ipsec_auto: fatal error in "block": %defaultroute requested but not known
    Apr 22 14:18:40 hiei ipsec__plutorun: ipsec_auto: fatal error in "clear-or-private": %defaultroute requested but not known
    Apr 22 14:18:41 hiei ipsec__plutorun: ipsec_auto: fatal error in "clear": %defaultroute requested but not known
    Apr 22 14:18:42 hiei ipsec__plutorun: ipsec_auto: fatal error in "private-or-clear": %defaultroute requested but not known
    Apr 22 14:18:43 hiei ipsec__plutorun: ipsec_auto: fatal error in "private": %defaultroute requested but not known
    Apr 22 14:18:43 hiei ipsec__plutorun: 021 no connection named "packetdefault"
    Apr 22 14:18:43 hiei ipsec__plutorun: ...could not route conn "packetdefault"
    Apr 22 14:18:43 hiei ipsec__plutorun: 021 no connection named "block"
    Apr 22 14:18:43 hiei ipsec__plutorun: ...could not route conn "block"
    Apr 22 14:18:43 hiei ipsec__plutorun: 021 no connection named "clear-or-private"
    Apr 22 14:18:43 hiei ipsec__plutorun: ...could not route conn "clear-or-private"
    Apr 22 14:18:44 hiei ipsec__plutorun: 021 no connection named "clear"
    Apr 22 14:18:44 hiei ipsec__plutorun: ...could not route conn "clear"
    Apr 22 14:18:44 hiei ipsec__plutorun: 021 no connection named "private-or-clear"
    Apr 22 14:18:44 hiei ipsec__plutorun: ...could not route conn "private-or-clear"
    Apr 22 14:18:44 hiei ipsec__plutorun: 021 no connection named "private"
    Apr 22 14:18:44 hiei ipsec__plutorun: ...could not route conn "private"
    Apr 22 14:24:10 hiei ipsec_setup: Stopping FreeS/WAN IPsec...
    Apr 22 14:24:11 hiei kernel: IPSEC EVENT: KLIPS device ipsec0 shut down.
    Apr 22 14:24:11 hiei kernel:
    Apr 22 14:24:11 hiei kernel:
    Apr 22 14:24:11 hiei ipsec_setup: ...FreeS/WAN IPsec stopped
    Apr 22 14:24:15 hiei ipsec_setup: Starting FreeS/WAN IPsec 2.06...
    Apr 22 14:24:17 hiei ipsec_setup: Using /lib/modules/2.4.29/kernel/ipsec.o
    Apr 22 14:24:17 hiei ipsec_setup: KLIPS debug `none'
    Apr 22 14:24:17 hiei kernel:
    Apr 22 14:24:17 hiei ipsec_setup: KLIPS ipsec0 on eth0 200.200.200.200/255.255.255.193 broadcast 200.200.200.194
    Apr 22 14:24:18 hiei ipsec_setup: ...FreeS/WAN IPsec started
    Apr 22 14:24:20 hiei ipsec__plutorun: ipsec_auto: fatal error in "packetdefault": %defaultroute requested but not known
    Apr 22 14:24:20 hiei ipsec__plutorun: ipsec_auto: fatal error in "block": %defaultroute requested but not known
    Apr 22 14:24:21 hiei ipsec__plutorun: ipsec_auto: fatal error in "clear-or-private": %defaultroute requested but not known
    Apr 22 14:24:22 hiei ipsec__plutorun: ipsec_auto: fatal error in "clear": %defaultroute requested but not known
    Apr 22 14:24:23 hiei ipsec__plutorun: ipsec_auto: fatal error in "private-or-clear": %defaultroute requested but not known
    Apr 22 14:24:24 hiei ipsec__plutorun: ipsec_auto: fatal error in "private": %defaultroute requested but not known
    Apr 22 14:24:24 hiei ipsec__plutorun: 021 no connection named "packetdefault"
    Apr 22 14:24:24 hiei ipsec__plutorun: ...could not route conn "packetdefault"
    Apr 22 14:24:24 hiei ipsec__plutorun: 021 no connection named "block"
    Apr 22 14:24:24 hiei ipsec__plutorun: ...could not route conn "block"
    Apr 22 14:24:24 hiei ipsec__plutorun: 021 no connection named "clear-or-private"
    Apr 22 14:24:24 hiei ipsec__plutorun: ...could not route conn "clear-or-private"
    Apr 22 14:24:25 hiei ipsec__plutorun: 021 no connection named "clear"
    Apr 22 14:24:25 hiei ipsec__plutorun: ...could not route conn "clear"
    Apr 22 14:24:25 hiei ipsec__plutorun: 021 no connection named "private-or-clear"
    Apr 22 14:24:25 hiei ipsec__plutorun: ...could not route conn "private-or-clear"
    Apr 22 14:24:25 hiei ipsec__plutorun: 021 no connection named "private"
    Apr 22 14:24:25 hiei ipsec__plutorun: ...could not route conn "private"
    Note 1: the syslog and secure messages on Gateway-A are the same as these from Gateway-B.
    Note 2: the workstations on both networks are WinXP.
    I cannot ping from a workstation on Network-A to a workstation on Network-B.
    If someone could take a look and try to see where I am going wrong.

    thanks for your attention,
    riva.
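    A log triage helper, added here as an illustration and not part of the original post: it parses pluto lines like those in the /var/log/secure excerpt above and separates the Phase 1 success (ISAKMP SA established) from the Phase 2 failure, where the _updown script run for the up-client event dies with `ipfwadm: command not found` (exit status 127 is the shell's code for a missing command). The sample lines are copied from the post; the regexes and the function names triage/verdict are my own.

```python
import re
from collections import Counter

# Constructed sample: pluto lines copied from the /var/log/secure excerpt in the post.
SAMPLE_LOG = """\
Apr 22 14:19:45 hiei pluto[25663]: "unidas" #1: initiating Main Mode
Apr 22 14:19:46 hiei pluto[25663]: "unidas" #1: ISAKMP SA established
Apr 22 14:19:46 hiei pluto[25663]: "unidas" #2: initiating Quick Mode RSASIG+ENCRYPT+PFS+UP {using isakmp#1}
Apr 22 14:19:46 hiei pluto[25663]: "unidas" #2: up-client output: /usr/local/lib/ipsec/_updown: line 250: ipfwadm: command not found
Apr 22 14:19:46 hiei pluto[25663]: "unidas" #2: up-client command exited with status 127
Apr 22 14:20:56 hiei pluto[25663]: "unidas" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# Pluto log shape: ... pluto[pid]: "conn" #state: message
PLUTO_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<state>\d+): (?P<msg>.*)$')
# _updown failure as the shell reports it: <script>: line <n>: <tool>: command not found
UPDOWN_RE = re.compile(r"up-client output: (?P<script>\S+): line (?P<line>\d+): (?P<tool>\S+): command not found")
EXIT_RE = re.compile(r"up-client command exited with status (?P<status>\d+)")


def triage(log_text):
    """Summarise IKE progress and _updown failures per connection from pluto log lines."""
    reports = {}
    for line in log_text.splitlines():
        m = PLUTO_RE.search(line)
        if not m:
            continue
        r = reports.setdefault(m.group("conn"), {
            "phase1_established": False, "quick_mode_started": False,
            "missing_tools": Counter(), "exit_statuses": Counter(), "quick_mode_timeouts": 0})
        msg = m.group("msg")
        u = UPDOWN_RE.search(msg)
        e = EXIT_RE.search(msg)
        if "ISAKMP SA established" in msg:
            r["phase1_established"] = True
        elif msg.startswith("initiating Quick Mode"):
            r["quick_mode_started"] = True
        elif u:
            r["missing_tools"][(u["tool"], u["script"], int(u["line"]))] += 1
        elif e:
            r["exit_statuses"][int(e["status"])] += 1
        elif "max number of retransmissions" in msg:
            r["quick_mode_timeouts"] += 1
    for r in reports.values():
        r["verdict"] = verdict(r)
    return reports


def verdict(r):
    """Turn the counters into the one-line diagnosis a responder would want."""
    if not r["phase1_established"]:
        return "Phase 1 (Main Mode) never completed: check addresses, IDs and RSA keys first"
    if r["missing_tools"]:
        tools = ", ".join(f"{tool} ({script} line {line})" for tool, script, line in r["missing_tools"])
        # The updown script aborts on a missing binary, so the SA is never made usable.
        return f"Phase 1 OK; Phase 2 blocked by the up-client script: missing tool(s) {tools}"
    if r["quick_mode_timeouts"]:
        return "Phase 1 OK; Quick Mode got no reply: check Phase 2 proposals and subnets on the peer"
    return "Tunnel negotiation looks healthy"
```

    Run against the full secure log with `triage(open("/var/log/secure").read())`; the verdict for "unidas" names ipfwadm at _updown line 250 as the blocker.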

  2. #2
    Guest

    VPN problem

    Disable the firewall on the RuinXP workstations