Sirs,
I have the following problem: I copied the packages freeswan-module-1.99_2.4.18_3-0
and freeswan-1.99_2.4.18_3-0 from the site www.freeswang.org (for RH7.3) in order to set up a VPN between two Speed Business links on two RH 7.3 servers with kernel 2.4.18-3. After installing the packages and configuring ipsec.conf, I cannot get
communication between the networks working.
Server and network data
server 1: eth0 200.x.x.21, eth1 192.168.0.10, internal network 192.168.0.10/255.255.0.0 - LEFT
server 2: eth0 200.x.x.179, eth1 192.168.1.10, internal network 192.168.1.0/255.255.255.0 - RIGHT
Both servers run an iptables firewall with MASQ, which was disabled with iptables -F and /etc/init.d/iptables stop
ipsec.conf configuration
config setup
	interfaces=%defaultroute
	klipsdebug=none
	plutodebug=none
	plutoload=%search
	plutostart=%search
	uniqueids=yes

conn %default
	keyingtries=0
	disablearrivalcheck=no
	authby=rsasig
	leftrsasigkey=%dnsondemand
	rightrsasigkey=%dnsondemand

conn sample
	left=200.x.x.211
	leftsubnet=192.168.0.1/24
	leftnexthop=200.x.x.193
	leftrsasigkey=1234
	right=200.x.x.179
	rightsubnet=192.168.1.0/24
	rightnexthop=200.x.x.129
	rightrsasigkey=5678
	auto=add
-----------------
I ran service ipsec start on server 1
response:
service ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 1.99...
ipsec_setup: Using /lib/modules/2.4.18-3/kernel/net/ipsec/ipsec.o
ipsec_setup: ipchains: Protocol not available -----> ???? (I don't understand this)
I use iptables
I ran service ipsec start on server 2
response:
service ipsec start
ipsec_setup: Starting FreeS/WAN IPsec 1.99...
ipsec_setup: Using /lib/modules/2.4.18-3/kernel/net/ipsec/ipsec.o
I ran ipsec auto --up sample on server 1
response:
ipsec auto --up sample
104 "sample" #1: STATE_MAIN_I1: initiate
106 "sample" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "sample" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "sample" #1: STATE_MAIN_I4: ISAKMP SA established
112 "sample" #2: STATE_QUICK_I1: initiate
004 "sample" #2: STATE_QUICK_I2: sent QI2, IPsec SA established
I ran ipsec auto --up sample on server 2
112 "sample" #3: STATE_QUICK_I1: initiate
004 "sample" #3: STATE_QUICK_I2: sent QI2, IPsec SA established
I ran ipsec look on server 1
response:
192.168.0.0/24 -> 192.168.1.0/24 => [email protected] [email protected] (0)
ipsec0->eth0 mtu=16260(1500)->1500
[email protected] ESP_3DES_HMAC_MD5: dir=in src=200.x.x.179 iv_bits=64bits iv=0x7966288086de620c ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(68,0,0)
[email protected] ESP_3DES_HMAC_MD5: dir=in src=200.x.x.179 iv_bits=64bits iv=0xbd6db2b593262bef ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(54,0,0)
[email protected] ESP_3DES_HMAC_MD5: dir=out src=200.x.x.211 iv_bits=64bits iv=0xe7fad5e32064a0b8 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(68,0,0)
[email protected] ESP_3DES_HMAC_MD5: dir=out src=200.x.x.211 iv_bits=64bits iv=0xf884df19604abbcb ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(54,0,0)
[email protected] IPIP: dir=in src=200.x.x.179 policy=192.168.1.0/24->192.168.0.0/24 flags=0x8<> life(c,s,h)=addtime(68,0,0)
[email protected] IPIP: dir=out src=200.x.x.211 life(c,s,h)=addtime(68,0,0)
[email protected] IPIP: dir=in src=200.x.x.179 policy=192.168.1.0/24->192.168.0.0/24 flags=0x8<> life(c,s,h)=addtime(54,0,0)
[email protected] IPIP: dir=out src=200.x.x.211 life(c,s,h)=addtime(54,0,0)
Destination     Gateway         Genmask          Flags MSS Window irtt Iface
0.0.0.0         200.x.x.193     0.0.0.0          UG    40  0      0    eth0
192.168.1.0     200.x.x.193     255.255.255.0    UG    40  0      0    ipsec0
200.x.x.192     0.0.0.0         255.255.255.192  U     40  0      0    eth0
200.x.x.192     0.0.0.0         255.255.255.192  U     40  0      0    ipsec0
I ran ipsec look on server 2
192.168.1.0/24 -> 192.168.0.0/24 => [email protected] [email protected] (0)
ipsec0->eth0 mtu=16260(1500)->1500
[email protected] ESP_3DES_HMAC_MD5: dir=out src=200.x.x.179 iv_bits=64bits iv=0x46518165804ad0ae ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(199,0,0)
[email protected] ESP_3DES_HMAC_MD5: dir=out src=200.x.x.179 iv_bits=64bits iv=0xe16e6c7828122b1c ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(184,0,0)
[email protected] ESP_3DES_HMAC_MD5: dir=in src=200.x.x.211 iv_bits=64bits iv=0xf7abf811dfc707fc ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(199,0,0)
[email protected] ESP_3DES_HMAC_MD5: dir=in src=200.x.x.211 iv_bits=64bits iv=0xde9c9f54d533ff0f ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(184,0,0)
[email protected] IPIP: dir=in src=200.x.x.211 policy=192.168.0.0/24->192.168.1.0/24 flags=0x8<> life(c,s,h)=addtime(199,0,0)
[email protected] IPIP: dir=out src=200.x.x.179 life(c,s,h)=addtime(199,0,0)
[email protected] IPIP: dir=in src=200.x.x.211 policy=192.168.0.0/24->192.168.1.0/24 flags=0x8<> life(c,s,h)=addtime(184,0,0)
[email protected] IPIP: dir=out src=200.x.x.179 life(c,s,h)=addtime(184,0,0)
Destination     Gateway         Genmask          Flags MSS Window irtt Iface
0.0.0.0         200.x.x.129     0.0.0.0          UG    40  0      0    eth0
192.168.0.0     200.x.x.129     255.255.255.0    UG    40  0      0    ipsec0
200.x.x.128     0.0.0.0         255.255.255.192  U     40  0      0    eth0
200.x.x.128     0.0.0.0         255.255.255.192  U     40  0      0    ipsec0
--------------------
ipsec verify on server 1
Checking your system to see if IPsec got installed and started correctly
Version check and ipsec on-path [OK]
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
Checking if IPchains has port 500 hole (all) ipchains: Protocol not available [BLOCKED]
Checking if IPchains has port 500 hole (default) ipchains: Protocol not available [BLOCKED]
Checking if IPchains has port 500 hole (eth0) ipchains: Protocol not available [BLOCKED]
Checking if IPchains has port 500 hole (eth1) ipchains: Protocol not available [BLOCKED]
Checking if IPchains has port 500 hole (ipsec0) ipchains: Protocol not available [BLOCKED]
Checking if IPchains has port 500 hole (lo) ipchains: Protocol not available [BLOCKED]
DNS checks.
Looking for forward key for servidor1.dominio1 [OK]
Does the machine have at least one non-private address [FAILED]
ipsec verify on server 2
Checking your system to see if IPsec got installed and started correctly
Version check and ipsec on-path [OK]
Checking for KLIPS support in kernel [OK]
Checking for RSA private key (/etc/ipsec.secrets) [OK]
Checking that pluto is running [OK]
DNS checks.
Looking for forward key for servidor2.dominio2 [OK]
Does the machine have at least one non-private address [FAILED]
I try a simple ping from server 1 to a workstation at the other end and get nothing (ping 192.168.1.23);
I cannot get effective communication.
Where am I going wrong?
Thanks in advance,
Darthv
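As an added example (not part of the original post and not FreeS/WAN's own code), below is a small Python checker for the ipsec.conf layout shown above. It parses the section / indented key=value format, merges conn %default into each connection, and flags the things worth checking before blaming the kernel: a subnet written with host bits set (the policy is installed for the network address, which is what ipsec look prints), a rsasigkey that is not the 0s... value printed by ipsec showhostkey, left/right subnets that overlap, and a conn in which neither left nor right is one of this host's addresses. The sample configuration, its RFC 5737 addresses and the local-address set are constructed for the example.

```python
"""Static sanity checks for a FreeS/WAN-style ipsec.conf.

Added example, not code from the original post or from FreeS/WAN.
"""
import ipaddress

# Constructed sample modelled on the post's configuration; the public addresses
# are RFC 5737 documentation ranges, not the poster's real ones.
SAMPLE_CONF = """\
config setup
    interfaces=%defaultroute
    klipsdebug=none

conn %default
    keyingtries=0
    authby=rsasig
    leftrsasigkey=%dnsondemand
    rightrsasigkey=%dnsondemand

conn sample
    left=198.51.100.211
    leftsubnet=192.168.0.1/24
    leftnexthop=198.51.100.193
    leftrsasigkey=1234
    right=203.0.113.179
    rightsubnet=192.168.1.0/24
    rightnexthop=203.0.113.129
    rightrsasigkey=5678
    auto=add
"""

# Magic values FreeS/WAN accepts in place of a literal public key.
KEY_MAGIC = {"%dns", "%dnsondemand", "%dnsonload", "%none"}


def parse_ipsec_conf(text):
    """Return {section: {key: value}}. A line at column 0 ('conn sample',
    'config setup') opens a section; indented key=value lines belong to it."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():
            current = " ".join(line.split())
            sections.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("parameter outside any section: %r" % raw)
        key, sep, value = line.strip().partition("=")
        if not sep:
            raise ValueError("malformed parameter line: %r" % raw)
        sections[current][key.strip()] = value.strip()
    return sections


def effective_conns(sections):
    """Merge 'conn %default' into every other conn; the conn's own values win."""
    default = sections.get("conn %default", {})
    conns = {}
    for name, params in sections.items():
        if name.startswith("conn ") and name != "conn %default":
            merged = dict(default)
            merged.update(params)
            conns[name[len("conn "):]] = merged
    return conns


def check_conn(name, p, local_addrs=None):
    """Return a list of findings for one merged connection (empty = clean)."""
    findings, nets = [], {}
    for side in ("left", "right"):
        sub = p.get(side + "subnet")
        if sub:
            try:
                net = ipaddress.ip_network(sub, strict=False)
            except ValueError:
                findings.append("%s: %ssubnet=%s is not a valid network" % (name, side, sub))
            else:
                nets[side] = net
                if sub.split("/")[0] != str(net.network_address):
                    findings.append("%s: %ssubnet=%s has host bits set; the network is %s, "
                                    "write it that way so the policy matches 'ipsec look'"
                                    % (name, side, sub, net))
        key = p.get(side + "rsasigkey", "")
        if p.get("authby") == "rsasig" and key not in KEY_MAGIC and not key.startswith("0s"):
            findings.append("%s: %srsasigkey=%s is not a FreeS/WAN public key "
                            "(use the 0s... value from 'ipsec showhostkey --%s')"
                            % (name, side, key, side))
    if len(nets) == 2 and nets["left"].overlaps(nets["right"]):
        findings.append("%s: leftsubnet %s and rightsubnet %s overlap"
                        % (name, nets["left"], nets["right"]))
    if p.get("left") and p.get("left") == p.get("right"):
        findings.append("%s: left and right are the same address" % name)
    # Optional: Pluto decides which end it is by matching left/right against
    # the host's own addresses; if neither matches, the conn cannot be used.
    if local_addrs is not None and not ({p.get("left"), p.get("right")} & set(local_addrs)):
        findings.append("%s: neither left nor right is an address of this host" % name)
    return findings


def audit(text, local_addrs=None):
    """Parse TEXT and return {conn_name: [findings]}."""
    conns = effective_conns(parse_ipsec_conf(text))
    return {n: check_conn(n, params, local_addrs) for n, params in conns.items()}


if __name__ == "__main__":
    # Assumed addresses of the host running the check (eth0 and eth1 of 'left').
    for conn, problems in audit(SAMPLE_CONF, {"198.51.100.211", "192.168.0.10"}).items():
        print("conn %s: %s" % (conn, "OK" if not problems else "%d finding(s)" % len(problems)))
        for item in problems:
            print("  -", item)
```

Run it against the real file with `audit(open("/etc/ipsec.conf").read(), {addresses of eth0 and eth1})`; the local-address set is what lets it catch a left= that does not match the interface the machine actually has.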