[ pisac @ 26.05.2013. 13:35 ]
The IPSEC tunnel works, but after one of the hosts (B) is restarted, the connection to it is down and cannot be established until it initiates a connection to the first one (A), which was not restarted. This is probably because the first one, which was not restarted (A), fails to realize that the connection is dead and persistently sends through the dead tunnel. If both are restarted, both start from scratch and then there are no such problems. These are Ubuntu/Debian servers. Shared secret, 3DES/SHA1.

Here it is explained a bit better:

IPSEC connection (A)<-->(B) established.

I ping (A) --> (B), successfully. "setkey -D" on both servers shows two connections (i.e. a bidirectional connection).

I restart (B); pinging is no longer successful, packets arrive via the ESP protocol at (B) over the old connection, but it does not react because a new connection needs to be made. "setkey -D" on (A) still shows two connections (i.e. a bidirectional connection), while on (B) it shows nothing.

This lasts until I ping (B) --> (A), and then the connection is established immediately (in both directions). The consequence is that "setkey -D" no longer shows 2 connections but 4, on both servers. But at least the connection works.

I tried adding the parameter "dpd_delay 30;" but that did not help.

Now, there is one detail. That is how it works between two Linuxes, but with Windows it works much better! Windows, either immediately or within a few minutes, still manages to "break through" the connection to the Linux that was restarted, and the IPSEC tunnel starts working! Here is what happens when I restart the Linux and Windows persistently tries to ping through the tunnel. The logs are from the Linux. From 5:11 the connection is dead; around 5:17 something starts which, a minute later, leads to a new connection being established. This happens only when Windows is on the other side; if it is also Linux, nothing happens after 5:11 no matter how long we wait.
May 26 05:11:30 ubuntu1004srv64 racoon: ERROR: libipsec failed pfkey check (Invalid SA type)
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: Resize address pool from 0 to 255
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: 127.0.0.1[500] used for NAT-T
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: 172.22.99.11[500] used as isakmp port (fd=8)
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: 172.22.99.11[500] used for NAT-T
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: 192.168.46.1[500] used as isakmp port (fd=9)
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: 192.168.46.1[500] used for NAT-T
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: ::1[500] used as isakmp port (fd=10)
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: fe80::a00:27ff:febb:4aa0%eth0[500] used as isakmp port (fd=11)
May 26 05:17:44 ubuntu1004srv64 racoon: ERROR: unknown Informational exchange received.
May 26 05:17:46 ubuntu1004srv64 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, ee75ac0c51123927:28c46f9af0a58878:0000ca3b
May 26 05:18:49 ubuntu1004srv64 racoon: last message repeated 5 times
May 26 05:18:49 ubuntu1004srv64 racoon: ERROR: unknown Informational exchange received.
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: respond new phase 1 negotiation: 172.22.99.11[500]<=>172.22.99.203[500]
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: begin Identity Protection mode.
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: received Vendor ID: FRAGMENTATION
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: ISAKMP-SA established 172.22.99.11[500]-172.22.99.203[500] spi:2fdeb1068300f149:285a0183353e1af2
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: respond new phase 2 negotiation: 172.22.99.11[500]<=>172.22.99.203[500]
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: IPsec-SA established: ESP/Tunnel 172.22.99.203[0]->172.22.99.11[0] spi=245838148(0xea73144)
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: IPsec-SA established: ESP/Tunnel 172.22.99.11[500]->172.22.99.203[500] spi=3303174592(0xc4e271c0)

Here is what tcpdump looks like on the Linux:

05:16:26.147949 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1cd), length 92
05:16:31.155130 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1ce), length 92
05:16:36.162528 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1cf), length 92
05:16:41.169727 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d0), length 92
05:16:46.177161 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d1), length 92
05:16:51.184472 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d2), length 92
05:16:56.191724 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d3), length 92
05:17:01.198522 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d4), length 92
05:17:06.205508 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d5), length 92
05:17:11.213604 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d6), length 92
05:17:16.220096 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d7), length 92
05:17:21.227344 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d8), length 92
05:17:26.234552 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d9), length 92
05:17:31.242159 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1da), length 92
05:17:36.250241 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1db), length 92
05:17:41.260447 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1dc), length 92
05:17:44.873691 ARP, Request who-has 172.22.99.11 tell 172.22.99.203, length 46
05:17:44.873713 ARP, Reply 172.22.99.11 is-at 08:00:27:bb:4a:a0 (oui Unknown), length 28
05:17:44.873974 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I inf[E]
05:17:46.266898 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I oakley-quick[E]
05:17:46.267196 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 2/others R inf
05:17:47.757712 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I oakley-quick[E]
05:17:47.757896 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 2/others R inf
05:17:49.760741 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I oakley-quick[E]
05:17:49.760878 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 2/others R inf
05:17:51.257296 ARP, Request who-has 172.22.99.203 tell 172.22.99.11, length 28
05:17:51.257579 ARP, Reply 172.22.99.203 is-at 08:00:27:e1:83:26 (oui Unknown), length 46
05:17:53.766155 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I oakley-quick[E]
05:17:53.766349 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 2/others R inf
05:18:01.778768 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I oakley-quick[E]
05:18:01.778906 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 2/others R inf
05:18:04.923026 IP 172.22.99.203.netbios-dgm > 172.22.99.255.netbios-dgm: NBT UDP PACKET(138)
05:18:17.800770 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I oakley-quick[E]
05:18:17.800949 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 2/others R inf
05:18:22.797336 ARP, Request who-has 172.22.99.203 tell 172.22.99.11, length 28
05:18:22.797625 ARP, Reply 172.22.99.203 is-at 08:00:27:e1:83:26 (oui Unknown), length 46
05:18:49.848109 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I inf[E]
05:18:49.849188 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 1 I ident
05:18:49.849448 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 1 R ident
05:18:49.858978 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 1 I ident
05:18:49.860096 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 1 R ident
05:18:49.863877 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 1 I ident[E]
05:18:49.863997 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 1 R ident[E]
05:18:49.864104 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 2/others R inf[E]
05:18:49.864891 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I oakley-quick[E]
05:18:49.865141 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 2/others R oakley-quick[E]
05:18:49.865629 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I oakley-quick[E]
05:18:49.865634 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x1), length 92
05:18:49.866844 ARP, Request who-has 172.22.99.203 tell 172.22.99.1, length 46
05:18:51.357946 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x2), length 92
05:18:51.358050 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x1), length 92
05:18:52.359367 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x3), length 92
05:18:52.359443 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x2), length 92
05:18:53.360439 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x4), length 92
05:18:53.360515 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x3), length 92
05:18:54.362667 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x5), length 92
05:18:54.362750 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x4), length 92
05:18:54.847252 ARP, Request who-has 172.22.99.203 tell 172.22.99.11, length 28
05:18:54.847591 ARP, Reply 172.22.99.203 is-at 08:00:27:e1:83:26 (oui Unknown), length 46
05:18:55.309813 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x6), length 92
05:18:55.309899 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x5), length 92
05:18:56.341680 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x7), length 92
05:18:56.341763 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x6), length 92
05:18:57.366518 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x8), length 92
05:18:57.366604 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x7), length 92
05:18:58.367942 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x9), length 92
05:18:58.368019 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x8), length 92
05:18:59.369470 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0xa), length 92

[This message was edited by pisac on 26.05.2013 at 14:47 GMT+1]
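The symptom in the capture above (one peer keeps sending ESP on an old SPI for minutes, nothing ever comes back, then a fresh SPI pair appears once IKE renegotiates) can be spotted automatically from tcpdump output. The following Python script is an added example, not code from the post or from ipsec-tools: it parses tcpdump ESP lines in the format shown above, groups packets by (src, dst, SPI) and flags any flow that ran for at least a threshold of seconds without a single ESP packet flowing back the other way during its lifetime, which is exactly what peer A sees after peer B reboots and loses its SAD. The 30-second threshold is an assumption; the sample input is a shortened copy of the capture in the post, with an ARP line and an ISAKMP line left in to show that non-ESP traffic is skipped.

```python
import re
from collections import OrderedDict

# Matches the ESP lines tcpdump prints in the capture above, e.g.
# 05:16:26.147949 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1cd), length 92
ESP_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=(?P<spi>0x[0-9a-fA-F]+),seq=(?P<seq>0x[0-9a-fA-F]+)\), length (?P<len>\d+)$"
)


def parse_esp(line):
    """Return (seconds_since_midnight, src, dst, spi, seq) for an ESP line, else None."""
    m = ESP_RE.match(line.strip())
    if not m:
        return None
    h, mnt, s = m.group("ts").split(":")
    ts = int(h) * 3600 + int(mnt) * 60 + float(s)
    return ts, m.group("src"), m.group("dst"), int(m.group("spi"), 16), int(m.group("seq"), 16)


def collect_flows(lines):
    """Group ESP packets by (src, dst, spi); keep first/last timestamp and packet count."""
    flows = OrderedDict()
    for line in lines:
        rec = parse_esp(line)
        if rec is None:
            continue  # ARP, ISAKMP, NetBIOS etc. are not ESP payload traffic
        ts, src, dst, spi, _seq = rec
        f = flows.setdefault((src, dst, spi), {"first": ts, "last": ts, "count": 0})
        f["last"] = ts
        f["count"] += 1
    return flows


def find_stale_sas(lines, stale_after=30.0):
    """
    Report flows that carried packets for at least `stale_after` seconds (assumed
    threshold) while no ESP packet travelled from dst back to src in that window.
    A live tunnel answering pings shows two overlapping SPIs, one per direction;
    a one-way flow means the far end no longer has an SA for this SPI.
    """
    flows = collect_flows(lines)
    stale = []
    for (src, dst, spi), f in flows.items():
        reverse_seen = any(
            rsrc == dst and rdst == src
            and rf["first"] <= f["last"] and rf["last"] >= f["first"]  # lifetimes overlap
            for (rsrc, rdst, _rspi), rf in flows.items()
        )
        duration = f["last"] - f["first"]
        if not reverse_seen and duration >= stale_after:
            stale.append({"src": src, "dst": dst, "spi": spi,
                          "packets": f["count"], "seconds": round(duration, 3)})
    return stale


# Shortened copy of the tcpdump capture from the post above (constructed sample input).
SAMPLE = """\
05:16:26.147949 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1cd), length 92
05:16:31.155130 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1ce), length 92
05:17:41.260447 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1dc), length 92
05:17:44.873691 ARP, Request who-has 172.22.99.11 tell 172.22.99.203, length 46
05:17:46.266898 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I oakley-quick[E]
05:18:49.865634 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x1), length 92
05:18:51.357946 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x2), length 92
05:18:51.358050 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x1), length 92
05:18:52.359367 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x3), length 92
05:18:52.359443 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x2), length 92
"""

if __name__ == "__main__":
    for entry in find_stale_sas(SAMPLE.splitlines()):
        print("stale SA: %s -> %s spi=0x%08x, %d packets over %.3fs with no reply"
              % (entry["src"], entry["dst"], entry["spi"], entry["packets"], entry["seconds"]))
```

Fed the full capture from the post, the only flow reported is spi=0x09b8e703 from 172.22.99.203 to 172.22.99.11; the 0x0ea73144/0xc4e271c0 pair negotiated at 05:18:49 overlaps in both directions and is treated as live. The threshold has to be set above the tunnel's normal idle gap, otherwise a quiet but healthy SA is reported too. When the analyzer does fire on the peer that was not rebooted, one manual recovery is to flush that peer's SAD with `setkey -F` (the SPD stays in place), so the next outbound packet that matches the policy makes racoon negotiate new SAs instead of encrypting into the dead SPI.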