FreeBSD (VPN) IPSEC+Racoon via Netgear router?

Hello everyone,

I am trying to set up a VPN connection over the Internet.
I followed the example at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/ipsec.html.
Of course I did not do it exactly that way. But the actual problem is a different one.
I have two Netgear hardware routers that also support port forwarding for IPSEC.

The Netgear routers have the following internal IPs; port forwarding for IPSEC is configured!
server1.domain network = 192.168.0.10
server2.domain network = 192.168.1.10

Now my configuration and my log file:
a.b.c.d = public IP of server1.domain
e.f.g.h = public IP of server2.domain

tunnel.sh
#!/bin/sh
# Both ends of the tunnel: public (outer) IPs, private (inner) IPs and the LANs behind them.
BSD1_PUB_IP="a.b.c.d"
BSD1_PRI_IP="192.168.0.1"
BSD1_NET="192.168.0.0/24"
BSD2_PUB_IP="e.f.g.h"
BSD2_PRI_IP="192.168.1.1"
BSD2_NET="192.168.1.0/24"
HOSTNAME=`/bin/hostname`
NETMASK="netmask 255.255.255.0"
echo "\nStarting ipsec tunnel..."
# Select the local side of the tunnel by hostname.
case $HOSTNAME in
server1.domain)
    # gif0: outer endpoints are the public IPs, inner addresses the private ones.
    /sbin/ifconfig gif0 create tunnel $BSD1_PUB_IP $BSD2_PUB_IP
    /sbin/ifconfig gif0 inet $BSD1_PRI_IP $BSD2_PRI_IP $NETMASK
    # Flush the security policy database (-FP) and the SA database (-F),
    # then load the ESP tunnel policies for both directions from stdin (-c).
    /usr/sbin/setkey -FP
    /usr/sbin/setkey -F
    /usr/sbin/setkey -c << EOF
spdadd $BSD1_NET $BSD2_NET any -P out ipsec esp/tunnel/${BSD1_PUB_IP}-${BSD2_PUB_IP}/require;
spdadd $BSD2_NET $BSD1_NET any -P in ipsec esp/tunnel/${BSD2_PUB_IP}-${BSD1_PUB_IP}/require;
EOF
    # Route the remote LAN via the local tunnel address.
    /sbin/route add $BSD2_NET $BSD1_PRI_IP
    ;;
server2.domain)
    # Mirror image of the server1 branch.
    /sbin/ifconfig gif0 create tunnel $BSD2_PUB_IP $BSD1_PUB_IP
    /sbin/ifconfig gif0 inet $BSD2_PRI_IP $BSD1_PRI_IP $NETMASK
    /usr/sbin/setkey -FP
    /usr/sbin/setkey -F
    /usr/sbin/setkey -c << EOF
spdadd $BSD2_NET $BSD1_NET any -P out ipsec esp/tunnel/${BSD2_PUB_IP}-${BSD1_PUB_IP}/require;
spdadd $BSD1_NET $BSD2_NET any -P in ipsec esp/tunnel/${BSD1_PUB_IP}-${BSD2_PUB_IP}/require;
EOF
    /sbin/route add $BSD1_NET $BSD2_PRI_IP
    ;;
esac


Kernel
# VPN
options IPSEC #IP security
options IPSEC_ESP #IP security (crypto; define w/ IPSEC)
options IPSEC_DEBUG #debug for IP security

/usr/local/etc/racoon/racoon.conf
path include "/usr/local/etc/racoon" ;
path pre_shared_key "/usr/local/etc/racoon/psk.txt" ;

log debug;

padding
{
maximum_length 20; # maximum padding length.
randomize off; # enable randomize length.
strict_check off; # enable strict check.
exclusive_tail off; # extract last one octet.
}

listen
{
#isakmp ::1 [7000];
#isakmp 202.249.11.124 [500];
#isakmp 62.138.175.130 [500];
#admin [7002]; # administrative's port by kmpstat.
#strict_address; # required all addresses must be bound.
}

# Specification of default various timer.
timer
{
# These value can be changed per remote node.
counter 5; # maximum trying count to send.
interval 20 sec; # maximum interval to resend.
persend 1; # the number of packets per a send.

# timer for waiting to complete each phase.
phase1 30 sec;
phase2 15 sec;
}

remote anonymous
{
exchange_mode main,aggressive;
nonce_size 16;
lifetime time 10 min; # sec,min,hour
initial_contact on;
support_mip6 on;
proposal_check obey; # obey, strict or claim

proposal {
encryption_algorithm 3des;
hash_algorithm md5;
authentication_method pre_shared_key ;
dh_group 2 ;
}
}

sainfo anonymous
{
pfs_group 1;
lifetime time 10 min;
encryption_algorithm 3des ;
authentication_algorithm hmac_md5;
compression_algorithm deflate ;
}

/usr/local/etc/racoon/psk.txt
# IPv4/v6 addresses
a.b.c.d passwort
e.f.g.h passwort


SERVER2 LOG /usr/local/etc/racoon/racoon.log
2005-02-12 18:06:50: INFO: main.c:172:main(): @(#)package version freebsd-20040818a
2005-02-12 18:06:50: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net
2005-02-12 18:06:50: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2005-02-12 18:06:50: WARNING: cftoken.l:514:yywarn(): /usr/local/etc/racoon/racoon.conf:42: "support_mip6" it is obsoleted. use "support_proxy".
2005-02-12 18:06:50: DEBUG: algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024)
2005-02-12 18:06:50: DEBUG: pfkey.c:2379:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2005-02-12 18:06:50: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: 192.168.0.1 (sis0)
2005-02-12 18:06:50: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: fe80::20a:e6ff:fed8:b55d%sis0 (sis0)
2005-02-12 18:06:50: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: 127.0.0.1 (lo0)
2005-02-12 18:06:50: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: ::1 (lo0)
2005-02-12 18:06:50: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: fe80::1%lo0 (lo0)
2005-02-12 18:06:50: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: 192.168.0.1 (gif0)
2005-02-12 18:06:50: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: fe80::20a:e6ff:fed8:b55d%gif0 (gif0)
2005-02-12 18:06:50: DEBUG: grabmyaddr.c:474:autoconf_myaddrsport(): configuring default isakmp port.
2005-02-12 18:06:50: DEBUG: grabmyaddr.c:496:autoconf_myaddrsport(): 7 addrs are configured successfully
2005-02-12 18:06:50: INFO: isakmp.c:1368:isakmp_open(): fe80::20a:e6ff:fed8:b55d%gif0[500] used as isakmp port (fd=5)
2005-02-12 18:06:50: INFO: isakmp.c:1368:isakmp_open(): 192.168.0.1[500] used as isakmp port (fd=6)
2005-02-12 18:06:50: INFO: isakmp.c:1368:isakmp_open(): fe80::1%lo0[500] used as isakmp port (fd=7)
2005-02-12 18:06:50: INFO: isakmp.c:1368:isakmp_open(): ::1[500] used as isakmp port (fd=8)
2005-02-12 18:06:50: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=9)
2005-02-12 18:06:50: INFO: isakmp.c:1368:isakmp_open(): fe80::20a:e6ff:fed8:b55d%sis0[500] used as isakmp port (fd=10)
2005-02-12 18:06:50: ERROR: isakmp.c:1360:isakmp_open(): failed to bind (Address already in use).
2005-02-12 18:06:50: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message
2005-02-12 18:06:50: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message
2005-02-12 18:06:50: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfe9a0: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
2005-02-12 18:06:50: DEBUG: policy.c:185:cmpspidxstrict(): db :0x809dc08: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
2005-02-12 18:09:16: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2005-02-12 18:09:16: DEBUG: pfkey.c:1620:pk_recvacquire(): suitable outbound SP found: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out.
2005-02-12 18:09:16: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfe980: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
2005-02-12 18:09:16: DEBUG: policy.c:185:cmpspidxstrict(): db :0x809dc08: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
2005-02-12 18:09:16: DEBUG: pfkey.c:1636:pk_recvacquire(): suitable inbound SP found: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in.
2005-02-12 18:09:16: DEBUG: pfkey.c:1675:pk_recvacquire(): new acquire 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
2005-02-12 18:09:16: DEBUG: sainfo.c:112:getsainfo(): anonymous sainfo selected.
2005-02-12 18:09:16: DEBUG: proposal.c:828:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2005-02-12 18:09:16: DEBUG: proposal.c:862:printsatrns(): (trns_id=3DES encklen=0 authtype=hmac-md5)
2005-02-12 18:09:16: DEBUG: remoteconf.c:129:getrmconf(): anonymous configuration selected for e.f.g.h.
2005-02-12 18:09:16: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for e.f.g.h queued due to no phase1 found.
2005-02-12 18:09:16: DEBUG: isakmp.c:803:isakmp_ph1begin_i(): ===
2005-02-12 18:09:16: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: a.b.c.d[500]<=>e.f.g.h[500]
2005-02-12 18:09:16: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Identity Protection mode.
2005-02-12 18:09:16: DEBUG: isakmp.c:2006:isakmp_newcookie(): new cookie:
12c9409f2f59e8ff
2005-02-12 18:09:16: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 48, next type 1
2005-02-12 18:09:16: DEBUG: sockmisc.c:421:sendfromto(): sockname 127.0.0.1[500]
2005-02-12 18:09:16: DEBUG: sockmisc.c:423:sendfromto(): send packet from a.b.c.d[500]
2005-02-12 18:09:16: DEBUG: sockmisc.c:425:sendfromto(): send packet to e.f.g.h[500]
2005-02-12 18:09:16: ERROR: sockmisc.c:553:sendfromto(): bind 1 (Can't assign requested address)
2005-02-12 18:09:16: ERROR: isakmp.c:1427:isakmp_send(): sendfromto failed
2005-02-12 18:09:16: ERROR: pfkey.c:1724:pk_recvacquire(): failed to begin ipsec sa negotication.
2005-02-12 18:09:43: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2005-02-12 18:09:43: DEBUG: pfkey.c:1620:pk_recvacquire(): suitable outbound SP found: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out.
2005-02-12 18:09:43: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfe980: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
2005-02-12 18:09:43: DEBUG: policy.c:185:cmpspidxstrict(): db :0x809dc08: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in
2005-02-12 18:09:43: DEBUG: pfkey.c:1636:pk_recvacquire(): suitable inbound SP found: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=in.
2005-02-12 18:09:43: DEBUG: pfkey.c:1675:pk_recvacquire(): new acquire 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=out
2005-02-12 18:09:43: DEBUG: sainfo.c:112:getsainfo(): anonymous sainfo selected.
2005-02-12 18:09:43: DEBUG: proposal.c:828:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2005-02-12 18:09:43: DEBUG: proposal.c:862:printsatrns(): (trns_id=3DES encklen=0 authtype=hmac-md5)
2005-02-12 18:09:43: DEBUG: remoteconf.c:129:getrmconf(): anonymous configuration selected for e.f.g.h.
2005-02-12 18:09:43: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for e.f.g.h queued due to no phase1 found.
2005-02-12 18:09:43: DEBUG: isakmp.c:803:isakmp_ph1begin_i(): ===
2005-02-12 18:09:43: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: a.b.c.d[500]<=>e.f.g.h[500]
2005-02-12 18:09:43: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Identity Protection mode.

SERVER1 LOG /usr/local/etc/racoon/racoon.log
2005-02-12 18:06:48: INFO: main.c:172:main(): @(#)package version freebsd-20040818a
2005-02-12 18:06:48: INFO: main.c:174:main(): @(#)internal version 20001216 sakane@kame.net
2005-02-12 18:06:48: INFO: main.c:175:main(): @(#)This product linked OpenSSL 0.9.7d 17 Mar 2004 (http://www.openssl.org/)
2005-02-12 18:06:48: WARNING: cftoken.l:514:yywarn(): /usr/local/etc/racoon/racoon.conf:42: "support_mip6" it is obsoleted. use "support_proxy".
2005-02-12 18:06:48: DEBUG: algorithm.c:614:alg_oakley_dhdef(): hmac(modp1024)
2005-02-12 18:06:48: DEBUG: pfkey.c:2379:pk_checkalg(): compression algorithm can not be checked because sadb message doesn't support it.
2005-02-12 18:06:48: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: 192.168.1.1 (sis0)
2005-02-12 18:06:48: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: fe80::2d0:9ff:feec:2c3a%sis0 (sis0)
2005-02-12 18:06:48: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: 127.0.0.1 (lo0)
2005-02-12 18:06:48: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: ::1 (lo0)
2005-02-12 18:06:48: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: fe80::1%lo0 (lo0)
2005-02-12 18:06:48: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: 192.168.1.1 (gif0)
2005-02-12 18:06:48: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: fe80::2d0:9ff:feec:2c3a%gif0 (gif0)
2005-02-12 18:06:48: DEBUG: grabmyaddr.c:474:autoconf_myaddrsport(): configuring default isakmp port.
2005-02-12 18:06:48: DEBUG: grabmyaddr.c:496:autoconf_myaddrsport(): 7 addrs are configured successfully
2005-02-12 18:06:48: INFO: isakmp.c:1368:isakmp_open(): fe80::2d0:9ff:feec:2c3a%gif0[500] used as isakmp port (fd=5)
2005-02-12 18:06:48: INFO: isakmp.c:1368:isakmp_open(): 192.168.1.1[500] used as isakmp port (fd=6)
2005-02-12 18:06:48: INFO: isakmp.c:1368:isakmp_open(): fe80::1%lo0[500] used as isakmp port (fd=7)
2005-02-12 18:06:48: INFO: isakmp.c:1368:isakmp_open(): ::1[500] used as isakmp port (fd=8)
2005-02-12 18:06:48: INFO: isakmp.c:1368:isakmp_open(): 127.0.0.1[500] used as isakmp port (fd=9)
2005-02-12 18:06:48: INFO: isakmp.c:1368:isakmp_open(): fe80::2d0:9ff:feec:2c3a%sis0[500] used as isakmp port (fd=10)
2005-02-12 18:06:48: ERROR: isakmp.c:1360:isakmp_open(): failed to bind (Address already in use).
2005-02-12 18:06:48: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message
2005-02-12 18:06:48: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey X_SPDDUMP message
2005-02-12 18:06:48: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfe9a0: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=out
2005-02-12 18:06:48: DEBUG: policy.c:185:cmpspidxstrict(): db :0x809dc08: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2005-02-12 18:09:35: DEBUG: grabmyaddr.c:444:update_myaddrs(): msg 1 not interesting
2005-02-12 18:10:39: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2005-02-12 18:10:39: DEBUG: pfkey.c:1620:pk_recvacquire(): suitable outbound SP found: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=out.
2005-02-12 18:10:39: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfe980: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2005-02-12 18:10:39: DEBUG: policy.c:185:cmpspidxstrict(): db :0x809dc08: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2005-02-12 18:10:39: DEBUG: pfkey.c:1636:pk_recvacquire(): suitable inbound SP found: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=in.
2005-02-12 18:10:39: DEBUG: pfkey.c:1675:pk_recvacquire(): new acquire 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=out
2005-02-12 18:10:39: DEBUG: sainfo.c:112:getsainfo(): anonymous sainfo selected.
2005-02-12 18:10:39: DEBUG: proposal.c:828:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2005-02-12 18:10:39: DEBUG: proposal.c:862:printsatrns(): (trns_id=3DES encklen=0 authtype=hmac-md5)
2005-02-12 18:10:39: DEBUG: remoteconf.c:129:getrmconf(): anonymous configuration selected for a.b.c.d.
2005-02-12 18:10:39: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for a.b.c.d queued due to no phase1 found.
2005-02-12 18:10:39: DEBUG: isakmp.c:803:isakmp_ph1begin_i(): ===
2005-02-12 18:10:39: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: e.f.g.h[500]<=>a.b.c.d[500]
2005-02-12 18:10:39: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Identity Protection mode.
2005-02-12 18:10:39: DEBUG: isakmp.c:2006:isakmp_newcookie(): new cookie:
34af17afe135f1fb
2005-02-12 18:10:39: DEBUG: isakmp.c:2130:set_isakmp_payload_c(): add payload of len 48, next type 1
2005-02-12 18:10:39: DEBUG: sockmisc.c:421:sendfromto(): sockname 127.0.0.1[500]
2005-02-12 18:10:39: DEBUG: sockmisc.c:423:sendfromto(): send packet from e.f.g.h[500]
2005-02-12 18:10:39: DEBUG: sockmisc.c:425:sendfromto(): send packet to a.b.c.d[500]
2005-02-12 18:10:39: ERROR: sockmisc.c:553:sendfromto(): bind 1 (Can't assign requested address)
2005-02-12 18:10:39: ERROR: isakmp.c:1427:isakmp_send(): sendfromto failed
2005-02-12 18:10:39: ERROR: pfkey.c:1724:pk_recvacquire(): failed to begin ipsec sa negotication.
2005-02-12 18:10:51: DEBUG: pfkey.c:197:pfkey_handler(): get pfkey ACQUIRE message
2005-02-12 18:10:51: DEBUG: pfkey.c:1620:pk_recvacquire(): suitable outbound SP found: 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=out.
2005-02-12 18:10:51: DEBUG: policy.c:184:cmpspidxstrict(): sub:0xbfbfe980: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2005-02-12 18:10:51: DEBUG: policy.c:185:cmpspidxstrict(): db :0x809dc08: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=in
2005-02-12 18:10:51: DEBUG: pfkey.c:1636:pk_recvacquire(): suitable inbound SP found: 192.168.0.0/24[0] 192.168.1.0/24[0] proto=any dir=in.
2005-02-12 18:10:51: DEBUG: pfkey.c:1675:pk_recvacquire(): new acquire 192.168.1.0/24[0] 192.168.0.0/24[0] proto=any dir=out
2005-02-12 18:10:51: DEBUG: sainfo.c:112:getsainfo(): anonymous sainfo selected.
2005-02-12 18:10:51: DEBUG: proposal.c:828:printsaproto(): (proto_id=ESP spisize=4 spi=00000000 spi_p=00000000 encmode=Tunnel reqid=0:0)
2005-02-12 18:10:51: DEBUG: proposal.c:862:printsatrns(): (trns_id=3DES encklen=0 authtype=hmac-md5)
2005-02-12 18:10:51: DEBUG: remoteconf.c:129:getrmconf(): anonymous configuration selected for a.b.c.d.
2005-02-12 18:10:51: INFO: isakmp.c:1694:isakmp_post_acquire(): IPsec-SA request for a.b.c.d queued due to no phase1 found.
2005-02-12 18:10:51: DEBUG: isakmp.c:803:isakmp_ph1begin_i(): ===
2005-02-12 18:10:51: INFO: isakmp.c:808:isakmp_ph1begin_i(): initiate new phase 1 negotiation: e.f.g.h[500]<=>a.b.c.d[500]
2005-02-12 18:10:51: INFO: isakmp.c:813:isakmp_ph1begin_i(): begin Identity Protection mode.

I would be grateful for any help!!!
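The two errors in the logs above can be checked mechanically. The following Python script is an added example, not part of the original post: it reads a racoon debug log in the format shown, collects the addresses racoon reported as local (`my interface`), and flags a `send packet from` address that is not among them (the `Can't assign requested address` failure) as well as an address bound on more than one interface (the `Address already in use` failure). The log excerpt embedded in the script is constructed from the lines above; `a.b.c.d` and `e.f.g.h` are the post's placeholders for the public IPs.

```python
import re

# Constructed excerpt in the format of the racoon.log shown in the post (a.b.c.d / e.f.g.h are the post's placeholder public IPs).
SAMPLE_LOG = """\
2005-02-12 18:06:50: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: 192.168.0.1 (sis0)
2005-02-12 18:06:50: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: 127.0.0.1 (lo0)
2005-02-12 18:06:50: DEBUG: grabmyaddr.c:206:grab_myaddrs(): my interface: 192.168.0.1 (gif0)
2005-02-12 18:06:50: INFO: isakmp.c:1368:isakmp_open(): 192.168.0.1[500] used as isakmp port (fd=6)
2005-02-12 18:06:50: ERROR: isakmp.c:1360:isakmp_open(): failed to bind (Address already in use).
2005-02-12 18:09:16: DEBUG: sockmisc.c:423:sendfromto(): send packet from a.b.c.d[500]
2005-02-12 18:09:16: DEBUG: sockmisc.c:425:sendfromto(): send packet to e.f.g.h[500]
2005-02-12 18:09:16: ERROR: sockmisc.c:553:sendfromto(): bind 1 (Can't assign requested address)
"""

MY_IF_RE = re.compile(r"grab_myaddrs\(\): my interface: (\S+) \((\w+)\)")
SEND_FROM_RE = re.compile(r"sendfromto\(\): send packet from (\S+)\[\d+\]")
SRC_BIND_FAIL_RE = re.compile(r"sendfromto\(\): bind \d+ \(Can't assign requested address\)")
DUP_BIND_RE = re.compile(r"isakmp_open\(\): failed to bind \(Address already in use\)")

def analyze_racoon_log(text):
    """Return (kind, detail) findings for the two failures visible in the post's log:
    duplicate_address - an address on several interfaces, so the second bind of
        port 500 fails with 'Address already in use';
    non_local_source  - ISAKMP sent from an address the host does not own (here the
        public IP held by the NAT router), so bind() fails with 'Can't assign
        requested address' and phase 1 never leaves the box."""
    local = {}          # address -> set of interfaces it was reported on
    findings = []
    pending_src = None  # source of the most recent 'send packet from' line
    for line in text.splitlines():
        m_if = MY_IF_RE.search(line)
        m_src = SEND_FROM_RE.search(line)
        if m_if:
            local.setdefault(m_if.group(1), set()).add(m_if.group(2))
        elif DUP_BIND_RE.search(line):
            dups = {a: sorted(ifs) for a, ifs in local.items() if len(ifs) > 1}
            if dups:
                findings.append(("duplicate_address", dups))
        elif m_src:
            pending_src = m_src.group(1)
        elif SRC_BIND_FAIL_RE.search(line) and pending_src is not None:
            if pending_src not in local:
                findings.append(("non_local_source", pending_src))
            pending_src = None
    return findings

if __name__ == "__main__":
    for kind, detail in analyze_racoon_log(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

Run against a real racoon.log with `log debug` enabled, an empty result means neither of these two address problems is present and the search has to move on to the NAT router or the peer.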