With a netstat -rn, something should show up under Encap, but for me unfortunately nothing does. What could be the reason?
---- from before
hello everyone,
I'm in the process of setting up 2 VPN gateways on OpenBSD 3.6
automatic encryption with X509 certificates, but now I'm stuck
I configured everything on both gateways according to various docs and started it up
isakmpd -d -DA=99 gives the output listed at the end, which repeats over and over in a similar way and which, in my opinion, also seems to be fine.
unfortunately I get no traffic through the tunnel
do I have to add special routes for IPsec traffic?
how can I display the kernel SAs, if there are any?
do I have to configure enc0 specially, or is a simple ifconfig enc0 up enough
or is something in the following output not OK after all
tcpdump -x gives something along these lines
11:30:57.568541 x.x.x.x.65369 > y.y.y.y.isakmp: isakmp v1.0 exchange ID_PROT
cookie: 7de3562ccddf7998->0000000000000000 msgid: 00000000 len: 168
4500 00c4 f290 0000 3c11 fa3a d5eb f232
d5eb f353 ff59 01f4 00b0 846c 7de3 562c
cddf 7998 0000 0000 0000 0000 0110 0200
0000 0000 0000 00a8 0d00 003c 0000 0001
0000 0001 0000 0030 0101 0001 0000 0028
0001
in isakmpd.pcap it looks like this
11:41:01.566828 y.y.y.y.isakmp > x.x.x.x.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: fba7d90b4f0d09b8->b79998ec6af2b53d msgid: 00000000 len: 168
payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
payload: TRANSFORM len: 40
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = MD5
attribute AUTHENTICATION_METHOD = RSA_SIG
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 60
attribute LIFE_TYPE = KILOBYTES
attribute LIFE_DURATION = 1000
payload: VENDOR len: 20 (supports v1 NAT-T, draft-ietf-ipsec-nat-t-ike-00)
payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1)
11:41:12.579445 x.x.x.x.isakmp > y.y.y.y.isakmp: [udp sum ok] isakmp v1.0 exchange ID_PROT
cookie: fba7d90b4f0d09b8->b79998ec6af2b53d msgid: 00000000 len: 168
payload: SA len: 60 DOI: 1(IPSEC) situation: IDENTITY_ONLY
payload: PROPOSAL len: 48 proposal: 1 proto: ISAKMP spisz: 0 xforms: 1
payload: TRANSFORM len: 40
transform: 0 ID: ISAKMP
attribute ENCRYPTION_ALGORITHM = 3DES_CBC
attribute HASH_ALGORITHM = MD5
attribute AUTHENTICATION_METHOD = RSA_SIG
attribute GROUP_DESCRIPTION = MODP_1024
attribute LIFE_TYPE = SECONDS
attribute LIFE_DURATION = 60
attribute LIFE_TYPE = KILOBYTES
attribute LIFE_DURATION = 1000
payload: VENDOR len: 20 (supports v1 NAT-T, draft-ietf-ipsec-nat-t-ike-00)
payload: VENDOR len: 20 (supports v2 NAT-T, draft-ietf-ipsec-nat-t-ike-02)
payload: VENDOR len: 20 (supports v3 NAT-T, draft-ietf-ipsec-nat-t-ike-03)
payload: VENDOR len: 20 (supports DPD v1.0) [ttl 0] (id 1)
827.574859 Exch 90 exchange_validate: checking for required SA
105827.574899 Cryp 60 hash_get: requested algorithm 0
105827.574939 Negt 30 message_negotiate_sa: transform 0 proto 1 proposal 1 ok
105827.574980 Mesg 20 message_free: freeing 0x3c06b680
105827.575020 Trpt 95 transport_release: transport 0x3c06c3c0 had 1 references
105827.575060 Trpt 70 transport_release: freeing 0x3c06c3c0
105827.575098 Trpt 90 udp_remove: removed transport 0x3c06c600
105827.575139 Trpt 90 udp_remove: removed transport 0x3c06c5c0
105827.575179 Trpt 90 virtual_remove: removed 0x3c06c3c0
105827.575218 SA 80 sa_release: SA 0x3c141300 had 6 references
105827.575259 Trpt 95 transport_reference: transport 0x3c06c080 now has 2 references
105827.575299 Trpt 95 transport_reference: transport 0x3c06c080 now has 3 references
105827.575327 Trpt 95 transport_reference: transport 0x3c06c400 now has 3 references
105827.575335 Trpt 95 transport_reference: transport 0x3c06c400 now has 4 references
105827.575343 Trpt 95 transport_reference: transport 0x3c06c280 now has 2 references
105827.575350 Trpt 95 transport_reference: transport 0x3c06c280 now has 3 references
105827.575357 Trpt 95 transport_reference: transport 0x3c1eddc0 now has 2 references
105827.575364 Trpt 95 transport_reference: transport 0x3c1eddc0 now has 3 references
105827.575371 Trpt 95 transport_release: transport 0x3c06c080 had 3 references
105827.575378 Trpt 95 transport_release: transport 0x3c06c080 had 2 references
105827.575385 Trpt 95 transport_release: transport 0x3c06c400 had 4 references
105827.575391 Trpt 95 transport_release: transport 0x3c06c400 had 3 references
105827.575398 Trpt 95 transport_release: transport 0x3c06c280 had 3 references
105827.575405 Trpt 95 transport_release: transport 0x3c06c280 had 2 references
105827.575412 Trpt 95 transport_release: transport 0x3c1eddc0 had 3 references
105827.575445 Trpt 95 transport_release: transport 0x3c1eddc0 had 2 references
105827.575456 Trpt 95 transport_fd_set: transport 0x3c1edfc0 (virtual 0x3c1eddc0) fd 10
105827.575463 Trpt 95 transport_fd_set: transport 0x3c1edf80 (virtual 0x3c1eddc0) fd 9
105833.485334 Timr 10 timer_handle_expirations: event connection_checker(0x3c1ebd30)
105833.485450 Misc 95 conf_get_str: configuration value not found [General]:check-interval
105833.485508 Timr 10 timer_add_event: event connection_checker(0x3c1ebd30) added before exchange_free_aux(0x3c141600), expiration in 60s
105833.485563 SA 90 sa_find: no SA matched query
105833.485623 Sdep 70 pf_key_v2_connection_check: SA for IPsec-Conn-infoGW-dmzGW missing
105833.485681 Misc 95 conf_get_str: [IPsec-Conn-infoGW-dmzGW]:Phase->2
105833.485734 Exch 90 exchange_lookup_by_name: IPsec-Conn-infoGW-dmzGW == ISAKMP-peer-dmzGW && 2 == 1?
105833.485800 Exch 90 exchange_lookup_by_name: IPsec-Conn-infoGW-dmzGW == ISAKMP-peer-dmzGW && 2 == 1?
105833.485855 Misc 95 conf_get_str: [IPsec-Conn-infoGW-dmzGW]:ISAKMP-peer->ISAKMP-peer-dmzGW
105833.485904 SA 90 sa_find: no SA matched query
105833.485962 Misc 95 conf_get_str: [ISAKMP-peer-dmzGW]:Phase->1
105833.486025 Misc 95 conf_get_str: [ISAKMP-peer-dmzGW]:Phase->1
105833.486067 Exch 90 exchange_lookup_by_name: ISAKMP-peer-dmzGW == ISAKMP-peer-dmzGW && 1 == 1?
105833.486110 Exch 40 exchange_establish: ISAKMP-peer-dmzGW exchange already exists as 0x3c141000
105833.486164 Exch 90 exchange_lookup_by_name: ISAKMP-peer-dmzGW == ISAKMP-peer-dmzGW && 1 == 1?
105833.486211 Trpt 95 transport_fd_set: transport 0x3c1edfc0 (virtual 0x3c1eddc0) fd 10
105833.486252 Trpt 95 transport_fd_set: transport 0x3c1edf80 (virtual 0x3c1eddc0) fd 9
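An added example, not from the post above and not isakmpd code: a small Python scanner over constructed lines in the isakmpd -d -DA=99 format quoted above. It pairs each "SA for ... missing" report from the connection checker with the "exchange already exists" message for that connection's ISAKMP peer; seen together on every checker tick, they say Phase 1 has not completed, so no Phase 2 SA was ever handed to the kernel, which is the first thing to verify when a tunnel passes no traffic. The function names and the sample log are my own.

```python
import re
from collections import Counter

# Constructed sample in the format of isakmpd -d -DA=99 debug output
# (timestamp, debug class, level, function: message); not the poster's full log.
SAMPLE_LOG = """\
105833.485623 Sdep 70 pf_key_v2_connection_check: SA for IPsec-Conn-infoGW-dmzGW missing
105833.485855 Misc 95 conf_get_str: [IPsec-Conn-infoGW-dmzGW]:ISAKMP-peer->ISAKMP-peer-dmzGW
105833.486110 Exch 40 exchange_establish: ISAKMP-peer-dmzGW exchange already exists as 0x3c141000
105893.485334 Timr 10 timer_handle_expirations: event connection_checker(0x3c1ebd30)
105893.485623 Sdep 70 pf_key_v2_connection_check: SA for IPsec-Conn-infoGW-dmzGW missing
105893.486110 Exch 40 exchange_establish: ISAKMP-peer-dmzGW exchange already exists as 0x3c141000
"""

LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<cls>\w+)\s+(?P<lvl>\d+)\s+(?P<func>\w+):\s*(?P<msg>.*)$")
MISSING_RE = re.compile(r"SA for (?P<conn>\S+) missing")
PEER_RE = re.compile(r"\[(?P<conn>[^\]]+)\]:ISAKMP-peer->(?P<peer>\S+)")
PENDING_RE = re.compile(r"(?P<peer>\S+) exchange already exists as 0x[0-9a-f]+")

def parse_lines(text):
    """Yield one dict per well-formed isakmpd debug line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def diagnose(text):
    """Per Phase 2 connection: how often the kernel SA was missing, and how often the
    Phase 1 exchange to its peer was still pending when isakmpd tried to (re)start it."""
    missing = Counter()  # connection -> 'SA ... missing' reports (one per checker tick)
    peer_of = {}         # connection -> its ISAKMP-peer section
    pending = Counter()  # peer -> 'exchange already exists' reports (Phase 1 unfinished)
    for rec in parse_lines(text):
        if rec["func"] == "pf_key_v2_connection_check" and (m := MISSING_RE.search(rec["msg"])):
            missing[m["conn"]] += 1
        elif rec["func"] == "conf_get_str" and (m := PEER_RE.search(rec["msg"])):
            peer_of[m["conn"]] = m["peer"]
        elif rec["func"] == "exchange_establish" and (m := PENDING_RE.search(rec["msg"])):
            pending[m["peer"]] += 1
    report = {}
    for conn, n in missing.items():
        peer = peer_of.get(conn)
        stuck = pending.get(peer, 0)
        if stuck:
            verdict = "Phase 1 with %s never completes, so no Phase 2 SA reaches the kernel" % peer
        else:
            verdict = "Phase 2 SA missing although no Phase 1 exchange is pending"
        report[conn] = {"peer": peer, "phase2_sa_missing": n,
                        "phase1_pending": stuck, "verdict": verdict}
    return report
```

Run it as `diagnose(open("isakmpd.log").read())` against a real debug log; a connection whose counts both climb by one per check-interval is the stalled-Phase-1 pattern.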