Makson
-
Posts
5 -
Joined
-
Last visited
Content Type
Profiles
Forums
Gallery
Downloads
Blogs
Events
Posts posted by Makson
-
-
Спасибо, сходим
-
[I] Nov 23 14:03:24 ipsec: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.0, Linux 4.9-ndm-5, mips)
[I] Nov 23 14:03:24 ipsec: 00[CFG] loading secrets
[I] Nov 23 14:03:24 ipsec: 00[CFG] loaded IKE secret for 31.132.209.49 82.116.X.X
[I] Nov 23 14:03:24 ipsec: 00[CFG] loaded 1 RADIUS server configuration
[I] Nov 23 14:03:24 ipsec: 00[CFG] starting system time check, interval: 10s
[I] Nov 23 14:03:24 ipsec: 00[LIB] loaded plugins: charon ndm-pem random save-keys nonce x509 pubkey openssl xcbc cmac hmac ctr attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-peap xauth-generic xauth-eap error-notify systime-fix unity counters
[I] Nov 23 14:03:24 ipsec: 00[LIB] dropped capabilities, running as uid 65534, gid 65534
[I] Nov 23 14:03:24 ipsec: 05[CFG] received stroke: add connection 'vpn_tunnel_to_msk'
[I] Nov 23 14:03:24 ipsec: 05[CFG] added configuration 'vpn_tunnel_to_msk'
[I] Nov 23 14:03:42 ipsec: 05[IKE] received NAT-T (RFC 3947) vendor ID
[I] Nov 23 14:03:42 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
[I] Nov 23 14:03:42 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
[I] Nov 23 14:03:42 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
[I] Nov 23 14:03:42 ipsec: 05[IKE] 82.116.X.X is initiating a Main Mode IKE_SA
[I] Nov 23 14:03:42 ipsec: 05[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Nov 23 14:03:42 ipsec: 05[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
[I] Nov 23 14:03:42 ipsec: 05[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
[I] Nov 23 14:03:42 ipsec: 05[IKE] sending DPD vendor ID
[I] Nov 23 14:03:42 ipsec: 05[IKE] sending NAT-T (RFC 3947) vendor ID
[I] Nov 23 14:03:52 ipsec: 06[IKE] received retransmit of request with ID 0, retransmitting response
[I] Nov 23 14:04:12 ipsec: Core::Syslog: last message repeated 2 times.
[I] Nov 23 14:04:12 ipsec: 05[JOB] deleting half open IKE_SA with 82.116.X.X after timeout
[I] Nov 23 14:04:13 ndm: UPnP::Service: "System": redirect rule added: tcp FastEthernet0/Vlan2:17000 -> 192.168.10.63:6036.
[I] Nov 23 14:04:13 ndm: UPnP::Service: "System": forward rule added: tcp FastEthernet0/Vlan2 -> 192.168.10.63:6036.
[I] Nov 23 14:04:22 ipsec: 07[IKE] received NAT-T (RFC 3947) vendor ID
[I] Nov 23 14:04:22 ipsec: 07[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
[I] Nov 23 14:04:22 ipsec: 07[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
[I] Nov 23 14:04:22 ipsec: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
[I] Nov 23 14:04:22 ipsec: 07[IKE] 82.116.X.X is initiating a Main Mode IKE_SA
[I] Nov 23 14:04:22 ipsec: 07[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Nov 23 14:04:22 ipsec: 07[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
[I] Nov 23 14:04:22 ipsec: 07[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
[I] Nov 23 14:04:22 ipsec: 07[IKE] sending DPD vendor ID
[I] Nov 23 14:04:22 ipsec: 07[IKE] sending NAT-T (RFC 3947) vendor ID
[I] Nov 23 14:04:32 ipsec: 07[IKE] received retransmit of request with ID 0, retransmitting response
[I] Nov 23 14:04:52 ipsec: 09[JOB] deleting half open IKE_SA with 82.116.X.X after timeout
[I] Nov 23 14:05:21 ipsec: 07[IKE] received NAT-T (RFC 3947) vendor ID
[I] Nov 23 14:05:21 ipsec: 07[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
[I] Nov 23 14:05:21 ipsec: 07[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
[I] Nov 23 14:05:21 ipsec: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
[I] Nov 23 14:05:21 ipsec: 07[IKE] 82.116.X.X is initiating a Main Mode IKE_SA
[I] Nov 23 14:05:21 ipsec: 07[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Nov 23 14:05:21 ipsec: 07[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
[I] Nov 23 14:05:21 ipsec: 07[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
[I] Nov 23 14:05:21 ipsec: 07[IKE] sending DPD vendor ID
[I] Nov 23 14:05:21 ipsec: 07[IKE] sending NAT-T (RFC 3947) vendor ID
[I] Nov 23 14:05:31 ipsec: 06[IKE] received retransmit of request with ID 0, retransmitting response
-
Со стороны другого оборудования:
Nov 23 11:11:59.894: ISAKMP:(0): beginning Main Mode exchange
Nov 23 11:11:59.894: ISAKMP:(0): sending packet to 31.132.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 23 11:11:59.894: ISAKMP:(0):Sending an IKE IPv4 Packet.
atmservice#
Nov 23 11:12:06.046: ISAKMP (2756): received packet from 31.132.x.x dport 4500 sport 4500 Global (R) QM_IDLE
Получается:
cisco ему шлет запрос на порт 500 а он отвечает с 4500, поскольку за NAT находится -
Доброго всем времени суток. Роутер EXTRA - Установленная версия 3.8.7
Прошу помощи в нескольких вопросах:1. Нужно ли открывать и как правильно открыть порты и протоколы для IPSec туннеля. 500, 4500? Это в политиках файрволла, в политиках NAT? В NAT попробовал сделать правило на разрешение ICMP - работает.
2. На wan порте по DHCP от провайдера получает устройство ip серый 10.174.5.17, но провайдер выдал и белый ip 31.132.X.X и при обращении на него - мы попадаем на keenetic, работает проброс 80, 443, 3389 итд.
Выкладываю настройки туннеля. Не работает.
с другой стороны Zywal 310, на нем десяток туннелей с разным оборудованием, все норм. не пойму куда тут копать.
настройка ipsec vpn tunnel
in Обсуждение IPsec, OpenVPN и других туннелей
Posted
спасибо, понимаю