Hero 4g IPSec/Gre c Allied Telesys

[Ilya_]

Добрый день, подскажите, возможно ли указать свой crypto map для Gre интерфейса?

2 роутера с белыми IP, просто Gre(без IPSec) создается без проблем, IPSec не проходит 3я часть первой фазы

Конфиг на кинетике:

!
interface Gre0
    rename AAA.AAA.AAA.AAA
    security-level private
    debug
    ip address 172.16.1.10 255.255.255.252
    ip mtu 1500
    ipsec preshared-key ns3 YFcbJO6J6Bn+Yj8iux1phU+f
    ipsec encryption-level high
    ipsec ikev2
    tunnel source UsbQmi0
    tunnel destination BBB.BBB.BBB.BBB
    up
!

Лог на нем же:

I [Dec 13 13:48:03] ipsec: Starting strongSwan 5.8.0 IPsec [starter]...
I [Dec 13 13:48:03] ipsec: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.0, Linux 4.9-ndm-4, mips)
I [Dec 13 13:48:05] ipsec: 00[CFG] loading secrets
I [Dec 13 13:48:05] ipsec: 00[CFG]   loaded IKE secret for cmap:Gre0
I [Dec 13 13:48:05] ipsec: 00[CFG] loaded 1 RADIUS server configuration
I [Dec 13 13:48:05] ipsec: 00[CFG] starting system time check, interval: 10s
I [Dec 13 13:48:05] ipsec: 00[LIB] loaded plugins: charon ndm-pem random save-keys nonce x509 pubkey openssl xcbc cmac hmac ctr attr kernel-netlink resolve socket-
                    default stroke updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-peap xauth-generic xauth-eap error-notify systime-fix unity
I [Dec 13 13:48:05] ipsec: 00[LIB] dropped capabilities, running as uid 65534, gid 65534
I [Dec 13 13:48:05] ipsec: 03[CFG] received stroke: add connection 'Gre0'
I [Dec 13 13:48:05] ipsec: 03[CFG] added configuration 'Gre0'
I [Dec 13 13:48:05] ipsec: 11[CFG] received stroke: initiate 'Gre0'
I [Dec 13 13:48:05] ipsec: 11[IKE] initiating IKE_SA Gre0[1] to BBB.BBB.BBB.BBB
I [Dec 13 13:48:05] ipsec: 14[IKE] peer didn't accept DH group MODP_1024, it requested MODP_2048
I [Dec 13 13:48:05] ipsec: 14[IKE] initiating IKE_SA Gre0[1] to BBB.BBB.BBB.BBB
I [Dec 13 13:48:06] ipsec: 15[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
I [Dec 13 13:48:06] ipsec: 15[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
                    IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
                    IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384,
                    IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
                    IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
I [Dec 13 13:48:06] ipsec: 15[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
I [Dec 13 13:48:06] ipsec: 15[IKE] found linked key for crypto map 'Gre0'
I [Dec 13 13:48:06] ipsec: 15[IKE] establishing CHILD_SA Gre0{1}
I [Dec 13 13:48:07] ipsec: 10[IKE] received AUTHENTICATION_FAILED notify error
E [Dec 13 13:48:07] ndm: IpSec::Configurator: remote peer rejects to authenticate our crypto map "Gre0".
W [Dec 13 13:48:07] ndm: IpSec::Configurator: (possibly because of wrong local/remote ID).
I [Dec 13 13:48:07] ndm: IpSec::CryptoMapInfo: "Gre0": crypto map active IKE SA: 0, active CHILD SA: 0.
W [Dec 13 13:48:07] ndm: IpSec::Configurator: fallback peer is not defined for crypto map "Gre0", retry.
I [Dec 13 13:48:07] ndm: IpSec::Configurator: "Gre0": schedule reconnect for crypto map.
I [Dec 13 13:48:07] ndm: Network::Interface::SecureIpTunnel: "Gre0": IPsec layer is down, shutdown tunnel layer.
I [Dec 13 13:48:07] ndm: Network::Interface::SecureIpTunnel: "Gre0": secured tunnel is down.
I [Dec 13 13:48:07] ndm: IpSec::Manager: "Gre0": IP secure connection and keys was deleted.
E [Dec 13 13:48:07] ndm: IpSec::Configurator: general error while establishing crypto map "Gre0" connection.
I [Dec 13 13:48:07] ndm: IpSec::CryptoMapInfo: "Gre0": crypto map active IKE SA: 0, active CHILD SA: 0.
W [Dec 13 13:48:07] ndm: IpSec::Configurator: fallback peer is not defined for crypto map "Gre0", retry.
I [Dec 13 13:48:07] ndm: Network::Interface::SecureIpTunnel: "Gre0": IPsec layer is down, shutdown tunnel layer.

 

Зачем он подключает правила Radius? Как я понимаю, он пытается завершить авторизацию по сертификату

Лог с другой стороны:

13:32:22 srv IPSEC: 06[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]
13:32:22 srv IPSEC: 06[ENC] received fragment #3 of 3, reassembled fragmented IKE message (2876 bytes)
13:32:22 srv IPSEC: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 41:f3:8f:66:50:fe:15:ff:4e:24:29:2d:c7:67:19:c4:4b:c8:1e:cd
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid c3:2e:e6:fd:16:60:3b:f5:d0:5f:fb:85:1d:41:46:ce:16:31:9d:6e
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid ba:b7:43:e0:ed:c7:1e:72:8a:31:ad:da:65:7b:b9:4c:ca:63:ee:07
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 0f:73:b7:ce:46:fb:89:05:4b:02:97:75:95:97:58:1f:bb:22:59:f5
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 99:9b:76:54:0b:4a:9c:7a:35:ca:8f:0f:2e:aa:74:7a:0f:ae:c5:6e
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid ca:0f:ad:e1:ca:f3:73:79:25:69:a5:b2:b6:29:ab:63:0a:bc:7a:1c
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 98:46:5e:8d:55:f2:bb:69:0c:d1:e6:c5:b0:81:2e:f2:fe:f2:38:a3
.
.
.
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid a7:e9:c8:0c:8c:4b:56:d6:37:fa:9e:0d:6c:69:58:1d:32:4e:91:c0
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 52:2c:46:fc:ee:2e:a4:be:b5:f1:01:a3:9d:d2:16:ba:d8:85:8e:b5
13:32:22 srv IPSEC: 06[IKE] received 129 cert requests for an unknown ca
13:32:22 srv IPSEC: 06[CFG] looking for peer configs matching BBB.BBB.BBB.BBB[Gre0]...AAA.AAA.AAA.AAA[Gre0]
13:32:22 srv IPSEC: 06[CFG] no matching peer config found
13:32:22 srv IPSEC: peer authentication failed
13:32:22 srv IPSEC: 06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
13:32:22 srv IPSEC: 06[NET] sending packet: from BBB.BBB.BBB.BBB[500] to AAA.AAA.AAA.AAA[500] (76 bytes)
13:32:22 srv IPSEC: 04[NET] sending packet: from BBB.BBB.BBB.BBB[500] to AAA.AAA.AAA.AAA[500]
13:32:22 srv IPSEC: 06[IKE] removing IP address AAA.AAA.AAA.AAA for peer Gre0
13:32:22 srv IPSEC: 06[MGR] checkin and destroy IKE_SA (unnamed)[3106]
13:32:22 srv IPSEC: 06[IKE] IKE_SA (unnamed)[3106] state change: CONNECTING => DESTROYING
13:32:22 srv IPSEC: 06[MGR] checkin and destroy of IKE_SA successful

Edited December 13, 2021 by Ilya_

[Ilya_]

Еще вопрос, как добавить в кинетик свой сертификат для авторизации ikev2?

или указать не использовать сертификат, а только по логин-паролю

 

13:32:22 srv IPSEC: 06[IKE] received 129 cert requests for an unknown ca
13:32:22 srv IPSEC: 06[CFG] looking for peer configs matching BBB.BBB.BBB.BBB[Gre0]...AAA.AAA.AAA.AAA[Gre0]
13:32:22 srv IPSEC: 06[CFG] no matching peer config found
13:32:22 srv IPSEC: peer authentication failed
13:32:22 srv IPSEC: 06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Edited December 13, 2021 by Ilya_

[Le ecureuil]

Зачем вы пытаетесь именно IKEv2 использовать?

[Ilya_]

Ikev2 , т.к все остальные туннели на нем и раз у кинетика заявлена поддержка IPsec с Ikev2, решил на нем тоже тунель сделать. Но тут что то не по плану пошло. Я так понимаю надо заставить кинетик принимать мой сертификат, или отключить его использование, но у gre не редактируется криптомап 

пс: и производительность устраивает

Edited December 13, 2021 by Ilya_

[Le ecureuil]

Попробуйте все же без IKEv2. Там есть еще тонкость в том, что для IKEv2 ID на другой стороне туннеля должен быть такой же, как название интерфейса в Keenetic. То есть у вас Gre0, значит ID local и ID remote в AT должны быть тоже Gre0.

[Ilya_]

Без ikev2 работает, id пробовал указывать, но перепроверю ещё раз. Спасибо