Hero 4G IPsec/GRE with Allied Telesis



Good afternoon. Could you tell me whether it is possible to specify my own crypto map for a GRE interface?

Two routers with public IPs. Plain GRE (without IPsec) comes up without problems, but IPsec does not get past the third part of the first phase.

Config on the Keenetic:

!
interface Gre0
    rename AAA.AAA.AAA.AAA
    security-level private
    debug
    ip address 172.16.1.10 255.255.255.252
    ip mtu 1500
    ipsec preshared-key ns3 YFcbJO6J6Bn+Yj8iux1phU+f
    ipsec encryption-level high
    ipsec ikev2
    tunnel source UsbQmi0
    tunnel destination BBB.BBB.BBB.BBB
    up
!

Log on the same device:

I [Dec 13 13:48:03] ipsec: Starting strongSwan 5.8.0 IPsec [starter]...
I [Dec 13 13:48:03] ipsec: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.0, Linux 4.9-ndm-4, mips)
I [Dec 13 13:48:05] ipsec: 00[CFG] loading secrets
I [Dec 13 13:48:05] ipsec: 00[CFG]   loaded IKE secret for cmap:Gre0
I [Dec 13 13:48:05] ipsec: 00[CFG] loaded 1 RADIUS server configuration
I [Dec 13 13:48:05] ipsec: 00[CFG] starting system time check, interval: 10s
I [Dec 13 13:48:05] ipsec: 00[LIB] loaded plugins: charon ndm-pem random save-keys nonce x509 pubkey openssl xcbc cmac hmac ctr attr kernel-netlink resolve socket-
                    default stroke updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-peap xauth-generic xauth-eap error-notify systime-fix unity
I [Dec 13 13:48:05] ipsec: 00[LIB] dropped capabilities, running as uid 65534, gid 65534
I [Dec 13 13:48:05] ipsec: 03[CFG] received stroke: add connection 'Gre0'
I [Dec 13 13:48:05] ipsec: 03[CFG] added configuration 'Gre0'
I [Dec 13 13:48:05] ipsec: 11[CFG] received stroke: initiate 'Gre0'
I [Dec 13 13:48:05] ipsec: 11[IKE] initiating IKE_SA Gre0[1] to BBB.BBB.BBB.BBB
I [Dec 13 13:48:05] ipsec: 14[IKE] peer didn't accept DH group MODP_1024, it requested MODP_2048
I [Dec 13 13:48:05] ipsec: 14[IKE] initiating IKE_SA Gre0[1] to BBB.BBB.BBB.BBB
I [Dec 13 13:48:06] ipsec: 15[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
I [Dec 13 13:48:06] ipsec: 15[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024,
                    IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536,
                    IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384,
                    IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048,
                    IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
I [Dec 13 13:48:06] ipsec: 15[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
I [Dec 13 13:48:06] ipsec: 15[IKE] found linked key for crypto map 'Gre0'
I [Dec 13 13:48:06] ipsec: 15[IKE] establishing CHILD_SA Gre0{1}
I [Dec 13 13:48:07] ipsec: 10[IKE] received AUTHENTICATION_FAILED notify error
E [Dec 13 13:48:07] ndm: IpSec::Configurator: remote peer rejects to authenticate our crypto map "Gre0".
W [Dec 13 13:48:07] ndm: IpSec::Configurator: (possibly because of wrong local/remote ID).
I [Dec 13 13:48:07] ndm: IpSec::CryptoMapInfo: "Gre0": crypto map active IKE SA: 0, active CHILD SA: 0.
W [Dec 13 13:48:07] ndm: IpSec::Configurator: fallback peer is not defined for crypto map "Gre0", retry.
I [Dec 13 13:48:07] ndm: IpSec::Configurator: "Gre0": schedule reconnect for crypto map.
I [Dec 13 13:48:07] ndm: Network::Interface::SecureIpTunnel: "Gre0": IPsec layer is down, shutdown tunnel layer.
I [Dec 13 13:48:07] ndm: Network::Interface::SecureIpTunnel: "Gre0": secured tunnel is down.
I [Dec 13 13:48:07] ndm: IpSec::Manager: "Gre0": IP secure connection and keys was deleted.
E [Dec 13 13:48:07] ndm: IpSec::Configurator: general error while establishing crypto map "Gre0" connection.
I [Dec 13 13:48:07] ndm: IpSec::CryptoMapInfo: "Gre0": crypto map active IKE SA: 0, active CHILD SA: 0.
W [Dec 13 13:48:07] ndm: IpSec::Configurator: fallback peer is not defined for crypto map "Gre0", retry.
I [Dec 13 13:48:07] ndm: Network::Interface::SecureIpTunnel: "Gre0": IPsec layer is down, shutdown tunnel layer.


Why does it load the RADIUS rules? As I understand it, it is trying to complete authentication with a certificate.

Log from the other side:

13:32:22 srv IPSEC: 06[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]
13:32:22 srv IPSEC: 06[ENC] received fragment #3 of 3, reassembled fragmented IKE message (2876 bytes)
13:32:22 srv IPSEC: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 41:f3:8f:66:50:fe:15:ff:4e:24:29:2d:c7:67:19:c4:4b:c8:1e:cd
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid c3:2e:e6:fd:16:60:3b:f5:d0:5f:fb:85:1d:41:46:ce:16:31:9d:6e
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid ba:b7:43:e0:ed:c7:1e:72:8a:31:ad:da:65:7b:b9:4c:ca:63:ee:07
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 0f:73:b7:ce:46:fb:89:05:4b:02:97:75:95:97:58:1f:bb:22:59:f5
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 99:9b:76:54:0b:4a:9c:7a:35:ca:8f:0f:2e:aa:74:7a:0f:ae:c5:6e
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid ca:0f:ad:e1:ca:f3:73:79:25:69:a5:b2:b6:29:ab:63:0a:bc:7a:1c
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 98:46:5e:8d:55:f2:bb:69:0c:d1:e6:c5:b0:81:2e:f2:fe:f2:38:a3
.
.
.
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid a7:e9:c8:0c:8c:4b:56:d6:37:fa:9e:0d:6c:69:58:1d:32:4e:91:c0
13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 52:2c:46:fc:ee:2e:a4:be:b5:f1:01:a3:9d:d2:16:ba:d8:85:8e:b5
13:32:22 srv IPSEC: 06[IKE] received 129 cert requests for an unknown ca
13:32:22 srv IPSEC: 06[CFG] looking for peer configs matching BBB.BBB.BBB.BBB[Gre0]...AAA.AAA.AAA.AAA[Gre0]
13:32:22 srv IPSEC: 06[CFG] no matching peer config found
13:32:22 srv IPSEC: peer authentication failed
13:32:22 srv IPSEC: 06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
13:32:22 srv IPSEC: 06[NET] sending packet: from BBB.BBB.BBB.BBB[500] to AAA.AAA.AAA.AAA[500] (76 bytes)
13:32:22 srv IPSEC: 04[NET] sending packet: from BBB.BBB.BBB.BBB[500] to AAA.AAA.AAA.AAA[500]
13:32:22 srv IPSEC: 06[IKE] removing IP address AAA.AAA.AAA.AAA for peer Gre0
13:32:22 srv IPSEC: 06[MGR] checkin and destroy IKE_SA (unnamed)[3106]
13:32:22 srv IPSEC: 06[IKE] IKE_SA (unnamed)[3106] state change: CONNECTING => DESTROYING
13:32:22 srv IPSEC: 06[MGR] checkin and destroy of IKE_SA successful

Edited by Ilya_

Another question: how do I add my own certificate to the Keenetic for IKEv2 authentication?

Or tell it not to use a certificate at all and authenticate only with a login and password.


13:32:22 srv IPSEC: 06[IKE] received 129 cert requests for an unknown ca
13:32:22 srv IPSEC: 06[CFG] looking for peer configs matching BBB.BBB.BBB.BBB[Gre0]...AAA.AAA.AAA.AAA[Gre0]
13:32:22 srv IPSEC: 06[CFG] no matching peer config found
13:32:22 srv IPSEC: peer authentication failed
13:32:22 srv IPSEC: 06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Edited by Ilya_

IKEv2, because all the other tunnels on it use it, and since the Keenetic claims IPsec support with IKEv2, I decided to build this tunnel on it as well. But something did not go to plan here. As I understand it, I need to make the Keenetic accept my certificate, or disable its use, but the crypto map for GRE cannot be edited.

PS: and the performance is acceptable.

Edited by Ilya_

Try it without IKEv2 anyway. There is another subtlety: for IKEv2 the ID on the other end of the tunnel must be the same as the interface name on the Keenetic. That is, you have Gre0, so ID local and ID remote on the AT must also be Gre0.

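The responder-side failure in this thread ("looking for peer configs matching ...[Gre0]...[Gre0]" followed by "no matching peer config found") can be triaged from the charon log alone. The following Python helper is an added example, not code from the thread or from Keenetic or Allied Telesis; it parses constructed log lines modelled on the quoted ones (placeholder addresses) and reports which IDs the responder would have to be configured with.

```python
import re

# Constructed sample, modelled on the responder-side charon log quoted in the
# thread; addresses are RFC 5737 documentation placeholders, not real peers.
SAMPLE_LOG = """\
13:32:22 srv IPSEC: 06[IKE] received 129 cert requests for an unknown ca
13:32:22 srv IPSEC: 06[CFG] looking for peer configs matching 203.0.113.2[Gre0]...198.51.100.1[Gre0]
13:32:22 srv IPSEC: 06[CFG] no matching peer config found
13:32:22 srv IPSEC: peer authentication failed
13:32:22 srv IPSEC: 06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
"""

# charon logs "looking for peer configs matching <me>[<my_id>]...<other>[<other_id>]":
# <my_id> is the IDr the initiator asked for, <other_id> is the IDi it sent.
PEER_CFG_RE = re.compile(
    r"looking for peer configs matching (?P<me>[^\s\[]+)\[(?P<idr>[^\]]+)\]\.\.\."
    r"(?P<other>[^\s\[]+)\[(?P<idi>[^\]]+)\]"
)
UNKNOWN_CA_RE = re.compile(r"received (\d+) cert requests for an unknown ca")


def triage_ike_auth(log_text, expected_id):
    """Explain an IKE_AUTH failure from responder-side charon lines.

    expected_id is the identity both sides are meant to use; on a Keenetic the
    crypto map carries the interface name (e.g. 'Gre0'), so that is what it sends.
    """
    result = {"idr": None, "idi": None, "unknown_ca_requests": 0,
              "verdict": "ok", "mismatched_ids": [], "advice": ""}
    for line in log_text.splitlines():
        m = PEER_CFG_RE.search(line)
        if m:
            result["idr"], result["idi"] = m.group("idr"), m.group("idi")
        m = UNKNOWN_CA_RE.search(line)
        if m:
            # CERTREQ payloads for CAs the responder lacks are noise, not the
            # cause of AUTH_FAILED; counted so the reader is not misled by them.
            result["unknown_ca_requests"] = int(m.group(1))
        if "no matching peer config found" in line:
            result["verdict"] = "no_peer_config"
        elif "N(AUTH_FAILED)" in line and result["verdict"] == "ok":
            result["verdict"] = "auth_failed"
    if result["verdict"] == "no_peer_config":
        result["mismatched_ids"] = [k for k in ("idr", "idi") if result[k] != expected_id]
        if result["mismatched_ids"]:
            result["advice"] = (f"initiator sent IDr={result['idr']} IDi={result['idi']}; "
                                f"expected '{expected_id}' on both")
        else:
            result["advice"] = (f"initiator sent '{expected_id}' as IDr and IDi; "
                                f"set local and remote ID to '{expected_id}' on the responder")
    return result
```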
