
Setting up an IPsec VPN tunnel



Good day, everyone. Router: Keenetic Extra, installed firmware version 3.8.7.
I would appreciate help with a few questions:

1. Do I need to open ports and protocols for the IPsec tunnel, and how do I do it correctly? 500 and 4500? Is this done in the firewall policies or in the NAT policies? In NAT I tried creating a rule allowing ICMP, and that works.

2. On the WAN port the device obtains a private IP, 10.174.5.17, via DHCP from the provider, but the provider also issued a public IP, 31.132.X.X, and when connecting to it we reach the Keenetic; port forwarding of 80, 443, 3389 etc. works.

I am posting the tunnel settings. It does not work.
On the other side is a ZyWALL 310 with a dozen tunnels to various equipment, all of them fine. I cannot figure out where to dig here.

[Attachments: 2022-11-22_18-49-34.png, 2022-11-22_18-49-56.png (screenshots of the tunnel settings)]

Edited by Makson

There is really nothing special you need to do: if it forwards one-to-one, and a similar setup comes up elsewhere, it should work for you too.

Or maybe it does not forward one-to-one, but filters something.

I had a similar setup with internet from Beeline, but everything came up.

Maybe there is a mismatch somewhere in the negotiation of the security protocols? What is in the logs?


From the other equipment's side:

Nov 23 11:11:59.894: ISAKMP:(0): beginning Main Mode exchange
Nov 23 11:11:59.894: ISAKMP:(0): sending packet to 31.132.x.x my_port 500 peer_port 500 (I) MM_NO_STATE
Nov 23 11:11:59.894: ISAKMP:(0):Sending an IKE IPv4 Packet.
atmservice#
Nov 23 11:12:06.046: ISAKMP (2756): received packet from 31.132.x.x dport 4500 sport 4500 Global (R) QM_IDLE
So:
the Cisco sends it a request to port 500, and it replies from 4500, since it is behind NAT.

Edited by Makson

[I] Nov 23 14:03:24 ipsec: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.0, Linux 4.9-ndm-5, mips) 
[I] Nov 23 14:03:24 ipsec: 00[CFG] loading secrets 
[I] Nov 23 14:03:24 ipsec: 00[CFG]   loaded IKE secret for 31.132.209.49 82.116.X.X  
[I] Nov 23 14:03:24 ipsec: 00[CFG] loaded 1 RADIUS server configuration 
[I] Nov 23 14:03:24 ipsec: 00[CFG] starting system time check, interval: 10s 
[I] Nov 23 14:03:24 ipsec: 00[LIB] loaded plugins: charon ndm-pem random save-keys nonce x509 pubkey openssl xcbc cmac hmac ctr attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-peap xauth-generic xauth-eap error-notify systime-fix unity counters 
[I] Nov 23 14:03:24 ipsec: 00[LIB] dropped capabilities, running as uid 65534, gid 65534 
[I] Nov 23 14:03:24 ipsec: 05[CFG] received stroke: add connection 'vpn_tunnel_to_msk' 
[I] Nov 23 14:03:24 ipsec: 05[CFG] added configuration 'vpn_tunnel_to_msk' 
[I] Nov 23 14:03:42 ipsec: 05[IKE] received NAT-T (RFC 3947) vendor ID 
[I] Nov 23 14:03:42 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID 
[I] Nov 23 14:03:42 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID 
[I] Nov 23 14:03:42 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID 
[I] Nov 23 14:03:42 ipsec: 05[IKE] 82.116.X.X is initiating a Main Mode IKE_SA 
[I] Nov 23 14:03:42 ipsec: 05[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 
[I] Nov 23 14:03:42 ipsec: 05[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536 
[I] Nov 23 14:03:42 ipsec: 05[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536 
[I] Nov 23 14:03:42 ipsec: 05[IKE] sending DPD vendor ID 
[I] Nov 23 14:03:42 ipsec: 05[IKE] sending NAT-T (RFC 3947) vendor ID 
[I] Nov 23 14:03:52 ipsec: 06[IKE] received retransmit of request with ID 0, retransmitting response 
[I] Nov 23 14:04:12 ipsec: Core::Syslog: last message repeated 2 times.
[I] Nov 23 14:04:12 ipsec: 05[JOB] deleting half open IKE_SA with 82.116.X.X after timeout 
[I] Nov 23 14:04:13 ndm: UPnP::Service: "System": redirect rule added: tcp FastEthernet0/Vlan2:17000 -> 192.168.10.63:6036. 
[I] Nov 23 14:04:13 ndm: UPnP::Service: "System": forward rule added: tcp FastEthernet0/Vlan2 -> 192.168.10.63:6036. 
[I] Nov 23 14:04:22 ipsec: 07[IKE] received NAT-T (RFC 3947) vendor ID 
[I] Nov 23 14:04:22 ipsec: 07[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID 
[I] Nov 23 14:04:22 ipsec: 07[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID 
[I] Nov 23 14:04:22 ipsec: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID 
[I] Nov 23 14:04:22 ipsec: 07[IKE] 82.116.X.X is initiating a Main Mode IKE_SA 
[I] Nov 23 14:04:22 ipsec: 07[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 
[I] Nov 23 14:04:22 ipsec: 07[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536 
[I] Nov 23 14:04:22 ipsec: 07[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536 
[I] Nov 23 14:04:22 ipsec: 07[IKE] sending DPD vendor ID 
[I] Nov 23 14:04:22 ipsec: 07[IKE] sending NAT-T (RFC 3947) vendor ID 
[I] Nov 23 14:04:32 ipsec: 07[IKE] received retransmit of request with ID 0, retransmitting response 
[I] Nov 23 14:04:52 ipsec: 09[JOB] deleting half open IKE_SA with 82.116.X.X after timeout 
[I] Nov 23 14:05:21 ipsec: 07[IKE] received NAT-T (RFC 3947) vendor ID 
[I] Nov 23 14:05:21 ipsec: 07[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID 
[I] Nov 23 14:05:21 ipsec: 07[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID 
[I] Nov 23 14:05:21 ipsec: 07[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID 
[I] Nov 23 14:05:21 ipsec: 07[IKE] 82.116.X.X is initiating a Main Mode IKE_SA 
[I] Nov 23 14:05:21 ipsec: 07[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024 
[I] Nov 23 14:05:21 ipsec: 07[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536 
[I] Nov 23 14:05:21 ipsec: 07[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536 
[I] Nov 23 14:05:21 ipsec: 07[IKE] sending DPD vendor ID 
[I] Nov 23 14:05:21 ipsec: 07[IKE] sending NAT-T (RFC 3947) vendor ID 
[I] Nov 23 14:05:31 ipsec: 06[IKE] received retransmit of request with ID 0, retransmitting response 
 

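As an added example (not from the thread, Keenetic's firmware or strongSwan), a small Python checker that reads a responder-side charon log like the one above and separates a phase 1 transform mismatch from the pattern seen here: the proposal is selected, yet the initiator keeps retransmitting its first message until the half-open IKE_SA times out, which means the responder's reply is not getting back through the upstream NAT or filter. The `no proposal found` / `NO_PROPOSAL_CHOSEN` wording is my assumption about strongSwan's mismatch message; the other patterns and the sample lines are taken from the quoted log.

```python
import re
from dataclasses import dataclass

# charon patterns: first four are verbatim from the thread's log; NO_PROPOSAL is assumed wording
INITIATING = re.compile(r"\[IKE\] (\S+) is initiating a Main Mode IKE_SA")
SELECTED = re.compile(r"\[CFG\] selected proposal: (\S+)")
RETRANSMIT = re.compile(r"received retransmit of request with ID 0")
HALF_OPEN = re.compile(r"deleting half open IKE_SA with \S+ after timeout")
NO_PROPOSAL = re.compile(r"no proposal found|NO_PROPOSAL_CHOSEN")

@dataclass
class Attempt:                # one Main Mode exchange as seen by the responder
    peer: str
    selected: str = ""        # phase 1 transform both ends agreed on
    no_proposal: bool = False
    retransmits: int = 0      # initiator re-sent MM1: it never received our MM2
    half_open_deleted: bool = False

def parse_attempts(log: str) -> list:
    attempts, cur = [], None
    for line in log.splitlines():
        if m := INITIATING.search(line):
            cur = Attempt(peer=m.group(1))
            attempts.append(cur)
        elif cur is None:
            continue
        elif m := SELECTED.search(line):
            cur.selected = m.group(1)
        elif NO_PROPOSAL.search(line):
            cur.no_proposal = True
        elif RETRANSMIT.search(line):
            cur.retransmits += 1
        elif HALF_OPEN.search(line):
            cur.half_open_deleted, cur = True, None
    return attempts

def diagnose(a: Attempt) -> str:
    if a.no_proposal:
        return "proposal-mismatch"  # align phase 1 transforms; the NAT is not the issue
    if a.selected and a.retransmits and a.half_open_deleted:
        # crypto negotiated fine, but our UDP/500 reply never reached the initiator (NAT/filter)
        return "reply-not-reaching-initiator"
    return "inconclusive"

# Constructed sample modelled on the thread's log (one failed attempt).
SAMPLE_LOG = """\
[I] Nov 23 14:03:42 ipsec: 05[IKE] 82.116.X.X is initiating a Main Mode IKE_SA
[I] Nov 23 14:03:42 ipsec: 05[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
[I] Nov 23 14:03:52 ipsec: 06[IKE] received retransmit of request with ID 0, retransmitting response
[I] Nov 23 14:04:12 ipsec: 05[JOB] deleting half open IKE_SA with 82.116.X.X after timeout
"""
```

Running `diagnose` over `parse_attempts(SAMPLE_LOG)` yields `reply-not-reaching-initiator`, which is what the log in this post shows: the selected proposal line proves the transforms match, so the remaining suspect is UDP 500/4500 handling on the provider's forwarding.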

I just voiced the most likely explanation.

There was a similar thread, also with Beeline by the way: they handed out an internal address and forwarded an external one; they have such a service, "Internet vCPE".

Half of the services come up, half do not... It turned out that they do not forward all the ports there, and some are not forwarded one-to-one.

Until it was made one-to-one, it did not work!
