From: Peter Teslenko <inkyspot@home.ru>
To: Peter Teslenko <community@altlinux.ru>
Subject: Re[5]: [Comm] FreeS/WAN
Date: Thu, 29 Jul 2004 17:36:56 +0400
Message-ID: <53244741296.20040729173656@home.ru> (raw)
In-Reply-To: <151229866437.20040729132830@home.ru>
Hello Peter,
Может кто-то все-таки в курсе...
После всех мытарств имею это.
На одной стороне
root@relay:/etc# ipsec auto --status
000 interface ipsec0/eth0 81.23.107.58
000 %myid = (none)
000 debug none
000
000 "mcicb-to-kirza": 192.168.1.0/24===81.23.107.58[@relay.mcbfa.ru]---81.23.107.57...82.140.78.49---82.140.78.50[@kirza]===192.168.4.0/24; erouted; eroute owner: #3
000 "mcicb-to-kirza": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "mcicb-to-kirza": policy: RSASIG+ENCRYPT+PFS+UP; prio: 24,24; interface: eth0;
000 "mcicb-to-kirza": newest ISAKMP SA: #1; newest IPsec SA: #3;
000
000 #3: "mcicb-to-kirza" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2227s; newest IPSEC; eroute owner
000 #3: "mcicb-to-kirza" esp.839d3fe5@82.140.78.50 esp.f3d562a@81.23.107.58 tun.1004@82.140.78.50 tun.1003@81.23.107.58
000 #2: "mcicb-to-kirza" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1915s
000 #2: "mcicb-to-kirza" esp.839d3fe4@82.140.78.50 esp.f3d5629@81.23.107.58 tun.1002@82.140.78.50 tun.1001@81.23.107.58
000 #1: "mcicb-to-kirza" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1913s; newest ISAKMP
000
root@relay:/etc# ipsec look
relay Thu Jul 29 17:32:29 MSD 2004
192.168.1.0/24 -> 192.168.4.0/24 => tun0x1004@82.140.78.50 esp0x839d3fe5@82.140.78.50 (0)
ipsec0->eth0 mtu=16260(1500)->1500
esp0x839d3fe4@82.140.78.50 ESP_3DES_HMAC_MD5: dir=out src=81.23.107.58 iv_bits=64bits iv=0xdba4202aa496401e ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1149,0,0) refcount=4 ref=12
esp0x839d3fe5@82.140.78.50 ESP_3DES_HMAC_MD5: dir=out src=81.23.107.58 iv_bits=64bits iv=0x24ee0969fa54db40 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1121,0,0) refcount=4 ref=22
esp0xf3d5629@81.23.107.58 ESP_3DES_HMAC_MD5: dir=in src=82.140.78.50 iv_bits=64bits iv=0x6c1971b7b874ec50 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1149,0,0) refcount=4 ref=7
esp0xf3d562a@81.23.107.58 ESP_3DES_HMAC_MD5: dir=in src=82.140.78.50 iv_bits=64bits iv=0x0acc4398258c1634 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1121,0,0) refcount=4 ref=17
tun0x1001@81.23.107.58 IPIP: dir=in src=82.140.78.50 policy=192.168.4.0/24->192.168.1.0/24 flags=0x8<> life(c,s,h)=addtime(1149,0,0) refcount=4 ref=6
tun0x1002@82.140.78.50 IPIP: dir=out src=81.23.107.58 life(c,s,h)=addtime(1149,0,0) refcount=4 ref=11
tun0x1003@81.23.107.58 IPIP: dir=in src=82.140.78.50 policy=192.168.4.0/24->192.168.1.0/24 flags=0x8<> life(c,s,h)=addtime(1121,0,0) refcount=4 ref=16
tun0x1004@82.140.78.50 IPIP: dir=out src=81.23.107.58 life(c,s,h)=addtime(1121,0,0) refcount=4 ref=21
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 81.23.107.57 0.0.0.0 UG 0 0 0 eth0
192.168.4.0 81.23.107.57 255.255.255.0 UG 0 0 0 ipsec0
81.23.107.56 0.0.0.0 255.255.255.248 U 0 0 0 eth0
81.23.107.56 0.0.0.0 255.255.255.248 U 0 0 0 ipsec0
root@relay:/etc# ip route ls
81.23.107.56/29 dev eth0 proto kernel scope link src 81.23.107.58
81.23.107.56/29 dev ipsec0 proto kernel scope link src 81.23.107.58
192.168.4.0/24 via 81.23.107.57 dev ipsec0
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
127.0.0.0/8 dev lo scope link
default via 81.23.107.57 dev eth0 metric 1
root@relay:/etc# ip link ls
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:04:75:d6:af:97 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:04:75:86:b7:9b brd ff:ff:ff:ff:ff:ff
165: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:04:75:d6:af:97 brd ff:ff:ff:ff:ff:ff
166: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
link/void
167: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/void
168: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/void
на другой стороне
root@kirza-gw:/etc# ipsec auto --status
000 interface ipsec0/eth0 82.140.78.50
000 %myid = (none)
000 debug none
000
000 "mcicb-to-kirza": 192.168.4.0/24===82.140.78.50[@kirza]---82.140.78.49...81.23.107.57---81.23.107.58[@relay.mcbfa.ru]===192.168.1.0/24; erouted; eroute owner: #3
000 "mcicb-to-kirza": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "mcicb-to-kirza": policy: RSASIG+ENCRYPT+PFS+UP; prio: 24,24; interface: eth0;
000 "mcicb-to-kirza": newest ISAKMP SA: #1; newest IPsec SA: #3;
000
000 #3: "mcicb-to-kirza" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2015s; newest IPSEC; eroute owner
000 #3: "mcicb-to-kirza" esp.f3d562a@81.23.107.58 esp.839d3fe5@82.140.78.50 tun.1004@81.23.107.58 tun.1003@82.140.78.50
000 #2: "mcicb-to-kirza" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2593s
000 #2: "mcicb-to-kirza" esp.f3d5629@81.23.107.58 esp.839d3fe4@82.140.78.50 tun.1002@81.23.107.58 tun.1001@82.140.78.50
000 #1: "mcicb-to-kirza" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2592s; newest ISAKMP
000
root@kirza-gw:/etc# ipsec look
kirza-gw Thu Jul 29 17:33:33 MSD 2004
192.168.4.0/24 -> 192.168.1.0/24 => tun0x1004@81.23.107.58 esp0xf3d562a@81.23.107.58 (0)
ipsec0->eth0 mtu=16260(1500)->1500
esp0x839d3fe4@82.140.78.50 ESP_3DES_HMAC_MD5: dir=in src=81.23.107.58 iv_bits=64bits iv=0x2f15d51807468f83 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1232,0,0) refcount=4 ref=7
esp0x839d3fe5@82.140.78.50 ESP_3DES_HMAC_MD5: dir=in src=81.23.107.58 iv_bits=64bits iv=0x7db1c68d6b4f0293 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1204,0,0) refcount=4 ref=17
esp0xf3d5629@81.23.107.58 ESP_3DES_HMAC_MD5: dir=out src=82.140.78.50 iv_bits=64bits iv=0x9c76bb93305216de ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1232,0,0) refcount=4 ref=12
esp0xf3d562a@81.23.107.58 ESP_3DES_HMAC_MD5: dir=out src=82.140.78.50 iv_bits=64bits iv=0x8d21300139aa0ee0 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1204,0,0) refcount=4 ref=22
tun0x1001@82.140.78.50 IPIP: dir=in src=81.23.107.58 policy=192.168.1.0/24->192.168.4.0/24 flags=0x8<> life(c,s,h)=addtime(1232,0,0) refcount=4 ref=6
tun0x1002@81.23.107.58 IPIP: dir=out src=82.140.78.50 life(c,s,h)=addtime(1232,0,0) refcount=4 ref=11
tun0x1003@82.140.78.50 IPIP: dir=in src=81.23.107.58 policy=192.168.1.0/24->192.168.4.0/24 flags=0x8<> life(c,s,h)=addtime(1204,0,0) refcount=4 ref=16
tun0x1004@81.23.107.58 IPIP: dir=out src=82.140.78.50 life(c,s,h)=addtime(1204,0,0) refcount=4 ref=21
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 82.140.78.49 0.0.0.0 UG 0 0 0 eth0
192.168.1.0 82.140.78.49 255.255.255.0 UG 0 0 0 ipsec0
82.140.78.48 0.0.0.0 255.255.255.252 U 0 0 0 eth0
82.140.78.48 0.0.0.0 255.255.255.252 U 0 0 0 ipsec0
root@kirza-gw:/etc# ip route ls
82.140.78.48/30 dev eth0 proto kernel scope link src 82.140.78.50
82.140.78.48/30 dev ipsec0 proto kernel scope link src 82.140.78.50
192.168.4.0/24 dev eth1 proto kernel scope link src 192.168.4.1
192.168.1.0/24 via 82.140.78.49 dev ipsec0
127.0.0.0/8 dev lo scope link
default via 82.140.78.49 dev eth0 metric 1
root@kirza-gw:/etc# ip link ls
1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:e0:7d:8f:93:3a brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:30:84:3c:54:2f brd ff:ff:ff:ff:ff:ff
12: ipsec0: <NOARP,UP> mtu 16260 qdisc pfifo_fast qlen 10
link/ether 00:e0:7d:8f:93:3a brd ff:ff:ff:ff:ff:ff
13: ipsec1: <NOARP> mtu 0 qdisc noop qlen 10
link/void
14: ipsec2: <NOARP> mtu 0 qdisc noop qlen 10
link/void
15: ipsec3: <NOARP> mtu 0 qdisc noop qlen 10
link/void
ping'и не ходят :(
Скоро заработаю вывих мозга.
--
Peter Teslenko
next prev parent reply other threads:[~2004-07-29 13:36 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-07-20 9:14 [Comm] Создание всех jabber-пользователей скопом community
2004-07-20 9:22 ` Mike Lykov
2004-07-20 9:38 ` community
2004-07-26 14:12 ` [Comm] FreeS/WAN Peter Teslenko
2004-07-26 14:57 ` Maxim Tyurin
2004-07-26 17:34 ` Re[2]: " Peter Teslenko
2004-07-27 2:16 ` Igor Solovyov
2004-07-27 7:54 ` Re[4]: " Peter Teslenko
2004-07-29 9:28 ` Peter Teslenko
2004-07-29 11:35 ` Igor Solovyov
2004-08-08 12:44 ` Maxim Tyurin
2004-08-08 14:57 ` Igor Solovyov
2004-07-29 13:36 ` Peter Teslenko [this message]
2004-07-31 5:04 ` Re[6]: " Dmitry Vodennikov
2004-07-27 3:37 ` Re[3]: " Dmitry Vodennikov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53244741296.20040729173656@home.ru \
--to=inkyspot@home.ru \
--cc=community@altlinux.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
ALT Linux Community general discussions
This inbox may be cloned and mirrored by anyone:
git clone --mirror http://lore.altlinux.org/community/0 community/git/0.git
# If you have public-inbox 1.1+ installed, you may
# initialize and index your mirror using the following commands:
public-inbox-init -V2 community community/ http://lore.altlinux.org/community \
mandrake-russian@linuxteam.iplabs.ru community@lists.altlinux.org community@lists.altlinux.ru community@lists.altlinux.com
public-inbox-index community
Example config snippet for mirrors.
Newsgroup available over NNTP:
nntp://lore.altlinux.org/org.altlinux.lists.community
AGPL code for this site: git clone https://public-inbox.org/public-inbox.git