Date: Thu, 29 Jul 2004 17:36:56 +0400
From: Peter Teslenko
To: Peter Teslenko
Subject: Re[5]: [Comm] FreeS/WAN

Hello Peter,

Maybe someone does know after all...
After all the ordeals, this is what I have.

On one side:

root@relay:/etc# ipsec auto --status
000 interface ipsec0/eth0 81.23.107.58
000 %myid = (none)
000 debug none
000
000 "mcicb-to-kirza": 192.168.1.0/24===81.23.107.58[@relay.mcbfa.ru]---81.23.107.57...82.140.78.49---82.140.78.50[@kirza]===192.168.4.0/24; erouted; eroute owner: #3
000 "mcicb-to-kirza": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "mcicb-to-kirza": policy: RSASIG+ENCRYPT+PFS+UP; prio: 24,24; interface: eth0;
000 "mcicb-to-kirza": newest ISAKMP SA: #1; newest IPsec SA: #3;
000
000 #3: "mcicb-to-kirza" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2227s; newest IPSEC; eroute owner
000 #3: "mcicb-to-kirza" esp.839d3fe5@82.140.78.50 esp.f3d562a@81.23.107.58 tun.1004@82.140.78.50 tun.1003@81.23.107.58
000 #2: "mcicb-to-kirza" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 1915s
000 #2: "mcicb-to-kirza" esp.839d3fe4@82.140.78.50 esp.f3d5629@81.23.107.58 tun.1002@82.140.78.50 tun.1001@81.23.107.58
000 #1: "mcicb-to-kirza" STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1913s; newest ISAKMP
000

root@relay:/etc# ipsec look
relay Thu Jul 29 17:32:29 MSD 2004
192.168.1.0/24 -> 192.168.4.0/24 => tun0x1004@82.140.78.50 esp0x839d3fe5@82.140.78.50 (0)
ipsec0->eth0 mtu=16260(1500)->1500
esp0x839d3fe4@82.140.78.50 ESP_3DES_HMAC_MD5: dir=out src=81.23.107.58 iv_bits=64bits iv=0xdba4202aa496401e ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1149,0,0) refcount=4 ref=12
esp0x839d3fe5@82.140.78.50 ESP_3DES_HMAC_MD5: dir=out src=81.23.107.58 iv_bits=64bits iv=0x24ee0969fa54db40 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1121,0,0) refcount=4 ref=22
esp0xf3d5629@81.23.107.58 ESP_3DES_HMAC_MD5: dir=in src=82.140.78.50 iv_bits=64bits iv=0x6c1971b7b874ec50 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1149,0,0) refcount=4 ref=7
esp0xf3d562a@81.23.107.58 ESP_3DES_HMAC_MD5: dir=in src=82.140.78.50 iv_bits=64bits iv=0x0acc4398258c1634 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1121,0,0) refcount=4 ref=17
tun0x1001@81.23.107.58 IPIP: dir=in src=82.140.78.50 policy=192.168.4.0/24->192.168.1.0/24 flags=0x8<> life(c,s,h)=addtime(1149,0,0) refcount=4 ref=6
tun0x1002@82.140.78.50 IPIP: dir=out src=81.23.107.58 life(c,s,h)=addtime(1149,0,0) refcount=4 ref=11
tun0x1003@81.23.107.58 IPIP: dir=in src=82.140.78.50 policy=192.168.4.0/24->192.168.1.0/24 flags=0x8<> life(c,s,h)=addtime(1121,0,0) refcount=4 ref=16
tun0x1004@82.140.78.50 IPIP: dir=out src=81.23.107.58 life(c,s,h)=addtime(1121,0,0) refcount=4 ref=21
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         81.23.107.57    0.0.0.0         UG        0 0          0 eth0
192.168.4.0     81.23.107.57    255.255.255.0   UG        0 0          0 ipsec0
81.23.107.56    0.0.0.0         255.255.255.248 U         0 0          0 eth0
81.23.107.56    0.0.0.0         255.255.255.248 U         0 0          0 ipsec0

root@relay:/etc# ip route ls
81.23.107.56/29 dev eth0 proto kernel scope link src 81.23.107.58
81.23.107.56/29 dev ipsec0 proto kernel scope link src 81.23.107.58
192.168.4.0/24 via 81.23.107.57 dev ipsec0
192.168.2.0/24 dev eth1 proto kernel scope link src 192.168.2.1
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
127.0.0.0/8 dev lo scope link
default via 81.23.107.57 dev eth0 metric 1

root@relay:/etc# ip link ls
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:04:75:d6:af:97 brd ff:ff:ff:ff:ff:ff
3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:04:75:86:b7:9b brd ff:ff:ff:ff:ff:ff
165: ipsec0: mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:04:75:d6:af:97 brd ff:ff:ff:ff:ff:ff
166: ipsec1: mtu 0 qdisc noop qlen 10
    link/void
167: ipsec2: mtu 0 qdisc noop qlen 10
    link/void
168: ipsec3: mtu 0 qdisc noop qlen 10
    link/void

On the other side:

root@kirza-gw:/etc# ipsec auto --status
000 interface ipsec0/eth0 82.140.78.50
000 %myid = (none)
000 debug none
000
000 "mcicb-to-kirza": 192.168.4.0/24===82.140.78.50[@kirza]---82.140.78.49...81.23.107.57---81.23.107.58[@relay.mcbfa.ru]===192.168.1.0/24; erouted; eroute owner: #3
000 "mcicb-to-kirza": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "mcicb-to-kirza": policy: RSASIG+ENCRYPT+PFS+UP; prio: 24,24; interface: eth0;
000 "mcicb-to-kirza": newest ISAKMP SA: #1; newest IPsec SA: #3;
000
000 #3: "mcicb-to-kirza" STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2015s; newest IPSEC; eroute owner
000 #3: "mcicb-to-kirza" esp.f3d562a@81.23.107.58 esp.839d3fe5@82.140.78.50 tun.1004@81.23.107.58 tun.1003@82.140.78.50
000 #2: "mcicb-to-kirza" STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 2593s
000 #2: "mcicb-to-kirza" esp.f3d5629@81.23.107.58 esp.839d3fe4@82.140.78.50 tun.1002@81.23.107.58 tun.1001@82.140.78.50
000 #1: "mcicb-to-kirza" STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 2592s; newest ISAKMP
000

root@kirza-gw:/etc# ipsec look
kirza-gw Thu Jul 29 17:33:33 MSD 2004
192.168.4.0/24 -> 192.168.1.0/24 => tun0x1004@81.23.107.58 esp0xf3d562a@81.23.107.58 (0)
ipsec0->eth0 mtu=16260(1500)->1500
esp0x839d3fe4@82.140.78.50 ESP_3DES_HMAC_MD5: dir=in src=81.23.107.58 iv_bits=64bits iv=0x2f15d51807468f83 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1232,0,0) refcount=4 ref=7
esp0x839d3fe5@82.140.78.50 ESP_3DES_HMAC_MD5: dir=in src=81.23.107.58 iv_bits=64bits iv=0x7db1c68d6b4f0293 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1204,0,0) refcount=4 ref=17
esp0xf3d5629@81.23.107.58 ESP_3DES_HMAC_MD5: dir=out src=82.140.78.50 iv_bits=64bits iv=0x9c76bb93305216de ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1232,0,0) refcount=4 ref=12
esp0xf3d562a@81.23.107.58 ESP_3DES_HMAC_MD5: dir=out src=82.140.78.50 iv_bits=64bits iv=0x8d21300139aa0ee0 ooowin=64 alen=128 aklen=128 eklen=192 life(c,s,h)=addtime(1204,0,0) refcount=4 ref=22
tun0x1001@82.140.78.50 IPIP: dir=in src=81.23.107.58 policy=192.168.1.0/24->192.168.4.0/24 flags=0x8<> life(c,s,h)=addtime(1232,0,0) refcount=4 ref=6
tun0x1002@81.23.107.58 IPIP: dir=out src=82.140.78.50 life(c,s,h)=addtime(1232,0,0) refcount=4 ref=11
tun0x1003@82.140.78.50 IPIP: dir=in src=81.23.107.58 policy=192.168.1.0/24->192.168.4.0/24 flags=0x8<> life(c,s,h)=addtime(1204,0,0) refcount=4 ref=16
tun0x1004@81.23.107.58 IPIP: dir=out src=82.140.78.50 life(c,s,h)=addtime(1204,0,0) refcount=4 ref=21
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         82.140.78.49    0.0.0.0         UG        0 0          0 eth0
192.168.1.0     82.140.78.49    255.255.255.0   UG        0 0          0 ipsec0
82.140.78.48    0.0.0.0         255.255.255.252 U         0 0          0 eth0
82.140.78.48    0.0.0.0         255.255.255.252 U         0 0          0 ipsec0

root@kirza-gw:/etc# ip route ls
82.140.78.48/30 dev eth0 proto kernel scope link src 82.140.78.50
82.140.78.48/30 dev ipsec0 proto kernel scope link src 82.140.78.50
192.168.4.0/24 dev eth1 proto kernel scope link src 192.168.4.1
192.168.1.0/24 via 82.140.78.49 dev ipsec0
127.0.0.0/8 dev lo scope link
default via 82.140.78.49 dev eth0 metric 1

root@kirza-gw:/etc# ip link ls
1: lo: mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:e0:7d:8f:93:3a brd ff:ff:ff:ff:ff:ff
3: eth1: mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:30:84:3c:54:2f brd ff:ff:ff:ff:ff:ff
12: ipsec0: mtu 16260 qdisc pfifo_fast qlen 10
    link/ether 00:e0:7d:8f:93:3a brd ff:ff:ff:ff:ff:ff
13: ipsec1: mtu 0 qdisc noop qlen 10
    link/void
14: ipsec2: mtu 0 qdisc noop qlen 10
    link/void
15: ipsec3: mtu 0 qdisc noop qlen 10
    link/void

Pings don't go through :(
I'll sprain my brain soon.

-- 
Peter Teslenko