Good morning. I am setting up an IPsec VPN using ISAKMP. The scenario is:

FreeBSD (ISAKMP) -> CheckPoint

What was defined:
Phase 1: crypto AES256, hash SHA1
Phase 2: crypto AES128, hash MD5
Key = 123456
Network1 = 192.168.254.0
Network2 = 192.168.210.0
Peer FreeBSD = 100.1.1.1
Peer CheckPoint = 100.1.1.2

Analysing the packets with tcpdump, the CheckPoint sends me the following:
--------------------------------------------------------------------------------------------------
12:04:07.792500 00:19:e0:73:9b:0a > 00:00:5e:00:01:0b, ethertype IPv4 (0x0800), length 174: (tos 0x0, ttl 60, id 61431, offset 0, flags [DF], proto: UDP (17), length: 160) 100.1.1.2.500 > 100.1.1.1.500: [udp sum ok] isakmp 1.0 msgid cookie ->: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)))) (vid: len=40 f4ed19e0c114eb516faaac0ee37daf2807b4381f000000010000138d48da54a20000000018200000)
--------------------------------------------------------------------------------------------------
And FreeBSD replies:
--------------------------------------------------------------------------------------------------
11:57:35.663230 00:60:97:0c:5d:10 > 00:00:5e:00:01:0a, ethertype IPv4 (0x0800), length 82: (tos 0x0, ttl 64, id 47232, offset 0, flags [none], proto: UDP (17), length: 68) 100.1.1.1.500 > 100.1.1.2.500: [udp sum ok] isakmp 1.0 msgid cookie ->: phase 1 I inf: (n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN)
--------------------------------------------------------------------------------------------------
In the ISAKMP debug I have only the following:
--------------------------------------------------------------------------------------------------
115703.724192 Default dropped message from 100.1.1.2 port 500 due to notification type NO_PROPOSAL_CHOSEN
--------------------------------------------------------------------------------------------------
What is wrong? Here are my configurations:
--------------------------------------------------------------------------------------------------
# cat isakmpd.conf
Retransmits= 5
Exchange-max-time= 120
Listen-on= 100.1.1.1

[Phase 1]
100.1.1.2= ISAKMP-peer-checkpoint

[ISAKMP-peer-checkpoint]
Phase= 1
Transport= udp
Local-address= 100.1.1.1
Address= 100.1.1.2
Configuration= Conf-fase1
Authentication= 123456

[Phase 2]
Connections= VPN-freebsd-checkpoint

[VPN-freebsd-checkpoint]
Phase= 2
ISAKMP-peer= ISAKMP-peer-checkpoint
Configuration= Conf-fase2
Local-ID= rede-freebsd-192.168.254.0/255.255.255.0
Remote-ID= rede-checkpoint-192.168.210.0/255.255.255.0

[rede-freebsd-192.168.254.0/255.255.255.0]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.254.0
Netmask= 255.255.255.0

[rede-checkpoint-192.168.210.0/255.255.255.0]
ID-type= IPV4_ADDR_SUBNET
Network= 192.168.210.0
Netmask= 255.255.255.0

[Conf-fase1]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= CRIPTO-FASE1

[Conf-fase2]
DOI= IPSEC
EXCHANGE_TYPE= QUICK_MODE
Suites= QM-ESP-AES-MD5-PFS-SUITE

[CRIPTO-FASE1]
ENCRYPTION_ALGORITHM= AES
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRESHARED
GROUP_DESCRIPTION= modp1024
Life= TEMPO

[TEMPO]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600
--------------------------------------------------------------------------------------------------
--
Matheus Cucoloto
System Admin. Net Admin.
-------------------------
Archive: http://www.fug.com.br/historico/html/freebsd/
Leave the list: https://www.fug.com.br/mailman/listinfo/freebsd
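Added example, not part of the original post or of isakmpd: a short script that takes the single phase-1 transform Check Point offers, exactly as tcpdump printed it in the message, and compares it attribute by attribute with the transform the posted isakmpd.conf configures, so the attribute behind NO_PROPOSAL_CHOSEN stands out instead of having to be read off the hex. The mapping from tcpdump attribute names to isakmpd.conf keys, the decoding of keylen and lifeduration as hex, and treating the min:max part of LIFE_DURATION as the acceptable window are assumptions of this example; the KEY_LENGTH key itself is the one isakmpd.conf(5) documents for variable-length ciphers such as AES. The config text and the "fixed" variant are embedded, constructed inputs.

```python
"""Compare a peer's IKE phase-1 transform (as tcpdump prints it) with an
isakmpd.conf transform to see which attribute the responder cannot match.
Added example; not code from the original post or from isakmpd."""
import configparser
import re

# Transform attributes copied from the tcpdump line in the post (one proposal, one transform).
PEER_TRANSFORM = (
    "(type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)"
    "(type=auth value=preshared)(type=group desc value=modp1024)"
    "(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)"
)

# The phase-1 part of the posted isakmpd.conf, embedded here as a constructed input.
ISAKMPD_CONF = """\
[Phase 1]
100.1.1.2= ISAKMP-peer-checkpoint

[ISAKMP-peer-checkpoint]
Phase= 1
Configuration= Conf-fase1

[Conf-fase1]
DOI= IPSEC
EXCHANGE_TYPE= ID_PROT
Transforms= CRIPTO-FASE1

[CRIPTO-FASE1]
ENCRYPTION_ALGORITHM= AES
HASH_ALGORITHM= SHA
AUTHENTICATION_METHOD= PRESHARED
GROUP_DESCRIPTION= modp1024
Life= TEMPO

[TEMPO]
LIFE_TYPE= SECONDS
LIFE_DURATION= 86400,79200:93600
"""

# Same file with the attribute the peer sends but the transform lacks (assumed fix, for contrast).
FIXED_CONF = ISAKMPD_CONF.replace(
    "ENCRYPTION_ALGORITHM= AES\n", "ENCRYPTION_ALGORITHM= AES\nKEY_LENGTH= 256\n"
)

# tcpdump attribute name -> isakmpd.conf transform key. The pairing is this example's
# assumption; the right-hand names are the keys isakmpd.conf(5) documents.
ATTR_TO_KEY = {
    "enc": "ENCRYPTION_ALGORITHM",
    "keylen": "KEY_LENGTH",
    "hash": "HASH_ALGORITHM",
    "auth": "AUTHENTICATION_METHOD",
    "group desc": "GROUP_DESCRIPTION",
}
HEX_VALUED = {"keylen", "lifeduration"}  # tcpdump prints these two attribute values in hex


def parse_peer_transform(text):
    """Turn '(type=enc value=aes)(type=keylen value=0100)...' into {name: raw value}."""
    return dict(re.findall(r"\(type=(.+?) (?:len=\d+ )?value=([0-9a-z]+)\)", text))


def canon(value):
    """Fold case and spelling variants so SHA == sha1, MODP_1024 == modp1024, sec == SECONDS."""
    v = value.strip().lower().replace("_", "")
    return {"sha1": "sha", "sec": "seconds", "kb": "kilobytes"}.get(v, v)


def peer_value(name, value):
    """Decode a tcpdump attribute value into the form used in isakmpd.conf."""
    return str(int(value, 16)) if name in HEX_VALUED else canon(value)


def load_conf(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # isakmpd keys are case-sensitive; do not lower-case them
    cp.read_string(text)
    return cp


def check_phase1(conf_text, peer_ip, peer_transform):
    """Return {transform: [(conf_key, peer_value, configured_value_or_None), ...]}.

    A transform whose list is empty would accept the peer's proposal."""
    conf = load_conf(conf_text)
    peer = parse_peer_transform(peer_transform)
    cfg = conf[conf["Phase 1"][peer_ip]]["Configuration"]  # e.g. Conf-fase1
    report = {}
    for xf_name in conf[cfg]["Transforms"].split(","):
        xf_name = xf_name.strip()
        xf = conf[xf_name]
        mismatches = []
        for attr, key in ATTR_TO_KEY.items():
            if attr not in peer:
                continue
            want = peer_value(attr, peer[attr])
            have = xf.get(key)
            if have is None or canon(have) != want:
                mismatches.append((key, want, have))
        # Lifetime: "default,min:max" form; the peer's value must fall inside min..max
        # (treating that range as the acceptable window is this example's assumption).
        life = conf[xf["Life"]]
        want_type = peer_value("lifetype", peer["lifetype"])
        want_secs = int(peer_value("lifeduration", peer["lifeduration"]))
        if canon(life["LIFE_TYPE"]) != want_type:
            mismatches.append(("LIFE_TYPE", want_type, life["LIFE_TYPE"]))
        _default, _, rng = life["LIFE_DURATION"].partition(",")
        lo, _, hi = rng.partition(":")
        if rng and not int(lo) <= want_secs <= int(hi):
            mismatches.append(("LIFE_DURATION", str(want_secs), life["LIFE_DURATION"]))
        report[xf_name] = mismatches
    return report


if __name__ == "__main__":
    for label, text in (("as posted", ISAKMPD_CONF), ("with KEY_LENGTH= 256", FIXED_CONF)):
        for xf, bad in check_phase1(text, "100.1.1.2", PEER_TRANSFORM).items():
            print(f"{label}: transform {xf}: {'accepts proposal' if not bad else bad}")
```

Run against the config as posted, the only attribute without a match is the peer's keylen of 0x0100 (256 bits): CRIPTO-FASE1 carries no KEY_LENGTH, while everything else (AES, SHA-1, preshared, modp1024, an 86400 s lifetime inside 79200:93600) lines up. With KEY_LENGTH= 256 added the transform matches every attribute. The comparison deliberately folds spelling differences such as modp1024 versus MODP_1024 so that only substantive mismatches are reported; isakmpd.conf(5) spells the group MODP_1024, so the posted spelling is worth checking against the man page separately.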