1楼 发表于 2008-12-8 14:02 
基于openswan的ipsec穿越NAT的环境搭建
搭建过程:
    1)制作证书
    2)在无NAT的情况下搭建×××环境
    3)在2)的基础上搭建有NAT时的×××环境
   
    但是现在我出现的问题是ipsec不能穿越NAT,我按上面
的1)2)3)详细记录下来,请各位前辈指导! 谢谢!
    上传的附件:
      抓包解压后为:
      Snif_without_nat.cap为无NAT时的抓包
    Snif_with_nat.cap为有NAT时的抓包

[ 本帖最后由 yrff 于 2008-12-10 10:27 编辑 ]



2008-12-10 10:26
  下载次数: 19
抓包.rar (10.17 KB)
  无NAT和有NAT时的抓包


您对本贴的看法:鲜花[0] 臭蛋[0]

__________________________________

联系电子邮件:[email protected]
《开源时代》杂志频道开张!邮件订阅开通! | IBM System x嘉年华惊喜多多 | 云计算大会第二轮幸运获赠者报名中
yrff
新手




CU编号: 722579
注册:2008-6-26
最后登录: 2008-12-29
帖子: 7
精华:0

可用积分:13 (白手起家)
信誉积分:0
专家积分:0 (本版:0)
空间积分:0
推广积分:0

状态: ...离线...

[个人空间] [短信] [博客]


[ 推广获积分]
2楼 发表于 2008-12-8 14:04 
利用openssl制作证书的过程详细记录

利用openssl制作证书的过程详细记录

1:环境
   CentOS-4.4,内核版本:Linux beijing5000 2.6.9-42.EL #1 Sat Aug 12 09:17:58 CDT 2006 i686 i686 i386 GNU/Linux
   openssl版本:OpenSSL 0.9.7a Feb 19 2003
   机器的ip地址为:192.168.3.9
2:制作思想
  先生成一个根证书,然后用根证书来生成其它证书
3:制作根证书
3.1查找系统所安装openssl的位置
   #find / -name openssl.cnf
    /usr/share/ssl/openssl.cnf
   #cd /usr/share/ssl
   # ls -a
   .  ..  CA  cert.pem  certs  lib  misc  openssl.cnf  private
3.2×××的失效天数
   # vi openssl.cnf
   找到63行的default_days    = 365 ,修改为:default_days    = 3650
   这样十年才过期.
3.3修改CA脚本
   #cd misc
   # ls -a
   .  ..  CA  c_hash  c_info  c_issuer  c_name
   #vi CA
   编辑CA,把DAYS="-days 365"的365改成你希望的数值,注意要比openssl.cnf中的"default_days"要大,当时也不要太大,一般为15年到20年就好了。
   所以我改为DAYS="-days 7300"(20年)
3.4生成一个待签名的根证书,用来给其它证书进行签名认证
   #./CA -newca
   出现:
   CA certificate filename (or enter to create)
   然后回车
   出现:
   Making CA certificate ...
   Generating a 1024 bit RSA private key
   ................++++++
   .......++++++
   writing new private key to './demoCA/private/./cakey.pem'
   Enter PEM pass phrase:
   然后输入密码:root
   出现:
   Verifying - Enter PEM pass phrase:
   再输入一次密码:root
   出现:
   -----
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [GB]:
   输入:ro
   出现:
   State or Province Name (full name) [Berkshire]:
   输入:roots
   出现:
   Locality Name (eg, city) [Newbury]:
   输入:rootcity
   出现:
   Organization Name (eg, company) [My Company Ltd]:
   输入:rootorg
   出现:
   Organizational Unit Name (eg, section) []:
   输入:rootsection
   出现:
   Common Name (eg, your name or your server's hostname) []:
   输入:rootname
   出现:
   Email Address []:
   输入: [email protected]
   
3.5生成与证书相对应的crl文件
   #openssl ca -gencrl -out crl.pem
   当出现:
   Using configuration from /usr/share/ssl/openssl.cnf
   Enter pass phrase for ./demoCA/private/cakey.pem:
   输入密码:root
   #ls -a
   .  ..  CA  c_hash  c_info  c_issuer  c_name  crl.pem  demoCA
   
4:制作主机***gateway用的证书
  因为我在搭建ipsec的环境中需要两个主机分别为:***gateway和jim
  
4.1生成待签名认证的证书,默认名字为newreq.pem,输入的密码用在填写
   /etc/ipsec.secrets文件中
  #./CA -newreq
  出现:
  Generating a 1024 bit RSA private key
  ..++++++
  ..........++++++
  writing new private key to 'newreq.pem'
  Enter PEM pass phrase:
  输入:***gateway
  出现:
  Verifying - Enter PEM pass phrase:
  再输入一次密码:***gateway
  出现:
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) [GB]:
  输入:ro
  出现:
  State or Province Name (full name) [Berkshire]:
  输入:roots
  出现:
  Locality Name (eg, city) [Newbury]:
  输入:rootcity
  出现:
  Organization Name (eg, company) [My Company Ltd]:
  输入:rootorg
  出现:
  Organizational Unit Name (eg, section) []:
  输入:rootsection
  出现:
  Common Name (eg, your name or your server's hostname) []:
  输入:***gateway
  出现:
  Email Address []:
  输入: ***[email protected]
  出现:
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:
  输入:***gatewaychall
  出现:
  An optional company name []:
  输入:***gatewaycompany
  出现:Request (and private key) is in newreq.pem
  #ls -a
  .  ..  CA  c_hash  c_info  c_issuer  c_name  crl.pem  demoCA  newreq.pem
  
4.2 对生成的证书进行签名认证,默认名字为newcert.pem
  #./CA -sign
  出现:
  Using configuration from /usr/share/ssl/openssl.cnf
  Enter pass phrase for ./demoCA/private/cakey.pem:
  输入:root
  出现:
  Check that the request matches the signature
  Signature ok
  Certificate Details:
          Serial Number: 1 (0x1)
          Validity
              Not Before: Nov  6 03:42:50 2008 GMT
              Not After : Nov  4 03:42:50 2018 GMT
          Subject:
              countryName               = ro
              stateOrProvinceName       = roots
              localityName              = rootcity
              organizationName          = rootorg
              organizationalUnitName    = rootsection
              commonName                = ***gateway
              emailAddress              = ***[email protected]
          X509v3 extensions:
              X509v3 Basic Constraints:
              CA:FALSE
              Netscape Comment:
              OpenSSL Generated Certificate
              X509v3 Subject Key Identifier:
              29:B6:59:AB:F6:4C:84:50:B0:96 6:9B:30:48:65:52:E2:7B:95:70
              X509v3 Authority Key Identifier:
              keyid:6F:F8:4B:9C:A1:F4:AF:84:47:88:BE:4C:2C:A3:0F:EE:C2:07:8C:E1
              DirName:/C=ro/ST=roots/L=rootcity/O=rootorg/OU=rootsection/CN=rootname/[email protected]
              serial:00

  Certificate is to be certified until Nov  4 03:42:50 2018 GMT (3650 days)
  Sign the certificate? [y/n]:
  输入:y
  出现:
  1 out of 1 certificate requests certified, commit? [y/n]
  输入:y
  出现:
  
    Signature Algorithm: md5WithRSAEncryption
        a9:c9:0d:2e:b1:43:f4:89:b1:8e:d4:26:d1:51:1f:3c:1a:2e:
        07:2c:e9:3c:74:e7:66:6b:7a:d5:f2:65:8c:95:30:df:10:ac:
        c9:73:30:f5:97:c4:f0:7d:64:f8:a9:4a:26:da:d9:21:2b:07:
        eb:8d:e2:8b:a0:50:f3:bb:1d:a3:bf:64:d4:0b:85:1a:db:37:
        75:98:be:0f:91:81:95:4f:e8:d7:cd:6a:8a:f9:af:cf:ee:f4:
        1c:63:f9:24:e8:88:9a:a8:be:fa:e1:ad:5f:82:d3:cf:84:d0:
        1b:db:db:0d:c8:1c:30:26:bf:ea:a3:6f:91:31:68:2f:31:5e:
        38:32
-----BEGIN CERTIFICATE-----
MIIDpDCCAw2gAwIBAgIBATANBgkqhkiG9w0BAQQFADCBiDELMAkGA1UEBhMCcm8x
DjAMBgNVBAgTBXJvb3RzMREwDwYDVQQHEwhyb290Y2l0eTEQMA4GA1UEChMHcm9v
dG9yZzEUMBIGA1UECxMLcm9vdHNlY3Rpb24xETAPBgNVBAMTCHJvb3RuYW1lMRsw
GQYJKoZIhvcNAQkBFgxyb290QDE2My5jb20wHhcNMDgxMTA2MDM0MjUwWhcNMTgx
MTA0MDM0MjUwWjCBjjELMAkGA1UEBhMCbWUxDzANBgNVBAgTBm1lbGluczESMBAG
A1UEBxMJbWVsaW5jaXR5MREwDwYDVQQKEwhtZWxpbm9yZzEVMBMGA1UECxMMbWVs
aW5zZWN0aW9uMRIwEAYDVQQDEwltZWxpbm5hbWUxHDAaBgkqhkiG9w0BCQEWDW1l
bGluQDE2My5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMx/kqizL1Fw
ZFaPGYnbcypycaXd0QsfnBzJqecY84zSaci3pWxMAVI9c6M+kLrty8MgW0TozJtL
gpVz+19uqPDBDoWo7zhEAqmdWIDN6/MpysMy8LuCPKQHu53Fr8YF/inJqB8ho7Zn
Jj4MoJ4M45VNg/7ssBTrDtsOcD2w+knzAgMBAAGjggEUMIIBEDAJBgNVHRMEAjAA
MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAd
BgNVHQ4EFgQUKbZZq/ZMhFCwltabMEhlUuJ7lXAwgbUGA1UdIwSBrTCBqoAUb/hL
nKH0r4RHiL5MLKMP7sIHjOGhgY6kgYswgYgxCzAJBgNVBAYTAnJvMQ4wDAYDVQQI
EwVyb290czERMA8GA1UEBxMIcm9vdGNpdHkxEDAOBgNVBAoTB3Jvb3RvcmcxFDAS
BgNVBAsTC3Jvb3RzZWN0aW9uMREwDwYDVQQDEwhyb290bmFtZTEbMBkGCSqGSIb3
DQEJARYMcm9vdEAxNjMuY29tggEAMA0GCSqGSIb3DQEBBAUAA4GBAKnJDS6xQ/SJ
sY7UJtFRHzwaLgcs6Tx052ZretXyZYyVMN8QrMlzMPWXxPB9ZPipSiba2SErB+uN
4ougUPO7HaO/ZNQLhRrbN3WYvg+RgZVP6NfNaor5r8/u9Bxj+SToiJqovvrhrV+C
08+E0Bvb2w3IHDAmv+qjb5ExaC8xXjgy
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

    #ls -a
    .  ..  CA  c_hash  c_info  c_issuer  c_name  crl.pem  demoCA  newcert.pem  newreq.pem

4.3 认证检验一下被签名的证书
    #./CA -verify
    出现:newcert.pem: OK
4.4 重新命名文件
    #ls -a
    .  ..  CA  c_hash  c_info  c_issuer  c_name  crl.pem  demoCA  newcert.pem  newreq.pem
    #mv newcert.pem ***gateway.cert
    # ls -a
    .  ..  CA  c_hash  c_info  c_issuer  c_name  crl.pem  demoCA  ***gateway.cert  newreq.pem
    #mv newreq.pem ***gateway.key
    # ls -a
    .  ..  CA  c_hash  c_info  c_issuer  c_name  crl.pem  demoCA  ***gateway.key  ***gateway.cert
   
5:制作主机Jim用的证书   

5.1:生成待签名认证的证书,默认名字为newreq.pem,输入的密码用在填写
   /etc/ipsec.secrets文件中
   #cd /usr/share/ssl/misc
   #./CA -newreq
   出现:
   Generating a 1024 bit RSA private key
   ........++++++
   ....................................++++++
   writing new private key to 'newreq.pem'
   Enter PEM pass phrase:
   输入密码:jimpass
   出现:
   Verifying - Enter PEM pass phrase:
   再输入密码一次:jimpass
   出现:
   -----
   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [GB]:
   输入:ro
   出现:
   State or Province Name (full name) [Berkshire]:
   输入:roots
   出现:
   Locality Name (eg, city) [Newbury]:
   输入:rootcity
   出现:
   Organization Name (eg, company) [My Company Ltd]:
   输入:rootorg
   出现:
   Organizational Unit Name (eg, section) []:
   输入:rootsection
   出现:
   Common Name (eg, your name or your server's hostname) []:
   输入:jimname
   出现:
   Email Address []:
   输入: [email protected]
   出现:
   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:
   输入:jimchall
   出现:
   An optional company name []:
   输入:jimcompany
   出现:
   Request (and private key) is in newreq.pem
   #ls -a
   .  ..  CA  c_hash  c_info  c_issuer  c_name  crl.pem  demoCA  ***gateway.key  ***gateway.cert  newreq.pem
   
5.2 对生成的证书进行签名认证,默认名字为newcert.pem
  #./CA -sign
  出现:
  Using configuration from /usr/share/ssl/openssl.cnf
  Enter pass phrase for ./demoCA/private/cakey.pem:
  输入:root   
  出现:
  Check that the request matches the signature
  Signature ok
  Certificate Details:
          Serial Number: 2 (0x2)
          Validity
              Not Before: Nov  6 05:51:03 2008 GMT
              Not After : Nov  4 05:51:03 2018 GMT
          Subject:
              countryName               = ro
              stateOrProvinceName       = roots
              localityName              = rootcity
              organizationName          = rootorg
              organizationalUnitName    = rootsection
              commonName                = jimname
              emailAddress              = [email protected]
          X509v3 extensions:
              X509v3 Basic Constraints:
              CA:FALSE
              Netscape Comment:
              OpenSSL Generated Certificate
              X509v3 Subject Key Identifier:
              EF:8B:78:F0:EE:22:AE:FF:78:EE:58:E0:5E:E3:96:6D:5B:52:A7:77
              X509v3 Authority Key Identifier:
              keyid:6F:F8:4B:9C:A1:F4:AF:84:47:88:BE:4C:2C:A3:0F:EE:C2:07:8C:E1
              DirName:/C=ro/ST=roots/L=rootcity/O=rootorg/OU=rootsection/CN=rootname/[email protected]
              serial:00

  Certificate is to be certified until Nov  4 05:51:03 2018 GMT (3650 days)
  Sign the certificate? [y/n]:
  输入:y
  出现:
  1 out of 1 certificate requests certified, commit? [y/n]
  输入:y
  出现:
      Signature Algorithm: md5WithRSAEncryption
        06:ed:87:1c:74:db:4a:e9:04:f9:80:6f:03:53:21:28:fd:4d:
        ae:a8:f1:b5:b2:2a:dd:e3:bc:a0:41:b7:53:b7:8b:a5:4b:6c:
        7e:a1:ea:29:48:16:d6:87:85:ed:a6:a2:a6:ed:59:14:dc:e2:
        67:7c:ab:54:ff:bc:f8:e1:b5:7e:64:58:df:c1:8b:44:50:cc:
        87:43:6f:8c:e9:3d:c3:53:21:f3:85:fa:a8:10:68:14:23:ad:
        1d:de:f3:89:c1:18:85:28:97:d2:39:a9:5a:cf:31:a1:2d:2c:
        95:9c:19:b4:0f:ac:ad:8b:25:2c:3a:9a:1d:8e:ae:73:71:bb:
        87:de
-----BEGIN CERTIFICATE-----
MIIDpDCCAw2gAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBiDELMAkGA1UEBhMCcm8x
DjAMBgNVBAgTBXJvb3RzMREwDwYDVQQHEwhyb290Y2l0eTEQMA4GA1UEChMHcm9v
dG9yZzEUMBIGA1UECxMLcm9vdHNlY3Rpb24xETAPBgNVBAMTCHJvb3RuYW1lMRsw
GQYJKoZIhvcNAQkBFgxyb290QDE2My5jb20wHhcNMDgxMTA2MDU1MTAzWhcNMTgx
MTA0MDU1MTAzWjCBjjELMAkGA1UEBhMCcmkxDzANBgNVBAgTBnJpZ2h0czESMBAG
A1UEBxMJcmlnaHRjaXR5MREwDwYDVQQKEwhyaWdodG9yZzEVMBMGA1UECxMMcmln
aHRzZWN0aW9uMRIwEAYDVQQDEwlyaWdodG5hbWUxHDAaBgkqhkiG9w0BCQEWDXJp
Z2h0QDE2My5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKJm4Pby0OOu
NICikvCuEfjZDazxSuA2rLYvh06+Q02aeCuxh1jtyxKAbVqmNnP7/UEOveR0SRKN
pgnVer4JATGBzj22JPdglJ5xiKJCj2U91fTkWvdSlvvZd58iWuC9g6pGGLwBI2JY
lw25UGUik1yMz/VN6O42mQLAMJHdB6ozAgMBAAGjggEUMIIBEDAJBgNVHRMEAjAA
MCwGCWCGSAGG+EIBDQQfFh1PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAd
BgNVHQ4EFgQU74t48O4irv947ljgXuOWbVtSp3cwgbUGA1UdIwSBrTCBqoAUb/hL
nKH0r4RHiL5MLKMP7sIHjOGhgY6kgYswgYgxCzAJBgNVBAYTAnJvMQ4wDAYDVQQI
EwVyb290czERMA8GA1UEBxMIcm9vdGNpdHkxEDAOBgNVBAoTB3Jvb3RvcmcxFDAS
BgNVBAsTC3Jvb3RzZWN0aW9uMREwDwYDVQQDEwhyb290bmFtZTEbMBkGCSqGSIb3
DQEJARYMcm9vdEAxNjMuY29tggEAMA0GCSqGSIb3DQEBBAUAA4GBAAbthxx020rp
BPmAbwNTISj9Ta6o8bWyKt3jvKBBt1O3i6VLbH6h6ilIFtaHhe2moqbtWRTc4md8
q1T/vPjhtX5kWN/Bi0RQzIdDb4zpPcNTIfOF+qgQaBQjrR3e84nBGIUol9I5qVrP
MaEtLJWcGbQPrK2LJSw6mh2OrnNxu4fe
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

5.3 认证检验一下被签名的证书
    #./CA -verify
    出现:newcert.pem: OK
   
5.4 重新命名文件
   #ls -a
   .  ..  CA  c_hash  c_info  c_issuer  c_name  crl.pem  demoCA  ***gateway.key  ***gateway.cert  newcert.pem  newreq.pem
   #mv newcert.pem jim.cert
   #ls -a
   .  ..  CA  c_hash  c_info  c_issuer  c_name  crl.pem  demoCA  ***gateway.key  ***gateway.cert  newreq.pem  jim.cert
   #mv newreq.pem jim.key
   #ls -a
   .  ..  CA  c_hash  c_info  c_issuer  c_name  crl.pem  demoCA  ***gateway.key  ***gateway.cert  jim.key  jim.cert



您对本贴的看法:鲜花[0] 臭蛋[0]

__________________________________

联系电子邮件:[email protected]
《开源时代》杂志频道开张!邮件订阅开通! | IBM System x嘉年华惊喜多多 | 云计算大会第二轮幸运获赠者报名中
yrff
新手




CU编号: 722579
注册:2008-6-26
最后登录: 2008-12-29
帖子: 7
精华:0

可用积分:13 (白手起家)
信誉积分:0
专家积分:0 (本版:0)
空间积分:0
推广积分:0

状态: ...离线...

[个人空间] [短信] [博客]


[ 推广获积分]
3楼 发表于 2008-12-8 14:05 
基于openswan的×××环境(无NAT)的搭建

基于openswan的×××环境(无NAT)的搭建


1:在两台用HUB连接的机器上分别安装openswan-2.4.7;
  这两台机器的IP地址分别为:
  192.168.3.9和192.168.3.33
  网络拓扑图为:
        ***gateway<--------->HUB<-------|------->jim
      eth0:192.168.1.25                          eth0:192.168.3.33
      eth1:192.168.3.9
      其中192.168.3.9和192.168.3.33通过HUB连接起来
1.1openswan-2.4.7安装过程
    假设openswan-2.4.7.tar.gz已经放在 /usr/src/目录下
    #tar xzfv openswan-2.4.7.tar.gz
    #cd openswan-2.4.7
    #make programs
    #make install
    #cd /etc/
    #vi sysctl.conf
    编辑为:
        # Kernel sysctl configuration file for Red Hat Linux
        #
        # For binary values, 0 is disabled, 1 is enabled.  See sysctl( and
        # sysctl.conf(5) for more details.
                     
        # Controls IP packet forwarding
        net.ipv4.ip_forward = 1
                                 
        # Controls source route verification
        net.ipv4.conf.default.rp_filter = 0

        # Do not accept source routing
        net.ipv4.conf.default.accept_source_route = 0

        # Controls the System Request debugging functionality of the kernel
        kernel.sysrq = 0

        # Controls whether core dumps will

        # Useful for debugging multi-threaded applications.
        kernel.core_uses_pid = 1

        net.ipv4.conf.all.send_redirects=0
        net.ipv4.conf.default.send_redirects=0

        net.ipv4.conf.all.accept_redirects=0
        net.ipv4.conf.default.accept_redirects=0
    继续执行下面的命令
    #sysctl -p
    #modprobe iptable_nat
    #service ipsec start                    
                                               
2:检验是否安装好

[root@shanghai5000 /]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.4.7/K2.6.9-42.ELsmp (netkey)
Checking for IPsec support in kernel                            [OK]
NETKEY detected, testing for disabled ICMP send_redirects       [OK]
NETKEY detected, testing for disabled ICMP accept_redirects     [OK]
Checking for RSA private key (/etc/ipsec.secrets)               [OK]
Checking that pluto is running                                  [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
[root@shanghai5000 /]#

3: openswan主要配置文件

/etc/ipsec.secrets                 用来保存private RSA keys 和 preshared secrets (PSKs)
/etc/ipsec.conf                    配置文件(settings, options, defaults, connections)

4: openswan主要配置目录
/etc/ipsec.d/cacerts               存放X.509认证证书(根证书-"root certificates")
/etc/ipsec.d/certs                 存放X.509客户端证书(X.509 client Certificates)
/etc/ipsec.d/private               存放X.509认证私钥(X.509 Certificate private keys)
/etc/ipsec.d/crls                  存放X.509证书撤消列表(X.509 Certificate Revocation Lists)
/etc/ipsec.d/ocspcerts             存放X.500 OCSP证书(Online Certificate Status Protocol certificates)
/etc/ipsec.d/passwd                XAUTH密码文件(XAUTH password file)
/etc/ipsec.d/policies              存放Opportunistic Encryption策略组(The Opportunistic Encryption policy groups

5: 复制相关证书文件到指定目录
  在***gateway(192.168.3.9)机器上
  #cd /usr/share/ssl/misc/
  #cp demoCA/cacert.pem /etc/ipsec.d/cacerts      存放根证书
  #cp ***gateway.cert /etc/ipsec.d/certs          存放客户端证书
  #cp ***gateway.key /etc/ipsec.d/private         存放认证私钥
  #cp crl.pem /etc/ipsec.d/crls    存放X.509证书撤消列表(X.509 Certificate Revocation Lists)

  
6: SCP相关证书文件到Jim(192.168.3.33)机器上
  #cd /usr/share/ssl/misc/
  #scp demoCA/cacert.pem [email protected]:/etc/ipsec.d/cacerts  存放根证书
  #scp ***gateway.cert [email protected]:/etc/ipsec.d/certs      存放客户端证书
  #scp ***gateway.key [email protected]:/etc/ipsec.d/private/    存放认证私钥
  #scp crl.pem [email protected]:/etc/ipsec.d/crls/   存放X.509证书撤消列表(X.509 Certificate Revocation Lists)
  在jim(192.168.3.33)机器上除了上面三个文件要有外,还需要通过SCP得到下面的文件
  #scp jim.cert [email protected]:/etc/ipsec.d/certs             存放客户端证书
  #scp jim.key [email protected]:/etc/ipsec.d/private/           存放认证私钥

  
  
7:***gateway(192.168.3.9)机器上的ipsec.conf文件内容

[root@shanghai5000 etc]# more ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.0.0/24
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0

# Add connections here
conn %default
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn road
        left=192.168.3.9
        leftcert=***gateway.cert
        leftsubnet=192.168.1.0/24
        right=%any
        auto=add

# sample ××× connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf





8: jim(192.168.3.33)机器上的ipsec.conf文件为:
[root@beijing5000 etc]# more ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.0.0/24
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0

# Add connections here

conn %default
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn road
        left=192.168.3.33
        leftcert=jim.cert
        right=192.168.3.9
        rightcert=***gateway.cert
        rightsubnet=192.168.1.0/24
        auto=add

# sample ××× connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

9:给***gateway(192.168.3.9)机器上的ipsec.secrets文件最后一行添加如下内容
: RSA /etc/ipsec.d/private/***gateway.key "***gateway"

10:给jim(192.168.3.33)机器上的ipsec.secrets文件后面最后一行添加下面内容
: RSA /etc/ipsec.d/private/jim.key "jimpass"

11:在192.168.3.33的机器上ping另一个机器(192.168.3.9)的另一个网卡:192.168.1.25
   经检测ping不通
12:在jim(192.168.3.33)机器上执行下列命令进行ipsec连接
root@beijing5000 /]# ipsec auto --up road
104 "road" #1: STATE_MAIN_I1: initiate
003 "road" #1: received Vendor ID payload [Openswan (this version) 2.4.7  PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "road" #1: received Vendor ID payload [Dead Peer Detection]
106 "road" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "road" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "road" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "road" #2: STATE_QUICK_I1: initiate
004 "road" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0xe604ad5f <0x942094db xfrm=AES_0-HMAC_SHA1 IPCOMP=>0x0000e2ba <0x0000bf01 NATD=none DPD=none}
[root@beijing5000 /]#
13:按照11步的做法ping 192.168.1.25
   经检测可以ping通
14:在13步ping的过程中用Sniffer进行抓包发现通过的是ESP包.



您对本贴的看法:鲜花[0] 臭蛋[0]

__________________________________

联系电子邮件:[email protected]
《开源时代》杂志频道开张!邮件订阅开通! | IBM System x嘉年华惊喜多多 | 云计算大会第二轮幸运获赠者报名中
yrff
新手




CU编号: 722579
注册:2008-6-26
最后登录: 2008-12-29
帖子: 7
精华:0

可用积分:13 (白手起家)
信誉积分:0
专家积分:0 (本版:0)
空间积分:0
推广积分:0

状态: ...离线...

[个人空间] [短信] [博客]


[ 推广获积分]
4楼 发表于 2008-12-8 14:07 
尝试ipsec穿越NAT

尝试ipsec穿越NAT
                                                     
1:网络拓扑图为:
        ***gateway<--------->Router<-------|------->jim
      eth0:192.168.1.25      WAN  LAN               eth0:192.168.3.33
      eth1:192.168.0.22
      其中:WAN:192.168.0.1
            LAN:192.168.3.1
            Router型号:Aolynk BR204+
                       内核版本 BR204+V100R008
                       应用程序版本 BR204+V100R008
                       编译时间 Mon, 13 Aug 2007 10:46:13 +0800
                       引导器版本 V1.0.1
                       硬件版本 V1.0.1
            把路由器的上网络控制-->访问控制-->里的端口全部打开(ip地址和时间设置好,端口号选择为1到65535,协议选择为ALL,操作选择为允许)
                       系统服务-->管理-->把响应来自WAN口的ping请求和关闭防火墙前面方框点为对号。

2:192.168.0.22机器上的ipsec.conf文件为
[root@shanghai5000 etc]# more ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.0.0/24
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0

# Add connections here
conn %default
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn road
        left=192.168.0.22
        leftcert=***gateway.cert
        leftsubnet=192.168.1.0/24
        right=%any
        auto=add

# sample ××× connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

3:192.168.3.33机器上的ipsec.conf文件为
[root@beijing5000 etc]# more ipsec.conf
# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id: ipsec.conf.in,v 1.15.2.6 2006/10/19 03:49:46 paul Exp $

# This file:  /usr/local/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        interfaces=%defaultroute
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 private"
        # eg: plutodebug="control parsing"
        #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.0.0/24
        #
        # enable this if you see "failed to find any available worker"
        nhelpers=0

# Add connections here

conn %default
        compress=yes
        authby=rsasig
        leftrsasigkey=%cert
        rightrsasigkey=%cert

conn road
        left=192.168.3.33
        leftcert=jim.cert
        right=192.168.0.22
        rightcert=***gateway.cert
        rightsubnet=192.168.1.0/24
        auto=add

# sample ××× connections, see /etc/ipsec.d/examples/

#Disable Opportunistic Encryption
include /etc/ipsec.d/examples/no_oe.conf

4:在jim(192.168.3.33)机器上执行下列命令进行ipsec连接
[root@beijing5000 /]# ipsec auto --up road
104 "road" #1: STATE_MAIN_I1: initiate
003 "road" #1: received Vendor ID payload [Openswan (this version) 2.4.7  PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
003 "road" #1: received Vendor ID payload [Dead Peer Detection]
003 "road" #1: received Vendor ID payload [RFC 3947] method set to=110
106 "road" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "road" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "road" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "road" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
117 "road" #2: STATE_QUICK_I1: initiate
010 "road" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "road" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "road" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "road" #2: starting keying attempt 2 of an unlimited number, but releasing whack
[root@beijing5000 /]#

5:192.168.3.33机器上的日志为

Dec  2 17:12:11 beijing5000 ipsec__plutorun: Starting Pluto subsystem...
Dec  2 17:12:11 beijing5000 pluto[8349]: Starting Pluto (Openswan Version 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEZ
~BaB]r\134p_)
Dec  2 17:12:11 beijing5000 pluto[8349]: Setting NAT-Traversal port-4500 floating to on
Dec  2 17:12:11 beijing5000 pluto[8349]:    port floating activation criteria nat_t=1/port_fload=1
Dec  2 17:12:11 beijing5000 pluto[8349]:   including NAT-Traversal patch (Version 0.6c)
Dec  2 17:12:11 beijing5000 pluto[8349]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec  2 17:12:11 beijing5000 pluto[8349]: no helpers will be started, all cryptographic operations will be done inline
Dec  2 17:12:11 beijing5000 pluto[8349]: Using NETKEY IPsec interface code on 2.6.9-42.EL
Dec  2 17:12:11 beijing5000 pluto[8349]: Changing to directory '/etc/ipsec.d/cacerts'
Dec  2 17:12:11 beijing5000 pluto[8349]:   loaded CA cert file 'cacert.pem' (1253 bytes)
Dec  2 17:12:11 beijing5000 pluto[8349]: Changing to directory '/etc/ipsec.d/aacerts'
Dec  2 17:12:11 beijing5000 pluto[8349]: Changing to directory '/etc/ipsec.d/ocspcerts'
Dec  2 17:12:11 beijing5000 pluto[8349]: Changing to directory '/etc/ipsec.d/crls'
Dec  2 17:12:11 beijing5000 pluto[8349]:   loaded crl file 'crl.pem' (508 bytes)
Dec  2 17:12:11 beijing5000 pluto[8349]:   loaded host cert file '/etc/ipsec.d/certs/jim.cert' (3581 bytes)
Dec  2 17:12:11 beijing5000 pluto[8349]:   loaded host cert file '/etc/ipsec.d/certs/***gateway.cert' (3603 bytes)
Dec  2 17:12:11 beijing5000 pluto[8349]: added connection description "road"
Dec  2 17:12:11 beijing5000 pluto[8349]: listening for IKE messages
Dec  2 17:12:11 beijing5000 pluto[8349]: adding interface eth1/eth1 192.168.3.33:500
Dec  2 17:12:11 beijing5000 pluto[8349]: adding interface eth1/eth1 192.168.3.33:4500
Dec  2 17:12:11 beijing5000 pluto[8349]: adding interface lo/lo 127.0.0.1:500
Dec  2 17:12:11 beijing5000 pluto[8349]: adding interface lo/lo 127.0.0.1:4500
Dec  2 17:12:11 beijing5000 pluto[8349]: adding interface lo/lo ::1:500
Dec  2 17:12:11 beijing5000 pluto[8349]: loading secrets from "/etc/ipsec.secrets"
Dec  2 17:12:11 beijing5000 pluto[8349]:   loaded private key file '/etc/ipsec.d/private/jim.key' (1728 bytes)
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #1: initiating Main Mode
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #1: received Vendor ID payload [Openswan (this version) 2.4.7  PLUTO_SENDS_VENDORID
PLUTO_USES_KEYRR]
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #1: received Vendor ID payload [Dead Peer Detection]
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #1: received Vendor ID payload [RFC 3947] method set to=110
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #1: I am sending my cert
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #1: I am sending a certificate request
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=ro, ST=roots, L=rootcity, O=rootorg, OU=
rootsection, CN=***gateway, E=***[email protected]'
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc
_192 prf=oakley_md5 group=modp1536}
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #2: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP {using isakmp#1}
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #1: ignoring informational payload, type INVALID_ID_INFORMATION
Dec  2 17:12:31 beijing5000 pluto[8349]: "road" #1: received and ignored informational message
Dec  2 17:12:41 beijing5000 pluto[8349]: "road" #1: ignoring informational payload, type INVALID_MESSAGE_ID
Dec  2 17:12:41 beijing5000 pluto[8349]: "road" #1: received and ignored informational message
Dec  2 17:13:01 beijing5000 pluto[8349]: "road" #1: ignoring informational payload, type INVALID_MESSAGE_ID
Dec  2 17:13:01 beijing5000 pluto[8349]: "road" #1: received and ignored informational message
Dec  2 17:13:41 beijing5000 pluto[8349]: "road" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable respons
e to our first Quick Mode message: perhaps peer likes no proposal
Dec  2 17:13:41 beijing5000 pluto[8349]: "road" #2: starting keying attempt 2 of an unlimited number, but releasing whack
Dec  2 17:13:41 beijing5000 pluto[8349]: "road" #3: initiating Quick Mode RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP to replace #2 {using
isakmp#1}
Dec  2 17:13:41 beijing5000 pluto[8349]: "road" #1: ignoring informational payload, type INVALID_ID_INFORMATION
Dec  2 17:13:41 beijing5000 pluto[8349]: "road" #1: received and ignored informational message
Dec  2 17:13:51 beijing5000 pluto[8349]: "road" #1: ignoring informational payload, type INVALID_MESSAGE_ID
Dec  2 17:13:51 beijing5000 pluto[8349]: "road" #1: received and ignored informational message

6:192.168.0.22机器上的日志文件

Dec  2 10:59:50 shanghai5000 ipsec__plutorun: Starting Pluto subsystem...
Dec  2 10:59:50 shanghai5000 pluto[12365]: Starting Pluto (Openswan Version 2.4.7 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OEZ~BaB]r\134p_)
Dec  2 10:59:50 shanghai5000 pluto[12365]: Setting NAT-Traversal port-4500 floating to on
Dec  2 10:59:50 shanghai5000 pluto[12365]:    port floating activation criteria nat_t=1/port_fload=1
Dec  2 10:59:50 shanghai5000 pluto[12365]:   including NAT-Traversal patch (Version 0.6c)
Dec  2 10:59:50 shanghai5000 pluto[12365]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Dec  2 10:59:50 shanghai5000 pluto[12365]: no helpers will be started, all cryptographic operations will be done inline
Dec  2 10:59:50 shanghai5000 pluto[12365]: Using NETKEY IPsec interface code on 2.6.9-42.ELsmp
Dec  2 10:59:51 shanghai5000 pluto[12365]: Changing to directory '/etc/ipsec.d/cacerts'
Dec  2 10:59:51 shanghai5000 pluto[12365]:   loaded CA cert file 'cacert.pem' (1253 bytes)
Dec  2 10:59:51 shanghai5000 pluto[12365]: Changing to directory '/etc/ipsec.d/aacerts'
Dec  2 10:59:51 shanghai5000 pluto[12365]: Changing to directory '/etc/ipsec.d/ocspcerts'
Dec  2 10:59:51 shanghai5000 pluto[12365]: Changing to directory '/etc/ipsec.d/crls'
Dec  2 10:59:51 shanghai5000 pluto[12365]:   loaded crl file 'crl.pem' (508 bytes)
Dec  2 10:59:51 shanghai5000 pluto[12365]:   loaded host cert file '/etc/ipsec.d/certs/***gateway.cert' (3603 bytes)
Dec  2 10:59:51 shanghai5000 pluto[12365]: added connection description "road"
Dec  2 10:59:51 shanghai5000 pluto[12365]: listening for IKE messages
Dec  2 10:59:51 shanghai5000 pluto[12365]: adding interface eth1/eth1 192.168.0.22:500
Dec  2 10:59:51 shanghai5000 pluto[12365]: adding interface eth1/eth1 192.168.0.22:4500
Dec  2 10:59:51 shanghai5000 pluto[12365]: adding interface eth0/eth0 192.168.1.25:500
Dec  2 10:59:51 shanghai5000 pluto[12365]: adding interface eth0/eth0 192.168.1.25:4500
Dec  2 10:59:51 shanghai5000 pluto[12365]: adding interface lo/lo 127.0.0.1:500
Dec  2 10:59:51 shanghai5000 pluto[12365]: adding interface lo/lo 127.0.0.1:4500
Dec  2 10:59:51 shanghai5000 pluto[12365]: adding interface lo/lo ::1:500
Dec  2 10:59:51 shanghai5000 pluto[12365]: loading secrets from "/etc/ipsec.secrets"
Dec  2 10:59:51 shanghai5000 pluto[12365]:   loaded private key file '/etc/ipsec.d/private/***gateway.key' (1761 bytes)
Dec  2 10:59:58 shanghai5000 pluto[12365]: packet from 192.168.0.1:500: received Vendor ID payload [Openswan (this version) 2.4.7  PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR]
Dec  2 10:59:58 shanghai5000 pluto[12365]: packet from 192.168.0.1:500: received Vendor ID payload [Dead Peer Detection]
Dec  2 10:59:58 shanghai5000 pluto[12365]: packet from 192.168.0.1:500: received Vendor ID payload [RFC 3947] method set to=110
Dec  2 10:59:58 shanghai5000 pluto[12365]: packet from 192.168.0.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 110
Dec  2 10:59:58 shanghai5000 pluto[12365]: packet from 192.168.0.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 110
Dec  2 10:59:58 shanghai5000 pluto[12365]: packet from 192.168.0.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 110
Dec  2 10:59:58 shanghai5000 pluto[12365]: packet from 192.168.0.1:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Dec  2 10:59:58 shanghai5000 pluto[12365]: "road"[1] 192.168.0.1 #1: responding to Main Mode from unknown peer 192.168.0.1
Dec  2 10:59:58 shanghai5000 pluto[12365]: "road"[1] 192.168.0.1 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Dec  2 10:59:58 shanghai5000 pluto[12365]: "road"[1] 192.168.0.1 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Dec  2 10:59:58 shanghai5000 pluto[12365]: "road"[1] 192.168.0.1 #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): peer is NATed
Dec  2 10:59:58 shanghai5000 pluto[12365]: "road"[1] 192.168.0.1 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Dec  2 10:59:58 shanghai5000 pluto[12365]: "road"[1] 192.168.0.1 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Dec  2 10:59:58 shanghai5000 pluto[12365]: "road"[1] 192.168.0.1 #1: Main mode peer ID is ID_DER_ASN1_DN: 'C=ro, ST=roots, L=rootcity, O=rootorg, OU=rootsection, CN=jimname, [email protected]'
Dec  2 10:59:58 shanghai5000 pluto[12365]: "road"[1] 192.168.0.1 #1: switched from "road" to "road"
Dec  2 10:59:58 shanghai5000 pluto[12365]: "road"[2] 192.168.0.1 #1: deleting connection "road" instance with peer 192.168.0.1 {isakmp=#0/ipsec=#0}
Dec  2 10:59:58 shanghai5000 pluto[12365]: "road"[2] 192.168.0.1 #1: I am sending my cert
Dec  2 10:59:58 shanghai5000 pluto[12365]: "road"[2] 192.168.0.1 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Dec  2 10:59:58 shanghai5000 pluto[12365]: | NAT-T: new mapping 192.168.0.1:500/4500)
Dec  2 10:59:58 shanghai5000 pluto[12365]: "road"[2] 192.168.0.1 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_md5 group=modp1536}
Dec  2 10:59:58 shanghai5000 pluto[12365]: "road"[2] 192.168.0.1 #1: cannot respond to IPsec SA request because no connection is known for 192.168.1.0/24===192.168.0.22[C=ro, ST=roots, L=rootcity, O=rootorg, OU=rootsection, CN=***gateway, E=***[email protected]]...192.168.0.1[C=ro, ST=roots, L=rootcity, O=rootorg, OU=rootsection, CN=jimname, [email protected]]===192.168.3.33/32
Dec  2 10:59:58 shanghai5000 pluto[12365]: "road"[2] 192.168.0.1 #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.0.1:4500
Dec  2 11:00:08 shanghai5000 pluto[12365]: "road"[2] 192.168.0.1 #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x2080082e (perhaps this is a duplicated packet)
Dec  2 11:00:08 shanghai5000 pluto[12365]: "road"[2] 192.168.0.1 #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.0.1:4500



您对本贴的看法:鲜花[0] 臭蛋[0]

__________________________________

联系电子邮件:[email protected]
《开源时代》杂志频道开张!邮件订阅开通! | IBM System x嘉年华惊喜多多 | 云计算大会第二轮幸运获赠者报名中
wenzk   
版主-大天使




CU编号: 140675
注册:2004-3-9
最后登录: 2009-05-14
帖子: 1678
精华: 4

可用积分:1053 (家境小康)
信誉积分:100
专家积分:0 (本版:0)
空间积分:0
推广积分:10

来自:辽宁沈阳
状态: ...离线...

[个人空间] [短信] [博客]


[ 推广获积分]
5楼 发表于 2008-12-12 08:30 
有空仔细看看:)



您对本贴的看法:鲜花[0] 臭蛋[0]

__________________________________

我没有专长
我要虚心学习
用事实证明一切
http://www.wenzk.net
http://imysql.cn
http://ELM.FreeTCP.COM
http://www.qinbang.cn
《开源时代》杂志频道开张!邮件订阅开通! | IBM System x嘉年华惊喜多多 | 云计算大会第二轮幸运获赠者报名中
smartlinux
光明使者




CU编号: 82582
注册:2003-8-11
最后登录: 2009-05-12
帖子: 762
精华:0

可用积分:1973 (家境小康)
信誉积分:100
专家积分:30 (本版:30)
空间积分:0
推广积分:0

状态: ...离线...

[个人空间] [短信] [博客]


[ 推广获积分]
6楼 发表于 2008-12-12 10:36 
从日志的最后看,你两边的保护子网配置的不一致啊