
I have been tearing my hair out in frustration for far too long and have come to the conclusion that Serverfault might be able to help. Can anyone explain this?
I have reinstalled OpenSwan/IPSec with purge several times, regenerated the keys and tried everything I could think of.
Server 1
[root@db1 ipsec.d]# ipsec auto --add db-to-db
conn 'db-to-db': not found (tried aliases)
[root@db1 ipsec.d]# cat /etc/ipsec.d/db1.conf
conn db-to-db
left=10.0.10.61
leftid=@db1
leftrsasigkey=0sAQO...co9sz
leftnexthop=%defaultroute
right=10.0.10.62
rightid=@db2
rightrsasigkey=0sAQP...7iex3cd
rightnexthop=%defaultroute
authby=rsasig
auto=start
[root@db1 ipsec.d]# tail /var/log/secure
Oct 17 06:56:51 db1 pluto[1567]: packet from 10.0.10.62:500: received Vendor ID payload [Openswan (this version) 2.6.32 ]
Oct 17 06:56:51 db1 pluto[1567]: packet from 10.0.10.62:500: received Vendor ID payload [Dead Peer Detection]
Oct 17 06:56:51 db1 pluto[1567]: packet from 10.0.10.62:500: received Vendor ID payload [RFC 3947] method set to=109
Oct 17 06:56:51 db1 pluto[1567]: packet from 10.0.10.62:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Oct 17 06:56:51 db1 pluto[1567]: packet from 10.0.10.62:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Oct 17 06:56:51 db1 pluto[1567]: packet from 10.0.10.62:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Oct 17 06:56:51 db1 pluto[1567]: packet from 10.0.10.62:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Oct 17 06:56:51 db1 pluto[1567]: packet from 10.0.10.62:500: initial Main Mode message received on 10.0.10.61:500 but no connection has been authorized with policy=RSASIG
Server 2
[root@db2 ipsec.d]# ipsec auto --add db-to-db
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root@db2 ipsec.d]# cat /etc/ipsec.d/db2.conf
conn db-to-db
left=10.0.10.61
leftid=@db1
leftrsasigkey=0sAQO....co9sz
leftnexthop=%defaultroute
right=10.0.10.62
rightid=@db2
rightrsasigkey=0sAQP...7iex3cd
rightnexthop=%defaultroute
authby=rsasig
auto=start
[root@db2 ipsec.d]# tail /var/log/secure
Oct 17 06:35:04 db2 pluto[4514]: initiate on demand from 10.0.10.62:3306 to 10.0.10.61:34007 proto=6 state: fos_start because: acquire
Oct 17 06:35:06 db2 pluto[4514]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.0.10.61 port 500, complainant 10.0.10.61: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Oct 17 06:35:46 db2 pluto[4514]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.0.10.61 port 500, complainant 10.0.10.61: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Oct 17 06:36:26 db2 pluto[4514]: "db-to-db" #1: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Oct 17 06:36:26 db2 pluto[4514]: "db-to-db" #1: starting keying attempt 2 of an unlimited number
Oct 17 06:36:26 db2 pluto[4514]: "db-to-db" #2: initiating Main Mode to replace #1
I would be very grateful for any answer, thank you.
Answer 1
Solved by not being completely stupid. Remove the comment character from this line in /etc/ipsec.conf
#include /etc/ipsec.d/*.conf
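The failure above has two independent halves: the conn is defined in a file under /etc/ipsec.d, but /etc/ipsec.conf never pulls that directory in, so "ipsec auto --add" cannot find it and the responder refuses the peer's Main Mode with "no connection has been authorized". The script below is an added example, not part of the original question or answer, that checks both conditions and reports which one is missing. It assumes the standard Openswan layout (/etc/ipsec.conf plus /etc/ipsec.d/*.conf); the ROOT argument lets the same check run against a constructed copy of that layout, and the make_sample helper builds such a copy with the post's conn name and addresses (keys omitted, values constructed here).

```shell
#!/bin/sh
# Added example (not from the original post): verify that an Openswan conn
# is both defined under ipsec.d and actually reachable from ipsec.conf.
# ROOT is a path prefix; empty means the live system, a temp dir means a
# constructed sample. Layout assumed: ROOT/etc/ipsec.conf, ROOT/etc/ipsec.d/.

# ipsec_include_active ROOT
# 0 if ROOT/etc/ipsec.conf has an UNCOMMENTED "include /etc/ipsec.d/*.conf".
ipsec_include_active() {
    grep -Eq '^[[:space:]]*include[[:space:]]+/etc/ipsec\.d/\*\.conf' \
        "$1/etc/ipsec.conf"
}

# conn_defined NAME ROOT
# 0 if some ROOT/etc/ipsec.d/*.conf file starts a "conn NAME" section.
conn_defined() {
    grep -Eq '^[[:space:]]*conn[[:space:]]+'"$1"'([[:space:]]|$)' \
        "$2"/etc/ipsec.d/*.conf 2>/dev/null
}

# diagnose NAME [ROOT]
# Prints a verdict. Returns 0 when the conn is defined and included,
# 1 when it is not defined anywhere, 2 when it is defined but the
# include line in ipsec.conf is missing or commented out (the post's bug).
diagnose() {
    name=$1
    root=${2:-}
    if ! conn_defined "$name" "$root"; then
        echo "conn '$name': not defined in $root/etc/ipsec.d/*.conf"
        return 1
    fi
    if ! ipsec_include_active "$root"; then
        echo "conn '$name': defined, but $root/etc/ipsec.conf does not include /etc/ipsec.d/*.conf (commented out?)"
        return 2
    fi
    echo "conn '$name': defined and included"
    return 0
}

# make_sample broken|fixed
# Builds a constructed ROOT that mirrors the post: db-to-db lives in
# ipsec.d/db1.conf, and ipsec.conf either comments out the include
# line (broken) or leaves it active (fixed). Prints the ROOT path.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/etc/ipsec.d"
    # same conn as in the question; RSA keys deliberately left out here
    printf 'conn db-to-db\n\tleft=10.0.10.61\n\tleftid=@db1\n\tright=10.0.10.62\n\trightid=@db2\n\tauthby=rsasig\n\tauto=start\n' \
        > "$root/etc/ipsec.d/db1.conf"
    if [ "$1" = fixed ]; then
        inc='include /etc/ipsec.d/*.conf'
    else
        inc='#include /etc/ipsec.d/*.conf'
    fi
    printf 'config setup\n\n%s\n' "$inc" > "$root/etc/ipsec.conf"
    echo "$root"
}

# Demonstration on the two constructed samples (errors are expected on the
# broken one, so the exit status is swallowed).
demo_root=$(make_sample broken)
diagnose db-to-db "$demo_root" || :
demo_root=$(make_sample fixed)
diagnose db-to-db "$demo_root" || :
```

On a real host run `diagnose db-to-db` with no ROOT argument; a return code of 2 is exactly the situation in the answer, and the fix is to uncomment the include line rather than to regenerate keys or reinstall packages.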