Estou tentando configurar o xauth com ipsec-tools no openwrt, minhas configurações são mostradas abaixo:
cat /etc/racoon.conf:
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/cert";
listen {
adminsock disabled;
}
timer
{
natt_keepalive 10 sec;
}
remote anonymous
{
exchange_mode aggressive,main; #必须添加main,否则苹果的vpn client无法连接
initial_contact on ;
passive on ;
proposal {
encryption_algorithm aes;
hash_algorithm sha1;
authentication_method xauth_psk_server ;
dh_group 2 ;
}
proposal_check obey;
generate_policy on;
dpd_delay 20;
nat_traversal force;
ike_frag on;
esp_frag 552;
}
mode_cfg
{
network4 211.153.68.231; #VPN地址池
pool_size 4;
netmask4 255.255.255.0;
auth_source system; #使用pam作为xauth的用户认证
dns4 211.153.19.1;
pfs_group 2;
banner "/etc/racoon/motd" ;
}
sainfo anonymous
{
pfs_group 2;
lifetime time 1 hour ;
encryption_algorithm aes ;
authentication_algorithm hmac_sha1;
compression_algorithm deflate ;
}
gato /etc/setkey.conf
flush;
spdflush;
spdadd 0.0.0.0/0[0] 0.0.0.0/0[1701] udp -P out ipsec esp/transport//require;
spdadd 0.0.0.0/0[1701] 0.0.0.0/0[0] udp -P in ipsec esp/transport//require;
gato /etc/racoon/psk.txt
test test
gato /etc/racoon/motd
welcome!
gato /etc/init.d/racoon
#!/bin/sh /etc/rc.common
# Copyright (C) 2009-2011 OpenWrt.org
# Copyright (C) 2011 Artem Makhutov
START=49
SERVICE_USE_PID=1
start() {
mkdir -m 0700 -p /var/racoon
[ -f /etc/ipsec.conf ] && /usr/sbin/setkey -f /etc/setkey.conf
service_start /usr/sbin/racoon -f /etc/racoon.conf
}
stop() {
service_stop /usr/sbin/racoon
}
então ligue o servidor:
root@OpenWrt:~# setkey -f /etc/setkey.conf
root@OpenWrt:~# racoon -F -f /etc/racoon.conf
Foreground mode.
2013-09-06 15:52:19: INFO: @(#)ipsec-tools 0.8.0 (http://ipsec-tools.sourceforge.net)
2013-09-06 15:52:19: INFO: @(#)This product linked OpenSSL 1.0.1e 11 Feb 2013 (http://www.openssl.org/)
2013-09-06 15:52:19: INFO: Reading configuration from "/etc/racoon.conf"
2013-09-06 15:52:19: WARNING: /etc/racoon.conf:33: "552" Your kernel does not support esp_frag
2013-09-06 15:52:19: INFO: Resize address pool from 0 to 4
2013-09-06 15:52:19: INFO: 10.129.228.201[500] used for NAT-T
2013-09-06 15:52:19: INFO: 10.129.228.201[500] used as isakmp port (fd=6)
2013-09-06 15:52:19: INFO: 10.129.228.201[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 10.129.228.201[4500] used as isakmp port (fd=7)
2013-09-06 15:52:19: INFO: 127.0.0.0[500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.0[500] used as isakmp port (fd=8)
2013-09-06 15:52:19: INFO: 127.0.0.0[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.0[4500] used as isakmp port (fd=9)
2013-09-06 15:52:19: INFO: 127.0.0.1[500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.1[500] used as isakmp port (fd=10)
2013-09-06 15:52:19: INFO: 127.0.0.1[4500] used for NAT-T
2013-09-06 15:52:19: INFO: 127.0.0.1[4500] used as isakmp port (fd=11)
2013-09-06 15:52:19: INFO: ::1[500] used as isakmp port (fd=12)
2013-09-06 15:52:19: INFO: ::1[4500] used as isakmp port (fd=13)
2013-09-06 15:52:19: INFO: fe80::a00:27ff:fec1:5c6b[500] used as isakmp port (fd=14)
2013-09-06 15:52:19: INFO: fe80::a00:27ff:fec1:5c6b[4500] used as isakmp port (fd=15)
Eu executo ele em primeiro plano apenas para depuração, então vamos conectá-lo ao vpnc de outro sistema do ubuntu12.04.2:
liunx@ubuntu:~$ sudo vpnc
[sudo] password for liunx:
Enter IPSec gateway address: 10.129.228.201
Enter IPSec ID for 10.129.228.201: test
Enter IPSec secret for [email protected]:(test)
Enter username for 10.129.228.201: root
Enter password for [email protected]:(123456)
vpnc: authentication unsuccessful
Recebi mensagens de erro do racoon:
2013-09-06 15:55:14: INFO: respond new phase 1 negotiation: 10.129.228.201[500]<=>10.129.228.200[500]
2013-09-06 15:55:14: INFO: begin Aggressive mode.
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
2013-09-06 15:55:14: INFO: received Vendor ID: CISCO-UNITY
2013-09-06 15:55:14: INFO: received Vendor ID: RFC 3947
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-01
2013-09-06 15:55:14: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-00
2013-09-06 15:55:14: INFO: received Vendor ID: DPD
2013-09-06 15:55:14: [10.129.228.200] INFO: Selected NAT-T version: RFC 3947
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: ERROR: invalied encryption algorithm=0.
2013-09-06 15:55:14: INFO: Adding remote and local NAT-D payloads.
2013-09-06 15:55:14: [10.129.228.200] INFO: Hashing 10.129.228.200[500] with algo #2 (NAT-T forced)
2013-09-06 15:55:14: [10.129.228.201] INFO: Hashing 10.129.228.201[500] with algo #2 (NAT-T forced)
2013-09-06 15:55:14: INFO: Adding xauth VID payload.
2013-09-06 15:55:14: INFO: NAT-T: ports changed to: 10.129.228.200[4500]<->10.129.228.201[4500]
2013-09-06 15:55:14: [10.129.228.200] ERROR: notification INITIAL-CONTACT received in aggressive exchange.
2013-09-06 15:55:14: INFO: received Vendor ID: CISCO-UNITY
2013-09-06 15:55:14: INFO: NAT-D payload #0 doesn't match
2013-09-06 15:55:14: INFO: NAT-D payload #1 doesn't match
2013-09-06 15:55:14: INFO: NAT detected: ME PEER
2013-09-06 15:55:14: INFO: Sending Xauth request
2013-09-06 15:55:14: INFO: ISAKMP-SA established 10.129.228.201[4500]-10.129.228.200[4500] spi:5f0e764b2ee4a7bd:a65bc2a2089f47f3
2013-09-06 15:55:14: INFO: Using port 0
2013-09-06 15:55:14: INFO: Released port 0
2013-09-06 15:55:14: INFO: login failed for user "root"
2013-09-06 15:55:14: ERROR: Attempt to release an unallocated address (port 0)
2013-09-06 15:55:14: ERROR: mode config 6 from 10.129.228.200[4500], but we have no ISAKMP-SA.
Tenho certeza de que configurei a senha do root como "123456", mas falhei, então alguma dica?
Responder1
É o problema da senha shadow, na hora da configuração, o ipsec-tools irá detectar a senha shadow ou não do sistema, se o ipsec-tools compilar com _HAVE_SHADOW_H_, então ele não irá analisar a senha correta com a senha não shadow, então falhou, ou vice-versa. Comparei com o sistema Ubuntu, buildroot, todos funcionam bem.