Ilya_ Posted December 13, 2021 (edited)

Good afternoon. Is it possible to specify my own crypto map for a Gre interface? Two routers with public IPs; plain GRE (without IPsec) comes up without any problem, but with IPsec the third part of phase one does not go through.

Config on the Keenetic:

    !
    interface Gre0
        rename AAA.AAA.AAA.AAA
        security-level private
        debug
        ip address 172.16.1.10 255.255.255.252
        ip mtu 1500
        ipsec preshared-key ns3 YFcbJO6J6Bn+Yj8iux1phU+f
        ipsec encryption-level high
        ipsec ikev2
        tunnel source UsbQmi0
        tunnel destination BBB.BBB.BBB.BBB
        up
    !

Log on the same device:

    I [Dec 13 13:48:03] ipsec: Starting strongSwan 5.8.0 IPsec [starter]...
    I [Dec 13 13:48:03] ipsec: 00[DMN] Starting IKE charon daemon (strongSwan 5.8.0, Linux 4.9-ndm-4, mips)
    I [Dec 13 13:48:05] ipsec: 00[CFG] loading secrets
    I [Dec 13 13:48:05] ipsec: 00[CFG] loaded IKE secret for cmap:Gre0
    I [Dec 13 13:48:05] ipsec: 00[CFG] loaded 1 RADIUS server configuration
    I [Dec 13 13:48:05] ipsec: 00[CFG] starting system time check, interval: 10s
    I [Dec 13 13:48:05] ipsec: 00[LIB] loaded plugins: charon ndm-pem random save-keys nonce x509 pubkey openssl xcbc cmac hmac ctr attr kernel-netlink resolve socket-default stroke updown eap-identity eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-peap xauth-generic xauth-eap error-notify systime-fix unity
    I [Dec 13 13:48:05] ipsec: 00[LIB] dropped capabilities, running as uid 65534, gid 65534
    I [Dec 13 13:48:05] ipsec: 03[CFG] received stroke: add connection 'Gre0'
    I [Dec 13 13:48:05] ipsec: 03[CFG] added configuration 'Gre0'
    I [Dec 13 13:48:05] ipsec: 11[CFG] received stroke: initiate 'Gre0'
    I [Dec 13 13:48:05] ipsec: 11[IKE] initiating IKE_SA Gre0[1] to BBB.BBB.BBB.BBB
    I [Dec 13 13:48:05] ipsec: 14[IKE] peer didn't accept DH group MODP_1024, it requested MODP_2048
    I [Dec 13 13:48:05] ipsec: 14[IKE] initiating IKE_SA Gre0[1] to BBB.BBB.BBB.BBB
    I [Dec 13 13:48:06] ipsec: 15[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    I [Dec 13 13:48:06] ipsec: 15[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_384, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
    I [Dec 13 13:48:06] ipsec: 15[CFG] selected proposal: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
    I [Dec 13 13:48:06] ipsec: 15[IKE] found linked key for crypto map 'Gre0'
    I [Dec 13 13:48:06] ipsec: 15[IKE] establishing CHILD_SA Gre0{1}
    I [Dec 13 13:48:07] ipsec: 10[IKE] received AUTHENTICATION_FAILED notify error
    E [Dec 13 13:48:07] ndm: IpSec::Configurator: remote peer rejects to authenticate our crypto map "Gre0".
    W [Dec 13 13:48:07] ndm: IpSec::Configurator: (possibly because of wrong local/remote ID).
    I [Dec 13 13:48:07] ndm: IpSec::CryptoMapInfo: "Gre0": crypto map active IKE SA: 0, active CHILD SA: 0.
    W [Dec 13 13:48:07] ndm: IpSec::Configurator: fallback peer is not defined for crypto map "Gre0", retry.
    I [Dec 13 13:48:07] ndm: IpSec::Configurator: "Gre0": schedule reconnect for crypto map.
    I [Dec 13 13:48:07] ndm: Network::Interface::SecureIpTunnel: "Gre0": IPsec layer is down, shutdown tunnel layer.
    I [Dec 13 13:48:07] ndm: Network::Interface::SecureIpTunnel: "Gre0": secured tunnel is down.
    I [Dec 13 13:48:07] ndm: IpSec::Manager: "Gre0": IP secure connection and keys was deleted.
    E [Dec 13 13:48:07] ndm: IpSec::Configurator: general error while establishing crypto map "Gre0" connection.
    I [Dec 13 13:48:07] ndm: IpSec::CryptoMapInfo: "Gre0": crypto map active IKE SA: 0, active CHILD SA: 0.
    W [Dec 13 13:48:07] ndm: IpSec::Configurator: fallback peer is not defined for crypto map "Gre0", retry.
    I [Dec 13 13:48:07] ndm: Network::Interface::SecureIpTunnel: "Gre0": IPsec layer is down, shutdown tunnel layer.

Why does it load the RADIUS rules? As I understand it, it is trying to complete authorization with a certificate.

Log from the other side:

    13:32:22 srv IPSEC: 06[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]
    13:32:22 srv IPSEC: 06[ENC] received fragment #3 of 3, reassembled fragmented IKE message (2876 bytes)
    13:32:22 srv IPSEC: 06[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr AUTH N(USE_TRANSP) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
    13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 41:f3:8f:66:50:fe:15:ff:4e:24:29:2d:c7:67:19:c4:4b:c8:1e:cd
    13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid c3:2e:e6:fd:16:60:3b:f5:d0:5f:fb:85:1d:41:46:ce:16:31:9d:6e
    13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid ba:b7:43:e0:ed:c7:1e:72:8a:31:ad:da:65:7b:b9:4c:ca:63:ee:07
    13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 0f:73:b7:ce:46:fb:89:05:4b:02:97:75:95:97:58:1f:bb:22:59:f5
    13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 99:9b:76:54:0b:4a:9c:7a:35:ca:8f:0f:2e:aa:74:7a:0f:ae:c5:6e
    13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid ca:0f:ad:e1:ca:f3:73:79:25:69:a5:b2:b6:29:ab:63:0a:bc:7a:1c
    13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 98:46:5e:8d:55:f2:bb:69:0c:d1:e6:c5:b0:81:2e:f2:fe:f2:38:a3
    . . .
    13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid a7:e9:c8:0c:8c:4b:56:d6:37:fa:9e:0d:6c:69:58:1d:32:4e:91:c0
    13:32:22 srv IPSEC: 06[IKE] received cert request for unknown ca with keyid 52:2c:46:fc:ee:2e:a4:be:b5:f1:01:a3:9d:d2:16:ba:d8:85:8e:b5
    13:32:22 srv IPSEC: 06[IKE] received 129 cert requests for an unknown ca
    13:32:22 srv IPSEC: 06[CFG] looking for peer configs matching BBB.BBB.BBB.BBB[Gre0]...AAA.AAA.AAA.AAA[Gre0]
    13:32:22 srv IPSEC: 06[CFG] no matching peer config found
    13:32:22 srv IPSEC: peer authentication failed
    13:32:22 srv IPSEC: 06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
    13:32:22 srv IPSEC: 06[NET] sending packet: from BBB.BBB.BBB.BBB[500] to AAA.AAA.AAA.AAA[500] (76 bytes)
    13:32:22 srv IPSEC: 04[NET] sending packet: from BBB.BBB.BBB.BBB[500] to AAA.AAA.AAA.AAA[500]
    13:32:22 srv IPSEC: 06[IKE] removing IP address AAA.AAA.AAA.AAA for peer Gre0
    13:32:22 srv IPSEC: 06[MGR] checkin and destroy IKE_SA (unnamed)[3106]
    13:32:22 srv IPSEC: 06[IKE] IKE_SA (unnamed)[3106] state change: CONNECTING => DESTROYING
    13:32:22 srv IPSEC: 06[MGR] checkin and destroy of IKE_SA successful

Edited December 13, 2021 by Ilya_
Ilya_ (Author) Posted December 13, 2021 (edited)

Another question: how do I add my own certificate to the Keenetic for IKEv2 authentication? Or tell it not to use a certificate at all and authenticate only by login and password?

    13:32:22 srv IPSEC: 06[IKE] received 129 cert requests for an unknown ca
    13:32:22 srv IPSEC: 06[CFG] looking for peer configs matching BBB.BBB.BBB.BBB[Gre0]...AAA.AAA.AAA.AAA[Gre0]
    13:32:22 srv IPSEC: 06[CFG] no matching peer config found
    13:32:22 srv IPSEC: peer authentication failed
    13:32:22 srv IPSEC: 06[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]

Edited December 13, 2021 by Ilya_
Le ecureuil Posted December 13, 2021

Why are you trying to use IKEv2 specifically?
Ilya_ (Author) Posted December 13, 2021 (edited)

IKEv2, because all the other tunnels are on it, and since the Keenetic advertises IPsec support with IKEv2, I decided to build this tunnel on it as well. But here something did not go according to plan. As I understand it, I need to make the Keenetic accept my certificate, or disable its use, but the crypto map for GRE is not editable.

PS: and the performance is satisfactory.

Edited December 13, 2021 by Ilya_
Le ecureuil Posted December 15, 2021

Try it without IKEv2 after all. There is also a subtlety: for IKEv2, the ID on the other end of the tunnel must be the same as the interface name in the Keenetic. That is, yours is Gre0, so ID local and ID remote in AT must also be Gre0.
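The far-side log above shows exactly what that rule means in practice: the responder searched for a peer config matching `BBB.BBB.BBB.BBB[Gre0]...AAA.AAA.AAA.AAA[Gre0]`, found none, and answered `N(AUTH_FAILED)`. The Keenetic sends both IDi and IDr as its interface name, so the remote peer needs a connection whose local and remote identities are both `Gre0`. The following swanctl.conf is an added example of such a far-side configuration; it is not from the thread or from Keenetic. It assumes the remote peer runs strongSwan with swanctl (the thread never names the remote software, although the `06[CFG]` thread tags in its log look like charon), that the IKE proposal equals the one the log shows as selected, that the CHILD_SA is transport mode for GRE only (the Keenetic's IKE_AUTH carried `N(USE_TRANSP)`), and that the ESP proposal and the PSK value are placeholders, since neither is visible in the thread.

```conf
# Added example, not from the thread: far-side strongSwan swanctl.conf for the
# Keenetic Gre0 crypto map. AAA = Keenetic public IP, BBB = this host's public IP.
connections {
    keenetic-gre0 {
        # IKEv2, matching "ipsec ikev2" on the Keenetic.
        version = 2
        local_addrs  = BBB.BBB.BBB.BBB
        remote_addrs = AAA.AAA.AAA.AAA
        # The proposal the Keenetic log reports as "selected proposal".
        # Pinning modp2048 here is what makes the responder reject the
        # Keenetic's first MODP_1024 offer and ask for MODP_2048 instead.
        proposals = aes256-sha1-modp2048
        local {
            auth = psk
            # Must equal the Keenetic interface name, as the reply above says.
            id = Gre0
        }
        remote {
            auth = psk
            # The Keenetic sends IDi = IDr = Gre0, so the remote ID is Gre0 too.
            id = Gre0
        }
        children {
            gre0 {
                # The Keenetic's IKE_AUTH carried N(USE_TRANSP): transport mode,
                # protecting only GRE (IP protocol 47) between the two public IPs.
                mode = transport
                local_ts  = BBB.BBB.BBB.BBB[gre]
                remote_ts = AAA.AAA.AAA.AAA[gre]
                # Assumption: the ESP proposal is not visible in the thread.
                esp_proposals = aes256-sha256
                # Install a trap policy so GRE traffic triggers the SA on demand.
                start_action = trap
            }
        }
    }
}

secrets {
    ike-keenetic-gre0 {
        id-1 = Gre0
        # Placeholder: use the same pre-shared key configured on the Keenetic.
        secret = "REPLACE_WITH_THE_KEENETIC_PRESHARED_KEY"
    }
}
```

After `swanctl --load-all`, the responder-side log should show the peer config lookup resolving to `keenetic-gre0` instead of "no matching peer config found". If it still fails on the ID match, the identity type may differ from what the Keenetic sends: swanctl accepts an explicit type prefix (for example `fqdn:Gre0` or `keyid:Gre0`), and `swanctl --log` with the `cfg` level raised shows which type arrived in IDi. Keep the IKE proposal pinned to modp2048 or stronger on this side; the Keenetic's own proposal list still offers MODP_1024 first, and it is the responder's rejection that prevents that group from being negotiated.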
Ilya_ (Author) Posted December 15, 2021

It works without IKEv2. I did try specifying the ID, but I'll double-check it again. Thanks.