
SuSEFirewall and Freeswan

sage
Newbie
Posts: 3
Registered: 22 Mar 2004, 10:47

Post by sage »

Hello,

I am running SuSE 8.1 and additionally use freeswan for SuSE from
http://www.suse.de/~garloff/linux/FreeSWAN

version 1.99_0.9.23

With it I have problems with SuSEFirewall2 on the gateway.

My installation

wired LAN 192.168.1.0/24
!
eth0 192.168.1.2/24
gateway------------------------------- eth2/ppp0--> Internet
eth1 192.168.3.2/24
!
wireless LAN 192.168.3.0/24


a) With the firewall, no ping is answered


/var/log/messages:21581:Mar 19 16:28:17 gateway kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth1 OUT=... SRC=192.168.3.10 DST=192.168.3.2 LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=50369 PROTO=UDP SPT=500 DPT=500 LEN=64


I have set the TCP and UDP ports for IPSEC:

FW_QUICKMODE="no"
FW_DEV_EXT="ppp0 ipsec0"
FW_DEV_INT="eth0 eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="ppp0"
FW_MASQ_NETS="192.168.1.0/24 192.168.3.0/24"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="17 53 888 domain"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50 51"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="..."
FW_SERVICES_INT_UDP="... 500..."
FW_SERVICES_INT_IP="50 51"
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.168.1.0/24 192.168.3.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT="192.168.1.3/32,0/0,tcp,80,3128"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"


b) Without the firewall I can send a ping 192.168.3.2 from the wireless client, i.e.
192.168.3.10 (after echo 1 > /proc/sys/net/ipv4/ip_forward)



Mar 19 16:20:18 gateway pluto[2988]: |
Mar 19 16:20:18 gateway pluto[2988]: | *time to handle event
Mar 19 16:20:18 gateway pluto[2988]: | event after this is EVENT_REINIT_SECRET
in 2400 seconds
Mar 19 16:20:18 gateway pluto[2988]: | inserting event EVENT_SHUNT_SCAN,
timeout in 120 seconds
Mar 19 16:20:18 gateway pluto[2988]: | scanning for shunt eroutes
Mar 19 16:20:18 gateway pluto[2988]: | next event EVENT_SHUNT_SCAN in 120
seconds
Mar 19 16:21:20 gateway pluto[2988]: |
Mar 19 16:21:20 gateway pluto[2988]: | *received 256 bytes from
192.168.3.10:500 on eth1
...
Mar 19 16:21:20 gateway pluto[2988]: | **parse ISAKMP Message:
Mar 19 16:21:20 gateway pluto[2988]: | initiator cookie:
Mar...
Mar 19 16:21:20 gateway pluto[2988]: packet from 192.168.3.10:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
...
Mar 19 16:21:20 gateway pluto[2988]: packet from 192.168.3.10:500: ignoring
Vendor ID payload [4048b7d56ebce885...]
Mar 19 16:21:20 gateway pluto[2988]: | VID: 40 48 b7 d5 6e bc e8 85 25 e7
de 7f 00 d6 c2 d3
Mar 19 16:21:20 gateway pluto[2988]: packet from 192.168.3.10:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
...
Mar 19 16:21:20 gateway pluto[2988]: "wanClient" #2: responding to Main Mode
...
Mar 19 16:21:20 gateway pluto[2988]: | ike_alg_enc_ok(ealg=5,key_len=0):
blocksize=8, keyminlen=192, keydeflen=192, keymaxlen=192,
...
Mar 19 16:21:20 gateway pluto[2988]: | sending 84 bytes for STATE_MAIN_R0
through eth1 to 192.168.3.10:500:
...
Mar 19 16:21:20 gateway pluto[2988]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #2
Mar 19 16:21:20 gateway pluto[2988]: | next event EVENT_RETRANSMIT in 10
seconds for #2
Mar 19 16:21:20 gateway pluto[2988]: |
Mar 19 16:21:20 gateway pluto[2988]: | *received 184 bytes from
192.168.3.10:500 on eth1
...
...
Mar 19 16:21:20 gateway pluto[2988]: | DH public value received:
...
Mar 19 16:21:20 gateway pluto[2988]: | Local DH secret:
...
Mar 19 16:21:20 gateway pluto[2988]: | Public DH value sent:
...
Mar 19 16:21:20 gateway pluto[2988]: | DH shared secret:
...
Mar 19 16:21:20 gateway pluto[2988]: | sending 188 bytes for STATE_MAIN_R1
through eth1 to 192.168.3.10:500:
...
Mar 19 16:21:20 gateway pluto[2988]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #2
Mar 19 16:21:20 gateway pluto[2988]: | next event EVENT_RETRANSMIT in 10
seconds for #2
Mar 19 16:21:20 gateway pluto[2988]: |
Mar 19 16:21:20 gateway pluto[2988]: | *received 1564 bytes from
192.168.3.10:500 on eth1
...
Mar 19 16:21:20 gateway pluto[2988]: | state object #2 found, in STATE_MAIN_R2
Mar 19 16:21:20 gateway pluto[2988]: | received encrypted packet from
192.168.3.10:500
Mar 19 16:21:20 gateway pluto[2988]: | decrypting 1536 bytes using algorithm
OAKLEY_3DES_CBC
Mar 19 16:21:20 gateway pluto[2988]: | decrypted:
...
Mar 19 16:21:20 gateway pluto[2988]: "wanClient" #2: Peer ID is
ID_DER_ASN1_DN: 'C=...
Mar 19 16:21:20 gateway pluto[2988]: | L0 - certificate:
...
Mar 19 16:21:20 gateway pluto[2988]: | L1 - tbsCertificate:
...
Mar 19 16:21:20 gateway pluto[2988]: | L2 - DEFAULT v1:
Mar 19 16:21:20 gateway pluto[2988]: | L3 - version:
Mar 19 16:21:20 gateway pluto[2988]: | 02
Mar 19 16:21:20 gateway pluto[2988]: | v3
Mar 19 16:21:20 gateway pluto[2988]: | L2 - serialNumber:
Mar 19 16:21:20 gateway pluto[2988]: | 03
Mar 19 16:21:20 gateway pluto[2988]: | L2 - signature:
Mar 19 16:21:20 gateway pluto[2988]: | L3 - sigAlg:
Mar 19 16:21:20 gateway pluto[2988]: | 'md5WithRSAEncryption'
Mar 19 16:21:20 gateway pluto[2988]: | L2 - issuer:
...
Mar 19 16:21:20 gateway pluto[2988]: | L2 - validity:
Mar 19 16:21:20 gateway pluto[2988]: | L3 - notBefore:
Mar 19 16:21:20 gateway pluto[2988]: | 'Mar 16 17:03:56 UTC 2004'
Mar 19 16:21:20 gateway pluto[2988]: | L3 - notAfter:
Mar 19 16:21:20 gateway pluto[2988]: | 'Mar 14 17:03:56 UTC 2014'
...
Mar 19 16:21:21 gateway pluto[2988]: | L4 - algorithm:
Mar 19 16:21:21 gateway pluto[2988]: | 'rsaEncryption'
Mar 19 16:21:21 gateway pluto[2988]: | L3 - subjectPublicKey:
Mar 19 16:21:21 gateway pluto[2988]: | L4 - RSAPublicKey:
Mar 19 16:21:21 gateway pluto[2988]: | L5 - modulus:
...
Mar 19 16:21:21 gateway pluto[2988]: | L5 - publicExponent:
Mar 19 16:21:21 gateway pluto[2988]: | 01 00 01
Mar 19 16:21:21 gateway pluto[2988]: | L2 - optional extensions:
Mar 19 16:21:21 gateway pluto[2988]: | L3 - extensions:
Mar 19 16:21:21 gateway pluto[2988]: | L4 - extension:
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnID:
Mar 19 16:21:21 gateway pluto[2988]: | 'basicConstraints'
Mar 19 16:21:21 gateway pluto[2988]: | L5 - critical:
Mar 19 16:21:21 gateway pluto[2988]: | FALSE
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnValue:
Mar 19 16:21:21 gateway pluto[2988]: | 30 00
Mar 19 16:21:21 gateway pluto[2988]: | L6 - basicConstraints:
Mar 19 16:21:21 gateway pluto[2988]: | L7 - CA:
Mar 19 16:21:21 gateway pluto[2988]: | FALSE
Mar 19 16:21:21 gateway pluto[2988]: | L4 - extension:
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnID:
Mar 19 16:21:21 gateway pluto[2988]: | 'nsComment'
Mar 19 16:21:21 gateway pluto[2988]: | L5 - critical:
Mar 19 16:21:21 gateway pluto[2988]: | FALSE
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnValue:
Mar 19 16:21:21 gateway pluto[2988]: | 16 1d 4f 70 65 6e 53 53 4c 20 47 65
6e 65 72 61
Mar 19 16:21:21 gateway pluto[2988]: | 74 65 64 20 43 65 72 74 69 66 69 63
61 74 65
Mar 19 16:21:21 gateway pluto[2988]: | L4 - extension:
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnID:
Mar 19 16:21:21 gateway pluto[2988]: | 'subjectKeyIdentifier'
Mar 19 16:21:21 gateway pluto[2988]: | L5 - critical:
Mar 19 16:21:21 gateway pluto[2988]: | FALSE
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnValue:
Mar 19 16:21:21 gateway pluto[2988]: | 04 14 37 8b d5 e2 42 2a e7 18 ae 44
1e bb e8 e5
Mar 19 16:21:21 gateway pluto[2988]: | 6e 39 a7 9a bb c3
Mar 19 16:21:21 gateway pluto[2988]: | L4 - extension:
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnID:
Mar 19 16:21:21 gateway pluto[2988]: | 'authorityKeyIdentifier'
Mar 19 16:21:21 gateway pluto[2988]: | L5 - critical:
Mar 19 16:21:21 gateway pluto[2988]: | FALSE
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnValue:
Mar 19 16:21:21 gateway pluto[2988]: | L1 - signatureAlgorithm:
Mar 19 16:21:21 gateway pluto[2988]: | L2 - algorithm:
Mar 19 16:21:21 gateway pluto[2988]: | 'md5WithRSAEncryption'
Mar 19 16:21:21 gateway pluto[2988]: | L1 - signature:
Mar 19 16:21:21 gateway pluto[2988]: | Subject: 'C=...
Mar 19 16:21:21 gateway pluto[2988]: | not before : Mar 16 17:03:56 UTC
2004
Mar 19 16:21:21 gateway pluto[2988]: | current time: Mar 19 15:21:21 UTC
2004
Mar 19 16:21:21 gateway pluto[2988]: | not after : Mar 14 17:03:56 UTC
2014
Mar 19 16:21:21 gateway pluto[2988]: | certificate is valid
Mar 19 16:21:21 gateway pluto[2988]: | Issuer: 'C=...
Mar 19 16:21:21 gateway pluto[2988]: | issuer CA certificate found
Mar 19 16:21:21 gateway pluto[2988]: | Signature Algorithm:
'md5WithRSAEncryption'
Mar 19 16:21:21 gateway pluto[2988]: "wanClient" #2: Issuer CRL not found
Mar 19 16:21:21 gateway pluto[2988]: | Subject: '...
Mar 19 16:21:21 gateway pluto[2988]: | not before : Mar 16 16:44:49 UTC
2004
Mar 19 16:21:21 gateway pluto[2988]: | current time: Mar 19 15:21:21 UTC
2004
Mar 19 16:21:21 gateway pluto[2988]: | not after : Apr 15 16:44:49 UTC
2004
Mar 19 16:21:21 gateway pluto[2988]: | certificate is valid
Mar 19 16:21:21 gateway pluto[2988]: | Issuer: '...
Mar 19 16:21:21 gateway pluto[2988]: | issuer CA certificate found
Mar 19 16:21:21 gateway pluto[2988]: | Signature Algorithm:
'md5WithRSAEncryption'
Mar 19 16:21:21 gateway pluto[2988]: | digest: 87 be 74 35 bd 04 ff f7 7c
06 11 17 ef bc 7f 7d
Mar 19 16:21:21 gateway pluto[2988]: | decrypted signature:
...
Mar 19 16:21:21 gateway pluto[2988]: | certificate signature is valid
Mar 19 16:21:21 gateway pluto[2988]: "wanClient" #2: Issuer CRL not found
Mar 19 16:21:21 gateway pluto[2988]: | Public key validated
Mar 19 16:21:21 gateway pluto[2988]: | hashing 160 bytes of SA
Mar 19 16:21:21 gateway pluto[2988]: | an RSA Sig check passed with *AwEAAeaiG
[preloaded key]
Mar 19 16:21:21 gateway pluto[2988]: | authentication succeeded
Mar 19 16:21:22 gateway pluto[2988]: "wanClient" #2: sent MR3, ISAKMP SA
established
Mar 19 16:21:22 gateway pluto[2988]: | next event EVENT_SHUNT_SCAN in 56
seconds
Mar 19 16:21:22 gateway pluto[2988]: |
Mar 19 16:21:22 gateway pluto[2988]: | *received 1564 bytes from
192.168.3.10:500 on eth1
...
Mar 19 16:21:23 gateway pluto[2988]: "wanClient" #2: Quick Mode I1 message is
unacceptable because it uses a previously used Message ID 0xdbd7ba97 (perhaps
this is a duplicated packet)
Mar 19 16:21:23 gateway pluto[2988]: "wanClient" #2: sending encrypted
notification INVALID_MESSAGE_ID to 192.168.3.10:500
...
Mar 19 16:21:25 gateway pluto[2988]: "wanClient" #2: Quick Mode I1 message is
unacceptable because it uses a previously used Message ID 0xdbd7ba97 (perhaps
this is a duplicated packet)
Mar 19 16:21:25 gateway pluto[2988]: "wanClient" #2: sending encrypted
notification INVALID_MESSAGE_ID to 192.168.3.10:500


Does anyone have a tip, or know why, with SuSEfirewall, freeswan gives this message: "Quick Mode
I1 message is unacceptable because it uses a previously used Message ID
0xdbd7ba97 (perhaps this is a duplicated packet)"?


Sage
jado
Member
Posts: 170
Registered: 4 Mar 2004, 11:00
Location: Hamburg

Post by jado »

I wonder why you have to enable IP_FORWARDING for the ping from 192.168.3.x to 192.168.3.2
(without firewall).

- Post your "ipconfig" output.

"previously used Message ID":
Check whether the IPSec session key changed shortly before that message.
sage
Newbie
Posts: 3
Registered: 22 Mar 2004, 10:47

Post by sage »

Hi,

Yes, right: not for the ping within the same network. Once the ipsec connection is up, I want to be able to reach resources in the .1 network from the .3 network depending on the destination, and also destinations on the Internet via masquerading.
So I still have a routing problem!

A ping 192.168.3.2 (vpn-gw) now also works fine with the firewall, after I moved the mistaken entry of ipsec0 as EXT_DEV to INT_DEV (because that is all it is in my case: only internal WLAN clients behind an access point attached to the vpn gateway are to be routed as a separate network, just like the machines on the wired network).




ifconfig
====
eth0 Protokoll:Ethernet Hardware Adresse 00:C0:26:8C:89:D7
inet Adresse:192.168.1.2 Bcast:192.168.1.255 Maske:255.255.255.0
inet6 Adresse: fe80::2c0:26ff:fe8c:89d7/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4847 errors:0 dropped:0 overruns:0 frame:0
TX packets:2795 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:100
RX bytes:415536 (405.7 Kb) TX bytes:1569250 (1.4 Mb)
Interrupt:9

eth1 Protokoll:Ethernet Hardware Adresse 00:C0:26:20:56:B3
inet Adresse:192.168.3.2 Bcast:192.168.3.255 Maske:255.255.255.0
inet6 Adresse: fe80::2c0:26ff:fe20:56b3/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3112 errors:0 dropped:0 overruns:0 frame:0
TX packets:359 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:100
RX bytes:279292 (272.7 Kb) TX bytes:127433 (124.4 Kb)
Interrupt:11 Basisadresse:0x2000

eth2 Protokoll:Ethernet Hardware Adresse 00:50:FC:37:58:9A
inet Adresse:192.168.2.22 Bcast:192.168.2.255 Maske:255.255.255.0
inet6 Adresse: fe80::250:fcff:fe37:589a/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3417 errors:0 dropped:0 overruns:0 frame:9
TX packets:2729 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:100
RX bytes:3257931 (3.1 Mb) TX bytes:302263 (295.1 Kb)
Interrupt:12 Basisadresse:0xd000

ipsec0 Protokoll:Ethernet Hardware Adresse 00:C0:26:20:56:B3
inet Adresse:192.168.3.2 Maske:255.255.255.0
inet6 Adresse: fe80::2c0:26ff:fe20:56b3/64 Gültigkeitsbereich:Verbindung
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:3 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

lo Protokoll:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
inet6 Adresse: ::1/128 Gültigkeitsbereich:Maschine
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:18000 errors:0 dropped:0 overruns:0 frame:0
TX packets:18000 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:2325166 (2.2 Mb) TX bytes:2325166 (2.2 Mb)

ppp0 Protokoll:Punkt-zu-Punkt Verbindung
inet Adresse:xxxxx P-z-P:xxxx Maske:255.255.255.255
UP PUNKTZUPUNKT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:3308 errors:0 dropped:0 overruns:0 frame:0
TX packets:2617 errors:0 dropped:9 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:3
RX bytes:3178615 (3.0 Mb) TX bytes:237866 (232.2 Kb)


So I still have a routing problem in the firewall settings:
grep -v ^# /etc/sysconfig/SuSEfirewall2 | grep -v ^$ -
FW_QUICKMODE="no"
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0 eth1 ipsec0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="ppp0"
FW_MASQ_NETS="192.168.1.0/24 192.168.3.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="......."
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="..."
FW_SERVICES_INT_UDP="-... 500 1701 53..."
FW_SERVICES_INT_IP="50 51"
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.168.1.0/24 192.168.3.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT="192.168.1.3/32,0/0,tcp,80,3128"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"


Hope this isn't too much.

Regards, sage
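An added check (not the poster's or SuSE's code) that captures the fix described in this post: it parses the zone-related FW_* lines of a SuSEfirewall2 config and, given the interface addresses from the ifconfig output above, flags an interface assigned to FW_DEV_EXT whose own address lies in a net listed in FW_MASQ_NETS or FW_TRUSTED_NETS, which is how ipsec0 was placed in the first config. The two config excerpts are constructed from the lines posted in this thread; the ppp0 address is an assumed placeholder because it is masked in the ifconfig output.

```python
import ipaddress
import re

# Constructed excerpts of the two SuSEfirewall2 configs posted in this thread:
# the first put ipsec0 into FW_DEV_EXT, the second moved it to FW_DEV_INT.
CONFIG_BEFORE = """
FW_DEV_EXT="ppp0 ipsec0"
FW_DEV_INT="eth0 eth1"
FW_DEV_DMZ=""
FW_MASQ_NETS="192.168.1.0/24 192.168.3.0/24"
FW_TRUSTED_NETS="192.168.1.0/24 192.168.3.0/24"
"""
CONFIG_AFTER = """
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0 eth1 ipsec0"
FW_DEV_DMZ=""
FW_MASQ_NETS="192.168.1.0/24 192.168.3.0/24"
FW_TRUSTED_NETS="192.168.1.0/24 192.168.3.0/24"
"""

# Interface addresses from the ifconfig output in the thread; ppp0 is masked
# there, so a documentation-range placeholder is assumed for it.
IFACES = {
    "eth0": "192.168.1.2/24",
    "eth1": "192.168.3.2/24",
    "eth2": "192.168.2.22/24",
    "ipsec0": "192.168.3.2/24",
    "ppp0": "203.0.113.10/32",  # assumed placeholder
}

_KV = re.compile(r'^(FW_[A-Z_]+)="([^"]*)"\s*$')

def parse_fw_config(text):
    """Return {key: [tokens]} for every FW_* line; comments and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        m = _KV.match(line.strip())
        if m:
            conf[m.group(1)] = m.group(2).split()
    return conf

def lint_zones(conf, ifaces):
    """Return (severity, message) findings about interface-to-zone assignment.
    Heuristic: an interface in FW_DEV_EXT whose address lies inside a net the
    config itself treats as internal (masqueraded or trusted) is mis-zoned; in
    this thread the anti-spoof drops stopped once ipsec0 left FW_DEV_EXT."""
    findings = []
    zones = {z: set(conf.get("FW_DEV_" + z, [])) for z in ("EXT", "INT", "DMZ")}
    internal_nets = [ipaddress.ip_network(n) for n in
                     conf.get("FW_MASQ_NETS", []) + conf.get("FW_TRUSTED_NETS", [])]
    for name, cidr in ifaces.items():
        member = [z for z, devs in zones.items() if name in devs]
        if len(member) > 1:
            findings.append(("error", f"{name} listed in several zones: {member}"))
        elif not member:
            findings.append(("warn", f"{name} not assigned to any FW_DEV_* zone"))
        addr = ipaddress.ip_interface(cidr).ip
        if "EXT" in member and any(addr in net for net in internal_nets):
            findings.append(("error",
                f"{name} ({addr}) is in FW_DEV_EXT but its address is inside an "
                "internal net (FW_MASQ_NETS/FW_TRUSTED_NETS); move it to FW_DEV_INT"))
    return findings
```

Run against the first config it reports the ipsec0 error and a warning that eth2 is in no zone; against the second only the eth2 warning remains.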
sage
Newbie
Posts: 3
Registered: 22 Mar 2004, 10:47

Post by sage »

Perhaps it is also still a problem with freeswan.

ipsec auto --status shows the two configured connections for winxp and win98. At the moment I am struggling with the winxp connection.

000 interface ipsec0/eth1 192.168.3.2
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=16, keysizemin=128, keysizemax=128
000
000 algorithm IKE encrypt: id=65289, name=OAKLEY_SSH_PRIVATE_65289, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536 (extension), bits=1536
000 algorithm IKE dh group: id=42048, name=OAKLEY_GROUP_MODP2048 (extension), bits=2048
000 algorithm IKE dh group: id=43072, name=OAKLEY_GROUP_MODP3072 (extension), bits=3072
000 algorithm IKE dh group: id=44096, name=OAKLEY_GROUP_MODP4096 (extension), bits=4096
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "wanXPClient": 192.168.1.0/24===192.168.3.2[C=.., ST=..., O=..., OU=..., CN=...]---192.168.1.2...192.168.3.10[C=.., ST=..., O=..., OU=..., CN=...]===192.168.3.0/24
000 "wanXPClient": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "wanXPClient": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY; interface: eth1; unrouted
000 "wanXPClient": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "wanXPClient": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, flags=-strict
000 "wanXPClient": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2,
000 "wanXPClient": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "wanXPClient": ESP algorithms loaded:
000 "wan98Client": 192.168.1.0/24===192.168.3.2[C=.., ST=..., O=..., OU=..., CN=...]...192.168.3.3[C=..., ST=..., O=..., OU=..., CN=...]===192.168.3.0/24
000 "wan98Client": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "wan98Client": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY; interface: eth1; unrouted
000 "wan98Client": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "wan98Client": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, flags=-strict
000 "wan98Client": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2,
000 "wan98Client": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "wan98Client": ESP algorithms loaded:
===================================


What I do not understand yet are the following log messages:


Mar 22 19:24:11 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.3.10:500
Mar 22 19:24:12 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a duplicated packet)
Mar 22 19:24:12 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.10:500
Mar 22 19:24:14 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a duplicated packet)
Mar 22 19:24:14 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.10:500
Mar 22 19:24:18 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a duplicated packet)
Mar 22 19:24:18 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.10:500
Mar 22 19:24:26 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a duplicated packet)
Mar 22 19:24:26 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.10:500
Mar 22 19:24:26 gateway popper[8030]: connect from 192.168.1.1 (192.168.1.1)
Mar 22 19:24:42 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a d

Regards, sage
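As an added example (not part of the thread), a small analyser over lines modelled on the pluto log quoted above: it groups the Quick Mode rejections per connection and state number and surfaces the first notification of the exchange. In this log that is INVALID_ID_INFORMATION, which pluto sends when it cannot match the client's proposed Quick Mode IDs to a configured connection; the repeated INVALID_MESSAGE_ID lines that follow are only the client retransmitting the same I1 with the same Message ID. The sample lines are constructed from the ones posted here.

```python
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the pluto lines quoted in this thread; the
# popper entry is included to show that unrelated syslog lines are skipped.
SAMPLE_LOG = """\
Mar 22 19:24:11 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.3.10:500
Mar 22 19:24:12 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a duplicated packet)
Mar 22 19:24:12 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.10:500
Mar 22 19:24:14 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a duplicated packet)
Mar 22 19:24:14 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.10:500
Mar 22 19:24:26 gateway popper[8030]: connect from 192.168.1.1 (192.168.1.1)
Mar 22 19:24:26 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a duplicated packet)
Mar 22 19:24:26 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.10:500
"""

PLUTO_LINE = re.compile(
    r'^\w{3} +\d+ \d\d:\d\d:\d\d \S+ pluto\[\d+\]: "([^"]+)" #(\d+): (.*)$')
NOTIFY = re.compile(r'sending encrypted notification (\w+) to (\S+)')
DUP_MSGID = re.compile(r'previously used Message ID (0x[0-9a-fA-F]+)')

def summarise_pluto(log_text):
    """Per (connection, state#): notifications sent in order, the peer they went
    to, and how often each Quick Mode Message ID was rejected as already used."""
    summary = defaultdict(lambda: {"notifications": [], "dup_msgids": Counter(),
                                   "peer": None})
    for line in log_text.splitlines():
        m = PLUTO_LINE.match(line)
        if not m:
            continue  # not a pluto state line (e.g. the popper entry)
        key = (m.group(1), int(m.group(2)))
        rest = m.group(3)
        n = NOTIFY.search(rest)
        if n:
            summary[key]["notifications"].append(n.group(1))
            summary[key]["peer"] = n.group(2)
        d = DUP_MSGID.search(rest)
        if d:
            summary[key]["dup_msgids"][d.group(1).lower()] += 1
    return dict(summary)

def diagnose(summary, min_repeats=2):
    """Flag exchanges where the peer keeps resending the same Quick Mode I1.
    The duplicate-Message-ID rejections are a symptom; the first notification
    pluto sent in that exchange is what explains why the initiator never got
    an acceptable answer."""
    findings = []
    for (conn, state), info in summary.items():
        for msgid, count in info["dup_msgids"].items():
            if count >= min_repeats:
                first = info["notifications"][0] if info["notifications"] else "none"
                findings.append(
                    f'{conn} #{state}: peer {info["peer"]} resent Quick Mode I1 with '
                    f'Message ID {msgid} {count} times; first notification sent was {first}')
    return findings
```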