
IPSEC / RACOON does not establish a connection after one host restarts


[ Views: 2693 | Replies: 1 ]

pisac
Member no.: 13046
Posts: 4578

IPSEC / RACOON does not establish a connection after one host restarts, 26.05.2013 at 13:35
The IPSEC tunnel works, but after one of the hosts (B) restarts, the connection to it is down and cannot be established until it initiates a connection to the first host (A), the one that was not restarted. This is probably because the first host (A), which was not restarted, fails to notice that the connection is dead and stubbornly keeps sending through the dead tunnel. If both restart, both start from scratch and then there are no such problems.

The servers are Ubuntu/Debian. Shared secret, 3DES/SHA1.

Here it is explained a bit better:

IPSEC connection (A)<-->(B) established.
I ping (A) --> (B), successfully. "setkey -D" on both servers shows two connections (i.e. a bidirectional connection).
I restart (B); pinging no longer succeeds, packets arrive over the ESP protocol at (B) on the old connection, but it does not react because a new connection needs to be made. "setkey -D" on (A) still shows two connections (i.e. a bidirectional connection), and on (B) it shows nothing.
This lasts until I ping (B) --> (A), and then the connection is established immediately (in both directions). The consequence is that "setkey -D" no longer shows 2 connections but 4, and that on both servers. But at least the connection works.

I tried adding the parameter "dpd_delay 30;" but that did not help.

Now, there is one detail. That is how it works between two Linuxes, but with Windows it works much better! Windows, either immediately or within a few minutes, still manages to "break through" to the Linux that was restarted, and the IPSEC tunnel starts working!

Here is what happens when I restart the Linux while Windows persistently tries to ping through the tunnel. The logs are from the Linux. From 5:11 the connection is dead; around 5:17 something starts which, a minute later, leads to a new connection being established. This happens only when the other side is Windows; if it is also Linux, nothing happens after 5:11 no matter how long you wait.


May 26 05:11:30 ubuntu1004srv64 racoon: ERROR: libipsec failed pfkey check (Invalid SA type)
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: @(#)ipsec-tools 0.7.1 (http://ipsec-tools.sourceforge.net)
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: @(#)This product linked OpenSSL 0.9.8k 25 Mar 2009 (http://www.openssl.org/)
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: Reading configuration from "/etc/racoon/racoon.conf"
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: Resize address pool from 0 to 255
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: 127.0.0.1[500] used as isakmp port (fd=7)
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: 127.0.0.1[500] used for NAT-T
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: 172.22.99.11[500] used as isakmp port (fd=8)
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: 172.22.99.11[500] used for NAT-T
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: 192.168.46.1[500] used as isakmp port (fd=9)
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: 192.168.46.1[500] used for NAT-T
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: ::1[500] used as isakmp port (fd=10)
May 26 05:11:32 ubuntu1004srv64 racoon: INFO: fe80::a00:27ff:febb:4aa0%eth0[500] used as isakmp port (fd=11)

May 26 05:17:44 ubuntu1004srv64 racoon: ERROR: unknown Informational exchange received.
May 26 05:17:46 ubuntu1004srv64 racoon: ERROR: can't start the quick mode, there is no ISAKMP-SA, ee75ac0c51123927:28c46f9af0a58878:0000ca3b

May 26 05:18:49 ubuntu1004srv64 racoon: last message repeated 5 times
May 26 05:18:49 ubuntu1004srv64 racoon: ERROR: unknown Informational exchange received.
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: respond new phase 1 negotiation: 172.22.99.11[500]<=>172.22.99.203[500]
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: begin Identity Protection mode.
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: received broken Microsoft ID: MS NT5 ISAKMPOAKLEY
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: received Vendor ID: FRAGMENTATION
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: ISAKMP-SA established 172.22.99.11[500]-172.22.99.203[500] spi:2fdeb1068300f149:285a0183353e1af2
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: respond new phase 2 negotiation: 172.22.99.11[500]<=>172.22.99.203[500]
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: IPsec-SA established: ESP/Tunnel 172.22.99.203[0]->172.22.99.11[0] spi=245838148(0xea73144)
May 26 05:18:49 ubuntu1004srv64 racoon: INFO: IPsec-SA established: ESP/Tunnel 172.22.99.11[500]->172.22.99.203[500] spi=3303174592(0xc4e271c0)


Here is what tcpdump on the Linux looks like:


05:16:26.147949 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1cd), length 92
05:16:31.155130 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1ce), length 92
05:16:36.162528 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1cf), length 92
05:16:41.169727 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d0), length 92
05:16:46.177161 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d1), length 92
05:16:51.184472 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d2), length 92
05:16:56.191724 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d3), length 92
05:17:01.198522 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d4), length 92
05:17:06.205508 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d5), length 92
05:17:11.213604 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d6), length 92
05:17:16.220096 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d7), length 92
05:17:21.227344 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d8), length 92
05:17:26.234552 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d9), length 92
05:17:31.242159 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1da), length 92
05:17:36.250241 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1db), length 92
05:17:41.260447 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1dc), length 92
05:17:44.873691 ARP, Request who-has 172.22.99.11 tell 172.22.99.203, length 46
05:17:44.873713 ARP, Reply 172.22.99.11 is-at 08:00:27:bb:4a:a0 (oui Unknown), length 28
05:17:44.873974 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I inf[E]
05:17:46.266898 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I oakley-quick[E]
05:17:46.267196 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 2/others R inf
05:17:47.757712 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I oakley-quick[E]
05:17:47.757896 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 2/others R inf
05:17:49.760741 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I oakley-quick[E]
05:17:49.760878 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 2/others R inf
05:17:51.257296 ARP, Request who-has 172.22.99.203 tell 172.22.99.11, length 28
05:17:51.257579 ARP, Reply 172.22.99.203 is-at 08:00:27:e1:83:26 (oui Unknown), length 46
05:17:53.766155 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I oakley-quick[E]
05:17:53.766349 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 2/others R inf
05:18:01.778768 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I oakley-quick[E]
05:18:01.778906 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 2/others R inf
05:18:04.923026 IP 172.22.99.203.netbios-dgm > 172.22.99.255.netbios-dgm: NBT UDP PACKET(138)
05:18:17.800770 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I oakley-quick[E]
05:18:17.800949 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 2/others R inf
05:18:22.797336 ARP, Request who-has 172.22.99.203 tell 172.22.99.11, length 28
05:18:22.797625 ARP, Reply 172.22.99.203 is-at 08:00:27:e1:83:26 (oui Unknown), length 46
05:18:49.848109 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I inf[E]
05:18:49.849188 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 1 I ident
05:18:49.849448 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 1 R ident
05:18:49.858978 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 1 I ident
05:18:49.860096 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 1 R ident
05:18:49.863877 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 1 I ident[E]
05:18:49.863997 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 1 R ident[E]
05:18:49.864104 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 2/others R inf[E]
05:18:49.864891 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I oakley-quick[E]
05:18:49.865141 IP 172.22.99.11.isakmp > 172.22.99.203.isakmp: isakmp: phase 2/others R oakley-quick[E]
05:18:49.865629 IP 172.22.99.203.isakmp > 172.22.99.11.isakmp: isakmp: phase 2/others I oakley-quick[E]
05:18:49.865634 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x1), length 92
05:18:49.866844 ARP, Request who-has 172.22.99.203 tell 172.22.99.1, length 46
05:18:51.357946 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x2), length 92
05:18:51.358050 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x1), length 92
05:18:52.359367 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x3), length 92
05:18:52.359443 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x2), length 92
05:18:53.360439 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x4), length 92
05:18:53.360515 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x3), length 92
05:18:54.362667 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x5), length 92
05:18:54.362750 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x4), length 92
05:18:54.847252 ARP, Request who-has 172.22.99.203 tell 172.22.99.11, length 28
05:18:54.847591 ARP, Reply 172.22.99.203 is-at 08:00:27:e1:83:26 (oui Unknown), length 46
05:18:55.309813 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x6), length 92
05:18:55.309899 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x5), length 92
05:18:56.341680 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x7), length 92
05:18:56.341763 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x6), length 92
05:18:57.366518 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x8), length 92
05:18:57.366604 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x7), length 92
05:18:58.367942 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x9), length 92
05:18:58.368019 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x8), length 92
05:18:59.369470 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0xa), length 92


[This message was edited by pisac on 26.05.2013 at 14:47 GMT+1]
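The symptom visible in the capture above, one peer sending ESP on an SPI that never gets anything back, can be detected automatically instead of by eye. The following is an added example, not code from this thread or from the racoon project: it parses tcpdump lines in the format shown above and flags flows with no reply traffic; the function names are my own and the sample lines are excerpted from the capture.

```python
import re
from datetime import datetime

# Matches the ESP lines tcpdump prints in the capture above (helper written for this thread)
ESP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ESP\(spi=0x(?P<spi>[0-9a-f]+),seq=0x[0-9a-f]+\)"
)

def parse_esp(lines):
    """Return (time, src, dst, spi) for each ESP line; ARP and ISAKMP lines are skipped."""
    hits = (ESP_RE.match(line) for line in lines)
    return [(datetime.strptime(m["ts"], "%H:%M:%S.%f"), m["src"], m["dst"], "0x" + m["spi"])
            for m in hits if m]

def find_one_way_tunnels(lines, min_span_s=20.0):
    """Flag SPIs whose sender got no ESP back from the receiver for at least min_span_s
    seconds: the signature of a peer still sending into an SA the other side has lost."""
    pkts = parse_esp(lines)
    flows = {}  # (src, dst, spi) -> [first_seen, last_seen, packet_count]
    for t, src, dst, spi in pkts:
        f = flows.setdefault((src, dst, spi), [t, t, 0])
        f[0], f[1], f[2] = min(f[0], t), max(f[1], t), f[2] + 1
    findings = []
    for (src, dst, spi), (first, last, count) in flows.items():
        if (last - first).total_seconds() < min_span_s:
            continue
        # Any ESP from dst back to src while this SPI was in use means the tunnel is alive
        replied = any(s == dst and d == src and first <= t <= last for t, s, d, _ in pkts)
        if not replied:
            findings.append({"peer": src, "local": dst, "spi": spi, "packets": count,
                             "seconds": (last - first).total_seconds()})
    return findings

# Sample input: lines excerpted from the tcpdump capture in the post above
SAMPLE = """\
05:16:26.147949 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1cd), length 92
05:16:41.169727 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d0), length 92
05:16:51.184472 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x09b8e703,seq=0x1d2), length 92
05:17:44.873691 ARP, Request who-has 172.22.99.11 tell 172.22.99.203, length 46
05:18:49.865634 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x1), length 92
05:18:51.357946 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x2), length 92
05:18:51.358050 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x1), length 92
05:18:52.359367 IP 172.22.99.203 > 172.22.99.11: ESP(spi=0x0ea73144,seq=0x3), length 92
05:18:52.359443 IP 172.22.99.11 > 172.22.99.203: ESP(spi=0xc4e271c0,seq=0x2), length 92
""".splitlines()

if __name__ == "__main__":
    for f in find_one_way_tunnels(SAMPLE):
        print(f"{f['peer']} still sends spi {f['spi']}: {f['packets']} pkts over {f['seconds']:.0f}s, no reply")
```

Run it against `tcpdump -n -l esp` output on the non-restarted host; a flagged SPI is the moment a re-key should be triggered rather than waiting for the peer to ping back.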
 
pisac

Re: IPSEC / RACOON does not establish a connection after one host restarts, 27.05.2013 at 22:09
When the connection (phase 1) stops, I can establish it by typing on server (A)
racoonctl establish-sa isakmp inet (A) (B)

or the reverse on server (B).

But why does that not work automatically?
 