3 继续测试一下 esp


继续测试一下 esp_tunnel，用 racoon 协商，用 setkey 设置 spd。网络结构这次写详细点儿，之前可能太过简单了看不清楚。

[10.0.10.2/24]<-->[10.0.10.1/24,192.168.125.10/30]<--(192.168.125.9/30,路由,192.168.125.13/30)-->[192.168.125.14/30,10.0.14.1/24]<-->[10.0.14.2/24]

最两端的 10.0.10.2 和 10.0.14.2 没有 ipsec 设置，只用来测试；中间的路由只进行包转发。ipsec 设置在 192.168.125.10、192.168.125.14 上。

########################## 192.168.125.10

# cat /etc/racoon/racoon.conf
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen {
        adminsock disabled;
}
timer {
        # To keep the NAT-mappings on your NAT gateway, there must be
        # The default is 20s. Set it to 0s to disable sending completely.
        natt_keepalive 10 sec;
}
remote "remote14" {
        remote_address 192.168.125.14;
        exchange_mode main;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 5;
        }
        generate_policy off;
        nat_traversal force;
        passive off;
        #If you do not want to initiate the negotiation, set this to on.  The default value is off.  It is useful for a server.
        weak_phase1_check on;
        ph1id 1;
        #An optional number to identify the remote proposal and to link it only with sainfos who have the same number.  Defaults to 0.
}
sainfo subnet 10.0.10.0/24[any] any subnet 10.0.14.0/24[any] any {
        remoteid 1;
        #Sainfos will only be used if their remoteid matches the ph1id of the remote section used for phase 1.  Defaults to 0,
        pfs_group 5;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
sainfo subnet 192.168.125.10/32[any] any subnet 192.168.125.14/32[any] any {
        remoteid 1;
        #Sainfos will only be used if their remoteid matches the ph1id of the remote section used for phase 1.  Defaults to 0,
        pfs_group 5;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# cat /etc/racoon/psk.txt
192.168.125.14  jqka1234

# cat /home/10
spdadd -4 192.168.125.14/32 192.168.125.10/32 any -P in ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 192.168.125.10/32 192.168.125.14/32 any -P out ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;
spdadd -4 10.0.14.0/24 10.0.10.0/24 any -P in ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 10.0.10.0/24 10.0.14.0/24 any -P out ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;

# cat /home/10 | setkey -c

------------------------------------------- 192.168.125.14

# cat /etc/racoon/racoon.conf
log notify;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
listen {
        adminsock disabled;
}
timer {
        natt_keepalive 10 sec;
}
remote "remote10" {
        remote_address 192.168.125.10;
        exchange_mode main;
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 5;
        }
        generate_policy off;
        nat_traversal force;
        passive off;
        #If you do not want to initiate the negotiation, set this to on.  The default value is off.  It is useful for a server.
        weak_phase1_check on;
        ph1id 1;
        #An optional number to identify the remote proposal and to link it only with sainfos who have the same number.  Defaults to 0.
}
sainfo subnet 10.0.14.0/24[any] any subnet 10.0.10.0/24[any] any {
        remoteid 1;
        #Sainfos will only be used if their remoteid matches the ph1id of the remote section used for phase 1.  Defaults to 0,
        pfs_group 5;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
sainfo address 192.168.125.14/32[any] any address 192.168.125.10/32[any] any {
        remoteid 1;
        #Sainfos will only be used if their remoteid matches the ph1id of the remote section used for phase 1.  Defaults to 0,
        pfs_group 5;
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# cat /etc/racoon/psk.txt
192.168.125.10  jqka1234

# cat /home/14
spdadd -4 192.168.125.14 192.168.125.10 any -P out ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 192.168.125.10 192.168.125.14 any -P in ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;
spdadd -4 10.0.14.0/24 10.0.10.0/24 any -P out ipsec esp/tunnel/192.168.125.14-192.168.125.10/require;
spdadd -4 10.0.10.0/24 10.0.14.0/24 any -P in ipsec esp/tunnel/192.168.125.10-192.168.125.14/require;

# cat /home/14 | setkey -c

---------------------------------------

如果通信只包括 10.0.10.0/24 和 10.0.14.0/24 之间（不包括两台网关 192.168.125.10 和 192.168.125.14 自身之间的流量），可以去掉前面两个 sp 条目及最后一个 sainfo 部分。

----------------------------------------

瞎记点儿信息。

出错：哪种 identifier 对应哪一种方式，在哪儿能查到？

2018-02-18 10:59:09: ERROR: ipsec_doi.c:3586:ipsecdoi_checkid1(): Expecting IP address type in main mode, but FQDN.

现在看来，用证书认证时 identifier 用的是 FQDN；而写对端 address 时，对端用的也是地址类型的 identifier。

测试得到：ipsec esp tunnel 模式在 linux 中转发时，不用设置 ip_forward；同时对 ttl 减 1 的处理和路由方式是相同的。passive on 的话，这一端不会主动发起阶段 1 的协商，通信会一直卡住。唉... ipsec 真是麻烦，和其他实现方法相比太痛苦了.... 各种不同的组合种类太多，太太太太复杂了。下次我看看与 nat 相关的部分？nat 的 session 超时基本上可以解决。ipsec sa 的超时部分需要怎么测试？写个很小的数进去让它重连啥的？
