
SuSEFirewall and Freeswan

sage

Newbie
Hello,

I am running SuSE 8.1 and additionally use freeswan for SuSE from
http://www.suse.de/~garloff/linux/FreeSWAN

version 1.99_0.9.23.

With this I am having problems with SuSEFirewall2 on the gateway.

My setup

wired LAN 192.168.1.0/24
!
eth0 192.168.1.2/24
gateway------------------------------- eth2/ppp0--> Internet
eth1 192.168.3.2/24
!
wireless LAN 192.168.3.0/24


a) With the firewall, no ping is answered


/var/log/messages:21581:Mar 19 16:28:17 gateway kernel:
SuSE-FW-DROP-ANTI-SPOOF IN=eth1 OUT=... SRC=192.168.3.10 DST=192.168.3.2
LEN=84 TOS=0x00 PREC=0x00 TTL=128 ID=50369 PROTO=UDP SPT=500 DPT=500 LEN=64


I have set the TCP and UDP ports for IPSEC:

FW_QUICKMODE="no"
FW_DEV_EXT="ppp0 ipsec0"
FW_DEV_INT="eth0 eth1"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="ppp0"
FW_MASQ_NETS="192.168.1.0/24 192.168.3.0/24"
FW_PROTECT_FROM_INTERNAL="no"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="17 53 888 domain"
FW_SERVICES_EXT_UDP="500"
FW_SERVICES_EXT_IP="50 51"
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="..."
FW_SERVICES_INT_UDP="... 500..."
FW_SERVICES_INT_IP="50 51"
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.168.1.0/24 192.168.3.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT="192.168.1.3/32,0/0,tcp,80,3128"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"


b) Without the firewall I can issue a ping 192.168.3.2 from the wireless client, i.e.
192.168.3.10 (after echo 1 > /proc/sys/net/ipv4/ip_forward)



Mar 19 16:20:18 gateway pluto[2988]: |
Mar 19 16:20:18 gateway pluto[2988]: | *time to handle event
Mar 19 16:20:18 gateway pluto[2988]: | event after this is EVENT_REINIT_SECRET
in 2400 seconds
Mar 19 16:20:18 gateway pluto[2988]: | inserting event EVENT_SHUNT_SCAN,
timeout in 120 seconds
Mar 19 16:20:18 gateway pluto[2988]: | scanning for shunt eroutes
Mar 19 16:20:18 gateway pluto[2988]: | next event EVENT_SHUNT_SCAN in 120
seconds
Mar 19 16:21:20 gateway pluto[2988]: |
Mar 19 16:21:20 gateway pluto[2988]: | *received 256 bytes from
192.168.3.10:500 on eth1
...
Mar 19 16:21:20 gateway pluto[2988]: | **parse ISAKMP Message:
Mar 19 16:21:20 gateway pluto[2988]: | initiator cookie:
Mar...
Mar 19 16:21:20 gateway pluto[2988]: packet from 192.168.3.10:500: ignoring
Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
...
Mar 19 16:21:20 gateway pluto[2988]: packet from 192.168.3.10:500: ignoring
Vendor ID payload [4048b7d56ebce885...]
Mar 19 16:21:20 gateway pluto[2988]: | VID: 40 48 b7 d5 6e bc e8 85 25 e7
de 7f 00 d6 c2 d3
Mar 19 16:21:20 gateway pluto[2988]: packet from 192.168.3.10:500: ignoring
Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
...
Mar 19 16:21:20 gateway pluto[2988]: "wanClient" #2: responding to Main Mode
...
Mar 19 16:21:20 gateway pluto[2988]: | ike_alg_enc_ok(ealg=5,key_len=0):
blocksize=8, keyminlen=192, keydeflen=192, keymaxlen=192,
...
Mar 19 16:21:20 gateway pluto[2988]: | sending 84 bytes for STATE_MAIN_R0
through eth1 to 192.168.3.10:500:
...
Mar 19 16:21:20 gateway pluto[2988]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #2
Mar 19 16:21:20 gateway pluto[2988]: | next event EVENT_RETRANSMIT in 10
seconds for #2
Mar 19 16:21:20 gateway pluto[2988]: |
Mar 19 16:21:20 gateway pluto[2988]: | *received 184 bytes from
192.168.3.10:500 on eth1
...
...
Mar 19 16:21:20 gateway pluto[2988]: | DH public value received:
...
Mar 19 16:21:20 gateway pluto[2988]: | Local DH secret:
...
Mar 19 16:21:20 gateway pluto[2988]: | Public DH value sent:
...
Mar 19 16:21:20 gateway pluto[2988]: | DH shared secret:
...
Mar 19 16:21:20 gateway pluto[2988]: | sending 188 bytes for STATE_MAIN_R1
through eth1 to 192.168.3.10:500:
...
Mar 19 16:21:20 gateway pluto[2988]: | inserting event EVENT_RETRANSMIT,
timeout in 10 seconds for #2
Mar 19 16:21:20 gateway pluto[2988]: | next event EVENT_RETRANSMIT in 10
seconds for #2
Mar 19 16:21:20 gateway pluto[2988]: |
Mar 19 16:21:20 gateway pluto[2988]: | *received 1564 bytes from
192.168.3.10:500 on eth1
...
Mar 19 16:21:20 gateway pluto[2988]: | state object #2 found, in STATE_MAIN_R2
Mar 19 16:21:20 gateway pluto[2988]: | received encrypted packet from
192.168.3.10:500
Mar 19 16:21:20 gateway pluto[2988]: | decrypting 1536 bytes using algorithm
OAKLEY_3DES_CBC
Mar 19 16:21:20 gateway pluto[2988]: | decrypted:
...
Mar 19 16:21:20 gateway pluto[2988]: "wanClient" #2: Peer ID is
ID_DER_ASN1_DN: 'C=...
Mar 19 16:21:20 gateway pluto[2988]: | L0 - certificate:
...
Mar 19 16:21:20 gateway pluto[2988]: | L1 - tbsCertificate:
...
Mar 19 16:21:20 gateway pluto[2988]: | L2 - DEFAULT v1:
Mar 19 16:21:20 gateway pluto[2988]: | L3 - version:
Mar 19 16:21:20 gateway pluto[2988]: | 02
Mar 19 16:21:20 gateway pluto[2988]: | v3
Mar 19 16:21:20 gateway pluto[2988]: | L2 - serialNumber:
Mar 19 16:21:20 gateway pluto[2988]: | 03
Mar 19 16:21:20 gateway pluto[2988]: | L2 - signature:
Mar 19 16:21:20 gateway pluto[2988]: | L3 - sigAlg:
Mar 19 16:21:20 gateway pluto[2988]: | 'md5WithRSAEncryption'
Mar 19 16:21:20 gateway pluto[2988]: | L2 - issuer:
...
Mar 19 16:21:20 gateway pluto[2988]: | L2 - validity:
Mar 19 16:21:20 gateway pluto[2988]: | L3 - notBefore:
Mar 19 16:21:20 gateway pluto[2988]: | 'Mar 16 17:03:56 UTC 2004'
Mar 19 16:21:20 gateway pluto[2988]: | L3 - notAfter:
Mar 19 16:21:20 gateway pluto[2988]: | 'Mar 14 17:03:56 UTC 2014'
...
Mar 19 16:21:21 gateway pluto[2988]: | L4 - algorithm:
Mar 19 16:21:21 gateway pluto[2988]: | 'rsaEncryption'
Mar 19 16:21:21 gateway pluto[2988]: | L3 - subjectPublicKey:
Mar 19 16:21:21 gateway pluto[2988]: | L4 - RSAPublicKey:
Mar 19 16:21:21 gateway pluto[2988]: | L5 - modulus:
...
Mar 19 16:21:21 gateway pluto[2988]: | L5 - publicExponent:
Mar 19 16:21:21 gateway pluto[2988]: | 01 00 01
Mar 19 16:21:21 gateway pluto[2988]: | L2 - optional extensions:
Mar 19 16:21:21 gateway pluto[2988]: | L3 - extensions:
Mar 19 16:21:21 gateway pluto[2988]: | L4 - extension:
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnID:
Mar 19 16:21:21 gateway pluto[2988]: | 'basicConstraints'
Mar 19 16:21:21 gateway pluto[2988]: | L5 - critical:
Mar 19 16:21:21 gateway pluto[2988]: | FALSE
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnValue:
Mar 19 16:21:21 gateway pluto[2988]: | 30 00
Mar 19 16:21:21 gateway pluto[2988]: | L6 - basicConstraints:
Mar 19 16:21:21 gateway pluto[2988]: | L7 - CA:
Mar 19 16:21:21 gateway pluto[2988]: | FALSE
Mar 19 16:21:21 gateway pluto[2988]: | L4 - extension:
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnID:
Mar 19 16:21:21 gateway pluto[2988]: | 'nsComment'
Mar 19 16:21:21 gateway pluto[2988]: | L5 - critical:
Mar 19 16:21:21 gateway pluto[2988]: | FALSE
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnValue:
Mar 19 16:21:21 gateway pluto[2988]: | 16 1d 4f 70 65 6e 53 53 4c 20 47 65
6e 65 72 61
Mar 19 16:21:21 gateway pluto[2988]: | 74 65 64 20 43 65 72 74 69 66 69 63
61 74 65
Mar 19 16:21:21 gateway pluto[2988]: | L4 - extension:
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnID:
Mar 19 16:21:21 gateway pluto[2988]: | 'subjectKeyIdentifier'
Mar 19 16:21:21 gateway pluto[2988]: | L5 - critical:
Mar 19 16:21:21 gateway pluto[2988]: | FALSE
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnValue:
Mar 19 16:21:21 gateway pluto[2988]: | 04 14 37 8b d5 e2 42 2a e7 18 ae 44
1e bb e8 e5
Mar 19 16:21:21 gateway pluto[2988]: | 6e 39 a7 9a bb c3
Mar 19 16:21:21 gateway pluto[2988]: | L4 - extension:
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnID:
Mar 19 16:21:21 gateway pluto[2988]: | 'authorityKeyIdentifier'
Mar 19 16:21:21 gateway pluto[2988]: | L5 - critical:
Mar 19 16:21:21 gateway pluto[2988]: | FALSE
Mar 19 16:21:21 gateway pluto[2988]: | L5 - extnValue:
Mar 19 16:21:21 gateway pluto[2988]: | L1 - signatureAlgorithm:
Mar 19 16:21:21 gateway pluto[2988]: | L2 - algorithm:
Mar 19 16:21:21 gateway pluto[2988]: | 'md5WithRSAEncryption'
Mar 19 16:21:21 gateway pluto[2988]: | L1 - signature:
Mar 19 16:21:21 gateway pluto[2988]: | Subject: 'C=...
Mar 19 16:21:21 gateway pluto[2988]: | not before : Mar 16 17:03:56 UTC
2004
Mar 19 16:21:21 gateway pluto[2988]: | current time: Mar 19 15:21:21 UTC
2004
Mar 19 16:21:21 gateway pluto[2988]: | not after : Mar 14 17:03:56 UTC
2014
Mar 19 16:21:21 gateway pluto[2988]: | certificate is valid
Mar 19 16:21:21 gateway pluto[2988]: | Issuer: 'C=...
Mar 19 16:21:21 gateway pluto[2988]: | issuer CA certificate found
Mar 19 16:21:21 gateway pluto[2988]: | Signature Algorithm:
'md5WithRSAEncryption'
Mar 19 16:21:21 gateway pluto[2988]: "wanClient" #2: Issuer CRL not found
Mar 19 16:21:21 gateway pluto[2988]: | Subject: '...
Mar 19 16:21:21 gateway pluto[2988]: | not before : Mar 16 16:44:49 UTC
2004
Mar 19 16:21:21 gateway pluto[2988]: | current time: Mar 19 15:21:21 UTC
2004
Mar 19 16:21:21 gateway pluto[2988]: | not after : Apr 15 16:44:49 UTC
2004
Mar 19 16:21:21 gateway pluto[2988]: | certificate is valid
Mar 19 16:21:21 gateway pluto[2988]: | Issuer: '...
Mar 19 16:21:21 gateway pluto[2988]: | issuer CA certificate found
Mar 19 16:21:21 gateway pluto[2988]: | Signature Algorithm:
'md5WithRSAEncryption'
Mar 19 16:21:21 gateway pluto[2988]: | digest: 87 be 74 35 bd 04 ff f7 7c
06 11 17 ef bc 7f 7d
Mar 19 16:21:21 gateway pluto[2988]: | decrypted signature:
...
Mar 19 16:21:21 gateway pluto[2988]: | certificate signature is valid
Mar 19 16:21:21 gateway pluto[2988]: "wanClient" #2: Issuer CRL not found
Mar 19 16:21:21 gateway pluto[2988]: | Public key validated
Mar 19 16:21:21 gateway pluto[2988]: | hashing 160 bytes of SA
Mar 19 16:21:21 gateway pluto[2988]: | an RSA Sig check passed with *AwEAAeaiG
[preloaded key]
Mar 19 16:21:21 gateway pluto[2988]: | authentication succeeded
Mar 19 16:21:22 gateway pluto[2988]: "wanClient" #2: sent MR3, ISAKMP SA
established
Mar 19 16:21:22 gateway pluto[2988]: | next event EVENT_SHUNT_SCAN in 56
seconds
Mar 19 16:21:22 gateway pluto[2988]: |
Mar 19 16:21:22 gateway pluto[2988]: | *received 1564 bytes from
192.168.3.10:500 on eth1
...
Mar 19 16:21:23 gateway pluto[2988]: "wanClient" #2: Quick Mode I1 message is
unacceptable because it uses a previously used Message ID 0xdbd7ba97 (perhaps
this is a duplicated packet)
Mar 19 16:21:23 gateway pluto[2988]: "wanClient" #2: sending encrypted
notification INVALID_MESSAGE_ID to 192.168.3.10:500
...
Mar 19 16:21:25 gateway pluto[2988]: "wanClient" #2: Quick Mode I1 message is
unacceptable because it uses a previously used Message ID 0xdbd7ba97 (perhaps
this is a duplicated packet)
Mar 19 16:21:25 gateway pluto[2988]: "wanClient" #2: sending encrypted
notification INVALID_MESSAGE_ID to 192.168.3.10:500


Does anyone have a tip regarding SuSEfirewall, or know why freeswan gives this message: "Quick Mode
I1 message is unacceptable because it uses a previously used Message ID
0xdbd7ba97 (perhaps this is a duplicated packet)"?


Sage
 

jado

Member
I wonder why you have to enable IP_FORWARDING for the ping from 192.168.3.x to 192.168.3.2
(without firewall).

- Post your "ipconfig" output.

"previously used Message ID":
Check whether the IPsec session key changed shortly before that message.
 

sage

Newbie
Hi,

Yes, correct: not for the ping within the same network. Once the ipsec connection is up, I want to be able to reach resources in the .1 network from the .3 network depending on the destination, and also destinations on the Internet via masquerading.
So I still have a routing problem!

A ping 192.168.3.2 (vpn-gw) now also works fine with the firewall, after I moved the mistaken entry of ipsec0 as EXT_DEV over to INT_DEV (because that is all it is in my setup: only internal WLAN clients are to be routed as a separate network via an access point attached to the vpn gateway, just like the machines from the wired network).




ifconfig
====
eth0 Protokoll:Ethernet Hardware Adresse 00:C0:26:8C:89:D7
inet Adresse:192.168.1.2 Bcast:192.168.1.255 Maske:255.255.255.0
inet6 Adresse: fe80::2c0:26ff:fe8c:89d7/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4847 errors:0 dropped:0 overruns:0 frame:0
TX packets:2795 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:100
RX bytes:415536 (405.7 Kb) TX bytes:1569250 (1.4 Mb)
Interrupt:9

eth1 Protokoll:Ethernet Hardware Adresse 00:C0:26:20:56:B3
inet Adresse:192.168.3.2 Bcast:192.168.3.255 Maske:255.255.255.0
inet6 Adresse: fe80::2c0:26ff:fe20:56b3/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3112 errors:0 dropped:0 overruns:0 frame:0
TX packets:359 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:100
RX bytes:279292 (272.7 Kb) TX bytes:127433 (124.4 Kb)
Interrupt:11 Basisadresse:0x2000

eth2 Protokoll:Ethernet Hardware Adresse 00:50:FC:37:58:9A
inet Adresse:192.168.2.22 Bcast:192.168.2.255 Maske:255.255.255.0
inet6 Adresse: fe80::250:fcff:fe37:589a/64 Gültigkeitsbereich:Verbindung
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:3417 errors:0 dropped:0 overruns:0 frame:9
TX packets:2729 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:100
RX bytes:3257931 (3.1 Mb) TX bytes:302263 (295.1 Kb)
Interrupt:12 Basisadresse:0xd000

ipsec0 Protokoll:Ethernet Hardware Adresse 00:C0:26:20:56:B3
inet Adresse:192.168.3.2 Maske:255.255.255.0
inet6 Adresse: fe80::2c0:26ff:fe20:56b3/64 Gültigkeitsbereich:Verbindung
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:3 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

lo Protokoll:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
inet6 Adresse: ::1/128 Gültigkeitsbereich:Maschine
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:18000 errors:0 dropped:0 overruns:0 frame:0
TX packets:18000 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:2325166 (2.2 Mb) TX bytes:2325166 (2.2 Mb)

ppp0 Protokoll:punkt-zu-Punkt Verbindung
inet Adresse:xxxxx P-z-P:xxxx Maske:255.255.255.255
UP PUNKTZUPUNKT RUNNING NOARP MULTICAST MTU:1492 Metric:1
RX packets:3308 errors:0 dropped:0 overruns:0 frame:0
TX packets:2617 errors:0 dropped:9 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:3
RX bytes:3178615 (3.0 Mb) TX bytes:237866 (232.2 Kb)


So I still have a routing problem in the firewall settings:
grep -v ^# /etc/sysconfig/SuSEfirewall2 | grep -v ^$ -
FW_QUICKMODE="no"
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0 eth1 ipsec0"
FW_DEV_DMZ=""
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_MASQ_DEV="ppp0"
FW_MASQ_NETS="192.168.1.0/24 192.168.3.0/24"
FW_PROTECT_FROM_INTERNAL="yes"
FW_AUTOPROTECT_SERVICES="yes"
FW_SERVICES_EXT_TCP="......."
FW_SERVICES_EXT_UDP=""
FW_SERVICES_EXT_IP=""
FW_SERVICES_DMZ_TCP=""
FW_SERVICES_DMZ_UDP=""
FW_SERVICES_DMZ_IP=""
FW_SERVICES_INT_TCP="..."
FW_SERVICES_INT_UDP="-... 500 1701 53..."
FW_SERVICES_INT_IP="50 51"
FW_SERVICES_QUICK_TCP=""
FW_SERVICES_QUICK_UDP=""
FW_SERVICES_QUICK_IP=""
FW_TRUSTED_NETS="192.168.1.0/24 192.168.3.0/24"
FW_ALLOW_INCOMING_HIGHPORTS_TCP="no"
FW_ALLOW_INCOMING_HIGHPORTS_UDP="DNS"
FW_SERVICE_AUTODETECT="yes"
FW_SERVICE_DNS="no"
FW_SERVICE_DHCLIENT="no"
FW_SERVICE_DHCPD="no"
FW_SERVICE_SQUID="yes"
FW_SERVICE_SAMBA="yes"
FW_FORWARD=""
FW_FORWARD_MASQ=""
FW_REDIRECT="192.168.1.3/32,0/0,tcp,80,3128"
FW_LOG_DROP_CRIT="yes"
FW_LOG_DROP_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_LOG="--log-level warning --log-tcp-options --log-ip-option --log-prefix SuSE-FW"
FW_KERNEL_SECURITY="no"
FW_STOP_KEEP_ROUTING_STATE="no"
FW_ALLOW_PING_FW="yes"
FW_ALLOW_PING_DMZ="no"
FW_ALLOW_PING_EXT="no"
FW_ALLOW_FW_TRACEROUTE="yes"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_ALLOW_FW_BROADCAST="no"
FW_IGNORE_FW_BROADCAST="yes"
FW_ALLOW_CLASS_ROUTING="no"
FW_CUSTOMRULES=""
FW_REJECT="no"


Hope this isn't overwhelming.

Regards, sage
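The anti-spoof drop in the first post and the FW_DEV_* change that fixed it in this one can be checked mechanically. The following Python is an added example, not code from the thread or from SuSEfirewall2 itself: it parses the FW_DEV_EXT/FW_DEV_INT assignments from the two posted configurations, parses the SuSE-FW-DROP-ANTI-SPOOF kernel line, and applies a deliberately simplified model of the anti-spoof rule (a source address that also belongs to a network bound to an interface of a different zone is treated as spoofed). The interface-to-network table is taken from the ifconfig output above; the real SuSEfirewall2 script generates iptables rules and is more elaborate than this model.

```python
import ipaddress
import re

# Added example, not from the thread or from SuSEfirewall2. It models only the
# anti-spoofing idea ("a source address must be consistent with the zone of the
# interface it arrives on") in a simplified form.

# The two FW_DEV_* configurations posted in the thread (before and after the fix).
CONFIG_BEFORE = '''
FW_DEV_EXT="ppp0 ipsec0"
FW_DEV_INT="eth0 eth1"
FW_DEV_DMZ=""
'''

CONFIG_AFTER = '''
FW_DEV_EXT="ppp0"
FW_DEV_INT="eth0 eth1 ipsec0"
FW_DEV_DMZ=""
'''

# Interface -> directly connected network, taken from the posted ifconfig output
# (ppp0 carries only a host route, so it binds no local network).
IFACE_NETS = {
    "eth0": ipaddress.ip_network("192.168.1.0/24"),
    "eth1": ipaddress.ip_network("192.168.3.0/24"),
    "eth2": ipaddress.ip_network("192.168.2.0/24"),
    "ipsec0": ipaddress.ip_network("192.168.3.0/24"),
}

# The drop logged by the kernel in the first post, reconstructed as one line
# (OUT= is empty for a packet addressed to the gateway itself).
DROP_LINE = ("Mar 19 16:28:17 gateway kernel: SuSE-FW-DROP-ANTI-SPOOF IN=eth1 OUT= "
             "SRC=192.168.3.10 DST=192.168.3.2 LEN=84 TOS=0x00 PREC=0x00 TTL=128 "
             "ID=50369 PROTO=UDP SPT=500 DPT=500 LEN=64")

VAR_RE = re.compile(r'^(FW_[A-Z_]+)="([^"]*)"\s*$', re.M)
FIELD_RE = re.compile(r'(\w+)=(\S*)')


def parse_config(text):
    """Return {variable: [values]} for the FW_* shell assignments in text."""
    return {name: value.split() for name, value in VAR_RE.findall(text)}


def zone_map(cfg):
    """Return {interface: zone} from FW_DEV_EXT / FW_DEV_INT / FW_DEV_DMZ."""
    zones = {}
    for zone in ("EXT", "INT", "DMZ"):
        for iface in cfg.get(f"FW_DEV_{zone}", []):
            zones[iface] = zone
    return zones


def parse_fw_log(line):
    """Split a SuSE-FW kernel log line into its prefix and its key=value fields."""
    m = re.search(r"(SuSE-FW-\S+)\s+(.*)$", line)
    if not m:
        raise ValueError("not a SuSE-FW log line")
    fields = {}
    for key, value in FIELD_RE.findall(m.group(2)):
        # the kernel logs LEN= twice (IP total length, then UDP length); keep the first
        fields.setdefault(key, value)
    return m.group(1), fields


def zones_claiming(src, zones):
    """Zones of all interfaces whose local network contains the source address."""
    ip = ipaddress.ip_address(src)
    return {zones[i] for i, net in IFACE_NETS.items() if ip in net and i in zones}


def anti_spoof_verdict(cfg_text, line):
    """Simplified anti-spoof check. Returns (dropped, reason)."""
    zones = zone_map(parse_config(cfg_text))
    _, f = parse_fw_log(line)
    in_zone = zones.get(f["IN"])
    if in_zone is None:
        return True, f"ingress interface {f['IN']} is in no zone"
    others = zones_claiming(f["SRC"], zones) - {in_zone}
    if others:
        return True, f"source {f['SRC']} also belongs to zone(s) {sorted(others)}"
    return False, f"source {f['SRC']} is consistent with zone {in_zone} on {f['IN']}"


if __name__ == "__main__":
    for label, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        dropped, why = anti_spoof_verdict(cfg, DROP_LINE)
        print(f"{label}: {'DROP' if dropped else 'ACCEPT'} - {why}")
```

With the first configuration the 192.168.3.0/24 network is bound both to eth1 (internal) and to ipsec0 (external), so a packet from 192.168.3.10 arriving on eth1 is ambiguous and the model drops it; once ipsec0 is internal the zones agree and the IKE packet on UDP 500 is accepted, which matches what sage observed after moving ipsec0.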
 

sage

Newbie
Maybe it is also still a problem with freeswan.

ipsec auto --status shows the two configured connections for winxp and win98. Currently I am struggling with the winxp connection.

000 interface ipsec0/eth1 192.168.3.2
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=16, keysizemin=128, keysizemax=128
000
000 algorithm IKE encrypt: id=65289, name=OAKLEY_SSH_PRIVATE_65289, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=65005, name=OAKLEY_TWOFISH_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=3, name=OAKLEY_BLOWFISH_CBC, blocksize=8, keydeflen=128
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64
000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32
000 algorithm IKE hash: id=2, name=OAKLEY_SHA, hashsize=20
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536 (extension), bits=1536
000 algorithm IKE dh group: id=42048, name=OAKLEY_GROUP_MODP2048 (extension), bits=2048
000 algorithm IKE dh group: id=43072, name=OAKLEY_GROUP_MODP3072 (extension), bits=3072
000 algorithm IKE dh group: id=44096, name=OAKLEY_GROUP_MODP4096 (extension), bits=4096
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "wanXPClient": 192.168.1.0/24===192.168.3.2[C=.., ST=..., O=..., OU=..., CN=...]---192.168.1.2...192.168.3.10[C=.., ST=..., O=..., OU=..., CN=...]===192.168.3.0/24
000 "wanXPClient": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "wanXPClient": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY; interface: eth1; unrouted
000 "wanXPClient": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "wanXPClient": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, flags=-strict
000 "wanXPClient": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2,
000 "wanXPClient": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "wanXPClient": ESP algorithms loaded:
000 "wan98Client": 192.168.1.0/24===192.168.3.2[C=.., ST=..., O=..., OU=..., CN=...]...192.168.3.3[C=..., ST=..., O=..., OU=..., CN=...]===192.168.3.0/24
000 "wan98Client": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 5
000 "wan98Client": policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+DONTREKEY; interface: eth1; unrouted
000 "wan98Client": newest ISAKMP SA: #0; newest IPsec SA: #0; eroute owner: #0
000 "wan98Client": IKE algorithms wanted: 5_000-1-5, 5_000-2-5, 5_000-1-2, 5_000-2-2, flags=-strict
000 "wan98Client": IKE algorithms found: 5_192-1_128-5, 5_192-2_160-5, 5_192-1_128-2, 5_192-2_160-2,
000 "wan98Client": ESP algorithms wanted: 3_000-1, 3_000-2, flags=-strict
000 "wan98Client": ESP algorithms loaded:
===================================


What I still don't understand are the following log messages:


Mar 22 19:24:11 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.3.10:500
Mar 22 19:24:12 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a duplicated packet)
Mar 22 19:24:12 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.10:500
Mar 22 19:24:14 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a duplicated packet)
Mar 22 19:24:14 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.10:500
Mar 22 19:24:18 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a duplicated packet)
Mar 22 19:24:18 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.10:500
Mar 22 19:24:26 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a duplicated packet)
Mar 22 19:24:26 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.10:500
Mar 22 19:24:26 gateway popper[8030]: connect from 192.168.1.1 (192.168.1.1)
Mar 22 19:24:42 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a d

Regards, sage
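For the log messages sage does not understand, the sequence itself is informative: pluto first sends INVALID_ID_INFORMATION for SA #1, which is how it rejects a Quick Mode proposal whose identities do not match the connection, and the peer then retransmits the same Quick Mode I1 with the same Message ID 0xde21efb1 at 2, 4, 8 and 16 second intervals, each of which pluto rejects as a duplicate. The following Python is an added example, not from the thread or from FreeS/WAN: it parses the pluto lines (reconstructed here from the wrapped output above, with the year assumed to be 2004 because syslog does not record it), groups the "previously used Message ID" rejections per connection, SA and Message ID, measures the retransmit intervals, and reports which non-duplicate notification preceded the loop, so that the INVALID_MESSAGE_ID messages can be recognised as retransmissions following an earlier rejection rather than as a separate fault.

```python
import re
from datetime import datetime

# Added example, not from the thread. Constructed sample: the pluto lines from
# the post, unwrapped; the popper line is kept to show unrelated daemons are skipped.
PLUTO_LOG = """\
Mar 22 19:24:11 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_ID_INFORMATION to 192.168.3.10:500
Mar 22 19:24:12 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a duplicated packet)
Mar 22 19:24:12 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.10:500
Mar 22 19:24:14 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a duplicated packet)
Mar 22 19:24:14 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.10:500
Mar 22 19:24:18 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a duplicated packet)
Mar 22 19:24:18 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.10:500
Mar 22 19:24:26 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a duplicated packet)
Mar 22 19:24:26 gateway pluto[7853]: "wanXPClient" #1: sending encrypted notification INVALID_MESSAGE_ID to 192.168.3.10:500
Mar 22 19:24:26 gateway popper[8030]: connect from 192.168.1.1 (192.168.1.1)
Mar 22 19:24:42 gateway pluto[7853]: "wanXPClient" #1: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0xde21efb1 (perhaps this is a duplicated packet)
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ pluto\[\d+\]: '
    r'"(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
MSGID_RE = re.compile(r'previously used Message ID (0x[0-9a-f]+)')
NOTIFY_RE = re.compile(r'sending encrypted notification (\w+) to (\S+)')


def parse_pluto(text, year=2004):
    """Return [(timestamp, connection, sa_number, message)] for pluto lines only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other daemons (popper here) are ignored
        # syslog omits the year; it is an assumption supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m['conn'], int(m['sa']), m['msg']))
    return events


def quick_mode_replays(events):
    """Group rejected Quick Mode I1 messages by (connection, ISAKMP SA, Message ID)."""
    groups = {}
    for ts, conn, sa, msg in events:
        mid = MSGID_RE.search(msg)
        if mid:
            groups.setdefault((conn, sa, mid.group(1)), []).append(ts)
    return groups


def last_rejection_before(events, conn, sa, when):
    """Last notification other than INVALID_MESSAGE_ID sent on this SA up to `when`."""
    last = None
    for ts, c, s, msg in events:
        n = NOTIFY_RE.search(msg)
        if c == conn and s == sa and ts <= when and n and n.group(1) != "INVALID_MESSAGE_ID":
            last = n.group(1)
    return last


def analyse(text):
    """One report entry per replayed Message ID: count, intervals, doubling backoff, cause."""
    events = parse_pluto(text)
    report = []
    for (conn, sa, mid), times in quick_mode_replays(events).items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        report.append({
            "conn": conn, "sa": sa, "message_id": mid,
            "count": len(times), "gaps_s": gaps,
            # exponential backoff is the signature of a client retransmit timer
            "backoff": all(b == 2 * a for a, b in zip(gaps, gaps[1:])),
            "preceded_by": last_rejection_before(events, conn, sa, times[0]),
        })
    return report


if __name__ == "__main__":
    for entry in analyse(PLUTO_LOG):
        print(entry)
```

Run against the constructed sample, the report shows a single Message ID replayed five times with gaps of 2, 4, 8 and 16 seconds and INVALID_ID_INFORMATION as the preceding notification; on a real gateway the same grouping over /var/log/messages separates a retransmit loop like this one from genuinely unrelated INVALID_MESSAGE_ID events.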
 