I have two hosts, one is charity with IP 67.207.128.184 and the other is hope with IP 67.207.130.204. I have installed the ipsec-tools package on each host. I have not installed racoon on either host. Charity has an iptables configuration, and hope does not. Here are reports of how iptables is configured on each host (irrelevant sensitive information removed):
charity# iptables -L -v
Chain INPUT (policy ACCEPT 63 packets, 6072 bytes)
 pkts bytes target     prot opt in     out     source               destination
   49  3160 ACCEPT     all  --  lo     any     anywhere             anywhere
 6012  989K ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED
  208 12536 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:www
   13   824 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:https
    6   364 ACCEPT     tcp  --  any    any     anywhere             anywhere             tcp dpt:ssh
    0     0 ACCEPT     esp  --  any    any     anywhere             anywhere
    0     0 ACCEPT     ah   --  any    any     anywhere             anywhere
    3   245 ACCEPT     icmp --  any    any     anywhere             anywhere             icmp echo-request
   31  1759 LOG        all  --  any    any     anywhere             anywhere             LOG level debug prefix `iptables debug: '
   31  1759 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     esp  --  any    any     anywhere             anywhere
    0     0 ACCEPT     ah   --  any    any     anywhere             anywhere
    0     0 REJECT     all  --  any    any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 47 packets, 4920 bytes)
 pkts bytes target     prot opt in     out     source               destination
 5121 3650K ACCEPT     all  --  any    any     anywhere             anywhere
hope# iptables -L -v
Chain INPUT (policy ACCEPT 1194 packets, 195K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1035 packets, 452K bytes)
 pkts bytes target     prot opt in     out     source               destination
I have configured charity (67.207.128.184) with the /etc/ipsec-tools.conf file as follows:
#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

# AH SAs using 128 bit long keys
add 67.207.128.184 67.207.130.204 ah 0x200 -A hmac-md5 0x18caf1d5d58297471cd63a21fd02adb6;
add 67.207.130.204 67.207.128.184 ah 0x300 -A hmac-md5 0xde8ba4d945acbe6e85db0978b0c30184;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 67.207.128.184 67.207.130.204 esp 0x201 -E 3des-cbc 0xa3f3baeaff7ad1cc3c00df7ad4b2bd26e4af4a703308431b;
add 67.207.130.204 67.207.128.184 esp 0x301 -E 3des-cbc 0xf51e36bb6640072612366e134b5919f60f5a0af22fefa7fb;

# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P out ipsec esp/transport//require ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P in ipsec esp/transport//require ah/transport//require;
I have configured hope (67.207.130.204) with the /etc/ipsec-tools.conf file as follows:
#!/usr/sbin/setkey -f

# Flush the SAD and SPD
flush;
spdflush;

# AH SAs using 128 bit long keys
add 67.207.128.184 67.207.130.204 ah 0x200 -A hmac-md5 0x18caf1d5d58297471cd63a21fd02adb6;
add 67.207.130.204 67.207.128.184 ah 0x300 -A hmac-md5 0xde8ba4d945acbe6e85db0978b0c30184;

# ESP SAs using 192 bit long keys (168 + 24 parity)
add 67.207.128.184 67.207.130.204 esp 0x201 -E 3des-cbc 0xa3f3baeaff7ad1cc3c00df7ad4b2bd26e4af4a703308431b;
add 67.207.130.204 67.207.128.184 esp 0x301 -E 3des-cbc 0xf51e36bb6640072612366e134b5919f60f5a0af22fefa7fb;

# Security policies
spdadd 67.207.128.184 67.207.130.204 any -P in ipsec esp/transport//require ah/transport//require;
spdadd 67.207.130.204 67.207.128.184 any -P out ipsec esp/transport//require ah/transport//require;
After making changes to these files I restarted /etc/init.d/setkey. I ran tcpdump on hope, SSH'd from charity to hope, and saw the following in the tcpdump log:
18:46:11.218238 IP charity.progclub.org > hope: AH(spi=0x00000200,seq=0x40): ESP(spi=0x00000201,seq=0x40), length 64
18:46:11.218361 IP hope > charity.progclub.org: AH(spi=0x00000300,seq=0x22): ESP(spi=0x00000301,seq=0x22), length 64
18:46:11.218822 IP charity.progclub.org > hope: AH(spi=0x00000200,seq=0x41): ESP(spi=0x00000201,seq=0x41), length 56
18:46:11.232615 IP hope > charity.progclub.org: AH(spi=0x00000300,seq=0x23): ESP(spi=0x00000301,seq=0x23), length 96
18:46:11.233099 IP charity.progclub.org > hope: AH(spi=0x00000200,seq=0x42): ESP(spi=0x00000201,seq=0x42), length 56
18:46:11.233205 IP charity.progclub.org > hope: AH(spi=0x00000200,seq=0x43): ESP(spi=0x00000201,seq=0x43), length 96
However, the SSH session just hangs there, "nothing happens". I have to press Ctrl+C to cancel the attempted SSH connection.

So, I have configured IPsec on each host, and according to tcpdump IPsec is being used, but the test connection just hangs. I don't know what to do next. How can I debug this problem? What have I missed in the configuration? Thanks in advance for any advice.

p.s. I will be changing these keys that I have posted publicly.
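An added example, not part of the question above and not ipsec-tools code: a small Python checker that parses a pair of setkey -f files laid out like the ones posted, verifies that the manually keyed SAs and the in/out policies mirror each other between the two hosts, and matches the AH/ESP SPIs seen in tcpdump lines against the configured SAs per direction. The IPs, SPIs and the two tcpdump lines are taken from the question; the keys, the hostname-to-IP mapping and all function names are constructed assumptions.

```python
"""Consistency check for a pair of manually keyed ipsec-tools (setkey) configs.

Added example, not from the question or the ipsec-tools project. It answers two
questions a defender asks first when a manually keyed transport-mode link misbehaves:
do the two /etc/ipsec-tools.conf files actually mirror each other, and do the SPIs
on the wire belong to the SAs that were configured?
"""
import re
from collections import namedtuple

SA = namedtuple("SA", "src dst proto spi alg key")
SP = namedtuple("SP", "src dst direction policy")

# 'add SRC DST ah|esp SPI -A|-E ALG KEY;' and 'spdadd SRC DST any -P in|out POLICY;'
SA_RE = re.compile(r"^add\s+(\S+)\s+(\S+)\s+(ah|esp)\s+(0x[0-9a-fA-F]+)\s+-[AE]\s+(\S+)\s+(0x[0-9a-fA-F]+)\s*;$")
SP_RE = re.compile(r"^spdadd\s+(\S+)\s+(\S+)\s+\S+\s+-P\s+(in|out)\s+(.+?)\s*;$")
# tcpdump without -n prints hostnames; AH is the outer header, ESP the inner one.
DUMP_RE = re.compile(r"IP (\S+) > (\S+?): AH\(spi=(0x[0-9a-f]+),seq=0x[0-9a-f]+\): ESP\(spi=(0x[0-9a-f]+),")


def parse_setkey(text):
    """Return (SAs, SPs) from a setkey -f script; flush/spdflush and '#' comments are ignored."""
    sas, sps = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SA_RE.match(line)
        if m:
            src, dst, proto, spi, alg, key = m.groups()
            sas.append(SA(src, dst, proto, int(spi, 16), alg, key.lower()))
            continue
        m = SP_RE.match(line)
        if m:
            src, dst, direction, policy = m.groups()
            sps.append(SP(src, dst, direction, tuple(policy.split())))
    return sas, sps


def check_pair(conf_a, ip_a, conf_b, ip_b):
    """Return a list of problems; an empty list means the two configs mirror each other."""
    problems = []
    sas_a, sps_a = parse_setkey(conf_a)
    sas_b, sps_b = parse_setkey(conf_b)
    # 1. Manually keyed SAs must be identical on both ends (same SPI, algorithm, key per direction).
    for sa in set(sas_a) ^ set(sas_b):
        problems.append(f"SA {sa.proto} spi=0x{sa.spi:x} {sa.src}->{sa.dst} differs between hosts")
    # 2. A host's 'out' policy must name it as src, its 'in' policy as dst.
    for ip, sps in ((ip_a, sps_a), (ip_b, sps_b)):
        for sp in sps:
            own = sp.src if sp.direction == "out" else sp.dst
            if own != ip:
                problems.append(f"{ip}: {sp.direction} policy {sp.src}->{sp.dst} does not refer to this host")
    # 3. Every 'out' policy needs the same 'in' policy on the peer, with identical requirements.
    mirror = {"out": "in", "in": "out"}
    for sps_x, sps_y, ip_x in ((sps_a, sps_b, ip_a), (sps_b, sps_a, ip_b)):
        for sp in sps_x:
            if SP(sp.src, sp.dst, mirror[sp.direction], sp.policy) not in sps_y:
                problems.append(f"{ip_x}: policy {sp.direction} {sp.src}->{sp.dst} has no mirror on the peer")
    return problems


def check_capture(dump, sas, names):
    """Map AH/ESP SPIs seen on the wire to configured SAs; returns (directions seen, unknown SPIs)."""
    configured = {(sa.src, sa.dst, sa.proto, sa.spi) for sa in sas}
    seen, unknown = set(), []
    for m in DUMP_RE.finditer(dump):
        src, dst = names.get(m.group(1), m.group(1)), names.get(m.group(2), m.group(2))
        for proto, spi in (("ah", int(m.group(3), 16)), ("esp", int(m.group(4), 16))):
            if (src, dst, proto, spi) in configured:
                seen.add((src, dst))
            else:
                unknown.append((src, dst, proto, spi))
    return seen, unknown


# Constructed sample data in the layout of the question. IPs and SPIs are the question's;
# the keys are placeholders, not the ones that were posted.
CHARITY_IP, HOPE_IP = "67.207.128.184", "67.207.130.204"
SA_BLOCK = "\n".join([
    f"add {CHARITY_IP} {HOPE_IP} ah 0x200 -A hmac-md5 0x00112233445566778899aabbccddeeff;",
    f"add {HOPE_IP} {CHARITY_IP} ah 0x300 -A hmac-md5 0xffeeddccbbaa99887766554433221100;",
    f"add {CHARITY_IP} {HOPE_IP} esp 0x201 -E 3des-cbc 0x" + "01" * 24 + ";",
    f"add {HOPE_IP} {CHARITY_IP} esp 0x301 -E 3des-cbc 0x" + "02" * 24 + ";",
])


def sample_conf(own, peer):
    """Build one host's file: shared SA block, then this host's out/in policies."""
    return (f"#!/usr/sbin/setkey -f\nflush;\nspdflush;\n{SA_BLOCK}\n"
            f"spdadd {own} {peer} any -P out ipsec esp/transport//require ah/transport//require;\n"
            f"spdadd {peer} {own} any -P in ipsec esp/transport//require ah/transport//require;\n")


CHARITY_CONF = sample_conf(CHARITY_IP, HOPE_IP)
HOPE_CONF = sample_conf(HOPE_IP, CHARITY_IP)
NAMES = {"charity.progclub.org": CHARITY_IP, "hope": HOPE_IP}  # assumed name->IP mapping
CAPTURE = (
    "18:46:11.218238 IP charity.progclub.org > hope: AH(spi=0x00000200,seq=0x40): ESP(spi=0x00000201,seq=0x40), length 64\n"
    "18:46:11.218361 IP hope > charity.progclub.org: AH(spi=0x00000300,seq=0x22): ESP(spi=0x00000301,seq=0x22), length 64\n"
)

if __name__ == "__main__":
    for p in check_pair(CHARITY_CONF, CHARITY_IP, HOPE_CONF, HOPE_IP) or ["configs mirror each other"]:
        print(p)
    seen, unknown = check_capture(CAPTURE, parse_setkey(CHARITY_CONF)[0], NAMES)
    print("directions seen on the wire:", sorted(seen), "unknown SPIs:", unknown)
```

When both checks pass, as they do for the files in the question, the IPsec layer itself is consistent and the next place to look is what happens to the decapsulated TCP packets on each host rather than the SAs or policies.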