❗️This is the original version of the ISPforum.cz internet forum as of February 2020, with registration of new users disabled. The active version of the forum can be found at https://telekomunikace.cz

IPsec check

Guides and configuration problems.
honzap
Posts: 11
Registered: 19 years ago

IPsec check

Post by honzap » 10 years ago

Could someone please take a look at why this isn't working?
The original config wouldn't connect, so I'm trying to simulate it on the bench.
Both MKs (ether1) are connected to a local router, from which they get their IP addresses.
But I can't ping 10.34.66.1 from MK1, nor 10.34.34.1 from MK2.

MK1
ether1 10.123.0.222/24 WAN
ether2 10.34.34.1/24 LAN


FW:

0 chain=srcnat action=accept src-address=10.34.34.0/24
dst-address=10.34.66.0/24 log=no log-prefix=""

1 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""


IPsec policy


1 T group=default src-address=10.34.34.0/24 dst-address=10.34.66.0/24
protocol=all proposal=default template=yes

IPsec peer

0 address=10.123.0.221/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="test" generate-policy=no
policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des,aes-128 dh-group=modp1024
lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

IPsec proposal

0 * name="default" auth-algorithms=sha1 enc-algorithms=3des,aes-128-cbc
lifetime=30m pfs-group=modp1024


MK2
ether1 10.123.0.221/24 WAN
ether2 10.34.66.1/24 LAN



FW:

Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=accept src-address=10.34.66.0/24
dst-address=10.34.34.0/24 log=no log-prefix=""

1 chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

IPsec policy

1 T group=default src-address=10.34.66.0/24 dst-address=10.34.34.0/24
protocol=all proposal=default template=yes


IPsec peer

0 address=10.123.0.222/32 local-address=0.0.0.0 passive=no port=500
auth-method=pre-shared-key secret="test" generate-policy=no
policy-template-group=default exchange-mode=main
send-initial-contact=yes nat-traversal=no proposal-check=obey
hash-algorithm=sha1 enc-algorithm=3des,aes-128 dh-group=modp1024
lifetime=1d lifebytes=0 dpd-interval=2m dpd-maximum-failures=5

IPsec proposal


0 * name="default" auth-algorithms=sha1 enc-algorithms=3des,aes-128-cbc
lifetime=30m pfs-group=modp1024


LOG:

22:40:29 ipsec,debug,packet HASH with:
22:40:29 ipsec,debug,packet b37c97cf 00000020 00000001 01108d28 e9cc6305 6c6fc3a9 59bfc666 caadea3f
22:40:29 ipsec,debug,packet 000008b9
22:40:29 ipsec,debug,packet hmac(hmac_sha1)
22:40:29 ipsec,debug,packet HASH computed:
22:40:29 ipsec,debug,packet b077b6a8 178137a9 b9c03a8e 9c506b9e dd3803aa
22:40:29 ipsec,debug,packet hash validated.
22:40:29 ipsec,debug,packet begin.
22:40:29 ipsec,debug,packet seen nptype=8(hash)
22:40:29 ipsec,debug,packet seen nptype=11(notify)
22:40:29 ipsec,debug,packet succeed.
22:40:29 ipsec,debug,packet DPD R-U-There received
22:40:29 ipsec,debug,packet compute IV for phase2
22:40:29 ipsec,debug,packet phase1 last IV:
22:40:29 ipsec,debug,packet c9abe895 41bfd054 d9919107
22:40:29 ipsec,debug,packet hash(sha1)
22:40:29 ipsec,debug,packet encryption(3des)
22:40:29 ipsec,debug,packet phase2 IV computed:
22:40:29 ipsec,debug,packet 2956610a 464886b6
22:40:29 ipsec,debug,packet HASH with:
22:40:29 ipsec,debug,packet d9919107 00000020 00000001 01108d29 e9cc6305 6c6fc3a9 59bfc666 caadea3f
22:40:29 ipsec,debug,packet 000008b9
22:40:29 ipsec,debug,packet hmac(hmac_sha1)
22:40:29 ipsec,debug,packet HASH computed:
22:40:29 ipsec,debug,packet 9553b91b 85c2bc81 00f93c81 b851c05f 8a683ff6
22:40:29 ipsec,debug,packet begin encryption.
22:40:29 ipsec,debug,packet encryption(3des)
22:40:29 ipsec,debug,packet pad length = 8
22:40:29 ipsec,debug,packet 0b000018 9553b91b 85c2bc81 00f93c81 b851c05f 8a683ff6 00000020 00000001
22:40:29 ipsec,debug,packet 01108d29 e9cc6305 6c6fc3a9 59bfc666 caadea3f 000008b9 f8ac8faf a4aacd07
22:40:29 ipsec,debug,packet encryption(3des)
22:40:29 ipsec,debug,packet with key:
22:40:29 ipsec,debug,packet 3732a6ab 59b5b39c a26d3101 b984c464 1f2e12cc b8bcee87
22:40:29 ipsec,debug,packet encrypted payload by IV:
22:40:29 ipsec,debug,packet 2956610a 464886b6
22:40:29 ipsec,debug,packet save IV for next:
22:40:29 ipsec,debug,packet 3c1f8f0c 9978c282
22:40:29 ipsec,debug,packet encrypted.
22:40:29 ipsec,debug,packet 92 bytes from 10.123.0.221[500] to 10.123.0.222[500]
22:40:29 ipsec,debug,packet sockname 10.123.0.221[500]
22:40:29 ipsec,debug,packet send packet from 10.123.0.221[500]
22:40:29 ipsec,debug,packet send packet to 10.123.0.222[500]
22:40:29 ipsec,debug,packet src4 10.123.0.221[500]
22:40:29 ipsec,debug,packet dst4 10.123.0.222[500]
22:40:29 ipsec,debug,packet 1 times of 92 bytes message will be sent to 10.123.0.222[500]
22:40:29 ipsec,debug,packet e9cc6305 6c6fc3a9 59bfc666 caadea3f 08100501 d9919107 0000005c e68d798c
22:40:29 ipsec,debug,packet 714e9902 e4c640f2 b0ce071c 9c188ccf 28319d51 aaa2a94c 2836b0b2 90bc637f
22:40:29 ipsec,debug,packet 77b5a1eb edc39376 0a8342b1 5f09af60 156e512e 3c1f8f0c 9978c282
22:40:29 ipsec,debug,packet sendto Information notify.
22:40:29 ipsec,debug,packet received a valid R-U-THERE, ACK sent
22:40:30 ipsec,debug,packet DPD monitoring....
22:40:30 ipsec,debug,packet compute IV for phase2
22:40:30 ipsec,debug,packet phase1 last IV:
22:40:30 ipsec,debug,packet c9abe895 41bfd054 ad8631c3
22:40:30 ipsec,debug,packet hash(sha1)
22:40:30 ipsec,debug,packet encryption(3des)
22:40:30 ipsec,debug,packet phase2 IV computed:
22:40:30 ipsec,debug,packet 9550d575 63041d62
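As an added example, not part of honzap's post, here is a Python script that runs the checks a reviewer would do by hand on a mirrored pair of RouterOS site-to-site configs like the two above: peer address versus the other side's WAN, mirrored policy selectors, matching phase 1 and phase 2 parameters, the srcnat bypass rule sitting above masquerade, and whether the policy is a template while the peer has generate-policy=no (a template policy is only a pattern for policies generated for a peer with generate-policy enabled; it does not itself select traffic, which fits a log excerpt that shows only DPD keepalives on the phase 1 SA). The sample data is constructed from the items quoted in the post, trimmed and joined onto one line each; the "wan" entries are the ether1 addresses.

```python
"""Consistency check for a mirrored pair of RouterOS IPsec site-to-site configs.
Added example: it parses 'print'-style items (index, flags, key=value ...) and
reports the mismatches that commonly stop phase 2 while phase 1 looks fine."""
import shlex

# Constructed sample input, trimmed from the two routers' items in the post.
MK1 = {
    "wan": "10.123.0.222",
    "fw": [
        "0 chain=srcnat action=accept src-address=10.34.34.0/24 dst-address=10.34.66.0/24",
        "1 chain=srcnat action=masquerade out-interface=ether1",
    ],
    "policy": "1 T group=default src-address=10.34.34.0/24 dst-address=10.34.66.0/24 "
              "protocol=all proposal=default template=yes",
    "peer": '0 address=10.123.0.221/32 local-address=0.0.0.0 passive=no port=500 '
            'auth-method=pre-shared-key secret="test" generate-policy=no '
            'policy-template-group=default exchange-mode=main nat-traversal=no '
            'proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128 dh-group=modp1024',
    "proposal": '0 * name="default" auth-algorithms=sha1 enc-algorithms=3des,aes-128-cbc '
                'lifetime=30m pfs-group=modp1024',
}
MK2 = {
    "wan": "10.123.0.221",
    "fw": [
        "0 chain=srcnat action=accept src-address=10.34.66.0/24 dst-address=10.34.34.0/24",
        "1 chain=srcnat action=masquerade out-interface=ether1",
    ],
    "policy": "1 T group=default src-address=10.34.66.0/24 dst-address=10.34.34.0/24 "
              "protocol=all proposal=default template=yes",
    "peer": '0 address=10.123.0.222/32 local-address=0.0.0.0 passive=no port=500 '
            'auth-method=pre-shared-key secret="test" generate-policy=no '
            'policy-template-group=default exchange-mode=main nat-traversal=no '
            'proposal-check=obey hash-algorithm=sha1 enc-algorithm=3des,aes-128 dh-group=modp1024',
    "proposal": '0 * name="default" auth-algorithms=sha1 enc-algorithms=3des,aes-128-cbc '
                'lifetime=30m pfs-group=modp1024',
}


def parse_item(line):
    """Turn one RouterOS print item into a dict; the leading index and flag
    tokens have no '=' and are skipped, shlex strips the quotes around values."""
    item = {}
    for tok in shlex.split(line):
        key, sep, val = tok.partition("=")
        if sep:
            item[key] = val
    return item


def algos(value):
    """Comma-separated algorithm list ('3des,aes-128') as a set."""
    return set(value.split(","))


def check_side(name, side, other):
    """Findings for one router when compared against its mirror image."""
    peer, pol, prop = (parse_item(side[k]) for k in ("peer", "policy", "proposal"))
    o_peer, o_pol, o_prop = (parse_item(other[k]) for k in ("peer", "policy", "proposal"))
    findings = []
    if peer["address"].split("/")[0] != other["wan"]:
        findings.append(f"{name}: peer address {peer['address']} is not the other side's WAN {other['wan']}")
    if (pol["src-address"], pol["dst-address"]) != (o_pol["dst-address"], o_pol["src-address"]):
        findings.append(f"{name}: policy selectors are not the mirror of the other side's policy")
    # A template policy only serves as a pattern for generated policies; with
    # generate-policy=no on the peer nothing ever matches the LAN-to-LAN traffic.
    if pol.get("template") == "yes" and peer.get("generate-policy", "no") == "no":
        findings.append(f"{name}: policy has template=yes but peer has generate-policy=no, "
                        "so no active policy selects the tunnel traffic")
    # Phase 1: single-valued parameters must agree, algorithm lists must overlap.
    for key in ("hash-algorithm", "dh-group", "exchange-mode"):
        if peer.get(key) != o_peer.get(key):
            findings.append(f"{name}: phase1 {key} {peer.get(key)} != {o_peer.get(key)}")
    if not algos(peer["enc-algorithm"]) & algos(o_peer["enc-algorithm"]):
        findings.append(f"{name}: no common phase1 encryption algorithm")
    # Phase 2: PFS group must match, proposal algorithm lists must overlap.
    if prop.get("pfs-group") != o_prop.get("pfs-group"):
        findings.append(f"{name}: pfs-group {prop.get('pfs-group')} != {o_prop.get('pfs-group')}")
    for key in ("auth-algorithms", "enc-algorithms"):
        if not algos(prop[key]) & algos(o_prop[key]):
            findings.append(f"{name}: no common phase2 {key}")
    # NAT: the accept rule for the tunnel subnets must come before masquerade,
    # otherwise the packets are translated and no longer match the policy.
    rules = [parse_item(r) for r in side["fw"]]
    bypass = [i for i, r in enumerate(rules) if r.get("action") == "accept"
              and r.get("src-address") == pol["src-address"]
              and r.get("dst-address") == pol["dst-address"]]
    masq = [i for i, r in enumerate(rules) if r.get("action") == "masquerade"]
    if not bypass or (masq and bypass[0] > masq[0]):
        findings.append(f"{name}: tunnel traffic is not exempted from srcnat before masquerade")
    return findings


def check_pair(a, b):
    """Run the checks in both directions and return all findings."""
    return check_side("MK1", a, b) + check_side("MK2", b, a)


if __name__ == "__main__":
    for finding in check_pair(MK1, MK2) or ["no mismatches found"]:
        print(finding)
```

On the configs quoted in the post the script reports one finding per router, the template point; after setting template=no on both policies it reports nothing, and deliberately changing one side's pfs-group makes it flag that instead, which is the quickest way to confirm the checks bite before trusting them on a real pair.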