Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
A
A
Artyom2016-03-08 13:25:06
linux
Artyom, 2016-03-08 13:25:06

How to properly build a GRE+IPSEC tunnel from Linux to Cisco?

Hello Dear Users!
For quite a long time, I can not properly build encryption between a Linux server (Debian 7) and Cisco, using a GRE tunnel and IPSEC.
I tried to just raise the GRE tunnel, everything works fine, like clockwork. But as soon as encryption is turned on on the side of Cisco, dancing with a tambourine and shamanism immediately begin.
The server is used to connect (Debian 7) racoon+ipsec-tools Here are the
configs:
racoon.conf

log debug2;
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
padding
{
    maximum_length 20;    # maximum padding length.
    randomize off;        # enable randomize length.
    strict_check off;    # enable strict check.
    exclusive_tail off;    # extract last one octet.
}
listen
{
    #isakmp ::1 [7000];
    isakmp Белый IP основного сервера [500];
    #admin [7002];        # administrative port for racoonctl.
    #strict_address;     # requires that all addresses must be bound.
}

remote Белый IP удаленного Cisco
{
    exchange_mode main, aggressive;
    my_identifier address Белый IP основного сервера;
    lifetime time 3600 sec;
    generate_policy on;
    snat_traversal on;
    proposal {
        encryption_algorithm aes 128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
}
sainfo address Белый IP удаленного Cisco any address Белый IP основного сервера any 
{
      pfs_group 2;
      lifetime time 3600 sec;
      encryption_algorithm aes 128;
      authentication_algorithm hmac_sha1;
      compression_algorithm deflate;
  }
}

ipsec-tools.conf
flush;
spdflush;
spdadd 10.0.66.33 10.0.66.34 any -P out ipsec esp/tunnel/Белый IP основного сервера- Белый IP удаленного Cisco/use;
spdadd 10.0.66.34 10.0.66.33 any -P in ipsec esp/tunnel/ Белый IP удаленного Cisco-Белый IP основного сервера/use;

Inside the tunnel, my server is designated IP: 10.0.66.33, and Cisco: 10.0.66.34
The problem starts at the 2nd phase of the negotiation, that is, the cisco drivers see that the tunnel has risen, but the second phase has not been negotiated, here is its log:
217afaec f6baddd8 5b97ea43 20e1059f 0e8ba4fb
2016-03-08 11:16:24: DEBUG: getsainfo params: loc='IP server' rmt='IP cisco' peer='IP cisco' client='IP cisco' id=0
2016-03-08 11:16:24: DEBUG: evaluating sainfo: loc='IP cisco', rmt='IP server', peer='ANY', id=0
2016-03-08 11:16:24: DEBUG: check and compare ids : proto_id mismatch 0 != 47
2016-03-08 11:16:24: ERROR: failed to get sainfo.
2016-03-08 11:16:24: ERROR: failed to get sainfo.
2016-03-08 11:16:24: [IP cisco] ERROR: failed to pre-process ph2 packet (side: 1, status: 1).
2016-03-08 11:16:24: DEBUG: IV freed

setkey -DP output
(per-socket policy)
        out(socket) none
        created: Mar  8 11:17:45 2016  lastused: Mar  8 11:18:55 2016
        lifetime: 0(s) validtime: 0(s)
        spid=11532 seq=1 pid=21344
        refcnt=1
(per-socket policy)
        in(socket) none
        created: Mar  8 11:17:45 2016  lastused: Mar  8 11:18:55 2016
        lifetime: 0(s) validtime: 0(s)
        spid=11523 seq=2 pid=21344
        refcnt=1
10.0.66.34[any] 10.0.66.33[any] 255
        fwd prio def ipsec
        esp/tunnel/IP cisco-IP-server/use
        created: Mar  8 11:15:01 2016  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=11498 seq=3 pid=21344
        refcnt=1
10.0.66.34[any] 10.0.66.33[any] 255
        in prio def ipsec
        esp/tunnel/IP cisco-IP server/use
        created: Mar  8 11:15:01 2016  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=11488 seq=4 pid=21344
        refcnt=1
10.0.66.33[any] 10.0.66.34[any] 255
        out prio def ipsec
        esp/tunnel/IP server-IP cisco/use
        created: Mar  8 11:15:01 2016  lastused: Mar  8 11:18:57 2016
        lifetime: 0(s) validtime: 0(s)
        spid=11481 seq=0 pid=21344
        refcnt=4

setkey -D Tell me
No SAD entries.
, please, in which direction to dig? On the Cisco side, everything is configured correctly, as it was checked by 3 different specialists. I've already smoked a bunch of sites and mans, but I still can't figure it out.
Thank you in advance!
PS I raise the GRE tunnel with the following script:
#!/bin/sh
#   insmod ip_gre
    tnl=tnl0
    remote=IP Cisco
    local=IP server
    ip=10.0.66.33
    range=10.0.66.32/30
#   ip tunnel del $tnl
    ip tunnel add $tnl mode gre local $local remote $remote ttl 255
    ip addr add $ip dev $tnl
    ip link set $tnl up
    ip route add $range dev $tnl

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

1 answer(s)
Report
A
Artyom, 2016-03-08
@Art1000

This issue has been resolved! If someone needs an answer, then on the Cisco side there was no entry about pfs_group 2.
After adding it, everything started up successfully.

Similar questions
Z
Zar7472020-07-08 16:56:08
Who has a linux iso image for polycom rss4000? 1Reply
N
NoN2013-11-14 10:10:33
Unexpected restart of EJabberd - how is this possible? 1Reply
T
Tremo2016-02-26 06:46:26
Help with trigger expression in zabbix? 1Reply
M
macksimich2020-07-09 00:02:39
Is there a convenient document scanning program for Linux? 3Reply
N
Nikita2018-07-15 20:30:23
How to choose a budget laptop for Linux? 2Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question