> There is not much to configure around the certs; did you feed the root
> cert to Windows as well, and did you import them into the proper folder?
Yes, through mmc; the machine's cert properly references the root cert in
the certificate chain, and according to Windows the certs are fine.
Among the IP security policies the FreeSwan policy name is visible, the
security methods list IKE-3de-sha1 and IKE-3des-md5,..., and under the
authenticated method the CA's subject appears next to both filters.

I am attaching what I managed to get out of Windows as a log. It is a bit long.
Maybe you can make some sense of it.
Zoli


Receive: (get) SA = 0x00000000 from 192.168.11.254.500
ISAKMP Header: (V1.0), len = 216
  I-COOKIE edf58db1173df605
  R-COOKIE 0000000000000000
  exchange: Oakley Main Mode
  flags: 0
  next payload: SA
  message ID: 00000000
Filter to match: Src 192.168.11.254 Dst 192.168.11.1
MM PolicyName: 4
MMPolicy dwFlags 2 SoftSAExpireTime 28800
MMOffer[0] LifetimeSec 28800 QMLimit 1 DHGroup 2
MMOffer[0] Encrypt: Háromszoros DES CBC Hash: SHA
MMOffer[1] LifetimeSec 28800 QMLimit 1 DHGroup 2
MMOffer[1] Encrypt: Háromszoros DES CBC Hash: MD5
MMOffer[2] LifetimeSec 28800 QMLimit 1 DHGroup 1
MMOffer[2] Encrypt: DES CBC Hash: SHA
MMOffer[3] LifetimeSec 28800 QMLimit 1 DHGroup 1
MMOffer[3] Encrypt: DES CBC Hash: MD5
Auth[0]:RSA Sig C=HU, O=VB_LIZING_RT, CN=VBL AuthFlags 0
Responding with new SA f1dc8
processing payload SA
Received Phase 1 Transform 0
     Life type in Seconds
     Life duration of 3600
     Encryption Alg Háromszoros DES CBC(5)
     Hash Alg SHA(2)
     Auth Method RSA-aláírás tanúsítványokkal(3)
     Oakley Group 5
Received Phase 1 Transform 1
     Life type in Seconds
     Life duration of 3600
     Encryption Alg Háromszoros DES CBC(5)
     Hash Alg SHA(2)
     Auth Method RSA-aláírás tanúsítványokkal(3)
     Oakley Group 2
Received Phase 1 Transform 2
     Life type in Seconds
     Life duration of 3600
     Encryption Alg Háromszoros DES CBC(5)
     Hash Alg MD5(1)
     Auth Method RSA-aláírás tanúsítványokkal(3)
     Oakley Group 5
Received Phase 1 Transform 3
     Life type in Seconds
     Life duration of 3600
     Encryption Alg Háromszoros DES CBC(5)
     Hash Alg MD5(1)
     Auth Method RSA-aláírás tanúsítványokkal(3)
     Oakley Group 2
Phase 1 SA accepted: transform=2
SA - Oakley proposal accepted
processing payload VENDOR ID
processing payload VENDOR ID
ClearFragList
constructing ISAKMP Header
constructing SA (ISAKMP)
Constructing Vendor MS NT5 ISAKMPOAKLEY
Constructing Vendor FRAGMENTATION
Constructing Vendor draft-ietf-ipsec-nat-t-ike-02

Sending: SA = 0x000F1DC8 to 192.168.11.254:Type 2.500
ISAKMP Header: (V1.0), len = 148
  I-COOKIE edf58db1173df605
  R-COOKIE bd3c890da7627966
  exchange: Oakley Main Mode
  flags: 0
  next payload: SA
  message ID: 00000000
Ports S:f401 D:f401

Receive: (get) SA = 0x000f1dc8 from 192.168.11.254.500
ISAKMP Header: (V1.0), len = 180
  I-COOKIE edf58db1173df605
  R-COOKIE bd3c890da7627966
  exchange: Oakley Main Mode
  flags: 0
  next payload: KE
  message ID: 00000000
processing payload KE
processing payload NONCE
ClearFragList
constructing ISAKMP Header
constructing KE
constructing NONCE (ISAKMP)
Constructing Cert Request
C=HU, O=VB_LIZING_RT, CN=VBL

Sending: SA = 0x000F1DC8 to 192.168.11.254:Type 2.500
ISAKMP Header: (V1.0), len = 253
  I-COOKIE edf58db1173df605
  R-COOKIE bd3c890da7627966
  exchange: Oakley Main Mode
  flags: 0
  next payload: KE
  message ID: 00000000
Ports S:f401 D:f401
 
 Receive: (get) SA = 0x000f1dc8 from 192.168.11.254.500
 ISAKMP Header: (V1.0), len = 1412
   I-COOKIE edf58db1173df605
   R-COOKIE bd3c890da7627966
   exchange: Oakley Main Mode
   flags: 1 ( encrypted )
   next payload: ID
   message ID: 00000000
 processing payload ID
 processing payload CERT
 processing payload CRP
 processing payload SIG
 Verifying CertStore
 SubjectName: C=HU, O=VB_LIZING_RT, CN=firewall.vblizing.hu
 Cert Serialnumber 01
 Cert SHA Thumbprint 9b04b36a994b3554bcd20a761bbb27dc
 6ec84b0d
 failed to get chain -2146885628
 isadb_set_status sa:000F1DC8 centry:00000000 status 35e9
 Kulcscsere mód (f
 Forrás IP-címe: 192.168.11.1  Forrás IP-címének maszkja: 255.255.255.255
 Cél IP-címe: 192.168.11.254  Cél IP-címének maszkja: 255.255.255.255
 Protokoll: 0
 Forrás portja: 0  Cél portja: 0  IKE helyi cím 192.168.11.1
 IKE peer cím 192.168.11.254
 Tanúsítvánnyal hitelesített identitás.    Társgép-tulajdonos
 C=HU, O=VB_LIZING_RT,
 CN=firewall.vblizing.hu  Társgép SHA-ujjlenyomata
 0000000000000000000000000000000000000000  Társgép tanúsítványát
 kiállító szolgáltató   Legfels
 Én
 Az internetes kulcscsere hitelesít
 0x0 0x0
 ProcessFailure: sa:000F1DC8 centry:00000000 status:35e9
 Not creating notify.
 
 Receive: (get) SA = 0x000f1dc8 from 192.168.11.254.500
 ISAKMP Header: (V1.0), len = 1412
   I-COOKIE edf58db1173df605
   R-COOKIE bd3c890da7627966
   exchange: Oakley Main Mode
   flags: 1 ( encrypted )
   next payload: ID
   message ID: 00000000
 Dropping SA processing because SA status set.  SA 000F1DC8 Centry
 00000000 Status 35e9
 
 Receive: (get) SA = 0x000f1dc8 from 192.168.11.254.500
 ISAKMP Header: (V1.0), len = 1412
   I-COOKIE edf58db1173df605
   R-COOKIE bd3c890da7627966
   exchange: Oakley Main Mode
   flags: 1 ( encrypted )
   next payload: ID
   message ID: 00000000
 Dropping SA processing because SA status set.  SA 000F1DC8 Centry
 00000000 Status 35e9
 SA Dead. sa:000F1DC8 status:35f0
 constructing ISAKMP Header
 constructing HASH (null)
 constructing DELETE. MM 000F1DC8
 constructing HASH (Notify/Delete)
 
 Sending: SA = 0x000F1DC8 to 192.168.11.254:Type 1.500
 ISAKMP Header: (V1.0), len = 84
   I-COOKIE edf58db1173df605
   R-COOKIE bd3c890da7627966
   exchange: ISAKMP Informational Exchange
   flags: 1 ( encrypted )
   next payload: HASH
   message ID: 2e238fc5
 Ports S:f401 D:f401
 ClearFragList


_________________________________________________
linux lista      -      linux@mlf.linux.rulez.org
http://mlf2.linux.rulez.org/mailman/listinfo/linux

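An added example, not part of the original post: a short Python triage of the log above that locates the certificate chain failure and converts the signed decimal it prints (-2146885628) to the usual HRESULT form. The function names and the two lookup tables are this example's own; the sample lines are an excerpt copied from the log.

```python
import re

# Excerpt copied from the Oakley log in the post above.
SAMPLE = """\
 processing payload CERT
 processing payload SIG
 Verifying CertStore
 SubjectName: C=HU, O=VB_LIZING_RT, CN=firewall.vblizing.hu
 Cert Serialnumber 01
 failed to get chain -2146885628
 isadb_set_status sa:000F1DC8 centry:00000000 status 35e9
 ProcessFailure: sa:000F1DC8 centry:00000000 status:35e9
"""

# Only codes whose meaning is certain are named; others are reported as unknown.
HRESULTS = {0x80092004: "CRYPT_E_NOT_FOUND: cannot find object or property"}
IKE_STATUS = {0x35E9: "ERROR_IPSEC_IKE_AUTH_FAIL (13801)"}

def to_hresult(signed_decimal):
    """The log prints HRESULTs as signed 32-bit decimals; return the unsigned value."""
    return signed_decimal & 0xFFFFFFFF

def triage(log_text):
    """Return one finding per peer certificate whose chain could not be built."""
    findings, subject = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := re.match(r"SubjectName:\s*(.+)", line):
            subject = m.group(1)  # certificate currently being verified
        elif m := re.match(r"failed to get chain (-?\d+)$", line):
            hr = to_hresult(int(m.group(1)))
            findings.append({"subject": subject, "hresult": f"0x{hr:08X}",
                             "meaning": HRESULTS.get(hr, "unknown"),
                             "sa": None, "ike_status": None})
        elif m := re.match(r"isadb_set_status sa:(\w+) centry:\w+ status (\w+)$", line):
            # The first status set after a chain failure is the resulting IKE error.
            if findings and findings[-1]["ike_status"] is None:
                code = int(m.group(2), 16)
                findings[-1]["sa"] = m.group(1)
                findings[-1]["ike_status"] = IKE_STATUS.get(code, f"unknown ({code})")
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

CRYPT_E_NOT_FOUND at the "failed to get chain" step means chain building could not locate something it needed; the Windows IPsec service reads the computer account's certificate stores, so those are the stores to inspect for the issuing CA certificate.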