Re: IpSec (racoon) и WinXP
From: Andrew Lutov (2:5000/26)
To: Alexey Popov (2:5054/37.63)
Date: 2005-12-23T08:21:06Z
Area: RU.UNIX.BSD
From: "Andrew Lutov" <andrew_l @ newmail.ru>
Hello, Alexey!
??>> to the new keys, one of the old keys (on the FreeBSD side, from WinXP)
??>> "sticks" and the channel stops working until the next key exchange
??>> (in this case the minimum is set: 300 seconds).
AP> echo net.key.preferred_oldsa=0 >> /etc/sysctl.conf
Actually it's net.key.prefered_oldsa :)
Didn't help :(
Here is what it looks like at the moment of the switchover (tcpdump output at the bottom):
# setkey -D
8.1.5.201 8.1.5.181
esp mode=transport spi=3342980830(0xc741d6de) reqid=0(0x00000000)
E: 3des-cbc 62aa031f 4f31c3c8 f8c885fb a32f3d07 1280b834 ffb89bba
A: hmac-sha1 5ac4ff47 6e409dce 2bf53304 9f901910 9b658b1a
seq=0x00000046 replay=4 flags=0x00000000 state=mature
created: Dec 23 08:15:26 2005 current: Dec 23 08:16:36 2005
diff: 70(s) hard: 300(s) soft: 240(s)
last: Dec 23 08:16:36 2005 hard: 0(s) soft: 0(s)
current: 76160(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 70 hard: 0 soft: 0
sadb_seq=2 pid=17393 refcnt=2
8.1.5.181 8.1.5.201
esp mode=transport spi=46143897(0x02c01999) reqid=0(0x00000000)
E: 3des-cbc a86320dd 839c965e f78d8a86 c38fbbfe e2bb00c3 55540774
A: hmac-sha1 4ce2a4f8 5668db3f f7181c2e b46479fc 7c117af6
seq=0x00000046 replay=4 flags=0x00000000 state=mature
created: Dec 23 08:15:26 2005 current: Dec 23 08:16:36 2005
diff: 70(s) hard: 300(s) soft: 240(s)
last: Dec 23 08:16:36 2005 hard: 0(s) soft: 0(s)
current: 73640(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 70 hard: 0 soft: 0
sadb_seq=1 pid=17393 refcnt=1
8.1.5.181 8.1.5.201
esp mode=transport spi=166391361(0x09eaee41) reqid=0(0x00000000)
E: 3des-cbc 51459d72 c0b4aad5 55f7635b 5b1a92f9 9510b79e f86049aa
A: hmac-sha1 184d8137 6467ec69 d63baab1 1d82e9dc 64a442ed
seq=0x000000e2 replay=4 flags=0x00000000 state=dying
created: Dec 23 08:11:40 2005 current: Dec 23 08:16:36 2005
diff: 296(s) hard: 300(s) soft: 240(s)
last: Dec 23 08:15:26 2005 hard: 0(s) soft: 0(s)
current: 237752(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 226 hard: 0 soft: 0
sadb_seq=0 pid=17393 refcnt=1
# setkey -D
8.1.5.201 8.1.5.181
esp mode=transport spi=3342980830(0xc741d6de) reqid=0(0x00000000)
E: 3des-cbc 62aa031f 4f31c3c8 f8c885fb a32f3d07 1280b834 ffb89bba
A: hmac-sha1 5ac4ff47 6e409dce 2bf53304 9f901910 9b658b1a
seq=0x0000004a replay=4 flags=0x00000000 state=mature
created: Dec 23 08:15:26 2005 current: Dec 23 08:16:41 2005
diff: 75(s) hard: 300(s) soft: 240(s)
last: Dec 23 08:16:40 2005 hard: 0(s) soft: 0(s)
current: 80512(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 74 hard: 0 soft: 0
sadb_seq=1 pid=17394 refcnt=2
8.1.5.181 8.1.5.201
esp mode=transport spi=46143897(0x02c01999) reqid=0(0x00000000)
E: 3des-cbc a86320dd 839c965e f78d8a86 c38fbbfe e2bb00c3 55540774
A: hmac-sha1 4ce2a4f8 5668db3f f7181c2e b46479fc 7c117af6
seq=0x0000004a replay=4 flags=0x00000000 state=mature
created: Dec 23 08:15:26 2005 current: Dec 23 08:16:41 2005
diff: 75(s) hard: 300(s) soft: 240(s)
last: Dec 23 08:16:40 2005 hard: 0(s) soft: 0(s)
current: 77848(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 74 hard: 0 soft: 0
sadb_seq=0 pid=17394 refcnt=1
And this is the tcpdump output:
08:16:39.135161 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x49)
08:16:39.135538 8.1.5.201 > 8.1.5.181: ESP(spi=0xc741d6de,seq=0x49)
08:16:40.135229 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x4a)
08:16:40.135592 8.1.5.201 > 8.1.5.181: ESP(spi=0xc741d6de,seq=0x4a)
08:16:41.135214 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x4b)
08:16:41.135421 8.1.5.201 > 8.1.5.181: icmp: echo reply
08:16:46.572885 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x4c)
08:16:46.573082 8.1.5.201 > 8.1.5.181: icmp: echo reply
08:16:52.072993 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x4d)
08:16:52.073188 8.1.5.201 > 8.1.5.181: icmp: echo reply
08:16:57.573146 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x4e)
08:16:57.573339 8.1.5.201 > 8.1.5.181: icmp: echo reply
--
A5 will we e2 meet again
--- ifmail v.2.14.os-p7
* Origin: Garant-Siberia fidonet station (2:5000/26@fidonet)
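The dump and trace above show two things worth checking mechanically when a racoon rekey goes wrong: the SAD holding more than one SA for the same direction (the mature 0x02c01999 next to the dying 0x09eaee41, which has 4 seconds of hard lifetime left), and, from 08:16:41 on, 8.1.5.201 answering in cleartext although it still holds a mature outbound SA. The script below is an added example, not code from the post or from racoon/ipsec-tools; it parses `setkey -D` and tcpdump text and flags exactly those two conditions. The sample input is copied from the post and trimmed to the lines the parser reads; the SPI of the second 8.1.5.181 -> 8.1.5.201 SA in the first dump (0x02c01999) is taken from the later dump, which lists the same keys for that SA.

```python
# Added example (not from the post): parse a `setkey -D` SAD dump and a tcpdump
# trace, then flag (a) directions with overlapping SAs and (b) non-ESP packets in
# a direction that still has a mature SA.  Sample text is copied from the post;
# the 0x02c01999 SPI of the second SA is taken from the later dump in the post.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SETKEY_DUMP = """\
8.1.5.201 8.1.5.181
esp mode=transport spi=3342980830(0xc741d6de) reqid=0(0x00000000)
seq=0x00000046 replay=4 flags=0x00000000 state=mature
diff: 70(s) hard: 300(s) soft: 240(s)
8.1.5.181 8.1.5.201
esp mode=transport spi=46143897(0x02c01999) reqid=0(0x00000000)
seq=0x00000046 replay=4 flags=0x00000000 state=mature
diff: 70(s) hard: 300(s) soft: 240(s)
8.1.5.181 8.1.5.201
esp mode=transport spi=166391361(0x09eaee41) reqid=0(0x00000000)
seq=0x000000e2 replay=4 flags=0x00000000 state=dying
diff: 296(s) hard: 300(s) soft: 240(s)
"""

TCPDUMP = """\
08:16:40.135229 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x4a)
08:16:40.135592 8.1.5.201 > 8.1.5.181: ESP(spi=0xc741d6de,seq=0x4a)
08:16:41.135214 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x4b)
08:16:41.135421 8.1.5.201 > 8.1.5.181: icmp: echo reply
08:16:46.572885 8.1.5.181 > 8.1.5.201: ESP(spi=0x02c01999,seq=0x4c)
08:16:46.573082 8.1.5.201 > 8.1.5.181: icmp: echo reply
"""


@dataclass
class SA:
    src: str
    dst: str
    spi: int = 0
    state: str = "?"
    diff: int = 0   # seconds since the SA was created
    hard: int = 0   # hard lifetime; the kernel deletes the SA when diff reaches it


@dataclass
class Packet:
    ts: str
    src: str
    dst: str
    spi: Optional[int]  # None for anything that is not ESP
    summary: str


def parse_setkey(text: str) -> List[SA]:
    """Each SA block starts with a 'src dst' line, followed by key=value lines."""
    sas: List[SA] = []
    for line in (l.strip() for l in text.splitlines()):
        if m := re.fullmatch(r"(\d+(?:\.\d+){3}) (\d+(?:\.\d+){3})", line):
            sas.append(SA(m.group(1), m.group(2)))
        elif not sas:
            continue  # prompt or other preamble before the first SA
        elif m := re.match(r"esp mode=\w+ spi=\d+\(0x([0-9a-f]+)\)", line):
            sas[-1].spi = int(m.group(1), 16)
        elif m := re.search(r"\bstate=(\w+)", line):
            sas[-1].state = m.group(1)
        elif m := re.match(r"diff: (\d+)\(s\) hard: (\d+)\(s\)", line):
            sas[-1].diff, sas[-1].hard = int(m.group(1)), int(m.group(2))
    return sas


def parse_tcpdump(text: str) -> List[Packet]:
    pkts: List[Packet] = []
    for line in text.splitlines():
        if m := re.fullmatch(r"(\S+) (\S+) > (\S+): (.*)", line.strip()):
            ts, src, dst, rest = m.groups()
            e = re.match(r"ESP\(spi=0x([0-9a-f]+),", rest)
            pkts.append(Packet(ts, src, dst, int(e.group(1), 16) if e else None, rest))
    return pkts


def rekey_overlaps(sas: List[SA]) -> Dict[Tuple[str, str], List[SA]]:
    """Directions with more than one SA: mature+dying is a normal rekey window."""
    by_dir: Dict[Tuple[str, str], List[SA]] = {}
    for sa in sas:
        by_dir.setdefault((sa.src, sa.dst), []).append(sa)
    return {d: lst for d, lst in by_dir.items() if len(lst) > 1}


def cleartext_leaks(sas: List[SA], pkts: List[Packet]) -> List[Packet]:
    """Non-ESP packets in a direction whose SAD still holds a mature SA."""
    protected = {(sa.src, sa.dst) for sa in sas if sa.state == "mature"}
    return [p for p in pkts if p.spi is None and (p.src, p.dst) in protected]


if __name__ == "__main__":
    sas, pkts = parse_setkey(SETKEY_DUMP), parse_tcpdump(TCPDUMP)
    for d, lst in rekey_overlaps(sas).items():
        print(d, [(hex(s.spi), s.state, s.hard - s.diff) for s in lst])
    for p in cleartext_leaks(sas, pkts):
        print("CLEARTEXT", p.ts, p.src, "->", p.dst, p.summary)
```

On a live box the same functions can be fed `setkey -D` and `tcpdump -n esp or icmp` output captured around the rekey; a hit from cleartext_leaks is the moment to look at `setkey -DP` for the policy and at the racoon log for the SA that was just deleted, since the SAD by itself looks healthy.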