[GTER] Dúvida IPSEC

Bruno Vane bruno.vane at sodobrasil.net.br
Wed Mar 13 11:37:51 -03 2013 

Pessoal,

Gostaria de tirar uma dúvida sobre a negociação de algoritmo na conexão
IPSEC. Tenho uma conexão a ser realizada com os seguintes requisitos, entre
um Ubuntu e um Checkpoint:

IKE (Phase 1)
Key exchange encryption: 3DES
Authentication Methods: MD5
Support Diffie-Hellman groups for IKE: Group 2

IPSec (Phase 2) Properties
IPsec data encryption: 3DES
Data Integrity: MD5

Renegotiate IKE (phase 1) SA every: 1440 minutes
Renegotiate IPsec (phase 2) SA every: 3600 seconds


Na saída do comando ipsec auto --status, eu vejo no meu lado (Ubuntu) o
seguinte, mostrando que o tunnel esta OK:

000 "conexao/5x1":   ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
000 "conexao/5x2":
192.168.10.0/24===AAA.BB.CCC.97<AAA.BB.CCC.97>[+S=C]---AAA.BB.CCC.98...XXX.Y.ZZZ.161---XXX.Y.ZZZ.162<XXX.Y.ZZZ.162>[+S=C]===JJJ.K.LLL.0/24;
erouted; eroute owner: #11
000 "conexao/5x2":     myip=unset; hisip=unset;
000 "conexao/5x2":   ike_life: 86400s; ipsec_life: 3600s; rekey_margin:
540s; rekey_fuzz: 100%; keyingtries: 0
000 "conexao/5x2":   policy:
PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24;
interface: eth1;
000 "conexao/5x2":   newest ISAKMP SA: #1; newest IPsec SA: #11;
000 "conexao/5x2":   aliases: conexao
000 "conexao/5x2":   IKE algorithms wanted:
3DES_CBC(5)_000-MD5(1)_000-MODP1536(5),
3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=-strict
000 "conexao/5x2":   IKE algorithms found:
 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5),
3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "conexao/5x2":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "conexao/5x2":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000;
flags=-strict
000 "conexao/5x2":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000 "conexao/5x2":   ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
000 #1: "conexao/5x2":500 STATE_MAIN_I4 (ISAKMP SA established);
EVENT_SA_REPLACE in 85081s; newest ISAKMP; nodpd; idle; import:admin
initiate


Porém a outra ponta diz que está "pendente phase 2".
A dúvida é, a outra ponta está pedindo um algoritmo e minha máquina está
carregando aparentemente "outro"?

000 "conexao/5x2":   IKE algorithms wanted:
3DES_CBC(5)_000-MD5(1)_000-MODP1536(5),
3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=-strict
000 "conexao/5x2":   IKE algorithms found:
 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5),
3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)

000 "conexao/5x2":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000;
flags=-strict
000 "conexao/5x2":   ESP algorithms loaded: 3DES(3)_192-MD5(1)_128





-- 
Bruno Vane
Administrador de Redes
S.O. do Brasil Telecomunicações
(24) 9278-7195 / (24) 7812-4414
ID: 131*13206 / skype: broonu

www.zamix.com.br | www.superonda.com.br

More information about the gter mailing list