[GTER] IPSEC question
Bruno Vane
bruno.vane at sodobrasil.net.br
Wed Mar 13 11:37:51 -03 2013
Folks,
I would like to clear up a question about algorithm negotiation in an IPSEC
connection. I have a connection to set up, between an Ubuntu host and a
Checkpoint, with the following requirements:
IKE (Phase 1)
Key exchange encryption: 3DES
Authentication Methods: MD5
Support Diffie-Hellman groups for IKE: Group 2
IPSec (Phase 2) Properties
IPsec data encryption: 3DES
Data Integrity: MD5
Renegotiate IKE (phase 1) SA every: 1440 minutes
Renegotiate IPsec (phase 2) SA every: 3600 seconds
In the output of the ipsec auto --status command I see the following on my
side (Ubuntu), showing that the tunnel is OK:
000 "conexao/5x1": ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
000 "conexao/5x2": 192.168.10.0/24===AAA.BB.CCC.97<AAA.BB.CCC.97>[+S=C]---AAA.BB.CCC.98...XXX.Y.ZZZ.161---XXX.Y.ZZZ.162<XXX.Y.ZZZ.162>[+S=C]===JJJ.K.LLL.0/24; erouted; eroute owner: #11
000 "conexao/5x2": myip=unset; hisip=unset;
000 "conexao/5x2": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "conexao/5x2": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,24; interface: eth1;
000 "conexao/5x2": newest ISAKMP SA: #1; newest IPsec SA: #11;
000 "conexao/5x2": aliases: conexao
000 "conexao/5x2": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1536(5), 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=-strict
000 "conexao/5x2": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "conexao/5x2": IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "conexao/5x2": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; flags=-strict
000 "conexao/5x2": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
000 "conexao/5x2": ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
000 #1: "conexao/5x2":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85081s; newest ISAKMP; nodpd; idle; import:admin initiate
However, the other end says it is "pending phase 2".
My question is: is the other end asking for one algorithm while my machine is
apparently loading "another" one?
000 "conexao/5x2": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1536(5), 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=-strict
000 "conexao/5x2": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "conexao/5x2": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; flags=-strict
000 "conexao/5x2": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
--
Bruno Vane
Network Administrator
S.O. do Brasil Telecomunicações
(24) 9278-7195 / (24) 7812-4414
ID: 131*13206 / skype: broonu
www.zamix.com.br | www.superonda.com.br
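The following is an added example, not part of the post above and not code from Openswan or Check Point. It parses the "IKE algorithms wanted/found" and "ESP algorithms wanted/loaded" lines of the quoted ipsec auto --status output and compares what the Ubuntu side actually loaded against the peer requirements listed at the top of the post (3DES, MD5, DH group 2, 1440-minute IKE lifetime, 3600-second IPsec lifetime). The status lines are copied from the post and re-joined where the mail client wrapped them; PEER_REQUIREMENTS is a structure constructed here from the listed requirements. The reading of the trailing numbers is an assumption: the _000 in a "wanted" proposal is taken to mean the key length was left unspecified in the config, and the _192 / _128 in the "found" proposal to be the sizes resolved when the proposal was loaded (3DES has a fixed 192-bit key, MD5 a 128-bit digest). The transform numbers in parentheses (3DES_CBC=5, MD5=1, MODP1024=group 2, ESP 3DES=3) are the standard IKE/IPsec identifiers and are parsed as such.

```python
import re

# Constructed sample: status lines from the post, re-joined after mail wrapping.
STATUS = """\
000 "conexao/5x2": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "conexao/5x2": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1536(5), 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=-strict
000 "conexao/5x2": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "conexao/5x2": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; flags=-strict
000 "conexao/5x2": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128
"""

# Hypothetical structure holding the peer requirements listed in the post.
PEER_REQUIREMENTS = {
    "ike": {"enc": "3DES", "hash": "MD5", "group": 2, "life_s": 1440 * 60},
    "esp": {"enc": "3DES", "hash": "MD5", "life_s": 3600},
}

ALG_RE = re.compile(r"([A-Z0-9_]+)\((\d+)\)_(\d+)")  # NAME(transform id)_keylen
GROUP_RE = re.compile(r"MODP(\d+)\((\d+)\)")         # MODP<bits>(<DH group>)


def parse_proposal(text):
    """Turn '3DES_CBC(5)_000-MD5(1)_000-MODP1024(2)' into a dict of its parts."""
    parts = text.split("-")
    enc = ALG_RE.fullmatch(parts[0])
    hsh = ALG_RE.fullmatch(parts[1])
    prop = {
        "enc": enc.group(1).split("_")[0],        # 3DES_CBC -> 3DES
        "enc_id": int(enc.group(2)),
        "enc_keylen": int(enc.group(3)) or None,  # assumption: 000 = unspecified
        "hash": hsh.group(1),
        "hash_id": int(hsh.group(2)),
        "hash_len": int(hsh.group(3)) or None,
        "group": None,
        "modp_bits": None,
    }
    if len(parts) > 2:  # IKE proposals carry a DH group, ESP ones do not
        g = GROUP_RE.fullmatch(parts[2])
        prop["modp_bits"] = int(g.group(1))
        prop["group"] = int(g.group(2))
    return prop


def parse_status(text):
    """Collect proposals and SA lifetimes from 'ipsec auto --status' lines."""
    info = {"ike": {}, "esp": {}, "life": {}}
    for line in text.splitlines():
        m = re.match(r'^000 "([^"]+)": (.*)$', line)
        if not m:
            continue
        body = m.group(2)
        if body.startswith("ike_life"):
            for item in body.split(";"):
                key, _, value = item.strip().partition(": ")
                if key in ("ike_life", "ipsec_life"):
                    info["life"][key] = int(value.rstrip("s"))
            continue
        m2 = re.match(r"(IKE|ESP) algorithms (wanted|found|loaded): (.*)$", body)
        if not m2:
            continue
        proto, state, plist = m2.groups()
        plist = plist.split(";")[0]  # drop a trailing '; flags=-strict'
        info[proto.lower()][state] = [parse_proposal(p.strip()) for p in plist.split(",")]
    return info


def check_against_peer(info, req):
    """Report which loaded proposals satisfy the peer's stated requirements."""
    ike_loaded = info["ike"].get("found", [])
    esp_loaded = info["esp"].get("loaded", [])
    return {
        "ike_match": [p for p in ike_loaded
                      if p["enc"] == req["ike"]["enc"]
                      and p["hash"] == req["ike"]["hash"]
                      and p["group"] == req["ike"]["group"]],
        "esp_match": [p for p in esp_loaded
                      if p["enc"] == req["esp"]["enc"]
                      and p["hash"] == req["esp"]["hash"]],
        "ike_life_ok": info["life"].get("ike_life") == req["ike"]["life_s"],
        "ipsec_life_ok": info["life"].get("ipsec_life") == req["esp"]["life_s"],
        # Assumption: unspecified key length in 'wanted' resolves to 3DES's 192 bits.
        "keylen_resolved": all(p["enc_keylen"] is None for p in info["ike"].get("wanted", []))
                           and all(p["enc_keylen"] == 192 for p in ike_loaded),
    }


if __name__ == "__main__":
    report = check_against_peer(parse_status(STATUS), PEER_REQUIREMENTS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a pasted status dump to get a per-requirement yes/no instead of eyeballing the proposal strings; the report only compares the local side against the listed requirements, so a mismatch it cannot see (for example in the peer's own Phase 2 settings) still has to be checked on the other end.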