VPN + IPSec (OpenSwan)
Good day!
I can't get a VPN working between IPCop and Gentoo.
# uname -a
Linux nixgate 2.6.19-gentoo-r5 #1 SMP Wed Mar 12 10:48:43 MSK 2008 i686 Intel(R) Celeron(R) CPU 2.00GHz GenuineIntel GNU/Linux
# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.4.9/K2.6.19-gentoo-r5 (netkey)
Checking for IPsec support in kernel [OK]
NETKEY detected, testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking for RSA private key (/etc/ipsec/ipsec.secrets) [DISABLED]
ipsec showhostkey: no default key in "/etc/ipsec/ipsec.secrets"
Checking that pluto is running [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing
Checking for 'ip' command [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: nixgate [MISSING]
Cannot execute command "host -t txt nixgate": No such file or directory
Does the machine have at least one non-private address? [FAILED]
# cat /etc/ipsec/ipsec.conf
version 2
config setup
    interfaces=%defaultroute
    klipsdebug=none
    plutodebug=none
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12,%v4:192.168.0.0/16,%v4:!192.168.35.0/255.255.255.0,%v4:!192.168.55.0/255.255.255.0
conn %default
    keyingtries=0
    disablearrivalcheck=no
conn ascn
    left=192.168.0.90
    leftnexthop=%defaultroute
    leftsubnet=192.168.35.0/255.255.255.0
    right=192.168.0.91
    rightsubnet=192.168.55.0/255.255.255.0
    rightnexthop=%defaultroute
    ike=aes128-sha-modp1536,aes128-sha-modp1024,aes128-md5-modp1536,aes128-md5-modp1024,3des-sha-modp1536,3des-sha-modp1024,3des-md5-modp1536,3des-md5-modp1024
    esp=aes128-sha1,aes128-md5,3des-sha1,3des-md5
    ikelifetime=1h
    keylife=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=hold
    pfs=yes
    authby=secret
    auto=start
I pulled this out of the IPCop config and reworked it a bit.
# ipsec showdefaults
routephys=eth0
routevirt=ipsec0
routeaddr=192.168.0.90
routenexthop=192.168.0.100
# ipsec auto --status
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 192.168.0.90
000 interface eth0/eth0 192.168.0.90
000 interface eth1/eth1 192.168.35.2
000 interface eth1/eth1 192.168.35.2
000 %myid = (none)
000 debug none
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000
000 stats db_ops.c: {curr_cnt, total_cnt, maxsz} :context={0,2,36} trans={0,2,216} attrs={0,2,144}
000
000 "ascn": 192.168.35.0/24===192.168.0.90---192.168.0.100...192.168.0.100---192.168.0.91===192.168.55.0/24; erouted; eroute owner: #2
000 "ascn": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "ascn": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "ascn": policy: PSK+ENCRYPT+TUNNEL+PFS+UP; prio: 24,24; interface: eth0; encap: esp;
000 "ascn": dpd: action:hold; delay:30; timeout:120;
000 "ascn": newest ISAKMP SA: #4; newest IPsec SA: #2;
000 "ascn": IKE algorithms wanted: AES_CBC(7)_128-SHA1(2)-MODP1536(5), AES_CBC(7)_128-SHA1(2)-MODP1024(2), AES_CBC(7)_128-MD5(1)-MODP1536(5), AES_CBC(7)_128-MD5(1)-MODP1024(2), 3DES_CBC(5)_000-SHA1(2)-MODP1536(5), 3DES_CBC(5)_000-SHA1(2)-MODP1024(2), 3DES_CBC(5)_000-MD5(1)-MODP1536(5), 3DES_CBC(5)_000-MD5(1)-MODP1024(2); flags=strict
000 "ascn": IKE algorithms found: AES_CBC(7)_128-SHA1(2)_160-MODP1536(5), AES_CBC(7)_128-SHA1(2)_160-MODP1024(2), AES_CBC(7)_128-MD5(1)_128-MODP1536(5), AES_CBC(7)_128-MD5(1)_128-MODP1024(2), 3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5), 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2), 3DES_CBC(5)_192-MD5(1)_128-MODP1536(5), 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "ascn": IKE algorithm newest: AES_CBC_128-SHA1-MODP1536
000 "ascn": ESP algorithms wanted: AES(12)_128-SHA1(2), AES(12)_128-MD5(1), 3DES(3)_000-SHA1(2), 3DES(3)_000-MD5(1); flags=strict
000 "ascn": ESP algorithms loaded: AES(12)_128-SHA1(2), AES(12)_128-MD5(1), 3DES(3)_000-SHA1(2), 3DES(3)_000-MD5(1); flags=strict
000 "ascn": ESP algorithm newest: AES_128-HMAC_SHA1; pfsgroup=
000 "block": 192.168.0.90[%myid]---192.168.0.100...%group; unrouted; eroute owner: #0
000 "block": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "block": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "block": policy: TUNNEL+PFS+GROUP+GROUTED+REJECT+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "block": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear": 192.168.0.90[%myid]---192.168.0.100...%group; unrouted; eroute owner: #0
000 "clear": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear": policy: TUNNEL+PFS+GROUP+GROUTED+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#128.63.2.53/32": 192.168.0.90[%myid]---192.168.0.100...%any===128.63.2.53/32; prospective erouted; eroute owner: #0
000 "clear#128.63.2.53/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#128.63.2.53/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#128.63.2.53/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#128.63.2.53/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#128.8.10.90/32": 192.168.0.90[%myid]---192.168.0.100...%any===128.8.10.90/32; prospective erouted; eroute owner: #0
000 "clear#128.8.10.90/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#128.8.10.90/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#128.8.10.90/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#128.8.10.90/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.112.36.4/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.112.36.4/32; prospective erouted; eroute owner: #0
000 "clear#192.112.36.4/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.112.36.4/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.112.36.4/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.112.36.4/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.203.230.10/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.203.230.10/32; prospective erouted; eroute owner: #0
000 "clear#192.203.230.10/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.203.230.10/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.203.230.10/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.203.230.10/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.228.79.201/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.228.79.201/32; prospective erouted; eroute owner: #0
000 "clear#192.228.79.201/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.228.79.201/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.228.79.201/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.228.79.201/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.33.4.12/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.33.4.12/32; prospective erouted; eroute owner: #0
000 "clear#192.33.4.12/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.33.4.12/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.33.4.12/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.33.4.12/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.36.148.17/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.36.148.17/32; prospective erouted; eroute owner: #0
000 "clear#192.36.148.17/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.36.148.17/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.36.148.17/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.36.148.17/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.5.5.241/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.5.5.241/32; prospective erouted; eroute owner: #0
000 "clear#192.5.5.241/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.5.5.241/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.5.5.241/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.5.5.241/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#192.58.128.30/32": 192.168.0.90[%myid]---192.168.0.100...%any===192.58.128.30/32; prospective erouted; eroute owner: #0
000 "clear#192.58.128.30/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#192.58.128.30/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#192.58.128.30/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#192.58.128.30/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#193.0.14.129/32": 192.168.0.90[%myid]---192.168.0.100...%any===193.0.14.129/32; prospective erouted; eroute owner: #0
000 "clear#193.0.14.129/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#193.0.14.129/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#193.0.14.129/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#193.0.14.129/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#198.32.64.12/32": 192.168.0.90[%myid]---192.168.0.100...%any===198.32.64.12/32; prospective erouted; eroute owner: #0
000 "clear#198.32.64.12/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#198.32.64.12/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#198.32.64.12/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#198.32.64.12/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#198.41.0.4/32": 192.168.0.90[%myid]---192.168.0.100...%any===198.41.0.4/32; prospective erouted; eroute owner: #0
000 "clear#198.41.0.4/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#198.41.0.4/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#198.41.0.4/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#198.41.0.4/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear#202.12.27.33/32": 192.168.0.90[%myid]---192.168.0.100...%any===202.12.27.33/32; prospective erouted; eroute owner: #0
000 "clear#202.12.27.33/32": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear#202.12.27.33/32": ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "clear#202.12.27.33/32": policy: TUNNEL+PFS+PASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear#202.12.27.33/32": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "clear-or-private": 192.168.0.90[%myid]---192.168.0.100...%opportunisticgroup; unrouted; eroute owner: #0
000 "clear-or-private": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "clear-or-private": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "clear-or-private": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+GROUP+GROUTED+PASS+failurePASS+NEVER_NEGOTIATE+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "clear-or-private": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "packetdefault": 0.0.0.0/0===192.168.0.90[%myid]---192.168.0.100...%opportunistic; prospective erouted; eroute owner: #0
000 "packetdefault": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "packetdefault": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "packetdefault": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failurePASS+lKOD+rKOD; prio: 0,0; interface: eth0; encap: esp;
000 "packetdefault": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private": 192.168.0.90[%myid]---192.168.0.100...%opportunisticgroup; unrouted; eroute owner: #0
000 "private": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "private": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "private": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+GROUP+GROUTED+failureDROP+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "private": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear": 192.168.0.90[%myid]---192.168.0.100...%opportunisticgroup; unrouted; eroute owner: #0
000 "private-or-clear": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "private-or-clear": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "private-or-clear": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+GROUP+GROUTED+failurePASS+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "private-or-clear": newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "private-or-clear#0.0.0.0/0": 192.168.0.90[%myid]---192.168.0.100...%opportunistic; prospective erouted; eroute owner: #0
000 "private-or-clear#0.0.0.0/0": srcip=unset; dstip=unset; srcup=ipsec _updown; dstup=ipsec _updown;
000 "private-or-clear#0.0.0.0/0": ike_life: 3600s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "private-or-clear#0.0.0.0/0": policy: RSASIG+ENCRYPT+TUNNEL+PFS+DONTREKEY+OPPORTUNISTIC+failurePASS+lKOD+rKOD; prio: 32,0; interface: eth0; encap: esp;
000 "private-or-clear#0.0.0.0/0": newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "ascn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 19681s; newest IPSEC; eroute owner
000 #2: "ascn"
000 #4: "ascn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 139s; newest ISAKMP; lastdpd=15s(seq in:1947 out:0)
000
000 192.168.0.90/32:0 -0-> 65.212.118.29/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 65.212.118.29/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 63.245.213.31/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 63.245.213.31/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.16/32:0 -0-> 63.245.213.31/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 129.42.58.212/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 129.42.58.212/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 194.67.45.123/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 205.188.105.50/32:0 -0-> 192.168.35.194/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 205.188.105.50/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.194/32:0 -0-> 205.188.105.50/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.100/32:0 -0-> 192.168.35.194/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.194/32:0 -0-> 192.168.0.100/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 89.108.86.235/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 89.108.86.235/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 89.108.87.88/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 213.186.115.37/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 91.198.36.16/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 62.80.178.139/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 89.108.87.88/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 213.186.115.37/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 91.198.36.16/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 66.249.91.104/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 62.80.178.139/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 62.149.23.142/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 64.233.183.164/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 83.222.4.246/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 83.222.4.246/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 83.222.4.243/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 83.222.4.238/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 62.149.23.142/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 83.222.4.243/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 193.200.64.41/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 193.200.64.41/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 77.88.21.11/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 87.250.251.11/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 77.88.21.11/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 217.73.200.174/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 217.73.200.169/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 213.180.204.69/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 217.73.200.174/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 213.180.204.69/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 204.9.177.18/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 204.9.177.18/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 64.233.183.164/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 72.14.247.104/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 72.14.247.147/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 72.14.247.99/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 66.249.93.165/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 216.239.51.91/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 129.33.13.208/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 194.67.45.13/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 129.33.13.208/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 194.67.45.13/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 194.67.45.98/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 194.67.45.123/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 77.234.201.242/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 77.234.201.242/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 66.249.93.166/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 66.249.91.147/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 66.249.91.99/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 66.249.91.103/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 66.249.91.104/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 195.209.233.192/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 195.209.233.192/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 81.19.66.19/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 81.19.66.19/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 194.67.23.102/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 81.19.66.20/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 194.67.23.102/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.16/32:0 -0-> 194.67.23.102/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 81.19.66.20/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.16/32:0 -0-> 81.19.66.20/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 205.188.8.238/32:0 -0-> 192.168.35.194/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 205.188.8.238/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.194/32:0 -0-> 205.188.8.238/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 89.108.124.101/32:0 -0-> 192.168.35.30/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 89.108.124.101/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.30/32:0 -0-> 89.108.124.101/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.100/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.16/32:0 -0-> 192.168.0.100/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 205.188.8.134/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 205.188.8.134/32:0 => %pass 32,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.16/32:0 -0-> 205.188.8.134/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.35.2/32:0 -0-> 192.168.35.16/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
000 192.168.0.90/32:0 -0-> 192.168.0.100/32:0 => %pass 0,0 KEY record for hostname as %myid (no good TXT): failure querying DNS for KEY of nixgate.: Host name lookup failure
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
REDIRECT tcp -- anywhere anywhere tcp dpt:http redir ports 888
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 192.168.35.0/24 !192.168.55.0/24
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
202.12.27.33 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
192.228.79.201 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
198.41.0.4 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
193.0.14.129 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
192.5.5.241 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
128.8.10.90 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
192.112.36.4 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
192.203.230.10 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
192.58.128.30 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
128.63.2.53 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
192.36.148.17 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
198.32.64.12 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
192.33.4.12 192.168.0.100 255.255.255.255 UGH 0 0 0 eth0
192.168.55.0 192.168.0.100 255.255.255.0 UG 0 0 0 eth0
192.168.35.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 192.168.0.100 128.0.0.0 UG 0 0 0 eth0
128.0.0.0 192.168.0.100 128.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.0.100 0.0.0.0 UG 0 0 0 eth0
# traceroute 192.168.55.101
traceroute to 192.168.55.101 (192.168.55.101), 30 hops max, 40 byte packets
1 ACHTUNG.sbs (192.168.0.100) 1.764 ms 1.817 ms 1.845 ms
2 vl800.cr1-faber.r.westcall.net (84.52.109.177) 3.238 ms 3.641 ms 3.790 ms
3 c7206.rtr-morsk.westcall.net (84.52.73.45) 3.092 ms 3.108 ms 3.104 ms
4 c7206.rtr-morsk.westcall.net (84.52.73.45) 3.366 ms 3.374 ms 3.448 ms
5 87.226.229.161 (87.226.229.161) 4.075 ms 4.198 ms 4.399 ms
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
I don't think I've forgotten anything. On the other end, IPCop shows that the tunnel is up.
# cat /var/log/syslog
Mar 14 15:42:04 nixgate ipsec_setup: ...Openswan IPsec started
Mar 14 15:42:04 nixgate pluto[13066]: Starting Pluto (Openswan Version 2.4.9 PLUTO_SENDS_VENDORID PLUTO_USES_KEYRR; Vendor ID OE_]{vKgCoOI)
Mar 14 15:42:04 nixgate pluto[13066]: Setting NAT-Traversal port-4500 floating to on
Mar 14 15:42:04 nixgate pluto[13066]: port floating activation criteria nat_t=1/port_fload=1
Mar 14 15:42:04 nixgate pluto[13066]: including NAT-Traversal patch (Version 0.6c)
Mar 14 15:42:04 nixgate pluto[13066]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Mar 14 15:42:04 nixgate pluto[13066]: starting up 1 cryptographic helpers
Mar 14 15:42:04 nixgate pluto[13066]: started helper pid=13067 (fd:5)
Mar 14 15:42:04 nixgate pluto[13066]: Using NETKEY IPsec interface code on 2.6.19-gentoo-r5
Mar 14 15:42:04 nixgate pluto[13066]: Changing to directory '/etc/ipsec/ipsec.d/cacerts'
Mar 14 15:42:04 nixgate pluto[13066]: Changing to directory '/etc/ipsec/ipsec.d/aacerts'
Mar 14 15:42:04 nixgate pluto[13066]: Changing to directory '/etc/ipsec/ipsec.d/ocspcerts'
Mar 14 15:42:04 nixgate pluto[13066]: Changing to directory '/etc/ipsec/ipsec.d/crls'
Mar 14 15:42:04 nixgate pluto[13066]: Warning: empty directory
Mar 14 15:42:04 nixgate pluto[13066]: loading secrets from "/etc/ipsec/ipsec.secrets"
Mar 14 15:42:04 nixgate pluto[13066]: added connection description "packetdefault"
Mar 14 15:42:04 nixgate pluto[13066]: added connection description "block"
Mar 14 15:42:05 nixgate pluto[13066]: added connection description "ascn"
Mar 14 15:42:05 nixgate pluto[13066]: added connection description "clear-or-private"
Mar 14 15:42:05 nixgate pluto[13066]: added connection description "clear"
Mar 14 15:42:05 nixgate pluto[13066]: added connection description "private-or-clear"
Mar 14 15:42:05 nixgate pluto[13066]: added connection description "private"
Mar 14 15:42:05 nixgate pluto[13066]: listening for IKE messages
Mar 14 15:42:05 nixgate pluto[13066]: adding interface eth1/eth1 192.168.35.2:500
Mar 14 15:42:05 nixgate pluto[13066]: adding interface eth1/eth1 192.168.35.2:4500
Mar 14 15:42:05 nixgate pluto[13066]: adding interface eth0/eth0 192.168.0.90:500
Mar 14 15:42:05 nixgate pluto[13066]: adding interface eth0/eth0 192.168.0.90:4500
Mar 14 15:42:05 nixgate pluto[13066]: adding interface lo/lo 127.0.0.1:500
Mar 14 15:42:05 nixgate pluto[13066]: adding interface lo/lo 127.0.0.1:4500
Mar 14 15:42:05 nixgate pluto[13066]: forgetting secrets
Mar 14 15:42:05 nixgate pluto[13066]: loading secrets from "/etc/ipsec/ipsec.secrets"
Mar 14 15:42:05 nixgate pluto[13066]: loading group "/etc/ipsec/ipsec.d/policies/private"
Mar 14 15:42:05 nixgate pluto[13066]: loading group "/etc/ipsec/ipsec.d/policies/private-or-clear"
Mar 14 15:42:05 nixgate pluto[13066]: loading group "/etc/ipsec/ipsec.d/policies/clear"
Mar 14 15:42:05 nixgate pluto[13066]: loading group "/etc/ipsec/ipsec.d/policies/clear-or-private"
Mar 14 15:42:05 nixgate pluto[13066]: loading group "/etc/ipsec/ipsec.d/policies/block"
Mar 14 15:42:05 nixgate pluto[13066]: can not use our IP (192.168.0.90:TXT) as identity: we don't know our own RSA key
Mar 14 15:42:05 nixgate pluto[13066]: can not use our hostname (@nixgate:TXT) as identity: we don't know our own RSA key
Mar 14 15:42:05 nixgate pluto[13066]: can not use our IP (192.168.0.90:KEY) as identity: we don't know our own RSA key
Mar 14 15:42:05 nixgate pluto[13066]: Can not opportunistically initiate for 192.168.35.16 to 205.188.8.134: KEY record for hostname as %myid (no good TXT): failure querying DNS for KEY of nixgate.: Host name lookup failure
Mar 14 15:42:05 nixgate pluto[13066]: Can not opportunistically initiate for 192.168.0.90 to 192.168.0.100: KEY record for hostname as %myid (no good TXT): failure querying DNS for KEY of nixgate.: Host name lookup failure
Mar 14 15:42:06 nixgate pluto[13066]: Can not opportunistically initiate for 192.168.0.90 to 205.188.8.134: KEY record for hostname as %myid (no good TXT): no host nixgate. for KEY record
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #1: initiating Main Mode
Mar 14 15:42:06 nixgate ipsec__plutorun: 104 "ascn" #1: STATE_MAIN_I1: initiate
Mar 14 15:42:06 nixgate ipsec__plutorun: ...could not start conn "ascn"
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #1: received Vendor ID payload [RFC 3947] method set to=110
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #1: received Vendor ID payload [Dead Peer Detection]
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #1: I did not send a certificate because I do not have one.
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.91'
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1536}
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #1: Dead Peer Detection (RFC 3706): enabled
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP {using isakmp#1}
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #2: Dead Peer Detection (RFC 3706): enabled
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 14 15:42:06 nixgate pluto[13066]: "ascn" #2: STATE_QUICK_I2: sent QI2, IPsec SA established {ESP=>0x2ec1503d <0x76265be1 xfrm=AES_128-HMAC_SHA1 NATD=none DPD=enabled}
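Added illustration, not part of the original post: with NETKEY there is no ipsec0 interface and no tunnel route, so the routing table and traceroute above only show the plain default route; whether the established SA is actually selecting traffic is visible in the kernel's xfrm policies and states. The check below parses `ip xfrm policy` and `ip xfrm state` output passed in as text; the subnets, peers and SPI 0x2ec1503d come from the log above, while the sample output itself, the reqid/priority values and the elided keys are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. netkey_tunnel_check takes captured
# `ip xfrm policy` and `ip xfrm state` output as text, so it also runs offline.

# Constructed sample output modelled on the "ascn" connection in the thread:
# 192.168.35.0/24 <-> 192.168.55.0/24 between 192.168.0.90 and 192.168.0.91,
# outbound ESP SPI 0x2ec1503d as logged by pluto (keys elided, reqid/priority made up).
SAMPLE_POLICY='src 192.168.35.0/24 dst 192.168.55.0/24
    dir out priority 2344
    tmpl src 192.168.0.90 dst 192.168.0.91
        proto esp reqid 16385 mode tunnel
src 192.168.55.0/24 dst 192.168.35.0/24
    dir in priority 2344
    tmpl src 192.168.0.91 dst 192.168.0.90
        proto esp reqid 16385 mode tunnel'
SAMPLE_STATE='src 192.168.0.90 dst 192.168.0.91
    proto esp spi 0x2ec1503d reqid 16385 mode tunnel
    replay-window 32
    auth hmac(sha1) 0xKEY-ELIDED
    enc cbc(aes) 0xKEY-ELIDED'

# usage: netkey_tunnel_check LEFTSUBNET RIGHTSUBNET OUT_SPI POLICY_TEXT STATE_TEXT
# Prints "policy:ok|missing state:ok|missing"; returns 0 only when both are ok.
netkey_tunnel_check() {
    l=$1; r=$2; spi=$3; pol=$4; st=$5; rc=0
    # 1. is there an outbound ("dir out") policy for exactly this subnet pair?
    if printf '%s\n' "$pol" | awk -v l="$l" -v r="$r" '
            $1=="src" && $2==l && $3=="dst" && $4==r { want=1; next }
            want && $1=="dir" && $2=="out"            { found=1 }
            { want=0 }
            END { exit !found }'; then p=ok; else p=missing; rc=1; fi
    # 2. does the kernel hold an ESP tunnel-mode state with the SPI pluto reported?
    if printf '%s\n' "$st" | awk -v spi="$spi" '
            $1=="proto" && $2=="esp" && $4==spi && /mode tunnel/ { found=1 }
            END { exit !found }'; then s=ok; else s=missing; rc=1; fi
    printf 'policy:%s state:%s\n' "$p" "$s"
    return $rc
}

# On a live host: netkey_tunnel_check ... "$(ip xfrm policy)" "$(ip xfrm state)"
netkey_tunnel_check 192.168.35.0/24 192.168.55.0/24 0x2ec1503d \
    "$SAMPLE_POLICY" "$SAMPLE_STATE"
```

If the policy is missing, the packets to 192.168.55.0/24 are simply routed out eth0 in the clear, which is exactly what the traceroute above shows.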
Found the snag:
Found the snag: the problem is in the stack implementation...
KLIPS on one end, NETKEY on the other.