I have been trying unsuccessfully for several days to set up a mobile phone running the Symbian operating system to connect to a MikroTik. The situation is as follows:
- The phone has a built-in VPN application that only does IPSec. I configured it as follows:
IKE mode: IKEv1 aggressive
Authentication method: pre-shared
and that is all as far as the phone is concerned (of course I also entered the router's IP address).
On the router I configured the following:
Code:
Flags: X - disabled
0 address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret="tajna"
generate-policy=yes exchange-mode=aggressive send-initial-contact=no
nat-traversal=no my-id-user-fqdn="" proposal-check=obey
hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 lifetime=1d
lifebytes=0 dpd-interval=disable-dpd dpd-maximum-failures=1
And that is all. Now, there were a lot of problems because the enc-algorithm did not match, then the hash algorithm... then this... then that... anyway, all of that is now matched and the phone connects successfully.
Code:
19:59:33 ipsec,debug ISAKMP-SA established 109.92.*.*[500]-109.245.*.*[556] spi:21bb543611b9d046:57b77848c31e4c0d
And then, as soon as I try to open some address from the phone's browser, I get the following in the router log:
Code:
20:01:04 ipsec,debug IPsec-SA established: ESP/Tunnel 109.92.*[0]->109.245.*[0] spi=1990901542(0x76aabf26)
20:01:04 ipsec,debug,packet ===
20:01:04 ipsec,debug,packet pk_recv: retry[0] recv()
20:01:04 ipsec,debug,packet such policy does not already exist: 10.107.126.206/32[0] 0.0.0.0/0[0] proto=any dir=in
20:01:04 ipsec,debug,packet pk_recv: retry[0] recv()
20:01:04 ipsec,debug,packet such policy does not already exist: 10.107.126.206/32[0] 0.0.0.0/0[0] proto=any dir=fwd
20:01:04 ipsec,debug,packet pk_recv: retry[0] recv()
20:01:04 ipsec,debug,packet such policy does not already exist: 0.0.0.0/0[0] 10.107.126.206/32[0] proto=any dir=out
And then it automatically creates policies for me:
Code:
Flags: X - disabled, D - dynamic, I - inactive
0 D src-address=10.107.126.206/32 src-port=any dst-address=0.0.0.0/0
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=109.92.*.*
sa-dst-address=109.245.*.* proposal=default priority=2
1 D src-address=10.107.126.206/32 src-port=any dst-address=0.0.0.0/0
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=109.92.*.*
sa-dst-address=109.245.*.* proposal=default priority=2
2 D src-address=0.0.0.0/0 src-port=any dst-address=10.107.126.206/32
dst-port=any protocol=all action=encrypt level=require
ipsec-protocols=esp tunnel=yes sa-src-address=109.245.*.*
sa-dst-address=109.92.*.* proposal=default priority=2
On top of that, I have no idea where it gets these 10.107.... addresses from; that range does not exist on the router.
The problem is that no address, whether from the internal or the external range, can be reached from the phone. There are no errors reported in the log, except that every two or three minutes it says it received R-U-THERE and sent an ACK.
Does anyone have an idea how I could debug this and what I should do?