Я слишком долго рвал волосы от разочарования и решил, что Serverfault может помочь. Может кто-нибудь как-нибудь это объяснить?
Я несколько раз переустанавливал openswan / ipsec с очисткой, я регенерировал ключи и пробовал, насколько мог, все.
[root@db1 ipsec.d]# ipsec auto --add db-to-db
conn 'db-to-db': not found (tried aliases)
[root@db1 ipsec.d]# cat /etc/ipsec.d/db1.conf
conn db-to-db
left=10.0.10.61
leftid=@db1
leftrsasigkey=0sAQO...co9sz
leftnexthop=%defaultroute
right=10.0.10.62
rightid=@db2
rightrsasigkey=0sAQP...7iex3cd
rightnexthop=%defaultroute
authby=rsasig
auto=start
[root]@db1 ipsec.d]# tail /var/log/secure
Oct 17 06:56:51 db1 pluto[1567]: packet from 10.0.10.62:500: received Vendor ID payload [Openswan (this version) 2.6.32 ]
Oct 17 06:56:51 db1 pluto[1567]: packet from 10.0.10.62:500: received Vendor ID payload [Dead Peer Detection]
Oct 17 06:56:51 db1 pluto[1567]: packet from 10.0.10.62:500: received Vendor ID payload [RFC 3947] method set to=109
Oct 17 06:56:51 db1 pluto[1567]: packet from 10.0.10.62:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
Oct 17 06:56:51 db1 pluto[1567]: packet from 10.0.10.62:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
Oct 17 06:56:51 db1 pluto[1567]: packet from 10.0.10.62:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
Oct 17 06:56:51 db1 pluto[1567]: packet from 10.0.10.62:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Oct 17 06:56:51 db1 pluto[1567]: packet from 10.0.10.62:500: initial Main Mode message received on 10.0.10.61:500 but no connection has been authorized with policy=RSASIG
[root@db2 ipsec.d]# ipsec auto --add db-to-db
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
[root@db2 ipsec.d]# cat /etc/ipsec.d/db2.conf
conn db-to-db
left=10.0.10.61
leftid=@db1
leftrsasigkey=0sAQO....co9sz
leftnexthop=%defaultroute
right=10.0.10.62
rightid=@db2
rightrsasigkey=0sAQP...7iex3cd
rightnexthop=%defaultroute
authby=rsasig
auto=start
[root@db2 ipsec.d]# tail /var/log/secure
Oct 17 06:35:04 db2 pluto[4514]: initiate on demand from 10.0.10.62:3306 to 10.0.10.61:34007 proto=6 state: fos_start because: acquire
Oct 17 06:35:06 db2 pluto[4514]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.0.10.61 port 500, complainant 10.0.10.61: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Oct 17 06:35:46 db2 pluto[4514]: ERROR: asynchronous network error report on eth0 (sport=500) for message to 10.0.10.61 port 500, complainant 10.0.10.61: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
Oct 17 06:36:26 db2 pluto[4514]: "db-to-db" #1: max number of retransmissions (20) reached STATE_MAIN_I1. No response (or no acceptable response) to our first IKE message
Oct 17 06:36:26 db2 pluto[4514]: "db-to-db" #1: starting keying attempt 2 of an unlimited number
Oct 17 06:36:26 db2 pluto[4514]: "db-to-db" #2: initiating Main Mode to replace #1
Любой ответ очень приветствуется, спасибо.
Решено не будучи полностью глупым. Раскомментируйте эту строку в /etc/ipsec.conf
#include /etc/ipsec.d/*.conf