Strongswan IPsec 配置(Linux - Cisco)

Strongswan IPsec 配置(Linux - Cisco)

我正在配置站点到站点 IPSec 隧道。我收到的错误显示快速模式提议 (ESP) 不匹配

Jan 27 09:23:42 raspberrypi charon: 10[ENC] generating QUICK_MODE request 2270601801 [ HASH SA No ID ID ] 
Jan 27 09:23:42 raspberrypi charon: 10[NET] sending packet: from 192.168.0.150[4500] to
194.24.131.1[4500] (204 bytes) 
Jan 27 09:23:42 raspberrypi charon: 12[NET] received packet: from 194.24.131.1[4500] to
192.168.0.150[4500] (92 bytes) 
Jan 27 09:23:42 raspberrypi charon: 12[ENC] parsed INFORMATIONAL_V1 request 3838561195 [ HASH N(NO_PROP) ] 
Jan 27 09:23:42 raspberrypi charon: 12[IKE] received NO_PROPOSAL_CHOSEN error notify

远程主机:


! policy1

crypto isakmp policy 152

encr aes 256

hash sha

group 5

lifetime 86400

!

! policy2

crypto ipsec transform-set TS-AES-SHA256 esp-aes 256 esp-sha256-hmac

 mode tunnel

!

crypto keyring C-AVILOO

  pre-shared-key address 178.115.235.78 key *****************

!

crypto map vpn 89 ipsec-isakmp

 set peer 178.115.235.78

set transform-set TS-AES-SHA256

 set isakmp-profile C-AVILOO

match address C-AVILOO

reverse-route static

!

ip access-list extended C-AVILOO

permit ip host 172.19.254.89 host 178.115.131.146

    permit ip 10.0.0.0 0.0.31.255 128.0.0.0 127.255.255.255

    permit ip 10.0.0.0 0.0.31.255 64.0.0.0 63.255.255.255

    permit ip 10.0.0.0 0.0.31.255 32.0.0.0 31.255.255.255

    permit ip 10.0.0.0 0.0.31.255 16.0.0.0 15.255.255.255

    permit ip 10.0.0.0 0.0.31.255 8.0.0.0 7.255.255.255

    permit ip 10.0.0.0 0.0.31.255 4.0.0.0 3.255.255.255

    permit ip 10.0.0.0 0.0.31.255 2.0.0.0 1.255.255.255

    permit ip 10.0.0.0 0.0.31.255 1.0.0.0 0.255.255.255

!        

在我的服务器上,我使用 strongswan 和以下 ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file

config setup

        charondebug="all"
#def    nat_traversal=yes

conn %default

        ikelifetime=86400s
        keylife=3600s
        keyexchange=ikev1
        authby=secret

conn cisco

#def    left=%any
#def    left=%defaultroute
        leftid= <my public IP>
        left=%any
#mod    left=192.168.0.150
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        rightid=<cisco public IP>
        right=<cisco public IP>
        rightsubnet=10.0.0.0/19
        auto=start
        ike=aes256-sha-modp1536
        esp=aes256-sha256
        aggressive=no


运行 ipsec statusall 提供以下输出:

Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.75-v7+, armv7l):
  uptime: 3 seconds, since Jan 21 13:37:38 2020
  malloc: sbrk 1220608, mmap 0, used 302432, free 918176
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
  loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Listening IP addresses:
  192.168.0.150
Connections:
       cisco:  %any...<cisco public IP>  IKEv1
       cisco:   local:  [<my public IP>] uses pre-shared key authentication
       cisco:   remote: [<cisco public IP>] uses pre-shared key authentication
       cisco:   child:  0.0.0.0/0 === 10.0.0.0/19 TUNNEL
Security Associations (1 up, 0 connecting):
       cisco[1]: ESTABLISHED 2 seconds ago, 192.168.0.150[<my public IP>]...<cisco public IP>[<cisco public IP>]
       cisco[1]: IKEv1 SPIs: 097a85775d335a12_i* ed7822635e06c267_r, pre-shared key reauthentication in 23 hours
       cisco[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

日志档案

Jan 21 13:37:38 raspberrypi charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.75-v7+, armv7l)
Jan 21 13:37:38 raspberrypi charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 21 13:37:38 raspberrypi charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 21 13:37:38 raspberrypi charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 21 13:37:38 raspberrypi charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 21 13:37:38 raspberrypi charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 21 13:37:38 raspberrypi charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 21 13:37:38 raspberrypi charon: 00[CFG]   loaded IKE secret for <my public IP> <cisco public IP>
Jan 21 13:37:38 raspberrypi charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Jan 21 13:37:38 raspberrypi charon: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Jan 21 13:37:38 raspberrypi charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jan 21 13:37:38 raspberrypi charon: 00[JOB] spawning 16 worker threads
Jan 21 13:37:38 raspberrypi charon: 05[CFG] received stroke: add connection 'cisco'
Jan 21 13:37:38 raspberrypi charon: 05[CFG] added configuration 'cisco'
Jan 21 13:37:38 raspberrypi charon: 07[CFG] received stroke: initiate 'cisco'
Jan 21 13:37:38 raspberrypi charon: 07[IKE] initiating Main Mode IKE_SA cisco[1] to <cisco public IP>
Jan 21 13:37:38 raspberrypi charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Jan 21 13:37:38 raspberrypi charon: 07[NET] sending packet: from 192.168.0.150[500] to <cisco public IP>[500] (252 bytes)
Jan 21 13:37:38 raspberrypi charon: 09[NET] received packet: from <cisco public IP>[500] to 192.168.0.150[500] (108 bytes)
Jan 21 13:37:38 raspberrypi charon: 09[ENC] parsed ID_PROT response 0 [ SA V ]
Jan 21 13:37:38 raspberrypi charon: 09[IKE] received NAT-T (RFC 3947) vendor ID
Jan 21 13:37:38 raspberrypi charon: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Jan 21 13:37:38 raspberrypi charon: 09[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 21 13:37:38 raspberrypi charon: 09[NET] sending packet: from 192.168.0.150[500] to <cisco public IP>[500] (308 bytes)
Jan 21 13:37:38 raspberrypi charon: 10[NET] received packet: from <cisco public IP>[500] to 192.168.0.150[500] (368 bytes)
Jan 21 13:37:38 raspberrypi charon: 10[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Jan 21 13:37:38 raspberrypi charon: 10[IKE] received Cisco Unity vendor ID
Jan 21 13:37:38 raspberrypi charon: 10[IKE] received DPD vendor ID
Jan 21 13:37:38 raspberrypi charon: 10[ENC] received unknown vendor ID: 18:bf:85:7e:5e:07:c2:67:eb:55:0d:a8:e0:60:c2:b7
Jan 21 13:37:38 raspberrypi charon: 10[IKE] received XAuth vendor ID
Jan 21 13:37:38 raspberrypi charon: 10[IKE] local host is behind NAT, sending keep alives
Jan 21 13:37:38 raspberrypi charon: 10[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jan 21 13:37:38 raspberrypi charon: 10[NET] sending packet: from 192.168.0.150[4500] to <cisco public IP>[4500] (108 bytes)
Jan 21 13:37:39 raspberrypi charon: 16[NET] received packet: from <cisco public IP>[4500] to 192.168.0.150[4500] (92 bytes)
Jan 21 13:37:39 raspberrypi charon: 16[ENC] invalid HASH_V1 payload length, decryption failed?
Jan 21 13:37:39 raspberrypi charon: 16[ENC] could not decrypt payloads
Jan 21 13:37:39 raspberrypi charon: 16[IKE] message parsing failed
Jan 21 13:37:39 raspberrypi charon: 16[IKE] ignore malformed INFORMATIONAL request
Jan 21 13:37:39 raspberrypi charon: 16[IKE] INFORMATIONAL_V1 request with message ID 1010083930 processing failed
Jan 21 13:37:39 raspberrypi charon: 16[NET] received packet: from <cisco public IP>[4500] to 192.168.0.150[4500] (76 bytes)
Jan 21 13:37:39 raspberrypi charon: 16[ENC] parsed ID_PROT response 0 [ ID HASH ]
Jan 21 13:37:39 raspberrypi charon: 16[IKE] IKE_SA cisco[1] established between 192.168.0.150[<my public IP>]...<cisco public IP>[<cisco public IP>]
Jan 21 13:37:39 raspberrypi charon: 16[IKE] scheduling reauthentication in 85426s
Jan 21 13:37:39 raspberrypi charon: 16[IKE] maximum IKE_SA lifetime 85966s
Jan 21 13:37:39 raspberrypi charon: 16[ENC] generating QUICK_MODE request 2584173163 [ HASH SA No ID ID ]
Jan 21 13:37:39 raspberrypi charon: 16[NET] sending packet: from 192.168.0.150[4500] to <cisco public IP>[4500] (204 bytes)
Jan 21 13:37:39 raspberrypi charon: 12[NET] received packet: from <cisco public IP>[4500] to 192.168.0.150[4500] (92 bytes)
Jan 21 13:37:39 raspberrypi charon: 12[ENC] parsed INFORMATIONAL_V1 request 3026828106 [ HASH N(NO_PROP) ]
Jan 21 13:37:39 raspberrypi charon: 12[IKE] received NO_PROPOSAL_CHOSEN error notify
Jan 21 13:37:42 raspberrypi kernel: [511387.051018] Voltage normalised (0x00000000)
Jan 21 13:38:02 raspberrypi charon: 09[IKE] sending keep alive to <cisco public IP>[4500]

** 这是我第一次接触 IPSec。我很困惑,因为我不明白到底哪里出了问题。如果能提供建议,我将不胜感激。**

相关内容