I am setting up a site-to-site IPsec tunnel. The error I get indicates a Quick Mode proposal (ESP) mismatch:
Jan 27 09:23:42 raspberrypi charon: 10[ENC] generating QUICK_MODE request 2270601801 [ HASH SA No ID ID ]
Jan 27 09:23:42 raspberrypi charon: 10[NET] sending packet: from 192.168.0.150[4500] to 194.24.131.1[4500] (204 bytes)
Jan 27 09:23:42 raspberrypi charon: 12[NET] received packet: from 194.24.131.1[4500] to 192.168.0.150[4500] (92 bytes)
Jan 27 09:23:42 raspberrypi charon: 12[ENC] parsed INFORMATIONAL_V1 request 3838561195 [ HASH N(NO_PROP) ]
Jan 27 09:23:42 raspberrypi charon: 12[IKE] received NO_PROPOSAL_CHOSEN error notify
Remote host (Cisco side):
! policy1
crypto isakmp policy 152
 encr aes 256
 hash sha
 group 5
 lifetime 86400
!
! policy2
crypto ipsec transform-set TS-AES-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto keyring C-AVILOO
  pre-shared-key address 178.115.235.78 key *****************
!
crypto map vpn 89 ipsec-isakmp
 set peer 178.115.235.78
 set transform-set TS-AES-SHA256
 set isakmp-profile C-AVILOO
 match address C-AVILOO
 reverse-route static
!
ip access-list extended C-AVILOO
 permit ip host 172.19.254.89 host 178.115.131.146
 permit ip 10.0.0.0 0.0.31.255 128.0.0.0 127.255.255.255
 permit ip 10.0.0.0 0.0.31.255 64.0.0.0 63.255.255.255
 permit ip 10.0.0.0 0.0.31.255 32.0.0.0 31.255.255.255
 permit ip 10.0.0.0 0.0.31.255 16.0.0.0 15.255.255.255
 permit ip 10.0.0.0 0.0.31.255 8.0.0.0 7.255.255.255
 permit ip 10.0.0.0 0.0.31.255 4.0.0.0 3.255.255.255
 permit ip 10.0.0.0 0.0.31.255 2.0.0.0 1.255.255.255
 permit ip 10.0.0.0 0.0.31.255 1.0.0.0 0.255.255.255
!
On my server I use strongSwan with the following ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="all"
    #def nat_traversal=yes

conn %default
    ikelifetime=86400s
    keylife=3600s
    keyexchange=ikev1
    authby=secret

conn cisco
    #def left=%any
    #def left=%defaultroute
    leftid=<my public IP>
    left=%any
    #mod left=192.168.0.150
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    rightid=<cisco public IP>
    right=<cisco public IP>
    rightsubnet=10.0.0.0/19
    auto=start
    ike=aes256-sha-modp1536
    esp=aes256-sha256
    aggressive=no
Running ipsec statusall gives the following output:
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.75-v7+, armv7l):
  uptime: 3 seconds, since Jan 21 13:37:38 2020
  malloc: sbrk 1220608, mmap 0, used 302432, free 918176
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
  loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Listening IP addresses:
  192.168.0.150
Connections:
       cisco:  %any...<cisco public IP>  IKEv1
       cisco:   local:  [<my public IP>] uses pre-shared key authentication
       cisco:   remote: [<cisco public IP>] uses pre-shared key authentication
       cisco:   child:  0.0.0.0/0 === 10.0.0.0/19 TUNNEL
Security Associations (1 up, 0 connecting):
       cisco[1]: ESTABLISHED 2 seconds ago, 192.168.0.150[<my public IP>]...<cisco public IP>[<cisco public IP>]
       cisco[1]: IKEv1 SPIs: 097a85775d335a12_i* ed7822635e06c267_r, pre-shared key reauthentication in 23 hours
       cisco[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Log file:
Jan 21 13:37:38 raspberrypi charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.75-v7+, armv7l)
Jan 21 13:37:38 raspberrypi charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 21 13:37:38 raspberrypi charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 21 13:37:38 raspberrypi charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 21 13:37:38 raspberrypi charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 21 13:37:38 raspberrypi charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 21 13:37:38 raspberrypi charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 21 13:37:38 raspberrypi charon: 00[CFG] loaded IKE secret for <my public IP> <cisco public IP>
Jan 21 13:37:38 raspberrypi charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Jan 21 13:37:38 raspberrypi charon: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Jan 21 13:37:38 raspberrypi charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jan 21 13:37:38 raspberrypi charon: 00[JOB] spawning 16 worker threads
Jan 21 13:37:38 raspberrypi charon: 05[CFG] received stroke: add connection 'cisco'
Jan 21 13:37:38 raspberrypi charon: 05[CFG] added configuration 'cisco'
Jan 21 13:37:38 raspberrypi charon: 07[CFG] received stroke: initiate 'cisco'
Jan 21 13:37:38 raspberrypi charon: 07[IKE] initiating Main Mode IKE_SA cisco[1] to <cisco public IP>
Jan 21 13:37:38 raspberrypi charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Jan 21 13:37:38 raspberrypi charon: 07[NET] sending packet: from 192.168.0.150[500] to <cisco public IP>[500] (252 bytes)
Jan 21 13:37:38 raspberrypi charon: 09[NET] received packet: from <cisco public IP>[500] to 192.168.0.150[500] (108 bytes)
Jan 21 13:37:38 raspberrypi charon: 09[ENC] parsed ID_PROT response 0 [ SA V ]
Jan 21 13:37:38 raspberrypi charon: 09[IKE] received NAT-T (RFC 3947) vendor ID
Jan 21 13:37:38 raspberrypi charon: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Jan 21 13:37:38 raspberrypi charon: 09[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 21 13:37:38 raspberrypi charon: 09[NET] sending packet: from 192.168.0.150[500] to <cisco public IP>[500] (308 bytes)
Jan 21 13:37:38 raspberrypi charon: 10[NET] received packet: from <cisco public IP>[500] to 192.168.0.150[500] (368 bytes)
Jan 21 13:37:38 raspberrypi charon: 10[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Jan 21 13:37:38 raspberrypi charon: 10[IKE] received Cisco Unity vendor ID
Jan 21 13:37:38 raspberrypi charon: 10[IKE] received DPD vendor ID
Jan 21 13:37:38 raspberrypi charon: 10[ENC] received unknown vendor ID: 18:bf:85:7e:5e:07:c2:67:eb:55:0d:a8:e0:60:c2:b7
Jan 21 13:37:38 raspberrypi charon: 10[IKE] received XAuth vendor ID
Jan 21 13:37:38 raspberrypi charon: 10[IKE] local host is behind NAT, sending keep alives
Jan 21 13:37:38 raspberrypi charon: 10[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jan 21 13:37:38 raspberrypi charon: 10[NET] sending packet: from 192.168.0.150[4500] to <cisco public IP>[4500] (108 bytes)
Jan 21 13:37:39 raspberrypi charon: 16[NET] received packet: from <cisco public IP>[4500] to 192.168.0.150[4500] (92 bytes)
Jan 21 13:37:39 raspberrypi charon: 16[ENC] invalid HASH_V1 payload length, decryption failed?
Jan 21 13:37:39 raspberrypi charon: 16[ENC] could not decrypt payloads
Jan 21 13:37:39 raspberrypi charon: 16[IKE] message parsing failed
Jan 21 13:37:39 raspberrypi charon: 16[IKE] ignore malformed INFORMATIONAL request
Jan 21 13:37:39 raspberrypi charon: 16[IKE] INFORMATIONAL_V1 request with message ID 1010083930 processing failed
Jan 21 13:37:39 raspberrypi charon: 16[NET] received packet: from <cisco public IP>[4500] to 192.168.0.150[4500] (76 bytes)
Jan 21 13:37:39 raspberrypi charon: 16[ENC] parsed ID_PROT response 0 [ ID HASH ]
Jan 21 13:37:39 raspberrypi charon: 16[IKE] IKE_SA cisco[1] established between 192.168.0.150[<my public IP>]...<cisco public IP>[<cisco public IP>]
Jan 21 13:37:39 raspberrypi charon: 16[IKE] scheduling reauthentication in 85426s
Jan 21 13:37:39 raspberrypi charon: 16[IKE] maximum IKE_SA lifetime 85966s
Jan 21 13:37:39 raspberrypi charon: 16[ENC] generating QUICK_MODE request 2584173163 [ HASH SA No ID ID ]
Jan 21 13:37:39 raspberrypi charon: 16[NET] sending packet: from 192.168.0.150[4500] to <cisco public IP>[4500] (204 bytes)
Jan 21 13:37:39 raspberrypi charon: 12[NET] received packet: from <cisco public IP>[4500] to 192.168.0.150[4500] (92 bytes)
Jan 21 13:37:39 raspberrypi charon: 12[ENC] parsed INFORMATIONAL_V1 request 3026828106 [ HASH N(NO_PROP) ]
Jan 21 13:37:39 raspberrypi charon: 12[IKE] received NO_PROPOSAL_CHOSEN error notify
Jan 21 13:37:42 raspberrypi kernel: [511387.051018] Voltage normalised (0x00000000)
Jan 21 13:38:02 raspberrypi charon: 09[IKE] sending keep alive to <cisco public IP>[4500]
**This is my first time working with IPsec. I am confused because I do not understand what is actually going wrong. Any advice would be greatly appreciated.**
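A triage script for the situation in the question, added here as an illustration (it is not code from the question, from strongSwan or from Cisco). It does two things a practitioner would do by hand. First, it reads charon log lines and records which exchange was in flight when NO_PROPOSAL_CHOSEN arrived: in the log above the IKE_SA is ESTABLISHED and the notify follows a QUICK_MODE request, so phase 1 (the ike= line, the PSK and the IDs) is already agreed and the rejection is a phase 2 one. Second, it converts the Cisco crypto ACL (address plus wildcard mask) into CIDR pairs, mirrors them onto the strongSwan side (the ACE source is the Cisco-side network, i.e. strongSwan's rightsubnet, and the ACE destination is strongSwan's leftsubnet) and reports whether the conn's selector pair matches an ACE exactly or is merely covered by one. This matters because IKEv1 Quick Mode has no IKEv2-style selector narrowing: the responder either accepts the proxy IDs as offered or answers NO_PROPOSAL_CHOSEN, and on the configs as posted the ESP transforms (AES-256 with HMAC-SHA-256-128), the 3600 s lifetime and the absence of PFS already agree, which leaves the proxy IDs as the remaining phase 2 input to check. The log sample is constructed from the lines in the question with placeholder identities; the ACL is the one posted. The host ACE for 172.19.254.89 lies outside 10.0.0.0/19 and therefore does not appear in the mirrored list.

```python
"""Triage an IKEv1 NO_PROPOSAL_CHOSEN between strongSwan and Cisco IOS.

Added example, not code from the question, strongSwan or Cisco.
  classify_no_proposal(): which exchange was in flight when the notify arrived.
  check_selectors():      mirror the Cisco crypto ACL and compare it with the
                          strongSwan 'leftsubnet === rightsubnet' selector.
"""
import ipaddress


def classify_no_proposal(log_lines):
    """Return 'main_mode', 'quick_mode' or None, judged from charon's
    '[ENC] generating ...' lines preceding 'received NO_PROPOSAL_CHOSEN'."""
    phase = None
    for line in log_lines:
        if "generating ID_PROT" in line:
            phase = "main_mode"
        elif "generating QUICK_MODE" in line:
            phase = "quick_mode"
        elif "received NO_PROPOSAL_CHOSEN" in line:
            return phase
    return None


def wildcard_to_network(addr, wildcard):
    """Cisco 'addr wildcard' -> IPv4Network. Crypto ACLs need contiguous masks."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:  # a contiguous wildcard is 2^n - 1
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - w.bit_length()}", strict=False)


def _parse_addr(tokens, i):
    """Parse one address spec (host X | any | addr wildcard) at tokens[i]."""
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_crypto_acl(text):
    """Return [(src, dst)] for every 'permit ip' ACE of an IOS extended ACL."""
    pairs = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 4 and tokens[:2] == ["permit", "ip"]:
            src, i = _parse_addr(tokens, 2)
            dst, _ = _parse_addr(tokens, i)
            pairs.append((src, dst))
    return pairs


def check_selectors(leftsubnet, rightsubnet, acl_pairs):
    """Compare 'left === right' with the ACL. ACE source = strongSwan 'right'
    (Cisco-side network), ACE destination = strongSwan 'left'."""
    left = ipaddress.ip_network(leftsubnet)
    right = ipaddress.ip_network(rightsubnet)
    exact = [(s, d) for s, d in acl_pairs if s == right and d == left]
    covered = [(s, d) for s, d in acl_pairs
               if right.subnet_of(s) and left.subnet_of(d)]
    # leftsubnet values that would mirror the ACEs whose source is rightsubnet
    mirror = sorted({d for s, d in acl_pairs if s == right},
                    key=lambda n: (int(n.network_address), n.prefixlen))
    return {"exact": exact, "covered_by": covered,
            "mirror_leftsubnet": [str(n) for n in mirror]}


# Constructed sample modelled on the charon log in the question (placeholders
# 'me' and 'peer' stand in for the real identities).
SAMPLE_LOG = """\
charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
charon: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
charon: 16[IKE] IKE_SA cisco[1] established between 192.168.0.150[me]...peer[peer]
charon: 16[ENC] generating QUICK_MODE request 2584173163 [ HASH SA No ID ID ]
charon: 12[ENC] parsed INFORMATIONAL_V1 request 3026828106 [ HASH N(NO_PROP) ]
charon: 12[IKE] received NO_PROPOSAL_CHOSEN error notify
""".splitlines()

# The crypto ACL as posted for the Cisco side.
CISCO_ACL = """\
ip access-list extended C-AVILOO
 permit ip host 172.19.254.89 host 178.115.131.146
 permit ip 10.0.0.0 0.0.31.255 128.0.0.0 127.255.255.255
 permit ip 10.0.0.0 0.0.31.255 64.0.0.0 63.255.255.255
 permit ip 10.0.0.0 0.0.31.255 32.0.0.0 31.255.255.255
 permit ip 10.0.0.0 0.0.31.255 16.0.0.0 15.255.255.255
 permit ip 10.0.0.0 0.0.31.255 8.0.0.0 7.255.255.255
 permit ip 10.0.0.0 0.0.31.255 4.0.0.0 3.255.255.255
 permit ip 10.0.0.0 0.0.31.255 2.0.0.0 1.255.255.255
 permit ip 10.0.0.0 0.0.31.255 1.0.0.0 0.255.255.255
"""


def triage(log_lines=SAMPLE_LOG, acl_text=CISCO_ACL,
           leftsubnet="0.0.0.0/0", rightsubnet="10.0.0.0/19"):
    """Run both checks for the conn in the question and return the findings."""
    result = {"failed_in": classify_no_proposal(log_lines)}
    result.update(check_selectors(leftsubnet, rightsubnet, parse_crypto_acl(acl_text)))
    return result


if __name__ == "__main__":
    r = triage()
    print(f"NO_PROPOSAL_CHOSEN arrived during: {r['failed_in']}")
    print(f"exact ACE match for 0.0.0.0/0 === 10.0.0.0/19: {bool(r['exact'])}")
    print(f"covered by some ACE: {bool(r['covered_by'])}")
    print("leftsubnet that would mirror the ACL:", ",".join(r["mirror_leftsubnet"]))
```

Run as-is it reports a Quick Mode failure and that 0.0.0.0/0 === 10.0.0.0/19 neither equals nor fits inside any ACE, and prints the eight destination CIDRs (1.0.0.0/8 through 128.0.0.0/1) that would mirror the ACL. The script is only a comparison tool; it does not prove the selector pair is the cause, and a Cisco-side `debug crypto ipsec` (which typically reports a proxy ID rejection as "proxy identities not supported") is the authoritative check. Note that strongSwan 5.x negotiates a separate IPsec SA per subnet pair for IKEv1 when leftsubnet lists several networks.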