我尝试在服务器上配置 Ipsec,并以 openswan 为客户端。
但收到错误 - 可能是身份验证错误。
我在配置中写错了什么?
谢谢您的回答。
#1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "f-net" #1: received Vendor ID payload [Cisco-Unity]
003 "f-net" #1: received Vendor ID payload [Dead Peer Detection]
003 "f-net" #1: ignoring unknown Vendor ID payload [ca917959574c7d5aed4222a9df367018]
003 "f-net" #1: received Vendor ID payload [XAUTH]
108 "f-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "f-net" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "f-net" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "f-net" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "f-net" #1: discarding duplicate packet; already STATE_MAIN_I3
003 "f-net" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "f-net" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
031 "f-net" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message
000 "f-net" #1: starting keying attempt 2 of at most 3, but releasing whack
另一边——思科 ASA。
parameters for my connection on our Linux server :
VPN Gateway 8.*.*.* (Cisco )
Phase 1
Exchange Type
Main Mode
Identification Type
IP Address
Local ID 4.*.*.* (our Linux server IP)
Remote ID 8.*.*.* (VPN server IP)
Authentication PSK
Pre Shared Key
Diffie-Hellman Key Group DH 5 (1536 bit) or DH 2 (1024 bit)
Encryption Algorithm AES 256
HMAC Function SHA-1
Lifetime 86.400 seconds / no volume limit
Phase 2
Security Protocol ESP
Connection Mode Tunnel
Encryption Algorithm AES 256
HMAC Function SHA-1
Lifetime 3600 seconds / 4.608.000 kilobytes
DPD / IKE Keepalive 15 seconds
PFS off
Remote Network 192.168.100.0/24
Local Network 1 10.0.0.0/16
...............
Local Network 5
current openswan config :
#
config setup
klipsdebug=all
plutodebug="control parsing"
protostack=netkey
nat_traversal=no
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
nhelpers=0
conn f-net
type=tunnel
keyexchange=ike
authby=secret
auth=esp
esp=aes256-sha1
keyingtries=3
pfs=no
aggrmode=no
keylife=3600s
ike=aes256-sha1-modp1024
#
left=4.*.*.*
leftsubnet=10.0.0.0/16
leftid=4.*.*.*
leftnexthop=%defaultroute
right=8.*.*.*
rightsubnet=192.168.100.0/24
rightid=8.*.*.*
rightnexthop=%defaultroute
auto=add
答案1
问题出在 ESXi 桥上。(我们这边的 Virt 服务器位于具有外部 IP 的 ESXI 主机上)在同一个系统上,但在裸硬件(相同的 SL6-RHEL6)上运行,ipsec 运行良好。
config on our side :
conn f-net
type=tunnel
keyexchange=ike
authby=secret
auth=esp
esp=aes-sha1
keyingtries=3
pfs=no
ike=aes256-sha1-modp1536 ## also works without it
left=4***
leftsubnet=****
leftid=4***
leftnexthop=%defaultroute # correct in many situations
right=8*** # Remote vitals
rightsubnet=****
rightid=8***
rightnexthop=%defaultroute # correct in many situations
auto=add