I am trying to create an IPsec encrypted VPN tunnel from an Ubuntu server to a Cisco ASA 5540 using openswan.
I had previously set up VPN connections to Cisco routers, so this task didn't look like a big deal, but I've been stuck on it for days.
I need to establish the connection with the following parameters (note that my_left_ip is the network IP on my side, my_left_id is my server's public IP, and my_right_ip is the public IP of the VPN router):
conn my-conn
        type=tunnel
        authby=secret
        auth=esp
        ikelifetime=8h
        keylife=8h
        compress=no
        esp=3des128-md5
        ike=3des-md5-modp1024
        keyexchange=ike
        pfs=no
        forceencaps=yes
        # Left security gateway, subnet behind it, nexthop toward right.
        left=my_left_ip
        leftid=my_left_id
        leftsubnet=my_left_subnet
        leftnexthop=%defaultroute
        # Right security gateway, subnet behind it, nexthop toward left.
        right=my_right_ip
        rightid=my_right_ip
        rightsubnet=my_right_subnet
        rightnexthop=%defaultroute
        # To authorize this connection, but not actually start it,
        # at startup, uncomment this.
        auto=start
My ipsec.secrets file looks like this:
my_left_ip my_right_ip : PSK "my_shared_secret"
I have verified with the other side that we do have the same pre-shared key and that our hashing and encryption algorithms match. But I'm getting the following error:
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: initiating Main Mode
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: STATE_MAIN_I2: sent MI2, expecting MR2
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: received Vendor ID payload [Cisco-Unity]
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: received Vendor ID payload [XAUTH]
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: ignoring unknown Vendor ID payload [4134667de0a482c8eb1dae0586c309fa]
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: STATE_MAIN_I3: sent MI3, expecting MR3
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: received Vendor ID payload [Dead Peer Detection]
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: Main mode peer ID is ID_IPV4_ADDR: '10.255.255.252'
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: we require peer to have ID 'my_right_ip', but peer declares '10.255.255.252'
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: sending encrypted notification INVALID_ID_INFORMATION to my_right_ip:500
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: next payload type of ISAKMP Hash Payload has an unknown value: 128
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: malformed payload in packet
Dec 19 20:29:58 server01 pluto[30369]: | payload malformed after IV
Dec 19 20:29:58 server01 pluto[30369]: | 00 ea ff f9 b9 c6 69 1b
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: sending notification PAYLOAD_MALFORMED to my_right_ip:500
Here is the Cisco router's configuration:
object-group network DM_INLINE_NETWORK_163
network-object host right_ip_in_subnet1
network-object host right_ip_in_subnet2
access-list OUTSIDE-WAN_24_cryptomap line 1 extended permit ip object-group DM_INLINE_NETWORK_163 host my_left_ip
access-list nonatinside line 224 extended permit ip object-group DM_INLINE_NETWORK_163 host my_left_ip
tunnel-group my_left_id type ipsec-l2l
tunnel-group my_left_id ipsec-attributes
pre-shared-key **********
isakmp keepalive threshold 10 retry 2
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 24 match address OUTSIDE-WAN_24_cryptomap
crypto map outside_map 24 set peer my_left_id
crypto map outside_map 24 set transform-set ESP-3DES-MD5
access-list OUTSIDE-WAN_24_cryptomap line 1 remark SPROXIL - USA
no crypto map outside_map 24 set nat-t-disable
What could be causing this? Any help would be greatly appreciated.
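As an added example (not part of the question above), a small Python parser for the pluto log format shown in the post: it pulls out the last Main Mode state reached, the peer ID that the local rightid requires versus the ID the peer actually declared, and the notifications sent, so an INVALID_ID_INFORMATION failure can be spotted from the logs programmatically. The sample log is constructed from the lines in the question with its placeholders kept.

```python
import re

# Constructed sample: pluto log lines taken from the question, placeholders kept as-is.
SAMPLE_LOG = """\
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: initiating Main Mode
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: Main mode peer ID is ID_IPV4_ADDR: '10.255.255.252'
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: we require peer to have ID 'my_right_ip', but peer declares '10.255.255.252'
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: sending encrypted notification INVALID_ID_INFORMATION to my_right_ip:500
Dec 19 20:29:58 server01 pluto[30369]: | payload malformed after IV
"""

# One pluto line: conn name in quotes, "#<sa number>:", then the message text.
LINE_RE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION_RE = re.compile(r'transition from state (\S+) to state (\S+)')
ID_MISMATCH_RE = re.compile(r"we require peer to have ID '([^']+)', but peer declares '([^']+)'")
NOTIFY_RE = re.compile(r'sending (?:encrypted )?notification (\S+) to')

def diagnose(log_text: str) -> dict:
    """Walk pluto log lines for one SA and summarise where IKE phase 1 stopped."""
    result = {"conn": None, "sa": None, "last_state": None, "required_id": None,
              "declared_id": None, "notifications": [], "verdict": "no failure seen"}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:  # debug lines ("| ...") carry no conn/SA prefix and are skipped
            continue
        result["conn"], result["sa"] = m["conn"], int(m["sa"])
        msg = m["msg"]
        t = TRANSITION_RE.search(msg)
        if t:
            result["last_state"] = t.group(2)
        mm = ID_MISMATCH_RE.search(msg)
        if mm:
            result["required_id"], result["declared_id"] = mm.group(1), mm.group(2)
        n = NOTIFY_RE.search(msg)
        if n:
            result["notifications"].append(n.group(1))
    if result["required_id"] is not None:
        result["verdict"] = (f"phase 1 failed at {result['last_state']}: local rightid expects "
                             f"'{result['required_id']}' but peer identifies as '{result['declared_id']}'")
    return result

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG)["verdict"])
```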