Openswan Ubuntu malformed packet

I am trying to create an IPsec encrypted VPN tunnel from an Ubuntu server to a Cisco ASA 5540 using openswan.

I have set up VPN connections to Cisco routers before, so this task did not look like a big deal, but I have been stuck on it for several days.

I need to establish the connection with the following parameters (note that my_left_ip is the network IP on my side, my_left_id is my server's public IP, and my_right_ip is the VPN router's public IP):

conn my-conn
        type=tunnel
        authby=secret
        auth=esp
        ikelifetime=8h
        keylife=8h
        compress=no
        esp=3des128-md5
        ike=3des-md5-modp1024
        keyexchange=ike
        pfs=no
        forceencaps=yes
        # Left security gateway, subnet behind it, nexthop toward right.
        left=my_left_ip
        leftid=my_left_id
        leftsubnet=my_left_subnet
        leftnexthop=%defaultroute
        # Right security gateway, subnet behind it, nexthop toward left.
        right=my_right_ip
        rightid=my_right_ip
        rightsubnet=my_right_subnet
        rightnexthop=%defaultroute
        # To authorize this connection, but not actually start it,
        # at startup, uncomment this.
        auto=start

My ipsec.secrets file looks like this:

my_left_ip my_right_ip : PSK "my_shared_secret"

I have verified with the other side that we really do have the same pre-shared key, and that our hash and encryption algorithms match. But I am getting the following errors:

Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: initiating Main Mode
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: STATE_MAIN_I2: sent MI2, expecting MR2
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: received Vendor ID payload [Cisco-Unity]
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: received Vendor ID payload [XAUTH]
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: ignoring unknown Vendor ID payload [4134667de0a482c8eb1dae0586c309fa]
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: STATE_MAIN_I3: sent MI3, expecting MR3
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: received Vendor ID payload [Dead Peer Detection]
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: Main mode peer ID is ID_IPV4_ADDR: '10.255.255.252'
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: we require peer to have ID 'my_right_ip', but peer declares '10.255.255.252'
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: sending encrypted notification INVALID_ID_INFORMATION to my_right_ip:500
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: next payload type of ISAKMP Hash Payload has an unknown value: 128
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: malformed payload in packet
Dec 19 20:29:58 server01 pluto[30369]: | payload malformed after IV
Dec 19 20:29:58 server01 pluto[30369]: |   00 ea ff f9  b9 c6 69 1b
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: sending notification PAYLOAD_MALFORMED to my_right_ip:500

This is the Cisco router's configuration:

object-group network DM_INLINE_NETWORK_163
 network-object host right_ip_in_subnet1
 network-object host right_ip_in_subnet2
access-list OUTSIDE-WAN_24_cryptomap line 1 extended permit ip object-group DM_INLINE_NETWORK_163 host my_left_ip
access-list nonatinside line 224 extended permit ip object-group DM_INLINE_NETWORK_163 host my_left_ip
tunnel-group my_left_id type ipsec-l2l
tunnel-group my_left_id ipsec-attributes
 pre-shared-key **********
 isakmp keepalive threshold 10 retry 2
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map outside_map 24 match address OUTSIDE-WAN_24_cryptomap
crypto map outside_map 24 set peer my_left_id
crypto map outside_map 24 set transform-set ESP-3DES-MD5

access-list OUTSIDE-WAN_24_cryptomap line 1 remark SPROXIL - USA
no crypto map outside_map 24 set nat-t-disable

What could be causing this? Any help would be greatly appreciated.
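As an added example that is not part of the original question: a small Python checker over the pluto lines quoted above that pulls out, per connection, the last IKE state reached, the configured versus declared peer ID and the notifications pluto sent, so that the ID mismatch logged just before INVALID_ID_INFORMATION stands out from the later PAYLOAD_MALFORMED noise. The function and regex names are my own; the sample log is a constructed subset of the lines in the question.

```python
import re

# Constructed sample: the pluto lines from the question that carry the
# diagnostic evidence (connection name, state transitions, IDs, notifications).
SAMPLE_LOG = """\
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: initiating Main Mode
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: Main mode peer ID is ID_IPV4_ADDR: '10.255.255.252'
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: we require peer to have ID 'my_right_ip', but peer declares '10.255.255.252'
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: sending encrypted notification INVALID_ID_INFORMATION to my_right_ip:500
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: malformed payload in packet
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: sending notification PAYLOAD_MALFORMED to my_right_ip:500
"""

CONN = re.compile(r'"([^"]+)" #(\d+):')
STATE = re.compile(r"transition from state (\S+) to state (\S+)")
ID_MISMATCH = re.compile(r"we require peer to have ID '([^']+)', but peer declares '([^']+)'")
NOTIFY = re.compile(r"sending (?:encrypted )?notification (\S+) to (\S+)")

def analyze_pluto_log(text):
    """Per connection: last IKE state reached, configured-vs-declared peer ID, notifications sent."""
    report = {}
    for line in text.splitlines():
        m = CONN.search(line)
        if not m:
            continue  # "| ..." debug dump lines carry no connection tag
        entry = report.setdefault(m.group(1), {"last_state": None, "id_mismatch": None, "notifications": []})
        s = STATE.search(line)
        if s:
            entry["last_state"] = s.group(2)
        mm = ID_MISMATCH.search(line)
        if mm:
            entry["id_mismatch"] = {"expected": mm.group(1), "declared": mm.group(2)}
        n = NOTIFY.search(line)
        if n:
            entry["notifications"].append(n.group(1))
    return report

def diagnose(report):
    """Turn the parsed evidence into findings; an ID mismatch is reported first
    because pluto rejects the peer (INVALID_ID_INFORMATION) right after logging it."""
    findings = []
    for conn, e in report.items():
        if e["id_mismatch"]:
            findings.append(f"{conn}: rightid expects {e['id_mismatch']['expected']!r} but the peer "
                            f"identified itself as {e['id_mismatch']['declared']!r}; stalled at {e['last_state']}")
    return findings
```

Run it against a full /var/log/auth.log excerpt to see, per conn, whether the IKE exchange failed at the ID check or somewhere else.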
