Amazon EC2 上的 OpenSwan - 最大重传次数已达到 STATE_MAIN_I3。可能的身份验证失败:

Amazon EC2 上的 OpenSwan - 最大重传次数已达到 STATE_MAIN_I3。可能的身份验证失败:

我们正在通过 VPN 隧道与我们的一位客户进行通信。

Openswan 隧道之前运行良好。今天我们将弹性 IP 连接到服务器并重新启动。从那时起,隧道就无法启动了。

以下是我们已执行的步骤:

  1. 要求客户在其端更新我们的新 IP - 已完成

  2. 在我们这边更新 ipsec.config - 完成(这是新文件)

    nat_traversal=yes
    oe=off
    protostack=netkey
    interfaces="%defaultroute"       
    conn customer
            type=tunnel
            authby=secret
            left=%defaultroute
            leftid=52.24.154.45 <elastic-ip>
            leftsourceip=172.31.38.203 <internal-ip>
            leftnexthop=%defaultroute
            leftsubnet=172.31.0.0/16
            right=<client-public-ip>
            rightid=<client-public-ip>
            rightsubnet=<clients-subnet>
            phase2=esp
            phase2alg=3des-md5;modp1024
            ike=3des-md5;modp1024!
            ikelifetime=480m
            pfs=no
            auto=start
            rekey=yes
            keyingtries=%forever
    
  3. ipsec.secrets——无需修改

      include /var/lib/openswan/ipsec.secrets.inc
      <client-public-ip> 0.0.0.0 %any: PSK "xxxxxxxxxxxxxx"
    
  4. iptables -L

  5. iptables -t nat -L

  6. ipsec 自动 --状态

    000 using kernel interface: netkey 000 interface lo/lo ::1 000 interface lo/lo 127.0.0.1 000 interface lo/lo 127.0.0.1 000 interface eth0/eth0 172.31.38.203 000 interface eth0/eth0 172.31.38.203 000 interface eth0/eth0 52.24.154.45 000 interface eth0/eth0 52.24.154.45 000 %myid = (none) 000 debug none 000
    000 virtual_private (%priv): 000 - allowed 7 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 203.201.213.0/24, fd00::/8, fe80::/10 000 - disallowed 0 subnets: 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have 000 private address space in internal use, it should be excluded! 000
    000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0 000
    000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048 000
    000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,3072} attrs={0,1,2048} 000
    000 "customer": 172.31.0.0/16===172.31.38.203[52.24.154.45]---172.31.32.1...203.201.209.98<203.201.209.98>===203.201.213.0/24; prospective erouted; eroute owner: #0 000 "customer": myip=172.31.38.203; hisip=unset; 000 "customer": ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "customer": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,24; interface: eth0; 000 "customer": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 "customer": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=strict 000 "customer": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2) 000 "customer": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; pfsgroup=MODP1024(2); flags=-strict 000 "customer": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128 000
    000 #2: "customer":4500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 33s; nodpd; idle; import:admin initiate 000 #2: pending Phase 2 for "customer" replacing #0 000

  7. 尾部/var/log/auth.log

    Jan 11 20:10:57 ip-172-31-38-203 ipsec__plutorun: Starting Pluto subsystem... Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: Starting Pluto (Openswan Version 2.6.38; Vendor ID OEvy\134kgzWq\134s) pid:27458 Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: LEAK_DETECTIVE support [disabled] Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: OCF support for IKE [disabled] Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: SAref support [disabled]: Protocol not available Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: SAbind support [disabled]: Protocol not available Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: NSS support [disabled] Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: HAVE_STATSD notification support not compiled in Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: Setting NAT-Traversal port-4500 floating to on Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: port floating activation criteria nat_t=1/port_float=1 Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: NAT-Traversal support [enabled] Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: using /dev/urandom as source of random entropy Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: starting up 1 cryptographic helpers Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: started helper pid=27460 (fd:6) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: Using Linux 2.6 IPsec interface code on 3.13.0-36-generic (experimental code) Jan 11 20:10:57 ip-172-31-38-203 pluto[27460]: using /dev/urandom as source of random entropy Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17) Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: added connection description "customer" Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: listening for IKE messages Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 52.24.154.45:500 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 52.24.154.45:4500 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 172.31.38.203:500 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 172.31.38.203:4500 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface lo/lo 127.0.0.1:500 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface lo/lo 127.0.0.1:4500 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface lo/lo ::1:500 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: loading secrets from "/etc/ipsec.secrets" Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc" Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: initiating Main Mode Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: ignoring Vendor ID payload [FRAGMENTATION] Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: STATE_MAIN_I2: sent MI2, expecting MR2 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: STATE_MAIN_I3: sent MI3, expecting MR3 Jan 11 20:12:01 ip-172-31-38-203 pluto[27458]: initiate on demand from 172.31.38.203:0 to 203.201.213.58:80 proto=6 state: fos_start because: acquire Jan 11 20:12:08 ip-172-31-38-203 pluto[27458]: "customer" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message Jan 11 20:12:08 ip-172-31-38-203 pluto[27458]: "customer" #1: starting keying attempt 2 of an unlimited number

正如您在最后几行中看到的,问题是:

“客户”#1:已达到最大重传次数 (2) STATE_MAIN_I3。可能身份验证失败:对我们的第一条加密消息没有可接受的响应

有人能给我们指点迷津吗?我们几乎尝试了 Secret 文件和 IPSec Config 的所有可能组合。

答案1

不确定是否仍然相关,但我们的 VPN 服务器(也托管在 AWS 上)经常遇到类似的错误。

通常使用这些命令重新启动服务可以解决问题:

  • /etc/init.d/ipsec restart
  • /etc/init.d/xl2tpd restart

但我不知道为什么会发生这种情况。有时 VPN 隧道在使用过程中会崩溃,只有重新启动它才能再次建立连接

相关内容