我正在尝试使用 StrongSwan (5.5.1-4+deb9u1) 在内核为 4.9.0-5-amd64 的 Debian Linux 上连接到 Cisco ASA IKEv1 VPN。这是一个经典问题,我发现了很多关于这个主题的讨论,也尝试了很多配置调整,但到目前为止都没有什么帮助。
我无法访问 ASA 本身,但通过这种方式我可以获得有关提案的一些基本信息:
$ sudo ike-scan -v -v ASA_IP_ADDRESS 2>&1
DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
--- Sending packet #1 to host entry 1 (ASA_IP_ADDRESS) tmo 500000 us
--- Received packet #1 from ASA_IP_ADDRESS
ASA_IP_ADDRESS Main Mode Handshake returned HDR=(CKY-R=79f5d28631ffd07f) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
--- Removing host entry 1 (ASA_IP_ADDRESS) - Received 104 bytes
Ending ike-scan 1.9.4: 1 hosts scanned in 0.017 seconds (57.15 hosts/sec). 1 returned handshake; 0 returned notify
ipsec up asavpn
这是我发出命令时看到的内容:
initiating Aggressive Mode IKE_SA asavpn[1] to ASA_IP_ADDRESS
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
sending packet: from 192.168.7.117[500] to ASA_IP_ADDRESS[500] (375 bytes)
received packet: from ASA_IP_ADDRESS[500] to 192.168.7.117[500] (436 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (108 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (76 bytes)
parsed TRANSACTION request 4213336740 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 4213336740 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (68 bytes)
parsed TRANSACTION request 557234584 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'vpn-user123' (myself) successful
IKE_SA asavpn[1] established between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
scheduling reauthentication in 3379s
maximum IKE_SA lifetime 3559s
generating TRANSACTION response 557234584 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (68 bytes)
generating TRANSACTION request 3340376289 [ HASH CPRQ(ADDR DNS DNS DNS U_SPLITINC U_LOCALLAN) ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (300 bytes)
parsed TRANSACTION response 3340376289 [ HASH CPRP(ADDR DNS DNS U_SPLITINC) ]
installing DNS server 172.51.2.47 to /etc/resolv.conf
installing DNS server 172.51.2.50 to /etc/resolv.conf
installing new virtual IP 172.17.254.12
generating QUICK_MODE request 2105961987 [ HASH SA No ID ID ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (172 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 3744028568 [ HASH D ]
received DELETE for IKE_SA asavpn[1]
deleting IKE_SA asavpn[1] between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
installing new virtual IP 172.17.254.12
establishing connection 'asavpn' failed
这是我的(修剪过的)ipsec.conf:
config setup
charondebug="ike 2, knl 2, cfg 2"
uniqueids = yes
strictcrlpolicy=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=2
keyexchange=ikev2 # this is because I use more VPN connections then the only asavpn
mobike=yes
conn asavpn
leftauth=psk
leftauth2=xauth
leftsubnet=192.168.7.0/24
aggressive=yes
ike=3des-sha1-modp1024!
esp=3des-sha1!
xauth=client
xauth_identity="vpn-user123"
leftid=PRZ
keyexchange=ikev1
leftsourceip=%config
rightsubnet=0.0.0.0/0
leftdns=172.51.2.47, 172.51.2.50
right=ASA_IP_ADDRESS
rightsubnet=0.0.0.0/0
rightauth=psk
auto=add
我的ipsec.secrets:
vpn-user123 : XAUTH "my.passw0rd"
PRZ@%any ASA_IP_ADDRESS : PSK "secret-120-characters-long-hash"
这是 charon 日志:
Feb 02 12:02:19 lenovo-pc charon[10329]: 15[CFG] received stroke: initiate 'asavpn'
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[KNL] using 192.168.7.117 as address to reach ASA_IP_ADDRESS/32
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_VENDOR task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_CERT_PRE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing AGGRESSIVE_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_CERT_POST task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_NATD task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing QUICK_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] activating ISAKMP_VENDOR task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] activating ISAKMP_CERT_PRE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] activating AGGRESSIVE_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] activating ISAKMP_CERT_POST task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] activating ISAKMP_NATD task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending XAuth vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending DPD vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending Cisco Unity vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending FRAGMENTATION vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending NAT-T (RFC 3947) vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] initiating Aggressive Mode IKE_SA asavpn[2] to ASA_IP_ADDRESS
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] initiating Aggressive Mode IKE_SA asavpn[2] to ASA_IP_ADDRESS
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] IKE_SA asavpn[2] state change: CREATED => CONNECTING
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[NET] sending packet: from 192.168.7.117[500] to ASA_IP_ADDRESS[500] (375 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[NET] received packet: from ASA_IP_ADDRESS[500] to 192.168.7.117[500] (436 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received Cisco Unity vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received XAuth vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received DPD vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received NAT-T (RFC 3947) vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received FRAGMENTATION vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] selecting proposal:
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] proposal matches
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] local host is behind NAT, sending keep alives
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] reinitiating already active tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] ISAKMP_VENDOR task
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] AGGRESSIVE_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] queueing MODE_CONFIG task
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (108 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] nothing to initiate
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (76 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[ENC] parsed TRANSACTION request 3634853475 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[ENC] generating TRANSACTION response 3634853475 [ HASH CPRP(X_USER X_PWD) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (68 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[ENC] parsed TRANSACTION request 2358240213 [ HASH CPS(X_STATUS) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] XAuth authentication of 'vpn-user123' (myself) successful
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] IKE_SA asavpn[2] established between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] IKE_SA asavpn[2] established between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] IKE_SA asavpn[2] state change: CONNECTING => ESTABLISHED
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] scheduling reauthentication in 3384s
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] maximum IKE_SA lifetime 3564s
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[ENC] generating TRANSACTION response 2358240213 [ HASH CPA(X_STATUS) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (68 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] activating MODE_CONFIG task
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[ENC] generating TRANSACTION request 3672090717 [ HASH CPRQ(ADDR DNS DNS DNS U_SPLITINC U_LOCALLAN) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (300 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[ENC] parsed TRANSACTION response 3672090717 [ HASH CPRP(ADDR DNS DNS U_SPLITINC) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing INTERNAL_IP4_ADDRESS attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing INTERNAL_IP4_DNS attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] installing DNS server 172.51.2.47 to /etc/resolv.conf
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing INTERNAL_IP4_DNS attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] installing DNS server 172.51.2.50 to /etc/resolv.conf
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing UNITY_SPLIT_INCLUDE attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[KNL] 192.168.7.117 is on interface wlp5s0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] installing new virtual IP 172.17.254.12
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[KNL] virtual IP 172.17.254.12 installed on wlp5s0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] activating QUICK_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[KNL] got SPI cc107754
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] proposing traffic selectors for us:
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] 192.168.7.0/24
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] proposing traffic selectors for other:
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] 0.0.0.0/0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] changing proposed traffic selectors for other:
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] 0.0.0.0/0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[ENC] generating QUICK_MODE request 239751605 [ HASH SA No ID ID ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (172 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (84 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[ENC] parsed INFORMATIONAL_V1 request 2669190869 [ HASH N(NO_PROP) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] received NO_PROPOSAL_CHOSEN error notify
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[KNL] deleting SAD entry with SPI cc107754
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[KNL] deleted SAD entry with SPI cc107754
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (84 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] parsed INFORMATIONAL_V1 request 4133932276 [ HASH D ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received DELETE for IKE_SA asavpn[2]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] deleting IKE_SA asavpn[2] between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] deleting IKE_SA asavpn[2] between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] removing DNS server 172.51.2.50 from /etc/resolv.conf
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] removing DNS server 172.51.2.47 from /etc/resolv.conf
可能出了什么问题?
感谢您的帮助,我非常感激!
更新:
添加 vpnc.log(用于工作连接):https://pastebin.com/KDx3HTnC
答案1
vpnc
在解析快速模式响应时,可以在客户端的调试日志中看到
PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 0020
t.number: 01
t.id: 0c (ISAKMP_IPSEC_ESP_AES)
t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
t.attributes.u.lots.length: 0004
t.attributes.u.lots.data: 0020c49b
t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
t.attributes.u.attr_16: 0003 (IPSEC_ENCAP_UDP_TUNNEL)
t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
t.attributes.u.attr_16: 0002 (IPSEC_AUTH_HMAC_SHA)
t.attributes.type: 0006 (ISAKMP_IPSEC_ATTRIB_KEY_LENGTH)
t.attributes.u.attr_16: 0100
DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
服务器接受的提议实际上是使用 256 位密钥长度作为加密和使用 SHA-1 作为完整性算法的 AES。因此要使用与 strongSwan 配置相同的方法esp=aes256-sha1!
。