Strongswan:连接到 Cisco ASA 时“收到 NO_PROPOSAL_CHOSEN 错误通知”

Strongswan:连接到 Cisco ASA 时“收到 NO_PROPOSAL_CHOSEN 错误通知”

我正在尝试使用 StrongSwan (5.5.1-4+deb9u1) 在内核为 4.9.0-5-amd64 的 Debian Linux 上连接到 Cisco ASA IKEv1 VPN。这是一个经典问题,我发现了很多关于这个主题的讨论,也尝试了很多配置调整,但到目前为止都没有什么帮助。

我无法访问 ASA 本身,但通过这种方式我可以获得有关提案的一些基本信息:

$ sudo ike-scan -v -v ASA_IP_ADDRESS 2>&1
DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
--- Sending packet #1 to host entry 1 (ASA_IP_ADDRESS) tmo 500000 us
--- Received packet #1 from ASA_IP_ADDRESS
ASA_IP_ADDRESS  Main Mode Handshake returned HDR=(CKY-R=79f5d28631ffd07f) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
--- Removing host entry 1 (ASA_IP_ADDRESS) - Received 104 bytes

Ending ike-scan 1.9.4: 1 hosts scanned in 0.017 seconds (57.15 hosts/sec).  1 returned handshake; 0 returned notify

ipsec up asavpn这是我发出命令时看到的内容:

initiating Aggressive Mode IKE_SA asavpn[1] to ASA_IP_ADDRESS
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
sending packet: from 192.168.7.117[500] to ASA_IP_ADDRESS[500] (375 bytes)
received packet: from ASA_IP_ADDRESS[500] to 192.168.7.117[500] (436 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (108 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (76 bytes)
parsed TRANSACTION request 4213336740 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 4213336740 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (68 bytes)
parsed TRANSACTION request 557234584 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'vpn-user123' (myself) successful
IKE_SA asavpn[1] established between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
scheduling reauthentication in 3379s
maximum IKE_SA lifetime 3559s
generating TRANSACTION response 557234584 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (68 bytes)
generating TRANSACTION request 3340376289 [ HASH CPRQ(ADDR DNS DNS DNS U_SPLITINC U_LOCALLAN) ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (300 bytes)
parsed TRANSACTION response 3340376289 [ HASH CPRP(ADDR DNS DNS U_SPLITINC) ]
installing DNS server 172.51.2.47 to /etc/resolv.conf
installing DNS server 172.51.2.50 to /etc/resolv.conf
installing new virtual IP 172.17.254.12
generating QUICK_MODE request 2105961987 [ HASH SA No ID ID ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (172 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 3744028568 [ HASH D ]
received DELETE for IKE_SA asavpn[1]
deleting IKE_SA asavpn[1] between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
installing new virtual IP 172.17.254.12
establishing connection 'asavpn' failed

这是我的(修剪过的)ipsec.conf:

config setup
    charondebug="ike 2, knl 2, cfg 2"
    uniqueids = yes
    strictcrlpolicy=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=2
    keyexchange=ikev2 # this is because I use more VPN connections then the only asavpn
    mobike=yes

conn asavpn
    leftauth=psk
    leftauth2=xauth
    leftsubnet=192.168.7.0/24
    aggressive=yes
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    xauth=client
    xauth_identity="vpn-user123"
    leftid=PRZ
    keyexchange=ikev1
    leftsourceip=%config
    rightsubnet=0.0.0.0/0
    leftdns=172.51.2.47, 172.51.2.50
    right=ASA_IP_ADDRESS
    rightsubnet=0.0.0.0/0
    rightauth=psk
    auto=add

我的ipsec.secrets:

vpn-user123 : XAUTH "my.passw0rd"
PRZ@%any ASA_IP_ADDRESS : PSK "secret-120-characters-long-hash"

这是 charon 日志:

Feb 02 12:02:19 lenovo-pc charon[10329]: 15[CFG] received stroke: initiate 'asavpn'
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[KNL] using 192.168.7.117 as address to reach ASA_IP_ADDRESS/32
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_VENDOR task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_CERT_PRE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing AGGRESSIVE_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_CERT_POST task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_NATD task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing QUICK_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE]   activating ISAKMP_VENDOR task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE]   activating ISAKMP_CERT_PRE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE]   activating AGGRESSIVE_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE]   activating ISAKMP_CERT_POST task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE]   activating ISAKMP_NATD task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending XAuth vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending DPD vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending Cisco Unity vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending FRAGMENTATION vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending NAT-T (RFC 3947) vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] initiating Aggressive Mode IKE_SA asavpn[2] to ASA_IP_ADDRESS
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] initiating Aggressive Mode IKE_SA asavpn[2] to ASA_IP_ADDRESS
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] IKE_SA asavpn[2] state change: CREATED => CONNECTING
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[NET] sending packet: from 192.168.7.117[500] to ASA_IP_ADDRESS[500] (375 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[NET] received packet: from ASA_IP_ADDRESS[500] to 192.168.7.117[500] (436 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received Cisco Unity vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received XAuth vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received DPD vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received NAT-T (RFC 3947) vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received FRAGMENTATION vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] selecting proposal:
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG]   proposal matches
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] local host is behind NAT, sending keep alives
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] reinitiating already active tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE]   ISAKMP_VENDOR task
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE]   AGGRESSIVE_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] queueing MODE_CONFIG task
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (108 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] nothing to initiate
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (76 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[ENC] parsed TRANSACTION request 3634853475 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[ENC] generating TRANSACTION response 3634853475 [ HASH CPRP(X_USER X_PWD) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (68 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[ENC] parsed TRANSACTION request 2358240213 [ HASH CPS(X_STATUS) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] XAuth authentication of 'vpn-user123' (myself) successful
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] IKE_SA asavpn[2] established between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] IKE_SA asavpn[2] established between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] IKE_SA asavpn[2] state change: CONNECTING => ESTABLISHED
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] scheduling reauthentication in 3384s
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] maximum IKE_SA lifetime 3564s
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[ENC] generating TRANSACTION response 2358240213 [ HASH CPA(X_STATUS) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (68 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE]   activating MODE_CONFIG task
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[ENC] generating TRANSACTION request 3672090717 [ HASH CPRQ(ADDR DNS DNS DNS U_SPLITINC U_LOCALLAN) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (300 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[ENC] parsed TRANSACTION response 3672090717 [ HASH CPRP(ADDR DNS DNS U_SPLITINC) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing INTERNAL_IP4_ADDRESS attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing INTERNAL_IP4_DNS attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] installing DNS server 172.51.2.47 to /etc/resolv.conf
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing INTERNAL_IP4_DNS attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] installing DNS server 172.51.2.50 to /etc/resolv.conf
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing UNITY_SPLIT_INCLUDE attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[KNL] 192.168.7.117 is on interface wlp5s0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] installing new virtual IP 172.17.254.12
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[KNL] virtual IP 172.17.254.12 installed on wlp5s0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE]   activating QUICK_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[KNL] got SPI cc107754
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] proposing traffic selectors for us:
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG]  192.168.7.0/24
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] proposing traffic selectors for other:
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG]  0.0.0.0/0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] changing proposed traffic selectors for other:
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG]  0.0.0.0/0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[ENC] generating QUICK_MODE request 239751605 [ HASH SA No ID ID ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (172 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (84 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[ENC] parsed INFORMATIONAL_V1 request 2669190869 [ HASH N(NO_PROP) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] received NO_PROPOSAL_CHOSEN error notify
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[KNL] deleting SAD entry with SPI cc107754
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[KNL] deleted SAD entry with SPI cc107754
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (84 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] parsed INFORMATIONAL_V1 request 4133932276 [ HASH D ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received DELETE for IKE_SA asavpn[2]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] deleting IKE_SA asavpn[2] between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] deleting IKE_SA asavpn[2] between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] removing DNS server 172.51.2.50 from /etc/resolv.conf
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] removing DNS server 172.51.2.47 from /etc/resolv.conf

可能出了什么问题?

感谢您的帮助,我非常感激!

更新:

添加 vpnc.log(用于工作连接):https://pastebin.com/KDx3HTnC

答案1

vpnc在解析快速模式响应时,可以在客户端的调试日志中看到

PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 0020
t.number: 01
t.id: 0c (ISAKMP_IPSEC_ESP_AES)
t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
t.attributes.u.lots.length: 0004
t.attributes.u.lots.data: 0020c49b
t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
t.attributes.u.attr_16: 0003 (IPSEC_ENCAP_UDP_TUNNEL)
t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
t.attributes.u.attr_16: 0002 (IPSEC_AUTH_HMAC_SHA)
t.attributes.type: 0006 (ISAKMP_IPSEC_ATTRIB_KEY_LENGTH)
t.attributes.u.attr_16: 0100
DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)

服务器接受的提议实际上是使用 256 位密钥长度作为加密和使用 SHA-1 作为完整性算法的 AES。因此要使用与 strongSwan 配置相同的方法esp=aes256-sha1!

相关内容