Strongswan IKE phase 1 fails: "deleting IKE_SA"


I am trying to establish an IPsec tunnel between my Strongswan cloud instance and a Cisco CSR 1000V at an ISP.

According to the parameter sheet I was given, I have to configure the following:

Phase 1
  Authentication method: PSK
  Encryption scheme: IKEv1
  DH group: Group 2
  Encryption algorithm: AES-256
  Hash algorithm: SHA1
  Main or aggressive: Main
  Lifetime (for renegotiation): 28800

Phase 2
  ESP/AH: ESP
  Encryption: AES-256
  Authentication algorithm: SHA1
  PFS: Group 2 (no PFS)
  Lifetime (for renegotiation): 3600
  Lifetime size in KB (for renegotiation): not used

Here is my ipsec.conf configuration:

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
#       strictcrlpolicy=yes
        charondebug="ike 1, knl 1, cfg 0"
        uniqueids=no
# Add connections here.

# Sample VPN connections
conn c2c-vpn
        type=tunnel
        keyexchange=ikev1
        left=X.X.X.X
        leftid=X.X.X.X 
        leftsubnet=172.31.8.0/24
        leftauth=secret
        leftfirewall=no
        right=Y.Y.Y.Y
        rightid=Y.Y.Y.Y
        rightsubnet=10.0.0.0/16
        rightauth=secret
        rightfirewall=yes
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1
        aggressive=no
        fragmentation=yes
        ikelifetime=288000s
        lifetime=3600s
        keyingtries=%forever
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
        auto=start

X.X.X.X is the public IP on my side and Y.Y.Y.Y is the public IP on the other side. (I know the key I'm using is weak, but for now I just want the tunnel to come up.)

Here is my ipsec.secrets:

X.X.X.X Y.Y.Y.Y : PSK "<MyPSK>"

I'm not sure whether it matters, but here is strongswan.conf:

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        max_ikev1_exchanges=100
}

And here is the corresponding charon log after I restarted ipsec:

Jul 04 17:23:49 uvmuk charon[14906]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jul 04 17:23:49 uvmuk charon[14906]: 00[JOB] spawning 16 worker threads
Jul 04 17:23:49 uvmuk ipsec_starter[14905]: charon (14906) started after 40 ms
Jul 04 17:23:49 uvmuk charon[14906]: 07[IKE] initiating Main Mode IKE_SA mpt-to-melo-vpn[1] to Y.Y.Y.Y
Jul 04 17:23:49 uvmuk charon[14906]: 07[IKE] initiating Main Mode IKE_SA mpt-to-melo-vpn[1] to Y.Y.Y.Y
Jul 04 17:23:49 uvmuk charon[14906]: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Jul 04 17:23:49 uvmuk charon[14906]: 07[NET] sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (184 bytes)
Jul 04 17:23:49 uvmuk charon[14906]: 09[NET] received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (108 bytes)
Jul 04 17:23:49 uvmuk charon[14906]: 09[ENC] parsed ID_PROT response 0 [ SA V ]
Jul 04 17:23:49 uvmuk charon[14906]: 09[IKE] received NAT-T (RFC 3947) vendor ID
Jul 04 17:23:49 uvmuk charon[14906]: 09[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jul 04 17:23:49 uvmuk charon[14906]: 09[NET] sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (244 bytes)
Jul 04 17:23:49 uvmuk charon[14906]: 10[NET] received packet: from Y.Y.Y.Y[500] to X.X.X.X[500] (304 bytes)
Jul 04 17:23:49 uvmuk charon[14906]: 10[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Jul 04 17:23:49 uvmuk charon[14906]: 10[IKE] received Cisco Unity vendor ID
Jul 04 17:23:49 uvmuk charon[14906]: 10[IKE] received DPD vendor ID
Jul 04 17:23:49 uvmuk charon[14906]: 10[ENC] received unknown vendor ID: 41:45:bc:50:b1:fa:91:a8:72:57:6f:4e:4e:e2:17:29
Jul 04 17:23:49 uvmuk charon[14906]: 10[IKE] received XAuth vendor ID
Jul 04 17:23:49 uvmuk charon[14906]: 10[IKE] remote host is behind NAT
Jul 04 17:23:49 uvmuk charon[14906]: 10[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jul 04 17:23:49 uvmuk charon[14906]: 10[NET] sending packet: from X.X.X.X[4500] to Y.Y.Y.Y[4500] (108 bytes)
Jul 04 17:23:49 uvmuk charon[14906]: 11[NET] received packet: from Y.Y.Y.Y[4500] to X.X.X.X[4500] (92 bytes)
Jul 04 17:23:49 uvmuk charon[14906]: 11[ENC] invalid HASH_V1 payload length, decryption failed?
Jul 04 17:23:49 uvmuk charon[14906]: 11[ENC] could not decrypt payloads
Jul 04 17:23:49 uvmuk charon[14906]: 11[IKE] message parsing failed
Jul 04 17:23:49 uvmuk charon[14906]: 11[IKE] ignore malformed INFORMATIONAL request
Jul 04 17:23:49 uvmuk charon[14906]: 11[IKE] INFORMATIONAL_V1 request with message ID 4053640584 processing failed
Jul 04 17:23:49 uvmuk charon[14906]: 12[NET] received packet: from Y.Y.Y.Y[4500] to X.X.X.X[4500] (76 bytes)
Jul 04 17:23:49 uvmuk charon[14906]: 12[ENC] parsed ID_PROT response 0 [ ID HASH ]
Jul 04 17:23:49 uvmuk charon[14906]: 12[IKE] IDir '10.0.1.189' does not match to 'Y.Y.Y.Y'
Jul 04 17:23:49 uvmuk charon[14906]: 12[IKE] deleting IKE_SA c2c-vpn[1] between X.X.X.X[X.X.X.X]...Y.Y.Y.Y[%any]
Jul 04 17:23:49 uvmuk charon[14906]: 12[IKE] deleting IKE_SA c2c-vpn[1] between X.X.X.X[X.X.X.X]...Y.Y.Y.Y[%any]
Jul 04 17:23:49 uvmuk charon[14906]: 12[IKE] sending DELETE for IKE_SA c2c-vpn[1]
Jul 04 17:23:49 uvmuk charon[14906]: 12[ENC] generating INFORMATIONAL_V1 request 4232678559 [ HASH D ]
Jul 04 17:23:49 uvmuk charon[14906]: 12[NET] sending packet: from X.X.X.X[4500] to Y.Y.Y.Y[4500] (92 bytes)

I'm not very familiar with strongSwan and IPsec configuration yet, but I'm sure the phase 1 tunnel is not being established, because of the "deleting IKE_SA" lines. I've tried searching several forums for a solution, hoping someone has run into the same problem, but I'm stuck. Help.

Answer 1

This part:

Jul 04 17:23:49 uvmuk charon[14906]: 11[ENC] invalid HASH_V1 payload length, decryption failed?
Jul 04 17:23:49 uvmuk charon[14906]: 11[ENC] could not decrypt payloads
Jul 04 17:23:49 uvmuk charon[14906]: 11[IKE] message parsing failed
Jul 04 17:23:49 uvmuk charon[14906]: 11[IKE] ignore malformed INFORMATIONAL request

Something is clearly wrong. 95% chance the PSKs on the two ends are not the same (decryption failed, could not decrypt payloads).
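As an added worked example (not code from the question or the answer), the following Python script walks the charon log lines quoted in the question and reports the Phase 1 signals in the order they appear: the INFORMATIONAL message that could not be decrypted, the Main Mode [ ID HASH ] response that was parsed, the IDir mismatch between the identity the peer sent (10.0.1.189) and the configured rightid (Y.Y.Y.Y), and the IKE_SA deletion. It also compares the conn's lifetimes with the ISP parameter sheet from the question, which flags ikelifetime=288000s against the sheet's 28800. The log and conn excerpts are embedded from the page; the function names, the ISP_SHEET mapping and the hint wording are this example's own assumptions.

```python
import re

# Charon log lines quoted in the question (X.X.X.X / Y.Y.Y.Y are the poster's
# redactions of the two public addresses), embedded so the script runs offline.
CHARON_LOG = """\
Jul 04 17:23:49 uvmuk charon[14906]: 07[IKE] initiating Main Mode IKE_SA mpt-to-melo-vpn[1] to Y.Y.Y.Y
Jul 04 17:23:49 uvmuk charon[14906]: 09[ENC] parsed ID_PROT response 0 [ SA V ]
Jul 04 17:23:49 uvmuk charon[14906]: 10[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Jul 04 17:23:49 uvmuk charon[14906]: 10[IKE] remote host is behind NAT
Jul 04 17:23:49 uvmuk charon[14906]: 11[ENC] invalid HASH_V1 payload length, decryption failed?
Jul 04 17:23:49 uvmuk charon[14906]: 11[ENC] could not decrypt payloads
Jul 04 17:23:49 uvmuk charon[14906]: 11[IKE] ignore malformed INFORMATIONAL request
Jul 04 17:23:49 uvmuk charon[14906]: 12[ENC] parsed ID_PROT response 0 [ ID HASH ]
Jul 04 17:23:49 uvmuk charon[14906]: 12[IKE] IDir '10.0.1.189' does not match to 'Y.Y.Y.Y'
Jul 04 17:23:49 uvmuk charon[14906]: 12[IKE] deleting IKE_SA c2c-vpn[1] between X.X.X.X[X.X.X.X]...Y.Y.Y.Y[%any]
"""

# The conn block from the question's ipsec.conf, reduced to the keys checked below.
IPSEC_CONF = """\
conn c2c-vpn
        keyexchange=ikev1
        rightid=Y.Y.Y.Y
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1
        ikelifetime=288000s
        lifetime=3600s
"""

# Phase 1 / Phase 2 lifetimes from the ISP parameter sheet in the question (seconds).
ISP_SHEET = {"ikelifetime": 28800, "lifetime": 3600}

LINE_RE = re.compile(r"charon\[\d+\]: (?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$")
PAYLOADS_RE = re.compile(r"parsed (?P<exch>\w+) response \d+ \[ (?P<payloads>[^\]]*)\]")
IDIR_RE = re.compile(r"IDir '(?P<got>[^']+)' does not match to '(?P<want>[^']+)'")
DELETE_RE = re.compile(r"deleting IKE_SA (?P<conn>\S+)\[\d+\]")


def triage_log(text):
    """Walk the log once and collect the Phase 1 signals worth acting on."""
    f = {"identity_response_parsed": False, "decrypt_failures": 0,
         "peer_behind_nat": False, "idir_mismatch": None, "ike_sa_deleted": None}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        msg = m.group("msg")
        p = PAYLOADS_RE.search(msg)
        # Main Mode message 6 carries [ ID HASH ]; it is encrypted, so a parse means decryption worked.
        if p and p.group("exch") == "ID_PROT" and "ID" in p.group("payloads").split():
            f["identity_response_parsed"] = True
        if "could not decrypt payloads" in msg:
            f["decrypt_failures"] += 1
        if "remote host is behind NAT" in msg:
            f["peer_behind_nat"] = True
        i = IDIR_RE.search(msg)
        if i:
            f["idir_mismatch"] = (i.group("got"), i.group("want"))
        d = DELETE_RE.search(msg)
        if d and f["ike_sa_deleted"] is None:
            f["ike_sa_deleted"] = d.group("conn")
    return f


def explain(f):
    """Turn the collected signals into the checks a practitioner would run, in log order."""
    hints = []
    if f["decrypt_failures"]:
        hints.append("A message arrived that charon could not decrypt; with PSK authentication "
                     "that is classically a PSK mismatch, so compare ipsec.secrets with the peer's key.")
    if f["identity_response_parsed"]:
        hints.append("The Main Mode [ ID HASH ] response was decrypted and parsed, so the PSK-derived "
                     "keys worked for that message; look at the identity check next.")
    if f["idir_mismatch"]:
        got, want = f["idir_mismatch"]
        nat = " (the peer is behind NAT and presents a private address)" if f["peer_behind_nat"] else ""
        hints.append(f"The peer identified itself as {got} but rightid expects {want}{nat}; "
                     f"set rightid={got} (or rightid=%any) so the identity matches what is sent.")
    if f["ike_sa_deleted"]:
        hints.append(f"IKE_SA for conn {f['ike_sa_deleted']} was deleted, i.e. Phase 1 never completed.")
    return hints


def parse_conn(conf_text, name):
    """Return the key=value settings of one conn section of ipsec.conf."""
    settings, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            inside = line.split(None, 1)[1] == name
            continue
        if inside and "=" in line and not line.startswith("#"):
            k, v = line.split("=", 1)
            settings[k.strip()] = v.strip()
    return settings


def seconds(value):
    """ipsec.conf lifetimes accept s/m/h/d suffixes; a plain number is seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    return int(value[:-1]) * units[value[-1]] if value[-1] in units else int(value)


def check_against_sheet(settings, sheet):
    """List every lifetime in the conn that differs from the parameter sheet."""
    problems = []
    for key, expected in sheet.items():
        if seconds(settings[key]) != expected:
            problems.append(f"{key}={settings[key]} but the parameter sheet says {expected}s")
    return problems


if __name__ == "__main__":
    for hint in explain(triage_log(CHARON_LOG)):
        print("-", hint)
    for problem in check_against_sheet(parse_conn(IPSEC_CONF, "c2c-vpn"), ISP_SHEET):
        print("-", problem)
```

triage_log only keys on the text after the `charon[pid]:` prefix, so the same function can be fed lines taken from syslog or journalctl regardless of the timestamp format in front of them.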
