Cannot get past "pending Phase 2" on an OpenSWAN to ISA Server IPSec VPN

Question

I'm having a lot of trouble configuring OpenSWAN on a Linux server (Ubuntu 12.04) to connect to an ISA Server 2004 IPSec VPN. There is obviously something wrong in the configuration, because the tunnel doesn't come up. It looks like some of my packets are being dropped somewhere? I'm really not sure.

The other side says there is nothing wrong in their logs. There is no firewall on my side. Here is the problematic part of /var/log/auth.log (a longer version follows below).

Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 29 17:28:12 P-INV-SD07 pluto[5821]: "myconn" #1: discarding duplicate packet; already STATE_MAIN_I3
Jan 29 17:28:34  pluto[5821]: last message repeated 3 times
Jan 29 17:28:42 P-INV-SD07 pluto[5821]: packet from <hispublicip>:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x8341092b
Jan 29 17:28:42 P-INV-SD07 pluto[5821]: "myconn" #1: discarding duplicate packet; already STATE_MAIN_I3

Below are the details of the setup, in case someone can help :) Thanks in advance!

Current configuration

I set up the connection with mostly default parameters on our side (I did try many other things, but nothing seemed to work any better):

conn myconn
    authby=secret
    type=tunnel
    left=<hispublic>
    leftsubnet=<hislanip>/32
    right=<mypublic>
    rightsubnet=<mylanip>/32
    auto=start

Output of ipsec auto status

000 "myconn": <mylanip>/32===<mypublicip><<mypublicip>>[+S=C]...<hispublicip><<hispublicip>>[+S=C]===<hislanip>/32; prospective erouted; eroute owner: #0
000 "myconn":     myip=unset; hisip=unset;
000 "myconn":   ike_life: 7200s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "myconn":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "myconn":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000
000 #2: "myconn":500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 18s; nodpd; idle; import:admin initiate
000 #2: pending Phase 2 for "myconn" replacing #0

Excerpt from /var/log/auth.log

Jan 29 17:28:11 P-INV-SD07 pluto[5821]: loading secrets from "/etc/ipsec.secrets"
Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: initiating Main Mode
Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: ignoring Vendor ID payload [FRAGMENTATION]
Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106
Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05
Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected
Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jan 29 17:28:12 P-INV-SD07 pluto[5821]: "myconn" #1: discarding duplicate packet; already STATE_MAIN_I3
Jan 29 17:28:34  pluto[5821]: last message repeated 3 times
Jan 29 17:28:42 P-INV-SD07 pluto[5821]: packet from <hispublicip>:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x8341092b
Jan 29 17:28:42 P-INV-SD07 pluto[5821]: "myconn" #1: discarding duplicate packet; already STATE_MAIN_I3

Here are the configuration options used on the ISA Server side:

  • Phase 1
    • Encryption: 3DES
    • Integrity: SHA1
    • DH group: Group 2
  • Phase 2
    • Encryption: 3DES
    • Integrity: SHA1
    • Generate a new key every 86400 seconds
    • Use PFS: yes (DH Group 2)

Update

I managed to run a packet sniffer on the OpenSWAN side and to enable Oakley logging on the ISA side. The capture shows pretty much what you would expect: the 3rd packet sent from the OpenSWAN side is rejected by the ISA server, and the ISA server keeps resending its 2nd packet because it thinks that packet was never acknowledged.

The error in the Oakley (ISA) log shows:

Receive: (get) SA = 0x00108cf0 from 50.57.73.135.500
2-07: 14:44:25:250:44b24 ISAKMP Header: (V1.0), len = 68
2-07: 14:44:25:250:44b24   I-COOKIE 8802248fab719171
2-07: 14:44:25:250:44b24   R-COOKIE 296787dc0ec4227a
2-07: 14:44:25:250:44b24   exchange: Oakley Main Mode
2-07: 14:44:25:250:44b24   flags: 1 ( encrypted )
2-07: 14:44:25:250:44b24   next payload: ID
2-07: 14:44:25:250:44b24   message ID: 00000000
2-07: 14:44:25:250:44b24 invalid payload received
2-07: 14:44:25:250:44b24 Preshared key ID.  Peer IP Address: <mypublicip>
2-07: 14:44:25:250:44b24 Source IP Address <hispublicip>  Source IP Address Mask 255.255.255.255  Destination IP Address <mypublicip>  Destination IP Address Mask 255.255.255.255  Protocol 0  Source Port 0  Destination Port 0  IKE Local Addr <hispublicip>  IKE Peer Addr <mypublicip>  IKE Source Port 500  IKE Destination Port 500  Peer Private Addr
2-07: 14:44:25:250:44b24 GetPacket failed 3613

So basically invalid payload received and then GetPacket failed 3613. This last error code doesn't turn up much on Google, apart from people saying they always get it and everything still works fine.

I gave up and we are setting up a local server instead, but I'm updating this for future reference in case someone has a clue, for the good of the Internet.
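The Oakley log above is rejecting the initiator's first encrypted Main Mode message. As an added example (not part of the original post, and not Openswan or ISA Server code), here is a small parser for the fixed ISAKMP header that rebuilds the header Oakley printed and classifies it. The sample packet is constructed from the values in that log (cookies, version 1.0, length 68, flags 1 = encrypted, next payload ID, message ID 0); the 40 encrypted bytes are replaced by zeros because the ciphertext is not on the page. One reading of the logs, added here as an interpretation rather than something the page proves: with pre-shared-key authentication SKEYID is prf(PSK, Ni_b | Nr_b) and the encryption key SKEYID_e is derived from it, so message 5 (Openswan's MI3) is the first point at which the responder actually uses the PSK. A responder holding a different key decrypts it into garbage, cannot parse the ID payload, and keeps retransmitting its own message 4, which is exactly the "discarding duplicate packet; already STATE_MAIN_I3" loop on the Openswan side and matches the PSK mismatch reported in the answer below.

```python
"""Decode the fixed ISAKMP header of an IKEv1 packet and say which Main Mode
message it is.  Added example for this page; not Openswan or ISA Server code."""
import struct

# RFC 2408 section 3.1 header, 28 bytes, network byte order:
# I-Cookie(8) R-Cookie(8) NextPayload(1) Version(1) ExchangeType(1) Flags(1) MessageID(4) Length(4)
HDR = struct.Struct("!8s8sBBBBII")

NEXT_PAYLOAD = {0: "NONE", 1: "SA", 2: "P", 3: "T", 4: "KE", 5: "ID", 6: "CERT",
                7: "CR", 8: "HASH", 9: "SIG", 10: "NONCE", 11: "N", 12: "D", 13: "VID"}
EXCHANGE = {1: "Base", 2: "Identity Protection (Main Mode)", 3: "Authentication Only",
            4: "Aggressive", 5: "Informational", 32: "Quick Mode"}
FLAG_ENCRYPTION = 0x01   # payloads after the header are encrypted under SKEYID_e


def parse_isakmp_header(pkt):
    """Return the header fields of pkt as a dict, or raise ValueError if malformed."""
    if len(pkt) < HDR.size:
        raise ValueError("packet too short for an ISAKMP header: %d bytes" % len(pkt))
    icookie, rcookie, npl, ver, exch, flags, msgid, length = HDR.unpack_from(pkt)
    if length != len(pkt):
        raise ValueError("length field %d does not match packet size %d" % (length, len(pkt)))
    return {
        "icookie": icookie.hex(),
        "rcookie": rcookie.hex(),
        "next_payload": NEXT_PAYLOAD.get(npl, "unknown(%d)" % npl),
        "version": "%d.%d" % (ver >> 4, ver & 0x0F),
        "exchange": exch,
        "exchange_name": EXCHANGE.get(exch, "unknown(%d)" % exch),
        "encrypted": bool(flags & FLAG_ENCRYPTION),
        "message_id": msgid,
        "length": length,
    }


def classify_main_mode(hdr):
    """Name the Main Mode message pair a header belongs to (RFC 2409 section 5.4, PSK).

    Messages 1/2 carry SA; 3/4 carry KE and NONCE; 5/6 carry ID and HASH and are the
    first ones sent encrypted.  Openswan calls the initiator's copies MI1, MI2, MI3."""
    if hdr["exchange"] != 2:
        return "not Main Mode"
    if hdr["message_id"] != 0:
        return "invalid: Main Mode (phase 1) always uses message ID 0"
    if hdr["next_payload"] == "SA" and not hdr["encrypted"]:
        return "MI1/MR1"
    if hdr["next_payload"] == "KE" and not hdr["encrypted"]:
        return "MI2/MR2"
    if hdr["next_payload"] == "ID" and hdr["encrypted"]:
        return "MI3/MR3"
    return "unexpected payload/flag combination"


# Constructed sample: the header the Oakley log above reports (cookies, V1.0,
# len 68, flags 1 = encrypted, next payload ID, message ID 0) followed by 40 zero
# bytes standing in for the ciphertext of IDii + HASH_I, which nobody can decode
# without the SKEYID_e derived from the pre-shared key.
SAMPLE_MI3 = HDR.pack(bytes.fromhex("8802248fab719171"), bytes.fromhex("296787dc0ec4227a"),
                      5, 0x10, 2, FLAG_ENCRYPTION, 0, 68) + bytes(40)


if __name__ == "__main__":
    hdr = parse_isakmp_header(SAMPLE_MI3)
    for k, v in hdr.items():
        print("%-14s %s" % (k, v))
    print("classified as:", classify_main_mode(hdr))
```

Running the block prints the decoded fields and classifies the packet as MI3/MR3. The header itself is never encrypted, so this check works on a raw capture of UDP/500 traffic without any keys; what it cannot tell you is whether the encrypted body is valid, which is precisely the part that depends on both sides holding the same pre-shared key.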

Answer 1

I ran into this in the last few days.

This was caused by two problems.

  1. Firewall
  2. Kernel IP forwarding disabled
  3. Pre-shared key mismatch

For the firewall, it turned out that ports 500 and 4500 were blocked. By running ipsec verify you can see whether 500 or 4500 is blocked.

/etc/sysctl.conf

Change it to:

net.ipv4.ip_forward = 1

Add:

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.em1.accept_redirects = 0
net.ipv4.conf.em1.send_redirects = 0

em1 is the network interface; yours may be eth0 or eth1.

Finally, in my case the pre-shared key in /etc/ipsec.d/ipsec.secrets was wrongly enclosed in double quotes ", which caused a pre-shared key mismatch.

Hope this helps someone.
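The forwarding and ICMP-redirect settings listed in the answer can be checked before reloading them. The following audit is an added example (not the answerer's code and not Openswan's ipsec verify): it parses a sysctl.conf-style text, compares it against the settings the answer lists for a given interface name, and returns what is missing or wrong. The sample configuration is constructed for the example. On a real host you would feed it the contents of /etc/sysctl.conf; note that it checks the file, not the running kernel, so the values still have to be applied with sysctl -p.

```python
"""Audit a sysctl.conf-style text for the forwarding and ICMP-redirect settings an
IPsec gateway needs.  Added example for this page; not Openswan's `ipsec verify`."""


def required_settings(iface):
    """The settings the answer above lists, keyed by sysctl name, for interface `iface`."""
    req = {"net.ipv4.ip_forward": "1"}
    for scope in ("all", "default", "lo", iface):
        req["net.ipv4.conf.%s.accept_redirects" % scope] = "0"
        req["net.ipv4.conf.%s.send_redirects" % scope] = "0"
    return req


def parse_sysctl(text):
    """Parse `key = value` lines; '#' starts a comment.  A later line overrides an
    earlier one, which is also how `sysctl -p` applies the file top to bottom."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def audit_sysctl(text, iface):
    """Return a list of human-readable problems; an empty list means every required
    setting is present with the expected value."""
    have = parse_sysctl(text)
    problems = []
    for key, want in sorted(required_settings(iface).items()):
        got = have.get(key)
        if got is None:
            problems.append("%s is not set (want %s)" % (key, want))
        elif got != want:
            problems.append("%s = %s (want %s)" % (key, got, want))
    return problems


def render_required(iface):
    """The lines to append to sysctl.conf so that audit_sysctl() is satisfied."""
    return "".join("%s = %s\n" % kv for kv in sorted(required_settings(iface).items()))


# Constructed sample: forwarding still commented out (as Ubuntu ships it), the
# interface-specific accept_redirects set to the wrong value and send_redirects missing.
SAMPLE_SYSCTL_CONF = """\
#net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.em1.accept_redirects = 1   # wrong value
"""

if __name__ == "__main__":
    for problem in audit_sysctl(SAMPLE_SYSCTL_CONF, "em1"):
        print("PROBLEM:", problem)
    print("append to /etc/sysctl.conf and run `sysctl -p`:")
    print(render_required("em1"), end="")
```

On the constructed sample the audit reports three problems: ip_forward not set, em1.accept_redirects set to 1, and em1.send_redirects missing. The redirect settings matter beyond tidiness: a gateway that honours ICMP redirects can have its route for the remote subnet steered away from the IPsec policy by an on-link attacker, and one that sends them leaks routing information about the tunnel.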
