How to fix a strongSwan IKEv1 connection problem: tunnel not established
I have installed strongSwan and want to establish a connection to a customer's site. All I know is that they have a Cisco router; I don't know how to configure strongSwan for it.
This is the documentation I got from them.
I tried the following configuration:
/etc/ipsec.conf
config setup
    charondebug="all"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn net-net
    left=%any
    leftsubnet=10.0.0.0/24
    leftid=144.0.0.0
    right=194.0.0.0
    rightsubnet=10.150.30.3/24
    rightid=194.0.0.0
    auto=add
    ike=aes256-sha1-modp1536!
    esp=aes256-sha1-modp1536!
/etc/ipsec.secrets
144.0.0.0 194.0.0.0 : PSK "1*************************************************************************************************************z"
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: wls5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e4:42:a6:2f:40:fe brd ff:ff:ff:ff:ff:ff
    altname wlp7s0
    inet 10.0.0.254/24 brd 10.0.0.255 scope global dynamic noprefixroute wls5
       valid_lft 55684sec preferred_lft 55684sec
    inet6 fe80::e642:a6ff:fe2f:40fe/64 scope link
       valid_lft forever preferred_lft forever
$ sudo ipsec up net-net
initiating Main Mode IKE_SA net-net[2] to 194.0.0.0
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.0.0.254[500] to 194.0.0.0[500] (180 bytes)
received packet: from 194.0.0.0[500] to 10.0.0.254[500] (104 bytes)
parsed ID_PROT response 0 [ SA V ]
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.0.0.254[500] to 194.0.0.0[500] (308 bytes)
received packet: from 194.0.0.0[500] to 10.0.0.254[500] (368 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received DPD vendor ID
received unknown vendor ID: bb:bd:c9:ec:02:e6:95:58:bf:67:ee:5a:86:fb:6d:47
received XAuth vendor ID
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.0.0.254[4500] to 194.0.0.0[4500] (108 bytes)
received packet: from 194.0.0.0[4500] to 10.0.0.254[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA net-net[2] established between 10.0.0.254[144.0.0.0]...194.0.0.0[194.0.0.0]
scheduling reauthentication in 3333s
maximum IKE_SA lifetime 3513s
generating QUICK_MODE request 3140082308 [ HASH SA No KE ID ID ]
sending packet: from 10.0.0.254[4500] to 194.0.0.0[4500] (380 bytes)
received packet: from 194.0.0.0[4500] to 10.0.0.254[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 2013420777 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'net-net' failed
$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.0, Linux 5.9.0-rc6-1-mainline, x86_64):
  uptime: 17 minutes, since Sep 22 11:33:56 2020
  malloc: sbrk 2945024, mmap 0, used 948128, free 1996896
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon ldap pkcs11 aesni aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ntru drbg newhope bliss curl mysql sqlite attr kernel-netlink resolve socket-default bypass-lan connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity counters
Listening IP addresses:
  10.0.0.254
Connections:
     net-net:  %any...194.0.0.0  IKEv1
     net-net:   local:  [144.0.0.0] uses pre-shared key authentication
     net-net:   remote: [194.0.0.0] uses pre-shared key authentication
     net-net:   child:  10.0.0.0/24 === 10.150.30.0/24 TUNNEL
Shunted Connections:
Bypass LAN 10.0.0.0/24:  10.0.0.0/24 === 10.0.0.0/24 PASS
Bypass LAN ::1/128:  ::1/128 === ::1/128 PASS
Bypass LAN fe80::/64:  fe80::/64 === fe80::/64 PASS
Security Associations (1 up, 0 connecting):
     net-net[2]: ESTABLISHED 2 minutes ago, 10.0.0.254[144.0.0.0]...194.0.0.0[194.0.0.0]
     net-net[2]: IKEv1 SPIs: 0e24f507_i* 4e78_r, pre-shared key reauthentication in 52 minutes
     net-net[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
With ipsec up I get the NO_PROPOSAL_CHOSEN error, but in statusall I have 1 connection established.
By the way: iptables is completely empty, I am just trying everything.
Shouldn't there be something like this in ipsec statusall?
  vpn-to-asa:   child:  192.168.2.0/24 === 192.168.1.0/24 TUNNEL, dpdaction=restart
  vpn-to-asa{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0d93265_i 599b4d60_o
  vpn-to-asa{2}:   192.168.2.0/24 === 192.168.1.0/24
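As an added diagnostic example (not code from the question or from strongSwan), the script below reads the `ipsec up` output quoted above and reports which IKEv1 phase the negotiation stopped in: Main Mode completed (which is why `statusall` shows the IKE_SA as ESTABLISHED with no child SA), and the NO_PROPOSAL_CHOSEN notify answered the Quick Mode request, so it is the Phase 2 (ESP) proposal the peer rejected; the KE payload in that request means the DH group in the esp= line is asking for PFS. It assumes Python 3; the sample log lines are constructed from the ones quoted in the question.

```python
import re

# Constructed sample: the key lines from the `ipsec up net-net` output quoted
# in the question above (not a live capture).
SAMPLE_LOG = """\
initiating Main Mode IKE_SA net-net[2] to 194.0.0.0
IKE_SA net-net[2] established between 10.0.0.254[144.0.0.0]...194.0.0.0[194.0.0.0]
generating QUICK_MODE request 3140082308 [ HASH SA No KE ID ID ]
parsed INFORMATIONAL_V1 request 2013420777 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'net-net' failed
"""

def esp_pfs_group(esp: str):
    """Return the DH group in an esp= proposal (it enables PFS), or None."""
    for tok in esp.rstrip("!").split("-"):
        if tok.startswith(("modp", "ecp", "curve25519", "curve448")):
            return tok
    return None

def triage_ikev1_log(log: str) -> dict:
    """Work out which IKEv1 phase a failed `ipsec up` stopped in."""
    r = {"phase1_established": False, "phase2_pfs_proposed": False,
         "phase2_error": None, "verdict": ""}
    in_quick_mode = False
    for line in log.splitlines():
        if re.search(r"IKE_SA \S+ established between", line):
            r["phase1_established"] = True  # Main Mode (ISAKMP SA) done
        m = re.search(r"generating QUICK_MODE request \d+ \[(.*)\]", line)
        if m:
            in_quick_mode = True
            # A KE payload in Quick Mode is the PFS Diffie-Hellman exchange.
            r["phase2_pfs_proposed"] = "KE" in m.group(1).split()
        m = re.search(r"received (\w+) error notify", line)
        if m and in_quick_mode:
            r["phase2_error"] = m.group(1)
    if not r["phase1_established"]:
        r["verdict"] = "Phase 1 failed: check ike= proposal, IDs and PSK"
    elif r["phase2_error"] == "NO_PROPOSAL_CHOSEN":
        pfs = " (KE payload sent, so PFS is required)" if r["phase2_pfs_proposed"] else ""
        r["verdict"] = ("Phase 1 OK; peer rejected the Quick Mode proposal: "
                        "compare esp= transforms, PFS%s and traffic selectors" % pfs)
    elif r["phase2_error"]:
        r["verdict"] = "Phase 2 error notify: " + r["phase2_error"]
    else:
        r["verdict"] = "no failure found in log"
    return r
```

Run `triage_ikev1_log(SAMPLE_LOG)["verdict"]` and `esp_pfs_group("aes256-sha1-modp1536!")` against the question's own config to see both findings together.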