
Strongswan IKEv1 connection problem: tunnel not established

How to fix a Strongswan IKEv1 connection problem where the tunnel is not established

I have installed Strongswan and want to establish a connection to a customer site. All I know is that they have a Cisco router, and I don't know how to configure Strongswan for it.

[image: the document provided by the customer]

This is the documentation I got from them.

I tried the following configuration:

/etc/ipsec.conf

config setup
    charondebug="all"

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret
    
conn net-net
    left=%any
    leftsubnet=10.0.0.0/24
    leftid=144.0.0.0
    right=194.0.0.0
    rightsubnet=10.150.30.3/24
    rightid=194.0.0.0
    auto=add
    ike=aes256-sha1-modp1536!
    esp=aes256-sha1-modp1536! 

/etc/ipsec.secrets

144.0.0.0 194.0.0.0 : PSK "1*************************************************************************************************************z"
> $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: wls5: <BROADCAST,MULTICAST,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether e4:42:a6:2f:40:fe brd ff:ff:ff:ff:ff:ff
    altname wlp7s0
    inet 10.0.0.254/24 brd 10.0.0.255 scope global dynamic noprefixroute wls5
       valid_lft 55684sec preferred_lft 55684sec
    inet6 fe80::e642:a6ff:fe2f:40fe/64 scope link 
       valid_lft forever preferred_lft forever
> $ sudo ipsec up net-net
initiating Main Mode IKE_SA net-net[2] to 194.0.0.0
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.0.0.254[500] to 194.0.0.0[500] (180 bytes)
received packet: from 194.0.0.0[500] to 10.0.0.254[500] (104 bytes)
parsed ID_PROT response 0 [ SA V ]
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.0.0.254[500] to 194.0.0.0[500] (308 bytes)
received packet: from 194.0.0.0[500] to 10.0.0.254[500] (368 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received DPD vendor ID
received unknown vendor ID: bb:bd:c9:ec:02:e6:95:58:bf:67:ee:5a:86:fb:6d:47
received XAuth vendor ID
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.0.0.254[4500] to 194.0.0.0[4500] (108 bytes)
received packet: from 194.0.0.0[4500] to 10.0.0.254[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA net-net[2] established between 10.0.0.254[144.0.0.0]...194.0.0.0[194.0.0.0]
scheduling reauthentication in 3333s
maximum IKE_SA lifetime 3513s
generating QUICK_MODE request 3140082308 [ HASH SA No KE ID ID ]
sending packet: from 10.0.0.254[4500] to 194.0.0.0[4500] (380 bytes)
received packet: from 194.0.0.0[4500] to 10.0.0.254[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 2013420777 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'net-net' failed
> $ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.0, Linux 5.9.0-rc6-1-mainline, x86_64):
  uptime: 17 minutes, since Sep 22 11:33:56 2020
  malloc: sbrk 2945024, mmap 0, used 948128, free 1996896
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon ldap pkcs11 aesni aes des rc2 sha2 sha3 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ntru drbg newhope bliss curl mysql sqlite attr kernel-netlink resolve socket-default bypass-lan connmark forecast farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp radattr unity counters
Listening IP addresses:
  10.0.0.254
Connections:
     net-net:  %any...194.0.0.0  IKEv1
     net-net:   local:  [144.0.0.0] uses pre-shared key authentication
     net-net:   remote: [194.0.0.0] uses pre-shared key authentication
     net-net:   child:  10.0.0.0/24 === 10.150.30.0/24 TUNNEL
Shunted Connections:
Bypass LAN 10.0.0.0/24:  10.0.0.0/24 === 10.0.0.0/24 PASS
Bypass LAN ::1/128:  ::1/128 === ::1/128 PASS
Bypass LAN fe80::/64:  fe80::/64 === fe80::/64 PASS
Security Associations (1 up, 0 connecting):
     net-net[2]: ESTABLISHED 2 minutes ago, 10.0.0.254[144.0.0.0]...194.0.0.0[194.0.0.0]
     net-net[2]: IKEv1 SPIs: 0e24f507_i* 4e78_r, pre-shared key reauthentication in 52 minutes
     net-net[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536

On `ipsec up` I get the NO_PROPOSAL_CHOSEN error, but in statusall I have 1 connection established.

By the way: IPTABLES is completely empty, I have just been trying everything.

Shouldn't there be something like this in `ipsec statusall`?

vpn-to-asa: child: 192.168.2.0/24 === 192.168.1.0/24 TUNNEL, dpdaction=restart
vpn-to-asa{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0d93265_i 599b4d60_o
vpn-to-asa{2}: 192.168.2.0/24 === 192.168.1.0/24
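As an added example (not part of the post and not strongSwan's own code), the following Python script reads the `ipsec up` transcript and the `ipsec statusall` output quoted above and makes explicit what the logs already show: Phase 1 (Main Mode) completed, which is why statusall lists an ESTABLISHED IKE_SA, but Phase 2 (Quick Mode) was answered with NO_PROPOSAL_CHOSEN, so no `name{n}: INSTALLED` CHILD_SA line appears and no traffic can flow. The sample strings are copied from the post (abridged). The hints returned by `diagnose()` are general IKEv1 behaviour (a KE payload in the Quick Mode request means PFS is being requested; a Quick Mode rejection means the ESP transforms, the PFS group or the traffic selectors do not match what the peer accepts) and are not a claim about how the customer's Cisco is actually configured.

```python
import re

# Sample inputs copied from the post above (abridged to the lines that matter).
SAMPLE_UP_LOG = """\
initiating Main Mode IKE_SA net-net[2] to 194.0.0.0
selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
IKE_SA net-net[2] established between 10.0.0.254[144.0.0.0]...194.0.0.0[194.0.0.0]
generating QUICK_MODE request 3140082308 [ HASH SA No KE ID ID ]
parsed INFORMATIONAL_V1 request 2013420777 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'net-net' failed
"""

SAMPLE_STATUSALL = """\
Security Associations (1 up, 0 connecting):
     net-net[2]: ESTABLISHED 2 minutes ago, 10.0.0.254[144.0.0.0]...194.0.0.0[194.0.0.0]
     net-net[2]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
"""

# What statusall looks like once Quick Mode succeeded (the snippet quoted at the end of the post).
SAMPLE_STATUSALL_OK = """\
     vpn-to-asa{2}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0d93265_i 599b4d60_o
     vpn-to-asa{2}: 192.168.2.0/24 === 192.168.1.0/24
"""

DH_PREFIXES = ("modp", "ecp", "curve25519", "curve448", "x25519", "x448")


def parse_proposal(spec):
    """Split an ike=/esp= string such as 'aes256-sha1-modp1536!' into its parts.
    A DH group inside esp= turns on PFS for Quick Mode; a trailing '!' makes the list strict."""
    algs = spec.rstrip("!").split("-")
    dh = [a for a in algs if a.startswith(DH_PREFIXES)]
    return {"algorithms": algs, "dh_groups": dh,
            "strict": spec.endswith("!"), "pfs": bool(dh)}


def classify_ikev1_log(log):
    """Walk charon's `ipsec up` output and record how far the IKEv1 exchange got."""
    r = {"phase1": "not attempted", "phase2": "not attempted",
         "ike_proposal": None, "quick_mode_has_ke": False, "error": None}
    for line in log.splitlines():
        m = re.search(r"selected proposal: IKE:(\S+)", line)
        if m:
            r["ike_proposal"] = m.group(1)
        if "IKE_SA" in line and "established" in line:
            r["phase1"] = "established"               # Main Mode finished
        if "generating QUICK_MODE request" in line:
            r["phase2"] = "proposed"                  # Phase 2 proposal sent
            r["quick_mode_has_ke"] = " KE " in line   # KE payload => PFS requested
        if "CHILD_SA" in line and "established" in line:
            r["phase2"] = "established"               # Quick Mode finished
        m = re.search(r"received (\S+) error notify", line)
        if m:
            r["error"] = m.group(1)
            if r["phase2"] == "proposed":
                r["phase2"] = "rejected"
            elif r["phase1"] != "established":
                r["phase1"] = "rejected"
    return r


def has_child_sa(statusall):
    """True if `ipsec statusall` lists an installed CHILD_SA ('name{n}: INSTALLED')."""
    return re.search(r"\{\d+\}:\s+INSTALLED", statusall) is not None


def diagnose(up_log, esp_spec):
    """Turn the log classification into a one-line verdict and what to compare with the peer next."""
    r = classify_ikev1_log(up_log)
    p = parse_proposal(esp_spec)
    if r["phase1"] != "established":
        return "phase 1 failed (%s): compare ike= proposal, IDs and PSK" % r["error"]
    if r["phase2"] == "established":
        return "tunnel up"
    if r["phase2"] == "rejected":
        hints = ["ESP transforms"]
        if r["quick_mode_has_ke"] or p["pfs"]:
            hints.append("PFS group (%s)" % ", ".join(p["dh_groups"] or ["unknown"]))
        hints.append("traffic selectors (leftsubnet/rightsubnet vs the peer's crypto ACL)")
        return ("phase 1 up, phase 2 rejected with %s: compare " % r["error"]) + "; ".join(hints)
    return "phase 1 up, phase 2 %s" % r["phase2"]


if __name__ == "__main__":
    print(diagnose(SAMPLE_UP_LOG, "aes256-sha1-modp1536!"))
    print("CHILD_SA in statusall:", has_child_sa(SAMPLE_STATUSALL))
```

Run as-is it reports the post's situation (Phase 1 up, Phase 2 rejected, compare ESP transforms, the modp1536 PFS group and the traffic selectors); to use it on another box, paste that box's `ipsec up` and `ipsec statusall` output into the two sample strings.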
