主页 / server / 问题

问题[ikev1](server)

Martin Hope
xeyipes
Asked: 2020-11-23 05:18:42 +0800 CST
  • 0

出于测试目的,我想使用不需要任何身份验证的 IKEv1 或 v2(最好是 v2)设置 ipsec 隧道 - 所以只需使用协议就 ipsec 隧道的密钥达成一致并跳过身份验证。IKEv1 或 v2 协议是否支持这样的选项?如果是这样,我怎样才能在 strongswan 中启用它(我需要设置什么值leftauthrightauth启用它?)

ipsec strongswan ikev1 ikev2
Martin Hope
aucuparia
Asked: 2020-04-15 03:30:45 +0800 CST
  • 1

尝试对使用 NO_PROPOSAL_CHOSEN 无法完成第 2 阶段的 Strongswan 的 IPSec/IKEv1 VPN 连接进行故障排除。

我知道这个错误的解决方案几乎总是“仔细检查你的第 2 阶段提案”,但我 100% 确定 ESP 提案是正确的——它正在使用 NCP 安全入口客户端的 Windows 机器上运行(见下面的屏幕截图)。

这里我看到这个错误可能是由于不匹配的加密、身份验证、PFS 或偶尔的生命周期提议造成的。但我的是正确的。 还有什么会导致 NO_PROPOSAL_CHOSEN 的吗? (遗憾的是,我无法访问响应者,因此无法在那里检查日志或更改配置)。

ipsec.conf:

config setup
conn VDI
        left=%any
        leftauth=psk
        leftauth2=xauth
        leftid=userfqdn:VDI
        leftsourceip=%config
        right=163.x.y.z
        rightauth=psk
        aggressive=yes
        auto=add
        dpdaction=restart
        dpddelay=20s
        keyexchange=ikev1
        lifetime=8h
        ikelifetime=8h
        modeconfig=pull
        xauth_identity=DR400
        ike=aes256-sha1-modp2048
        esp=aes256-sha2_256-modp2048

ipsec.secrets:

: PSK "zzzzzzzzzzzzzz"
DR400 : XAUTH "xxxxxxxxxx"

卡龙输出:

~$ sudo ipsec up VDI
initiating Aggressive Mode IKE_SA VDI[1] to 163.x.y.z
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 192.168.1.214[500] to 163.x.y.z[500] (547 bytes)
received packet: from 163.x.y.z[500] to 192.168.1.214[500] (556 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID V V NAT-D NAT-D V V HASH ]
received DPD vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received XAuth vendor ID
received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4e:53:34:79:49:45:4a:4f:50:54:59:77:4f:54:59:79:4f:41:3d:3d
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (108 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (124 bytes)
parsed TRANSACTION request 3540227287 [ HASH CPRQ(X_USER X_PWD X_MSG) ]
XAuth message: Please Enter Your User Name and Password :
generating TRANSACTION response 3540227287 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (92 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (124 bytes)
parsed TRANSACTION request 3540227287 [ HASH CPS(ADDR MASK DNS DNS U_DEFDOM X_STATUS) ]
XAuth authentication of 'DR400' (myself) successful
IKE_SA VDI[1] established between 192.168.1.214[VDI]...163.x.y.z[163.x.y.z]
scheduling reauthentication in 27760s
maximum IKE_SA lifetime 28300s
generating TRANSACTION response 3540227287 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (76 bytes)
generating TRANSACTION request 4217090559 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (76 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (92 bytes)
parsed TRANSACTION response 4217090559 [ HASH CPRP(ADDR DNS DNS) ]
installing DNS server 10.132.0.10 via resolvconf
installing DNS server 10.132.0.11 via resolvconf
installing new virtual IP 192.168.246.61
generating QUICK_MODE request 167394241 [ HASH SA No KE ID ID ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (444 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 3483337871 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'VDI' failed

工作窗口连接: 来自工作 NCP Secure Entry Client 连接的配置屏幕截图

我尝试了其他各种 ESP 提案,结果相同,包括:

  • 没有esp=线
  • esp=aes256-sha2_256-modp2048!
  • esp=aes256-sha2_256
  • esp=aes256-sha2_256!
  • esp=aes256-sha1-modp2048

我也尝试过设置sha256_96 = yesipsec.conf但同样没有区别。

vpn ubuntu-18.04 strongswan ikev1
Martin Hope
aucuparia
Asked: 2020-04-14 23:15:24 +0800 CST
  • 1

尝试使用 Strongswan 连接到工作 VPN 并在日志中出现“选择的对等配置不可接受”错误,我无法在 Google 中找到任何信息:

~$ sudo ipsec up VDI
initiating Aggressive Mode IKE_SA VDI[1] to 163.x.y.z
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 192.168.1.214[500] to 163.x.y.z[500] (547 bytes)
received packet: from 163.x.y.z[500] to 192.168.1.214[500] (556 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID V V NAT-D NAT-D V V HASH ]
received DPD vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received XAuth vendor ID
received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4e:53:34:79:49:45:4a:4f:50:54:59:77:4f:54:59:79:4f:41:3d:3d
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (108 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (124 bytes)
parsed TRANSACTION request 3165206765 [ HASH CPRQ(X_USER X_PWD X_MSG) ]
XAuth message: Please Enter Your User Name and Password :
generating TRANSACTION response 3165206765 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (92 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (124 bytes)
parsed TRANSACTION request 3165206765 [ HASH CPS(ADDR MASK DNS DNS U_DEFDOM X_STATUS) ]
selected peer config 'VDI' inacceptable
no alternative config found
XAuth authentication of 'DR400' (myself) failed
IKE_SA VDI[1] established between 192.168.1.214[VDI]...163.x.y.z[163.x.y.z]
scheduling reauthentication in 28180s
maximum IKE_SA lifetime 28720s
generating TRANSACTION response 3165206765 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (76 bytes)
generating TRANSACTION request 2622082016 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (76 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (92 bytes)
parsed TRANSACTION response 2622082016 [ HASH CPRP(ADDR DNS DNS) ]
installing DNS server 10.132.0.10 via resolvconf
installing DNS server 10.132.0.11 via resolvconf
installing new virtual IP 192.168.246.108
generating QUICK_MODE request 1906245246 [ HASH SA No KE ID ID ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (444 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 3184934143 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'VDI' failed

ipsec.conf:

config setup
conn VDI
        left=%any
        leftauth=psk
        leftauth2=xauth
        leftid=userfqdn:VDI
        leftsourceip=%config
        right=163.x.y.z
        rightauth=psk
        rightauth2=xauth
        aggressive=yes
        auto=add
        dpdaction=restart
        dpddelay=20s
        keyexchange=ikev1
        lifetime=8h
        ikelifetime=8h
        modeconfig=pull
        xauth_identity=DR400
        ike=aes256-sha1-modp2048
        esp=aes256-sha2_256-modp2048

ipsec.secret:

: PSK "zzzzzzzzzzzzzz"
DR400 : XAUTH "xxxxxxxxxx"

在我看来,第 1 阶段是成功的,但是我不明白为什么我在第 2 阶段得到 NO_PROPOSAL_CHOSEN。我 100% 确定 esp 提案和生命周期是正确的(它们在 Windows 机器上从不同的 VPN 客户端工作) .

但我真的不明白这些线:

selected peer config 'VDI' inacceptable
no alternative config found
XAuth authentication of 'DR400' (myself) failed

如果 XAuth 密码实际上是错误的,响应者会发送XAuth message: User Authentication Failed ! Try Again. 什么可能导致“选定的对等配置不可接受”和这种早期的 XAuth 失败?

vpn ubuntu-18.04 strongswan ikev1 xauth