Questions [openswan] (server)

Martin Hope
DoRe
Asked: 2020-08-08 05:52:21 +0800 CST

UDP packets seem to get lost in the IPsec tunnel from strongSwan to the AWS cloud - the connection works with Openswan

  • 0

Use case: IoT devices connected through the AWS cloud

The IoT devices sit behind a router that sends all traffic through the AWS cloud.

The IoT server cannot be configured and is therefore not part of the AWS cloud.

For configuration, the IoT device needs to receive a UDP packet on port xxxxx to establish a management connection. This UDP packet cannot be sent directly to the AWS cloud.

Therefore we need a communication server that routes the UDP packet:

Setup

Routing on the IoT server cannot be configured, so the UDP packet needs to be sent to zz.zz.zz.zz

The communication server runs Debian 10 with strongSwan

ipsec.conf:

conn %default
    mobike=no
    compress=no
    authby=secret
    keyexchange=ike
    ike=aes128-sha1-modp1024!
    ikelifetime=8h
    esp=aes128-sha1-modp1024!
    lifetime=1h
    rekeymargin=3m
    keyingtries=%forever
    installpolicy=yes
    dpdaction=restart
    type=tunnel

conn dc-aws1
    leftsubnet=zz.zz.zz.zz #local subnet
    right=vv.vv.vv.vv # AWS Gateway Public IP
    rightsubnet=xx.xx.0.0/16 #remote subnet
    auto=start


include /var/lib/strongswan/ipsec.conf.inc

The following part of the connection works: standard operation works fine.

The IPsec connection is up (as expected):

sudo ipsec status
Security Associations (1 up, 0 connecting):
     dc-aws1[3]: ESTABLISHED 11 seconds ago, zz.zz.zz.zz[zz.zz.zz.zz]...vv.vv.vv.vv[vv.vv.vv.vv]
     dc-aws1{16}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: cd6dfea5_i 401dc4d5_o
     dc-aws1{16}:   zz.zz.zz.zz/32 === xx.xx.0.0/16
     dc-aws1{17}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: c2507a98_i 9d083aa4_o
     dc-aws1{17}:   zz.zz.zz.zz/32 === xx.xx.0.0/16


sudo ip xfrm policy show

src zz.zz.zz.zz/32 dst xx.xx.0.0/16
dir out priority 375423 ptype main
tmpl src zz.zz.zz.zz dst vv.vv.vv.vv
proto esp spi 0x9d083aa4 reqid 2 mode tunnel
src xx.xx.0.0/16 dst zz.zz.zz.zz/32
dir fwd priority 375423 ptype main
tmpl src vv.vv.vv.vv dst zz.zz.zz.zz
proto esp reqid 2 mode tunnel
src xx.xx.0.0/16 dst zz.zz.zz.zz/32
dir in priority 375423 ptype main
tmpl src vv.vv.vv.vv dst zz.zz.zz.zz
proto esp reqid 2 mode tunnel

Ping works through the VPN connection between the router and the communication server.

Traceroute also works when using ICMP packets.

To forward the UDP packets to the IoT device, network address translation with iptables is used

iptables -t nat -I PREROUTING -p udp -s yy.yy.yy.yy --dport xxxxx -j DNAT --to xx.xx.xx.xx

The xfrm policy does not apply if the source is yy.yy.yy.yy, so source network address translation is also used

iptables -t nat -I POSTROUTING -p udp -s yy.yy.yy.yy --dport xxxxx -j SNAT --to-source zz.zz.zz.zz

A forwarding rule is also needed

iptables -I FORWARD -p udp -d xx.xx.xx.xx --dport xxxxx -j ACCEPT

tcpdump shows that the UDP packets arrive and are forwarded (in between are the keepalive messages for the VPN connection):

sudo tcpdump -n -i any host vv.vv.vv.vv or port xxxxx
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
08:22:48.520734 IP zz.zz.zz.zz.4500 > vv.vv.vv.vv.4500: NONESP-encap: isakmp: child_sa inf2[I]
08:22:48.535700 IP vv.vv.vv.vv.4500 > zz.zz.zz.zz.4500: NONESP-encap: isakmp: child_sa inf2[R]
08:22:56.717778 IP yy.yy.yy.yy.54278 > zz.zz.zz.zz.xxxxx: UDP, length 108
08:22:56.717908 IP zz.zz.zz.zz.4500 > vv.vv.vv.vv.4500: UDP-encap: ESP(spi=0x81f1d489,seq=0x1), length 180
08:23:06.344622 IP yy.yy.yy.yy.46955 > zz.zz.zz.zz.xxxxx: UDP, length 108
08:23:06.344749 IP zz.zz.zz.zz.4500 > vv.vv.vv.vv.4500: UDP-encap: ESP(spi=0x81f1d489,seq=0x2), length 180
08:23:10.797048 IP yy.yy.yy.yy.33667 > zz.zz.zz.zz.xxxxx: UDP, length 108
08:23:10.797247 IP zz.zz.zz.zz.4500 > vv.vv.vv.vv.4500: UDP-encap: ESP(spi=0x81f1d489,seq=0x3), length 180
08:23:18.521104 IP zz.zz.zz.zz.4500 > vv.vv.vv.vv.4500: NONESP-encap: isakmp: child_sa inf2[I]
08:23:18.536895 IP vv.vv.vv.vv.4500 > zz.zz.zz.zz.4500: NONESP-encap: isakmp: child_sa inf2[R]
08:23:25.423142 IP yy.yy.yy.yy.40703 > zz.zz.zz.zz.xxxxx: UDP, length 108
08:23:25.423271 IP zz.zz.zz.zz.4500 > vv.vv.vv.vv.4500: UDP-encap: ESP(spi=0x81f1d489,seq=0x4), length 180
08:23:31.756269 IP yy.yy.yy.yy.58584 > zz.zz.zz.zz.xxxxx: UDP, length 108
08:23:31.756378 IP zz.zz.zz.zz.4500 > vv.vv.vv.vv.4500: UDP-encap: ESP(spi=0x81f1d489,seq=0x5), length 180
^C
14 packets captured
14 packets received by filter
0 packets dropped by kernel

What does not work:

However, the UDP packets seem to get lost. In the AWS logs, no traffic is visible in the tunnel. Also, no packets arrive at the router.

Traceroute with UDP and TCP packets does not work.

The problem can be reproduced by running netcat in listening mode on the communication server and connecting to it from behind the router. In the tcpdump, the SYN packets arrive and a response seems to be sent, but no traffic from the communication server arrives in the AWS cloud. tcpdump from the communication server for this test:

11:35:06.597736 IP vv.vv.vv.vv.4500 > zz.zz.zz.zz.4500: UDP-encap: ESP(spi=0xcb99370a,seq=0x1), length 100
11:35:06.597736 IP xx.xx.xx.xx.49768 > zz.zz.zz.zz.15952: Flags [S], seq 101710370, win 64240, options [mss 1350,sackOK,TS val 2355221232 ecr 0,nop,wscale 7], length 0
11:35:06.598157 IP zz.zz.zz.zz.4500 > vv.vv.vv.vv.4500: UDP-encap: ESP(spi=0x9a2c6938,seq=0xb), length 100
11:35:07.534252 IP vv.vv.vv.vv.4500 > zz.zz.zz.zz.4500: UDP-encap: ESP(spi=0xcb99370a,seq=0x2), length 100
11:35:07.534252 IP xx.xx.xx.xx.49768 > zz.zz.zz.zz.15952: Flags [S], seq 101710370, win 64240, options [mss 1350,sackOK,TS val 2355222233 ecr 0,nop,wscale 7], length 0
11:35:07.534445 IP zz.zz.zz.zz.4500 > vv.vv.vv.vv.4500: UDP-encap: ESP(spi=0x9a2c6938,seq=0xc), length 100
11:35:08.561060 IP zz.zz.zz.zz.4500 > vv.vv.vv.vv.4500: UDP-encap: ESP(spi=0x9a2c6938,seq=0xd), length 100
11:35:09.559712 IP vv.vv.vv.vv.4500 > zz.zz.zz.zz.4500: UDP-encap: ESP(spi=0xcb99370a,seq=0x3), length 100
11:35:09.559712 IP xx.xx.xx.xx.49768 > zz.zz.zz.zz.15952: Flags [S], seq 101710370, win 64240, options [mss 1350,sackOK,TS val 2355224249 ecr 0,nop,wscale 7], length 0
11:35:09.559908 IP zz.zz.zz.zz.4500 > vv.vv.vv.vv.4500: UDP-encap: ESP(spi=0x9a2c6938,seq=0xe), length 100
11:35:11.569079 IP zz.zz.zz.zz.4500 > vv.vv.vv.vv.4500: UDP-encap: ESP(spi=0x9a2c6938,seq=0xf), length 100
11:35:13.672232 IP vv.vv.vv.vv.4500 > zz.zz.zz.zz.4500: UDP-encap: ESP(spi=0xcb99370a,seq=0x4), length 100
11:35:13.672232 IP xx.xx.xx.xx.49768 > zz.zz.zz.zz.15952: Flags [S], seq 101710370, win 64240, options [mss 1350,sackOK,TS val 2355228377 ecr 0,nop,wscale 7], length 0
11:35:13.672319 IP zz.zz.zz.zz.4500 > vv.vv.vv.vv.4500: UDP-encap: ESP(spi=0x9a2c6938,seq=0x10), length 100
11:35:17.713025 IP zz.zz.zz.zz.4500 > vv.vv.vv.vv.4500: UDP-encap: ESP(spi=0x9a2c6938,seq=0x11), length 100
11:35:25.905124 IP zz.zz.zz.zz.4500 > vv.vv.vv.vv.4500: UDP-encap: ESP(spi=0x9a2c6938,seq=0x12), length 100
11:35:42.033153 IP zz.zz.zz.zz.4500 > vv.vv.vv.vv.4500: UDP-encap: ESP(spi=0x9a2c6938,seq=0x13), length

It is unclear to me where the packets might get lost. Any hints on how to narrow down the problem are welcome

** Update **

In the meantime I double-checked the configuration, without success.

Then I switched to Openswan (2.6.51.5) for an AWS test.

With Openswan the packets arrive at the cloud as expected.

My conclusion is that strongSwan is not compatible with the AWS VPC.

If there are ideas on how to test further, I am happy to run further tests.

udp ipsec amazon-web-services strongswan openswan
  • 1 answer
  • 1520 Views
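An added diagnostic for the question above (example code, not part of the original post): it parses an `ip xfrm policy show` dump and checks whether the forwarded UDP flow, with the addresses as they stand after the DNAT and SNAT rules, falls inside the tunnel's `out` selector, which is the check behind the poster's remark that the xfrm policy does not apply without SNAT. The dump and all addresses are constructed sample values standing in for the question's zz/xx/vv/yy placeholders.

```python
"""Check whether a NAT-rewritten flow falls inside the IPsec (xfrm) policy selectors.

Constructed sample values standing in for the question's placeholders:
  192.0.2.10    communication server (leftsubnet, /32)   -> zz.zz.zz.zz
  10.20.0.0/16  AWS VPC (rightsubnet)                     -> xx.xx.0.0/16
  10.20.1.50    IoT device inside the VPC                 -> xx.xx.xx.xx
  203.0.113.5   AWS VPN gateway                           -> vv.vv.vv.vv
  198.51.100.7  IoT server sending the UDP packet         -> yy.yy.yy.yy
"""
import ipaddress
import re

# Constructed `ip xfrm policy show` dump, same shape as the one in the question.
XFRM_POLICY_DUMP = """\
src 192.0.2.10/32 dst 10.20.0.0/16
        dir out priority 375423 ptype main
        tmpl src 192.0.2.10 dst 203.0.113.5
                proto esp spi 0x9d083aa4 reqid 2 mode tunnel
src 10.20.0.0/16 dst 192.0.2.10/32
        dir fwd priority 375423 ptype main
        tmpl src 203.0.113.5 dst 192.0.2.10
                proto esp reqid 2 mode tunnel
src 10.20.0.0/16 dst 192.0.2.10/32
        dir in priority 375423 ptype main
        tmpl src 203.0.113.5 dst 192.0.2.10
                proto esp reqid 2 mode tunnel
"""

# A selector line starts a policy block; "tmpl src ..." lines are indented and do not match.
SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)\s*$")
DIR_RE = re.compile(r"^\s*dir (in|out|fwd) priority (\d+)")


def parse_xfrm_policies(dump):
    """Return a list of {'src', 'dst', 'dir', 'priority'} dicts, one per policy block."""
    policies = []
    current = None
    for line in dump.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            current = {
                "src": ipaddress.ip_network(m.group(1), strict=False),
                "dst": ipaddress.ip_network(m.group(2), strict=False),
                "dir": None,
                "priority": None,
            }
            policies.append(current)
            continue
        m = DIR_RE.match(line)
        if m and current is not None:
            current["dir"] = m.group(1)
            current["priority"] = int(m.group(2))
    return [p for p in policies if p["dir"] is not None]


def match_policy(policies, src, dst, direction):
    """Best-matching policy for a packet (lowest priority value wins, as in the kernel), or None."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    hits = [p for p in policies
            if p["dir"] == direction and src in p["src"] and dst in p["dst"]]
    return min(hits, key=lambda p: p["priority"]) if hits else None


def forwarded_flow(orig_src, orig_dst, dnat_to=None, snat_to=None):
    """Addresses of a forwarded packet after the question's NAT rules:
    DNAT in PREROUTING rewrites the destination, SNAT in POSTROUTING the source."""
    return (snat_to or orig_src, dnat_to or orig_dst)


def will_be_tunnelled(policies, orig_src, orig_dst, dnat_to=None, snat_to=None):
    """True if the post-NAT flow hits an 'out' selector and so leaves through the tunnel.
    False means no IPsec policy covers it: the packet is routed in the clear or dropped,
    which is exactly what to look for when traffic 'disappears' after NAT."""
    src, dst = forwarded_flow(orig_src, orig_dst, dnat_to, snat_to)
    return match_policy(policies, src, dst, "out") is not None


if __name__ == "__main__":
    pols = parse_xfrm_policies(XFRM_POLICY_DUMP)
    for p in pols:
        print(f"{p['dir']:3} {p['src']} -> {p['dst']} prio {p['priority']}")
    # DNAT only: source stays 198.51.100.7, outside the /32 leftsubnet, so no 'out' selector matches
    print("DNAT only   :", will_be_tunnelled(pols, "198.51.100.7", "192.0.2.10",
                                             dnat_to="10.20.1.50"))
    # DNAT + SNAT: 192.0.2.10 -> 10.20.1.50 is inside the 'out' selector
    print("DNAT + SNAT :", will_be_tunnelled(pols, "198.51.100.7", "192.0.2.10",
                                             dnat_to="10.20.1.50", snat_to="192.0.2.10"))
```

Feeding the real `ip xfrm policy show` output and the real addresses into `will_be_tunnelled` tells you whether the kernel even has a policy for the rewritten flow before you start looking at the far end.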
BioRod
Asked: 2016-12-29 11:05:00 +0800 CST

The tunnel is up, but I cannot ping

  • 3

I need to understand and solve my problem. I know openswan works, because when I connect to the work VPN from my home network, with internal IP address 10.0.0.97, I can ping, but when I use the public Xfinity wifi it shows the tunnel is up but I cannot ping the internal hosts of my VPN.

When I successfully connect to the public Xfinity wifi, my IP is:

inet addr:10.232.204.146  Bcast:10.255.255.255  Mask:255.224.0.0

Here is route -n

root@ubuntu:/etc# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref      Use Iface
0.0.0.0         10.224.0.1      0.0.0.0         UG    0      0        0 wlan0
0.0.0.0         10.224.0.1      0.0.0.0         UG    0      0        0 wlan0
10.224.0.0      0.0.0.0         255.224.0.0     U     9      0        0 wlan0

At this point I can ping and browse the internet.

When I start ipsec/openswan, I get this.

root@ubuntu:/etc# /etc/init.d/ipsec status
IPsec running  - pluto pid: 4483
pluto pid 4483
1 tunnels up

But I cannot ping my internal servers, which have IPs 192.168.1.xxx.

Here is my ipsec.conf

    config setup

    dumpdir=/var/run/pluto/
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    #        nat_traversal=yes
    # exclude networks used on server side by adding %v4:!a.b.c.0/24
    # It seems that T-Mobile in the US and Rogers/Fido in Canada are
    # using 25/8 as "private" address space on their 3G network.
    # This range has not been announced via BGP (at least upto 2010-12-21)
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.1.0/24,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
    # OE is now off by default. Uncomment and change to on, to enable.
    oe=off
    # which IPsec stack to use. auto will try netkey, then klips then mast
    #protostack=netkey
    # Use this to log to a file, or disable logging on embedded systems (like openwrt)
    plutostderrlog=/var/log/pluto
    plutodebug="all"
    protostack=netkey

    conn work
    authby=secret
    auto=start
    type=tunnel
    left=10.232.204.146
    leftsubnet=10.0.0.0/8
    right=99.xx.xx.xx
    rightsubnet=192.168.1.0/24
    ike=aes256-sha1,aes128-sha1,3des-sha1
    leftxauthusername=xxxxx

Here is my ipsec.secrets

@massivedude : XAUTH  "password"
10.232.204.146   vpnserver-01   : PSK "YouWillNeverKnow"

By the way, even though the tunnel is up and I cannot ping the internal hosts, I can still ping yahoo.com and google.com

Any help would be greatly appreciated.

ipsec openswan
  • 1 answer
  • 7159 Views
iss_628
Asked: 2016-09-07 07:35:11 +0800 CST

Cannot establish a site-to-site VPN connection between a Cisco 3900 and a strongSwan client

  • 1

I have a website that displays data received from GSM modems. So I am trying to connect my website to the GSM network provider using a VPN.

On the provider side there is a Cisco 3900 configured as a site-to-site VPN server, and on my side I have installed strongSwan on Debian Linux and configured it as the client.

I am using this guide for the client configuration http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html

On the GSM network provider side the configuration is as follows:

  • VPN device version: Cisco 3900
  • VPN module: DES+3DES+AES
  • VPN gateway IP: "VpnGatewayIP"
  • Hosts using the VPN: 10.248.64.0/20

Tunnel information

Phase 1 (IKE)

  • Authentication method: pre-shared key
  • Encryption scheme: IKE
  • Perfect forward secrecy - IKE: DH Group-5
  • Encryption algorithm: AES256
  • Hash algorithm: SHA1
  • Renegotiate IKE SA every: 86400 seconds

Phase 2 (IPSEC)

  • IPsec: ESP
  • Perfect forward secrecy - IPsec: DH Group-5
  • Encryption algorithm IPsec: AES256
  • Hash algorithm IPsec: SHA1
  • Renegotiate IPsec SA every: 3600 seconds
  • Aggressive mode: not used

Here is the content of my configuration file /etc/ipsec.conf

config setup
        strictcrlpolicy=no
        charondebug="ike 1, knl 2, cfg 0"

conn %default
     ikelifetime=1440m
     keylife=60m
     rekeymargin=3m
     keyingtries=1
     keyexchange=ikev1
     authby=secret

conn "providerVPN"
     left=MyServerIP
     leftsubnet=MyServerIP/32
     leftid=MyServerIP
     leftfirewall=yes
     right=VpnGatewayIP
     rightsubnet=10.248.64.0/20
     rightid=VpnGatewayIP
     auto=add
     ike=aes256-sha1-modp1536
     esp=aes256-sha1

and the PSK file /etc/ipsec.secrets

MyServerIP VpnGatewayIP : PSK someSecretKey

The client is started like this

/etc/init.d/ipsec start

After this, ifconfig does not show any new connection, and "ipsec status" gives me the output

Security Associations (0 up, 0 connecting):
  none

Here is the log from /var/log/daemon.log

Sep  6 17:54:12 gmapfish ipsec[1221]: ipsec starter stopped
Sep  6 17:54:15 gmapfish ipsec[1320]: Starting strongSwan 5.2.1 IPsec [starter]...
Sep  6 17:54:15 gmapfish charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-686-pae, i686)
Sep  6 17:54:15 gmapfish charon: 00[KNL] known interfaces and IP addresses:
Sep  6 17:54:15 gmapfish charon: 00[KNL]   lo
Sep  6 17:54:15 gmapfish charon: 00[KNL]     127.0.0.1
Sep  6 17:54:15 gmapfish charon: 00[KNL]     ::1
Sep  6 17:54:15 gmapfish charon: 00[KNL]   eth0
Sep  6 17:54:15 gmapfish charon: 00[KNL]     "MyServerIP"
Sep  6 17:54:15 gmapfish charon: 00[KNL]     10.19.0.5
Sep  6 17:54:15 gmapfish charon: 00[KNL]     df80::501:a8ef:ef9f:a321
Sep  6 17:54:15 gmapfish charon: 00[LIB] loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
Sep  6 17:54:15 gmapfish charon: 00[LIB] unable to load 3 plugin features (3 due to unmet dependencies)
Sep  6 17:54:15 gmapfish charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep  6 17:54:15 gmapfish charon: 00[JOB] spawning 16 worker threads
Sep  6 17:54:15 gmapfish charon: 07[KNL] "VpnGatewayIP" is not a local address or the interface is down
Sep  6 17:54:15 gmapfish ipsec[1320]: charon (1348) started after 60 ms

Any suggestions as to what is wrong with my setup?

vpn site-to-site-vpn cisco strongswan openswan
  • 1 answer
  • 2742 Views
Tapo
Asked: 2016-08-01 19:54:57 +0800 CST

Site-to-site VPN error "received Hash Payload does not match computed value"

  • 4

We need to access several Linux machines located at a client's site. Our Linux machine that needs to access the client machines is in the cloud.

The connection to be established is a site-to-site VPN.

When restarting the ipsec service through the command sudo service ipsec restart, the connection ends with the error received Hash Payload does not match computed value

However, we have re-verified that ipsec.secrets has the correct key, as it was shared by the client. Also, when running the command sudo ipsec auto --up vpn, the CLI hangs.

Being a toddler in networking, I am sharing most of the output I think could be related to the error. Please let me know if more information is needed.

The following information is shared below:

  • Output of the ipsec service restart
  • /var/log/secure log captured when the ipsec service starts
  • Configuration in ipsec.conf
  • Configuration in ipsec.secrets
  • Output of ipsec verify
  • Output of ifconfig
  • Record of the VPN information shared between the client and us

Output of the ipsec service restart

[root@gbox-1 ~]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.32...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

/var/log/secure log captured when the ipsec service starts

[root@gbox-1 log]# tail -f secure
Jul 31 23:43:24 gbox-1 sshd[3005]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down
Jul 31 23:43:38 gbox-1 pluto[32279]: forgetting secrets
Jul 31 23:43:38 gbox-1 pluto[32279]: "vpn": deleting connection
Jul 31 23:43:38 gbox-1 pluto[32279]: "vpn" #1: deleting state (STATE_AGGR_I1)
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface lo/lo ::1:500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth0/eth0 2001:4800:780e:510:acf:6c9b:ffd8:94cd:500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface lo/lo 127.0.0.1:4500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface lo/lo 127.0.0.1:500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth0/eth0 50.55.153.121:4500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth0/eth0 50.55.153.121:500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth1/eth1 10.180.3.132:4500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth1/eth1 10.180.3.132:500
Jul 31 23:43:40 gbox-1 ipsec__plutorun: Starting Pluto subsystem...
Jul 31 23:43:40 gbox-1 pluto[3352]: nss directory plutomain: /etc/ipsec.d
Jul 31 23:43:40 gbox-1 pluto[3352]: NSS Initialized
Jul 31 23:43:40 gbox-1 pluto[3352]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Jul 31 23:43:40 gbox-1 pluto[3352]: FIPS: not a FIPS product
Jul 31 23:43:40 gbox-1 pluto[3352]: FIPS HMAC integrity verification test passed
Jul 31 23:43:40 gbox-1 pluto[3352]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:3352
Jul 31 23:43:40 gbox-1 pluto[3352]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Jul 31 23:43:40 gbox-1 pluto[3352]: LEAK_DETECTIVE support [disabled]
Jul 31 23:43:40 gbox-1 pluto[3352]: OCF support for IKE [disabled]
Jul 31 23:43:40 gbox-1 pluto[3352]: SAref support [disabled]: Protocol not available
Jul 31 23:43:40 gbox-1 pluto[3352]: SAbind support [disabled]: Protocol not available
Jul 31 23:43:40 gbox-1 pluto[3352]: NSS support [enabled]
Jul 31 23:43:40 gbox-1 pluto[3352]: HAVE_STATSD notification support not compiled in
Jul 31 23:43:40 gbox-1 pluto[3352]: Setting NAT-Traversal port-4500 floating to on
Jul 31 23:43:40 gbox-1 pluto[3352]:    port floating activation criteria nat_t=1/port_float=1
Jul 31 23:43:40 gbox-1 pluto[3352]:    NAT-Traversal support  [enabled]
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: starting up 1 cryptographic helpers
Jul 31 23:43:40 gbox-1 pluto[3352]: started helper (thread) pid=140162780645120 (fd:8)
Jul 31 23:43:40 gbox-1 pluto[3352]: Kernel interface auto-pick
Jul 31 23:43:40 gbox-1 pluto[3352]: Using Linux 2.6 IPsec interface code on 2.6.32-431.11.2.el6.x86_64 (experimental code)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jul 31 23:43:40 gbox-1 pluto[3352]: Could not change to directory '/etc/ipsec.d/cacerts': /
Jul 31 23:43:40 gbox-1 pluto[3352]: Could not change to directory '/etc/ipsec.d/aacerts': /
Jul 31 23:43:40 gbox-1 pluto[3352]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Jul 31 23:43:40 gbox-1 pluto[3352]: Could not change to directory '/etc/ipsec.d/crls'
Jul 31 23:43:40 gbox-1 pluto[3352]: | selinux support is NOT enabled.
Jul 31 23:43:40 gbox-1 pluto[3352]: added connection description "vpn"
Jul 31 23:43:40 gbox-1 pluto[3352]: listening for IKE messages
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth1/eth1 10.180.3.132:500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth1/eth1 10.180.3.132:4500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth0/eth0 50.55.153.121:500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth0/eth0 50.55.153.121:4500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface lo/lo 127.0.0.1:500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface lo/lo 127.0.0.1:4500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth0/eth0 2001:4800:780e:510:acf:6c9b:ffd8:94cd:500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface lo/lo ::1:500
Jul 31 23:43:40 gbox-1 pluto[3352]: loading secrets from "/etc/ipsec.secrets"
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: initiating Aggressive Mode #1, connection "vpn"
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: received Vendor ID payload [Cisco-Unity]
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: received Vendor ID payload [XAUTH]
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: received Vendor ID payload [Dead Peer Detection]
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '41.78.1.143'
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: received Hash Payload does not match computed value
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: sending notification INVALID_HASH_INFORMATION to 41.78.1.143:500
Jul 31 23:43:48 gbox-1 pluto[3352]: "vpn" #1: discarding duplicate packet; already STATE_AGGR_I1
Jul 31 23:43:56 gbox-1 pluto[3352]: "vpn" #1: discarding duplicate packet; already STATE_AGGR_I1
Jul 31 23:44:04 gbox-1 pluto[3352]: "vpn" #1: discarding duplicate packet; already STATE_AGGR_I1
Jul 31 23:44:12 gbox-1 pluto[3352]: "vpn" #1: encrypted Informational Exchange message is invalid because no key is known

Configuration in ipsec.conf

version 2.0

config setup
        protostack=auto
        #netkey
        nat_traversal=yes
        #forceencaps=yes
        #plutodebug=none

conn vpn
        type=tunnel
        authby=secret
        auto=start
        pfs=yes
        ike=3des-sha1;modp1024!
        phase2alg=3des-sha1;
        aggrmode=yes
        left=50.55.153.121
        right=41.78.1.143
        leftsubnet=10.180.3.132/255.255.128.0
        leftnexthop=50.55.153.121
        leftsourceip=10.180.3.132
        rightsubnet=172.27.176.125/255.255.255.255
        rightnexthop=41.78.1.143
        rightsourceip=172.27.176.125

Configuration in ipsec.secrets

%any %any : PSK "not_the_actual_psk"

Output of ipsec verify

[root@gbox-1 log]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.32-431.11.2.el6.x86_64 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: gbox-1                  [MISSING]
   Does the machine have at least one non-private address?      [OK]
   Looking for TXT in reverse dns zone: 115.171.52.49.in-addr.arpa.     [MISSING]

Output of ifconfig

[root@gbox-1 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr BC:76:4E:04:94:B6
          inet addr:50.55.153.121  Bcast:50.55.153.255  Mask:255.255.255.0
          inet6 addr: 2001:4800:780e:510:acf:6c9b:ffd8:94cd/64 Scope:Global
          inet6 addr: fe80::be76:acf:6c9b:ffd8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5843131 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5444379 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1587187725 (1.4 GiB)  TX bytes:1356473321 (1.2 GiB)
          Interrupt:246

eth1      Link encap:Ethernet  HWaddr BC:76:4E:04:CA:EE
          inet addr:10.180.3.132  Bcast:10.180.127.255  Mask:255.255.128.0
          inet6 addr: fe80::be76:5e32:fd0f:cdae/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6554243 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2800 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:327739177 (312.5 MiB)  TX bytes:205160 (200.3 KiB)
          Interrupt:245

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10654186 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10654186 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9532400622 (8.8 GiB)  TX bytes:9532400622 (8.8 GiB)

Record of the VPN information shared between the client and us

VPN Phase 1

Property                      | Client's VAS Device | Our VPN Device
=====================================================================
Encryption Scheme             | IKE                 | IKE
Diffie-Hellman Group          | Group 2             | 2
Encryption Algorithm          | 3DES                | 3DES
Hashing Algorithm             | MD5                 | SHA-1
Main or Aggressive Mode       | Main mode           | Main
Lifetime (for renegotiation)  | 28800 seconds       | 28800

VPN Phase 2

Property                      | Client's VAS Device | Our VPN Device
=====================================================================
Encapsulation (ESP or AH)     | ESP                 | ESP
Encryption Algorithm          | 3DES                | 3DES
Authentication Algorithm      | SHA1                | SHA1
Perfect Forward Secrecy       | NO PFS              | Yes, Group-2
Lifetime (for renegotiation)  | 3600 seconds        | 3600
Lifesize (for renegotiation)  | Not Used            | 
Key exchange for Subnets      | Yes                 | 

Gateway device information

Property                      | Client's VAS Device | Our VPN Device
=====================================================================
IP Address                    | 41.78.1.143         | 50.55.153.121
VPN Device Description        | Cisco ASA 5510      | OpenSwan
DN Information of VPN Gateway |                     | 
(if using certificates)       | NA                  | 
Encryption Domain             | 172.27.176.125-126  | 10.180.3.132
vpn site-to-site-vpn ipsec linux-networking openswan
  • 2 answers
  • 6109 Views
Sandra
Asked: 2012-07-19 05:06:26 +0800 CST

Can OpenSWAN replace OpenVPN?

  • 8

Background

I currently have a working OpenVPN setup, where users can connect their computers to the private network from home.

However, most mobile phones only support IPsec, so I would like to offer phones with IPsec the same service that I offer computers with OpenVPN.

Problem

I cannot find any tutorial describing how to configure OpenSWAN to hand out a private IP to clients.

With my OpenVPN, clients must provide a key and a password to get access.

Question

Is it possible to configure OpenSWAN to hand out a private IP to clients, similar to my OpenVPN setup?

OpenVPN configuration

port 1194
proto udp
dev tun
ca /etc/openvpn/easy-rsa/2.0/keys/ca.crt
cert /etc/openvpn/secrets/server.crt
key /etc/openvpn/secrets/server.key
dh /etc/openvpn/secrets/dh1024.pem
server 192.168.240.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 10.10.64.0  255.255.252.0"
push "dhcp-option DNS xxx.xxx.xxx.xxx"
duplicate-cn
keepalive 10 120
comp-lzo
user openvpn
group openvpn
persist-key
persist-tun
status /var/log/openvpn-status.log
log-append  /var/log/openvpn.log
verb 4
mute 20
plugin /usr/lib64/openvpn/plugin/lib/openvpn-auth-ldap.so "/etc/openvpn/auth/ldap.conf"
script-security 2
auth-user-pass-verify /etc/openvpn/scripts/check_cn_on_connect.sh via-env
learn-address /etc/openvpn/scripts/log_clients_ip.sh
linux centos ubuntu openvpn openswan
  • 1 answer
  • 9759 Views
Noam Singer
Asked: 2012-07-14 04:09:16 +0800 CST

Connecting from Windows 7 to IPsec/L2TP on Amazon EC2 with OpenSwan/xl2tpd

  • 4

I am trying to connect from Windows 7 at home to an OpenSwan/xl2tpd setup on an Ubuntu EC2 instance at Amazon.
It is a connection that is NATed on both the client and the server side.
I am following tips from several threads on how to get this connection working, but all have failed

What puzzles me most is the following line in the log:

Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: cannot respond to IPsec SA request because no connection is known for 23.21.84.48/32===10.117.59.224[23.21.84.48,+S=C]:17/1701...85.178.143.82[192.168.2.103,+S=C]:17/1701===192.168.2.103/32

This connection obviously exists, with the external IP identified as leftid (see below for the ipsec auto --status information). Why is it not found? Or what else am I doing wrong?

I would appreciate any help.

My configuration:

The IPs I use:

  • EC2 instance internal IP: 10.117.59.224
  • Elastic IP associated with the instance: 23.21.84.48
  • My ISP's IP associated with my home router: 85.178.143.82
  • My home NAT IP: 192.168.2.103

I currently get these error messages in /var/log/auth.log:

Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]: changing to directory '/etc/ipsec.d/ocspcerts'
Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]: changing to directory '/etc/ipsec.d/crls'
Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]:   Warning: empty directory
Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]: listening for IKE messages
Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]: adding interface eth0/eth0 10.117.59.224:500
Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]: adding interface lo/lo 127.0.0.1:500
Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]: adding interface lo/lo ::1:500
Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]: loading secrets from "/etc/ipsec.secrets"
Jul 13 11:03:55 ip-10-117-59-224 pluto[8782]: loaded private key for keyid: PPK_RSA:AQOnFE96U
Jul 13 11:03:57 ip-10-117-59-224 pluto[8782]: added connection description "connRW48"
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: packet from 85.178.143.82:500: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000008]
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: packet from 85.178.143.82:500: received Vendor ID payload [RFC 3947] meth=109, but port floating is off
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: packet from 85.178.143.82:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but port floating is off
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: packet from 85.178.143.82:500: ignoring Vendor ID payload [FRAGMENTATION]
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: packet from 85.178.143.82:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: packet from 85.178.143.82:500: ignoring Vendor ID payload [Vid-Initial-Contact]
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: packet from 85.178.143.82:500: ignoring Vendor ID payload [IKE CGA version 1]
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: responding to Main Mode from unknown peer 85.178.143.82
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 13 11:04:20 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: Main mode peer ID is ID_IPV4_ADDR: '192.168.2.103'
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[1] 85.178.143.82 #1: switched from "connRW48" to "connRW48"
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: deleting connection "connRW48" instance with peer 85.178.143.82 {isakmp=#0/ipsec=#0}
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_256 prf=oakley_sha group=modp2048}
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: the peer proposed: 23.21.84.48/32:17/1701 -> 192.168.2.103/32:17/0
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: cannot respond to IPsec SA request because no connection is known for 23.21.84.48/32===10.117.59.224[23.21.84.48,+S=C]:17/1701...85.178.143.82[192.168.2.103,+S=C]:17/1701===192.168.2.103/32
Jul 13 11:04:21 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: sending encrypted notification INVALID_ID_INFORMATION to 85.178.143.82:500
Jul 13 11:04:22 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: the peer proposed: 23.21.84.48/32:17/1701 -> 192.168.2.103/32:17/0
Jul 13 11:04:22 ip-10-117-59-224 pluto[8782]: "connRW48"[2] 85.178.143.82 #1: cannot respond to IPsec SA request because no connection is known for 23.21.84.48/32===10.117.59.224[23.21.84.48,+S=C]:17/1701...85.178.143.82[192.168.2.103,+S=C]:17/1701===192.168.2.103/32

My security group allows incoming traffic on UDP ports 500 and 4500, etc.

My iptables also allows 1701, etc.

My /etc/ipsec.conf:

version 2.0
config setup
        protostack=netkey
        interfaces=%defaultroute
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:172.16.0.0/12
        oe=no
        nhelpers=0
        disable_port_floating=yes
include /etc/ipsec.d/*.conf

My /etc/ipsec.d/connRW48.conf

conn connRW48
        rightsubnet=vhost:%no,%priv
        type=transport
        authby=secret
        pfs=no
        rekey=no
        ikelifetime=8h
        keylife=1h
        leftprotoport=17/1701
        left=10.117.59.224
        #leftid=@ip-10-117-59-224.ec2.internal
        leftid=23.21.84.48
        rightprotoport=17/0
        right=%any
        auto=ignore

My (redacted) /etc/ipsec.secrets:

: RSA {
        # RSA 2048 bits   ip-10-117-59-224   Tue Jul 10 14:01:50 2012
        # for signatures only, UNSAFE FOR ENCRYPTION
        #pubkey=XXXXXXX
        Modulus: XXX
        PublicExponent: 0x03
        # everything after this point is secret
        PrivateExponent: XXX
        Prime1: XXX
        Prime2: XXX
        Exponent1: XXX
        Exponent2: XXX
        Coefficient: XXX
        }
# do not change the indenting of that "}"
@ip-10-117-59-224.ec2.internal %any: PSK "XXX"
23.21.84.48 %any: PSK "XXX"

Output of running "ipsec verify":

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.2.0-25-virtual (netkey)
Checking for IPsec support in kernel [OK]
 SAref kernel support [N/A]
 NETKEY: Testing XFRM related proc values [OK]
        [OK]
        [OK]
Checking that pluto is running [OK]
 Pluto listening for IKE on udp 500 [OK]
 Pluto listening for NAT-T on udp 4500 [FAILED]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

Output of running "ipsec auto --status":

000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 10.117.59.224
000 %myid = (none)
000 debug none
000
000 virtual_private (%priv):
000 - allowed 2 subnets: 10.0.0.0/8, 172.16.0.0/12
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000   private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
...
...
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,0,0} trans={0,0,0} attrs={0,0,0}
000
000 "connRW48": 10.117.59.224[23.21.84.48,+S=C]:17/1701...%virtual[+S=C]:17/0===?; unrouted; eroute owner: #0
000 "connRW48":     myip=unset; hisip=unset;
000 "connRW48":   ike_life: 28800s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "connRW48":   policy: PSK+ENCRYPT+DONTREKEY+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "connRW48":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000

Thanks in advance

vpn amazon-ec2 ipsec openswan
  • 2 answers
  • 3487 Views
Martin Hope
XXL
Asked: 2012-06-12 06:43:34 +0800 CST

OpenSwan IPSec Phase 2 complications

  • 0

Phase #1 (IKE) succeeds without any problems (verified on the target host).
However, phase #2 (IPSec) goes wrong at some point (apparently due to a misconfiguration on localhost).

This should be an IPSec-only connection. I am using OpenSwan on Debian. The error log reads as follows (the actual IP address of the remote endpoint has been changed):

pluto[30868]: "x" #2: initiating Quick Mode PSK+ENCRYPT+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:5ece82ee proposal=AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_DH22}
pluto[30868]: "x" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
pluto[30868]: "x" #1: received and ignored informational message
pluto[30868]: "x" #1: peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
pluto[30868]: "x" #3: responding to Quick Mode proposal {msgid:a4f5a81c}
pluto[30868]: "x" #3:     us: 192.168.1.76<192.168.1.76>[+S=C]
pluto[30868]: "x" #3:   them: 222.222.222.222<222.222.222.222>[+S=C]===10.196.0.0/17
pluto[30868]: "x" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
pluto[30868]: "x" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
pluto[30868]: "x" #1: ignoring informational payload, type NO_PROPOSAL_CHOSEN msgid=00000000
pluto[30868]: "x" #1: received and ignored informational message
pluto[30868]: "x" #3: next payload type of ISAKMP Hash Payload has an unknown value: 97
pluto[30868]: "x" #3: malformed payload in packet
pluto[30868]: | payload malformed after IV

I am behind NAT, and all of this goes through wlan2. Here are the details:

默认通过 192.168.1.254 dev wlan2 proto static
169.254.0.0/16 dev wlan2 scope link metric 1000
192.168.1.0/24 dev wlan2 proto kernel scope link src 192.168.1.76 metric 2

Output of ipsec verify:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.2.0-24-generic (netkey)
Checking for IPsec support in kernel [OK]
 SAref kernel support [N/A]
 NETKEY: Testing XFRM related proc values [OK]
        [OK]
        [OK]
Checking that pluto is running [OK]
 Pluto listening for IKE on udp 500 [OK]
 Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]

This is what happens when I run ipsec auto --up x:

104 "x" #1: STATE_MAIN_I1: initiate
003 "x" #1: received Vendor ID payload [RFC 3947] method set to=109
106 "x" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "x" #1: received Vendor ID payload [Cisco-Unity]
003 "x" #1: received Vendor ID payload [Dead Peer Detection]
003 "x" #1: ignoring unknown Vendor ID payload [502099ff84bd4373039074cf56649aad]
003 "x" #1: received Vendor ID payload [XAUTH]
003 "x" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "x" #1: STATE_MAIN_I3: sent MI3, expecting MR3
004 "x" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
117 "x" #2: STATE_QUICK_I1: initiate
010 "x" #2: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "x" #2: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "x" #2: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "x" #2: starting keying attempt 2 of at most 3, but releasing whack

More debug information from ipsec auto --status:

000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface wlan2/wlan2 192.168.1.76
000 interface wlan2/wlan2 192.168.1.76
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+lifecycle+klips+dns+oppo+controlmore+pfkey+nattraversal+x509+dpd+oppoinfo
000
000 virtual_private (%priv):
000 - allowed 2 subnets: 10.196.0.0/17, 192.168.1.0/24
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000   private address space in internal use, it should be excluded!
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,4,36} trans={0,4,1536} attrs={0,4,2048}
000
000 "x": 192.168.1.0/24===192.168.1.76[+S=C]...222.222.222.222<222.222.222.222>[+S=C]===10.196.0.0/17; unrouted; eroute owner: #0
000 "x":     myip=unset; hisip=unset;
000 "x":   ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 3
000 "x":   policy: PSK+ENCRYPT+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 24,17; interface: wlan2;
000 "x":   dpd: action:clear; delay:0; timeout:0;
000 "x":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "x":   ESP algorithms wanted: AES(12)_256-SHA1(2)_000; pfsgroup=DH22(22); flags=-strict
000 "x":   ESP algorithms loaded: AES(12)_256-SHA1(2)_160

More debug information from /var/log/auth.log (plutodebug="all"):

pluto[26439]: | peer client is subnet 0.0.0.0/0
pluto[26439]: | peer client protocol/port is 0/0
pluto[26439]: | our client is subnet 0.0.0.0/0
pluto[26439]: | our client protocol/port is 0/0
pluto[26439]: "x" #1: peer proposed: 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
pluto[26439]: | find_client_connection starting with x
pluto[26439]: | looking for 0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0
pluto[26439]: | concrete checking against sr#0 192.168.1.0/24 -> 10.196.0.0/17
pluto[26439]: | match_id a=222.222.222.222
pluto[26439]: |          b=222.222.222.222
pluto[26439]: |   results  matched
pluto[26439]: | trusted_ca called with a=(empty) b=(empty)
pluto[26439]: |   fc_try trying x:0.0.0.0/0:0/0 -> 0.0.0.0/0:0/0 vs x:192.168.1.0/24:0/0 -> 10.196.0.0/17:0/0
pluto[26439]: |    our client (192.168.1.0/24) not in our_net (0.0.0.0/0)
pluto[26439]: |   fc_try concluding with none [0]
pluto[26439]: |   fc_try x gives none
pluto[26439]: | find_host_pair: comparing to 192.168.1.76:500 222.222.222.222:500
pluto[26439]: | checking hostpair 192.168.1.0/24 -> 10.196.0.0/17 is not found
pluto[26439]: | concluding with d = none
pluto[26439]: | using (something - hopefully the IP we or they are NAT'ed to) for transport mode connection "x"

I have enabled NAT traversal in ipsec.conf accordingly. Here are the settings related to the connection in question:

version 2.0

config setup

plutoopts="--perpeerlog"
plutoopts="--interface=wlan2"
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
oe=off
protostack=netkey

conn x

authby=secret  
pfs=yes  
auto=add  
phase2alg=aes256-sha1;dh22  
keyingtries=3  
ikelifetime=8h  
type=transport  
left=192.168.1.76  
leftsubnet=192.168.1.0/24  
leftprotoport=0/0  
right=222.222.222.222  
rightsubnet=10.196.0.0/17  
rightprotoport=0/0

Here are the specifications, provided by the other side, that phase 2 must satisfy:

Encryption algorithm: AES (128 or 256 bit)
Hash algorithm: SHA
local ident1 (addr/mask/prot/port): (10.196.0.0/255.255.128.0/0/0)
local ident2 (addr/mask/prot/port): (10.241.0.0/255.255.0.0/0/0)
remote ident (addr/mask/prot/port): (xxxx/xxxx/0/0) (internal network or localhost)
Security association lifetime: 4608000 kilobytes/3600 seconds
PFS: DH group 2

So, finally, what could be the cause of the problem I am running into? Thank you.

vpn linux security ipsec openswan
  • 2 answers
  • 38634 Views
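A small check of an Openswan phase 2 proposal against a peer's published requirements, as an added example that is not part of the question above or of Openswan itself. It parses both the `phase2alg=` value from the conn definition and the `proposal=... pfsgroup=...` text pluto logs when initiating Quick Mode, and lists the attributes the peer cannot accept; `PEER_SPEC` is a constructed transcription of the requirement list in the post, and reading its "SHA" as SHA-1 is an assumption.

```python
import re

# Openswan DH group names in both the phase2alg spelling (dh22, modp1024) and
# the log spelling (OAKLEY_GROUP_DH22), mapped to the IANA group number.
DH_GROUPS = {"dh2": 2, "modp1024": 2, "dh5": 5, "modp1536": 5, "dh14": 14,
             "modp2048": 14, "dh22": 22, "dh23": 23, "dh24": 24}

# Constructed from the peer's requirement list in the post: AES 128 or 256,
# "SHA" (assumed to mean SHA-1), PFS with DH group 2.
PEER_SPEC = {"ciphers": {("aes", 128), ("aes", 256)},
             "hashes": {"sha1"}, "pfs_group": 2}


def parse_phase2alg(value):
    """Parse an ipsec.conf phase2alg value such as 'aes256-sha1;dh22'."""
    m = re.fullmatch(r"([a-z0-9]+?)(\d{3})?-([a-z0-9]+)(?:;(\w+))?", value.strip())
    if not m:
        raise ValueError("unrecognised phase2alg: %r" % value)
    cipher, bits, hsh, group = m.groups()
    return {"cipher": cipher, "bits": int(bits) if bits else None,
            "hash": hsh, "dh": DH_GROUPS.get(group) if group else None}


def parse_log_proposal(text):
    """Parse the proposal pluto logs for Quick Mode, e.g.
    'AES(12)_256-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_DH22'."""
    m = re.search(r"(\w+)\(\d+\)_(\d+)-(\w+)\(\d+\)_\d+"
                  r"(?:\s+pfsgroup=OAKLEY_GROUP_(\w+))?", text)
    if not m:
        raise ValueError("unrecognised proposal: %r" % text)
    cipher, bits, hsh, group = m.groups()
    return {"cipher": cipher.lower(), "bits": int(bits), "hash": hsh.lower(),
            "dh": DH_GROUPS.get(group.lower()) if group else None}


def check_against_peer(proposal, peer=PEER_SPEC):
    """Return the attributes of `proposal` that the peer's spec cannot accept."""
    problems = []
    if (proposal["cipher"], proposal["bits"]) not in peer["ciphers"]:
        problems.append("cipher %s%s" % (proposal["cipher"], proposal["bits"] or ""))
    if proposal["hash"] not in peer["hashes"]:
        problems.append("hash %s" % proposal["hash"])
    if proposal["dh"] != peer["pfs_group"]:
        problems.append("pfs group %s (peer requires %s)"
                        % (proposal["dh"], peer["pfs_group"]))
    return problems


if __name__ == "__main__":
    print(check_against_peer(parse_phase2alg("aes256-sha1;dh22")))
```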
