我们需要访问位于客户端的几台 Linux 机器。我们需要访问客户端机器的 Linux 机器位于云上。
要建立的连接是站点到站点 VPN。
在重新启动 ipsec service thru' 命令sudo service ipsec restart
时,连接以收到的错误结束 Hash Payload does not match computed value
不过,我们已经重新验证了它ipsec.secrets
具有正确的密钥,因为它是由客户端共享的。此外,在运行命令sudo ipsec auto --up vpn
时,cli 会挂起。
作为网络中的蹒跚学步的孩子,我正在分享我认为可能与错误有关的大部分输出。如果需要更多信息,请告诉我。
以下信息共享如下:
- ipsec 服务重启的输出
/var/log/secure
ipsec服务启动时完成登录- 配置在
ipsec.conf
- 配置在
ipsec.secrets
- 的输出
ipsec.verify
- 的输出
ifconfig
- 客户和我们共享的记录 VPN 信息
ipsec 服务重启的输出
[root@gbox-1 ~]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.32...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
/var/log/secure
ipsec服务启动时完成登录
[root@gbox-1 log]# tail -f secure
Jul 31 23:43:24 gbox-1 sshd[3005]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down
Jul 31 23:43:38 gbox-1 pluto[32279]: forgetting secrets
Jul 31 23:43:38 gbox-1 pluto[32279]: "vpn": deleting connection
Jul 31 23:43:38 gbox-1 pluto[32279]: "vpn" #1: deleting state (STATE_AGGR_I1)
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface lo/lo ::1:500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth0/eth0 2001:4800:780e:510:acf:6c9b:ffd8:94cd:500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface lo/lo 127.0.0.1:4500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface lo/lo 127.0.0.1:500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth0/eth0 50.55.153.121:4500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth0/eth0 50.55.153.121:500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth1/eth1 10.180.3.132:4500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth1/eth1 10.180.3.132:500
Jul 31 23:43:40 gbox-1 ipsec__plutorun: Starting Pluto subsystem...
Jul 31 23:43:40 gbox-1 pluto[3352]: nss directory plutomain: /etc/ipsec.d
Jul 31 23:43:40 gbox-1 pluto[3352]: NSS Initialized
Jul 31 23:43:40 gbox-1 pluto[3352]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Jul 31 23:43:40 gbox-1 pluto[3352]: FIPS: not a FIPS product
Jul 31 23:43:40 gbox-1 pluto[3352]: FIPS HMAC integrity verification test passed
Jul 31 23:43:40 gbox-1 pluto[3352]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:3352
Jul 31 23:43:40 gbox-1 pluto[3352]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Jul 31 23:43:40 gbox-1 pluto[3352]: LEAK_DETECTIVE support [disabled]
Jul 31 23:43:40 gbox-1 pluto[3352]: OCF support for IKE [disabled]
Jul 31 23:43:40 gbox-1 pluto[3352]: SAref support [disabled]: Protocol not available
Jul 31 23:43:40 gbox-1 pluto[3352]: SAbind support [disabled]: Protocol not available
Jul 31 23:43:40 gbox-1 pluto[3352]: NSS support [enabled]
Jul 31 23:43:40 gbox-1 pluto[3352]: HAVE_STATSD notification support not compiled in
Jul 31 23:43:40 gbox-1 pluto[3352]: Setting NAT-Traversal port-4500 floating to on
Jul 31 23:43:40 gbox-1 pluto[3352]: port floating activation criteria nat_t=1/port_float=1
Jul 31 23:43:40 gbox-1 pluto[3352]: NAT-Traversal support [enabled]
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: starting up 1 cryptographic helpers
Jul 31 23:43:40 gbox-1 pluto[3352]: started helper (thread) pid=140162780645120 (fd:8)
Jul 31 23:43:40 gbox-1 pluto[3352]: Kernel interface auto-pick
Jul 31 23:43:40 gbox-1 pluto[3352]: Using Linux 2.6 IPsec interface code on 2.6.32-431.11.2.el6.x86_64 (experimental code)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jul 31 23:43:40 gbox-1 pluto[3352]: Could not change to directory '/etc/ipsec.d/cacerts': /
Jul 31 23:43:40 gbox-1 pluto[3352]: Could not change to directory '/etc/ipsec.d/aacerts': /
Jul 31 23:43:40 gbox-1 pluto[3352]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Jul 31 23:43:40 gbox-1 pluto[3352]: Could not change to directory '/etc/ipsec.d/crls'
Jul 31 23:43:40 gbox-1 pluto[3352]: | selinux support is NOT enabled.
Jul 31 23:43:40 gbox-1 pluto[3352]: added connection description "vpn"
Jul 31 23:43:40 gbox-1 pluto[3352]: listening for IKE messages
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth1/eth1 10.180.3.132:500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth1/eth1 10.180.3.132:4500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth0/eth0 50.55.153.121:500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth0/eth0 50.55.153.121:4500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface lo/lo 127.0.0.1:500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface lo/lo 127.0.0.1:4500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth0/eth0 2001:4800:780e:510:acf:6c9b:ffd8:94cd:500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface lo/lo ::1:500
Jul 31 23:43:40 gbox-1 pluto[3352]: loading secrets from "/etc/ipsec.secrets"
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: initiating Aggressive Mode #1, connection "vpn"
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: received Vendor ID payload [Cisco-Unity]
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: received Vendor ID payload [XAUTH]
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: received Vendor ID payload [Dead Peer Detection]
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '41.78.1.143'
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: received Hash Payload does not match computed value
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: sending notification INVALID_HASH_INFORMATION to 41.78.1.143:500
Jul 31 23:43:48 gbox-1 pluto[3352]: "vpn" #1: discarding duplicate packet; already STATE_AGGR_I1
Jul 31 23:43:56 gbox-1 pluto[3352]: "vpn" #1: discarding duplicate packet; already STATE_AGGR_I1
Jul 31 23:44:04 gbox-1 pluto[3352]: "vpn" #1: discarding duplicate packet; already STATE_AGGR_I1
Jul 31 23:44:12 gbox-1 pluto[3352]: "vpn" #1: encrypted Informational Exchange message is invalid because no key is known
配置在ipsec.conf
version 2.0
config setup
protostack=auto
#netkey
nat_traversal=yes
#forceencaps=yes
#plutodebug=none
conn vpn
type=tunnel
authby=secret
auto=start
pfs=yes
ike=3des-sha1;modp1024!
phase2alg=3des-sha1;
aggrmode=yes
left=50.55.153.121
right=41.78.1.143
leftsubnet=10.180.3.132/255.255.128.0
leftnexthop=50.55.153.121
leftsourceip=10.180.3.132
rightsubnet=172.27.176.125/255.255.255.255
rightnexthop=41.78.1.143
rightsourceip=172.27.176.125
配置在ipsec.secrets
%any %any : PSK "not_the_actual_psk"
的输出ipsec.verify
[root@gbox-1 log]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.32/K2.6.32-431.11.2.el6.x86_64 (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing for disabled ICMP send_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/send_redirects
or NETKEY will cause the sending of bogus ICMP redirects!
NETKEY detected, testing for disabled ICMP accept_redirects [FAILED]
Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
or NETKEY will accept bogus ICMP redirects!
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption DNS checks:
Looking for TXT in forward dns zone: gbox-1 [MISSING]
Does the machine have at least one non-private address? [OK]
Looking for TXT in reverse dns zone: 115.171.52.49.in-addr.arpa. [MISSING]
的输出ifconfig
[root@gbox-1 ~]# ifconfig
eth0 Link encap:Ethernet HWaddr BC:76:4E:04:94:B6
inet addr:50.55.153.121 Bcast:50.55.153.255 Mask:255.255.255.0
inet6 addr: 2001:4800:780e:510:acf:6c9b:ffd8:94cd/64 Scope:Global
inet6 addr: fe80::be76:acf:6c9b:ffd8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5843131 errors:0 dropped:0 overruns:0 frame:0
TX packets:5444379 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1587187725 (1.4 GiB) TX bytes:1356473321 (1.2 GiB)
Interrupt:246
eth1 Link encap:Ethernet HWaddr BC:76:4E:04:CA:EE
inet addr:10.180.3.132 Bcast:10.180.127.255 Mask:255.255.128.0
inet6 addr: fe80::be76:5e32:fd0f:cdae/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:6554243 errors:0 dropped:0 overruns:0 frame:0
TX packets:2800 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:327739177 (312.5 MiB) TX bytes:205160 (200.3 KiB)
Interrupt:245
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:10654186 errors:0 dropped:0 overruns:0 frame:0
TX packets:10654186 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:9532400622 (8.8 GiB) TX bytes:9532400622 (8.8 GiB)
客户和我们共享的记录 VPN 信息
VPN 阶段 1
Property | Client's VAS Device | Our VPN Device
=====================================================================
Encryption Scheme | IKE | IKE
Diffie-Hellman Group | Group 2 | 2
Encryption Algorithm | 3DES | 3DES
Hashing Algorithm | MD5 | SHA-1
Main or Aggressive Mode | Main mode | Main
Lifetime (for renegotiation) | 28800 seconds | 28800
VPN 阶段 2
Property | Client's VAS Device | Our VPN Device
=====================================================================
Encapsulation (ESP or AH) | ESP | ESP
Encryption Algorithm | 3DES | 3DES
Authentication Algorithm | SHA1 | SHA1
Perfect Forward Secrecy | NO PFS | Yes, Group-2
Lifetime (for renegotiation) | 3600 seconds | 3600
Lifesize (for renegotiation) | Not Used |
Key exchange for Subnets | Yes |
网关设备信息
Property | Client's VAS Device | Our VPN Device
=====================================================================
IP Address | 41.78.1.143 | 50.55.153.121
VPN Device Description | Cisco ASA 5510 | OpenSwan
DN Information of VPN Gateway | |
(if using certificates) | NA |
Encryption Domain | 172.27.176.125-126 | 10.180.3.132