LINUX.ORG.RU

IKEv1/IPsec between strongSwan and Cisco
Hi all!

I really need help, I have been racking my brains all day. I am new to this and would be glad of any hint. As far as I understand, my Quick Mode proposal (ESP) does not match, but I have not managed to fix it.

MY SIDE:

System: PRETTY_NAME="Raspbian GNU/Linux 10 (buster)" NAME="Raspbian GNU/Linux" VERSION_ID="10" VERSION="10 (buster)"

Linux strongSwan U5.7.2/K4.19.75-v7+

ipsec statusall:

Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.75-v7+, armv7l):
uptime: 48 minutes, since Jan 27 09:23:42 2020
malloc: sbrk 1220608, mmap 0, used 310000, free 910608
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Listening IP addresses:
192.168.0.150
Connections:
cisco: %any...194.24.131.1 IKEv1
cisco: local: [178.115.235.78] uses pre-shared key authentication
cisco: remote: [194.24.131.1] uses pre-shared key authentication
cisco: child: 0.0.0.0/0 === 10.0.0.0/19 TUNNEL
Security Associations (1 up, 0 connecting):
cisco1: ESTABLISHED 48 minutes ago, 192.168.0.150[178.115.235.78]...194.24.131.1[194.24.131.1]
cisco1: IKEv1 SPIs: 0b8b43d67511a785_i* ed782263d9e58bb4_r, pre-shared key reauthentication in 22 hours
cisco1: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536  


ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file
config setup
        charondebug="all"
#def    nat_traversal=yes
conn %default
        ikelifetime=86400s
        keylife=3600s
        keyexchange=ikev1
        authby=secret
conn cisco
#def    left=%defaultroute
        leftid=178.115.235.78
        left=%any
#in_IP  left=192.168.0.150
        leftsubnet=0.0.0.0/0
        leftfirewall=yes
        rightid=194.24.131.1
        right=194.24.131.1
        rightsubnet=10.0.0.0/19
        auto=start
        ike=aes256-sha-modp1536
        esp=aes256-sha256
#       esp=aes256-sha1
        aggressive=no
        keyingtries=%forever 

ipsec.secrets:
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
#source(aviloo)destination(DREI) 
178.115.235.78 194.24.131.1 : PSK "*******************"
include /var/lib/strongswan/ipsec.secrets.inc 


iptables.rules:

# Generated by xtables-save v1.8.2 on Wed Jan 15 16:00:14 2020
*filter
:INPUT ACCEPT [747:118834]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3412:466286]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -s 178.115.235.78/32 -d 172.19.254.89/32 -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2202 -j ACCEPT
-A INPUT -d 192.168.0.150/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p ah -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -i eth0 -m iprange --src-range 192.168.0.1-192.168.1.254 --dst-range 10.0.0.1-10.0.31.254 -j A$
-A INPUT -i eth0 -m iprange --src-range 128.0.0.1-255.255.255.254 --dst-range 10.0.0.1-10.0.31.254 -j A$
-A INPUT -i eth0 -m iprange --src-range 64.0.0.1-127.255.255.254 --dst-range 10.0.0.1-10.0.31.254 -j AC$
-A INPUT -i eth0 -m iprange --src-range 32.0.0.1-63.255.255.254 --dst-range 10.0.0.1-10.0.31.254 -j ACC$
-A INPUT -i eth0 -m iprange --src-range 16.0.0.1-31.255.255.254 --dst-range 10.0.0.1-10.0.31.254 -j ACC$
-A INPUT -i eth0 -m iprange --src-range 8.0.0.1-15.255.255.254 --dst-range 10.0.0.1-10.0.31.254 -j ACCE$
-A INPUT -i eth0 -m iprange --src-range 4.0.0.1-7.255.255.254 --dst-range 10.0.0.1-10.0.31.254 -j ACCEPT
-A INPUT -i eth0 -m iprange --src-range 2.0.0.1-3.255.255.254 --dst-range 10.0.0.1-10.0.31.254 -j ACCEPT
-A INPUT -i eth0 -m iprange --src-range 1.0.0.1-1.255.255.254 --dst-range 10.0.0.1-10.0.31.254 -j ACCEPT
-A INPUT -i eth0 -m iprange --src-range 192.168.0.1-192.168.1.254 --dst-range 10.0.0.1-10.0.31.254 -j A$
-A INPUT -p tcp -m tcp --dport 500 -j ACCEPT
-A INPUT -d 192.168.0.150/32 -i eth0 -p tcp -m tcp --dport 500 -j ACCEPT
-A FORWARD -s 10.0.0.0/19 -d 32.0.0.0/3 -i eth0 -m policy --dir in --pol ipsec --reqid 30 --proto esp -$
-A FORWARD -s 32.0.0.0/3 -d 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec --reqid 30 --proto esp $
-A FORWARD -s 10.0.0.0/19 -d 16.0.0.0/4 -i eth0 -m policy --dir in --pol ipsec --reqid 29 --proto esp -$
-A FORWARD -s 16.0.0.0/4 -d 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec --reqid 29 --proto esp $
-A FORWARD -s 10.0.0.0/19 -d 64.0.0.0/2 -i eth0 -m policy --dir in --pol ipsec --reqid 28 --proto esp -$
-A FORWARD -s 64.0.0.0/2 -d 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec --reqid 28 --proto esp $
-A FORWARD -s 10.0.0.0/19 -d 8.0.0.0/5 -i eth0 -m policy --dir in --pol ipsec --reqid 27 --proto esp -j$
-A FORWARD -s 8.0.0.0/5 -d 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec --reqid 27 --proto esp -$
-A FORWARD -s 10.0.0.0/19 -d 128.0.0.0/1 -i eth0 -m policy --dir in --pol ipsec --reqid 26 --proto esp $
-A FORWARD -s 128.0.0.0/1 -d 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec --reqid 26 --proto esp$
-A FORWARD -s 10.0.0.0/19 -d 1.0.0.0/8 -i eth0 -m policy --dir in --pol ipsec --reqid 25 --proto esp -j$
-A FORWARD -s 1.0.0.0/8 -d 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec --reqid 25 --proto esp -$
-A FORWARD -s 4.0.0.0/6 -d 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec --reqid 27 --proto esp -$
-A FORWARD -s 10.0.0.0/19 -d 4.0.0.0/6 -i eth0 -m policy --dir in --pol ipsec --reqid 27 --proto esp -j$
-A FORWARD -s 2.0.0.0/7 -d 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec --reqid 27 --proto esp -$
-A FORWARD -s 10.0.0.0/19 -d 2.0.0.0/7 -i eth0 -m policy --dir in --pol ipsec --reqid 27 --proto esp -j$
-A OUTPUT -d 192.168.0.150/32 -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2202 -j ACCEPT
-A OUTPUT -o eth0 -p esp -j ACCEPT
-A OUTPUT -o eth0 -p ah -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2202 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 500 -j ACCEPT
COMMIT
# Completed on Wed Jan 15 16:00:14 2020
# Generated by xtables-save v1.8.2 on Wed Jan 15 16:00:14 2020
*nat
:PREROUTING ACCEPT [277:44431]
:INPUT ACCEPT [276:44218]
:POSTROUTING ACCEPT [54:4615]
:OUTPUT ACCEPT [54:4615]
-A POSTROUTING -s 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.0.0/19 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/19 -j MASQUERADE
COMMIT
# Completed on Wed Jan 15 16:00:14 2020 


logs:

Jan 27 09:23:42 raspberrypi charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.75-v7+, armv7l)
Jan 27 09:23:42 raspberrypi charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 27 09:23:42 raspberrypi charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 27 09:23:42 raspberrypi charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 27 09:23:42 raspberrypi charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 27 09:23:42 raspberrypi charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 27 09:23:42 raspberrypi charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 27 09:23:42 raspberrypi charon: 00[CFG]   loaded IKE secret for 178.115.235.78 194.24.131.1
Jan 27 09:23:42 raspberrypi charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Jan 27 09:23:42 raspberrypi charon: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Jan 27 09:23:42 raspberrypi charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jan 27 09:23:42 raspberrypi charon: 00[JOB] spawning 16 worker threads
Jan 27 09:23:42 raspberrypi charon: 05[CFG] received stroke: add connection 'cisco'
Jan 27 09:23:42 raspberrypi charon: 05[CFG] added configuration 'cisco'
Jan 27 09:23:42 raspberrypi charon: 07[CFG] received stroke: initiate 'cisco'
Jan 27 09:23:42 raspberrypi charon: 07[IKE] initiating Main Mode IKE_SA cisco[1] to 194.24.131.1
Jan 27 09:23:42 raspberrypi charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Jan 27 09:23:42 raspberrypi charon: 07[NET] sending packet: from 192.168.0.150[500] to 194.24.131.1[500] (252 bytes)
Jan 27 09:23:42 raspberrypi charon: 08[NET] received packet: from 194.24.131.1[500] to 192.168.0.150[500] (108 bytes)
Jan 27 09:23:42 raspberrypi charon: 08[ENC] parsed ID_PROT response 0 [ SA V ]
Jan 27 09:23:42 raspberrypi charon: 08[IKE] received NAT-T (RFC 3947) vendor ID
Jan 27 09:23:42 raspberrypi charon: 08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Jan 27 09:23:42 raspberrypi charon: 08[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 27 09:23:42 raspberrypi charon: 08[NET] sending packet: from 192.168.0.150[500] to 194.24.131.1[500] (308 bytes)
Jan 27 09:23:42 raspberrypi charon: 09[NET] received packet: from 194.24.131.1[500] to 192.168.0.150[500] (368 bytes)
Jan 27 09:23:42 raspberrypi charon: 09[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Jan 27 09:23:42 raspberrypi charon: 09[IKE] received Cisco Unity vendor ID
Jan 27 09:23:42 raspberrypi charon: 09[IKE] received DPD vendor ID
Jan 27 09:23:42 raspberrypi charon: 09[ENC] received unknown vendor ID: 18:bf:85:7e:d9:e4:8b:b4:28:b8:89:6b:0a:9e:9e:08
Jan 27 09:23:42 raspberrypi charon: 09[IKE] received XAuth vendor ID
Jan 27 09:23:42 raspberrypi charon: 09[IKE] local host is behind NAT, sending keep alives
Jan 27 09:23:42 raspberrypi charon: 09[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jan 27 09:23:42 raspberrypi charon: 09[NET] sending packet: from 192.168.0.150[4500] to 194.24.131.1[4500] (108 bytes)
Jan 27 09:23:42 raspberrypi charon: 10[NET] received packet: from 194.24.131.1[4500] to 192.168.0.150[4500] (92 bytes)
Jan 27 09:23:42 raspberrypi charon: 10[ENC] invalid HASH_V1 payload length, decryption failed?
Jan 27 09:23:42 raspberrypi charon: 10[ENC] could not decrypt payloads
Jan 27 09:23:42 raspberrypi charon: 10[IKE] message parsing failed
Jan 27 09:23:42 raspberrypi charon: 10[IKE] ignore malformed INFORMATIONAL request
Jan 27 09:23:42 raspberrypi charon: 10[IKE] INFORMATIONAL_V1 request with message ID 2310710256 processing failed
Jan 27 09:23:42 raspberrypi charon: 10[NET] received packet: from 194.24.131.1[4500] to 192.168.0.150[4500] (76 bytes)
Jan 27 09:23:42 raspberrypi charon: 10[ENC] parsed ID_PROT response 0 [ ID HASH ]
Jan 27 09:23:42 raspberrypi charon: 10[IKE] IKE_SA cisco[1] established between 192.168.0.150[178.115.235.78]...194.24.131.1[194.24.131.1]
Jan 27 09:23:42 raspberrypi charon: 10[IKE] scheduling reauthentication in 85473s
Jan 27 09:23:42 raspberrypi charon: 10[IKE] maximum IKE_SA lifetime 86013s
Jan 27 09:23:42 raspberrypi charon: 10[ENC] generating QUICK_MODE request 2270601801 [ HASH SA No ID ID ]
Jan 27 09:23:42 raspberrypi charon: 10[NET] sending packet: from 192.168.0.150[4500] to 194.24.131.1[4500] (204 bytes)
Jan 27 09:23:42 raspberrypi charon: 12[NET] received packet: from 194.24.131.1[4500] to 192.168.0.150[4500] (92 bytes)
Jan 27 09:23:42 raspberrypi charon: 12[ENC] parsed INFORMATIONAL_V1 request 3838561195 [ HASH N(NO_PROP) ]
Jan 27 09:23:42 raspberrypi charon: 12[IKE] received NO_PROPOSAL_CHOSEN error notify
Jan 27 09:23:43 raspberrypi kernel: [ 2726.966443] rpi_firmware_get_throttled: 3 callbacks suppressed
Jan 27 09:23:43 raspberrypi kernel: [ 2726.966450] Under-voltage detected! (0x00050005)
Jan 27 09:23:49 raspberrypi kernel: [ 2733.206531] rpi_firmware_get_throttled: 3 callbacks suppressed
Jan 27 09:23:49 raspberrypi kernel: [ 2733.206538] Voltage normalised (0x00000000)
Jan 27 09:24:06 raspberrypi charon: 06[IKE] sending keep alive to 194.24.131.1[4500]
Jan 27 09:24:26 raspberrypi charon: 07[IKE] sending keep alive to 194.24.131.1[4500] 



MY SIDE:

! policy1
crypto isakmp policy 152
 encr aes 256
 hash sha
 group 5
 lifetime 86400
!
! policy2
crypto ipsec transform-set TS-AES-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto keyring C-AVILOO
  pre-shared-key address 178.115.235.78 key *****************
!
crypto map vpn 89 ipsec-isakmp
 set peer 178.115.235.78
 set transform-set TS-AES-SHA256
 set isakmp-profile C-AVILOO
 match address C-AVILOO
 reverse-route static
!
ip access-list extended C-AVILOO
 permit ip host 172.19.254.89 host 178.115.131.146
 permit ip 10.0.0.0 0.0.31.255 128.0.0.0 127.255.255.255
 permit ip 10.0.0.0 0.0.31.255 64.0.0.0 63.255.255.255
 permit ip 10.0.0.0 0.0.31.255 32.0.0.0 31.255.255.255
 permit ip 10.0.0.0 0.0.31.255 16.0.0.0 15.255.255.255
 permit ip 10.0.0.0 0.0.31.255 8.0.0.0 7.255.255.255
 permit ip 10.0.0.0 0.0.31.255 4.0.0.0 3.255.255.255
 permit ip 10.0.0.0 0.0.31.255 2.0.0.0 1.255.255.255
 permit ip 10.0.0.0 0.0.31.255 1.0.0.0 0.255.255.255
!
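The NO_PROPOSAL_CHOSEN notify that the posted log ends on is sent by an IOS responder in Quick Mode for two distinct reasons: no transform-set in the crypto map matches the ESP proposal, or the proxy identities strongSwan offers (leftsubnet/rightsubnet) are not acceptable against the crypto ACL. Here, as an added example that is not code from the original post, is a script that runs both checks over the ACL, transform-set and subnets posted above, embedded as constants. The wildcard-to-prefix conversion and the strongSwan esp= names are standard; the keyword table covers the transform-set keywords in this thread plus the common DES/3DES/SHA variants, and it assumes a crypto map without `set pfs`, as posted.

```python
"""Check what strongSwan proposes in IKEv1 Quick Mode against a Cisco crypto map.

Added example, not code from the original post. An IOS responder sends NO_PROPOSAL_CHOSEN
in Quick Mode when no transform-set matches the ESP proposal, and also when the proposed
proxy identities (traffic selectors) are not acceptable against the crypto ACL.
"""
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Pair = Tuple[Net, Net]  # Cisco view: (source, destination); strongSwan view: (local, remote)
# Cisco side as posted in the thread: local LAN 10.0.0.0/19, remote side split into eight blocks.
CISCO_ACL = """\
ip access-list extended C-AVILOO
 permit ip host 172.19.254.89 host 178.115.131.146
 permit ip 10.0.0.0 0.0.31.255 128.0.0.0 127.255.255.255
 permit ip 10.0.0.0 0.0.31.255 64.0.0.0 63.255.255.255
 permit ip 10.0.0.0 0.0.31.255 32.0.0.0 31.255.255.255
 permit ip 10.0.0.0 0.0.31.255 16.0.0.0 15.255.255.255
 permit ip 10.0.0.0 0.0.31.255 8.0.0.0 7.255.255.255
 permit ip 10.0.0.0 0.0.31.255 4.0.0.0 3.255.255.255
 permit ip 10.0.0.0 0.0.31.255 2.0.0.0 1.255.255.255
 permit ip 10.0.0.0 0.0.31.255 1.0.0.0 0.255.255.255
"""
CISCO_TRANSFORM_SET = "crypto ipsec transform-set TS-AES-SHA256 esp-aes 256 esp-sha256-hmac"
LEFTSUBNET, RIGHTSUBNET = "0.0.0.0/0", "10.0.0.0/19"  # strongSwan side as posted
# Cisco transform-set keywords and the strongSwan esp= algorithm names they correspond to.
_CISCO_ESP = {"esp-aes": "aes128", "esp-aes 128": "aes128", "esp-aes 192": "aes192",
              "esp-aes 256": "aes256", "esp-3des": "3des", "esp-des": "des", "esp-md5-hmac": "md5",
              "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256", "esp-sha384-hmac": "sha384",
              "esp-sha512-hmac": "sha512"}

def transform_set_to_esp(transform_set: str) -> str:
    """'... esp-aes 256 esp-sha256-hmac' -> 'aes256-sha256' (no PFS group: the crypto map sets none)."""
    tokens = transform_set.split()
    if "transform-set" in tokens:  # skip 'crypto ipsec transform-set NAME'
        tokens = tokens[tokens.index("transform-set") + 2:]
    parts, i = [], 0
    while i < len(tokens):
        key = tokens[i]
        if i + 1 < len(tokens) and tokens[i + 1].isdigit():  # 'esp-aes 256' is one keyword
            key, i = key + " " + tokens[i + 1], i + 1
        parts.append(_CISCO_ESP[key])
        i += 1
    return "-".join(parts)

def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """Cisco wildcard masks are inverted netmasks: 0.0.31.255 -> /19."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return Net((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def _operand(tokens: List[str], i: int) -> Tuple[Net, int]:
    """Parse 'any', 'host A' or 'A WILDCARD' at tokens[i]; return the network and the next index."""
    if tokens[i] == "any":
        return Net("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return Net(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2

def parse_crypto_acl(text: str) -> List[Pair]:
    """Return the (src, dst) pair of every 'permit ip' entry; other lines are ignored."""
    pairs = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) >= 4 and tokens[:2] == ["permit", "ip"]:
            src, i = _operand(tokens, 2)
            dst, _ = _operand(tokens, i)
            pairs.append((src, dst))
    return pairs

def strongswan_pairs(leftsubnet: str, rightsubnet: str) -> List[Pair]:
    """Every left/right combination is one Quick Mode proposal (one IKEv1 CHILD_SA each)."""
    lefts = [Net(s.strip()) for s in leftsubnet.split(",")]
    rights = [Net(s.strip()) for s in rightsubnet.split(",")]
    return [(left, right) for left in lefts for right in rights]

def classify(pair: Pair, acl: List[Pair]) -> str:
    """Mirror a strongSwan (local, remote) pair into Cisco (src, dst) terms: 'exact', 'subset' or 'none'."""
    local, remote = pair
    if any(src == remote and dst == local for src, dst in acl):
        return "exact"
    if any(remote.subnet_of(src) and local.subnet_of(dst) for src, dst in acl):
        return "subset"
    return "none"

def uncovered_destinations(acl: List[Pair], local: str) -> List[str]:
    """Remote address space reached by no ACE whose source is `local` (complement of their union)."""
    remaining = [Net("0.0.0.0/0")]
    for dst in (d for s, d in acl if s == Net(local)):
        nxt = []
        for net in remaining:
            if net.subnet_of(dst):  # fully covered by this ACE: drop it
                continue
            nxt.extend(net.address_exclude(dst) if dst.subnet_of(net) else [net])  # carve out, or keep
        remaining = nxt
    return [str(n) for n in sorted(remaining)]

if __name__ == "__main__":
    acl = parse_crypto_acl(CISCO_ACL)
    print("Cisco ESP transform as strongSwan esp= string:", transform_set_to_esp(CISCO_TRANSFORM_SET))
    for pair in strongswan_pairs(LEFTSUBNET, RIGHTSUBNET):
        print(f"proxy IDs {pair[0]} <-> {pair[1]}: {classify(pair, acl)} match in the crypto ACL")
    print("not reachable through any ACE:", uncovered_destinations(acl, RIGHTSUBNET))
```

Run as-is it reports that TS-AES-SHA256 is the same ESP proposal as esp=aes256-sha256, but that the single pair 0.0.0.0/0 <-> 10.0.0.0/19 matches no ACE at all: the ACL reaches everything except 0.0.0.0/8 through eight separate entries. Since strongSwan negotiates one IKEv1 CHILD_SA per subnet pair, listing the same eight networks comma-separated in leftsubnet= makes each Quick Mode exchange match one ACE exactly; the per-subnet FORWARD rules with reqid 25 to 30 in the posted iptables dump are the kind of rules leftfirewall=yes installs for such split CHILD_SAs.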
 

In reply to: comment by victorb

The keys are identical. It is not the PSK. Here is where the problem is:

Jan 27 09:23:42 raspberrypi charon: 10[ENC] generating QUICK_MODE request 2270601801 [ HASH SA No ID ID ]
Jan 27 09:23:42 raspberrypi charon: 10[NET] sending packet: from 192.168.0.150[4500] to 194.24.131.1[4500] (204 bytes)
Jan 27 09:23:42 raspberrypi charon: 12[NET] received packet: from 194.24.131.1[4500] to 192.168.0.150[4500] (92 bytes)
Jan 27 09:23:42 raspberrypi charon: 12[ENC] parsed INFORMATIONAL_V1 request 3838561195 [ HASH N(NO_PROP) ]
Jan 27 09:23:42 raspberrypi charon: 12[IKE] received NO_PROPOSAL_CHOSEN error notify
Maxee ()
In reply to: comment by victorb

On the Cisco side, something like this:

crypto ipsec profile ikev2_prof
 set security-association lifetime days 1
 set transform-set DES_MD5 
 set ikev2-profile XX
interface Tunnel316
 ip address x.x.x.x 255.255.255.252
 ip ospf cost 500
 tunnel source 192.168.0.150
 tunnel mode ipsec ipv4
 tunnel destination 194.24.131.1
 tunnel protection ipsec profile ikev2_prof

victorb ★★ ()

In your QM:

received NO_PROPOSAL_CHOSEN error notify

Adjust the tunnel parameters.

arto ★★ ()
In reply to: comment by victorb

Are you on IKEv1 or v2? Your message says profile ikev2_prof, but ipsec.conf says ikev1.

ValdikSS ★★★★★ ()
In reply to: comment by Maxee
crypto isakmp policy 20
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key xxxxxxx address xx.xx.xx.xx
crypto isakmp aggressive-mode disable
crypto ipsec transform-set DES_SHA esp-3des esp-md5-hmac 
 mode tunnel
crypto ipsec profile VTI
 set transform-set DES_SHA
interface Tunnel126
 ip address x.x.x.x 255.255.255.252
 tunnel source GigabitEthernet0
 tunnel mode ipsec ipv4
 tunnel destination xx.xx.xx.xx
 tunnel protection ipsec profile VTI
victorb ★★ ()

In your ipsec.secrets the password is specified for 178.115.235.78, but the connection goes out from 192.168.0.150, so strongswan cannot find the correct PSK. Set

%any 194.24.131.1 : PSK "*******************"
korsar182 ()
In reply to: comment by korsar182

Thanks for the reply. Unfortunately it still does not work…

Feb 6 08:40:53 raspberrypi charon: 11[ENC] parsed INFORMATIONAL_V1 request 666542977 [ HASH N(NO_PROP) ]
Feb 6 08:40:53 raspberrypi charon: 11[IKE] received NO_PROPOSAL_CHOSEN error notify

Maxee ()
In reply to: comment by Maxee

I changed ipsec.conf a bit:

conn cisco
    keyexchange=ikev1
    left=178.115.235.78
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    rightid=194.24.131.1
    right=194.24.131.1
    rightsubnet=10.0.0.0/19
    auto=start
    ike=3des-md5-modp1024
    esp=aes256-sha1!

And now:

Feb 6 08:45:36 raspberrypi charon: 07[IKE] sending retransmit 2 of request message ID 0, seq 1
Feb 6 08:45:36 raspberrypi charon: 07[NET] sending packet: from 178.115.235.78[500] to 194.24.131.1[500] (248 bytes)
Feb 6 08:45:36 raspberrypi charon: 04[NET] error writing to socket: Network is unreachable

Connections:
cisco: 178.115.235.78...194.24.131.1 IKEv1
cisco: local: [178.115.235.78] uses pre-shared key authentication
cisco: remote: [194.24.131.1] uses pre-shared key authentication
cisco: child: 0.0.0.0/0 === 10.0.0.0/19 TUNNEL
Security Associations (0 up, 1 connecting):
cisco[1]: CONNECTING, 178.115.235.78[%any]...194.24.131.1[%any]
cisco[1]: IKEv1 SPIs: 2426c7183fa62472_i* 0000000000000000_r
cisco[1]: Tasks queued: QUICK_MODE
cisco[1]: Tasks active: ISAKMP_VENDOR ISAKMP_CERT_PRE MAIN_MODE ISAKMP_CERT_POST ISAKMP_NATD

Maxee ()
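Every reply above works by reading the charon log for the phase in which the exchange stopped: the first post's log reaches "IKE_SA cisco[1] established" and is then refused in Quick Mode, while the last one never gets past retransmits of message ID 0 and ends in a socket error once left= was changed to the public address. The script below is an added example, not code from the thread, that automates that triage over constructed excerpts of the logs quoted above. Two extra patterns, "no shared key found" and "no IKE config found", are charon's own messages for a failed PSK lookup and a missing peer configuration; neither appears in this thread.

```python
"""Triage a strongSwan (charon) IKEv1 log and report the phase in which negotiation failed.

Added example, not code from the original thread. It keys on charon log messages that
appear in the thread plus two well-known ones ("no shared key found", "no IKE config
found") and classifies the failure as socket/routing, Main Mode (phase 1) or Quick Mode
(phase 2). The two inputs below are constructed excerpts of the logs posted in the thread.
"""
import re
from typing import Dict, List

# Excerpt of the first post: phase 1 completes, phase 2 is refused by the peer.
LOG_FIRST_POST = """\
Jan 27 09:23:42 raspberrypi charon: 09[IKE] local host is behind NAT, sending keep alives
Jan 27 09:23:42 raspberrypi charon: 10[ENC] invalid HASH_V1 payload length, decryption failed?
Jan 27 09:23:42 raspberrypi charon: 10[IKE] IKE_SA cisco[1] established between 192.168.0.150[178.115.235.78]...194.24.131.1[194.24.131.1]
Jan 27 09:23:42 raspberrypi charon: 10[ENC] generating QUICK_MODE request 2270601801 [ HASH SA No ID ID ]
Jan 27 09:23:42 raspberrypi charon: 12[ENC] parsed INFORMATIONAL_V1 request 3838561195 [ HASH N(NO_PROP) ]
Jan 27 09:23:42 raspberrypi charon: 12[IKE] received NO_PROPOSAL_CHOSEN error notify
"""
# Excerpt of the last post, after left= was changed to the public address.
LOG_LAST_POST = """\
Feb 6 08:45:36 raspberrypi charon: 07[IKE] sending retransmit 2 of request message ID 0, seq 1
Feb 6 08:45:36 raspberrypi charon: 07[NET] sending packet: from 178.115.235.78[500] to 194.24.131.1[500] (248 bytes)
Feb 6 08:45:36 raspberrypi charon: 04[NET] error writing to socket: Network is unreachable
"""

def triage(lines: List[str]) -> Dict[str, object]:
    """Scan charon log lines in order and return the failing phase plus the facts behind it."""
    established = socket_error = no_proposal = no_psk = no_config = False
    retransmits = 0
    notes: List[str] = []
    for line in lines:
        if re.search(r"IKE_SA \S+ established", line):
            established = True
        elif "error writing to socket" in line:
            socket_error = True
        elif "received NO_PROPOSAL_CHOSEN error notify" in line:
            no_proposal = True
        elif "no shared key found" in line:
            no_psk = True
        elif "no IKE config found" in line:
            no_config = True
        elif "local host is behind NAT" in line:
            notes.append("NAT detected: IKE moves to UDP/4500 and the peer sees the NAT's public "
                         "address, so leftid= normally has to be the identity the peer expects")
        elif "invalid HASH_V1 payload length" in line:
            notes.append("an INFORMATIONAL from the peer could not be decrypted; "
                         "harmless if the IKE_SA still comes up afterwards")
        m = re.search(r"sending retransmit (\d+) of request", line)
        if m:  # highest retransmit counter seen; a reply would have reset it
            retransmits = max(retransmits, int(m.group(1)))

    # Precedence: a socket error prevents anything else, then phase 2, then phase 1 problems.
    if socket_error:
        phase, finding = "socket", ("charon cannot send from the configured source address; behind NAT "
                                   "left= must be the host's own (private) address or %any, with leftid= "
                                   "carrying the public identity")
    elif no_proposal and established:
        phase, finding = "quick_mode", ("responder refused the phase 2 proposal: compare esp= with the "
                                       "transform-set, and leftsubnet/rightsubnet with the crypto ACL "
                                       "(proxy IDs)")
    elif no_proposal or no_config:
        phase, finding = "main_mode", ("no acceptable phase 1 policy (ike= vs isakmp policy) or no "
                                      "peer configuration matching the addresses/identities")
    elif no_psk:
        phase, finding = "main_mode", "no PSK matches the IKE identities; check the selectors in ipsec.secrets"
    elif retransmits and not established:
        phase, finding = "main_mode", "no reply from the peer on UDP/500: check reachability and the peer address"
    else:
        phase, finding = ("ok" if established else "unknown"), ""
    return {"phase": phase, "finding": finding, "ike_sa_established": established,
            "retransmits": retransmits, "notes": notes}

if __name__ == "__main__":
    for name, log in (("first post", LOG_FIRST_POST), ("last post", LOG_LAST_POST)):
        r = triage(log.splitlines())
        print(f"{name}: phase={r['phase']} established={r['ike_sa_established']} "
              f"retransmits={r['retransmits']}")
        print(f"  {r['finding']}")
        for note in r["notes"]:
            print(f"  note: {note}")
```

Feed it `journalctl -u strongswan` or the charon lines from syslog; the order of the lines matters, since NO_PROPOSAL_CHOSEN before "IKE_SA ... established" is a phase 1 policy mismatch and after it a Quick Mode one, which is exactly the distinction the thread turns on.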