I need to switch from the racoon daemon (deprecated) to the new charon daemon of strongSwan. In practice I have about 12 providers, and I can change all the VPNs "at once". I re-created all the configurations by "copying" them from racoon to strongSwan. Only 3 out of 10 failed to connect. For simplicity, only one of them is listed here. Actually, phase 1 connects, but the phase 2 tunnel cannot be established. In some cases (not in this log), or usually at the first start, the tunnel is established and connects, but after a few minutes the tunnel closes and stops working.
racoon.conf (working)
remote 2.2.2.2 {
    my_identifier address 1.1.1.1;
    exchange_mode main;
    nat_traversal off;
    initial_contact on;
    #generate_policy on;
    lifetime time 86400 sec;
    nonce_size 16;
    support_proxy on;
    proposal_check obey; # obey, strict or claim
    proposal {
        encryption_algorithm 'aes 256';
        authentication_method pre_shared_key;
        hash_algorithm sha1;
        dh_group 5;
    }
}
sainfo address 1.1.1.1/32 any address 2.2.2.2/32 any {
    encryption_algorithm 'aes 256';
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 sec;
    pfs_group 5;
}
sainfo address 2.2.2.2/32 any address 1.1.1.1/32 any {
    encryption_algorithm 'aes 256';
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 sec;
    pfs_group 5;
}
sainfo address 172.16.0.0/29 any address 10.1.0.0/19 any {
    encryption_algorithm 'aes 256';
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 sec;
    pfs_group 5;
}
sainfo address 10.1.0.0/19 any address 172.16.0.0/29 any {
    encryption_algorithm 'aes 256';
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
    lifetime time 3600 sec;
    pfs_group 5;
}
ipsec-tools.conf
spdadd 1.1.1.1/32 2.2.2.2/32 any -P out ipsec
esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 2.2.2.2/32 1.1.1.1/32 any -P in ipsec
esp/tunnel/2.2.2.2-1.1.1.1/require;
spdadd 172.16.0.0/29 10.1.0.0/19 any -P out ipsec
esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 10.1.0.0/19 172.16.0.0/29 any -P in ipsec
esp/tunnel/2.2.2.2-1.1.1.1/require;
conn.conf (strongswan)
conn conn
    type=tunnel
    authby=secret
    auto=route
    compress=no
    leftfirewall=yes
    rightfirewall=yes
    rekey=yes
    reauth=no
    mobike=no
    left=1.1.1.1
    leftsourceip=1.1.1.1
    leftsubnet=172.16.0.0/29
    # Clients
    right=2.2.2.2
    rightsubnet=10.1.0.0/19
    # recommended dpd/liveness to cleanup vanished clients
    dpdaction=none
    #dpddelay=30
    #dpdtimeout=120
    aggressive=no
    keyexchange=ikev1
    ike=aes256-sha1-modp1536!
    ikelifetime=24h
    fragmentation=no
    esp=aes256-sha1-modp1536!
    lifetime=1h
ipsec statusall
Connections:
conn: 1.1.1.1...2.2.2.2 IKEv1, dpddelay=30s
conn: local: [1.1.1.1] uses pre-shared key authentication
conn: remote: [2.2.2.2] uses pre-shared key authentication
conn: child: 172.16.0.0/29 === 10.1.0.0/19 TUNNEL, dpdaction=clear
Routed Connections:
conn{1}: ROUTED, TUNNEL, reqid 1
conn{1}: 172.16.0.0/29 === 10.1.0.0/19
Security Associations (1 up, 0 connecting):
conn[3]: ESTABLISHED 11 seconds ago, 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
conn[3]: IKEv1 SPIs: f8b3195f00f2368e_i* 311a423d5e714f05_r, rekeying in 23 hours
conn[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
conn[3]: Tasks queued: QUICK_MODE
conn[3]: Tasks active: MODE_CONFIG
charon log
Dec 3 22:21:31 moon charon: 14[KNL] creating acquire job for policy 1.1.1.10/32[tcp/46993] === 2.2.2.50/32[tcp/1414] with reqid {1}
Dec 3 22:21:31 moon charon: 14[IKE] queueing ISAKMP_VENDOR task
Dec 3 22:21:31 moon charon: 14[IKE] queueing ISAKMP_CERT_PRE task
Dec 3 22:21:31 moon charon: 14[IKE] queueing MAIN_MODE task
Dec 3 22:21:31 moon charon: 14[IKE] queueing ISAKMP_CERT_POST task
Dec 3 22:21:31 moon charon: 14[IKE] queueing ISAKMP_NATD task
Dec 3 22:21:31 moon charon: 14[IKE] queueing QUICK_MODE task
Dec 3 22:21:31 moon charon: 14[IKE] activating new tasks
Dec 3 22:21:31 moon charon: 14[IKE] activating ISAKMP_VENDOR task
Dec 3 22:21:31 moon charon: 14[IKE] activating ISAKMP_CERT_PRE task
Dec 3 22:21:31 moon charon: 14[IKE] activating MAIN_MODE task
Dec 3 22:21:31 moon charon: 14[IKE] activating ISAKMP_CERT_POST task
Dec 3 22:21:31 moon charon: 14[IKE] activating ISAKMP_NATD task
Dec 3 22:21:31 moon charon: 14[IKE] sending XAuth vendor ID
Dec 3 22:21:31 moon charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Dec 3 22:21:31 moon charon: 14[IKE] sending DPD vendor ID
Dec 3 22:21:31 moon charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Dec 3 22:21:31 moon charon: 14[IKE] sending FRAGMENTATION vendor ID
Dec 3 22:21:31 moon charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Dec 3 22:21:31 moon charon: 14[IKE] sending NAT-T (RFC 3947) vendor ID
Dec 3 22:21:31 moon charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Dec 3 22:21:31 moon charon: 14[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 3 22:21:31 moon charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Dec 3 22:21:31 moon charon: 14[IKE] initiating Main Mode IKE_SA conn[2] to 2.2.2.2
Dec 3 22:21:31 moon charon: 14[IKE] IKE_SA conn[2] state change: CREATED => CONNECTING
...
Dec 3 22:21:31 moon charon: 16[IKE] received DPD vendor ID
Dec 3 22:21:31 moon charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
Dec 3 22:21:31 moon charon: 16[ENC] received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00
Dec 3 22:21:31 moon charon: 16[IKE] reinitiating already active tasks
Dec 3 22:21:31 moon charon: 16[IKE] ISAKMP_VENDOR task
Dec 3 22:21:31 moon charon: 16[IKE] MAIN_MODE task
Dec 3 22:21:31 moon charon: 16[ENC] added payload of type KEY_EXCHANGE_V1 to message
Dec 3 22:21:31 moon charon: 16[ENC] added payload of type NONCE_V1 to message
...
Dec 3 22:21:31 moon charon: 16[ENC] added payload of type NAT_D_V1 to message
Dec 3 22:21:31 moon charon: 16[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 3 22:21:31 moon charon: 16[ENC] not encrypting payloads
Dec 3 22:21:31 moon charon: 16[ENC] generating payload of type HEADER
Dec 3 22:21:31 moon charon: 16[ENC] generating rule 0 IKE_SPI
...
Dec 3 22:21:31 moon charon: 06[ENC] parsed ID_PROT response 0 [ ID HASH ]
Dec 3 22:21:31 moon charon: 06[IKE] IKE_SA conn[2] established between 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
Dec 3 22:21:31 moon charon: 06[IKE] IKE_SA conn[2] state change: CONNECTING => ESTABLISHED
Dec 3 22:21:31 moon charon: 06[IKE] scheduling rekeying in 85857s
Dec 3 22:21:31 moon charon: 06[IKE] maximum IKE_SA lifetime 86397s
Dec 3 22:21:31 moon charon: 06[IKE] queueing MODE_CONFIG task
Dec 3 22:21:31 moon charon: 06[IKE] activating new tasks
Dec 3 22:21:31 moon charon: 06[IKE] activating MODE_CONFIG task
Dec 3 22:21:31 moon charon: 06[ENC] added payload of type CONFIGURATION_V1 to message
Dec 3 22:21:31 moon charon: 06[ENC] order payloads in message
Dec 3 22:21:31 moon charon: 06[ENC] added payload of type CONFIGURATION_V1 to message
Dec 3 22:21:31 moon charon: 06[ENC] generating TRANSACTION request 1557479715 [ HASH CPRQ(ADDR DNS) ]
Dec 3 22:21:31 moon charon: 06[ENC] insert payload HASH_V1 into encrypted payload
Dec 3 22:21:31 moon charon: 06[ENC] insert payload CONFIGURATION_V1 into encrypted payload
Dec 3 22:21:31 moon charon: 06[ENC] generating payload of type HEADER
Dec 3 22:21:31 moon charon: 06[ENC] generating rule 0 IKE_SPI
...
Dec 3 22:21:31 moon charon: 08[ENC] parsed content of encrypted payload
Dec 3 22:21:31 moon charon: 08[ENC] insert decrypted payload of type HASH_V1 at end of list
Dec 3 22:21:31 moon charon: 08[ENC] verifying message structure
Dec 3 22:21:31 moon charon: 08[ENC] found payload of type HASH_V1
Dec 3 22:21:31 moon charon: 08[ENC] payload of type CONFIGURATION_V1 not occurred 1 times (0)
Dec 3 22:21:31 moon charon: 08[IKE] **message verification failed**
Dec 3 22:21:31 moon charon: 08[ENC] added payload of type NOTIFY_V1 to message
Dec 3 22:21:31 moon charon: 08[ENC] order payloads in message
Dec 3 22:21:31 moon charon: 08[ENC] added payload of type NOTIFY_V1 to message
Dec 3 22:21:31 moon charon: 08[ENC] generating INFORMATIONAL_V1 request 3329228680 [ HASH N(PLD_MAL) ]
Dec 3 22:21:31 moon charon: 08[ENC] insert payload HASH_V1 into encrypted payload
Dec 3 22:21:31 moon charon: 08[ENC] insert payload NOTIFY_V1 into encrypted payload
...
Dec 3 22:21:31 moon charon: 08[ENC] generating rule 14 SPI
Dec 3 22:21:31 moon charon: 08[ENC] generating rule 15 CHUNK_DATA
Dec 3 22:21:31 moon charon: 08[ENC] generating NOTIFY_V1 payload finished
Dec 3 22:21:31 moon charon: 08[ENC] generated content in encrypted payload
Dec 3 22:21:31 moon charon: 08[ENC] generating payload of type ENCRYPTED_V1
Dec 3 22:21:31 moon charon: 08[ENC] generating rule 0 ENCRYPTED_DATA
Dec 3 22:21:31 moon charon: 08[ENC] generating ENCRYPTED_V1 payload finished
Dec 3 22:21:31 moon charon: 08[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (76 bytes)
Dec 3 22:21:31 moon charon: 08[IKE] TRANSACTION response with message ID 1557479715 processing failed
Dec 3 22:21:35 moon charon: 05[IKE] sending retransmit 1 of request message ID 1557479715, seq 4
Dec 3 22:21:35 moon charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (76 bytes)
Dec 3 22:21:37 moon charon: 03[ENC] parsing header of message
Dec 3 22:21:37 moon charon: 03[ENC] parsing HEADER payload, 248 bytes left
Dec 3 22:21:37 moon charon: 03[ENC] parsing rule 0 IKE_SPI
Dec 3 22:21:37 moon charon: 03[ENC] parsing rule 1 IKE_SPI
Dec 3 22:21:37 moon charon: 03[ENC] parsing rule 2 U_INT_8
...
Dec 3 22:22:19 moon charon: 03[ENC] parsing rule 12 FLAG
Dec 3 22:22:19 moon charon: 03[ENC] parsing rule 13 FLAG
Dec 3 22:22:19 moon charon: 03[ENC] parsing rule 14 U_INT_32
Dec 3 22:22:19 moon charon: 03[ENC] parsing rule 15 HEADER_LENGTH
Dec 3 22:22:19 moon charon: 03[ENC] parsing HEADER payload finished
Dec 3 22:22:19 moon charon: 03[ENC] parsed a ID_PROT message header
Dec 3 22:22:27 moon charon: 00[DMN] signal of type SIGINT received. Shutting down
Dec 3 22:22:27 moon charon: 00[IKE] queueing ISAKMP_DELETE task
Dec 3 22:22:27 moon charon: 00[IKE] activating new tasks
Dec 3 22:22:27 moon charon: 00[IKE] activating ISAKMP_DELETE task
Dec 3 22:22:27 moon charon: 00[IKE] deleting IKE_SA conn[2] between 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
Dec 3 22:22:27 moon charon: 00[ENC] added payload of type DELETE_V1 to message
Dec 3 22:22:27 moon charon: 00[IKE] sending DELETE for IKE_SA conn[2]
Dec 3 22:22:27 moon charon: 00[IKE] IKE_SA conn[2] state change: ESTABLISHED => DELETING
Dec 3 22:22:27 moon charon: 00[ENC] order payloads in message
Dec 3 22:22:27 moon charon: 00[ENC] added payload of type DELETE_V1 to message
Dec 3 22:22:27 moon charon: 00[ENC] generating INFORMATIONAL_V1 request 4291887391 [ HASH D ]
Dec 3 22:22:27 moon charon: 00[ENC] insert payload HASH_V1 into encrypted payload
Dec 3 22:22:27 moon charon: 00[ENC] insert payload DELETE_V1 into encrypted payload
Dec 3 22:22:27 moon charon: 00[ENC] generating payload of type HEADER
Dec 3 22:22:27 moon charon: 00[ENC] generating rule 0 IKE_SPI
**Note the lines "message verification failed" and "TRANSACTION response with message ID 1557479715 processing failed".**
Unfortunately, the console is short on memory, so the SPIs do not match!
The other side is not managed by me. In this case I don't know which router they use (probably a Cisco), and requesting changes is very complicated; in the other two cases I know they use Checkpoint and Zeroshell routers.
Best answer 1
With leftsourceip configured, strongSwan requests a virtual IP address from the responder. This is mostly useful in remote access/roadwarrior scenarios, but not so much for site-to-site connections, which is what the traffic selectors (left|rightsubnet) here suggest (i.e. both are subnets).
For IKEv1, requesting a virtual IP means requesting a Mode Config (TRANSACTION) exchange for configuration attributes (there are actually two modes, but the default is "pull" mode). If the peer does not want these additional exchanges (as here), the connection is not established successfully. So to fix this, just remove/comment out the leftsourceip option.
The actual source IP this host uses inside the tunnel is determined by the negotiated local traffic selector (leftsubnet). If the host has an IP address in one of the negotiated local subnets, strongSwan automatically installs a route in routing table 220 that forces that IP address as the source for traffic to the remote subnet.
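The following Python script is an added example illustrating the answer above; it is my own code, not part of the question, the answer, or strongSwan. It reads an ipsec.conf-style text, flags conns that are site-to-site (a real leftsubnet) yet still request a virtual IP through leftsourceip, scans charon log lines for the Mode Config signature shown in the question (a TRANSACTION request carrying CPRQ whose response fails to process), and emits the corrected conn with leftsourceip commented out. The ipsec.conf text, the log lines and the function names (parse_conns, find_virtual_ip_on_site_to_site, find_failed_modeconfig, comment_out_sourceip) are constructed for this example and modelled on the post; the roadwarrior conn is an assumed second section showing where leftsourceip is legitimate.

```python
"""Lint for the leftsourceip-on-site-to-site misconfiguration (added example,
not strongSwan code). Sample config and log lines are constructed here."""
import re

# Constructed sample: the poster's conn plus an assumed roadwarrior conn.
SAMPLE_IPSEC_CONF = """\
conn conn
    type=tunnel
    authby=secret
    auto=route
    left=1.1.1.1
    leftsourceip=1.1.1.1
    leftsubnet=172.16.0.0/29
    right=2.2.2.2
    rightsubnet=10.1.0.0/19
    keyexchange=ikev1

conn roadwarrior
    left=%defaultroute
    leftsourceip=%config
    right=vpn.example.test
    rightsubnet=0.0.0.0/0
    keyexchange=ikev1
"""

# Constructed sample: the relevant charon lines from the question, condensed.
SAMPLE_CHARON_LOG = """\
Dec  3 22:21:31 moon charon: 06[IKE] IKE_SA conn[2] established between 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
Dec  3 22:21:31 moon charon: 06[IKE] activating MODE_CONFIG task
Dec  3 22:21:31 moon charon: 06[ENC] generating TRANSACTION request 1557479715 [ HASH CPRQ(ADDR DNS) ]
Dec  3 22:21:31 moon charon: 08[IKE] message verification failed
Dec  3 22:21:31 moon charon: 08[IKE] TRANSACTION response with message ID 1557479715 processing failed
"""


def parse_conns(text):
    """Parse 'conn <name>' sections into {name: {key: value}}.
    Supports indented key=value lines and '#' comments; other section
    headers (config setup, ca ...) end the current conn."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = re.match(r"^conn\s+(\S+)\s*$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
            continue
        if not line[0].isspace() and "=" not in line:
            current = None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def is_site_to_site(conn):
    """A local traffic selector that is a real subnet (not a /32 host and
    not a %-keyword) marks the conn as site-to-site."""
    subnet = conn.get("leftsubnet", "")
    return bool(subnet) and not subnet.endswith("/32") and not subnet.startswith("%")


def requests_virtual_ip(conn):
    """Any leftsourceip value, %config or a fixed address, makes strongSwan
    ask the responder for a virtual IP (Mode Config on IKEv1)."""
    return "leftsourceip" in conn


def find_virtual_ip_on_site_to_site(conns):
    """Names of conns that are site-to-site yet still request a virtual IP."""
    return sorted(n for n, c in conns.items()
                  if is_site_to_site(c) and requests_virtual_ip(c))


TRANSACTION_REQ = re.compile(r"generating TRANSACTION request (\d+) \[ HASH CPRQ\(")
TRANSACTION_FAIL = re.compile(r"TRANSACTION response with message ID (\d+) processing failed")


def find_failed_modeconfig(log_text):
    """Message IDs of Mode Config requests we sent (CPRQ) whose response
    charon could not process: the peer did not answer the attribute request."""
    requested, failed = set(), []
    for line in log_text.splitlines():
        m = TRANSACTION_REQ.search(line)
        if m:
            requested.add(m.group(1))
            continue
        m = TRANSACTION_FAIL.search(line)
        if m and m.group(1) in requested:
            failed.append(m.group(1))
    return failed


def comment_out_sourceip(text, names):
    """Return the config with leftsourceip commented out in the named conns,
    which is the fix the answer gives; other conns are left untouched."""
    out, current = [], None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            current = m.group(1)
        if current in names and re.match(r"^\s*leftsourceip=", line):
            line = re.sub(r"^(\s*)", r"\1#", line, count=1)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    conns = parse_conns(SAMPLE_IPSEC_CONF)
    bad = find_virtual_ip_on_site_to_site(conns)
    print("site-to-site conns requesting a virtual IP:", bad)
    print("failed Mode Config message IDs:", find_failed_modeconfig(SAMPLE_CHARON_LOG))
    print(comment_out_sourceip(SAMPLE_IPSEC_CONF, set(bad)), end="")
```

After applying the corrected conn and reloading, the answer's last point can be checked on the host with "ip route show table 220": once the CHILD_SA is up, strongSwan's route there should carry the local address from leftsubnet as the source for the remote subnet, without any virtual IP having been negotiated.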