racoon 데몬(더 이상 사용되지 않음)에서 새 데모 Charon Strongswan으로 전환해야 합니다. 실제로는 약 12개의 공급자가 있으며 "한 번에" 모든 VPN을 변경할 수 있습니다. 나는 모든 구성을 Raccoon에서 Strongswan으로 "복사"하여 다시 만들었습니다. 10명 중 3명만이 연결에 실패했습니다. 이제 단순화를 위해 그 중 하나만 나열됩니다. 실제로 1단계는 연결할 수 있지만 2단계 터널링은 설정할 수 없습니다. 일부 경우(이 로그에는 없음) 또는 일반적으로 처음 시작할 때 터널이 설정되고 연결되지만 몇 분 후에 터널이 닫히고 더 이상 작동하지 않습니다.
너구리 회의 (직장에서)
remote 2.2.2.2 {
my_identifier address 1.1.1.1;
exchange_mode main;
nat_traversal off;
initial_contact on;
#generate_policy on;
lifetime time 86400 sec;
nonce_size 16;
support_proxy on;
proposal_check obey; # obey, strict or claim
proposal {
encryption_algorithm 'aes 256';
authentication_method pre_shared_key;
hash_algorithm sha1;
dh_group 5;
}
}
sainfo address 1.1.1.1/32 any address 2.2.2.2/32 any {
encryption_algorithm 'aes 256';
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
lifetime time 3600 sec;
pfs_group 5;
}
sainfo address 2.2.2.2/32 any address 1.1.1.1/32 any {
encryption_algorithm 'aes 256';
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
lifetime time 3600 sec;
pfs_group 5;
}
sainfo address 172.16.0.0/29 any address 10.1.0.0/19 any {
encryption_algorithm 'aes 256';
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
lifetime time 3600 sec;
pfs_group 5;
}
sainfo address 10.1.0.0/19 any address 172.16.0.0/29 any {
encryption_algorithm 'aes 256';
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
lifetime time 3600 sec;
pfs_group 5;
}
ipsec-tools.conf
spdadd 1.1.1.1/32 2.2.2.2/32 any -P out ipsec
esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 2.2.2.2/32 1.1.1.1/32 any -P in ipsec
esp/tunnel/2.2.2.2-1.1.1.1/require;
spdadd 172.16.0.0/29 10.1.0.0/19 any -P out ipsec
esp/tunnel/1.1.1.1-2.2.2.2/require;
spdadd 10.1.0.0/19 172.16.0.0/29 any -P in ipsec
esp/tunnel/2.2.2.2-1.1.1.1/require;
conn.conf (strongswan)
conn conn
type=tunnel
authby=secret
auto=route
compress=no
leftfirewall=yes
rightfirewall=yes
rekey=yes
reauth=no
mobike=no
left=1.1.1.1
leftsourceip=1.1.1.1
leftsubnet=172.16.0.0/29
# Clients
right=2.2.2.2
rightsubnet=10.1.0.0/19
# recommended dpd/liveness to cleanup vanished clients
dpdaction=none
#dpddelay=30
#dpdtimeout=120
aggressive=no
keyexchange=ikev1
ike=aes256-sha1-modp1536!
ikelifetime=24h
fragmentation=no
esp=aes256-sha1-modp1536!
lifetime=1h
IPsec 상태 모두
Connections:
conn: 1.1.1.1...2.2.2.2 IKEv1, dpddelay=30s
conn: local: [1.1.1.1] uses pre-shared key authentication
conn: remote: [2.2.2.2] uses pre-shared key authentication
conn: child: 172.16.0.0/29 === 10.1.0.0/19 TUNNEL, dpdaction=clear
Routed Connections:
conn{1}: ROUTED, TUNNEL, reqid 1
conn{1}: 172.16.0.0/29 === 10.1.0.0/19
Security Associations (1 up, 0 connecting):
conn[3]: ESTABLISHED 11 seconds ago, 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
conn[3]: IKEv1 SPIs: f8b3195f00f2368e_i* 311a423d5e714f05_r, rekeying in 23 hours
conn[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
conn[3]: Tasks queued: QUICK_MODE
conn[3]: Tasks active: MODE_CONFIG
레코드 카론
Dec 3 22:21:31 moon charon: 14[KNL] creating acquire job for policy 1.1.1.10/32[tcp/46993] === 2.2.2.50/32[tcp/1414] with reqid {1}
Dec 3 22:21:31 moon charon: 14[IKE] queueing ISAKMP_VENDOR task
Dec 3 22:21:31 moon charon: 14[IKE] queueing ISAKMP_CERT_PRE task
Dec 3 22:21:31 moon charon: 14[IKE] queueing MAIN_MODE task
Dec 3 22:21:31 moon charon: 14[IKE] queueing ISAKMP_CERT_POST task
Dec 3 22:21:31 moon charon: 14[IKE] queueing ISAKMP_NATD task
Dec 3 22:21:31 moon charon: 14[IKE] queueing QUICK_MODE task
Dec 3 22:21:31 moon charon: 14[IKE] activating new tasks
Dec 3 22:21:31 moon charon: 14[IKE] activating ISAKMP_VENDOR task
Dec 3 22:21:31 moon charon: 14[IKE] activating ISAKMP_CERT_PRE task
Dec 3 22:21:31 moon charon: 14[IKE] activating MAIN_MODE task
Dec 3 22:21:31 moon charon: 14[IKE] activating ISAKMP_CERT_POST task
Dec 3 22:21:31 moon charon: 14[IKE] activating ISAKMP_NATD task
Dec 3 22:21:31 moon charon: 14[IKE] sending XAuth vendor ID
Dec 3 22:21:31 moon charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Dec 3 22:21:31 moon charon: 14[IKE] sending DPD vendor ID
Dec 3 22:21:31 moon charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Dec 3 22:21:31 moon charon: 14[IKE] sending FRAGMENTATION vendor ID
Dec 3 22:21:31 moon charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Dec 3 22:21:31 moon charon: 14[IKE] sending NAT-T (RFC 3947) vendor ID
Dec 3 22:21:31 moon charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Dec 3 22:21:31 moon charon: 14[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Dec 3 22:21:31 moon charon: 14[ENC] added payload of type VENDOR_ID_V1 to message
Dec 3 22:21:31 moon charon: 14[IKE] initiating Main Mode IKE_SA conn[2] to 2.2.2.2
Dec 3 22:21:31 moon charon: 14[IKE] IKE_SA conn[2] state change: CREATED => CONNECTING
...
ec 3 22:21:31 moon charon: 16[IKE] received DPD vendor ID
Dec 3 22:21:31 moon charon: 16[IKE] received NAT-T (RFC 3947) vendor ID
Dec 3 22:21:31 moon charon: 16[ENC] received unknown vendor ID: 69:93:69:22:87:41:c6:d4:ca:09:4c:93:e2:42:c9:de:19:e7:b7:c6:00:00:00:05:00:00:05:00
Dec 3 22:21:31 moon charon: 16[IKE] reinitiating already active tasks
Dec 3 22:21:31 moon charon: 16[IKE] ISAKMP_VENDOR task
Dec 3 22:21:31 moon charon: 16[IKE] MAIN_MODE task
Dec 3 22:21:31 moon charon: 16[ENC] added payload of type KEY_EXCHANGE_V1 to message
Dec 3 22:21:31 moon charon: 16[ENC] added payload of type NONCE_V1 to message
...
Dec 3 22:21:31 moon charon: 16[ENC] added payload of type NAT_D_V1 to message
Dec 3 22:21:31 moon charon: 16[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Dec 3 22:21:31 moon charon: 16[ENC] not encrypting payloads
Dec 3 22:21:31 moon charon: 16[ENC] generating payload of type HEADER
Dec 3 22:21:31 moon charon: 16[ENC] generating rule 0 IKE_SPI
...
Dec 3 22:21:31 moon charon: 06[ENC] parsed ID_PROT response 0 [ ID HASH ]
Dec 3 22:21:31 moon charon: 06[IKE] IKE_SA conn[2] established between 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
Dec 3 22:21:31 moon charon: 06[IKE] IKE_SA conn[2] state change: CONNECTING => ESTABLISHED
Dec 3 22:21:31 moon charon: 06[IKE] scheduling rekeying in 85857s
Dec 3 22:21:31 moon charon: 06[IKE] maximum IKE_SA lifetime 86397s
Dec 3 22:21:31 moon charon: 06[IKE] queueing MODE_CONFIG task
Dec 3 22:21:31 moon charon: 06[IKE] activating new tasks
Dec 3 22:21:31 moon charon: 06[IKE] activating MODE_CONFIG task
Dec 3 22:21:31 moon charon: 06[ENC] added payload of type CONFIGURATION_V1 to message
Dec 3 22:21:31 moon charon: 06[ENC] order payloads in message
Dec 3 22:21:31 moon charon: 06[ENC] added payload of type CONFIGURATION_V1 to message
Dec 3 22:21:31 moon charon: 06[ENC] generating TRANSACTION request 1557479715 [ HASH CPRQ(ADDR DNS) ]
Dec 3 22:21:31 moon charon: 06[ENC] insert payload HASH_V1 into encrypted payload
Dec 3 22:21:31 moon charon: 06[ENC] insert payload CONFIGURATION_V1 into encrypted payload
Dec 3 22:21:31 moon charon: 06[ENC] generating payload of type HEADER
Dec 3 22:21:31 moon charon: 06[ENC] generating rule 0 IKE_SPI
...
Dec 3 22:21:31 moon charon: 08[ENC] parsed content of encrypted payload
Dec 3 22:21:31 moon charon: 08[ENC] insert decrypted payload of type HASH_V1 at end of list
Dec 3 22:21:31 moon charon: 08[ENC] verifying message structure
Dec 3 22:21:31 moon charon: 08[ENC] found payload of type HASH_V1
Dec 3 22:21:31 moon charon: 08[ENC] payload of type CONFIGURATION_V1 not occurred 1 times (0)
Dec 3 22:21:31 moon charon: 08[IKE] **message verification failed**
Dec 3 22:21:31 moon charon: 08[ENC] added payload of type NOTIFY_V1 to message
Dec 3 22:21:31 moon charon: 08[ENC] order payloads in message
Dec 3 22:21:31 moon charon: 08[ENC] added payload of type NOTIFY_V1 to message
Dec 3 22:21:31 moon charon: 08[ENC] generating INFORMATIONAL_V1 request 3329228680 [ HASH N(PLD_MAL) ]
Dec 3 22:21:31 moon charon: 08[ENC] insert payload HASH_V1 into encrypted payload
Dec 3 22:21:31 moon charon: 08[ENC] insert payload NOTIFY_V1 into encrypted payload
...
Dec 3 22:21:31 moon charon: 08[ENC] generating rule 14 SPI
Dec 3 22:21:31 moon charon: 08[ENC] generating rule 15 CHUNK_DATA
Dec 3 22:21:31 moon charon: 08[ENC] generating NOTIFY_V1 payload finished
Dec 3 22:21:31 moon charon: 08[ENC] generated content in encrypted payload
Dec 3 22:21:31 moon charon: 08[ENC] generating payload of type ENCRYPTED_V1
Dec 3 22:21:31 moon charon: 08[ENC] generating rule 0 ENCRYPTED_DATA
Dec 3 22:21:31 moon charon: 08[ENC] generating ENCRYPTED_V1 payload finished
Dec 3 22:21:31 moon charon: 08[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (76 bytes)
Dec 3 22:21:31 moon charon: 08[IKE] TRANSACTION response with message ID 1557479715 processing failed
Dec 3 22:21:35 moon charon: 05[IKE] sending retransmit 1 of request message ID 1557479715, seq 4
Dec 3 22:21:35 moon charon: 05[NET] sending packet: from 1.1.1.1[500] to 2.2.2.2[500] (76 bytes)
Dec 3 22:21:37 moon charon: 03[ENC] parsing header of message
Dec 3 22:21:37 moon charon: 03[ENC] parsing HEADER payload, 248 bytes left
Dec 3 22:21:37 moon charon: 03[ENC] parsing rule 0 IKE_SPI
Dec 3 22:21:37 moon charon: 03[ENC] parsing rule 1 IKE_SPI
Dec 3 22:21:37 moon charon: 03[ENC] parsing rule 2 U_INT_8
...
Dec 3 22:22:19 moon charon: 03[ENC] parsing rule 12 FLAG
Dec 3 22:22:19 moon charon: 03[ENC] parsing rule 13 FLAG
Dec 3 22:22:19 moon charon: 03[ENC] parsing rule 14 U_INT_32
Dec 3 22:22:19 moon charon: 03[ENC] parsing rule 15 HEADER_LENGTH
Dec 3 22:22:19 moon charon: 03[ENC] parsing HEADER payload finished
Dec 3 22:22:19 moon charon: 03[ENC] parsed a ID_PROT message header
Dec 3 22:22:27 moon charon: 00[DMN] signal of type SIGINT received. Shutting down
Dec 3 22:22:27 moon charon: 00[IKE] queueing ISAKMP_DELETE task
Dec 3 22:22:27 moon charon: 00[IKE] activating new tasks
Dec 3 22:22:27 moon charon: 00[IKE] activating ISAKMP_DELETE task
Dec 3 22:22:27 moon charon: 00[IKE] deleting IKE_SA conn[2] between 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
Dec 3 22:22:27 moon charon: 00[ENC] added payload of type DELETE_V1 to message
Dec 3 22:22:27 moon charon: 00[IKE] sending DELETE for IKE_SA conn[2]
Dec 3 22:22:27 moon charon: 00[IKE] IKE_SA conn[2] state change: ESTABLISHED => DELETING
Dec 3 22:22:27 moon charon: 00[ENC] order payloads in message
Dec 3 22:22:27 moon charon: 00[ENC] added payload of type DELETE_V1 to message
Dec 3 22:22:27 moon charon: 00[ENC] generating INFORMATIONAL_V1 request 4291887391 [ HASH D ]
Dec 3 22:22:27 moon charon: 00[ENC] insert payload HASH_V1 into encrypted payload
Dec 3 22:22:27 moon charon: 00[ENC] insert payload DELETE_V1 into encrypted payload
Dec 3 22:22:27 moon charon: 00[ENC] generating payload of type HEADER
Dec 3 22:22:27 moon charon: 00[ENC] generating rule 0 IKE_SPI
** 참고... 메시지 유효성 검사에 실패했습니다.
... 메시지 ID 1557479715**에 대한 TRANSACTION 응답 처리에 실패했습니다.
불행하게도 콘솔에 메모리가 부족하여 SPI가 일치하지 않습니다!
상대방은 내가 관리하지 않습니다. 이 경우에는 그들이 어떤 라우터(아마도 Cisco)를 사용하는지 알 수 없으며 변경을 요청하는 것은 매우 복잡한 반면, 다른 두 경우에는 Checkpoint 및 Zeroshell 라우터를 사용한다는 것을 알고 있습니다.
답변1
구성으로 leftsourceip
인해 StrongSwan 요청이 발생함가상 IP 주소응답자로부터. 이는 원격 액세스/roadwarrrior 시나리오에 가장 유용하지만 트래픽 선택기( )가 여기에서 암시하는 사이트 간 연결에는 덜 유용합니다 left|rightsubnet
(즉, 모두 서브넷임).
IKEv1의 경우 가상 IP를 요청한다는 것은 구성 속성의 모드 구성(TRANSACTION) 교환을 요청하는 것을 의미합니다(실제로 두 가지 모드가 있지만 기본값은 "풀" 모드입니다). 피어가 이러한 추가 교환을 원하지 않으면(여기의 경우) 연결이 성공적으로 설정되지 않습니다. 따라서 이 문제를 해결하려면 해당 옵션을 제거/주석 처리하면 됩니다 leftsourceip
.
터널 내에서 이 호스트가 사용하는 실제 소스 IP는 협상된 로컬 트래픽 선택기( )에 의해 결정됩니다 leftsubnet
. 호스트가 협상된 로컬 서브넷 중 하나에 IP 주소를 가지고 있는 경우 StrongSwan은 자동으로 라우팅 테이블 220에 경로를 설치하여 해당 IP 주소를 원격 서브넷에 대한 트래픽 소스로 강제합니다.