
strongSwan: "received NO_PROPOSAL_CHOSEN error notify" when connecting to Cisco

Server Fault user
Asked on 2018-02-02 13:18:46
Answers: 1 · Views: 57.9K · Followers: 0 · Votes: 9

I am trying to connect to a Cisco ASA IKEv1 VPN with StrongSwan (5.5.1-4+deb9u1) on Debian with the 4.9.0-5-amd64 kernel. This is a classic problem; I have found many discussions on the topic and tried a lot of configuration tweaks, but so far nothing has helped me.

I have no access to the ASA itself, but this way I can get some basic information about the proposals:

$ sudo ike-scan -v -v ASA_IP_ADDRESS 2>&1
DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
--- Sending packet #1 to host entry 1 (ASA_IP_ADDRESS) tmo 500000 us
--- Received packet #1 from ASA_IP_ADDRESS
ASA_IP_ADDRESS  Main Mode Handshake returned HDR=(CKY-R=79f5d28631ffd07f) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
--- Removing host entry 1 (ASA_IP_ADDRESS) - Received 104 bytes

Ending ike-scan 1.9.4: 1 hosts scanned in 0.017 seconds (57.15 hosts/sec).  1 returned handshake; 0 returned notify

This is what I see when I issue the ipsec up asavpn command:

initiating Aggressive Mode IKE_SA asavpn[1] to ASA_IP_ADDRESS
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
sending packet: from 192.168.7.117[500] to ASA_IP_ADDRESS[500] (375 bytes)
received packet: from ASA_IP_ADDRESS[500] to 192.168.7.117[500] (436 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (108 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (76 bytes)
parsed TRANSACTION request 4213336740 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 4213336740 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (68 bytes)
parsed TRANSACTION request 557234584 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'vpn-user123' (myself) successful
IKE_SA asavpn[1] established between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
scheduling reauthentication in 3379s
maximum IKE_SA lifetime 3559s
generating TRANSACTION response 557234584 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (68 bytes)
generating TRANSACTION request 3340376289 [ HASH CPRQ(ADDR DNS DNS DNS U_SPLITINC U_LOCALLAN) ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (300 bytes)
parsed TRANSACTION response 3340376289 [ HASH CPRP(ADDR DNS DNS U_SPLITINC) ]
installing DNS server 172.51.2.47 to /etc/resolv.conf
installing DNS server 172.51.2.50 to /etc/resolv.conf
installing new virtual IP 172.17.254.12
generating QUICK_MODE request 2105961987 [ HASH SA No ID ID ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (172 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 3744028568 [ HASH D ]
received DELETE for IKE_SA asavpn[1]
deleting IKE_SA asavpn[1] between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
installing new virtual IP 172.17.254.12
establishing connection 'asavpn' failed

Here is my (trimmed) ipsec.conf:

config setup
    charondebug="ike 2, knl 2, cfg 2"
    uniqueids = yes
    strictcrlpolicy=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=2
    keyexchange=ikev2 # this is because I use more VPN connections than the only asavpn
    mobike=yes

conn asavpn
    leftauth=psk
    leftauth2=xauth
    leftsubnet=192.168.7.0/24
    aggressive=yes
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    xauth=client
    xauth_identity="vpn-user123"
    leftid=PRZ
    keyexchange=ikev1
    leftsourceip=%config
    rightsubnet=0.0.0.0/0
    leftdns=172.51.2.47, 172.51.2.50
    right=ASA_IP_ADDRESS
    rightsubnet=0.0.0.0/0
    rightauth=psk
    auto=add

My ipsec.secrets:

vpn-user123 : XAUTH "my.passw0rd"
PRZ@%any ASA_IP_ADDRESS : PSK "secret-120-characters-long-hash"

Here is the charon log:

Feb 02 12:02:19 lenovo-pc charon[10329]: 15[CFG] received stroke: initiate 'asavpn'
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[KNL] using 192.168.7.117 as address to reach ASA_IP_ADDRESS/32
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_VENDOR task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_CERT_PRE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing AGGRESSIVE_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_CERT_POST task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_NATD task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing QUICK_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE]   activating ISAKMP_VENDOR task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE]   activating ISAKMP_CERT_PRE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE]   activating AGGRESSIVE_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE]   activating ISAKMP_CERT_POST task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE]   activating ISAKMP_NATD task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending XAuth vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending DPD vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending Cisco Unity vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending FRAGMENTATION vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending NAT-T (RFC 3947) vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] initiating Aggressive Mode IKE_SA asavpn[2] to ASA_IP_ADDRESS
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] initiating Aggressive Mode IKE_SA asavpn[2] to ASA_IP_ADDRESS
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] IKE_SA asavpn[2] state change: CREATED => CONNECTING
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[NET] sending packet: from 192.168.7.117[500] to ASA_IP_ADDRESS[500] (375 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[NET] received packet: from ASA_IP_ADDRESS[500] to 192.168.7.117[500] (436 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received Cisco Unity vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received XAuth vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received DPD vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received NAT-T (RFC 3947) vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received FRAGMENTATION vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] selecting proposal:
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG]   proposal matches
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] local host is behind NAT, sending keep alives
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] reinitiating already active tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE]   ISAKMP_VENDOR task
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE]   AGGRESSIVE_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] queueing MODE_CONFIG task
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (108 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] nothing to initiate
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (76 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[ENC] parsed TRANSACTION request 3634853475 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[ENC] generating TRANSACTION response 3634853475 [ HASH CPRP(X_USER X_PWD) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (68 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[ENC] parsed TRANSACTION request 2358240213 [ HASH CPS(X_STATUS) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] XAuth authentication of 'vpn-user123' (myself) successful
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] IKE_SA asavpn[2] established between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] IKE_SA asavpn[2] established between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] IKE_SA asavpn[2] state change: CONNECTING => ESTABLISHED
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] scheduling reauthentication in 3384s
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] maximum IKE_SA lifetime 3564s
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[ENC] generating TRANSACTION response 2358240213 [ HASH CPA(X_STATUS) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (68 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE]   activating MODE_CONFIG task
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[ENC] generating TRANSACTION request 3672090717 [ HASH CPRQ(ADDR DNS DNS DNS U_SPLITINC U_LOCALLAN) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (300 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[ENC] parsed TRANSACTION response 3672090717 [ HASH CPRP(ADDR DNS DNS U_SPLITINC) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing INTERNAL_IP4_ADDRESS attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing INTERNAL_IP4_DNS attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] installing DNS server 172.51.2.47 to /etc/resolv.conf
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing INTERNAL_IP4_DNS attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] installing DNS server 172.51.2.50 to /etc/resolv.conf
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing UNITY_SPLIT_INCLUDE attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[KNL] 192.168.7.117 is on interface wlp5s0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] installing new virtual IP 172.17.254.12
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[KNL] virtual IP 172.17.254.12 installed on wlp5s0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE]   activating QUICK_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[KNL] got SPI cc107754
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] proposing traffic selectors for us:
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG]  192.168.7.0/24
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] proposing traffic selectors for other:
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG]  0.0.0.0/0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] changing proposed traffic selectors for other:
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG]  0.0.0.0/0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[ENC] generating QUICK_MODE request 239751605 [ HASH SA No ID ID ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (172 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (84 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[ENC] parsed INFORMATIONAL_V1 request 2669190869 [ HASH N(NO_PROP) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] received NO_PROPOSAL_CHOSEN error notify
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[KNL] deleting SAD entry with SPI cc107754
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[KNL] deleted SAD entry with SPI cc107754
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (84 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] parsed INFORMATIONAL_V1 request 4133932276 [ HASH D ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received DELETE for IKE_SA asavpn[2]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] deleting IKE_SA asavpn[2] between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] deleting IKE_SA asavpn[2] between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] removing DNS server 172.51.2.50 from /etc/resolv.conf
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] removing DNS server 172.51.2.47 from /etc/resolv.conf

What is wrong?

Thanks for your help, I appreciate it!

Update:

Added vpnc.log (for the working connection): https://pastebin.com/KDx3HTnC


1 answer

Server Fault user

Accepted answer

Posted on 2018-02-06 13:15:00

In the debug log of the vpnc client you can see the following while it parses the Quick Mode response:

PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 0020
t.number: 01
t.id: 0c (ISAKMP_IPSEC_ESP_AES)
t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
t.attributes.u.lots.length: 0004
t.attributes.u.lots.data: 0020c49b
t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
t.attributes.u.attr_16: 0003 (IPSEC_ENCAP_UDP_TUNNEL)
t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
t.attributes.u.attr_16: 0002 (IPSEC_AUTH_HMAC_SHA)
t.attributes.type: 0006 (ISAKMP_IPSEC_ATTRIB_KEY_LENGTH)
t.attributes.u.attr_16: 0100
DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)

The proposal the server actually accepts is AES with a 256-bit key length as the encryption algorithm and SHA-1 as the integrity algorithm. So use esp=aes256-sha1! in the strongSwan configuration to match it.

Votes: 5
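To read such a Quick Mode transform payload without vpnc, here is an added Python example (not from the answer, nor from the vpnc or strongSwan projects) that parses an IPsec-DOI Transform payload and maps it onto the esp= proposal keyword strongSwan expects. The first byte string is constructed from the values printed in the vpnc log above; the second is a constructed counterpart of the asker's esp=3des-sha1! proposal, so the mismatch that produced NO_PROPOSAL_CHOSEN can be seen side by side.

```python
import struct

# IPsec DOI ESP transform IDs (RFC 2407 sect. 4.4.4), spelled as strongSwan's esp= keyword expects
ESP_TRANSFORM_IDS = {2: "des", 3: "3des", 12: "aes"}
# IPsec SA attribute types (RFC 2407 sect. 4.5) and the value tables we need
ATTR_SA_LIFE_TYPE, ATTR_SA_LIFE_DURATION, ATTR_ENCAP_MODE, ATTR_AUTH_ALG, ATTR_KEY_LENGTH = 1, 2, 4, 5, 6
AUTH_ALGS = {1: "md5", 2: "sha1", 5: "sha256"}  # HMAC-MD5, HMAC-SHA, HMAC-SHA2-256

# Constructed from the vpnc log in the accepted answer: type 3 transform, length 0x20,
# t.number 1, t.id 0x0c (ESP_AES), then the five attributes in the order vpnc printed them.
VPNC_TRANSFORM = bytes.fromhex(
    "00 00 00 20"              # next payload NONE, reserved, length 32
    "01 0c 00 00"              # transform #1, transform id 12 (AES), reserved
    "80 01 00 01"              # SA_LIFE_TYPE = seconds (TV form, high bit set)
    "00 02 00 04 00 20 c4 9b"  # SA_LIFE_DURATION, TLV form, 4-byte value
    "80 04 00 03"              # ENCAP_MODE = UDP tunnel (NAT-T)
    "80 05 00 02"              # AUTH_ALG = HMAC-SHA
    "80 06 01 00"              # KEY_LENGTH = 256
)
# Constructed counterpart of the asker's own esp=3des-sha1! proposal (no key-length attribute).
CONSTRUCTED_3DES = bytes.fromhex("00 00 00 0c 01 03 00 00 80 05 00 02")


def parse_transform(payload: bytes) -> dict:
    """Parse one ISAKMP Transform payload (IPsec DOI) into its id and attribute map."""
    _next, _reserved, length = struct.unpack("!BBH", payload[:4])
    if length != len(payload):
        raise ValueError(f"length field {length} does not match {len(payload)} bytes")
    number, transform_id = struct.unpack("!BB", payload[4:6])
    attrs, off = {}, 8  # two reserved bytes follow the transform id
    while off < length:
        type_af, = struct.unpack("!H", payload[off:off + 2])
        attr_type = type_af & 0x7FFF
        if type_af & 0x8000:  # TV: 16-bit value follows the type
            value, = struct.unpack("!H", payload[off + 2:off + 4])
            off += 4
        else:  # TLV: 16-bit length, then the value bytes
            alen, = struct.unpack("!H", payload[off + 2:off + 4])
            value = int.from_bytes(payload[off + 4:off + 4 + alen], "big")
            off += 4 + alen
        attrs[attr_type] = value
    return {"number": number, "transform_id": transform_id, "attributes": attrs}


def esp_proposal_string(payload: bytes) -> str:
    """Render the transform as the esp= proposal strongSwan would need, e.g. 'aes256-sha1'."""
    t = parse_transform(payload)
    enc = ESP_TRANSFORM_IDS.get(t["transform_id"], f"unknown{t['transform_id']}")
    keylen = t["attributes"].get(ATTR_KEY_LENGTH)
    auth = AUTH_ALGS.get(t["attributes"].get(ATTR_AUTH_ALG), "unknown")
    return f"{enc}{keylen or ''}-{auth}"
```

Running esp_proposal_string on the two samples yields aes256-sha1 for the ASA's transform and 3des-sha1 for the asker's, which is exactly the mismatch the charon log reports as NO_PROPOSAL_CHOSEN.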
Original content provided by Server Fault; translation support by Tencent Cloud's IT-domain engine.
Original link: https://serverfault.com/questions/895354
