Всем привет. Второй день не могу поднять IPsec-туннель между Cisco и strongSwan.
Конфиг strongSwan:
# strongSwan ipsec.conf for the site-to-site IKEv2/PSK tunnel
# between 100.200.0.1 (this host) and the Cisco peer 100.200.0.2.
config setup
# strictcrlpolicy=yes
# uniqueids = no
# verbose cfg/dmn/esp logging — this is what makes the proposal
# selection and traffic-selector lines visible in the log below
charondebug="cfg 2, dmn 2, esp 2"
conn gate1-gate2
type=tunnel
authby=psk
keyexchange=ikev2
keyingtries=%forever
# NOTE(review): a netfilter mark is normally used with a route-based
# (VTI/xfrm-interface) setup; nothing in this post shows the matching
# interface or policy routing — confirm it exists
mark=104
fragmentation=yes
forceencaps=no
left=100.200.0.1
# with leftid=%any charon reports "no IDi configured, fall back on
# IP address", so the IDi sent is 100.200.0.1 — that is what the
# Cisco profile's "match identity remote address" expects
leftid=%any
# NOTE(review): the charon log below shows leftsubnet=192.168.109.0/24
# at load time, not 0.0.0.0/0 — the pasted config and the loaded one
# differ; confirm which version charon is actually running
leftsubnet=0.0.0.0/0
# NOTE(review): leftsourceip makes charon request a virtual IP from
# the peer (the CPRQ(ADDR DNS) payload in the IKE_AUTH request below);
# the Cisco config shown does not hand out addresses — if 172.16.11.1
# is meant to be a static tunnel-interface address, confirm this is
# the intended option
leftsourceip=172.16.11.1
right=100.200.0.2
rightid=%any
# 0.0.0.0/0 on both sides matches the 0.0.0.0/0 proxies the Cisco
# VTI logs in IPSEC(sa_request)
rightsubnet=0.0.0.0/0
# IKEv2 does not negotiate lifetimes; the Cisco side rekeys on its own
# values (its log shows lifedur=3600s), so a mismatch here is tolerated
ikelifetime=86400s
keylife=28800s
# modp1024 (DH group 2) matches the Cisco "group 2" and is the proposal
# selected in the log, but 1024-bit DH is considered weak — moving both
# sides to modp2048 (group 14) or stronger is the usual recommendation
ike=aes128-sha256-modp1024
# matches the Cisco transform-set esp-aes 256 esp-sha256-hmac
esp=aes256-sha256
auto=start
rekey=yes
reauth=yes
mobike=no
Логи strongSwan:
Dec 4 16:07:49 server-1 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Dec 4 16:07:49 server-1 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Dec 4 16:07:49 server-1 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Dec 4 16:07:49 server-1 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Dec 4 16:07:49 server-1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Dec 4 16:07:49 server-1 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Dec 4 16:07:49 server-1 charon: 00[CFG] loaded IKE secret for 100.200.0.1 100.200.0.2
Dec 4 16:07:49 server-1 charon: 00[CFG] loaded IKE secret for 100.200.0.2 100.200.0.1
Dec 4 16:07:49 server-1 charon: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown counters
Dec 4 16:07:49 server-1 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Dec 4 16:07:49 server-1 charon: 00[JOB] spawning 16 worker threads
Dec 4 16:07:49 server-1 charon: 05[CFG] received stroke: add connection 'gate1-gate2'
Dec 4 16:07:49 server-1 charon: 05[CFG] conn gate1-gate2
Dec 4 16:07:49 server-1 charon: 05[CFG] left=100.200.0.1
Dec 4 16:07:49 server-1 charon: 05[CFG] leftsubnet=192.168.109.0/24
Dec 4 16:07:49 server-1 charon: 05[CFG] leftsourceip=172.16.11.1
Dec 4 16:07:49 server-1 charon: 05[CFG] leftauth=psk
Dec 4 16:07:49 server-1 charon: 05[CFG] leftid=%any
Dec 4 16:07:49 server-1 charon: 05[CFG] right=100.200.0.2
Dec 4 16:07:49 server-1 charon: 05[CFG] rightsubnet=0.0.0.0/0
Dec 4 16:07:49 server-1 charon: 05[CFG] rightauth=psk
Dec 4 16:07:49 server-1 charon: 05[CFG] rightid=%any
Dec 4 16:07:49 server-1 charon: 05[CFG] ike=aes128-sha256-modp1024
Dec 4 16:07:49 server-1 charon: 05[CFG] esp=aes256-sha256
Dec 4 16:07:49 server-1 charon: 05[CFG] dpddelay=30
Dec 4 16:07:49 server-1 charon: 05[CFG] dpdtimeout=150
Dec 4 16:07:49 server-1 charon: 05[CFG] sha256_96=no
Dec 4 16:07:49 server-1 charon: 05[CFG] mediation=no
Dec 4 16:07:49 server-1 charon: 05[CFG] keyexchange=ikev2
Dec 4 16:07:49 server-1 charon: 05[CFG] added configuration 'gate1-gate2'
Dec 4 16:07:49 server-1 charon: 07[CFG] received stroke: initiate 'gate1-gate2'
Dec 4 16:07:49 server-1 charon: 07[IKE] initiating IKE_SA gate1-gate2[1] to 100.200.0.2
Dec 4 16:07:49 server-1 charon: 07[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Dec 4 16:07:49 server-1 charon: 07[CFG] sending supported signature hash algorithms: sha256 sha384 sha512
Dec 4 16:07:49 server-1 charon: 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 4 16:07:49 server-1 charon: 07[NET] sending packet: from 100.200.0.1[500] to 100.200.0.2[500] (498 bytes)
Dec 4 16:07:49 server-1 charon: 08[NET] received packet: from 100.200.0.2[500] to 100.200.0.1[500] (315 bytes)
Dec 4 16:07:49 server-1 charon: 08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No V N(NATD_S_IP) N(NATD_D_IP) ]
Dec 4 16:07:49 server-1 charon: 08[IKE] received Cisco Delete Reason vendor ID
Dec 4 16:07:49 server-1 charon: 08[CFG] selecting proposal:
Dec 4 16:07:49 server-1 charon: 08[CFG] proposal matches
Dec 4 16:07:49 server-1 charon: 08[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Dec 4 16:07:49 server-1 charon: 08[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Dec 4 16:07:49 server-1 charon: 08[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Dec 4 16:07:49 server-1 charon: 08[CFG] no IDi configured, fall back on IP address
Dec 4 16:07:49 server-1 charon: 08[IKE] authentication of '100.200.0.1' (myself) with pre-shared key
Dec 4 16:07:49 server-1 charon: 08[CFG] proposing traffic selectors for us:
Dec 4 16:07:49 server-1 charon: 08[CFG] 0.0.0.0/0
Dec 4 16:07:49 server-1 charon: 08[CFG] proposing traffic selectors for other:
Dec 4 16:07:49 server-1 charon: 08[CFG] 0.0.0.0/0
Dec 4 16:07:49 server-1 charon: 08[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Dec 4 16:07:49 server-1 charon: 08[IKE] establishing CHILD_SA gate1-gate2{1}
Dec 4 16:07:49 server-1 charon: 08[ENC] generating IKE_AUTH request 1 [ IDi AUTH CPRQ(ADDR DNS) SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Dec 4 16:07:49 server-1 charon: 08[NET] sending packet: from 100.200.0.1[500] to 100.200.0.2[500] (352 bytes)
Dec 4 16:07:53 server-1 charon: 11[IKE] retransmit 1 of request with message ID 1
Dec 4 16:07:53 server-1 charon: 11[NET] sending packet: from 100.200.0.1[500] to 100.200.0.2[500] (352 bytes)
Dec 4 16:08:00 server-1 charon: 12[IKE] retransmit 2 of request with message ID 1
Dec 4 16:08:00 server-1 charon: 12[NET] sending packet: from 100.200.0.1[500] to 100.200.0.2[500] (352 bytes)
Dec 4 16:08:13 server-1 charon: 02[IKE] retransmit 3 of request with message ID 1
Dec 4 16:08:13 server-1 charon: 02[NET] sending packet: from 100.200.0.1[500] to 100.200.0.2[500] (352 bytes)
Конфиг Cisco:
! IKEv2 proposal: aes-cbc-128 / sha256 / group 2 is exactly the
! proposal the strongSwan log reports as "selected proposal"
! (AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024)
crypto ikev2 proposal generic-ikev2-proposal
encryption aes-cbc-128 aes-cbc-256
integrity sha256
! group 2 = 1024-bit MODP, considered weak; group 14 (2048-bit) or
! higher on both peers is the usual minimum
group 2
!
crypto ikev2 policy gate1-policy
proposal generic-ikev2-proposal
!
! PSK keyring; the strongSwan log confirms IKE secrets loaded for
! both 100.200.0.1 <-> 100.200.0.2 directions (keys masked here)
crypto ikev2 keyring gate1-keys
peer gate1-swan
address 100.200.0.1
pre-shared-key local XXXXXXXXXXXXXXXXXXX
pre-shared-key remote XXXXXXXXXXXXXXXXXXX
!
!
!
crypto ikev2 profile gate1-profile
! strongSwan sends its IP (100.200.0.1) as IDi because leftid=%any
! falls back to the address, so this match should succeed
match identity remote address 100.200.0.1 255.255.255.255
identity local address 100.200.0.2
authentication local pre-share
authentication remote pre-share
keyring gate1-keys
! NOTE(review): the strongSwan IKE_AUTH request carries a config
! request (CPRQ ADDR DNS) for a virtual IP; no pool/authorization is
! configured in this profile to answer it — confirm whether the
! strongSwan side should be requesting one at all
!
!
!
! management settings unrelated to the tunnel, pasted along with it
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
! matches strongSwan esp=aes256-sha256
crypto ipsec transform-set gate1-ts esp-aes 256 esp-sha256-hmac
!
crypto ipsec profile gate1-profile
set transform-set gate1-ts
set ikev2-profile gate1-profile
!
!
! VTI: "tunnel mode ipsec ipv4" yields 0.0.0.0/0 proxies on both
! sides, as the IPSEC(sa_request) log shows; strongSwan proposes
! 0.0.0.0/0 as well
interface Tunnel300
! NOTE(review): 172.16.11.2/30 pairs with 172.16.11.1, but on the
! strongSwan side that address is set via leftsourceip (a virtual-IP
! request), not as a static tunnel-interface address — confirm the
! intended design on the Linux side
ip address 172.16.11.2 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1360
tunnel source 100.200.0.2
tunnel mode ipsec ipv4
tunnel destination 100.200.0.1
tunnel protection ipsec profile gate1-profile
!
В логах Cisco такое:
Dec 4 15:17:10.140: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 100.200.0.2:500, remote= 100.200.0.1:500,
local_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
remote_proxy= 0.0.0.0/0.0.0.0/0/0 (type=4),
protocol= ESP, transform= esp-aes 256 esp-sha256-hmac (Tunnel),
lifedur= 3600s and 4608000kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Визуальная схема: https://i.ibb.co/VCB0TZW/Screenshot-20191205-104057.png
Что я делаю не так?