Ikev1/IPsec between strongswan and cisco
Forum: Admin
Hi all!
I really need help; I've been racking my brain all day. I'm new to this and would be glad of any hint. As I understand it, my Quick Mode proposal (ESP) doesn't match, but I haven't managed to fix it.
MY SIDE: System: PRETTY_NAME="Raspbian GNU/Linux 10 (buster)" NAME="Raspbian GNU/Linux" VERSION_ID="10" VERSION="10 (buster)"
Linux strongSwan U5.7.2/K4.19.75-v7+
ipsec statusall:
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.75-v7+, armv7l):
  uptime: 48 minutes, since Jan 27 09:23:42 2020
  malloc: sbrk 1220608, mmap 0, used 310000, free 910608
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Listening IP addresses:
  192.168.0.150
Connections:
       cisco:  %any...194.24.131.1  IKEv1
       cisco:   local:  [178.115.235.78] uses pre-shared key authentication
       cisco:   remote: [194.24.131.1] uses pre-shared key authentication
       cisco:   child:  0.0.0.0/0 === 10.0.0.0/19 TUNNEL
Security Associations (1 up, 0 connecting):
       cisco[1]: ESTABLISHED 48 minutes ago, 192.168.0.150[178.115.235.78]...194.24.131.1[194.24.131.1]
       cisco[1]: IKEv1 SPIs: 0b8b43d67511a785_i* ed782263d9e58bb4_r, pre-shared key reauthentication in 22 hours
       cisco[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="all"
    #def nat_traversal=yes

conn %default
    ikelifetime=86400s
    keylife=3600s
    keyexchange=ikev1
    authby=secret

conn cisco
    #def left=%defaultroute
    leftid=178.115.235.78
    left=%any
    #in_IP left=192.168.0.150
    leftsubnet=0.0.0.0/0
    leftfirewall=yes
    rightid=194.24.131.1
    right=194.24.131.1
    rightsubnet=10.0.0.0/19
    auto=start
    ike=aes256-sha-modp1536
    esp=aes256-sha256
    # esp=aes256-sha1
    aggressive=no
    keyingtries=%forever
ipsec.secrets:
# This file holds shared secrets or RSA private keys for authentication.
# RSA private key for this host, authenticating it to any other host
# which knows the public part.
#source(aviloo)destination(DREI)
178.115.235.78 194.24.131.1 : PSK "*******************"
include /var/lib/strongswan/ipsec.secrets.inc
iptables.rules:
# Generated by xtables-save v1.8.2 on Wed Jan 15 16:00:14 2020
*filter
:INPUT ACCEPT [747:118834]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3412:466286]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -s 178.115.235.78/32 -d 172.19.254.89/32 -i eth0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2202 -j ACCEPT
-A INPUT -d 192.168.0.150/32 -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p ah -j ACCEPT
-A INPUT -i eth0 -p esp -j ACCEPT
-A INPUT -i eth0 -m iprange --src-range 192.168.0.1-192.168.1.254 --dst-range 10.0.0.1-10.0.31.254 -j A$
-A INPUT -i eth0 -m iprange --src-range 128.0.0.1-255.255.255.254 --dst-range 10.0.0.1-10.0.31.254 -j A$
-A INPUT -i eth0 -m iprange --src-range 64.0.0.1-127.255.255.254 --dst-range 10.0.0.1-10.0.31.254 -j AC$
-A INPUT -i eth0 -m iprange --src-range 32.0.0.1-63.255.255.254 --dst-range 10.0.0.1-10.0.31.254 -j ACC$
-A INPUT -i eth0 -m iprange --src-range 16.0.0.1-31.255.255.254 --dst-range 10.0.0.1-10.0.31.254 -j ACC$
-A INPUT -i eth0 -m iprange --src-range 8.0.0.1-15.255.255.254 --dst-range 10.0.0.1-10.0.31.254 -j ACCE$
-A INPUT -i eth0 -m iprange --src-range 4.0.0.1-7.255.255.254 --dst-range 10.0.0.1-10.0.31.254 -j ACCEPT
-A INPUT -i eth0 -m iprange --src-range 2.0.0.1-3.255.255.254 --dst-range 10.0.0.1-10.0.31.254 -j ACCEPT
-A INPUT -i eth0 -m iprange --src-range 1.0.0.1-1.255.255.254 --dst-range 10.0.0.1-10.0.31.254 -j ACCEPT
-A INPUT -i eth0 -m iprange --src-range 192.168.0.1-192.168.1.254 --dst-range 10.0.0.1-10.0.31.254 -j A$
-A INPUT -p tcp -m tcp --dport 500 -j ACCEPT
-A INPUT -d 192.168.0.150/32 -i eth0 -p tcp -m tcp --dport 500 -j ACCEPT
-A FORWARD -s 10.0.0.0/19 -d 32.0.0.0/3 -i eth0 -m policy --dir in --pol ipsec --reqid 30 --proto esp -$
-A FORWARD -s 32.0.0.0/3 -d 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec --reqid 30 --proto esp $
-A FORWARD -s 10.0.0.0/19 -d 16.0.0.0/4 -i eth0 -m policy --dir in --pol ipsec --reqid 29 --proto esp -$
-A FORWARD -s 16.0.0.0/4 -d 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec --reqid 29 --proto esp $
-A FORWARD -s 10.0.0.0/19 -d 64.0.0.0/2 -i eth0 -m policy --dir in --pol ipsec --reqid 28 --proto esp -$
-A FORWARD -s 64.0.0.0/2 -d 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec --reqid 28 --proto esp $
-A FORWARD -s 10.0.0.0/19 -d 8.0.0.0/5 -i eth0 -m policy --dir in --pol ipsec --reqid 27 --proto esp -j$
-A FORWARD -s 8.0.0.0/5 -d 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec --reqid 27 --proto esp -$
-A FORWARD -s 10.0.0.0/19 -d 128.0.0.0/1 -i eth0 -m policy --dir in --pol ipsec --reqid 26 --proto esp $
-A FORWARD -s 128.0.0.0/1 -d 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec --reqid 26 --proto esp$
-A FORWARD -s 10.0.0.0/19 -d 1.0.0.0/8 -i eth0 -m policy --dir in --pol ipsec --reqid 25 --proto esp -j$
-A FORWARD -s 1.0.0.0/8 -d 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec --reqid 25 --proto esp -$
-A FORWARD -s 4.0.0.0/6 -d 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec --reqid 27 --proto esp -$
-A FORWARD -s 10.0.0.0/19 -d 4.0.0.0/6 -i eth0 -m policy --dir in --pol ipsec --reqid 27 --proto esp -j$
-A FORWARD -s 2.0.0.0/7 -d 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec --reqid 27 --proto esp -$
-A FORWARD -s 10.0.0.0/19 -d 2.0.0.0/7 -i eth0 -m policy --dir in --pol ipsec --reqid 27 --proto esp -j$
-A OUTPUT -d 192.168.0.150/32 -o eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2202 -j ACCEPT
-A OUTPUT -o eth0 -p esp -j ACCEPT
-A OUTPUT -o eth0 -p ah -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o eth0 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 2202 -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 500 -j ACCEPT
COMMIT
# Completed on Wed Jan 15 16:00:14 2020
# Generated by xtables-save v1.8.2 on Wed Jan 15 16:00:14 2020
*nat
:PREROUTING ACCEPT [277:44431]
:INPUT ACCEPT [276:44218]
:POSTROUTING ACCEPT [54:4615]
:OUTPUT ACCEPT [54:4615]
-A POSTROUTING -s 10.0.0.0/19 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.0.0/19 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/19 -j MASQUERADE
COMMIT
# Completed on Wed Jan 15 16:00:14 2020
logs:
Jan 27 09:23:42 raspberrypi charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.75-v7+, armv7l)
Jan 27 09:23:42 raspberrypi charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jan 27 09:23:42 raspberrypi charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jan 27 09:23:42 raspberrypi charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jan 27 09:23:42 raspberrypi charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jan 27 09:23:42 raspberrypi charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jan 27 09:23:42 raspberrypi charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jan 27 09:23:42 raspberrypi charon: 00[CFG] loaded IKE secret for 178.115.235.78 194.24.131.1
Jan 27 09:23:42 raspberrypi charon: 00[CFG] expanding file expression '/var/lib/strongswan/ipsec.secrets.inc' failed
Jan 27 09:23:42 raspberrypi charon: 00[LIB] loaded plugins: charon aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Jan 27 09:23:42 raspberrypi charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jan 27 09:23:42 raspberrypi charon: 00[JOB] spawning 16 worker threads
Jan 27 09:23:42 raspberrypi charon: 05[CFG] received stroke: add connection 'cisco'
Jan 27 09:23:42 raspberrypi charon: 05[CFG] added configuration 'cisco'
Jan 27 09:23:42 raspberrypi charon: 07[CFG] received stroke: initiate 'cisco'
Jan 27 09:23:42 raspberrypi charon: 07[IKE] initiating Main Mode IKE_SA cisco[1] to 194.24.131.1
Jan 27 09:23:42 raspberrypi charon: 07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Jan 27 09:23:42 raspberrypi charon: 07[NET] sending packet: from 192.168.0.150[500] to 194.24.131.1[500] (252 bytes)
Jan 27 09:23:42 raspberrypi charon: 08[NET] received packet: from 194.24.131.1[500] to 192.168.0.150[500] (108 bytes)
Jan 27 09:23:42 raspberrypi charon: 08[ENC] parsed ID_PROT response 0 [ SA V ]
Jan 27 09:23:42 raspberrypi charon: 08[IKE] received NAT-T (RFC 3947) vendor ID
Jan 27 09:23:42 raspberrypi charon: 08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
Jan 27 09:23:42 raspberrypi charon: 08[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Jan 27 09:23:42 raspberrypi charon: 08[NET] sending packet: from 192.168.0.150[500] to 194.24.131.1[500] (308 bytes)
Jan 27 09:23:42 raspberrypi charon: 09[NET] received packet: from 194.24.131.1[500] to 192.168.0.150[500] (368 bytes)
Jan 27 09:23:42 raspberrypi charon: 09[ENC] parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
Jan 27 09:23:42 raspberrypi charon: 09[IKE] received Cisco Unity vendor ID
Jan 27 09:23:42 raspberrypi charon: 09[IKE] received DPD vendor ID
Jan 27 09:23:42 raspberrypi charon: 09[ENC] received unknown vendor ID: 18:bf:85:7e:d9:e4:8b:b4:28:b8:89:6b:0a:9e:9e:08
Jan 27 09:23:42 raspberrypi charon: 09[IKE] received XAuth vendor ID
Jan 27 09:23:42 raspberrypi charon: 09[IKE] local host is behind NAT, sending keep alives
Jan 27 09:23:42 raspberrypi charon: 09[ENC] generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
Jan 27 09:23:42 raspberrypi charon: 09[NET] sending packet: from 192.168.0.150[4500] to 194.24.131.1[4500] (108 bytes)
Jan 27 09:23:42 raspberrypi charon: 10[NET] received packet: from 194.24.131.1[4500] to 192.168.0.150[4500] (92 bytes)
Jan 27 09:23:42 raspberrypi charon: 10[ENC] invalid HASH_V1 payload length, decryption failed?
Jan 27 09:23:42 raspberrypi charon: 10[ENC] could not decrypt payloads
Jan 27 09:23:42 raspberrypi charon: 10[IKE] message parsing failed
Jan 27 09:23:42 raspberrypi charon: 10[IKE] ignore malformed INFORMATIONAL request
Jan 27 09:23:42 raspberrypi charon: 10[IKE] INFORMATIONAL_V1 request with message ID 2310710256 processing failed
Jan 27 09:23:42 raspberrypi charon: 10[NET] received packet: from 194.24.131.1[4500] to 192.168.0.150[4500] (76 bytes)
Jan 27 09:23:42 raspberrypi charon: 10[ENC] parsed ID_PROT response 0 [ ID HASH ]
Jan 27 09:23:42 raspberrypi charon: 10[IKE] IKE_SA cisco[1] established between 192.168.0.150[178.115.235.78]...194.24.131.1[194.24.131.1]
Jan 27 09:23:42 raspberrypi charon: 10[IKE] scheduling reauthentication in 85473s
Jan 27 09:23:42 raspberrypi charon: 10[IKE] maximum IKE_SA lifetime 86013s
Jan 27 09:23:42 raspberrypi charon: 10[ENC] generating QUICK_MODE request 2270601801 [ HASH SA No ID ID ]
Jan 27 09:23:42 raspberrypi charon: 10[NET] sending packet: from 192.168.0.150[4500] to 194.24.131.1[4500] (204 bytes)
Jan 27 09:23:42 raspberrypi charon: 12[NET] received packet: from 194.24.131.1[4500] to 192.168.0.150[4500] (92 bytes)
Jan 27 09:23:42 raspberrypi charon: 12[ENC] parsed INFORMATIONAL_V1 request 3838561195 [ HASH N(NO_PROP) ]
Jan 27 09:23:42 raspberrypi charon: 12[IKE] received NO_PROPOSAL_CHOSEN error notify
Jan 27 09:23:43 raspberrypi kernel: [ 2726.966443] rpi_firmware_get_throttled: 3 callbacks suppressed
Jan 27 09:23:43 raspberrypi kernel: [ 2726.966450] Under-voltage detected! (0x00050005)
Jan 27 09:23:49 raspberrypi kernel: [ 2733.206531] rpi_firmware_get_throttled: 3 callbacks suppressed
Jan 27 09:23:49 raspberrypi kernel: [ 2733.206538] Voltage normalised (0x00000000)
Jan 27 09:24:06 raspberrypi charon: 06[IKE] sending keep alive to 194.24.131.1[4500]
Jan 27 09:24:26 raspberrypi charon: 07[IKE] sending keep alive to 194.24.131.1[4500]
MY SIDE:
! policy1
crypto isakmp policy 152
 encr aes 256
 hash sha
 group 5
 lifetime 86400
!
! policy2
crypto ipsec transform-set TS-AES-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto keyring C-AVILOO
  pre-shared-key address 178.115.235.78 key *****************
!
crypto map vpn 89 ipsec-isakmp
 set peer 178.115.235.78
 set transform-set TS-AES-SHA256
 set isakmp-profile C-AVILOO
 match address C-AVILOO
 reverse-route static
!
ip access-list extended C-AVILOO
 permit ip host 172.19.254.89 host 178.115.131.146
 permit ip 10.0.0.0 0.0.31.255 128.0.0.0 127.255.255.255
 permit ip 10.0.0.0 0.0.31.255 64.0.0.0 63.255.255.255
 permit ip 10.0.0.0 0.0.31.255 32.0.0.0 31.255.255.255
 permit ip 10.0.0.0 0.0.31.255 16.0.0.0 15.255.255.255
 permit ip 10.0.0.0 0.0.31.255 8.0.0.0 7.255.255.255
 permit ip 10.0.0.0 0.0.31.255 4.0.0.0 3.255.255.255
 permit ip 10.0.0.0 0.0.31.255 2.0.0.0 1.255.255.255
 permit ip 10.0.0.0 0.0.31.255 1.0.0.0 0.255.255.255
!
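An added example, not the poster's code: a small Python cross-check of the two sides as posted above. It reports which IKEv1 exchange the peer answered with the error notify (the log shows the IKE proposal being selected in Main Mode and the notify arriving only after the QUICK_MODE request, so phase 1 is fine), translates the Cisco transform-set into strongSwan's `esp=` notation and compares the two, and checks whether the conn's leftsubnet/rightsubnet equal one crypto-ACL entry exactly. That last check matters because IKEv1 Quick Mode has no traffic-selector narrowing, and a Cisco responder answers a proxy-ID mismatch with the same NO_PROPOSAL_CHOSEN notify it uses for a transform mismatch, so the strongSwan log alone does not distinguish the two. The sample inputs are constructed from the thread (syslog prefixes trimmed, ACL shortened); the function names and the `cisco_pfs` flag are my own.

```python
# Added example (not from the thread): cross-check a strongSwan IKEv1 conn against
# the Cisco transform-set and crypto ACL, and locate the rejected exchange in the log.
import ipaddress
import re

# Constructed samples modelled on the post (addresses and names as posted there).
CONN_LEFT, CONN_RIGHT, ESP_SETTING = "0.0.0.0/0", "10.0.0.0/19", "aes256-sha256"
CISCO_TRANSFORM = "crypto ipsec transform-set TS-AES-SHA256 esp-aes 256 esp-sha256-hmac"
CISCO_ACL = """
permit ip host 172.19.254.89 host 178.115.131.146
permit ip 10.0.0.0 0.0.31.255 128.0.0.0 127.255.255.255
permit ip 10.0.0.0 0.0.31.255 64.0.0.0 63.255.255.255
"""
CHARON_LOG = """
07[ENC] generating ID_PROT request 0 [ SA V V V V V ]
08[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
10[ENC] generating QUICK_MODE request 2270601801 [ HASH SA No ID ID ]
12[IKE] received NO_PROPOSAL_CHOSEN error notify
"""

def failed_exchange(log_text):
    """(exchange in flight, error notify) for the first error notify in a charon log.
    An error after the QUICK_MODE request is a phase-2 problem (ESP proposal or proxy
    IDs); the IKE_SA proposal was already selected during ID_PROT."""
    in_flight = None
    for line in log_text.splitlines():
        m = re.search(r"generating (\w+) request", line)
        if m:
            in_flight = m.group(1)
        m = re.search(r"received (\w+) error notify", line)
        if m:
            return in_flight, m.group(1)
    return in_flight, None

def cisco_transform_to_swan(transform_line):
    """Translate 'esp-aes 256 esp-sha256-hmac' into strongSwan's 'aes256-sha256'."""
    enc = re.search(r"esp-aes(?:\s+(\d+))?", transform_line)
    integ = re.search(r"esp-(md5|sha|sha256|sha384|sha512)-hmac", transform_line)
    if not enc or not integ:
        raise ValueError("unsupported transform-set: " + transform_line)
    integ_name = {"sha": "sha1"}.get(integ.group(1), integ.group(1))
    return f"aes{enc.group(1) or 128}-{integ_name}"

def esp_matches(esp_setting, transform_line, cisco_pfs=False):
    """True if one proposal in esp=... equals the Cisco transform-set. A third token
    (a DH group, e.g. aes256-sha256-modp1536) requests PFS, which the crypto map must
    also enable ('set pfs'), otherwise the Cisco side refuses the proposal."""
    expected = cisco_transform_to_swan(transform_line)
    for proposal in esp_setting.split(","):
        parts = proposal.strip().split("-")
        if "-".join(parts[:2]) == expected and (len(parts) > 2) == cisco_pfs:
            return True
    return False

def _acl_operand(tokens):
    """Consume one ACL address operand ('host A', 'any' or 'A WILDCARD') as a network."""
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    if (wildcard + 1) & wildcard:  # non-contiguous wildcard has no CIDR equivalent
        raise ValueError("non-contiguous wildcard " + tokens[1])
    net = ipaddress.ip_network(f"{tokens[0]}/{32 - wildcard.bit_length()}")
    return net, tokens[2:]

def cisco_acl_to_pairs(acl_text):
    """Each 'permit ip SRC DST' line becomes (src_net, dst_net) from the Cisco side."""
    pairs = []
    for line in acl_text.strip().splitlines():
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue
        src, rest = _acl_operand(tokens[2:])
        dst, _ = _acl_operand(rest)
        pairs.append((src, dst))
    return pairs

def selector_status(leftsubnet, rightsubnet, acl_pairs):
    """IKEv1 Quick Mode does not narrow selectors: (leftsubnet, rightsubnet) must equal
    the (dst, src) of one ACL entry exactly, as seen from the Cisco side."""
    conn = (str(ipaddress.ip_network(leftsubnet)), str(ipaddress.ip_network(rightsubnet)))
    acceptable = [(str(dst), str(src)) for src, dst in acl_pairs]
    return {"conn": conn, "exact_match": conn in acceptable,
            "acceptable_left_right": acceptable}

if __name__ == "__main__":
    print("rejected exchange:", failed_exchange(CHARON_LOG))
    print("esp= matches transform-set:", esp_matches(ESP_SETTING, CISCO_TRANSFORM))
    status = selector_status(CONN_LEFT, CONN_RIGHT, cisco_acl_to_pairs(CISCO_ACL))
    print("selectors exact match:", status["exact_match"])
    for left, right in status["acceptable_left_right"]:
        print(f"  a conn with leftsubnet={left} rightsubnet={right} would match")
```

Run as-is it reads the constructed samples; for a real case, paste the `ipsec statusall` child line, the `esp=` value, the transform-set line and the full `ip access-list` block in place of them. The last loop lists, per ACL entry, the exact leftsubnet/rightsubnet pair the Cisco side would accept, which is what an IKEv1 peer has to configure one conn at a time since there is no wildcard matching in Quick Mode.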