Ubuntu OpenSWAN does not start phase 2 at all


I want to connect my Ubuntu 12.04 developer box to the company network. They have OpenBSD 5.1 on the router, using isakmpd. Authentication is by RSA keys only.

On my side I installed openswan (apt-get install openswan) and set it up as follows:

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        dumpdir=/var/run/pluto/
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey
        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
        #plutostderrlog=/dev/null

# Add connections here
include /etc/ipsec.d/ipsec.*.conf
The connection settings are shown here:

conn office
        auto=start
        type=tunnel
        compress=yes
        aggrmode=no
        forceencaps=yes
        left=%defaultroute
        leftid=@andrey-ubuntu.example.com
        # To get the proper rsasigkey values, use ipsec showhostkey. On left (vpgw1) run: ipsec showhostkey --left
        leftrsasigkey=0sAwEAAavfJOtpFvA......big_key
        leftca=ca.crt
        leftsendcert=always
        # Convert PEM cert to der
        # openssl x509 -in andrey-ubuntu.pem -outform DER -out andrey-ubuntu.der
        leftcert=andrey-ubuntu.der
        #
        right=4.5.3.126
        rightid=@secure1.example.com
        rightrsasigkey=0sAwEAAc92q7qKyW......big_key
        #leftupdown="ipsec _updown --route yes" # See ipsec_pluto(8) for details. Relevant only locally, other end need not agree on it.
        ike=aes256-sha1;modp2048
        phase2alg=aes256-sha1;modp2048
        ikelifetime=28800s
        authby=rsasig
        pfs=yes
        salifetime=28800s
        keyexchange=ike
My workstation is behind NAT. When I start the openswan service, I see this in my machine's log:

Sep 17 06:15:25 zentavr-ig ipsec_setup: Starting Openswan IPsec U2.6.37/K3.5.0-23-generic...
Sep 17 06:15:25 zentavr-ig ipsec_setup: Using NETKEY(XFRM) stack
Sep 17 06:15:25 zentavr-ig kernel: [19389.748253] Initializing XFRM netlink socket
Sep 17 06:15:25 zentavr-ig ipsec_setup: ...Openswan IPsec started
Sep 17 06:15:25 zentavr-ig pluto: adjusting ipsec.d to /etc/ipsec.d
Sep 17 06:15:25 zentavr-ig ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Sep 17 06:15:25 zentavr-ig rsyslogd-2177: imuxsock begins to drop messages from pid 25281 due to rate-limiting
Sep 17 06:15:25 zentavr-ig ipsec__plutorun: 002 loading certificate from andrey-ubuntu.der
Sep 17 06:15:25 zentavr-ig ipsec__plutorun: 002   loaded host cert file '/etc/ipsec.d/certs/andrey-ubuntu.der' (893 bytes)
Sep 17 06:15:25 zentavr-ig ipsec__plutorun: 002 added connection description "office"
Sep 17 06:15:25 zentavr-ig ipsec__plutorun: 104 "office" #1: STATE_MAIN_I1: initiate
And more:

root@zentavr-ig:/etc/ipsec.d# ipsec auto status
ipsec auto: warning: obsolete command syntax used
000 using kernel interface: netkey
000 interface lo/lo ::1
000 interface lo/lo 127.0.0.1
000 interface lo/lo 127.0.0.1
000 interface eth0/eth0 172.16.30.254
000 interface eth0/eth0 172.16.30.254
000 %myid = (none)
000 debug raw+crypt+parsing+emitting+control+klips+pfkey+nattraversal+x509+dpd+private
000
000 virtual_private (%priv):
000 - allowed 6 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, fd00::/8, fe80::/10
000 - disallowed 0 subnets:
000 WARNING: Disallowed subnets in virtual_private= is empty. If you have
000          private address space in internal use, it should be excluded!
000
000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64
000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192
000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128
000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448
000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0
000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288
000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256
000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256
000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384
000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512
000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160
000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128
000 algorithm ESP auth attr: id=251, name=(null), keysizemin=0, keysizemax=0
000
000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131
000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192
000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128
000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16
000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20
000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024
000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536
000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048
000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072
000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096
000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144
000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192
000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024
000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048
000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048
000
000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,3072} attrs={0,1,2048}
000
000 "office": 172.16.30.254[@andrey-ubuntu.idle-games.com,+S=C]...4.5.3.126<204.15.3.126>[@secure1.example.com,+S=C]; prospective erouted; eroute owner: #0
000 "office":     myip=unset; hisip=unset; mycert=andrey-ubuntu.der;
000 "office":   CAs: '\011'...'%any'
000 "office":   ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "office":   policy: RSASIG+ENCRYPT+COMPRESS+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK; prio: 32,32; interface: eth0;
000 "office":   dpd: action:clear; delay:0; timeout:0;
000 "office":   newest ISAKMP SA: #0; newest IPsec SA: #0;
000 "office":   IKE algorithms wanted: AES_CBC(7)_256-SHA1(2)_000-MODP2048(14); flags=-strict
000 "office":   IKE algorithms found:  AES_CBC(7)_256-SHA1(2)_160-MODP2048(14)
000 "office":   ESP algorithms wanted: AES(12)_256-SHA1(2)_000; pfsgroup=MODP2048(14); flags=-strict
000 "office":   ESP algorithms loaded: AES(12)_256-SHA1(2)_160
000
000 #1: "office":4500 STATE_MAIN_I3 (sent MI3, expecting MR3); none in -1s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #1: pending Phase 2 for "office" replacing #0
000
OpenBSD's isakmpd is configured like this:

ike passive esp tunnel                                  \
        from any to any                                 \
        main auth hmac-sha1 enc aes-256 group modp2048  \
        quick auth hmac-sha1 enc aes-256 group modp2048 \
        srcid secure1.example.com                \
        tag ipsec-$id

I would like to know: why does openSWAN not start phase 2 at all, and why do I see such strange errors on the server side? After several nights of debugging I have run out of ideas :(

The invalid flags make me wonder whether compression, or some other setting you enabled on one end, is incompatible with the other end. I myself almost always use compression=no on OpenSWAN to avoid compatibility problems.

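To check the two ends' proposals against each other before digging through pluto's debug log, here is an added example (not part of the question or the answer, and not Openswan or isakmpd code): it normalizes the ike=/phase2alg= lines of the Openswan conn and the main/quick clauses of the OpenBSD rule into comparable tuples, reports any mismatch per phase, and flags compress=yes, the setting the answer identifies as a compatibility risk. The sample inputs are constructed from the fragments quoted above; the parsers assume the simple one-proposal syntax shown there.

```python
import re

# Constructed from the two fragments quoted in the question (only the
# options relevant to proposal matching are kept).
OPENSWAN_CONN = """
conn office
        compress=yes
        ike=aes256-sha1;modp2048
        phase2alg=aes256-sha1;modp2048
        pfs=yes
"""
ISAKMPD_RULE = r"""
ike passive esp tunnel                                  \
        from any to any                                 \
        main auth hmac-sha1 enc aes-256 group modp2048  \
        quick auth hmac-sha1 enc aes-256 group modp2048 \
        srcid secure1.example.com
"""

def openswan_proposal(spec):
    """'aes256-sha1;modp2048' -> ('aes', 256, 'sha1', 'modp2048')."""
    algs, _, group = spec.partition(";")
    enc, auth = algs.split("-", 1)
    cipher, bits = re.fullmatch(r"([a-z0-9_]+?)(\d+)?", enc).groups()
    return (cipher, int(bits or 0), auth, group)

def isakmpd_proposals(text):
    """Return {'main': tuple, 'quick': tuple} from one OpenBSD ike rule."""
    flat = " ".join(l.rstrip("\\").strip() for l in text.splitlines())
    out = {}
    for phase in ("main", "quick"):
        seg = flat.split(" %s " % phase, 1)[1]          # clause for this phase
        seg = re.split(r" (?:main|quick|srcid|dstid|tag) ", seg)[0]
        auth = re.search(r"auth hmac-(\w+)", seg).group(1)
        cipher, bits = re.search(r"enc ([a-z0-9]+?)(?:-(\d+))?(?=\s|$)", seg).groups()
        group = re.search(r"group (\w+)", seg).group(1)
        out[phase] = (cipher, int(bits or 0), auth, group)
    return out

def compare_proposals(conn_text, rule_text):
    """List phase-1/phase-2 mismatches plus the compression risk from the answer."""
    conn = dict(l.strip().split("=", 1) for l in conn_text.splitlines() if "=" in l)
    peer = isakmpd_proposals(rule_text)
    mine = {p: openswan_proposal(conn[k]) for p, k in (("main", "ike"), ("quick", "phase2alg"))}
    findings = [f"{p}: ours {mine[p]} vs peer {peer[p]}"
                for p in ("main", "quick") if mine[p] != peer[p]]
    if conn.get("compress") == "yes":   # the ike rule above offers no IPComp transform
        findings.append("compress=yes: peer rule negotiates no IPComp; set compress=no")
    return findings
```

For the configuration in the question the only finding is the compression flag; changing either proposal on one side makes the per-phase mismatch show up as well.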