
Strongswan CentOS 7 to Mikrotik Router L2TP VPN "NO_PROPOSAL_CHOSEN"

I've looked through the existing questions and answers on this problem and maybe I'm missing a clue, but I don't know what else to try.

I get this output when trying to bring up the VPN from the CentOS "client":

[root@hostname etc]# strongswan up casanova_vpn
initiating Main Mode IKE_SA casanova_vpn[1] to <VPN_SERVER_PUBLIC_IP>
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from <CENTOS_7_PUBLIC_IP>[500] to <VPN_SERVER_PUBLIC_IP>[500] (176 bytes)
received packet: from <VPN_SERVER_PUBLIC_IP>[500] to <CENTOS_7_PUBLIC_IP>[500] (156 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received NAT-T (RFC 3947) vendor ID
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from <CENTOS_7_PUBLIC_IP>[500] to <VPN_SERVER_PUBLIC_IP>[500] (244 bytes)
received packet: from <VPN_SERVER_PUBLIC_IP>[500] to <CENTOS_7_PUBLIC_IP>[500] (236 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from <CENTOS_7_PUBLIC_IP>[500] to <VPN_SERVER_PUBLIC_IP>[500] (100 bytes)
received packet: from <VPN_SERVER_PUBLIC_IP>[500] to <CENTOS_7_PUBLIC_IP>[500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA casanova_vpn[1] established between <CENTOS_7_PUBLIC_IP>[<CENTOS_7_PUBLIC_IP>]...<VPN_SERVER_PUBLIC_IP>[<VPN_SERVER_PUBLIC_IP>]
scheduling reauthentication in 3394s
maximum IKE_SA lifetime 3574s
generating QUICK_MODE request 3035167021 [ HASH SA No KE ID ID ]
sending packet: from <CENTOS_7_PUBLIC_IP>[500] to <VPN_SERVER_PUBLIC_IP>[500] (300 bytes)
received packet: from <VPN_SERVER_PUBLIC_IP>[500] to <CENTOS_7_PUBLIC_IP>[500] (68 bytes)
parsed INFORMATIONAL_V1 request 3361583959 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'casanova_vpn' failed
[root@hostname etc]#

CentOS /etc/ipsec.conf: (I realise 3des-sha1-modp1024 is weak. I'll raise the levels once the tunnel works and eventually move to certificates ... trying to keep things minimal for debugging ...)

[root@hostname etc]# cat ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

# Add connections here.

# Sample VPN connections

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret
  ike=3des-sha1-modp1024!
  esp=3des-sha1-modp1024!

conn casanova_vpn
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=<VPN_SERVER_PUBLIC_IP>
[root@breezeview etc]#

Mikrotik configuration:

ppp profile:

name="Vultr_vpn" local-address=172.16.101.1 remote-address=172.16.101.2 
     use-mpls=default use-compression=default use-encryption=yes 
     only-one=default change-tcp-mss=default use-upnp=default 
     address-list="" dns-server=8.8.8.8,8.8.4.4 on-up="" on-down=""

proposal:

 2    name="vultr" auth-algorithms=sha1 enc-algorithms=3des lifetime=1h 
      pfs-group=modp1024 

policy:

 T * group=default src-address=<CENTOS_7_PUBLIC_IP/32> dst-address=<VPN_SERVER_PUBLIC_IP/32> protocol=all proposal=vultr template=yes

So ... everything lines up, in theory. In practice ... not so much.

Any ideas are greatly appreciated!
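An added example (not from the question) for reading this kind of log: a small Python classifier that walks the strongswan `up` output above in order and reports whether NO_PROPOSAL_CHOSEN arrived during Phase 1 (ISAKMP / Main Mode) or Phase 2 (Quick Mode), which tells you whether the `ike=` line or the `esp=` and traffic-selector settings are what to compare against the Mikrotik side. The sample logs are constructed: one trimmed from the output in the post, one hypothetical Phase 1 rejection.

```python
import re

# Constructed sample 1: the strongswan 'up' output from the question, trimmed to the
# lines the classifier uses (placeholders kept as in the post).
PHASE2_SAMPLE = """\
initiating Main Mode IKE_SA casanova_vpn[1] to <VPN_SERVER_PUBLIC_IP>
selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
IKE_SA casanova_vpn[1] established between <CENTOS_7_PUBLIC_IP>[<CENTOS_7_PUBLIC_IP>]...<VPN_SERVER_PUBLIC_IP>[<VPN_SERVER_PUBLIC_IP>]
generating QUICK_MODE request 3035167021 [ HASH SA No KE ID ID ]
parsed INFORMATIONAL_V1 request 3361583959 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'casanova_vpn' failed
"""

# Constructed sample 2 (hypothetical): the peer rejects the ISAKMP proposal itself, so the
# notify arrives before any IKE_SA is established and before Quick Mode begins.
PHASE1_SAMPLE = """\
initiating Main Mode IKE_SA casanova_vpn[1] to <VPN_SERVER_PUBLIC_IP>
generating ID_PROT request 0 [ SA V V V V V ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'casanova_vpn' failed
"""

def classify_ikev1_failure(log_text):
    """Walk strongswan output in order and say which IKEv1 phase sent NO_PROPOSAL_CHOSEN.

    phase1 = Main/Aggressive Mode (ISAKMP SA: the ike= line); phase2 = Quick Mode
    (ESP/AH SA and traffic selectors: esp=, type=, left/rightprotoport=).
    """
    result = {"conn": None, "ike_proposal": None, "phase": None}
    ike_sa_up = False
    quick_mode_started = False
    for line in log_text.splitlines():
        m = re.search(r"initiating (?:Main|Aggressive) Mode IKE_SA (\S+)\[\d+\]", line)
        if m:
            result["conn"] = m.group(1)
        m = re.search(r"selected proposal: IKE:(\S+)", line)
        if m:
            result["ike_proposal"] = m.group(1)  # the Phase 1 transform the peer accepted
        if re.search(r"IKE_SA \S+\[\d+\] established", line):
            ike_sa_up = True
        if "QUICK_MODE" in line:
            quick_mode_started = True
        if "NO_PROPOSAL_CHOSEN" in line:
            # A rejection after the ISAKMP SA is up and Quick Mode has begun targets the
            # ESP proposal or traffic selectors, not the IKE algorithms.
            result["phase"] = "phase2" if (ike_sa_up and quick_mode_started) else "phase1"
    return result
```

For the output in the post the classifier returns phase2: the IKE proposal was accepted and the tunnel failed only when the ESP SA and selectors were proposed.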