Я пытаюсь подключиться к Cisco ASA IKEv1 VPN с помощью StrongSwan (5.5.1-4 + deb9u1) в Debian Linux с ядром 4.9.0-5-amd64. Это своего рода классический вопрос, и я нашел много обсуждений на эту тему и пробовал много настроек конфигурации, но пока мне ничего не помогло.
У меня нет доступа к самому ASA, но таким образом я могу получить базовую информацию о предложениях:
$ sudo ike-scan -v -v ASA_IP_ADDRESS 2>&1
DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
--- Sending packet #1 to host entry 1 (ASA_IP_ADDRESS) tmo 500000 us
--- Received packet #1 from ASA_IP_ADDRESS
ASA_IP_ADDRESS Main Mode Handshake returned HDR=(CKY-R=79f5d28631ffd07f) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
--- Removing host entry 1 (ASA_IP_ADDRESS) - Received 104 bytes
Ending ike-scan 1.9.4: 1 hosts scanned in 0.017 seconds (57.15 hosts/sec). 1 returned handshake; 0 returned notify
Вот что я вижу, когда выдаю ipsec up asavpn
команда:
initiating Aggressive Mode IKE_SA asavpn[1] to ASA_IP_ADDRESS
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
sending packet: from 192.168.7.117[500] to ASA_IP_ADDRESS[500] (375 bytes)
received packet: from ASA_IP_ADDRESS[500] to 192.168.7.117[500] (436 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (108 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (76 bytes)
parsed TRANSACTION request 4213336740 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 4213336740 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (68 bytes)
parsed TRANSACTION request 557234584 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'vpn-user123' (myself) successful
IKE_SA asavpn[1] established between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
scheduling reauthentication in 3379s
maximum IKE_SA lifetime 3559s
generating TRANSACTION response 557234584 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (68 bytes)
generating TRANSACTION request 3340376289 [ HASH CPRQ(ADDR DNS DNS DNS U_SPLITINC U_LOCALLAN) ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (300 bytes)
parsed TRANSACTION response 3340376289 [ HASH CPRP(ADDR DNS DNS U_SPLITINC) ]
installing DNS server 172.51.2.47 to /etc/resolv.conf
installing DNS server 172.51.2.50 to /etc/resolv.conf
installing new virtual IP 172.17.254.12
generating QUICK_MODE request 2105961987 [ HASH SA No ID ID ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (172 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 3744028568 [ HASH D ]
received DELETE for IKE_SA asavpn[1]
deleting IKE_SA asavpn[1] between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
installing new virtual IP 172.17.254.12
establishing connection 'asavpn' failed
Вот мой (обрезанный) ipsec.conf:
config setup
charondebug="ike 2, knl 2, cfg 2"
uniqueids = yes
strictcrlpolicy=no
conn %default
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=2
keyexchange=ikev2 # this is because I use more VPN connections then the only asavpn
mobike=yes
conn asavpn
leftauth=psk
leftauth2=xauth
leftsubnet=192.168.7.0/24
aggressive=yes
ike=3des-sha1-modp1024!
esp=3des-sha1!
xauth=client
xauth_identity="vpn-user123"
leftid=PRZ
keyexchange=ikev1
leftsourceip=%config
rightsubnet=0.0.0.0/0
leftdns=172.51.2.47, 172.51.2.50
right=ASA_IP_ADDRESS
rightsubnet=0.0.0.0/0
rightauth=psk
auto=add
мой ipsec.secrets:
vpn-user123 : XAUTH "my.passw0rd"
PRZ@%any ASA_IP_ADDRESS : PSK "secret-120-characters-long-hash"
а вот журнал харона:
Feb 02 12:02:19 lenovo-pc charon[10329]: 15[CFG] received stroke: initiate 'asavpn'
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[KNL] using 192.168.7.117 as address to reach ASA_IP_ADDRESS/32
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_VENDOR task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_CERT_PRE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing AGGRESSIVE_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_CERT_POST task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_NATD task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing QUICK_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] activating ISAKMP_VENDOR task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] activating ISAKMP_CERT_PRE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] activating AGGRESSIVE_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] activating ISAKMP_CERT_POST task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] activating ISAKMP_NATD task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending XAuth vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending DPD vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending Cisco Unity vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending FRAGMENTATION vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending NAT-T (RFC 3947) vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] initiating Aggressive Mode IKE_SA asavpn[2] to ASA_IP_ADDRESS
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] initiating Aggressive Mode IKE_SA asavpn[2] to ASA_IP_ADDRESS
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] IKE_SA asavpn[2] state change: CREATED => CONNECTING
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[NET] sending packet: from 192.168.7.117[500] to ASA_IP_ADDRESS[500] (375 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[NET] received packet: from ASA_IP_ADDRESS[500] to 192.168.7.117[500] (436 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received Cisco Unity vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received XAuth vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received DPD vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received NAT-T (RFC 3947) vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received FRAGMENTATION vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] selecting proposal:
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] proposal matches
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] local host is behind NAT, sending keep alives
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] reinitiating already active tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] ISAKMP_VENDOR task
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] AGGRESSIVE_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] queueing MODE_CONFIG task
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (108 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] nothing to initiate
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (76 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[ENC] parsed TRANSACTION request 3634853475 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[ENC] generating TRANSACTION response 3634853475 [ HASH CPRP(X_USER X_PWD) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (68 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[ENC] parsed TRANSACTION request 2358240213 [ HASH CPS(X_STATUS) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] XAuth authentication of 'vpn-user123' (myself) successful
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] IKE_SA asavpn[2] established between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] IKE_SA asavpn[2] established between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] IKE_SA asavpn[2] state change: CONNECTING => ESTABLISHED
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] scheduling reauthentication in 3384s
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] maximum IKE_SA lifetime 3564s
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[ENC] generating TRANSACTION response 2358240213 [ HASH CPA(X_STATUS) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (68 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] activating MODE_CONFIG task
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[ENC] generating TRANSACTION request 3672090717 [ HASH CPRQ(ADDR DNS DNS DNS U_SPLITINC U_LOCALLAN) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (300 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[ENC] parsed TRANSACTION response 3672090717 [ HASH CPRP(ADDR DNS DNS U_SPLITINC) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing INTERNAL_IP4_ADDRESS attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing INTERNAL_IP4_DNS attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] installing DNS server 172.51.2.47 to /etc/resolv.conf
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing INTERNAL_IP4_DNS attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] installing DNS server 172.51.2.50 to /etc/resolv.conf
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing UNITY_SPLIT_INCLUDE attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[KNL] 192.168.7.117 is on interface wlp5s0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] installing new virtual IP 172.17.254.12
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[KNL] virtual IP 172.17.254.12 installed on wlp5s0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] activating QUICK_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[KNL] got SPI cc107754
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] proposing traffic selectors for us:
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] 192.168.7.0/24
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] proposing traffic selectors for other:
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] 0.0.0.0/0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] changing proposed traffic selectors for other:
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] 0.0.0.0/0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[ENC] generating QUICK_MODE request 239751605 [ HASH SA No ID ID ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (172 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (84 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[ENC] parsed INFORMATIONAL_V1 request 2669190869 [ HASH N(NO_PROP) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] received NO_PROPOSAL_CHOSEN error notify
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[KNL] deleting SAD entry with SPI cc107754
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[KNL] deleted SAD entry with SPI cc107754
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (84 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] parsed INFORMATIONAL_V1 request 4133932276 [ HASH D ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received DELETE for IKE_SA asavpn[2]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] deleting IKE_SA asavpn[2] between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] deleting IKE_SA asavpn[2] between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] removing DNS server 172.51.2.50 from /etc/resolv.conf
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] removing DNS server 172.51.2.47 from /etc/resolv.conf
Что могло быть не так?
Спасибо за любую помощь, я ценю это!
ОБНОВИТЬ:
Добавление vpnc.log (для рабочего соединения): https://pastebin.com/KDx3HTnC
Как видно из журнала отладки vpnc
клиент при разборе ответа быстрого режима
PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 0020
t.number: 01
t.id: 0c (ISAKMP_IPSEC_ESP_AES)
t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
t.attributes.u.lots.length: 0004
t.attributes.u.lots.data: 0020c49b
t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
t.attributes.u.attr_16: 0003 (IPSEC_ENCAP_UDP_TUNNEL)
t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
t.attributes.u.attr_16: 0002 (IPSEC_AUTH_HMAC_SHA)
t.attributes.type: 0006 (ISAKMP_IPSEC_ATTRIB_KEY_LENGTH)
t.attributes.u.attr_16: 0100
DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
предложение, принятое сервером, фактически представляет собой AES с длиной ключа 256 бит в качестве шифрования и SHA-1 в качестве алгоритма целостности. Итак, чтобы использовать то же самое с настройкой strongSwan esp=aes256-sha1!
.