Назад | Перейти на главную страницу

OpenSwan на Amazon EC2 - достигнуто максимальное количество повторных передач STATE_MAIN_I3. Возможный сбой аутентификации:

Мы общаемся с одним из наших клиентов через VPN-туннель.

Раньше туннель Openswan работал отлично. Сегодня мы подключили эластичный IP к серверу и перезагрузились. С тех пор туннель не запускается.

Вот шаги, которые мы выполнили:

  1. Попросил клиента обновить наш новый IP на их конце - ВЫПОЛНЕНО

  2. Обновите ipsec.config на нашем конце - ВЫПОЛНЕНО (вот новый файл)

    nat_traversal=yes
oe=off
protostack=netkey
interfaces="%defaultroute"       
conn customer
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=52.24.154.45 <elastic-ip>
        leftsourceip=172.31.38.203 <internal-ip>
        leftnexthop=%defaultroute
        leftsubnet=172.31.0.0/16
        right=<client-public-ip>
        rightid=<client-public-ip>
        rightsubnet=<clients-subnet>
        phase2=esp
        phase2alg=3des-md5;modp1024
        ike=3des-md5;modp1024!
        ikelifetime=480m
        pfs=no
        auto=start
        rekey=yes
        keyingtries=%forever

  3. ipsec.secrets - Никаких изменений не требуется

      include /var/lib/openswan/ipsec.secrets.inc
  <client-public-ip> 0.0.0.0 %any: PSK "xxxxxxxxxxxxxx"

  4. iptables -L

  5. iptables -t нат -L

  6. ipsec auto --status

    000 using kernel interface: netkey 000 interface lo/lo ::1 000 interface lo/lo 127.0.0.1 000 interface lo/lo 127.0.0.1 000 interface eth0/eth0 172.31.38.203 000 interface eth0/eth0 172.31.38.203 000 interface eth0/eth0 52.24.154.45 000 interface eth0/eth0 52.24.154.45 000 %myid = (none) 000 debug none 000
    000 virtual_private (%priv): 000 - allowed 7 subnets: 10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 25.0.0.0/8, 203.201.213.0/24, fd00::/8, fe80::/10 000 - disallowed 0 subnets: 000 WARNING: Disallowed subnets in virtual_private= is empty. If you have 000 private address space in internal use, it should be excluded! 000
    000 algorithm ESP encrypt: id=2, name=ESP_DES, ivlen=8, keysizemin=64, keysizemax=64 000 algorithm ESP encrypt: id=3, name=ESP_3DES, ivlen=8, keysizemin=192, keysizemax=192 000 algorithm ESP encrypt: id=6, name=ESP_CAST, ivlen=8, keysizemin=40, keysizemax=128 000 algorithm ESP encrypt: id=7, name=ESP_BLOWFISH, ivlen=8, keysizemin=40, keysizemax=448 000 algorithm ESP encrypt: id=11, name=ESP_NULL, ivlen=0, keysizemin=0, keysizemax=0 000 algorithm ESP encrypt: id=12, name=ESP_AES, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=13, name=ESP_AES_CTR, ivlen=8, keysizemin=160, keysizemax=288 000 algorithm ESP encrypt: id=14, name=ESP_AES_CCM_A, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=15, name=ESP_AES_CCM_B, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=16, name=ESP_AES_CCM_C, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=18, name=ESP_AES_GCM_A, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=19, name=ESP_AES_GCM_B, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=20, name=ESP_AES_GCM_C, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=22, name=ESP_CAMELLIA, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=252, name=ESP_SERPENT, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP encrypt: id=253, name=ESP_TWOFISH, ivlen=8, keysizemin=128, keysizemax=256 000 algorithm ESP auth attr: id=1, name=AUTH_ALGORITHM_HMAC_MD5, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=2, name=AUTH_ALGORITHM_HMAC_SHA1, keysizemin=160, keysizemax=160 000 algorithm ESP auth attr: id=5, name=AUTH_ALGORITHM_HMAC_SHA2_256, keysizemin=256, keysizemax=256 000 algorithm ESP auth attr: id=6, name=AUTH_ALGORITHM_HMAC_SHA2_384, keysizemin=384, keysizemax=384 000 algorithm ESP auth attr: id=7, name=AUTH_ALGORITHM_HMAC_SHA2_512, keysizemin=512, keysizemax=512 000 algorithm ESP auth attr: id=8, name=AUTH_ALGORITHM_HMAC_RIPEMD, keysizemin=160, keysizemax=160 000 algorithm ESP auth attr: id=9, name=AUTH_ALGORITHM_AES_CBC, keysizemin=128, keysizemax=128 000 algorithm ESP auth attr: id=251, name=AUTH_ALGORITHM_NULL_KAME, keysizemin=0, keysizemax=0 000
    000 algorithm IKE encrypt: id=0, name=(null), blocksize=16, keydeflen=131 000 algorithm IKE encrypt: id=5, name=OAKLEY_3DES_CBC, blocksize=8, keydeflen=192 000 algorithm IKE encrypt: id=7, name=OAKLEY_AES_CBC, blocksize=16, keydeflen=128 000 algorithm IKE hash: id=1, name=OAKLEY_MD5, hashsize=16 000 algorithm IKE hash: id=2, name=OAKLEY_SHA1, hashsize=20 000 algorithm IKE hash: id=4, name=OAKLEY_SHA2_256, hashsize=32 000 algorithm IKE hash: id=6, name=OAKLEY_SHA2_512, hashsize=64 000 algorithm IKE dh group: id=2, name=OAKLEY_GROUP_MODP1024, bits=1024 000 algorithm IKE dh group: id=5, name=OAKLEY_GROUP_MODP1536, bits=1536 000 algorithm IKE dh group: id=14, name=OAKLEY_GROUP_MODP2048, bits=2048 000 algorithm IKE dh group: id=15, name=OAKLEY_GROUP_MODP3072, bits=3072 000 algorithm IKE dh group: id=16, name=OAKLEY_GROUP_MODP4096, bits=4096 000 algorithm IKE dh group: id=17, name=OAKLEY_GROUP_MODP6144, bits=6144 000 algorithm IKE dh group: id=18, name=OAKLEY_GROUP_MODP8192, bits=8192 000 algorithm IKE dh group: id=22, name=OAKLEY_GROUP_DH22, bits=1024 000 algorithm IKE dh group: id=23, name=OAKLEY_GROUP_DH23, bits=2048 000 algorithm IKE dh group: id=24, name=OAKLEY_GROUP_DH24, bits=2048 000
    000 stats db_ops: {curr_cnt, total_cnt, maxsz} :context={0,1,64} trans={0,1,3072} attrs={0,1,2048} 000
    000 "customer": 172.31.0.0/16===172.31.38.203[52.24.154.45]---172.31.32.1...203.201.209.98<203.201.209.98>===203.201.213.0/24; prospective erouted; eroute owner: #0 000 "customer": myip=172.31.38.203; hisip=unset; 000 "customer": ike_life: 28800s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "customer": policy: PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 16,24; interface: eth0; 000 "customer": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 "customer": IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2); flags=strict 000 "customer": IKE algorithms found: 3DES_CBC(5)_192-MD5(1)_128-MODP1024(2) 000 "customer": ESP algorithms wanted: 3DES(3)_000-MD5(1)_000; pfsgroup=MODP1024(2); flags=-strict 000 "customer": ESP algorithms loaded: 3DES(3)_192-MD5(1)_128 000
    000 #2: "customer":4500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 33s; nodpd; idle; import:admin initiate 000 #2: pending Phase 2 for "customer" replacing #0 000

  7. хвост /var/log/auth.log

    Jan 11 20:10:57 ip-172-31-38-203 ipsec__plutorun: Starting Pluto subsystem... Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: Starting Pluto (Openswan Version 2.6.38; Vendor ID OEvy\134kgzWq\134s) pid:27458 Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: LEAK_DETECTIVE support [disabled] Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: OCF support for IKE [disabled] Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: SAref support [disabled]: Protocol not available Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: SAbind support [disabled]: Protocol not available Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: NSS support [disabled] Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: HAVE_STATSD notification support not compiled in Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: Setting NAT-Traversal port-4500 floating to on Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: port floating activation criteria nat_t=1/port_float=1 Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: NAT-Traversal support [enabled] Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: using /dev/urandom as source of random entropy Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: starting up 1 cryptographic helpers Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: started helper pid=27460 (fd:6) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: Using Linux 2.6 IPsec interface code on 3.13.0-36-generic (experimental code) Jan 11 20:10:57 ip-172-31-38-203 pluto[27460]: using /dev/urandom as source of random entropy Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17) Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_add(): ERROR: algo_type '0', algo_id '0', Algorithm type already exists Jan 11 20:10:57 ip-172-31-38-203 pluto[27458]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17) Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: added connection description "customer" Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: listening for IKE messages Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 52.24.154.45:500 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 52.24.154.45:4500 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 172.31.38.203:500 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface eth0/eth0 172.31.38.203:4500 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface lo/lo 127.0.0.1:500 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface lo/lo 127.0.0.1:4500 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: adding interface lo/lo ::1:500 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: loading secrets from "/etc/ipsec.secrets" Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: loading secrets from "/var/lib/openswan/ipsec.secrets.inc" Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: initiating Main Mode Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: ignoring Vendor ID payload [FRAGMENTATION] Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: STATE_MAIN_I2: sent MI2, expecting MR2 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: i am NATed Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 Jan 11 20:10:58 ip-172-31-38-203 pluto[27458]: "customer" #1: STATE_MAIN_I3: sent MI3, expecting MR3 Jan 11 20:12:01 ip-172-31-38-203 pluto[27458]: initiate on demand from 172.31.38.203:0 to 203.201.213.58:80 proto=6 state: fos_start because: acquire Jan 11 20:12:08 ip-172-31-38-203 pluto[27458]: "customer" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message Jan 11 20:12:08 ip-172-31-38-203 pluto[27458]: "customer" #1: starting keying attempt 2 of an unlimited number

Как вы можете видеть в последних нескольких строках, проблема заключается в следующем:

"customer" # 1: максимальное количество повторных передач (2) достигло STATE_MAIN_I3. Возможный сбой аутентификации: неприемлемый ответ на наше первое зашифрованное сообщение

Может ли кто-нибудь направить нас в правильном направлении? Мы испробовали практически все возможные комбинации секретного файла и IPSec Config.

Не уверен, актуален ли он больше, но мы регулярно сталкиваемся с похожими ошибками на нашем VPN-сервере (также размещенном на AWS).

Обычно перезапуск служб с помощью этих команд решает проблему:

  • /etc/init.d/ipsec restart
  • /etc/init.d/xl2tpd restart

Но я не знаю, почему это вообще происходит. Иногда туннель VPN разрушается во время использования, и только его перезапуск позволяет снова установить соединение.