Linux

Strongswan:連接到 Cisco 路由器時“收到 NO_PROPOSAL_CHOSEN 錯誤通知”

  • November 16, 2018

我正在嘗試建立從帶有 Strongswan(Linux strongSwan U5.5.1/K4.14.50+)的樹莓派到 Cisco 路由器的 ipsec 連接。

這是 Strongswan 的輸出:

root@raspberrypi:~# ipsec up Ciscoios
initiating Main Mode IKE_SA Ciscoios[1] to x.x.x.138
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (180 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (104 bytes)
parsed ID_PROT response 0 [ SA V ]
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (244 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received DPD vendor ID
received unknown vendor ID: d4:35:02:b0:57:db:41:f3:0a:fc:a9:73:1f:79:b2:e4
received XAuth vendor ID
generating ID_PROT request 0 [ ID HASH ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (84 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA Ciscoios[1] established between x.x.x.118[user@domain.com]...x.x.x.138[x.x.x.138]
scheduling reauthentication in 86201s
maximum IKE_SA lifetime 86381s
generating QUICK_MODE request 3400625212 [ HASH SA No ID ID ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (172 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (84 bytes)
parsed INFORMATIONAL_V1 request 1129071936 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'Ciscoios' failed

這是 ipsec.conf:

ipsec.conf - strongSwan IPsec configuration file


config setup
   strictcrlpolicy=no
   #charondebug="ike 4, knl 4, cfg 2"    #useful debugs
   uniqueids = no



conn %default
   ikelifetime=1440m
   keylife=60m
   rekeymargin=3m
   keyingtries=1
   keyexchange=ikev1
   authby=secret

conn Ciscoios
   left=x.x.x.118
   leftid=fqdn:user@domain.com
   leftsubnet=10.10.145.0/24
   leftfirewall=no
   right=x.x.x.138
   rightsubnet=x.x.x.138/32
   rightid=x.x.x.x.138
   rightauth=psk
   leftauth=psk
   auto=add
   ike=3des-sha1-modp1024!
   esp=3des-sha1!

在 Cisco 上我配置了這個:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set ESP-NULL-MD5 esp-null esp-md5-hmac
mode transport

crypto dynamic-map TEST
description ipsecTest
set transform-set ESP-NULL-MD5 ESP-3DES-MD5
set isakmp-profile Routing
match address IPSEC

我想我可能在 ipsec.conf 中的 ike 和 esp 設置了錯誤的參數。Cisco 上的 ipsec 配置可以與另一個 Cisco 路由器作為對等點正常工作,但不能與 Raspberry Pi 一起工作。任何人都可以幫忙嗎?

strongSwan 配置中的 ESP 提案必須與 Cisco 盒子的提案相匹配,因此將其更改為esp=3des-md5!,或者修改 Cisco 配置以使用 SHA-1 作為完整性算法。

請注意,這些都是非常弱的算法。

引用自:https://serverfault.com/questions/940369