Linux
Strongswan: "received NO_PROPOSAL_CHOSEN error notify" when connecting to a Cisco router
I am trying to establish an IPsec connection from a Raspberry Pi running Strongswan (Linux strongSwan U5.5.1/K4.14.50+) to a Cisco router.
Here is the Strongswan output:
root@raspberrypi:~# ipsec up Ciscoios
initiating Main Mode IKE_SA Ciscoios[1] to x.x.x.138
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (180 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (104 bytes)
parsed ID_PROT response 0 [ SA V ]
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (244 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received DPD vendor ID
received unknown vendor ID: d4:35:02:b0:57:db:41:f3:0a:fc:a9:73:1f:79:b2:e4
received XAuth vendor ID
generating ID_PROT request 0 [ ID HASH ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (84 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA Ciscoios[1] established between x.x.x.118[user@domain.com]...x.x.x.138[x.x.x.138]
scheduling reauthentication in 86201s
maximum IKE_SA lifetime 86381s
generating QUICK_MODE request 3400625212 [ HASH SA No ID ID ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (172 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (84 bytes)
parsed INFORMATIONAL_V1 request 1129071936 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'Ciscoios' failed
Here is the ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file

config setup
    strictcrlpolicy=no
    #charondebug="ike 4, knl 4, cfg 2" #useful debugs
    uniqueids = no

conn %default
    ikelifetime=1440m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn Ciscoios
    left=x.x.x.118
    leftid=fqdn:user@domain.com
    leftsubnet=10.10.145.0/24
    leftfirewall=no
    right=x.x.x.138
    rightsubnet=x.x.x.138/32
    rightid=x.x.x.x.138
    rightauth=psk
    leftauth=psk
    auto=add
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
On the Cisco I have configured this:
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set ESP-NULL-MD5 esp-null esp-md5-hmac
 mode transport
crypto dynamic-map TEST
 description ipsecTest
 set transform-set ESP-NULL-MD5 ESP-3DES-MD5
 set isakmp-profile Routing
 match address IPSEC
I think I may have set the wrong parameters for ike and esp in ipsec.conf. The IPsec configuration on the Cisco works fine with another Cisco router as the peer, but not with the Raspberry Pi. Can anyone help?
The ESP proposal in the strongSwan configuration must match the one on the Cisco box, so change it to esp=3des-md5!, or modify the Cisco configuration to use SHA-1 as the integrity algorithm. Note that these are all very weak algorithms.
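A small checker that normalises the two notations and reports which strongSwan esp= proposals a Cisco IOS transform-set would accept, added here as an example and not part of the question or answer; the algorithm tables are an assumed subset of both syntaxes, and DH groups and tunnel/transport mode are deliberately not compared.

```python
# Check whether a strongSwan esp= proposal overlaps a Cisco IOS transform-set.
# Names are normalised to strongSwan spelling; only the ESP encryption and
# integrity algorithms are compared (not DH groups or tunnel/transport mode).
import re

# Keyword tables are an assumed subset of the strongSwan and IOS syntaxes.
SS_ENCR = {"des": "des", "3des": "3des", "aes": "aes128", "aes128": "aes128", "null": "null"}
SS_INTEG = {"md5": "md5", "sha": "sha1", "sha1": "sha1", "sha256": "sha256"}
IOS_ENCR = {"esp-des": "des", "esp-3des": "3des", "esp-aes": "aes128", "esp-null": "null"}
IOS_INTEG = {"esp-md5-hmac": "md5", "esp-sha-hmac": "sha1", "esp-sha256-hmac": "sha256"}

def parse_strongswan_esp(value):
    """Turn 'aes128-sha256-modp2048,3des-md5!' into [(encr, integ), ...]."""
    pairs = []
    for proposal in value.rstrip("!").split(","):
        encr = integ = None
        for token in proposal.lower().split("-"):
            encr = SS_ENCR.get(token, encr)      # DH groups etc. are ignored
            integ = SS_INTEG.get(token, integ)
        pairs.append((encr, integ))
    return pairs

def parse_ios_transform_sets(config):
    """Return {set_name: (encr, integ)} from 'crypto ipsec transform-set' lines."""
    sets = {}
    for m in re.finditer(r"crypto ipsec transform-set (\S+)((?:\s+esp-\S+)+)", config):
        encr = integ = None
        for token in m.group(2).split():
            encr = IOS_ENCR.get(token, encr)
            integ = IOS_INTEG.get(token, integ)
        sets[m.group(1)] = (encr, integ)
    return sets

def matching_proposals(esp_value, ios_config):
    """List (strongSwan pair, IOS set name) combinations both peers accept."""
    theirs = parse_ios_transform_sets(ios_config)
    return [(pair, name) for pair in parse_strongswan_esp(esp_value)
            for name, ios_pair in theirs.items() if pair == ios_pair]

# Constructed sample: the two transform-sets from the router config above
IOS_CONFIG = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set ESP-NULL-MD5 esp-null esp-md5-hmac
 mode transport
"""
```

Running matching_proposals("3des-sha1!", IOS_CONFIG) returns an empty list, which is the quick-mode NO_PROPOSAL_CHOSEN situation above, while "3des-md5!" matches ESP-3DES-MD5.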