IKEv1 phase 2 fails with NO_PROPOSAL_CHOSEN, but the ESP proposal is correct. What else can cause this failure?
I am trying to troubleshoot a strongSwan IPsec/IKEv1 VPN connection that cannot complete phase 2, failing with NO_PROPOSAL_CHOSEN.
I know the answer to this error is almost always "double-check your phase 2 proposal", but I am 100% sure the ESP proposal is correct: it is working on a Windows machine using the NCP Secure Entry Client (see the screenshot below).
From here I gather that this error can be caused by a mismatched encryption, authentication, PFS or, occasionally, lifetime proposal. But mine are correct. Is there anything else that causes NO_PROPOSAL_CHOSEN? (Unfortunately I have no access to the responder, so I cannot check the logs or change the configuration there.)
ipsec.conf:
config setup

conn VDI
    left=%any
    leftauth=psk
    leftauth2=xauth
    leftid=userfqdn:VDI
    leftsourceip=%config
    right=163.x.y.z
    rightauth=psk
    aggressive=yes
    auto=add
    dpdaction=restart
    dpddelay=20s
    keyexchange=ikev1
    lifetime=8h
    ikelifetime=8h
    modeconfig=pull
    xauth_identity=DR400
    ike=aes256-sha1-modp2048
    esp=aes256-sha2_256-modp2048
ipsec.secrets:
: PSK "zzzzzzzzzzzzzz"
DR400 : XAUTH "xxxxxxxxxx"
charon output:
~$ sudo ipsec up VDI
initiating Aggressive Mode IKE_SA VDI[1] to 163.x.y.z
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
sending packet: from 192.168.1.214[500] to 163.x.y.z[500] (547 bytes)
received packet: from 163.x.y.z[500] to 192.168.1.214[500] (556 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID V V NAT-D NAT-D V V HASH ]
received DPD vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received XAuth vendor ID
received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4e:53:34:79:49:45:4a:4f:50:54:59:77:4f:54:59:79:4f:41:3d:3d
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ HASH NAT-D NAT-D ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (108 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (124 bytes)
parsed TRANSACTION request 3540227287 [ HASH CPRQ(X_USER X_PWD X_MSG) ]
XAuth message: Please Enter Your User Name and Password :
generating TRANSACTION response 3540227287 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (92 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (124 bytes)
parsed TRANSACTION request 3540227287 [ HASH CPS(ADDR MASK DNS DNS U_DEFDOM X_STATUS) ]
XAuth authentication of 'DR400' (myself) successful
IKE_SA VDI[1] established between 192.168.1.214[VDI]...163.x.y.z[163.x.y.z]
scheduling reauthentication in 27760s
maximum IKE_SA lifetime 28300s
generating TRANSACTION response 3540227287 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (76 bytes)
generating TRANSACTION request 4217090559 [ HASH CPRQ(ADDR DNS) ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (76 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (92 bytes)
parsed TRANSACTION response 4217090559 [ HASH CPRP(ADDR DNS DNS) ]
installing DNS server 10.132.0.10 via resolvconf
installing DNS server 10.132.0.11 via resolvconf
installing new virtual IP 192.168.246.61
generating QUICK_MODE request 167394241 [ HASH SA No KE ID ID ]
sending packet: from 192.168.1.214[4500] to 163.x.y.z[4500] (444 bytes)
received packet: from 163.x.y.z[4500] to 192.168.1.214[4500] (92 bytes)
parsed INFORMATIONAL_V1 request 3483337871 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'VDI' failed
I have tried various other ESP proposals with the same result, including:
- no esp= line at all
- esp=aes256-sha2_256-modp2048!
- esp=aes256-sha2_256
- esp=aes256-sha2_256!
- esp=aes256-sha1-modp2048
I have also tried setting sha256_96 = yes in ipsec.conf, but again it made no difference.
You have not configured the remote traffic selector (rightsubnet), so it defaults to the peer's IP address. That is probably not what the peer expects (with IKEv1, the traffic selectors have to match exactly).
For a roadwarrior connection, which the other settings indicate (e.g. the virtual IP address and XAuth authentication), everything is usually tunneled. So the correct setting is rightsubnet=0.0.0.0/0.
The responder (NO_PROPOSAL_CHOSEN INVALID_ID_INFORMATION
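An added checker (not part of the question or answer, and not strongSwan's own code) that makes the answer's point testable: it parses the conn block from ipsec.conf, derives the phase 2 traffic selectors strongSwan will propose with the defaults the answer describes (no rightsubnet means the peer's own address), flags a roadwarrior conn that lacks rightsubnet, and reads the charon output to tell whether NO_PROPOSAL_CHOSEN answered the phase 1 or the phase 2 exchange. The conn text and the log lines are the question's own, abridged; the placeholder string for the virtual IP and the roadwarrior heuristic (leftsourceip=%config plus XAuth) are assumptions of this script.

```python
import re

# The conn block from the question, as pasted on one line (constructed test input).
IPSEC_CONF = ("config setup conn VDI left=%any leftauth=psk leftauth2=xauth leftid=userfqdn:VDI "
              "leftsourceip=%config right=163.x.y.z rightauth=psk aggressive=yes auto=add "
              "keyexchange=ikev1 ike=aes256-sha1-modp2048 esp=aes256-sha2_256-modp2048")
# Abridged charon output from the question (constructed sample for the log check).
CHARON_LOG = """generating AGGRESSIVE request 0 [ SA KE No ID V V V V V ]
IKE_SA VDI[1] established between 192.168.1.214[VDI]...163.x.y.z[163.x.y.z]
generating QUICK_MODE request 167394241 [ HASH SA No KE ID ID ]
received NO_PROPOSAL_CHOSEN error notify"""

def parse_conn(text, name):
    """key=value settings of `conn <name>`; works for a one-line paste or one
    setting per line (a section ends where the next conn/config line starts)."""
    m = re.search(r'\bconn\s+%s\b(.*?)(?=^\s*(?:conn|config)\s|\Z)' % re.escape(name),
                  text, re.S | re.M)
    if not m:
        raise ValueError('conn %s not found' % name)
    return dict(re.findall(r'(\w+)\s*=\s*(\S+)', m.group(1)))

def effective_ts(conn):
    """Phase 2 traffic selectors strongSwan will propose: leftsubnet defaults to the
    local address (the virtual IP when leftsourceip=%config), rightsubnet to the peer's."""
    local = conn.get('leftsubnet') or (
        '<virtual IP from responder>/32' if conn.get('leftsourceip') == '%config'
        else conn.get('left', '%any') + '/32')
    return local, conn.get('rightsubnet', conn['right'] + '/32')

def check_roadwarrior(conn):
    """(ok, message). A client that pulls a virtual IP and uses XAuth is a roadwarrior;
    IKEv1 needs an exact TS match and such gateways normally tunnel everything."""
    local, remote = effective_ts(conn)
    roadwarrior = conn.get('leftsourceip') == '%config' and 'xauth' in conn.get('leftauth2', '')
    if roadwarrior and 'rightsubnet' not in conn:
        return False, 'proposes %s <-> %s; add rightsubnet=0.0.0.0/0' % (local, remote)
    return True, 'proposes %s <-> %s' % (local, remote)

def failing_phase(log):
    """Which exchange NO_PROPOSAL_CHOSEN answered: 'phase1' after a MAIN_MODE/AGGRESSIVE
    request (IKE proposal), 'phase2' after QUICK_MODE (ESP proposal or traffic selectors)."""
    last = None
    for line in log.splitlines():
        if re.search(r'generating (AGGRESSIVE|MAIN_MODE) request', line):
            last = 'phase1'
        elif 'generating QUICK_MODE request' in line:
            last = 'phase2'
        elif 'NO_PROPOSAL_CHOSEN' in line:
            return last
    return None
```

Run against the question's data it reports the failure in phase 2 and a proposed selector pair of the virtual IP against 163.x.y.z/32, which is what the answer says the gateway does not expect.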