Vpn
站點到站點 VPN 錯誤“收到的雜湊有效負載與計算值不匹配”
我們需要訪問位於客戶端的幾台 Linux 機器。我們需要訪問客戶端機器的 Linux 機器位於雲上。
要建立的連接是站點到站點 VPN。
在重新啟動 ipsec service thru’ 命令
sudo service ipsec restart時,連接以收到的錯誤結束 Hash Payload does not match computed value不過,我們已經重新驗證了它
ipsec.secrets具有正確的密鑰,因為它是由客戶端共享的。此外,在執行命令sudo ipsec auto --up vpn時,cli 會掛起。作為網路中的蹣跚學步的孩子,我正在分享我認為可能與錯誤有關的大部分輸出。如果需要更多資訊,請告訴我。
以下資訊共享如下:
- ipsec 服務重啟的輸出
/var/log/secureipsec服務啟動時完成登錄- 配置在
ipsec.conf- 配置在
ipsec.secrets- 的輸出
ipsec.verify- 的輸出
ifconfig- 客戶和我們共享的記錄 VPN 資訊
ipsec 服務重啟的輸出
[root@gbox-1 ~]# service ipsec restart ipsec_setup: Stopping Openswan IPsec... ipsec_setup: Starting Openswan IPsec 2.6.32... ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
/var/log/secureipsec服務啟動時完成登錄[root@gbox-1 log]# tail -f secure Jul 31 23:43:24 gbox-1 sshd[3005]: pam_unix(sshd:session): session opened for user root by (uid=0) Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down Jul 31 23:43:38 gbox-1 pluto[32279]: forgetting secrets Jul 31 23:43:38 gbox-1 pluto[32279]: "vpn": deleting connection Jul 31 23:43:38 gbox-1 pluto[32279]: "vpn" #1: deleting state (STATE_AGGR_I1) Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface lo/lo ::1:500 Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth0/eth0 2001:4800:780e:510:acf:6c9b:ffd8:94cd:500 Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface lo/lo 127.0.0.1:4500 Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface lo/lo 127.0.0.1:500 Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth0/eth0 50.55.153.121:4500 Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth0/eth0 50.55.153.121:500 Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth1/eth1 10.180.3.132:4500 Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth1/eth1 10.180.3.132:500 Jul 31 23:43:40 gbox-1 ipsec__plutorun: Starting Pluto subsystem... Jul 31 23:43:40 gbox-1 pluto[3352]: nss directory plutomain: /etc/ipsec.d Jul 31 23:43:40 gbox-1 pluto[3352]: NSS Initialized Jul 31 23:43:40 gbox-1 pluto[3352]: Non-fips mode set in /proc/sys/crypto/fips_enabled Jul 31 23:43:40 gbox-1 pluto[3352]: FIPS: not a FIPS product Jul 31 23:43:40 gbox-1 pluto[3352]: FIPS HMAC integrity verification test passed Jul 31 23:43:40 gbox-1 pluto[3352]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:3352 Jul 31 23:43:40 gbox-1 pluto[3352]: Non-fips mode set in /proc/sys/crypto/fips_enabled Jul 31 23:43:40 gbox-1 pluto[3352]: LEAK_DETECTIVE support [disabled] Jul 31 23:43:40 gbox-1 pluto[3352]: OCF support for IKE [disabled] Jul 31 23:43:40 gbox-1 pluto[3352]: SAref support [disabled]: Protocol not available Jul 31 23:43:40 gbox-1 pluto[3352]: SAbind support [disabled]: Protocol not available Jul 31 23:43:40 gbox-1 pluto[3352]: NSS support [enabled] Jul 31 23:43:40 gbox-1 pluto[3352]: HAVE_STATSD notification support not compiled in Jul 31 23:43:40 gbox-1 pluto[3352]: Setting NAT-Traversal port-4500 floating to on Jul 31 23:43:40 gbox-1 pluto[3352]: port floating activation criteria nat_t=1/port_float=1 Jul 31 23:43:40 gbox-1 pluto[3352]: NAT-Traversal support [enabled] Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0) Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0) Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0) Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0) Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0) Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0) Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0) Jul 31 23:43:40 gbox-1 pluto[3352]: starting up 1 cryptographic helpers Jul 31 23:43:40 gbox-1 pluto[3352]: started helper (thread) pid=140162780645120 (fd:8) Jul 31 23:43:40 gbox-1 pluto[3352]: Kernel interface auto-pick Jul 31 23:43:40 gbox-1 pluto[3352]: Using Linux 2.6 IPsec interface code on 2.6.32-431.11.2.el6.x86_64 (experimental code) Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0) Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17) Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17) Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17) Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17) Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17) Jul 31 23:43:40 gbox-1 pluto[3352]: Could not change to directory '/etc/ipsec.d/cacerts': / Jul 31 23:43:40 gbox-1 pluto[3352]: Could not change to directory '/etc/ipsec.d/aacerts': / Jul 31 23:43:40 gbox-1 pluto[3352]: Could not change to directory '/etc/ipsec.d/ocspcerts': / Jul 31 23:43:40 gbox-1 pluto[3352]: Could not change to directory '/etc/ipsec.d/crls' Jul 31 23:43:40 gbox-1 pluto[3352]: | selinux support is NOT enabled. Jul 31 23:43:40 gbox-1 pluto[3352]: added connection description "vpn" Jul 31 23:43:40 gbox-1 pluto[3352]: listening for IKE messages Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth1/eth1 10.180.3.132:500 Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth1/eth1 10.180.3.132:4500 Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth0/eth0 50.55.153.121:500 Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth0/eth0 50.55.153.121:4500 Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface lo/lo 127.0.0.1:500 Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface lo/lo 127.0.0.1:4500 Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth0/eth0 2001:4800:780e:510:acf:6c9b:ffd8:94cd:500 Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface lo/lo ::1:500 Jul 31 23:43:40 gbox-1 pluto[3352]: loading secrets from "/etc/ipsec.secrets" Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: initiating Aggressive Mode #1, connection "vpn" Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: received Vendor ID payload [Cisco-Unity] Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: received Vendor ID payload [XAUTH] Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: received Vendor ID payload [Dead Peer Detection] Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000] Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series] Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '41.78.1.143' Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: received Hash Payload does not match computed value Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: sending notification INVALID_HASH_INFORMATION to 41.78.1.143:500 Jul 31 23:43:48 gbox-1 pluto[3352]: "vpn" #1: discarding duplicate packet; already STATE_AGGR_I1 Jul 31 23:43:56 gbox-1 pluto[3352]: "vpn" #1: discarding duplicate packet; already STATE_AGGR_I1 Jul 31 23:44:04 gbox-1 pluto[3352]: "vpn" #1: discarding duplicate packet; already STATE_AGGR_I1 Jul 31 23:44:12 gbox-1 pluto[3352]: "vpn" #1: encrypted Informational Exchange message is invalid because no key is known配置在
ipsec.confversion 2.0 config setup protostack=auto #netkey nat_traversal=yes #forceencaps=yes #plutodebug=none conn vpn type=tunnel authby=secret auto=start pfs=yes ike=3des-sha1;modp1024! phase2alg=3des-sha1; aggrmode=yes left=50.55.153.121 right=41.78.1.143 leftsubnet=10.180.3.132/255.255.128.0 leftnexthop=50.55.153.121 leftsourceip=10.180.3.132 rightsubnet=172.27.176.125/255.255.255.255 rightnexthop=41.78.1.143 rightsourceip=172.27.176.125配置在
ipsec.secrets%any %any : PSK "not_the_actual_psk"的輸出
ipsec.verify[root@gbox-1 log]# ipsec verify Checking your system to see if IPsec got installed and started correctly: Version check and ipsec on-path [OK] Linux Openswan U2.6.32/K2.6.32-431.11.2.el6.x86_64 (netkey) Checking for IPsec support in kernel [OK] SAref kernel support [N/A] NETKEY: Testing for disabled ICMP send_redirects [FAILED] Please disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will cause the sending of bogus ICMP redirects! NETKEY detected, testing for disabled ICMP accept_redirects [FAILED] Please disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will accept bogus ICMP redirects! Checking that pluto is running [OK] Pluto listening for IKE on udp 500 [OK] Pluto listening for NAT-T on udp 4500 [OK] Two or more interfaces found, checking IP forwarding [OK] Checking NAT and MASQUERADEing [OK] Checking for 'ip' command [OK] Checking /bin/sh is not /bin/dash [OK] Checking for 'iptables' command [OK] Opportunistic Encryption DNS checks: Looking for TXT in forward dns zone: gbox-1 [MISSING] Does the machine have at least one non-private address? [OK] Looking for TXT in reverse dns zone: 115.171.52.49.in-addr.arpa. [MISSING]的輸出
ifconfig[root@gbox-1 ~]# ifconfig eth0 Link encap:Ethernet HWaddr BC:76:4E:04:94:B6 inet addr:50.55.153.121 Bcast:50.55.153.255 Mask:255.255.255.0 inet6 addr: 2001:4800:780e:510:acf:6c9b:ffd8:94cd/64 Scope:Global inet6 addr: fe80::be76:acf:6c9b:ffd8/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:5843131 errors:0 dropped:0 overruns:0 frame:0 TX packets:5444379 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:1587187725 (1.4 GiB) TX bytes:1356473321 (1.2 GiB) Interrupt:246 eth1 Link encap:Ethernet HWaddr BC:76:4E:04:CA:EE inet addr:10.180.3.132 Bcast:10.180.127.255 Mask:255.255.128.0 inet6 addr: fe80::be76:5e32:fd0f:cdae/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:6554243 errors:0 dropped:0 overruns:0 frame:0 TX packets:2800 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:327739177 (312.5 MiB) TX bytes:205160 (200.3 KiB) Interrupt:245 lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:10654186 errors:0 dropped:0 overruns:0 frame:0 TX packets:10654186 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:9532400622 (8.8 GiB) TX bytes:9532400622 (8.8 GiB)客戶和我們共享的記錄 VPN 資訊
VPN 階段 1
Property | Client's VAS Device | Our VPN Device ===================================================================== Encryption Scheme | IKE | IKE Diffie-Hellman Group | Group 2 | 2 Encryption Algorithm | 3DES | 3DES Hashing Algorithm | MD5 | SHA-1 Main or Aggressive Mode | Main mode | Main Lifetime (for renegotiation) | 28800 seconds | 28800VPN 階段 2
Property | Client's VAS Device | Our VPN Device ===================================================================== Encapsulation (ESP or AH) | ESP | ESP Encryption Algorithm | 3DES | 3DES Authentication Algorithm | SHA1 | SHA1 Perfect Forward Secrecy | NO PFS | Yes, Group-2 Lifetime (for renegotiation) | 3600 seconds | 3600 Lifesize (for renegotiation) | Not Used | Key exchange for Subnets | Yes |網關設備資訊
Property | Client's VAS Device | Our VPN Device ===================================================================== IP Address | 41.78.1.143 | 50.55.153.121 VPN Device Description | Cisco ASA 5510 | OpenSwan DN Information of VPN Gateway | | (if using certificates) | NA | Encryption Domain | 172.27.176.125-126 | 10.180.3.132
另一邊有網路配置問題。這解決了。
我是OP
我注意到您解決了這個問題,但為了完成,我添加了這個答案。當您在一側啟用 PFS(完美前向保密)但在另一側未啟用時,會出現此問題。