I have a wireless gateway that supports site-to-site IPsec. I have configured openswan on Ubuntu Server 12.04 (the left side of the tunnel) using /etc/ipsec.conf:
    version 2.0

    config setup
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        oe=off
        protostack=netkey

    conn net-to-net
        authby=secret
        left=192.168.0.11
        leftsubnet=10.1.0.0/16
        leftsourceip=10.1.0.1
        right=%any
        rightsubnet=192.168.127.0/24
        rightsourceip=192.168.127.254
        auto=add
I have configured the wireless gateway (the right side of the tunnel) in the same way. I am using main mode (not aggressive mode) for IKE phase 1, but it appears to fail before it gets to phase 2. Any idea why?
Here is the tcpdump output:
    # tcpdump -vv -i eth0 udp port 500 or udp port 4500
    tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
    00:11:26.042928 IP (tos 0x0, ttl 235, id 39655, offset 0, flags [none], proto UDP (17), length 196)
        74.198.87.62.44248 > 192.168.0.11.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 7d88f683ff25b40a->0000000000000000: phase 1 I ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=md5)(type=auth value=preshared)(type=group desc value=modp1536)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)))) (vid: len=16) (vid: len=16) (vid: len=16) (vid: len=16)
    00:11:26.044511 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 172)
        192.168.0.11.isakmp > 74.198.87.62.44248: [bad udp cksum 0x6361 -> 0x70a3!] isakmp 1.0 msgid 00000000 cookie 7d88f683ff25b40a->6569330ef208fe4d: phase 1 R ident: (sa: doi=ipsec situation=identity (p: #1 protoid=isakmp transform=1 (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=md5)(type=auth value=preshared)(type=group desc value=modp1536)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)))) (vid: len=12) (vid: len=16) (vid: len=16)
    00:11:26.683227 IP (tos 0x0, ttl 235, id 39656, offset 0, flags [none], proto UDP (17), length 312)
        74.198.87.62.44248 > 192.168.0.11.isakmp: [udp sum ok] isakmp 1.0 msgid 00000000 cookie 7d88f683ff25b40a->6569330ef208fe4d: phase 1 I ident: (ke: key len=192) (nonce: n len=16 data=(7d88f683ff25b40ac37b...00000014471b8027b9d2d76240f4329456eb22db)) (pay20) (pay20)
    00:11:26.688968 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 312)
        192.168.0.11.isakmp > 74.198.87.62.44248: [bad udp cksum 0x63ed -> 0x4fc7!] isakmp 1.0 msgid 00000000 cookie 7d88f683ff25b40a->6569330ef208fe4d: phase 1 R ident: (ke: key len=192) (nonce: n len=16 data=(aaeeb24d4daa1e07f949...00000014637d4a0b75f97e0f771664cd9ac0d818)) (pay20) (pay20)
    00:11:36.704351 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 312)
        192.168.0.11.isakmp > 74.198.87.62.44248: [bad udp cksum 0x63ed -> 0x4fc7!] isakmp 1.0 msgid 00000000 cookie 7d88f683ff25b40a->6569330ef208fe4d: phase 1 R ident: (ke: key len=192) (nonce: n len=16 data=(aaeeb24d4daa1e07f949...00000014637d4a0b75f97e0f771664cd9ac0d818)) (pay20) (pay20)
    00:11:56.165304 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 312)
        192.168.0.11.isakmp > 74.198.87.62.44248: [bad udp cksum 0x63ed -> 0x4fc7!] isakmp 1.0 msgid 00000000 cookie 7d88f683ff25b40a->6569330ef208fe4d: phase 1 R ident: (ke: key len=192) (nonce: n len=16 data=(aaeeb24d4daa1e07f949...00000014637d4a0b75f97e0f771664cd9ac0d818)) (pay20) (pay20)
The right side of the tunnel is trying to bring the tunnel up using main mode IKE phase 1. Main mode consists of three two-way exchanges. OpenSWAN answers the first two exchanges, but for some reason the right side never starts the third exchange. What could be failing at this point in the process?
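To make the stall in the capture above visible mechanically, here is an added example (not from the question or from openswan) that walks tcpdump's ISAKMP lines, tracks how far each side of a main-mode negotiation got, and counts responder retransmits. The sample lines are constructed from the capture in the question with payload detail trimmed; the regex assumes tcpdump's usual rendering of `(sa:` for exchange 1, `(ke:` for exchange 2 and `ident[E]:` for the encrypted third exchange.

```python
import re
from collections import Counter

# Constructed sample, trimmed from the question's capture: exchanges 1 and 2 complete, then
# the responder (192.168.0.11) retransmits its KE/nonce reply twice and nothing else arrives.
SAMPLE = """\
00:11:26.042928 IP 74.198.87.62.44248 > 192.168.0.11.isakmp: isakmp 1.0 msgid 00000000 cookie 7d88f683ff25b40a->0000000000000000: phase 1 I ident: (sa: doi=ipsec)
00:11:26.044511 IP 192.168.0.11.isakmp > 74.198.87.62.44248: isakmp 1.0 msgid 00000000 cookie 7d88f683ff25b40a->6569330ef208fe4d: phase 1 R ident: (sa: doi=ipsec)
00:11:26.683227 IP 74.198.87.62.44248 > 192.168.0.11.isakmp: isakmp 1.0 msgid 00000000 cookie 7d88f683ff25b40a->6569330ef208fe4d: phase 1 I ident: (ke: key len=192) (nonce: n len=16)
00:11:26.688968 IP 192.168.0.11.isakmp > 74.198.87.62.44248: isakmp 1.0 msgid 00000000 cookie 7d88f683ff25b40a->6569330ef208fe4d: phase 1 R ident: (ke: key len=192) (nonce: n len=16)
00:11:36.704351 IP 192.168.0.11.isakmp > 74.198.87.62.44248: isakmp 1.0 msgid 00000000 cookie 7d88f683ff25b40a->6569330ef208fe4d: phase 1 R ident: (ke: key len=192) (nonce: n len=16)
00:11:56.165304 IP 192.168.0.11.isakmp > 74.198.87.62.44248: isakmp 1.0 msgid 00000000 cookie 7d88f683ff25b40a->6569330ef208fe4d: phase 1 R ident: (ke: key len=192) (nonce: n len=16)
"""
# Assumed tcpdump rendering: "(sa:" first payload = exchange 1, "(ke:" = exchange 2,
# "ident[E]:" = the encrypted third exchange (ID/HASH).
MSG = re.compile(r"cookie (?P<icookie>[0-9a-f]{16})->[0-9a-f]{16}: phase 1 (?P<role>[IR]) "
                 r"ident(?P<enc>\[E\])?:(?: \((?P<first>\w+):)?")

def exchange_of(m):
    """Map one main-mode message to its exchange number: 1=SA, 2=KE/nonce, 3=ID/HASH."""
    if m.group("enc"):
        return 3
    return {"sa": 1, "ke": 2}.get(m.group("first"), 0)

def main_mode_progress(capture):
    """Per initiator cookie: furthest exchange each side sent, plus per-message counts."""
    progress = {}
    for line in capture.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        st = progress.setdefault(m.group("icookie"), {"I": 0, "R": 0, "seen": Counter()})
        ex = exchange_of(m)
        st[m.group("role")] = max(st[m.group("role")], ex)
        st["seen"][(m.group("role"), ex)] += 1   # >1 for the same pair means a retransmit
    return progress

def diagnose(st):
    """Explain where one cookie's main-mode negotiation stalled."""
    retrans = sum(n - 1 for n in st["seen"].values() if n > 1)
    if st["R"] == 2 and st["I"] == 2 and retrans:
        return ("stalled before exchange 3: responder retransmitted its KE/nonce reply "
                f"{retrans}x, initiator never sent the encrypted ID/HASH message")
    if st["I"] == 3 and st["R"] < 3:
        return "stalled in exchange 3: responder did not answer the ID/HASH message"
    return "phase 1 exchanges completed" if st["R"] == 3 else "incomplete"

if __name__ == "__main__":
    for cookie, st in main_mode_progress(SAMPLE).items():
        print(cookie, diagnose(st))
```

On the real capture the script is run over `tcpdump -vv` output piped through it; the diagnosis for the sample is that the initiator stopped after receiving the KE/nonce reply, which is the same point the question identifies.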