在OpenSWAN < – > ISA Server IPSec VPN上无法通过“挂起阶段2”

问题

我在Linux服务器(Ubuntu 12.04)上configurationOpenSWAN以连接到ISA Server 2004 IPSec VPN相当困难。 在configuration上显然有些问题阻碍了隧道的工作。 看起来我的一些数据包在某处丢了? 我不确定。

对方说他们身边的日志没有错。 我身边没有防火墙。 下面是/var/log/auth.log的冒犯部分(下面的更长的版本)。

 Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: STATE_MAIN_I3: sent MI3, expecting MR3 Jan 29 17:28:12 P-INV-SD07 pluto[5821]: "myconn" #1: discarding duplicate packet; already STATE_MAIN_I3 Jan 29 17:28:34 pluto[5821]: last message repeated 3 times Jan 29 17:28:42 P-INV-SD07 pluto[5821]: packet from <hispublicip>:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x8341092b Jan 29 17:28:42 P-INV-SD07 pluto[5821]: "myconn" #1: discarding duplicate packet; already STATE_MAIN_I3 

接下来是有关设置的情况下,任何人都可以帮助的详细信息:)预先感谢!

当前configuration

我build立了大多数默认参数在我们这边的连接(我尝试了一堆其他的东西,但没有什么比这更好):

 conn myconn authby=secret type=tunnel left=<hispublic> leftsubnet=<hislanip>/32 right=<mypublic> rightsubnet=<mylanip>/32 auto=start 

ipsec auto status输出:

 000 "myconn": <mylanip>/32===<mypublicip><<mypublicip>>[+S=C]...<hispublicip> <<hispublicip>>[+S=C]===<hislanip>/32; prospective erouted; eroute owner: #0 000 "myconn": myip=unset; hisip=unset; 000 "myconn": ike_life: 7200s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 000 "myconn": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0; 000 "myconn": newest ISAKMP SA: #0; newest IPsec SA: #0; 000 000 #2: "myconn":500 STATE_MAIN_I3 (sent MI3, expecting MR3); EVENT_RETRANSMIT in 18s; nodpd; idle; import:admin initiate 000 #2: pending Phase 2 for "myconn" replacing #0 

摘自/var/log/auth.log

 Jan 29 17:28:11 P-INV-SD07 pluto[5821]: loading secrets from "/etc/ipsec.secrets" Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: initiating Main Mode Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004] Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: ignoring Vendor ID payload [FRAGMENTATION] Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set to=106 Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: enabling possible NAT-traversal with method draft-ietf-ipsec-nat-t-ike-05 Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2 Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: STATE_MAIN_I2: sent MI2, expecting MR2 Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: no NAT detected Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3 Jan 29 17:28:11 P-INV-SD07 pluto[5821]: "myconn" #1: STATE_MAIN_I3: sent MI3, expecting MR3 Jan 29 17:28:12 P-INV-SD07 pluto[5821]: "myconn" #1: discarding duplicate packet; already STATE_MAIN_I3 Jan 29 17:28:34 pluto[5821]: last message repeated 3 times Jan 29 17:28:42 P-INV-SD07 pluto[5821]: packet from <hispublicip>:500: Informational Exchange is for an unknown (expired?) SA with MSGID:0x8341092b Jan 29 17:28:42 P-INV-SD07 pluto[5821]: "myconn" #1: discarding duplicate packet; already STATE_MAIN_I3 

以下是在ISA服务器端使用的configuration选项:

  • 阶段1
    • encryption:3DES
    • 完整性:SHA1
    • DH集团:第二组
  • 阶段2
    • encryption:3DES
    • 完整性:SHA1
    • 每86400秒产生一个新的密钥
    • 使用PFS:是(DH组2)

更新

我设法在OpenSWAN端运行数据包嗅探器,在ISA端启用Oakley日志 。 嗅探几乎是你所期望的:从OpenSWAN端发送的第三个数据包被ISA服务器拒绝,ISA服务器不停地发送第二个数据包,因为他认为它没有被确认。

奥克利(ISA)日志上的错误说:

 Receive: (get) SA = 0x00108cf0 from 50.57.73.135.500 2-07: 14:44:25:250:44b24 ISAKMP Header: (V1.0), len = 68 2-07: 14:44:25:250:44b24 I-COOKIE 8802248fab719171 2-07: 14:44:25:250:44b24 R-COOKIE 296787dc0ec4227a 2-07: 14:44:25:250:44b24 exchange: Oakley Main Mode 2-07: 14:44:25:250:44b24 flags: 1 ( encrypted ) 2-07: 14:44:25:250:44b24 next payload: ID 2-07: 14:44:25:250:44b24 message ID: 00000000 2-07: 14:44:25:250:44b24 invalid payload received 2-07: 14:44:25:250:44b24 Preshared key ID. Peer IP Address: <mypublicip> 2-07: 14:44:25:250:44b24 Source IP Address <hispublicip> Source IP Address Mask 255.255.255.255 Destination IP Address <mypublicip> Destination IP Address Mask 255.255.255.255 Protocol 0 Source Port 0 Destination Port 0 IKE Local Addr <hispublicip> IKE Peer Addr <mypublicip> IKE Source Port 500 IKE Destination Port 500 Peer Private Addr 2-07: 14:44:25:250:44b24 GetPacket failed 3613 

所以基本上invalid payload received ,然后GetPacket failed 3613 。 最后一个错误代码在Google上不会产生太多的信息,包括人们说他们总是这样做,一切正常。

我放弃了,我们正在build立一个本地服务器,但是我正在更新这个服务器以备将来参考,以防有人因为互联网的缘故而提供线索。

最近几天我遇到了这种情况。

这是由于两个问题。

  1. 火墙
  2. 禁用内核IP转发
  3. 预先共享密钥不匹配

对于防火墙,原来的端口500和4500被阻塞。 通过运行ipsec verify ,你可以看到是否500或4500被阻止。

/etc/sysctl.conf

net.ipv4.ip_forward更改为1

附加

 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0 net.ipv4.conf.default.accept_redirects = 0 net.ipv4.conf.default.send_redirects = 0 net.ipv4.conf.lo.accept_redirects = 0 net.ipv4.conf.lo.send_redirects = 0 net.ipv4.conf.em1.accept_redirects = 0 net.ipv4.conf.em1.send_redirects = 0 

em1是networking接口,你也许是eth0eth1

最后,在我的情况下,/ /etc/ipsec.d/ipsec.secrets中的预共享密钥被错误地用双引号括起来,导致预共享密钥不匹配。

希望它有助于某人。