Openswan Ubuntu malformed packet

I am trying to create an IPSec encrypted VPN tunnel from an Ubuntu server to a Cisco ASA 5540 using openswan.

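I have set up VPN connections to Cisco routers before, so this task did not seem like a big problem, but I have been stuck on this one for an unbelievable number of days.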

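I have a connection for which I need to use the following parameters (note that my_left_ip is the network IP on my end, my_left_id is my server's public IP, and my_right_ip is the VPN router's public IP):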

    conn my-conn
        type=tunnel
        authby=secret
        auth=esp
        ikelifetime=8h
        keylife=8h
        compress=no
        esp=3des128-md5
        ike=3des-md5-modp1024
        keyexchange=ike
        pfs=no
        forceencaps=yes
        # Left security gateway, subnet behind it, nexthop toward right.
        left=my_left_ip
        leftid=my_left_id
        leftsubnet=my_left_subnet
        leftnexthop=%defaultroute
        # Right security gateway, subnet behind it, nexthop toward left.
        right=my_right_ip
        rightid=my_right_ip
        rightsubnet=my_right_subnet
        rightnexthop=%defaultroute
        # To authorize this connection, but not actually start it,
        # at startup, uncomment this.
        auto=start

And my ipsec.secrets file looks like this:

    my_left_ip my_right_ip : PSK "my_shared_secret"

The other side does have the same pre-shared key, and our hash and encryption algorithms match. But I am getting the following error:

    Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: initiating Main Mode
    Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: ignoring Vendor ID payload [FRAGMENTATION c0000000]
    Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
    Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: STATE_MAIN_I2: sent MI2, expecting MR2
    Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: received Vendor ID payload [Cisco-Unity]
    Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: received Vendor ID payload [XAUTH]
    Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: ignoring unknown Vendor ID payload [4134667de0a482c8eb1dae0586c309fa]
    Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: ignoring Vendor ID payload [Cisco VPN 3000 Series]
    Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
    Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: STATE_MAIN_I3: sent MI3, expecting MR3
    Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: received Vendor ID payload [Dead Peer Detection]
    Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: Main mode peer ID is ID_IPV4_ADDR: '10.255.255.252'
    Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: we require peer to have ID 'my_right_ip', but peer declares '10.255.255.252'
    Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: sending encrypted notification INVALID_ID_INFORMATION to my_right_ip:500
    Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: next payload type of ISAKMP Hash Payload has an unknown value: 128
    Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: malformed payload in packet
    Dec 19 20:29:58 server01 pluto[30369]: | payload malformed after IV
    Dec 19 20:29:58 server01 pluto[30369]: | 00 ea ff f9 b9 c6 69 1b
    Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: sending notification PAYLOAD_MALFORMED to my_right_ip:500

This is the configuration of the Cisco router:

    object-group network DM_INLINE_NETWORK_163
     network-object host right_ip_in_subnet1
     network-object host right_ip_in_subnet2
    access-list OUTSIDE-WAN_24_cryptomap line 1 extended permit ip object-group DM_INLINE_NETWORK_163 host my_left_ip
    access-list nonatinside line 224 extended permit ip object-group DM_INLINE_NETWORK_163 host my_left_ip
    tunnel-group my_left_id type ipsec-l2l
    tunnel-group my_left_id ipsec-attributes
     pre-shared-key **********
     isakmp keepalive threshold 10 retry 2
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto map outside_map 24 match address OUTSIDE-WAN_24_cryptomap
    crypto map outside_map 24 set peer my_left_id
    crypto map outside_map 24 set transform-set ESP-3DES-MD5
    access-list OUTSIDE-WAN_24_cryptomap line 1 remark SPROXIL - USA
    no crypto map outside_map 24 set nat-t-disable

What could be causing this? Any help would be greatly appreciated.
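
Added example, not part of the original post: a short Python script that reads pluto log lines like the ones above and reports, per connection and SA, the last Main Mode state reached, the peer ID pluto required versus the one the peer declared, and the notifications pluto sent. The sample lines are copied from the log in the post; the function and field names are illustrative.

```python
import re

# Log lines copied from the post above (placeholders such as my_right_ip kept as posted).
SAMPLE_LOG = '''\
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: initiating Main Mode
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Dec 19 20:29:57 server01 pluto[30369]: "my-conn" #229: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: Main mode peer ID is ID_IPV4_ADDR: '10.255.255.252'
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: we require peer to have ID 'my_right_ip', but peer declares '10.255.255.252'
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: sending encrypted notification INVALID_ID_INFORMATION to my_right_ip:500
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: malformed payload in packet
Dec 19 20:29:58 server01 pluto[30369]: | payload malformed after IV
Dec 19 20:29:58 server01 pluto[30369]: "my-conn" #229: sending notification PAYLOAD_MALFORMED to my_right_ip:500
'''

# One pluto message: syslog prefix, then "conn" #serial: text. Debug lines ("| ...") do not match.
LINE = re.compile(r'pluto\[\d+\]: "(?P<conn>[^"]+)" #(?P<sa>\d+): (?P<msg>.*)$')
TRANSITION = re.compile(r'transition from state (\S+) to state (\S+)')
ID_MISMATCH = re.compile(r"we require peer to have ID '([^']*)', but peer declares '([^']*)'")
NOTIFY = re.compile(r'sending (?:encrypted )?notification (\S+) to (\S+)')

def summarize(log_text):
    """Group pluto messages by (connection, SA serial) and pull out the IKE facts."""
    out = {}
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # skip debug dumps and non-pluto lines
        s = out.setdefault((m['conn'], int(m['sa'])),
                           {'last_state': None, 'id_mismatch': None, 'notifications': []})
        msg = m['msg']
        if t := TRANSITION.search(msg):
            s['last_state'] = t.group(2)
        elif i := ID_MISMATCH.search(msg):
            s['id_mismatch'] = {'required': i.group(1), 'declared': i.group(2)}
        elif n := NOTIFY.search(msg):
            s['notifications'].append(n.group(1))
    return out

if __name__ == '__main__':
    for (conn, sa), s in summarize(SAMPLE_LOG).items():
        print(conn, sa, s)
```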