服务器 Gind.cn
  1. 服务器 Gind.cn
  3. 与openswan的Ipsecconfiguration
Intereting Posts
单个目录/文件是否可以同时由两个独立的samba守护进程安全地运行? 在Windows上设置Samba共享上的文件或目录的主要组 我怎样才能防止鱿鱼被发现? tcp_wrappers可以绕过吗? 我可以在SharePoint中删除一个大型的LDF文件吗? NGINXdocker集装箱立即停止 无法编辑GPO,尽pipe是必需组的成员 安装MapServer 6.2.0后,Apache会自动失败 你为什么要用EAP-TTLS而不是PEAP? Python使用OpenStack Keystone port 5000 vm上的ejabberd不能连接到另一个xmmp服务器(iptables dnat dport 5269) (103)软件导致连接中止:代理:通过请求主体失败 安装registry文件时摆脱警告 在IIS 7.5下的经典ASP应用程序中获取模拟工作 在两台Linux服务器之间镜像VG

与openswan的Ipsecconfiguration

我尝试使用openswan作为客户端在服务器上configurationIpsec。
但接收错误 – 可能,这是身份validation错误。

我在configuration中写错了什么?

谢谢你的答案。 

#1: STATE_MAIN_I2: sent MI2, expecting MR2 003 "f-net" #1: received Vendor ID payload [Cisco-Unity] 003 "f-net" #1: received Vendor ID payload [Dead Peer Detection] 003 "f-net" #1: ignoring unknown Vendor ID payload [ca917959574c7d5aed4222a9df367018] 003 "f-net" #1: received Vendor ID payload [XAUTH] 108 "f-net" #1: STATE_MAIN_I3: sent MI3, expecting MR3 003 "f-net" #1: discarding duplicate packet; already STATE_MAIN_I3 010 "f-net" #1: STATE_MAIN_I3: retransmission; will wait 20s for response 003 "f-net" #1: discarding duplicate packet; already STATE_MAIN_I3 003 "f-net" #1: discarding duplicate packet; already STATE_MAIN_I3 003 "f-net" #1: discarding duplicate packet; already STATE_MAIN_I3 010 "f-net" #1: STATE_MAIN_I3: retransmission; will wait 40s for response 031 "f-net" #1: max number of retransmissions (2) reached STATE_MAIN_I3. Possible authentication failure: no acceptable response to our first encrypted message 000 "f-net" #1: starting keying attempt 2 of at most 3, but releasing whack

另一端 – 思科ASA。 

 parameters for my connection on our Linux server : VPN Gateway 8.*.*.* (Cisco ) Phase 1 Exchange Type Main Mode Identification Type IP Address Local ID 4.*.*.* (our Linux server IP) Remote ID 8.*.*.* (VPN server IP) Authentication PSK Pre Shared Key Diffie-Hellman Key Group DH 5 (1536 bit) or DH 2 (1024 bit) Encryption Algorithm AES 256 HMAC Function SHA-1 Lifetime 86.400 seconds / no volume limit Phase 2 Security Protocol ESP Connection Mode Tunnel Encryption Algorithm AES 256 HMAC Function SHA-1 Lifetime 3600 seconds / 4.608.000 kilobytes DPD / IKE Keepalive 15 seconds PFS off Remote Network 192.168.100.0/24 Local Network 1 10.0.0.0/16 ............... Local Network 5 
 current openswan config : # config setup klipsdebug=all plutodebug="control parsing" protostack=netkey nat_traversal=no virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12 oe=off nhelpers=0 conn f-net type=tunnel keyexchange=ike authby=secret auth=esp esp=aes256-sha1 keyingtries=3 pfs=no aggrmode=no keylife=3600s ike=aes256-sha1-modp1024 # left=4.*.*.* leftsubnet=10.0.0.0/16 leftid=4.*.*.* leftnexthop=%defaultroute right=8.*.*.* rightsubnet=192.168.100.0/24 rightid=8.*.*.* rightnexthop=%defaultroute auto=add

问题在于ESXi桥。 (位于ESXI主机上的Virt服务器与外部IP)在同一个系统上,但在nake硬件上工作(同样的SL6-RHEL6),ipsec工作正常。 

 config on our side : conn f-net type=tunnel keyexchange=ike authby=secret auth=esp esp=aes-sha1 keyingtries=3 pfs=no ike=aes256-sha1-modp1536 ## also works without it left=4*** leftsubnet=**** leftid=4*** leftnexthop=%defaultroute # correct in many situations right=8*** # Remote vitals rightsubnet=**** rightid=8*** rightnexthop=%defaultroute # correct in many situations auto=add