用Openswan连接的时候报错如下:
STATE_AGGR_I1: INVALID_ID_INFORMATION
以下是tcpdump ip -i eth1 -v来监控输出的结果:
16:36:41.719027 IP (tos 0x0, ttl 245, id 36831, offset 0, flags [DF], proto UDP (17), length 388)
192.168.100.5.isakmp > test-ipsec.isakmp: isakmp 1.0 msgid 00000000: phase 1 R agg:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=1
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024))))
(ke: key len=128)
(nonce: n len=16)
(id: idtype=FQDN protoid=0 port=0 len=8 @abcd)
(vid: len=16)
(pay20)
(pay20)
(hash: len=20)
(vid: len=16)
16:36:41.755667 IP (tos 0x0, ttl 64, id 58128, offset 0, flags [DF], proto UDP (17), length 68)
test-ipsec.isakmp > 192.168.100.5.isakmp: isakmp 1.0 msgid 00000000: phase 1 I inf:
(n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN)
16:36:46.719297 IP (tos 0x0, ttl 245, id 17780, offset 0, flags [DF], proto UDP (17), length 388)
192.168.100.5.isakmp > test-ipsec.isakmp: isakmp 1.0 msgid 00000000: phase 1 R agg:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=1
(t: #1 id=ike (type=lifetype value=sec)(type=lifeduration value=0e10)(type=enc value=3des)(type=hash value=sha1)(type=auth value=preshared)(type=group desc value=modp1024))))
(ke: key len=128)
(nonce: n len=16)
(id: idtype=FQDN protoid=0 port=0 len=8 @abcd)
(vid: len=16)
(pay20)
(pay20)
(hash: len=20)
(vid: len=16)
16:36:46.755238 IP (tos 0x0, ttl 64, id 58129, offset 0, flags [DF], proto UDP (17), length 68)
test-ipsec.isakmp > 192.168.100.5.isakmp: isakmp 1.0 msgid 00000000: phase 1 I inf:
(n: doi=ipsec proto=isakmp type=NO-PROPOSAL-CHOSEN)
继续求高手指点,网络拓扑是这样的,我在Linux上跑Openswan和对端深信服的VPN连,采用基于IPsec下的net-to-net方式连,现在看预共享秘钥Openswan送过去的和深信服的对不上,在秘钥签名加了@也不行。但是从tcpdump跟踪送过去的字符一个都没有错,怎么就是不能通过呢?
我们配置的leftid或者rightid=预共享秘钥,对端设置成FQDN的方式,看跟踪的日志“(id: idtype=FQDN protoid=0 port=0 len=8 @abcd)”感觉采用的确实就是FQDN啊,而且@后面的就是预共享秘钥,为什么不能通过呢?
这个就是openswan坑爹的地方,还是配置问题,多看看日志,就找出原因了,野蛮模式对接是没有问题,我的环境是openswan在局域网内,没有做任何端口映射,深信服在功能,对接没有问题,很稳定,ID用的就是FQDN