it-swarm.com.de

Strongswan: "received NO_PROPOSAL_CHOSEN error notify" when connecting to a Cisco ASA

I am trying to connect to a Cisco ASA IKEv1 VPN with StrongSwan (5.5.1-4+deb9u1) on Debian Linux with kernel 4.9.0-5-amd64. This is a classic question, and I have found many discussions on the topic and made many configuration changes, but so far nothing has helped me.

I have no access to the ASA itself, but this way I can get some basic information about its proposals:

$ sudo ike-scan -v -v ASA_IP_ADDRESS 2>&1
DEBUG: pkt len=336 bytes, bandwidth=56000 bps, int=52000 us
Starting ike-scan 1.9.4 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
--- Sending packet #1 to Host entry 1 (ASA_IP_ADDRESS) tmo 500000 us
--- Received packet #1 from ASA_IP_ADDRESS
ASA_IP_ADDRESS  Main Mode Handshake returned HDR=(CKY-R=79f5d28631ffd07f) SA=(Enc=3DES Hash=SHA1 Group=2:modp1024 Auth=PSK LifeType=Seconds LifeDuration=28800) VID=4048b7d56ebce88525e7de7f00d6c2d3c0000000 (IKE Fragmentation)
--- Removing Host entry 1 (ASA_IP_ADDRESS) - Received 104 bytes

Ending ike-scan 1.9.4: 1 hosts scanned in 0.017 seconds (57.15 hosts/sec).  1 returned handshake; 0 returned notify

This is what I see when I run the ipsec up asavpn command:

initiating Aggressive Mode IKE_SA asavpn[1] to ASA_IP_ADDRESS
generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
sending packet: from 192.168.7.117[500] to ASA_IP_ADDRESS[500] (375 bytes)
received packet: from ASA_IP_ADDRESS[500] to 192.168.7.117[500] (436 bytes)
parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
received Cisco Unity vendor ID
received XAuth vendor ID
received DPD vendor ID
received NAT-T (RFC 3947) vendor ID
received FRAGMENTATION vendor ID
received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
local host is behind NAT, sending keep alives
generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (108 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (76 bytes)
parsed TRANSACTION request 4213336740 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
generating TRANSACTION response 4213336740 [ HASH CPRP(X_USER X_PWD) ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (68 bytes)
parsed TRANSACTION request 557234584 [ HASH CPS(X_STATUS) ]
XAuth authentication of 'vpn-user123' (myself) successful
IKE_SA asavpn[1] established between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
scheduling reauthentication in 3379s
maximum IKE_SA lifetime 3559s
generating TRANSACTION response 557234584 [ HASH CPA(X_STATUS) ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (68 bytes)
generating TRANSACTION request 3340376289 [ HASH CPRQ(ADDR DNS DNS DNS U_SPLITINC U_LOCALLAN) ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (300 bytes)
parsed TRANSACTION response 3340376289 [ HASH CPRP(ADDR DNS DNS U_SPLITINC) ]
installing DNS server 172.51.2.47 to /etc/resolv.conf
installing DNS server 172.51.2.50 to /etc/resolv.conf
installing new virtual IP 172.17.254.12
generating QUICK_MODE request 2105961987 [ HASH SA No ID ID ]
sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (172 bytes)
received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (84 bytes)
parsed INFORMATIONAL_V1 request 3744028568 [ HASH D ]
received DELETE for IKE_SA asavpn[1]
deleting IKE_SA asavpn[1] between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
installing new virtual IP 172.17.254.12
establishing connection 'asavpn' failed

Here is my (trimmed) ipsec.conf:

config setup
    charondebug="ike 2, knl 2, cfg 2"
    uniqueids = yes
    strictcrlpolicy=no

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=2
    keyexchange=ikev2 # this is because I use more VPN connections than only asavpn
    mobike=yes

conn asavpn
    leftauth=psk
    leftauth2=xauth
    leftsubnet=192.168.7.0/24
    aggressive=yes
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    xauth=client
    xauth_identity="vpn-user123"
    leftid=PRZ
    keyexchange=ikev1
    leftsourceip=%config
    rightsubnet=0.0.0.0/0
    leftdns=172.51.2.47, 172.51.2.50
    right=ASA_IP_ADDRESS
    rightsubnet=0.0.0.0/0
    rightauth=psk
    auto=add

my ipsec.secrets:

vpn-user123 : XAUTH "my.passw0rd"
[email protected]%any ASA_IP_ADDRESS : PSK "secret-120-characters-long-hash"

and here is the charon log:

Feb 02 12:02:19 lenovo-pc charon[10329]: 15[CFG] received stroke: initiate 'asavpn'
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[KNL] using 192.168.7.117 as address to reach ASA_IP_ADDRESS/32
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_VENDOR task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_CERT_PRE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing AGGRESSIVE_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_CERT_POST task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing ISAKMP_NATD task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] queueing QUICK_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE]   activating ISAKMP_VENDOR task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE]   activating ISAKMP_CERT_PRE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE]   activating AGGRESSIVE_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE]   activating ISAKMP_CERT_POST task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE]   activating ISAKMP_NATD task
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending XAuth vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending DPD vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending Cisco Unity vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending FRAGMENTATION vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending NAT-T (RFC 3947) vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] initiating Aggressive Mode IKE_SA asavpn[2] to ASA_IP_ADDRESS
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] initiating Aggressive Mode IKE_SA asavpn[2] to ASA_IP_ADDRESS
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] IKE_SA asavpn[2] state change: CREATED => CONNECTING
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[ENC] generating AGGRESSIVE request 0 [ SA KE No ID V V V V V V ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[NET] sending packet: from 192.168.7.117[500] to ASA_IP_ADDRESS[500] (375 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[NET] received packet: from ASA_IP_ADDRESS[500] to 192.168.7.117[500] (436 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] parsed AGGRESSIVE response 0 [ SA KE No ID HASH V V V V NAT-D NAT-D V V ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received Cisco Unity vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received XAuth vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received DPD vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received NAT-T (RFC 3947) vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received FRAGMENTATION vendor ID
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] received unknown vendor ID: 1f:07:f7:0e:aa:65:14:d3:b0:fa:96:54:2a:50:01:00
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] selecting proposal:
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG]   proposal matches
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] received proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] configured proposals: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[CFG] selected proposal: IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] local host is behind NAT, sending keep alives
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] reinitiating already active tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE]   ISAKMP_VENDOR task
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE]   AGGRESSIVE_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] queueing MODE_CONFIG task
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] generating AGGRESSIVE request 0 [ NAT-D NAT-D HASH ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (108 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] nothing to initiate
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (76 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[ENC] parsed TRANSACTION request 3634853475 [ HASH CPRQ(X_TYPE X_USER X_PWD) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[ENC] generating TRANSACTION response 3634853475 [ HASH CPRP(X_USER X_PWD) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 14[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (68 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[ENC] parsed TRANSACTION request 2358240213 [ HASH CPS(X_STATUS) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] XAuth authentication of 'vpn-user123' (myself) successful
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] IKE_SA asavpn[2] established between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] IKE_SA asavpn[2] established between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] IKE_SA asavpn[2] state change: CONNECTING => ESTABLISHED
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] scheduling reauthentication in 3384s
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] maximum IKE_SA lifetime 3564s
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[ENC] generating TRANSACTION response 2358240213 [ HASH CPA(X_STATUS) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (68 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[IKE]   activating MODE_CONFIG task
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[ENC] generating TRANSACTION request 3672090717 [ HASH CPRQ(ADDR DNS DNS DNS U_SPLITINC U_LOCALLAN) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 08[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (100 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (300 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[ENC] parsed TRANSACTION response 3672090717 [ HASH CPRP(ADDR DNS DNS U_SPLITINC) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing INTERNAL_IP4_ADDRESS attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing INTERNAL_IP4_DNS attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] installing DNS server 172.51.2.47 to /etc/resolv.conf
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing INTERNAL_IP4_DNS attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] installing DNS server 172.51.2.50 to /etc/resolv.conf
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] processing UNITY_SPLIT_INCLUDE attribute
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[KNL] 192.168.7.117 is on interface wlp5s0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] installing new virtual IP 172.17.254.12
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[KNL] virtual IP 172.17.254.12 installed on wlp5s0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE] activating new tasks
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[IKE]   activating QUICK_MODE task
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[KNL] got SPI cc107754
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] configured proposals: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] proposing traffic selectors for us:
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG]  192.168.7.0/24
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] proposing traffic selectors for other:
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG]  0.0.0.0/0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG] changing proposed traffic selectors for other:
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[CFG]  0.0.0.0/0
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[ENC] generating QUICK_MODE request 239751605 [ HASH SA No ID ID ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 09[NET] sending packet: from 192.168.7.117[4500] to ASA_IP_ADDRESS[4500] (172 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (84 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[ENC] parsed INFORMATIONAL_V1 request 2669190869 [ HASH N(NO_PROP) ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[IKE] received NO_PROPOSAL_CHOSEN error notify
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[KNL] deleting SAD entry with SPI cc107754
Feb 02 12:02:19 lenovo-pc charon[10329]: 06[KNL] deleted SAD entry with SPI cc107754
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[NET] received packet: from ASA_IP_ADDRESS[4500] to 192.168.7.117[4500] (84 bytes)
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[ENC] parsed INFORMATIONAL_V1 request 4133932276 [ HASH D ]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] received DELETE for IKE_SA asavpn[2]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] deleting IKE_SA asavpn[2] between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] deleting IKE_SA asavpn[2] between 192.168.7.117[PRZ]...ASA_IP_ADDRESS[ASA_IP_ADDRESS]
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] removing DNS server 172.51.2.50 from /etc/resolv.conf
Feb 02 12:02:19 lenovo-pc charon[10329]: 07[IKE] removing DNS server 172.51.2.47 from /etc/resolv.conf

What could be wrong?

Thanks for any help, I appreciate it!

UPDATE:

Adding vpnc.log (for the working connection): https://Pastebin.com/KDx3HTnC

6
patok

As can be seen in the debug log of the vpnc client while parsing the Quick Mode response

PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)
next_type: 00 (ISAKMP_PAYLOAD_NONE)
length: 0020
t.number: 01
t.id: 0c (ISAKMP_IPSEC_ESP_AES)
t.attributes.type: 0001 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE)
t.attributes.u.attr_16: 0001 (IPSEC_LIFE_SECONDS)
t.attributes.type: 0002 (ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION)
t.attributes.u.lots.length: 0004
t.attributes.u.lots.data: 0020c49b
t.attributes.type: 0004 (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE)
t.attributes.u.attr_16: 0003 (IPSEC_ENCAP_UDP_TUNNEL)
t.attributes.type: 0005 (ISAKMP_IPSEC_ATTRIB_AUTH_ALG)
t.attributes.u.attr_16: 0002 (IPSEC_AUTH_HMAC_SHA)
t.attributes.type: 0006 (ISAKMP_IPSEC_ATTRIB_KEY_LENGTH)
t.attributes.u.attr_16: 0100
DONE PARSING PAYLOAD type: 03 (ISAKMP_PAYLOAD_T)

the proposal accepted by the server is actually AES with a 256-bit key as the encryption algorithm and SHA-1 as the integrity algorithm. To use the same with strongSwan, configure esp=aes256-sha1!.

3
ecdsa
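To make the answer's reading of the vpnc dump reproducible, here is an added example (not code from the original post or from strongSwan or vpnc) that parses an ISAKMP Transform payload and renders it as the strongSwan esp= string it corresponds to. The sample bytes are re-encoded by hand from the field values in the vpnc log above; the function names, the constant tables and the handling of truncated input are this example's own.

```python
import struct
# ESP transform ids (RFC 2407 / RFC 3602) and IPsec DOI authentication
# algorithm attribute values, mapped to the names strongSwan's esp= uses.
ESP_TRANSFORM_IDS = {2: "des", 3: "3des", 11: "null", 12: "aes"}
AUTH_ALGS = {1: "md5", 2: "sha1", 5: "sha256", 6: "sha384", 7: "sha512"}
ATTR_AUTH_ALG, ATTR_KEY_LENGTH = 5, 6

# Constructed sample: the transform the vpnc log above shows the ASA returning
# in its Quick Mode response, re-encoded by hand from the dumped field values.
SAMPLE_TRANSFORM = bytes.fromhex(
    "00 00 00 20"              # next payload NONE, reserved, length 0x20
    "01 0c 00 00"              # transform #1, id 0x0c = ESP_AES, reserved
    "80 01 00 01"              # SA_LIFE_TYPE = seconds (basic attribute)
    "00 02 00 04 00 20 c4 9b"  # SA_LIFE_DURATION, variable-length value
    "80 04 00 03"              # ENCAP_MODE = UDP tunnel
    "80 05 00 02"              # AUTH_ALG = HMAC-SHA
    "80 06 01 00"              # KEY_LENGTH = 256
)

def parse_transform(buf):
    """Parse one ISAKMP Transform payload (RFC 2408 section 3.6); returns
    (transform_id, {attribute_type: integer value})."""
    _np, _res, length, _num, transform_id, _res2 = struct.unpack("!BBHBBH", buf[:8])
    if length < 8 or length > len(buf):
        raise ValueError("bad transform payload length")
    attrs, off = {}, 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        af_type, val = struct.unpack("!HH", buf[off:off + 4])
        attr_type = af_type & 0x7FFF
        if af_type & 0x8000:            # AF=1: basic attribute, 2-byte value
            attrs[attr_type] = val
            off += 4
        else:                           # AF=0: variable length, val is length
            if off + 4 + val > length:
                raise ValueError("truncated attribute value")
            attrs[attr_type] = int.from_bytes(buf[off + 4:off + 4 + val], "big")
            off += 4 + val
    return transform_id, attrs

def strongswan_esp(buf):
    """Render an ESP transform as the strongSwan esp= string that matches it."""
    transform_id, attrs = parse_transform(buf)
    enc = ESP_TRANSFORM_IDS.get(transform_id)
    auth = AUTH_ALGS.get(attrs.get(ATTR_AUTH_ALG))
    if enc is None or auth is None:
        raise ValueError("transform uses algorithms not in the tables above")
    if enc == "aes":                    # key length attribute selects aes128/192/256
        enc += str(attrs[ATTR_KEY_LENGTH])
    return f"{enc}-{auth}"
```

Run against the sample it yields aes256-sha1, which is why the 3des-sha1 proposal in the question's ipsec.conf is answered with NO_PROPOSAL_CHOSEN.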