strongSwan IKEv2 server connection from a Cisco client fails with "traffic selectors ... unacceptable", FAIL_CP_REQ, TS_UNACCEPT


I am setting up a strongSwan server (x.x.168.87) for a third-party service so they can connect their Cisco ASA 5525 using PSK authentication. Phase 1 seems to succeed from their gateway/peer (x.x.122.4), but phase 2 fails when they run a traceroute from the client (x.x.120.3) to our gateway server. The logs mention "expected a virtual IP request, sending FAILED_CP_REQUIRED" and say the "traffic selectors [are] unacceptable". Is strongSwan misconfigured, or is the cisco client unable to request an IP? Does strongSwan require the virtual IP tunnel to be created manually? The virtual IP pool appears to be available.

Thanks.

logs: /var/log/charon.log

```
05[IKE2] local endpoint changed from 10.0.0.79[500] to 10.0.0.79[4500]
05[IKE2] remote endpoint changed from x.x.122.4[500] to x.x.122.4[4500]
05[CFG1] looking for peer configs matching 10.0.0.79[%any]...x.x.122.4[x.x.122.4]
05[CFG3] peer config "ikev2-vpn", ike match: 28 (%any...%any IKEv2)
05[CFG3]   local id match: 1 (ID_ANY: )
05[CFG3]   remote id match: 1 (ID_IPV4_ADDR: 17:eb:7a:04)
05[CFG2]   candidate "ikev2-vpn", match: 1/1/28 (me/other/ike)
05[CFG1] selected peer config 'ikev2-vpn'
05[IKE1] authentication of 'x.x.122.4' with pre-shared key successful
05[IKE1] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
05[IKE1] authentication of 'x.x.168.87' (myself) with pre-shared key
05[IKE2] successfully created shared key MAC
05[IKE1] expected a virtual IP request, sending FAILED_CP_REQUIRED
05[IKE0] IKE_SA ikev2-vpn[4] established between 10.0.0.79[x.x.168.87]...x.x.122.4[x.x.122.4]
05[IKE2] IKE_SA ikev2-vpn[4] state change: CONNECTING => ESTABLISHED
05[CFG2] looking for a child config for x.x.168.87/32 === x.x.120.3/32
05[CFG2] proposing traffic selectors for us:
05[CFG2]  0.0.0.0/0
05[CFG2] proposing traffic selectors for other:
05[CFG2]  dynamic
05[IKE1] traffic selectors x.x.168.87/32 === x.x.120.3/32 unacceptable
05[IKE1] failed to establish CHILD_SA, keeping IKE_SA
05[ENC1] generating IKE_AUTH response 1 [ IDr AUTH N(FAIL_CP_REQ) N(TS_UNACCEPT) ]
```

status: ipsec statusall

```
Status of IKE charon daemon (strongSwan 5.9.13, Linux 6.8.0-1012-aws, x86_64):
  uptime: 10 days, since Aug 09 13:41:19 2024
  malloc: sbrk 2273280, mmap 0, used 1411536, free 861744
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark forecast farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Virtual IP pools (size/online/offline):
  10.10.10.0/24: 254/0/0
Listening IP addresses:
  10.0.0.79
  172.17.0.1
Connections:
   ikev2-vpn:  %any...%any  IKEv2
   ikev2-vpn:   local:  [18.213.168.87] uses pre-shared key authentication
   ikev2-vpn:   remote: uses pre-shared key authentication
   ikev2-vpn:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
   ikev2-vpn[4]: ESTABLISHED 26 hours ago, 10.0.0.79[x.x.168.87]...x.x.122.4[x.x.122.4]
   ikev2-vpn[4]: IKEv2 SPIs: 6ea097f516021b0b_i 9a04fca0e13c4ae6_r*, rekeying disabled
   ikev2-vpn[4]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
```

config: /etc/ipsec.conf

```
config setup
        charondebug="ike 1, knl 1, cfg 0"
        uniqueids=no
conn ikev2-vpn
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        rekey=no
        left=%any
        leftid=x.x.168.87
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightsourceip=10.10.10.0/24
        rightdns=8.8.8.8,8.8.4.4
        authby=secret
        ike=aes256-sha256-modp2048!
        esp=chacha20poly1305-sha512,aes256gcm16,aes256-sha256-modp2048,aes256-sha1,3des-sha1!
        eap_identity=%identity
```

config: /etc/strongswan.conf

```
charon {
        load_modular = yes
        uniqueids=never
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf
```

logs from cisco:

```
Aug 19 2024 14:14:18: %ASA-5-750001: Local:x.x.122.4:500 Remote:x.x.168.87:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: x.x.120.3-x.x.120.3 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: x.x.168.87-x.x.168.87 Protocol: 0 Port Range: 0-65535
Aug 19 2024 14:14:18: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:500 from x.x.168.87:500
Aug 19 2024 14:14:18: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:500 from x.x.168.87:500
Aug 19 2024 14:14:18: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:4500 from x.x.168.87:4500
Aug 19 2024 14:14:18: %ASA-5-750006: Local:x.x.122.4:4500 Remote:x.x.168.87:4500 Username:x.x.168.87 IKEv2 SA UP. Reason: New Connection Established
Aug 19 2024 14:14:18: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:4500 from x.x.168.87:4500
Aug 19 2024 14:14:18: %ASA-5-750007: Local:x.x.122.4:4500 Remote:x.x.168.87:4500 Username:x.x.168.87 IKEv2 SA DOWN. Reason: local failure
Aug 19 2024 14:14:19: %ASA-5-750001: Local:x.x.122.4:500 Remote:x.x.168.87:500 Username:Unknown IKEv2 Received request to establish an IPsec tunnel; local traffic selector = Address Range: x.x.120.3-x.x.120.3 Protocol: 0 Port Range: 0-65535 ; remote traffic selector = Address Range: x.x.168.87-x.x.168.87 Protocol: 0 Port Range: 0-65535
Aug 19 2024 14:14:19: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:500 from x.x.168.87:500
Aug 19 2024 14:14:19: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:500 from x.x.168.87:500
Aug 19 2024 14:14:19: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:4500 from x.x.168.87:4500
Aug 19 2024 14:14:19: %ASA-5-750006: Local:x.x.122.4:4500 Remote:x.x.168.87:4500 Username:x.x.168.87 IKEv2 SA UP. Reason: New Connection Established
Aug 19 2024 14:14:19: %ASA-7-713906: IKE Receiver: Packet received on x.x.122.4:4500 from x.x.168.87:4500
Aug 19 2024 14:14:19: %ASA-5-750007: Local:x.x.122.4:4500 Remote:x.x.168.87:4500 Username:x.x.168.87 IKEv2 SA DOWN. Reason: local failure
```

I have tried several configuration changes, including leftsourceip=%config and left- and rightsubnet=10.10.10.0/24, to no avail. I expect strongSwan to successfully assign a virtual IP so that the cisco client can connect.
Ананий
Asked 22 June 2024
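The two notifies in the IKE_AUTH response above, N(FAIL_CP_REQ) and N(TS_UNACCEPT), come from two separate responder-side checks: whether the conn expects a virtual-IP request (it does whenever rightsourceip is set) and whether the peer's proposed traffic selectors can be narrowed against the configured leftsubnet/rightsubnet (an unset rightsubnet defaults to "dynamic", the peer's own IKE address, which is what charon logged). The following Python script is an added example written for this page, not code from the question or from the strongSwan project; it emulates those two checks on the question's conn and on a hypothetical site-to-site variant with a fixed rightsubnet. The addresses are constructed documentation-range stand-ins for the redacted x.x.* values, and the emulation uses the full notify names (TS_UNACCEPTABLE) rather than charon's abbreviations.

```python
import ipaddress

# Constructed stand-in addresses (documentation ranges) for the redacted x.x.* values
# in the question; they are not the real hosts.
MY_IKE_ADDR = ipaddress.ip_address("198.51.100.87")   # stands in for x.x.168.87 (our gateway, leftid)
PEER_IKE_ADDR = ipaddress.ip_address("203.0.113.4")   # stands in for x.x.122.4 (the ASA)
PEER_HOST = ipaddress.ip_network("192.0.2.3/32")      # stands in for x.x.120.3/32 (host behind the ASA)


def resolve_ts(selector, ike_addr):
    """Turn a configured leftsubnet/rightsubnet value into a network.

    strongSwan's default for an unset subnet is 'dynamic', i.e. the endpoint's own IKE
    address as a /32, which is what charon logged as 'proposing traffic selectors for
    other: dynamic' in the question.
    """
    if selector == "dynamic":
        return ipaddress.ip_network(f"{ike_addr}/32")
    return ipaddress.ip_network(selector, strict=False)


def narrow(configured, received):
    """IKEv2 traffic-selector narrowing for single-prefix selectors.

    Two CIDR blocks that overlap are always nested, so the intersection is the smaller
    one. No overlap means there is nothing to narrow to, which charon reports as
    'traffic selectors ... unacceptable' / N(TS_UNACCEPT).
    """
    if not configured.overlaps(received):
        return None
    return received if received.subnet_of(configured) else configured


def evaluate_child_sa(conn, my_ike_addr, peer_ike_addr, received_local, received_remote,
                      peer_requested_vip):
    """Emulate the two responder-side checks seen in the question's IKE_AUTH response.

    conn: the ipsec.conf keys that matter for CHILD_SA selection.
    received_local/received_remote: the TS pair the peer proposed (our side, its side).
    Returns (notifies, narrowed_local, narrowed_remote); an empty notify list means the
    CHILD_SA would be accepted.
    """
    notifies = []
    # rightsourceip turns this conn into a virtual-IP server: the responder then insists
    # on a CP(CFG_REQUEST) from the initiator. A site-to-site peer proposing its own
    # fixed subnet never sends one, hence N(FAIL_CP_REQ).
    if "rightsourceip" in conn and not peer_requested_vip:
        notifies.append("FAILED_CP_REQUIRED")

    local_cfg = resolve_ts(conn.get("leftsubnet", "dynamic"), my_ike_addr)
    remote_cfg = resolve_ts(conn.get("rightsubnet", "dynamic"), peer_ike_addr)
    narrowed_local = narrow(local_cfg, received_local)
    narrowed_remote = narrow(remote_cfg, received_remote)
    if narrowed_local is None or narrowed_remote is None:
        notifies.append("TS_UNACCEPTABLE")
    return notifies, narrowed_local, narrowed_remote


# The conn from the question, reduced to the keys that drive the two checks.
QUESTION_CONN = {"leftsubnet": "0.0.0.0/0", "rightsourceip": "10.10.10.0/24"}

# Hypothetical alternative (not from the question): describe the ASA side as a fixed
# subnet instead of handing it a virtual IP. 192.0.2.0/24 is a constructed stand-in.
SITE_TO_SITE_CONN = {"leftsubnet": "0.0.0.0/0", "rightsubnet": "192.0.2.0/24"}

# What the ASA proposed, per the %ASA-5-750001 lines: our gateway /32 and its host /32.
RECEIVED_LOCAL = ipaddress.ip_network(f"{MY_IKE_ADDR}/32")
RECEIVED_REMOTE = PEER_HOST


def run_question_case():
    return evaluate_child_sa(QUESTION_CONN, MY_IKE_ADDR, PEER_IKE_ADDR,
                             RECEIVED_LOCAL, RECEIVED_REMOTE, peer_requested_vip=False)


def run_site_to_site_case():
    return evaluate_child_sa(SITE_TO_SITE_CONN, MY_IKE_ADDR, PEER_IKE_ADDR,
                             RECEIVED_LOCAL, RECEIVED_REMOTE, peer_requested_vip=False)


if __name__ == "__main__":
    for name, fn in (("question conn", run_question_case), ("site-to-site conn", run_site_to_site_case)):
        notifies, loc, rem = fn()
        print(f"{name}: notifies={notifies or 'none'} local={loc} remote={rem}")
```

Run stand-alone, the question's conn reproduces both notifies in the same order as the log (the CP check runs before selector matching, and x.x.120.3/32 has no overlap with the "dynamic" selector x.x.122.4/32), while the site-to-site variant narrows cleanly to the /32 pair the ASA proposed. The script only models single-prefix selectors; charon also handles port and protocol ranges and lists of selectors, which are not needed for this log.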

1 Answer
