Libreswan does not connect to a Cisco IPsec tunnel - PullRequest
0 votes
/ 07 October 2019

I changed the libreswan public IP to "8.8.8.8" for obvious reasons. My Cisco router sits behind ISP NAT, so I have control over their dynamically assigned public IP. My goal is to reach my public IP address through the IPsec VPN tunnel (server) that I run in AWS. Then I get remote access to my home server, cameras, etc.

Oct  7 17:14:21.111: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.21.2:500, remote= 8.8.8.8:500,
    local_proxy= 192.168.21.2/255.255.255.255/17/1701,
    remote_proxy= 8.8.8.8/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Oct  7 17:14:21.111: ISAKMP:(0): SA request profile is (NULL)
Oct  7 17:14:21.111: ISAKMP: Created a peer struct for 8.8.8.8, peer port 500
Oct  7 17:14:21.111: ISAKMP: New peer created peer = 0x11BC8440 peer_handle = 0x80001410
Oct  7 17:14:21.111: ISAKMP: Locking peer struct 0x11BC8440, refcount 1 for isakmp_initiator
Oct  7 17:14:21.111: ISAKMP: local port 500, remote port 500
Oct  7 17:14:21.111: ISAKMP: set new node 0 to QM_IDLE
Oct  7 17:14:21.111: ISAKMP:(0):insert sa successfully sa = 11DD1A74
Oct  7 17:14:21.111: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Oct  7 17:14:21.111: ISAKMP:(0):found peer pre-shared key matching 8.8.8.8
Oct  7 17:14:21.111: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct  7 17:14:21.111: ISAKMP:(0): constructed NAT-T vendor-07 ID
Oct  7 17:14:21.111: ISAKMP:(0): constructed NAT-T vendor-03 ID
Oct  7 17:14:21.111: ISAKMP:(0): constructed NAT-T vendor-02 ID
Oct  7 17:14:21.111: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct  7 17:14:21.111: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Oct  7 17:14:21.111: ISAKMP:(0): beginning Main Mode exchange
Oct  7 17:14:21.111: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:14:21.111: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:14:31.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:14:31.111: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct  7 17:14:31.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:14:31.111: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:14:31.111: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:14:41.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:14:41.111: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct  7 17:14:41.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:14:41.111: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:14:41.111: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:14:51.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:14:51.111: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Oct  7 17:14:51.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:14:51.111: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:14:51.111: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:14:51.111: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,
  (identity) local= 192.168.21.2:0, remote= 8.8.8.8:0,
    local_proxy= 192.168.21.2/255.255.255.255/17/1701,
    remote_proxy= 8.8.8.8/255.255.255.255/17/1701
Oct  7 17:14:51.111: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.21.2:500, remote= 8.8.8.8:500,
    local_proxy= 192.168.21.2/255.255.255.255/17/1701,
    remote_proxy= 8.8.8.8/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Oct  7 17:14:51.111: ISAKMP: set new node 0 to QM_IDLE
Oct  7 17:14:51.111: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 192.168.21.2, remote 8.8.8.8)
Oct  7 17:14:51.111: ISAKMP: Error while processing SA request: Failed to initialize SA
Oct  7 17:14:51.111: ISAKMP: Error while processing KMI message 0, error 2.
Oct  7 17:15:01.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:15:01.111: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Oct  7 17:15:01.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:15:01.111: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:15:01.111: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:15:11.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:15:11.111: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct  7 17:15:11.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:15:11.111: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:15:11.111: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:15:21.111: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 2,
  (identity) local= 192.168.21.2:0, remote= 8.8.8.8:0,
    local_proxy= 192.168.21.2/255.255.255.255/17/1701,
    remote_proxy= 8.8.8.8/255.255.255.255/17/1701
Oct  7 17:15:21.111: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:15:21.111: ISAKMP:(0):peer does not do paranoid keepalives.

Oct  7 17:15:21.111: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 8.8.8.8)
Oct  7 17:15:21.111: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 8.8.8.8)
Oct  7 17:15:21.111: ISAKMP: Unlocking peer struct 0x11BC8440 for isadb_mark_sa_deleted(), count 0
Oct  7 17:15:21.111: ISAKMP: Deleting peer node by peer_reap for 8.8.8.8: 11BC8440
Oct  7 17:15:21.111: ISAKMP:(0):deleting node 1139952207 error FALSE reason "IKE deleted"
Oct  7 17:15:21.111: ISAKMP:(0):deleting node -254195246 error FALSE reason "IKE deleted"
Oct  7 17:15:21.111: ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PHASE1_DEL
Oct  7 17:15:21.111: ISAKMP:(0):Old State = IKE_I_MM1  New State = IKE_DEST_SA

Oct  7 17:15:21.111: IPSEC(key_engine): got a queue event with 1 KMI message(s)
Oct  7 17:15:40.087: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.21.2:500, remote= 8.8.8.8:500,
    local_proxy= 192.168.21.2/255.255.255.255/17/1701,
    remote_proxy= 8.8.8.8/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Oct  7 17:15:40.087: ISAKMP:(0): SA request profile is (NULL)
Oct  7 17:15:40.087: ISAKMP: Created a peer struct for 8.8.8.8, peer port 500
Oct  7 17:15:40.087: ISAKMP: New peer created peer = 0x11B902AC peer_handle = 0x80000087
Oct  7 17:15:40.087: ISAKMP: Locking peer struct 0x11B902AC, refcount 1 for isakmp_initiator
Oct  7 17:15:40.087: ISAKMP: local port 500, remote port 500
Oct  7 17:15:40.087: ISAKMP: set new node 0 to QM_IDLE
Oct  7 17:15:40.087: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = 20B5EA4
Oct  7 17:15:40.087: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
Oct  7 17:15:40.087: ISAKMP:(0):found peer pre-shared key matching 8.8.8.8
Oct  7 17:15:40.087: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
Oct  7 17:15:40.087: ISAKMP:(0): constructed NAT-T vendor-07 ID
Oct  7 17:15:40.087: ISAKMP:(0): constructed NAT-T vendor-03 ID
Oct  7 17:15:40.087: ISAKMP:(0): constructed NAT-T vendor-02 ID
Oct  7 17:15:40.087: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
Oct  7 17:15:40.087: ISAKMP:(0):Old State = IKE_READY  New State = IKE_I_MM1

Oct  7 17:15:40.087: ISAKMP:(0): beginning Main Mode exchange
Oct  7 17:15:40.087: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:15:40.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:15:50.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:15:50.087: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct  7 17:15:50.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:15:50.087: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:15:50.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:16:00.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:16:00.087: ISAKMP (0): incrementing error counter on sa, attempt 2 of 5: retransmit phase 1
Oct  7 17:16:00.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:16:00.087: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:16:00.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:16:10.087: IPSEC:(SESSION ID = 1) (key_engine) request timer fired: count = 1,
  (identity) local= 192.168.21.2:0, remote= 8.8.8.8:0,
    local_proxy= 192.168.21.2/255.255.255.255/17/1701,
    remote_proxy= 8.8.8.8/255.255.255.255/17/1701
Oct  7 17:16:10.087: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 192.168.21.2:500, remote= 8.8.8.8:500,
    local_proxy= 192.168.21.2/255.255.255.255/17/1701,
    remote_proxy= 8.8.8.8/255.255.255.255/17/1701,
    protocol= ESP, transform= esp-aes 256 esp-sha256-hmac  (Tunnel),
    lifedur= 3600s and 4608000kb,
    spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
Oct  7 17:16:10.087: ISAKMP: set new node 0 to QM_IDLE
Oct  7 17:16:10.087: ISAKMP:(0):SA is still budding. Attached new ipsec request to it. (local 192.168.21.2, remote 8.8.8.8)
Oct  7 17:16:10.087: ISAKMP: Error while processing SA request: Failed to initialize SA
Oct  7 17:16:10.087: ISAKMP: Error while processing KMI message 0, error 2.
Oct  7 17:16:10.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:16:10.087: ISAKMP (0): incrementing error counter on sa, attempt 3 of 5: retransmit phase 1
Oct  7 17:16:10.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:16:10.087: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:16:10.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:16:11.111: ISAKMP:(0):purging node 1139952207
Oct  7 17:16:11.111: ISAKMP:(0):purging node -254195246
Oct  7 17:16:20.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:16:20.087: ISAKMP (0): incrementing error counter on sa, attempt 4 of 5: retransmit phase 1
Oct  7 17:16:20.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:16:20.087: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:16:20.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:16:21.111: ISAKMP:(0):purging SA., sa=11DD1A74, delme=11DD1A74
Oct  7 17:16:30.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:16:30.087: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct  7 17:16:30.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE
Oct  7 17:16:30.087: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:16:30.087: ISAKMP:(0):Sending an IKE IPv4 Packet.
Oct  7 17:16:40.087: ISAKMP:(0): retransmitting phase 1 MM_NO_STATE...
Oct  7 17:16:40.087: ISAKMP:(0):peer does not do paranoid keepalives.
...
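
An added triage example, not part of the original post: it splits `debug crypto isakmp` output like the log above into Main Mode attempts and reports, per attempt, how many packets the router sent, how many it logged as received, and why the SA was deleted. The function name `summarize` is hypothetical, and the `received packet from` wording used to detect a reply is an assumption, since no such line appears in the posted log.

```python
import re

# Excerpt of the debug output quoted above (lines copied from the post, trimmed).
SAMPLE = """\
Oct  7 17:14:21.111: ISAKMP:(0): beginning Main Mode exchange
Oct  7 17:14:21.111: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:14:31.111: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: retransmit phase 1
Oct  7 17:14:31.111: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:15:11.111: ISAKMP (0): incrementing error counter on sa, attempt 5 of 5: retransmit phase 1
Oct  7 17:15:11.111: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
Oct  7 17:15:21.111: ISAKMP:(0):deleting SA reason "Death by retransmission P1" state (I) MM_NO_STATE (peer 8.8.8.8)
Oct  7 17:15:40.087: ISAKMP:(0): beginning Main Mode exchange
Oct  7 17:15:40.087: ISAKMP:(0): sending packet to 8.8.8.8 my_port 500 peer_port 500 (I) MM_NO_STATE
"""

SENT = re.compile(r"sending packet to (\S+) my_port (\d+) peer_port (\d+)")
RECV = re.compile(r"received packet from (\S+)")  # assumed wording of a reply line
RETRY = re.compile(r"attempt (\d+) of (\d+): retransmit phase 1")
DELETED = re.compile(r'deleting SA reason "([^"]+)" state \(\w\) (\S+)')

def summarize(log):
    """Return one dict per Main Mode attempt found in the debug text."""
    attempts, cur = [], None
    for line in log.splitlines():
        if "beginning Main Mode exchange" in line:
            cur = {"peer": None, "sent": 0, "received": 0, "retries": 0, "end": None}
            attempts.append(cur)
        if cur is None:
            continue  # ignore lines before the first attempt starts
        if m := SENT.search(line):
            cur["peer"] = m.group(1)
            cur["sent"] += 1
        elif RECV.search(line):
            cur["received"] += 1
        elif m := RETRY.search(line):
            cur["retries"] = max(cur["retries"], int(m.group(1)))
        elif (m := DELETED.search(line)) and cur["end"] is None:
            cur["end"] = m.group(1)  # the router logs this line twice; keep the first
    for a in attempts:
        # "unanswered": no inbound ISAKMP packet was logged during this attempt
        a["verdict"] = "answered" if a["received"] else "unanswered"
    return attempts

if __name__ == "__main__":
    for n, a in enumerate(summarize(SAMPLE), 1):
        print(n, a)
```
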