
strongSwan: "received NO_PROPOSAL_CHOSEN error notify" when connecting to a Cisco router

Server Fault user
Asked on 2018-11-16 15:50:43
Answers: 1 | Views: 8.5K | Followers: 0 | Votes: 1

I am trying to set up an IPsec connection from a Raspberry Pi with strongSwan (Linux strongSwan U5.5.1/K4.14.50+) to a Cisco router.

This is the strongSwan output:

root@raspberrypi:~# ipsec up Ciscoios
initiating Main Mode IKE_SA Ciscoios[1] to x.x.x.138
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (180 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (104 bytes)
parsed ID_PROT response 0 [ SA V ]
received NAT-T (RFC 3947) vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (244 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (304 bytes)
parsed ID_PROT response 0 [ KE No V V V V NAT-D NAT-D ]
received Cisco Unity vendor ID
received DPD vendor ID
received unknown vendor ID: d4:35:02:b0:57:db:41:f3:0a:fc:a9:73:1f:79:b2:e4
received XAuth vendor ID
generating ID_PROT request 0 [ ID HASH ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (84 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (68 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA Ciscoios[1] established between x.x.x.118[user@domain.com]...x.x.x.138[x.x.x.138]
scheduling reauthentication in 86201s
maximum IKE_SA lifetime 86381s
generating QUICK_MODE request 3400625212 [ HASH SA No ID ID ]
sending packet: from x.x.x.118[500] to x.x.x.138[500] (172 bytes)
received packet: from x.x.x.138[500] to x.x.x.118[500] (84 bytes)
parsed INFORMATIONAL_V1 request 1129071936 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'Ciscoios' failed

This is the ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file


config setup
    strictcrlpolicy=no
    #charondebug="ike 4, knl 4, cfg 2"    #useful debugs
    uniqueids = no



conn %default
    ikelifetime=1440m
    keylife=60m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    authby=secret

conn Ciscoios
    left=x.x.x.118
    leftid=fqdn:user@domain.com
    leftsubnet=10.10.145.0/24
    leftfirewall=no
    right=x.x.x.138
    rightsubnet=x.x.x.138/32
    rightid=x.x.x.x.138
    rightauth=psk
    leftauth=psk
    auto=add
    ike=3des-sha1-modp1024!
    esp=3des-sha1!

On the Cisco, I have configured the following:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set ESP-NULL-MD5 esp-null esp-md5-hmac
mode transport

crypto dynamic-map TEST
description ipsecTest
set transform-set ESP-NULL-MD5 ESP-3DES-MD5
set isakmp-profile Routing
match address IPSEC

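I think I may have set the wrong parameters for ike, especially in ipsec.conf. The IPsec configuration on the Cisco works with another Cisco router as the peer, but not with the Raspberry Pi. Can anyone help?

1 Answer

Server Fault user

Accepted answer

Posted on 2018-11-16 15:55:18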

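The ESP proposal in the strongSwan configuration has to match the Cisco one, so change it to esp=3des-md5!, or modify the config to use SHA-1 as the integrity algorithm.

Note that these are all very weak algorithms.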

Votes: 0
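
An added example (not part of the original question or answer): a small Python check that compares the `esp=` proposals of a strongSwan conn with the Cisco transform sets and lists the sets both sides could agree on. The config excerpts are taken from the question; the function names and the keyword mapping table are assumptions of this example, and an `esp=` inherited from `conn %default` is not resolved.

```python
import re

# Cisco IOS transform keyword -> strongSwan ipsec.conf keyword.
# Assumption: covers only the transforms relevant to this page.
CISCO_TO_SWAN = {"esp-3des": "3des", "esp-null": "null",
                 "esp-md5-hmac": "md5", "esp-sha-hmac": "sha1"}

# Excerpts of the two configurations posted in the question.
SWAN_CONF = """\
conn %default
    keyexchange=ikev1
conn Ciscoios
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
"""
CISCO_CONF = """\
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set ESP-NULL-MD5 esp-null esp-md5-hmac
 mode transport
"""

def swan_esp_proposals(conf, conn):
    """Return the (encryption, integrity) pairs of esp= in one conn section."""
    current, found = None, set()
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        section = re.match(r"conn\s+(\S+)", line)
        option = re.match(r"\s+esp\s*=\s*(\S+)", line)
        if section:
            current = section.group(1)
        elif option and current == conn:
            for proposal in option.group(1).rstrip("!").split(","):
                parts = proposal.split("-")
                found.add((parts[0], parts[1] if len(parts) > 1 else None))
    return found

def cisco_transform_sets(conf):
    """Return {name: (encryption, integrity)} in strongSwan keywords."""
    pattern = r"^crypto ipsec transform-set (\S+) (\S+) (\S+)[ \t]*$"
    return {name: (CISCO_TO_SWAN.get(enc, enc), CISCO_TO_SWAN.get(integ, integ))
            for name, enc, integ in re.findall(pattern, conf, re.M)}

def matching_sets(swan_conf, conn, cisco_conf):
    """Names of the Cisco transform sets the strongSwan conn also proposes."""
    offered = swan_esp_proposals(swan_conf, conn)
    sets = cisco_transform_sets(cisco_conf)
    return sorted(name for name, pair in sets.items() if pair in offered)

if __name__ == "__main__":
    print("as posted:", matching_sets(SWAN_CONF, "Ciscoios", CISCO_CONF))
    fixed = SWAN_CONF.replace("esp=3des-sha1!", "esp=3des-md5!")
    print("with esp=3des-md5!:", matching_sets(fixed, "Ciscoios", CISCO_CONF))
```

An empty list for the configuration as posted corresponds to the NO_PROPOSAL_CHOSEN notify in Quick Mode; with the change from the answer, `ESP-3DES-MD5` becomes a common proposal.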
Original page content provided by Server Fault. Translation support provided by the Tencent Cloud Xiaowei IT-domain engine.
Original link:

https://serverfault.com/questions/940369
