IPSec虚拟专用网第二阶段卡住

Question

试图设置到Office的VPN连接，但我无法通过阶段2。

从系统管理员那里收到信息：

• PSK
• IKE v1
• 侵略性模式
• Phase1 3 DES-SHA1
• 生署第5组
• 密钥寿命28800
• XAUTH PAP服务器(不确定这是否需要知道)
• Phase2 3 DES-SHA1
• PFS no

这是许多配置尝试之一，我尝试过添加/删除不同的参数。

config setup
interfaces=%defaultroute
plutodebug="control parsing"
plutoopts="--interface=wlan0"
dumpdir=/var/run/pluto/
nat_traversal=no
virtual_private=%v4:
10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
oe=off
protostack=netkey

conn office
left=%defaultroute
right=<my gateway ip>

phase2=ah
phase2alg=sha1;modp1536
type=transport
authby=secret
pfs=no
compress=no
   keyingtries=%forever

输出量

?  /etc  sudo service ipsec restart
?  /etc  sudo ipsec auto --add office && sudo ipsec auto --up office
104 "office" #1: STATE_MAIN_I1: initiate
003 "office" #1: received Vendor ID payload [Dead Peer Detection]
003 "office" #1: ignoring unknown Vendor ID payload
[8299031757a36082c6a621de00050282]
106 "office" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "office" #1: STATE_MAIN_I3: sent MI3, expecting MR3
003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "office" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
003 "office" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "office" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
031 "office" #1: max number of retransmissions (2) reached STATE_MAIN_I3.
Possible authentication failure: no acceptable response to our first
encrypted message
000 "office" #1: starting keying attempt 2 of an unlimited number, but
releasing whack

更新

在我的配置中添加了聚合模式，并得到了一个关于无效哈希信息的错误，为什么？参数没有正确设置吗？

conn office 
    aggrmode=yes
     left=%defaultroute
     right=<vpn gateway>
     phase2=ah
     phase2alg=sha1;modp1536
     type=transport
     ike=3des-sha1;modp1536

     authby=secret
     #esp=3des;modp1536
     pfs=no
     compress=no
     keyingtries=%forever

输出

➜  /etc  sudo ipsec auto --up office 
112 "office" #1: STATE_AGGR_I1: initiate
003 "office" #1: received Vendor ID payload [Dead Peer Detection]
003 "office" #1: received Vendor ID payload [XAUTH]
003 "office" #1: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00050282]
003 "office" #1: received Hash Payload does not match computed value
223 "office" #1: STATE_AGGR_I1: INVALID_HASH_INFORMATION

ipsec自动状态

000 "office":     myip=unset; hisip=unset;
000 "office":   ike_life: 3600s; ipsec_life: 28800s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "office":   policy: PSK+AUTHENTICATE+UP+AGGRESSIVE+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,24; interface: wlan0; 
000 "office":   newest ISAKMP SA: #0; newest IPsec SA: #0; 
000 "office":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1536(5); flags=-strict
000 "office":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-MODP1536(5)
000 "office":   AH algorithms wanted: SHA1(2)_000; pfsgroup=MODP1536(5); flags=-strict
000 "office":   AH algorithms loaded: SHA1(2)_160
000  
000 #3: "office":500 STATE_AGGR_I1 (sent AI1, expecting AR1); none in -1s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000 #3: pending Phase 2 for "office" replacing #0

更新2

通过对防火墙日志的分析表明，所建立的隧道与预期不同，并且有不同的PSK。

现在第二阶段谈判错误。系统管理员说，它需要一个用户的第二阶段，但不确定我将如何指定？

➜  /etc  sudo ipsec auto --up office 
104 "office" #2: STATE_MAIN_I1: initiate
003 "office" #2: received Vendor ID payload [RFC 3947] method set to=109 
003 "office" #2: received Vendor ID payload [Dead Peer Detection]
003 "office" #2: ignoring unknown Vendor ID payload [8299031757a36082c6a621de00050282]
106 "office" #2: STATE_MAIN_I2: sent MI2, expecting MR2
003 "office" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): i am NATed
108 "office" #2: STATE_MAIN_I3: sent MI3, expecting MR3
004 "office" #2: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
117 "office" #3: STATE_QUICK_I1: initiate
010 "office" #3: STATE_QUICK_I1: retransmission; will wait 20s for response
010 "office" #3: STATE_QUICK_I1: retransmission; will wait 40s for response
031 "office" #3: max number of retransmissions (2) reached STATE_QUICK_I1.  No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
000 "office" #3: starting keying attempt 2 of an unlimited number, but releasing whack

Answer 1

没有接收者(Fortigate)日志，很难给出一个明确的答案。

让我们从显而易见的开始:在main mode (而不是aggressive mode)中重新配置您的虚拟专用网，并将类型从transport更改为tunnel。

重试连接，如果可能的话，给我们Fortigate日志。