
Fortigate の IPSec VPN と Shrew Soft VPN

Fortigate 80C で IPSec VPN を構成し、Shrew Soft VPN を使用して接続しようとしています。Fortigate ユニットでのデバッグを見ると、プロポーザル ID を除いて両方のプロポーザルで同じ値が表示されているにもかかわらず、ネゴシエーションの失敗で行き詰まっています。

ike 0: comes 213.233.112.182:500->192.168.1.254:500,ifindex=18....
ike 0: IKEv1 exchange=Aggressive id=448542093a752e2a/0000000000000000 len=577
ike 0: in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
ike 0:448542093a752e2a/0000000000000000:1314: responder: aggressive mode get 1st message...
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:448542093a752e2a/0000000000000000:1314: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:448542093a752e2a/0000000000000000:1314: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:448542093a752e2a/0000000000000000:1314: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): 3B9031DCE4FCF88B489A923963DD0C49
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): F14B94B7BFF1FEF02773B8C49FEDED26
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (20): 166F932D55EB64D8E4DF4FD37E2313F0D0FD8451
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): 8404ADF9CDA05760B2CA292E4BFF537B
ike 0:448542093a752e2a/0000000000000000:1314: VID Cisco-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0: IKEv1 Aggressive, comes 213.233.112.182:500->192.168.1.254 18, peer-id=FSARO
ike 0:448542093a752e2a/0000000000000000:1314: my proposal, gw BKIPSECVPN:
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314:   protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314:      trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314:      encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:448542093a752e2a/0000000000000000:1314:         type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314:   protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314:      trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314:      encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314:         type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314:         type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314:   protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314:      trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314:      encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314:         type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:448542093a752e2a/0000000000000000:1314:         type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314:   protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314:      trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314:      encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314:         type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314:         type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314:         type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: incoming proposal:
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 0:
ike 0:448542093a752e2a/0000000000000000:1314:   protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314:      trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314:      encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314:         type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314:         type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314:         type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314:         type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:448542093a752e2a/0000000000000000:1314: no SA proposal chosen
ike shrank heap by 122880 bytes
ike shrank heap by 20480 bytes

なぜこれが起こっているのか考えはありますか?

トンネルの構成は次のとおりです。

BKFGT80C-03 # show vpn ipsec phase1-interface BKIPSECVPN 
config vpn ipsec phase1-interface
    edit "BKIPSECVPN"
        set type dynamic
        set interface "WANProsodieDATA"
        set mode aggressive
        set xauthtype pap
        set proposal 3des-sha1 aes128-sha1
        set authusrgrp "vpn-users@SRV3"
        set psksecret ENC nhHJbl/trs/6Fxx383T9wTSrI85maR2cvP2R4N5XD0VyLc/rdzp/QnWFKOEYlXEIBc6ViKqSrb2GCliq5+4y3dxuRG3hurRq5T4Vz1uYf23y/+qE8xMspKvWOJkb2BP8wV7bkNgd7TjJabL/GfOU6pIsuga9J0kknxTdEPl8fWzj3U4g85R9+BO7264YQ/7ZopFZHA==
        set keepalive 15
    next
end

BKFGT80C-03 # show vpn ipsec phase2-interface BKIPSECVPN_Ph2 
config vpn ipsec phase2-interface
    edit "BKIPSECVPN_Ph2"
        set keepalive enable
        set phase1name "BKIPSECVPN"
        set proposal 3des-sha1 aes128-sha1
    next
end

そして、これがShrewsoftVPN構成です。

n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-dns-used:1
n:client-dns-auto:0
n:client-dns-suffix-auto:0
n:client-splitdns-used:1
n:client-splitdns-auto:0
n:client-wins-used:0
n:client-wins-auto:0
n:phase1-dhgroup:5
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:1800
n:phase2-life-kbytes:5120
n:policy-nailed:1
n:policy-list-auto:1
n:phase1-keylen:256
s:network-Host:213.139.103.131
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:192.168.50.2
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr:8.8.8.8
s:client-dns-suffix:bk.local
s:auth-method:mutual-psk-xauth
s:ident-client-type:address
s:ident-server-type:address
b:auth-mutual-psk:YWJjZGVmZ2hpamts
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:5
s:policy-level:auto
fsaftoiu

2 つの構成を見ると、フェーズ 2 の暗号タイプが互いに異なっていることがわかります。

set proposal 3des-sha1 aes128-sha1

およびShrewsoftVPNの場合

s:phase2-transform:esp-3des
s:phase2-hmac:sha1

両方の側で AES-128 か 3DES のどちらか一方に揃えてください。これで問題が解決するはずです。

Daler

トンネルの Fortigate 構成を貼り付けていただけますか?（構成があれば回答を編集しますが、構成なしではお手伝いできません）

Vovor