VPN IPSEC PSK NO_PROPOSAL_CHOSEN


On Ubuntu 18.10 I am trying to establish an L2TP VPN connection to a WatchGuard server using a PSK, with SHA1-AES 256bit DH group 2 in phase 1 and ESP-AES-SHA1 group 1 in phase 2.

I have tried both strongSwan and Libreswan, but whichever algorithms I select in ipsec.conf or in the GNOME network manager, I always get a NO_PROPOSAL_CHOSEN error. The relevant files are shown below. Do you have any suggestions?

ipsec.conf

conn vpn
    authby=secret
    left=%defaultroute
    leftxauthclient=yes
    leftmodecfgclient=yes
    leftxauthusername=[MY USERNAME]
    modecfgpull=yes
    right=[SERVER IP]
    rightxauthserver=yes
    rightmodecfgserver=yes
    rekey=no
    auto=add
    ike_frag=no
    ike=aes256-sha-modp2048
    esp=aes-sha1-modp1024

ipsec.secrets

[MY SERVER IP] %any : PSK "[MY PSK]"
@[MY USERNAME] : XAUTH "[MY PASSWORD]"

New, modified ipsec.conf:

conn myvpn
    ikelifetime=8h
    keylife=20m
    rekeymargin=3m
    keyingtries=3
    keyexchange=ikev1
    authby=psk
    left=%defaultroute
    auto=add
    authby=secret
    type=transport
    leftprotoport=17/1701
    rightprotoport=17/1701
    right=[SERVER_IP]
    dpdtimeout=120
    dpdaction=clear
    rekey=yes
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1-modp768!

Running ipsec -up myvpn gives:

initiating Main Mode IKE_SA myvpn[1] to [SERVER_IP]
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.1.6[500] to [SERVER_IP][500] (180 bytes)
received packet: from [SERVER_IP][500] to 192.168.1.6[500] (136 bytes)
parsed ID_PROT response 0 [ SA V V V ]
received XAuth vendor ID
received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
received DPD vendor ID
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.1.6[500] to [SERVER_IP][500] (244 bytes)
received packet: from [SERVER_IP][500] to 192.168.1.6[500] (220 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
local host is behind NAT, sending keep alives
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 192.168.1.6[4500] to [SERVER_IP][4500] (108 bytes)
received packet: from [SERVER_IP][4500] to 192.168.1.6[4500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA myvpn[1] established between    192.168.1.6[192.168.1.6]...[SERVER_IP][SERVER_IP]
scheduling reauthentication in 28591s
maximum IKE_SA lifetime 28771s
generating QUICK_MODE request 3496213378 [ HASH SA No KE ID ID NAT-OA NAT-OA ]
sending packet: from 192.168.1.6[4500] to [SERVER_IP][4500] (300 bytes)
received packet: from [SERVER_IP][4500] to 192.168.1.6[4500] (76 bytes)
parsed INFORMATIONAL_V1 request 2157690019 [ HASH N(NO_PROP) ]
received NO_PROPOSAL_CHOSEN error notify
establishing connection 'myvpn' failed

Modified xl2tpd.conf

[lac myvpn]
lns = [SERVER_IP]
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

/etc/ppp/options.l2tpd.client

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
name [MY USERNAME]
password [MY PASSWORD]

Trying it through NetworkManager returns:

nm-l2tp-service[17266]: xl2tpd started with pid 17340
NetworkManager[1137]: xl2tpd[17340]: Not looking for kernel SAref support.
NetworkManager[1137]: xl2tpd[17340]: Using l2tp kernel support.
NetworkManager[1137]: xl2tpd[17340]: xl2tpd version xl2tpd-1.3.12 started on Ing PID:17340
NetworkManager[1137]: xl2tpd[17340]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
NetworkManager[1137]: xl2tpd[17340]: Forked by Scott Balmos and David Stipp, (C) 2001
NetworkManager[1137]: xl2tpd[17340]: Inherited by Jeff McAdams, (C) 2002
NetworkManager[1137]: xl2tpd[17340]: Forked again by Xelerance (www.xelerance.com) (C) 2006-2016
NetworkManager[1137]: xl2tpd[17340]: Listening on IP address 0.0.0.0, port 1701
NetworkManager[1137]: xl2tpd[17340]: Connecting to host [SERVER_IP], port 1701
NetworkManager[1137]: <info>  [1541422442.3462] vpn-connection[0x55a9be8bc370,c657e7cd-7120-40b6-936c-969ca917c53c,"VPN 1",0]: VPN plugin: state changed: starting (3)
NetworkManager[1137]: xl2tpd[17340]: Connection established to [SERVER_IP], 1701.  Local: 62148, Remote: 1 (ref=0/0).
NetworkManager[1137]: xl2tpd[17340]: Calling on tunnel 62148
NetworkManager[1137]: xl2tpd[17340]: Call established with [SERVER_IP], Local: 47419, Remote: 1, Serial: 1 (ref=0/0)
NetworkManager[1137]: xl2tpd[17340]: start_pppd: I'm running:
NetworkManager[1137]: xl2tpd[17340]: "/usr/sbin/pppd"
NetworkManager[1137]: xl2tpd[17340]: "plugin"
NetworkManager[1137]: xl2tpd[17340]: "pppol2tp.so"
NetworkManager[1137]: xl2tpd[17340]: "pppol2tp"
NetworkManager[1137]: xl2tpd[17340]: "7"
NetworkManager[1137]: xl2tpd[17340]: "passive"
NetworkManager[1137]: xl2tpd[17340]: "nodetach"
NetworkManager[1137]: xl2tpd[17340]: ":"
NetworkManager[1137]: xl2tpd[17340]: "file"
NetworkManager[1137]: xl2tpd[17340]: "/run/nm-l2tp-ppp-options-c657e7cd-7120-40b6-936c-969ca917c53c"
pppd[17341]: Plugin pppol2tp.so loaded.
pppd[17341]: Plugin /usr/lib/pppd/2.4.7/nm-l2tp-pppd-plugin.so loaded.
pppd[17341]: pppd 2.4.7 started by root, uid 0
pppd[17341]: Using interface ppp0
pppd[17341]: Connect: ppp0 <-->
pppd[17341]: Overriding mtu 1500 to 1400
pppd[17341]: Overriding mru 1500 to mtu value 1400
NetworkManager[1137]: <info>  [1541422442.4026] manager: (ppp0): new Ppp device (/org/freedesktop/NetworkManager/Devices/19)
systemd-udevd[17344]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
NetworkManager[1137]: <info>  [1541422442.4117] devices added (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
NetworkManager[1137]: <info>  [1541422442.4117] device added (path: /sys/devices/virtual/net/ppp0, iface: ppp0): no ifupdown configuration found.
NetworkManager[1137]: xl2tpd[17340]: check_control: Received out of order control packet on tunnel 1 (got 1, expected 2)
NetworkManager[1137]: xl2tpd[17340]: handle_packet: bad control packet!

Your ipsec.conf seems to be for IPsec IKEv1 XAuth, not for L2TP/IPsec, but you mentioned L2TP. What kind of VPN service is the WatchGuard server offering?

If you are using strongswan I would try adding an exclamation mark (!) to the end; also, your esp syntax was wrong. Try offering the following proposals in the ipsec.conf file and see if the VPN server is happy:

  • ike=aes256-sha1-modp2048!
  • esp=aes-sha1!
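To make "which proposal did the server reject?" a concrete check rather than guesswork, here is an added Python helper (not from the question, the answer, or strongSwan) that parses strongSwan ike=/esp= proposal strings, compares them with the phase-1 parameters the question names, and reads the charon log to tell whether the NO_PROPOSAL_CHOSEN notify arrived in Main Mode or in Quick Mode. The alias and DH-group tables and the sample policy are its own assumptions.

```python
# strongSwan ipsec.conf proposal keywords: "aes" means AES-128 and "sha" means
# SHA-1; DH groups map to their IANA numbers ("modp1024" is the GUI's "group 2").
ENC_ALIASES = {"aes": "aes128"}
INTEG_ALIASES = {"sha": "sha1"}
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14}

def parse_proposal(spec):
    """Parse an ike=/esp= value such as 'aes256-sha1-modp1024!' into (proposals, strict)."""
    strict = spec.endswith("!")          # '!' = offer only these, no defaults appended
    proposals = []
    for item in spec.rstrip("!").split(","):
        parts = item.strip().split("-")
        prop = {"enc": ENC_ALIASES.get(parts[0], parts[0]), "integ": None, "dh": None}
        for part in parts[1:]:
            if part in DH_GROUPS:        # a DH group in esp= means PFS is proposed
                prop["dh"] = DH_GROUPS[part]
            else:
                prop["integ"] = INTEG_ALIASES.get(part, part)
        proposals.append(prop)
    return proposals, strict

def mismatches(spec, required):
    """Fields where the closest proposal in `spec` differs from `required` (None = don't care)."""
    best = None
    for prop in parse_proposal(spec)[0]:
        bad = [k for k, v in required.items() if v is not None and prop[k] != v]
        if best is None or len(bad) < len(best):
            best = bad
    return best

def failed_phase(log_lines):
    """1 if NO_PROPOSAL_CHOSEN arrived in Main Mode (ID_PROT), 2 if in Quick Mode, else None."""
    phase = None
    for line in log_lines:
        if "ID_PROT" in line:
            phase = 1
        elif "QUICK_MODE" in line:
            phase = 2
        if "NO_PROPOSAL_CHOSEN" in line or "N(NO_PROP)" in line:
            return phase
    return None

# Constructed sample: the phase-1 policy the question names (AES-256, SHA-1,
# DH group 2) and a condensed copy of the charon log it shows.
PHASE1_POLICY = {"enc": "aes256", "integ": "sha1", "dh": 2}
LOG = [
    "parsed ID_PROT response 0 [ ID HASH ]",
    "generating QUICK_MODE request 3496213378 [ HASH SA No KE ID ID NAT-OA NAT-OA ]",
    "parsed INFORMATIONAL_V1 request 2157690019 [ HASH N(NO_PROP) ]",
]
```

For the log in the question it reports phase 2: the IKE_SA was already established, so the ike= line was accepted and only the esp= proposal (and the PFS group a DH keyword in it implies) still has to match the server.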