Fortigate80CでIPSecVPNを構成し、Shrew SoftVPNを使用して接続しようとしています。 Fortigateユニットでのデバッグでは、プロポーザルIDを除いて、両方のプロポーザルで同じ値が表示されますが、ネゴシエーションの失敗で立ち往生しています。
ike 0: comes 213.233.112.182:500->192.168.1.254:500,ifindex=18....
ike 0: IKEv1 exchange=Aggressive id=448542093a752e2a/0000000000000000 len=577
ike 0: in 448542093A752E2A00000000000000000110040000000000000002410400003800000001000000010000002C0101000100000024010100008001000580020002800400058003FDE9800B0001000C0004000070800A0000C498221E8FC2C65CDED61AA7AEEA26562FE6A58F9D4AFD6FB5361DFD380B61C85B2A0BAB6FCD068B69A837868F14CBB06E249CFC82BDD42B2DA1021B6FFE9885F2F8614C4F676E28E5BD8F1967440C4E8381E26E3189DA6491EB3CC8C1E0D7C1F39348D2174B68134CE8214814A8A894FD5B9F268B2F107AF310C1DD3BE84F09486595B9F8C7DEA196250E69F86A85DEEDCADC8AE98D7E1018776DF2D54C8DDD50F52EC27F74751C16CAA51BCDEA17CF3ED65D4116C4F2FFF1F6F27BBFF8DC003805000018F38CC6EAC4E77D031C2ED7E2F509FE65C2E511240D00000D0B000000465341524F0D00000C09002689DFD6B7120D0000144485152D18B6BBCD0BE8A8469579DDCC0D00001416F6CA16E4A4066D83821A0F0AEAA8620D00001490CB80913EBB696E086381B5EC427B1F0D0000147D9419A65310CA6F2C179D9215529D560D0000144A131C81070358455C5728F20E95452F0D0000184048B7D56EBCE88525E7DE7F00D6C2D3800000000D000014AFCAD71368A1F1C96B8696FC775701000D0000143B9031DCE4FCF88B489A923963DD0C490D000014F14B94B7BFF1FEF02773B8C49FEDED260D000018166F932D55EB64D8E4DF4FD37E2313F0D0FD84510D0000148404ADF9CDA05760B2CA292E4BFF537B0000001412F5F28C457168A9702D9FE274CC0100
ike 0:448542093a752e2a/0000000000000000:1314: responder: aggressive mode get 1st message...
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsra-isakmp-xauth-06.txt 09002689DFD6B712
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-00 4485152D18B6BBCD0BE8A8469579DDCC
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-01 16F6CA16E4A4066D83821A0F0AEAA862
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-02\n 90CB80913EBB696E086381B5EC427B1F
ike 0:448542093a752e2a/0000000000000000:1314: VID draft-ietf-ipsec-nat-t-ike-03 7D9419A65310CA6F2C179D9215529D56
ike 0:448542093a752e2a/0000000000000000:1314: VID RFC 3947 4A131C81070358455C5728F20E95452F
ike 0:448542093a752e2a/0000000000000000:1314: VID FRAGMENTATION 4048B7D56EBCE88525E7DE7F00D6C2D380000000
ike 0:448542093a752e2a/0000000000000000:1314: VID DPD AFCAD71368A1F1C96B8696FC77570100
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): 3B9031DCE4FCF88B489A923963DD0C49
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): F14B94B7BFF1FEF02773B8C49FEDED26
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (20): 166F932D55EB64D8E4DF4FD37E2313F0D0FD8451
ike 0:448542093a752e2a/0000000000000000:1314: VID unknown (16): 8404ADF9CDA05760B2CA292E4BFF537B
ike 0:448542093a752e2a/0000000000000000:1314: VID Cisco-UNITY 12F5F28C457168A9702D9FE274CC0100
ike 0: IKEv1 Aggressive, comes 213.233.112.182:500->192.168.1.254 18, peer-id=FSARO
ike 0:448542093a752e2a/0000000000000000:1314: my proposal, gw BKIPSECVPN:
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 1:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: incoming proposal:
ike 0:448542093a752e2a/0000000000000000:1314: proposal id = 0:
ike 0:448542093a752e2a/0000000000000000:1314: protocol id = ISAKMP:
ike 0:448542093a752e2a/0000000000000000:1314: trans_id = KEY_IKE.
ike 0:448542093a752e2a/0000000000000000:1314: encapsulation = IKE/none
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_ENCRYPT_ALG, val=3DES_CBC.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:448542093a752e2a/0000000000000000:1314: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:448542093a752e2a/0000000000000000:1314: type=OAKLEY_GROUP, val=1536.
ike 0:448542093a752e2a/0000000000000000:1314: ISAKMP SA lifetime=28800
ike 0:448542093a752e2a/0000000000000000:1314: negotiation failure
ike Negotiate ISAKMP SA Error: ike 0:448542093a752e2a/0000000000000000:1314: no SA proposal chosen
ike shrank heap by 122880 bytes
ike shrank heap by 20480 bytes
なぜこれが起こっているのか考えはありますか?
トンネルの構成は次のとおりです。
BKFGT80C-03 # show vpn ipsec phase1-interface BKIPSECVPN
config vpn ipsec phase1-interface
edit "BKIPSECVPN"
set type dynamic
set interface "WANProsodieDATA"
set mode aggressive
set xauthtype pap
set proposal 3des-sha1 aes128-sha1
set authusrgrp "vpn-users@SRV3"
set psksecret ENC nhHJbl/trs/6Fxx383T9wTSrI85maR2cvP2R4N5XD0VyLc/rdzp/QnWFKOEYlXEIBc6ViKqSrb2GCliq5+4y3dxuRG3hurRq5T4Vz1uYf23y/+qE8xMspKvWOJkb2BP8wV7bkNgd7TjJabL/GfOU6pIsuga9J0kknxTdEPl8fWzj3U4g85R9+BO7264YQ/7ZopFZHA==
set keepalive 15
next
end
BKFGT80C-03 # show vpn ipsec phase2-interface BKIPSECVPN_Ph2
config vpn ipsec phase2-interface
edit "BKIPSECVPN_Ph2"
set keepalive enable
set phase1name "BKIPSECVPN"
set proposal 3des-sha1 aes128-sha1
next
end
そして、これがShrewsoftVPN構成です。
n:version:4
n:network-ike-port:500
n:network-mtu-size:1380
n:client-addr-auto:0
n:network-natt-port:4500
n:network-natt-rate:15
n:network-frag-size:540
n:network-dpd-enable:1
n:client-banner-enable:0
n:network-notify-enable:1
n:client-dns-used:1
n:client-dns-auto:0
n:client-dns-suffix-auto:0
n:client-splitdns-used:1
n:client-splitdns-auto:0
n:client-wins-used:0
n:client-wins-auto:0
n:phase1-dhgroup:5
n:phase1-life-secs:28800
n:phase1-life-kbytes:0
n:vendor-chkpt-enable:0
n:phase2-life-secs:1800
n:phase2-life-kbytes:5120
n:policy-nailed:1
n:policy-list-auto:1
n:phase1-keylen:256
s:network-Host:213.139.103.131
s:client-auto-mode:disabled
s:client-iface:virtual
s:client-ip-addr:192.168.50.2
s:client-ip-mask:255.255.255.0
s:network-natt-mode:enable
s:network-frag-mode:enable
s:client-dns-addr:8.8.8.8
s:client-dns-suffix:bk.local
s:auth-method:mutual-psk-xauth
s:ident-client-type:address
s:ident-server-type:address
b:auth-mutual-psk:YWJjZGVmZ2hpamts
s:phase1-exchange:aggressive
s:phase1-cipher:3des
s:phase1-hash:sha1
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
s:ipcomp-transform:disabled
n:phase2-pfsgroup:5
s:policy-level:auto
構成には、フェーズ2のさまざまな暗号タイプがあることがわかります。
set proposal 3des-sha1 aes128-sha1
およびShrewsoftVPNの場合
s:phase2-transform:esp-3des
s:phase2-hmac:sha1
AES-128または3DESの両方をPurします。これで問題が解決するはずです。
トンネルのFortigate構成を貼り付けていただけますか? (答えで編集しますが、構成なしでは私はあなたを助けることができません)