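This post was last edited by 哥乌恩滚 on 2018-3-5 12:26
I have been trying for many days to connect strongSwan on Tianyi Cloud with Sangfor, without success. Connecting to Cisco works without problems, and the same configuration previously connected successfully to a carrier's strongSwan. In main mode, even phase 1 fails to come up. The logs are as follows: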
5 | DLAN总部(lmdlan) | 调试 | 11:09:10 | Handle mian mode R3 from 203.*.*.59 message failure
6 | DLAN总部(lmdlan) | 调试 | 11:09:10 | [IsakmpDoi]OnMainR3:Recv a R3 Message, but the ID is not match
7 | DLAN总部(lmdlan) | 调试 | 11:09:04 | Handle mian mode R3 from 203.*.*.59 message failure
8 | DLAN总部(lmdlan) | 调试 | 11:09:04 | [IsakmpDoi]OnMainR3:Recv a R3 Message, but the ID is not match
9 | DLAN总部(lmdlan) | 调试 | 11:08:58 | Handle mian mode R3 from 203.*.*.59 message failure
10 | DLAN总部(lmdlan) | 调试 | 11:08:58 | [IsakmpDoi]OnMainR3:Recv a R3 Message, but the ID is not match
11 | DLAN总部(lmdlan) | 调试 | 11:08:53 | Handle mian mode R3 from 203.*.*.59 message failure
12 | DLAN总部(lmdlan) | 调试 | 11:08:53 | [IsakmpDoi]OnMainR3:Recv a R3 Message, but the ID is not match
13 | DLAN总部(lmdlan) | 调试 | 11:08:47 | Handle mian mode R3 from 203.*.*.59 message failure
14 | DLAN总部(lmdlan) | 调试 | 11:08:47 | [IsakmpDoi]OnMainR3:Recv a R3 Message, but the ID is not match
15 | DLAN总部(lmdlan) | 调试 | 11:08:42 | Start to CreateIsakmpSA for 203.*.*.59,ip=203.*.*.59
16 | DLAN总部(lmdlan) | 信息 | 11:08:42 | [Isakmp_Server]发起和网关[203.*.*.59](IP:203.*.*.59) 进行主模式协商.
17 | DLAN总部(lmdlan) | 调试 | 11:08:42 | [Isakmp_Server]第一阶段生存期采用我方值[3600] 秒.
18 | DLAN总部(lmdlan) | 调试 | 11:08:42 | Peer Device [203.*.*.59] support DPD
19 | DLAN总部(lmdlan) | 调试 | 11:08:42 | Add SDLAN to SN
20 | DLAN总部(lmdlan) | 调试 | 11:08:42 | [IsakmpDoi]OnMainR3:Recv a R3 Message, but the ID is not match
21 | DLAN总部(lmdlan) | 调试 | 11:08:42 | Handle mian mode R3 from 203.*.*.59 message failure
22 | DLAN总部(lmdlan) | 调试 | 11:08:38 | [Isakmp_Server]请确认[203.*.*.59]双方网络连接是否正常.
23 | DLAN总部(lmdlan) | 告警 | 11:08:38 | [Isakmp_Server]和网关[203.*.*.59]的第一阶段SA 协商失败,连接建立失败.
24 | DLAN总部(lmdlan) | 调试 | 11:08:25 | Hand Main mode message I3 failure
25 | DLAN总部(lmdlan) | 调试 | 11:08:25 | [CIsakmpDoi]OnMainI3_OutR3:peer's id packet which recved is not the same as our saved
26 | DLAN总部(lmdlan) | 调试 | 11:08:01 | Hand Main mode message I3 failure
27 | DLAN总部(lmdlan) | 调试 | 11:08:01 | [CIsakmpDoi]OnMainI3_OutR3:peer's id packet which recved is not the same as our saved
28 | DLAN总部(lmdlan) | 调试 | 11:07:48 | Hand Main mode message I3 failure
29 | DLAN总部(lmdlan) | 调试 | 11:07:48 | [CIsakmpDoi]OnMainI3_OutR3:peer's id packet which recved is not the same as our saved
30 | DLAN总部(lmdlan) | 告警 | 11:07:44 | [Isakmp_Server]和网关[203.*.*.59]的第一阶段SA 协商失败,连接建立失败.
31 | DLAN总部(lmdlan) | 调试 | 11:07:44 | Delete SDLAN from SN
32 | DLAN总部(lmdlan) | 调试 | 11:07:44 | [Isakmp_Server]检查[203.*.*.59]对应双方共享密钥配置一致.
33 | DLAN总部(lmdlan) | 调试 | 11:07:41 | Hand Main mode message I3 failure
34 | DLAN总部(lmdlan) | 调试 | 11:07:41 | [CIsakmpDoi]OnMainI3_OutR3:peer's id packet which recved is not the same as our saved
35 | DLAN总部(lmdlan) | 调试 | 11:07:37 | Peer Device [203.*.*.59] support DPD
36 | DLAN总部(lmdlan) | 调试 | 11:07:37 | [CIsakmpDoi]OnMainI3_OutR3:peer's id packet which recved is not the same as our saved
37 | DLAN总部(lmdlan) | 调试 | 11:07:37 | Hand Main mode message I3 failure
With aggressive mode the connection can be established, but tunnels come up for only some of the subnets, as follows:
The strongSwan configuration is as follows:

conn kt
    rekeymargin=3h
    keyingtries=1
    mobike=no
    type=tunnel
    left=0.0.0.0
    leftsubnet=10.10.1.0/24,192.168.66.0/23,192.168.40.0/24,192.168.55.0/24,192.168.80.0/24
    leftauth=psk
    right=110.*.*.51 # Sangfor public IP address
    rightsubnet=192.168.5.0/24,192.168.9.0/24,192.168.39.0/24
    rightauth=psk
    ike=3des-sha1-modp1024
    esp=3des-sha1-modp1024
    authby=psk
    auto=start
    aggressive=yes
    #dpdaction=none
    keyexchange=ikev1
    ikelifetime=3600s
    keylife=28800s
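
An added example, not part of the original post: strongSwan's ipsec.conf documentation notes that IKEv1 only interprets the first subnet of a multi-subnet `leftsubnet`/`rightsubnet` (unless the Cisco Unity plugin is enabled), so every local/remote pair needs its own conn. The script expands the posted subnet lists into one conn per pair; the base conn name `kt-base` (holding the shared settings, with no `leftsubnet`, `rightsubnet` or `auto` line) and the `kt-N` names are assumptions.

```python
import ipaddress
from itertools import product

# Subnet lists copied from the posted "conn kt" section.
LEFT_SUBNETS = ("10.10.1.0/24,192.168.66.0/23,192.168.40.0/24,"
                "192.168.55.0/24,192.168.80.0/24")
RIGHT_SUBNETS = "192.168.5.0/24,192.168.9.0/24,192.168.39.0/24"


def split_subnets(value):
    """Split a comma-separated subnet list and validate every CIDR entry."""
    nets = [item.strip() for item in value.split(",") if item.strip()]
    for net in nets:
        ipaddress.ip_network(net, strict=True)  # ValueError if host bits are set
    return nets


def subnet_pairs(left_value, right_value):
    """Every (local, remote) pair; IKEv1 Quick Mode negotiates one pair per SA."""
    pairs = list(product(split_subnets(left_value), split_subnets(right_value)))
    if not pairs:
        raise ValueError("both sides need at least one subnet")
    return pairs


def render_conns(pairs, base="kt-base", prefix="kt"):
    """Render one child conn per pair; shared settings are inherited via also=.

    `base` and `prefix` are hypothetical names chosen for this example.
    """
    blocks = []
    for index, (local, remote) in enumerate(pairs, start=1):
        blocks.append(
            f"conn {prefix}-{index}\n"
            f"    also={base}\n"
            f"    leftsubnet={local}\n"
            f"    rightsubnet={remote}\n"
            f"    auto=start\n"
        )
    return "\n".join(blocks)


if __name__ == "__main__":
    print(render_conns(subnet_pairs(LEFT_SUBNETS, RIGHT_SUBNETS)))
```

The Sangfor side needs a matching phase 2 policy for each generated pair, since both peers must propose the same traffic selectors.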