search

zhangke5959 / strongswan

支持国密sm1,sm2,sm3,sm4算法的ipsec vpn。
Other
99 stars 74 forks source link

could not decrypt payloads #18

Open lijh8 opened 3 years ago

lijh8 commented 3 years ago

It works if these two lines: proposals, esp_proposals, are commented out.

sun:

# cat etc/swanctl/swanctl.conf
connections {
    net-net {
        version = 1
        mobike = no
        local_addrs = 192.168.30.160
        remote_addrs = 192.168.30.161

        local {
            certs = server.cert.pem
            auth = pubkey
            id = "C=cn, O=ilove, CN=VPN Server"
        }

        remote {
            id = "C=cn, O=ilove, CN=VPN Client"
            auth = pubkey
        }

    #    remote-xauth {
    #        auth = xauth
    #    }

        #proposals = aes128-sha256-ecp256
        proposals = sm4cbc-sm3-sm2dh
        children {
            net-net {
                start_action = trap
                local_ts  = 172.168.10.0/24
                remote_ts = 172.168.20.0/24
                updown = /ipsec/libexec/ipsec/_updown iptables
                rekey_time = 5400
                rekey_bytes = 500000000
                rekey_packets = 1000000
                #esp_proposals = aes128-sha256-ecp256
                esp_proposals = sm4cbc-sm3-sm2dh
            }
        }
    }
}

secrets {
    xauth-client {
        id = client
        secret = "123456"
    }
}

#
# ipsec up net-net
initiating Main Mode IKE_SA net-net[1] to 192.168.30.161
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.30.160[500] to 192.168.30.161[500] (180 bytes)
received packet: from 192.168.30.161[500] to 192.168.30.160[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:SM4_CBC_128/HMAC_SM3/PRF_HMAC_SM3/CURVE_SM2
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.30.160[500] to 192.168.30.161[500] (204 bytes)
received packet: from 192.168.30.161[500] to 192.168.30.160[500] (257 bytes)
parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
received cert request for 'C=cn, O=ilove, CN=VPN CA'
remote host is behind NAT
sending cert request for "C=cn, O=ilove, CN=VPN CA"
authentication of 'C=cn, O=ilove, CN=VPN Server' (myself) successful
sending end entity cert "C=cn, O=ilove, CN=VPN Server"
generating ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
sending packet: from 192.168.30.160[4500] to 192.168.30.161[4500] (684 bytes)
received packet: from 192.168.30.161[500] to 192.168.30.160[500] (92 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
message parsing failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 3839217716 processing failed

sending retransmit 1 of request message ID 0, seq 3
sending packet: from 192.168.30.160[4500] to 192.168.30.161[4500] (684 bytes)
received packet: from 192.168.30.161[500] to 192.168.30.160[500] (92 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
message parsing failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 2482948940 processing failed

^C
#
# ipsec status
Routed Connections:
     net-net{1}:  ROUTED, TUNNEL, reqid 1
     net-net{1}:   172.168.10.0/24 === 172.168.20.0/24
Security Associations (0 up, 2 connecting):
   (unnamed)[2]: CONNECTING, 192.168.30.160[%any]...192.168.30.161[%any]
     net-net[1]: CONNECTING, 192.168.30.160[C=cn, O=ilove, CN=VPN Server]...192.168.30.161[%any]
#

moon:

# cat etc/swanctl/swanctl.conf
connections {
    net-net {
        version = 1
        mobike = no
        local_addrs = 192.168.30.161
        remote_addrs = 192.168.30.160

        local {
            certs = client.cert.pem
            auth = pubkey
            id = "C=cn, O=ilove, CN=VPN Client"
        }

        remote {
            id = "C=cn, O=ilove, CN=VPN Server"
            auth = pubkey
        }

    #    local-xauth {
    #        auth = xauth
    #        xauth_id = client
    #    }

        #proposals = aes128-sha256-ecp256
        proposals = sm4cbc-sm3-sm2dh
        children {
            net-net {
                start_action = trap
                local_ts  = 172.168.20.0/24
                remote_ts = 172.168.10.0/24
                updown = /ipsec/libexec/ipsec/_updown iptables
                rekey_time = 5400
                rekey_bytes = 500000000
                rekey_packets = 1000000
                #esp_proposals = aes128-sha256-ecp256
                esp_proposals = sm4cbc-sm3-sm2dh
            }
        }
    }
}

secrets {
    xauth-client {
        id = client
        secret = "123456"
    }
}

#
# ipsec up net-net
initiating Main Mode IKE_SA net-net[2] to 192.168.30.160
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 192.168.30.161[500] to 192.168.30.160[500] (180 bytes)
received packet: from 192.168.30.160[500] to 192.168.30.161[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:SM4_CBC_128/HMAC_SM3/PRF_HMAC_SM3/CURVE_SM2
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 192.168.30.161[500] to 192.168.30.160[500] (204 bytes)
received packet: from 192.168.30.160[500] to 192.168.30.161[500] (257 bytes)
parsed ID_PROT response 0 [ KE No CERTREQ NAT-D NAT-D ]
received cert request for 'C=cn, O=ilove, CN=VPN CA'
remote host is behind NAT
sending cert request for "C=cn, O=ilove, CN=VPN CA"
authentication of 'C=cn, O=ilove, CN=VPN Client' (myself) successful
sending end entity cert "C=cn, O=ilove, CN=VPN Client"
generating ID_PROT request 0 [ ID CERT SIG CERTREQ N(INITIAL_CONTACT) ]
sending packet: from 192.168.30.161[4500] to 192.168.30.160[4500] (636 bytes)
received packet: from 192.168.30.160[500] to 192.168.30.161[500] (92 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
message parsing failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 602650897 processing failed

sending retransmit 1 of request message ID 0, seq 3
sending packet: from 192.168.30.161[4500] to 192.168.30.160[4500] (636 bytes)
received packet: from 192.168.30.160[500] to 192.168.30.161[500] (92 bytes)
invalid HASH_V1 payload length, decryption failed?
could not decrypt payloads
message parsing failed
ignore malformed INFORMATIONAL request
INFORMATIONAL_V1 request with message ID 3286868507 processing failed

^C
#
# ipsec status
Routed Connections:
     net-net{1}:  ROUTED, TUNNEL, reqid 1
     net-net{1}:   172.168.20.0/24 === 172.168.10.0/24
Security Associations (0 up, 2 connecting):
     net-net[2]: CONNECTING, 192.168.30.161[C=cn, O=ilove, CN=VPN Client]...192.168.30.160[%any]
   (unnamed)[1]: CONNECTING, 192.168.30.161[%any]...192.168.30.160[%any]
#
RoseBL commented 2 years ago

请问您最终解决这个问题了吗?

lijh8 commented 2 years ago

请问您最终解决这个问题了吗?

use his @highland0971 fork. it works.