Erro de VPN de site para site 'carga de hash recebida não corresponde ao valor computado'

Precisamos acessar algumas máquinas Linux localizadas no final do nosso cliente. Nossa máquina Linux, da qual precisamos acessar a máquina do cliente, está localizada na nuvem.

A conexão a ser estabelecida é VPN de site para site.

Ao reiniciar o serviço ipsec através do comando sudo service ipsec restart , a conexão termina com o erro A carga útil Hash recebida não corresponde ao valor computado

No entanto, verificamos novamente que ipsec.secrets tem a chave correta, pois foi compartilhada pelo cliente. Além disso, no comando em execução sudo ipsec auto --up vpn , o cli desliga.

Sendo uma criança na rede, estou compartilhando a maior parte da saída que eu acho, talvez relevante para o erro. Por favor, deixe-me saber se mais informações são necessárias.

As informações a seguir são compartilhadas abaixo:

• Saída para reinicialização do serviço ipsec
• Login completo em /var/log/secure quando o serviço ipsec é iniciado
• Configuração em ipsec.conf
• Configuração em ipsec.secrets
• Saída de ipsec.verify
• Saída de ifconfig
• As informações de VPN documentadas do cliente e da nossa compartilham

Saída para reinício do serviço ipsec

[root@gbox-1 ~]# service ipsec restart
ipsec_setup: Stopping Openswan IPsec...
ipsec_setup: Starting Openswan IPsec 2.6.32...
ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

Login completo em /var/log/secure quando o serviço ipsec é iniciado

[root@gbox-1 log]# tail -f secure
Jul 31 23:43:24 gbox-1 sshd[3005]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down
Jul 31 23:43:38 gbox-1 pluto[32279]: forgetting secrets
Jul 31 23:43:38 gbox-1 pluto[32279]: "vpn": deleting connection
Jul 31 23:43:38 gbox-1 pluto[32279]: "vpn" #1: deleting state (STATE_AGGR_I1)
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface lo/lo ::1:500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth0/eth0 2001:4800:780e:510:acf:6c9b:ffd8:94cd:500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface lo/lo 127.0.0.1:4500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface lo/lo 127.0.0.1:500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth0/eth0 50.55.153.121:4500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth0/eth0 50.55.153.121:500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth1/eth1 10.180.3.132:4500
Jul 31 23:43:38 gbox-1 pluto[32279]: shutting down interface eth1/eth1 10.180.3.132:500
Jul 31 23:43:40 gbox-1 ipsec__plutorun: Starting Pluto subsystem...
Jul 31 23:43:40 gbox-1 pluto[3352]: nss directory plutomain: /etc/ipsec.d
Jul 31 23:43:40 gbox-1 pluto[3352]: NSS Initialized
Jul 31 23:43:40 gbox-1 pluto[3352]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Jul 31 23:43:40 gbox-1 pluto[3352]: FIPS: not a FIPS product
Jul 31 23:43:40 gbox-1 pluto[3352]: FIPS HMAC integrity verification test passed
Jul 31 23:43:40 gbox-1 pluto[3352]: Starting Pluto (Openswan Version 2.6.32; Vendor ID OEhyLdACecfa) pid:3352
Jul 31 23:43:40 gbox-1 pluto[3352]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Jul 31 23:43:40 gbox-1 pluto[3352]: LEAK_DETECTIVE support [disabled]
Jul 31 23:43:40 gbox-1 pluto[3352]: OCF support for IKE [disabled]
Jul 31 23:43:40 gbox-1 pluto[3352]: SAref support [disabled]: Protocol not available
Jul 31 23:43:40 gbox-1 pluto[3352]: SAbind support [disabled]: Protocol not available
Jul 31 23:43:40 gbox-1 pluto[3352]: NSS support [enabled]
Jul 31 23:43:40 gbox-1 pluto[3352]: HAVE_STATSD notification support not compiled in
Jul 31 23:43:40 gbox-1 pluto[3352]: Setting NAT-Traversal port-4500 floating to on
Jul 31 23:43:40 gbox-1 pluto[3352]:    port floating activation criteria nat_t=1/port_float=1
Jul 31 23:43:40 gbox-1 pluto[3352]:    NAT-Traversal support  [enabled]
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating OAKLEY_BLOWFISH_CBC: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: starting up 1 cryptographic helpers
Jul 31 23:43:40 gbox-1 pluto[3352]: started helper (thread) pid=140162780645120 (fd:8)
Jul 31 23:43:40 gbox-1 pluto[3352]: Kernel interface auto-pick
Jul 31 23:43:40 gbox-1 pluto[3352]: Using Linux 2.6 IPsec interface code on 2.6.32-431.11.2.el6.x86_64 (experimental code)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_add(): ERROR: Algorithm already exists
Jul 31 23:43:40 gbox-1 pluto[3352]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Jul 31 23:43:40 gbox-1 pluto[3352]: Could not change to directory '/etc/ipsec.d/cacerts': /
Jul 31 23:43:40 gbox-1 pluto[3352]: Could not change to directory '/etc/ipsec.d/aacerts': /
Jul 31 23:43:40 gbox-1 pluto[3352]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Jul 31 23:43:40 gbox-1 pluto[3352]: Could not change to directory '/etc/ipsec.d/crls'
Jul 31 23:43:40 gbox-1 pluto[3352]: | selinux support is NOT enabled.
Jul 31 23:43:40 gbox-1 pluto[3352]: added connection description "vpn"
Jul 31 23:43:40 gbox-1 pluto[3352]: listening for IKE messages
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth1/eth1 10.180.3.132:500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth1/eth1 10.180.3.132:4500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth0/eth0 50.55.153.121:500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth0/eth0 50.55.153.121:4500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface lo/lo 127.0.0.1:500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface lo/lo 127.0.0.1:4500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface eth0/eth0 2001:4800:780e:510:acf:6c9b:ffd8:94cd:500
Jul 31 23:43:40 gbox-1 pluto[3352]: adding interface lo/lo ::1:500
Jul 31 23:43:40 gbox-1 pluto[3352]: loading secrets from "/etc/ipsec.secrets"
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: initiating Aggressive Mode #1, connection "vpn"
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: received Vendor ID payload [Cisco-Unity]
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: received Vendor ID payload [XAUTH]
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: received Vendor ID payload [Dead Peer Detection]
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: ignoring Vendor ID payload [FRAGMENTATION c0000000]
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: Aggressive mode peer ID is ID_IPV4_ADDR: '41.78.1.143'
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: received Hash Payload does not match computed value
Jul 31 23:43:40 gbox-1 pluto[3352]: "vpn" #1: sending notification INVALID_HASH_INFORMATION to 41.78.1.143:500
Jul 31 23:43:48 gbox-1 pluto[3352]: "vpn" #1: discarding duplicate packet; already STATE_AGGR_I1
Jul 31 23:43:56 gbox-1 pluto[3352]: "vpn" #1: discarding duplicate packet; already STATE_AGGR_I1
Jul 31 23:44:04 gbox-1 pluto[3352]: "vpn" #1: discarding duplicate packet; already STATE_AGGR_I1
Jul 31 23:44:12 gbox-1 pluto[3352]: "vpn" #1: encrypted Informational Exchange message is invalid because no key is known

Configuração em ipsec.conf

version 2.0

config setup
        protostack=auto
        #netkey
        nat_traversal=yes
        #forceencaps=yes
        #plutodebug=none

conn vpn
        type=tunnel
        authby=secret
        auto=start
        pfs=yes
        ike=3des-sha1;modp1024!
        phase2alg=3des-sha1;
        aggrmode=yes
        left=50.55.153.121
        right=41.78.1.143
        leftsubnet=10.180.3.132/255.255.128.0
        leftnexthop=50.55.153.121
        leftsourceip=10.180.3.132
        rightsubnet=172.27.176.125/255.255.255.255
        rightnexthop=41.78.1.143
        rightsourceip=172.27.176.125

Configuração em ipsec.secrets

%any %any : PSK "not_the_actual_psk"

Saída de ipsec.verify

[root@gbox-1 log]# ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.32/K2.6.32-431.11.2.el6.x86_64 (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing for disabled ICMP send_redirects              [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/send_redirects
  or NETKEY will cause the sending of bogus ICMP redirects!

NETKEY detected, testing for disabled ICMP accept_redirects     [FAILED]

  Please disable /proc/sys/net/ipv4/conf/*/accept_redirects
  or NETKEY will accept bogus ICMP redirects!

Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]

Opportunistic Encryption DNS checks:
   Looking for TXT in forward dns zone: gbox-1                  [MISSING]
   Does the machine have at least one non-private address?      [OK]
   Looking for TXT in reverse dns zone: 115.171.52.49.in-addr.arpa.     [MISSING]

Saída de ifconfig

[root@gbox-1 ~]# ifconfig
eth0      Link encap:Ethernet  HWaddr BC:76:4E:04:94:B6
          inet addr:50.55.153.121  Bcast:50.55.153.255  Mask:255.255.255.0
          inet6 addr: 2001:4800:780e:510:acf:6c9b:ffd8:94cd/64 Scope:Global
          inet6 addr: fe80::be76:acf:6c9b:ffd8/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5843131 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5444379 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1587187725 (1.4 GiB)  TX bytes:1356473321 (1.2 GiB)
          Interrupt:246

eth1      Link encap:Ethernet  HWaddr BC:76:4E:04:CA:EE
          inet addr:10.180.3.132  Bcast:10.180.127.255  Mask:255.255.128.0
          inet6 addr: fe80::be76:5e32:fd0f:cdae/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6554243 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2800 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:327739177 (312.5 MiB)  TX bytes:205160 (200.3 KiB)
          Interrupt:245

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:10654186 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10654186 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:9532400622 (8.8 GiB)  TX bytes:9532400622 (8.8 GiB)

O cliente e a nossa informação VPN documentada compartilhada

Fase 1 da VPN

Property                      | Client's VAS Device | Our VPN Device
=====================================================================
Encryption Scheme             | IKE                 | IKE
Diffie-Hellman Group          | Group 2             | 2
Encryption Algorithm          | 3DES                | 3DES
Hashing Algorithm             | MD5                 | SHA-1
Main or Aggressive Mode       | Main mode           | Main
Lifetime (for renegotiation)  | 28800 seconds       | 28800

Fase 2 da VPN

Property                      | Client's VAS Device | Our VPN Device
=====================================================================
Encapsulation (ESP or AH)     | ESP                 | ESP
Encryption Algorithm          | 3DES                | 3DES
Authentication Algorithm      | SHA1                | SHA1
Perfect Forward Secrecy       | NO PFS              | Yes, Group-2
Lifetime (for renegotiation)  | 3600 seconds        | 3600
Lifesize (for renegotiation)  | Not Used            | 
Key exchange for Subnets      | Yes                 | 

Informações do dispositivo de gateway

Property                      | Client's VAS Device | Our VPN Device
=====================================================================
IP Address                    | 41.78.1.143         | 50.55.153.121
VPN Device Description        | Cisco ASA 5510      | OpenSwan
DN Information of VPN Gateway |                     | 
(if using certificates)       | NA                  | 
Encryption Domain             | 172.27.176.125-126  | 10.180.3.132