Ipsec
How to configure the proposal for IPsec rekeying
I have a VPN connection that runs successfully over IPsec (strongSwan). However, at least once a day the connection drops. I think this is related to rekeying, see the log:
Aug 25 02:34:25 myserver charon: 09[KNL] creating rekey job for CHILD_SA ESP/0xcbd335d0/xxx.xxx.xxx.xxx
Aug 25 02:34:25 myserver charon: 10[IKE] establishing CHILD_SA infonline_datapool{2} reqid 1
Aug 25 02:34:25 myserver charon: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Aug 25 02:34:25 myserver charon: 12[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Aug 25 02:34:25 myserver charon: 12[IKE] no acceptable proposal found
Aug 25 02:34:25 myserver charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
Aug 25 02:34:25 myserver charon: 12[IKE] sending DELETE for ESP CHILD_SA with SPI cbd2f4c3
Aug 25 02:34:25 myserver charon: 11[IKE] CHILD_SA rekeying failed, trying again in 10 seconds
Aug 25 02:34:35 myserver charon: 15[IKE] establishing CHILD_SA infonline_datapool{3} reqid 1
Aug 25 02:34:35 myserver charon: 06[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Aug 25 02:34:35 myserver charon: 06[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Aug 25 02:34:35 myserver charon: 06[IKE] no acceptable proposal found
Aug 25 02:34:35 myserver charon: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
Aug 25 02:34:35 myserver charon: 06[IKE] sending DELETE for ESP CHILD_SA with SPI c068db7b
Aug 25 02:34:35 myserver charon: 07[IKE] received DELETE for ESP CHILD_SA with SPI c7a90494
Aug 25 02:34:35 myserver charon: 07[IKE] closing CHILD_SA infonline_datapool{1} with SPIs cbd335d0_i (34701240 bytes) c7a90494_o (451113 bytes) and TS yyy.yyy.yyy.0/25 === 10.10.42.0/24
Aug 25 02:34:35 myserver charon: 07[IKE] sending DELETE for ESP CHILD_SA with SPI cbd335d0
Aug 25 02:34:35 myserver charon: 07[IKE] CHILD_SA closed
Aug 25 02:34:35 myserver charon: 07[IKE] detected CHILD_REKEY collision with CHILD_DELETE
Aug 25 02:34:35 myserver charon: 09[IKE] received DELETE for unknown ESP CHILD_SA with SPI 632d34ba
Aug 25 02:34:35 myserver charon: 09[IKE] CHILD_SA closed
Aug 25 02:34:35 myserver charon: 10[IKE] received DELETE for unknown ESP CHILD_SA with SPI 632d34ba
Aug 25 02:34:35 myserver charon: 10[IKE] CHILD_SA closed
Aug 25 02:34:35 myserver charon: 12[IKE] received DELETE for IKE_SA infonline_datapool[1]
Aug 25 02:34:35 myserver charon: 12[IKE] deleting IKE_SA infonline_datapool[1] between xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]...yyy.yyy.yyy.yyy[yyy.yyy.yyy.yyy]
Aug 25 02:34:35 myserver charon: 12[IKE] IKE_SA deleted
I think the key lines here are:
Aug 25 02:34:25 myserver charon: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Aug 25 02:34:25 myserver charon: 12[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Aug 25 02:34:25 myserver charon: 12[IKE] no acceptable proposal found
The configuration is
conn conn_name
    type=tunnel
    authby=secret
    left=xxx.xxx.xxx.xxx
    leftsubnet=xxx.xxx.xxx.0/25
    right=yyy.yyy.yyy.yyy
    rightsubnet=10.10.42.0/24
    ike=aes256-sha256-modp2048
    ikelifetime=86400s
    esp=aes256-sha1-modp2048
    pfs=yes
    auto=start
How do I configure the connection so that it does not drop? (When I restart ipsec, it connects fine.)
Your analysis is accurate, you now just need to draw the correct conclusion :)
You can see the algorithms proposed by the peer in the log message you pointed out. Since you configured SHA-1 and the peer proposed SHA-256, there is no match (the default proposal you have configured does include SHA-256, but no DH group, so it doesn't match either).
So the fix is simple, configure esp=aes256-sha256-modp2048.
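As an added illustration of the matching the answer describes (example code written for this page, not strongSwan's own implementation), the following simplified model parses the `configured proposals` and `received proposals` strings from the question's log and reports, per configured proposal, the first transform type with nothing in common. The transform-name classification and the rule that a DH group listed by only one side is a mismatch are assumptions chosen to reflect the answer's explanation.

```python
# Simplified model of charon's proposal selection on a CHILD_SA rekey (added example,
# not strongSwan code): the first configured proposal sharing at least one algorithm
# in every transform type either side lists wins.  Assumption: only names from the
# question's log are classified; integ precedes enc since AES_XCBC_96 is an integrity alg.
TYPE_PREFIXES = [
    ("integ", ("HMAC_", "AES_XCBC", "AES_CMAC")),
    ("enc", ("AES_CBC", "AES_CTR", "AES_GCM", "3DES", "CHACHA")),
    ("dh", ("MODP_", "ECP_", "CURVE_")),
    ("esn", ("NO_EXT_SEQ", "EXT_SEQ")),
]

def parse_proposals(text):
    """'ESP:A/B, ESP:C/D' (charon's log format) -> [(proto, {ttype: {algs}}), ...]"""
    out = []
    for prop in text.split(","):
        proto, algs = prop.strip().split(":", 1)
        by_type = {}
        for alg in algs.split("/"):
            ttype = next(t for t, p in TYPE_PREFIXES if alg.startswith(p))  # StopIteration if unknown
            by_type.setdefault(ttype, set()).add(alg)
        out.append((proto, by_type))
    return out

def first_mismatch(ctypes, rtypes):
    """Transform type with no common algorithm, or None when every listed type matches."""
    for ttype in ("enc", "integ", "dh", "esn"):
        shared = ctypes.get(ttype, set()) & rtypes.get(ttype, set())
        if not shared and (ttype in ctypes or ttype in rtypes):
            return ttype
    return None

def select_proposal(configured, received):
    """(index of selected configured proposal, common algs) or (None, per-proposal reasons)."""
    reasons = []
    for rproto, rtypes in parse_proposals(received):
        for i, (cproto, ctypes) in enumerate(parse_proposals(configured)):
            bad = first_mismatch(ctypes, rtypes) if cproto == rproto else "proto"
            if bad is None:
                return i, {t: ctypes[t] & rtypes[t] for t in ctypes}
            reasons.append(bad)
    return None, reasons

# Proposal strings copied from the question's log; FIXED is what the answer's esp= line yields.
RECEIVED = "ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ"
CONFIGURED = ("ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, "
              "ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/"
              "HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ")
FIXED = "ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ"  # esp=aes256-sha256-modp2048
```

Running `select_proposal(CONFIGURED, RECEIVED)` gives `(None, ['integ', 'dh'])`: the first configured proposal fails on the integrity algorithm, the default one on the missing DH group, exactly as the answer explains.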