Ipsec

ipsec vpn with racoon drops traffic on phase 1 renegotiation

  • May 25, 2016

We are running racoon on Linux, connecting to a Checkpoint firewall. The connection works fine, but every 24 hours we see an outage in traffic corresponding to the phase 1 regeneration.

Our setup is as follows:

Local end

racoon from ipsec-tools 0.8.0, installed from the RPM on Amazon Linux.

Local IP: 10.130.0.253

Local subnet: 10.130.0.252/30

This is running inside an AWS VPC, i.e. it is on a private subnet, so we have NAT traversal enabled. We bind the VPN to a sub-interface and use iptables to translate the vpn connection to the primary address, and to NAT traffic destined for the remote LAN to the sub-interface. This allows the host to act as a VPN gateway for other hosts and works well. The iptables rules:

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
SNAT       all  --  10.130.0.253         2.2.2.2       to:10.100.200.112
SNAT       all  --  0.0.0.0/0            10.128.80.0/24       to:10.130.0.253

Remote end:

VPN gateway IP: 2.2.2.2 (anonymised)

Remote subnet: 10.128.80.0/24

Our local configuration is as follows:

/etc/racoon/racoon.conf:

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

log debug2;

path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";


# Listen on sub-interface - initial connection to establish tunnel is translated to primary IP by iptables
listen {
 isakmp 10.130.0.253 [500];
 isakmp_natt 10.130.0.253 [4500];
}

timer {
natt_keepalive 1 minute ;
}


# CP VPN-1
remote 2.2.2.2
{
 exchange_mode main;
 lifetime time 24 hour;

 nat_traversal on;

 dpd_delay 20;


 proposal {
   encryption_algorithm 3des;
   hash_algorithm sha1;
   authentication_method pre_shared_key;
   dh_group 2;
 }
}

# net-to-net
sainfo address 10.130.0.252/30 any address 10.128.80.0/24 any
{
 pfs_group 2;
       lifetime time 1 hour;
       encryption_algorithm 3des;
       authentication_algorithm hmac_sha1 ;
       compression_algorithm deflate ;
}

# gateway to gateway
sainfo address 10.130.0.253/32 any address 2.2.2.2/32 any
{
       lifetime time 1 hour;
       encryption_algorithm 3des;
       authentication_algorithm hmac_sha1 ;
       compression_algorithm deflate ;
}

/etc/racoon/setkey.sh

#!/sbin/setkey -f

# First of all flush the SPD database
flush;
spdflush;

# Gateway to Gateway
spdadd 10.130.0.253 2.2.2.2 any -P out ipsec esp/tunnel/10.130.0.253-2.2.2.2/unique;
spdadd 2.2.2.2 10.130.0.253 any -P in  ipsec esp/tunnel/2.2.2.2-10.130.0.253/unique;


# Linux-racoon -> CP VPN-1
spdadd 10.130.0.252/30 10.128.80.0/24 any -P out ipsec esp/tunnel/10.130.0.253-2.2.2.2/unique;

# CP VPN-1 > Linux-racoon
spdadd 10.128.80.0/24 10.130.0.252/30 any -P in  ipsec esp/tunnel/2.2.2.2-10.130.0.253/unique;

We recently got some alerts about the VPN from monitoring, so I set up a more detailed monitoring script which connects to the remote server every minute. It appears we have a large amount of downtime every 24 hours. My script shows when the connection went down and when it came back up:

Fri Jan 18 20:24:33 UTC 2013 Connection went down
Fri Jan 18 20:48:36 UTC 2013 Connection came up

Sat Jan 19 20:48:36 UTC 2013 Connection went down
Sat Jan 19 21:00:40 UTC 2013 Connection came up

Sun Jan 20 21:00:38 UTC 2013 Connection went down
Sun Jan 20 21:12:43 UTC 2013 Connection came up

As you can see, the connection goes down exactly 24 hours after it was last established.

These outages appear to correspond to phase 1 renegotiation in the VPN log, which makes sense since the phase 1 lifetime is 24 hours:

Friday:

Jan 18 20:24:32 ip-10-100-200-112 racoon: INFO: ISAKMP-SA expired 10.130.0.253[500]-2.2.2.2[500] spi:13b2510d0bc467f9:ff649237b81a65b7
Jan 18 20:24:32 ip-10-100-200-112 racoon: INFO: ISAKMP-SA deleted 10.130.0.253[500]-2.2.2.2[500] spi:13b2510d0bc467f9:ff649237b81a65b7
Jan 18 20:36:34 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=213727991(0xcbd3af7)
Jan 18 20:36:34 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=3400029604(0xcaa855a4)
Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=213727991(0xcbd3af7)
Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=3400029604(0xcaa855a4)
Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: IPsec-SA request for 2.2.2.2 queued due to no phase1 found.
Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: initiate new phase 1 negotiation: 10.130.0.253[500]<=>2.2.2.2[500]
Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: begin Identity Protection mode.
Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: ISAKMP-SA established 10.130.0.253[500]-2.2.2.2[500] spi:c4978718cd291fde:01245a461d26cc34
Jan 18 20:48:35 ip-10-100-200-112 racoon: INFO: initiate new phase 2 negotiation: 10.130.0.253[500]<=>2.2.2.2[500]
Jan 18 20:48:35 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=264213233(0xfbf92f1)
Jan 18 20:48:35 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=919162535(0x36c94ea7)

Saturday:

Jan 19 20:48:34 ip-10-100-200-112 racoon: INFO: ISAKMP-SA expired 10.130.0.253[500]-2.2.2.2[500] spi:c4978718cd291fde:01245a461d26cc34
Jan 19 20:48:34 ip-10-100-200-112 racoon: INFO: ISAKMP-SA deleted 10.130.0.253[500]-2.2.2.2[500] spi:c4978718cd291fde:01245a461d26cc34
Jan 19 20:48:36 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=229822093(0xdb2ce8d)
Jan 19 20:48:36 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=2536548534(0x9730a8b6)
Jan 19 21:00:36 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=229822093(0xdb2ce8d)
Jan 19 21:00:36 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=2536548534(0x9730a8b6)
Jan 19 21:00:37 ip-10-100-200-112 racoon: INFO: IPsec-SA request for 2.2.2.2 queued due to no phase1 found.
Jan 19 21:00:37 ip-10-100-200-112 racoon: INFO: initiate new phase 1 negotiation: 10.130.0.253[500]<=>2.2.2.2[500]
Jan 19 21:00:37 ip-10-100-200-112 racoon: INFO: begin Identity Protection mode.
Jan 19 21:00:38 ip-10-100-200-112 racoon: INFO: ISAKMP-SA established 10.130.0.253[500]-2.2.2.2[500] spi:8b7e98a2cc9d55cb:0b4e8a4cbca2ada9
Jan 19 21:00:38 ip-10-100-200-112 racoon: INFO: initiate new phase 2 negotiation: 10.130.0.253[500]<=>2.2.2.2[500]
Jan 19 21:00:39 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=111999639(0x6acfa97)
Jan 19 21:00:39 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=577442054(0x226b1106)

Sunday:

Jan 20 21:00:38 ip-10-100-200-112 racoon: INFO: ISAKMP-SA expired 10.130.0.253[500]-2.2.2.2[500] spi:8b7e98a2cc9d55cb:0b4e8a4cbca2ada9
Jan 20 21:00:38 ip-10-100-200-112 racoon: INFO: ISAKMP-SA deleted 10.130.0.253[500]-2.2.2.2[500] spi:8b7e98a2cc9d55cb:0b4e8a4cbca2ada9
Jan 20 21:00:39 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=131435403(0x7d58b8b)
Jan 20 21:00:39 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=272995718(0x10459586)
Jan 20 21:12:39 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=131435403(0x7d58b8b)
Jan 20 21:12:39 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=272995718(0x10459586)
Jan 20 21:12:40 ip-10-100-200-112 racoon: INFO: IPsec-SA request for 2.2.2.2 queued due to no phase1 found.
Jan 20 21:12:40 ip-10-100-200-112 racoon: INFO: initiate new phase 1 negotiation: 10.130.0.253[500]<=>2.2.2.2[500]
Jan 20 21:12:40 ip-10-100-200-112 racoon: INFO: begin Identity Protection mode.
Jan 20 21:12:40 ip-10-100-200-112 racoon: INFO: ISAKMP-SA established 10.130.0.253[500]-2.2.2.2[500] spi:e6d2b9ccb25f4992:31807020144b9a1e
Jan 20 21:12:41 ip-10-100-200-112 racoon: INFO: initiate new phase 2 negotiation: 10.130.0.253[500]<=>2.2.2.2[500]
Jan 20 21:12:41 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=179370287(0xab0f92f)
Jan 20 21:12:41 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=1696204357(0x651a0645)

So it seems phase 1 renegotiation takes at least 12 minutes. Does anyone know why this might be and what we can do to fix it, so that we get uninterrupted traffic over the VPN?
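The outage windows in the monitoring script can be read directly from the racoon log: pair each "ISAKMP-SA expired" event with the next "IPsec-SA established" event. The following is an added example (not part of the question or of ipsec-tools) that does this over a constructed subset of the Friday log lines quoted above; the year 2013 is assumed because syslog timestamps carry none.

```python
"""Measure tunnel outages from racoon syslog lines.

Added example (not from the original post): pairs each 'ISAKMP-SA expired'
event with the next 'IPsec-SA established' event and reports the gap, so the
downtime the monitoring script observed can be confirmed from the racoon log.
"""
import re
from datetime import datetime

# Syslog timestamps carry no year; the page's log is from Jan 2013 (assumption).
LOG_YEAR = 2013
_LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ racoon: INFO: (.*)$")

def parse_line(line):
    """Return (timestamp, message) or None for lines that are not racoon INFO events."""
    m = _LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2)

def find_outages(lines):
    """Return a list of (phase1_expired_at, tunnel_restored_at, seconds_down).

    An outage opens at 'ISAKMP-SA expired' and closes at the first
    'IPsec-SA established' that follows it (a new phase 2 SA on the new phase 1).
    """
    outages, down_since = [], None
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, msg = parsed
        if msg.startswith("ISAKMP-SA expired") and down_since is None:
            down_since = ts
        elif msg.startswith("IPsec-SA established") and down_since is not None:
            outages.append((down_since, ts, int((ts - down_since).total_seconds())))
            down_since = None
    return outages

# Constructed sample: a subset of the Friday log lines quoted in the question.
SAMPLE_LOG = """\
Jan 18 20:24:32 ip-10-100-200-112 racoon: INFO: ISAKMP-SA expired 10.130.0.253[500]-2.2.2.2[500] spi:13b2510d0bc467f9:ff649237b81a65b7
Jan 18 20:24:32 ip-10-100-200-112 racoon: INFO: ISAKMP-SA deleted 10.130.0.253[500]-2.2.2.2[500] spi:13b2510d0bc467f9:ff649237b81a65b7
Jan 18 20:36:34 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=213727991(0xcbd3af7)
Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: IPsec-SA request for 2.2.2.2 queued due to no phase1 found.
Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: ISAKMP-SA established 10.130.0.253[500]-2.2.2.2[500] spi:c4978718cd291fde:01245a461d26cc34
Jan 18 20:48:35 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=264213233(0xfbf92f1)
""".splitlines()

if __name__ == "__main__":
    for down, up, secs in find_outages(SAMPLE_LOG):
        print(f"{down:%b %d %H:%M:%S} -> {up:%H:%M:%S}: tunnel down {secs // 60} min {secs % 60} s")
```

Run against the full log, the reported gaps line up with the "went down" / "came up" pairs from the monitoring script, which is the quickest way to confirm the outage is the phase 1 expiry rather than the ESP SA expiry twelve minutes later.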

Sorry for answering my own question - I moved from ipsec-tools to Openswan and the VPN is now completely stable. ipsec-tools appears to be a dead project, whereas Openswan is maintained and is now the default VPN solution in RHEL.

If you enable dead peer detection then Racoon should detect the phase 1 expiry and renegotiate automatically, assuming I have diagnosed the problem correctly.

By default, dpd is disabled;

dpd_delay 0; is the default.

Setting a sensible number (in seconds) between dpd checks will enable it;

dpd_delay 30;

Trying this in anger now on an ipsec vpn where I am doing the same thing.

Source: https://serverfault.com/questions/473511