帶有 racoon 的 ipsec vpn 在第 1 階段重新協商時丟棄流量
我們在連接到檢查點防火牆的 Linux 上執行 racoon。連接正常,但我們每 24 小時看到一次流量中斷,對應於第 1 階段的再生。
我們的設置如下:
本地端
來自 ipsec-tools 0.8.0 的 racoon 從 Amazon Linux 上的 RPM 安裝。
本地 IP:10.130.0.253
本地子網:10.130.0.252/30
這是在 AWS VPC 內部執行的,即它在私有子網上。所以我們啟用了 NAT 穿越。我們將 VPN 綁定到子介面,並使用 iptables 將 vpn 連接轉換為主地址,並將發往遠端 LAN 的 NAT 流量轉換為子介面。這允許主機充當其他主機的 VPN 網關,效果很好。iptables 規則:
Chain POSTROUTING (policy ACCEPT) target prot opt source destination SNAT all -- 10.130.0.253 2.2.2.2 to:10.100.200.112 SNAT all -- 0.0.0.0/0 10.128.80.0/24 to:10.130.0.253
遠端:
VPN 網關 IP:2.2.2.2(匿名)
遠端子網:10.128.80.0/24
我們的本地配置如下:
/etc/racoon/racoon.conf:
# Racoon IKE daemon configuration file. # See 'man racoon.conf' for a description of the format and entries. log debug2; path include "/etc/racoon"; path pre_shared_key "/etc/racoon/psk.txt"; path certificate "/etc/racoon/certs"; path script "/etc/racoon/scripts"; # Listen on sub-interface - initial connection to establish tunnel is translated to primary IP by iptables listen { isakmp 10.130.0.253 [500]; isakmp_natt 10.130.0.253 [4500]; } timer { natt_keepalive 1 minute ; } # CP VPN-1 remote 2.2.2.2 { exchange_mode main; lifetime time 24 hour; nat_traversal on; dpd_delay 20; proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key; dh_group 2; } } # net-to-net sainfo address 10.130.0.252/30 any address 10.128.80.0/24 any { pfs_group 2; lifetime time 1 hour; encryption_algorithm 3des; authentication_algorithm hmac_sha1 ; compression_algorithm deflate ; } # gateway to gateway sainfo address 10.130.0.253/32 any address 2.2.2.2/32 any { lifetime time 1 hour; encryption_algorithm 3des; authentication_algorithm hmac_sha1 ; compression_algorithm deflate ; }
/etc/racoon/setkey.sh
#!/sbin/setkey -f # First of all flush the SPD database flush; spdflush; # Gateway to Gateway spdadd 10.130.0.253 2.2.2.2 any -P out ipsec esp/tunnel/10.130.0.253-2.2.2.2/unique; spdadd 2.2.2.2 10.130.0.253 any -P in ipsec esp/tunnel/2.2.2.2-10.130.0.253/unique; # Linux-racoon -> CP VPN-1 spdadd 10.130.0.252/30 10.128.80.0/24 any -P out ipsec esp/tunnel/10.130.0.253-2.2.2.2/unique; # CP VPN-1 > Linux-racoon spdadd 10.128.80.0/24 10.130.0.252/30 any -P in ipsec esp/tunnel/2.2.2.2-10.130.0.253/unique;
我們最近收到了一些關於監控 VPN 的警報,所以我設置了一個更詳細的監控腳本,每分鐘連接到遠端伺服器。似乎我們每 24 小時都會有大量的停機時間。我的腳本顯示連接何時斷開以及何時恢復:
Fri Jan 18 20:24:33 UTC 2013 Connection went down Fri Jan 18 20:48:36 UTC 2013 Connection came up Sat Jan 19 20:48:36 UTC 2013 Connection went down Sat Jan 19 21:00:40 UTC 2013 Connection came up Sun Jan 20 21:00:38 UTC 2013 Connection went down Sun Jan 20 21:12:43 UTC 2013 Connection came up
如您所見,連接在上次建立後正好 24 小時後斷開。
這些中斷似乎對應於 VPN 日誌中的第 1 階段重新協商,這是有道理的,因為第 1 階段的生命週期是 24 小時:
星期五:
Jan 18 20:24:32 ip-10-100-200-112 racoon: INFO: ISAKMP-SA expired 10.130.0.253[500]-2.2.2.2[500] spi:13b2510d0bc467f9:ff649237b81a65b7 Jan 18 20:24:32 ip-10-100-200-112 racoon: INFO: ISAKMP-SA deleted 10.130.0.253[500]-2.2.2.2[500] spi:13b2510d0bc467f9:ff649237b81a65b7 Jan 18 20:36:34 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=213727991(0xcbd3af7) Jan 18 20:36:34 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=3400029604(0xcaa855a4) Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=213727991(0xcbd3af7) Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=3400029604(0xcaa855a4) Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: IPsec-SA request for 2.2.2.2 queued due to no phase1 found. Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: initiate new phase 1 negotiation: 10.130.0.253[500]<=>2.2.2.2[500] Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: begin Identity Protection mode. Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: ISAKMP-SA established 10.130.0.253[500]-2.2.2.2[500] spi:c4978718cd291fde:01245a461d26cc34 Jan 18 20:48:35 ip-10-100-200-112 racoon: INFO: initiate new phase 2 negotiation: 10.130.0.253[500]<=>2.2.2.2[500] Jan 18 20:48:35 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=264213233(0xfbf92f1) Jan 18 20:48:35 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=919162535(0x36c94ea7)
週六:
Jan 19 20:48:34 ip-10-100-200-112 racoon: INFO: ISAKMP-SA expired 10.130.0.253[500]-2.2.2.2[500] spi:c4978718cd291fde:01245a461d26cc34 Jan 19 20:48:34 ip-10-100-200-112 racoon: INFO: ISAKMP-SA deleted 10.130.0.253[500]-2.2.2.2[500] spi:c4978718cd291fde:01245a461d26cc34 Jan 19 20:48:36 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=229822093(0xdb2ce8d) Jan 19 20:48:36 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=2536548534(0x9730a8b6) Jan 19 21:00:36 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=229822093(0xdb2ce8d) Jan 19 21:00:36 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=2536548534(0x9730a8b6) Jan 19 21:00:37 ip-10-100-200-112 racoon: INFO: IPsec-SA request for 2.2.2.2 queued due to no phase1 found. Jan 19 21:00:37 ip-10-100-200-112 racoon: INFO: initiate new phase 1 negotiation: 10.130.0.253[500]<=>2.2.2.2[500] Jan 19 21:00:37 ip-10-100-200-112 racoon: INFO: begin Identity Protection mode. Jan 19 21:00:38 ip-10-100-200-112 racoon: INFO: ISAKMP-SA established 10.130.0.253[500]-2.2.2.2[500] spi:8b7e98a2cc9d55cb:0b4e8a4cbca2ada9 Jan 19 21:00:38 ip-10-100-200-112 racoon: INFO: initiate new phase 2 negotiation: 10.130.0.253[500]<=>2.2.2.2[500] Jan 19 21:00:39 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=111999639(0x6acfa97) Jan 19 21:00:39 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=577442054(0x226b1106)
星期日:
Jan 20 21:00:38 ip-10-100-200-112 racoon: INFO: ISAKMP-SA expired 10.130.0.253[500]-2.2.2.2[500] spi:8b7e98a2cc9d55cb:0b4e8a4cbca2ada9 Jan 20 21:00:38 ip-10-100-200-112 racoon: INFO: ISAKMP-SA deleted 10.130.0.253[500]-2.2.2.2[500] spi:8b7e98a2cc9d55cb:0b4e8a4cbca2ada9 Jan 20 21:00:39 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=131435403(0x7d58b8b) Jan 20 21:00:39 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=272995718(0x10459586) Jan 20 21:12:39 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=131435403(0x7d58b8b) Jan 20 21:12:39 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=272995718(0x10459586) Jan 20 21:12:40 ip-10-100-200-112 racoon: INFO: IPsec-SA request for 2.2.2.2 queued due to no phase1 found. Jan 20 21:12:40 ip-10-100-200-112 racoon: INFO: initiate new phase 1 negotiation: 10.130.0.253[500]<=>2.2.2.2[500] Jan 20 21:12:40 ip-10-100-200-112 racoon: INFO: begin Identity Protection mode. Jan 20 21:12:40 ip-10-100-200-112 racoon: INFO: ISAKMP-SA established 10.130.0.253[500]-2.2.2.2[500] spi:e6d2b9ccb25f4992:31807020144b9a1e Jan 20 21:12:41 ip-10-100-200-112 racoon: INFO: initiate new phase 2 negotiation: 10.130.0.253[500]<=>2.2.2.2[500] Jan 20 21:12:41 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=179370287(0xab0f92f) Jan 20 21:12:41 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=1696204357(0x651a0645)
因此,第一階段的重新談判似乎至少需要 12 分鐘。有誰知道這可能是為什麼以及我們可以做些什麼來解決它,以便我們可以通過 VPN 獲得不間斷的流量?
很抱歉回答我自己的問題 - 我從 ipsec-tools 轉移到 Openswan,VPN 現在完全穩定了。ipsec-tools 似乎是一個死項目,而 Openswan 得到維護,現在是 RHEL 中的預設 VPN 解決方案。
如果您啟用失效對等點檢測,那麼 Racoon 應該會檢測到階段 1 到期,並自動重新協商,假設我已正確診斷出問題。
預設情況下,dpd 被禁用;
dpd_delay 0;是預設值。
在 dpd 檢查之間設置一個合理的數字(以秒為單位)將啟用它;
dpd_delay 30;
現在在我正在做同樣事情的 ipsec vpn 上憤怒地嘗試這個。