Linux
IPsec site-to-site VPN sometimes does not work
I have a problem with an IPsec (strongSwan) site-to-site VPN on CentOS (Linux).
I have 2 tunnels in my network:
Security Associations (2 up, 0 connecting):
gateway-second[2]: ESTABLISHED 6 minutes ago, XX.XX.XX.XXX[10.10.20.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
gateway-second{2}: INSTALLED, TUNNEL, reqid 2, ESP SPIs: c016f8d5_i 0e88a657_o
gateway-second{2}: 10.10.20.1/32 === 10.5.30.144/32
gateway-first[1]: ESTABLISHED 6 minutes ago, XX.XX.XX.XXX[10.10.21.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
gateway-first{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd51497c_i 118e08a0_o
gateway-first{1}: 10.10.21.1/32 === 10.5.31.26/32
So my problem is that sometimes, when I restart the VPN server, traffic goes into the tunnel, but sometimes it does not... It is very strange and I do not know what to search for. Maybe you know?
Here is my ipsec.conf:
conn myikesettings
    keyexchange=ikev2
    authby=secret
    left=%defaultroute
    right=XX.XX.XXX.XX
    type=tunnel
    ike=aes256-sha256-modp1024!
    esp=aes256-sha1!
    keyingtries=3
    ikelifetime=86400s
    lifetime=36000
    pfs=no
    closeaction=hold

conn gateway-first
    leftid=10.10.21.1
    leftsubnet=10.10.21.1/32
    rightsubnet=10.5.31.26/32
    also=myikesettings
    auto=start

conn gateway-second
    leftid=10.10.20.1
    leftsubnet=10.10.20.1/32
    rightsubnet=10.5.30.144/32
    also=myikesettings
    auto=start
— charon.log —
Apr 7 20:30:14 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Apr 7 20:30:14 00[CFG] loaded IKE secret for XX.XX.XX.XXX YY.YY.YYY.YY
Apr 7 20:30:14 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Apr 7 20:30:14 00[JOB] spawning 16 worker threads
Apr 7 20:30:14 06[CFG] received stroke: add connection 'gateway-second'
Apr 7 20:30:14 06[CFG] added configuration 'gateway-second'
Apr 7 20:30:14 07[CFG] received stroke: initiate 'gateway-second'
Apr 7 20:30:14 07[IKE] <gateway-second|1> initiating IKE_SA gateway-second[1] to YY.YY.YYY.YY
Apr 7 20:30:14 07[ENC] <gateway-second|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 7 20:30:14 07[NET] <gateway-second|1> sending packet: from XX.XX.XX.XXX[500] to YY.YY.YYY.YY[500] (338 bytes)
Apr 7 20:30:14 09[CFG] received stroke: add connection 'gateway-first'
Apr 7 20:30:14 09[CFG] added configuration 'gateway-first'
Apr 7 20:30:14 11[CFG] received stroke: initiate 'gateway-first'
Apr 7 20:30:14 11[IKE] <gateway-first|2> initiating IKE_SA gateway-first[2] to YY.YY.YYY.YY
Apr 7 20:30:14 11[ENC] <gateway-first|2> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr 7 20:30:14 11[NET] <gateway-first|2> sending packet: from XX.XX.XX.XXX[500] to YY.YY.YYY.YY[500] (338 bytes)
Apr 7 20:30:14 13[NET] <gateway-second|1> received packet: from YY.YY.YYY.YY[500] to XX.XX.XX.XXX[500] (438 bytes)
Apr 7 20:30:14 13[ENC] <gateway-second|1> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]
Apr 7 20:30:14 13[IKE] <gateway-second|1> received Cisco Delete Reason vendor ID
Apr 7 20:30:14 13[IKE] <gateway-second|1> received Cisco Copyright (c) 2009 vendor ID
Apr 7 20:30:14 13[IKE] <gateway-second|1> received FRAGMENTATION vendor ID
Apr 7 20:30:14 13[IKE] <gateway-second|1> authentication of '10.10.21.1' (myself) with pre-shared key
Apr 7 20:30:14 13[IKE] <gateway-second|1> establishing CHILD_SA gateway-second
Apr 7 20:30:14 13[ENC] <gateway-second|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr 7 20:30:14 13[NET] <gateway-second|1> sending packet: from XX.XX.XX.XXX[4500] to YY.YY.YYY.YY[4500] (288 bytes)
Apr 7 20:30:14 15[NET] <gateway-first|2> received packet: from YY.YY.YYY.YY[500] to XX.XX.XX.XXX[500] (438 bytes)
Apr 7 20:30:14 15[ENC] <gateway-first|2> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]
Apr 7 20:30:14 15[IKE] <gateway-first|2> received Cisco Delete Reason vendor ID
Apr 7 20:30:14 15[IKE] <gateway-first|2> received Cisco Copyright (c) 2009 vendor ID
Apr 7 20:30:14 15[IKE] <gateway-first|2> received FRAGMENTATION vendor ID
Apr 7 20:30:14 15[IKE] <gateway-first|2> authentication of '10.10.20.1' (myself) with pre-shared key
Apr 7 20:30:14 15[IKE] <gateway-first|2> establishing CHILD_SA gateway-first
Apr 7 20:30:14 15[ENC] <gateway-first|2> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr 7 20:30:14 15[NET] <gateway-first|2> sending packet: from XX.XX.XX.XXX[4500] to YY.YY.YYY.YY[4500] (288 bytes)
Apr 7 20:30:14 05[NET] <gateway-second|1> received packet: from YY.YY.YYY.YY[4500] to XX.XX.XX.XXX[4500] (256 bytes)
Apr 7 20:30:14 05[ENC] <gateway-second|1> parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr 7 20:30:14 05[IKE] <gateway-second|1> authentication of 'YY.YY.YYY.YY' with pre-shared key successful
Apr 7 20:30:14 05[IKE] <gateway-second|1> IKE_SA gateway-second[1] established between XX.XX.XX.XXX[10.10.21.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
Apr 7 20:30:14 05[IKE] <gateway-second|1> scheduling reauthentication in 85478s
Apr 7 20:30:14 05[IKE] <gateway-second|1> maximum IKE_SA lifetime 86018s
Apr 7 20:30:14 05[IKE] <gateway-second|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 7 20:30:14 05[IKE] <gateway-second|1> CHILD_SA gateway-second{1} established with SPIs c341bc05_i d8e034cf_o and TS 10.10.21.1/32 === 10.5.31.26/32
Apr 7 20:30:14 04[NET] <gateway-first|2> received packet: from YY.YY.YYY.YY[4500] to XX.XX.XX.XXX[4500] (256 bytes)
Apr 7 20:30:14 04[ENC] <gateway-first|2> parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr 7 20:30:14 04[IKE] <gateway-first|2> authentication of 'YY.YY.YYY.YY' with pre-shared key successful
Apr 7 20:30:14 04[IKE] <gateway-first|2> IKE_SA gateway-first[2] established between XX.XX.XX.XXX[10.10.20.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
Apr 7 20:30:14 04[IKE] <gateway-first|2> scheduling reauthentication in 85371s
Apr 7 20:30:14 04[IKE] <gateway-first|2> maximum IKE_SA lifetime 85911s
Apr 7 20:30:14 04[IKE] <gateway-first|2> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr 7 20:30:14 04[IKE] <gateway-first|2> CHILD_SA gateway-first{2} established with SPIs cc5c14b6_i d89a3328_o and TS 10.10.20.1/32 === 10.5.30.144/32
Solved by obtaining one more public IP for the server. This is because the remote site could not establish 2 tunnels to the same peer.