Linux

IPsec site-to-site VPN sometimes does not work

  • April 15, 2018

I have a problem with an IPsec (strongSwan) site-to-site VPN on CentOS (Linux).

I have 2 tunnels in my network:

Security Associations (2 up, 0 connecting):
gateway-second[2]: ESTABLISHED 6 minutes ago, XX.XX.XX.XXX[10.10.20.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
gateway-second{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c016f8d5_i 0e88a657_o
gateway-second{2}:   10.10.20.1/32 === 10.5.30.144/32
gateway-first[1]: ESTABLISHED 6 minutes ago, XX.XX.XX.XXX[10.10.21.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
gateway-first{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd51497c_i 118e08a0_o
gateway-first{1}:   10.10.21.1/32 === 10.5.31.26/32

So my problem is that sometimes, when I restart the VPN server, traffic goes into the tunnels, but sometimes it does not... This is strange, and I do not know what to search for. Maybe you know?

Here is my ipsec.conf:

conn myikesettings
 keyexchange=ikev2
 authby=secret
 left=%defaultroute
 right=XX.XX.XXX.XX
 type=tunnel
 ike=aes256-sha256-modp1024!
 esp=aes256-sha1!
 keyingtries=3
 ikelifetime=86400s
 lifetime=36000
 pfs=no
 closeaction=hold
conn gateway-first
 leftid=10.10.21.1
 leftsubnet=10.10.21.1/32
 rightsubnet=10.5.31.26/32
 also=myikesettings
 auto=start
conn gateway-second
 leftid=10.10.20.1
 leftsubnet=10.10.20.1/32
 rightsubnet=10.5.30.144/32
 also=myikesettings
 auto=start

— charon.log —

Apr  7 20:30:14 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Apr  7 20:30:14 00[CFG] loaded IKE secret for XX.XX.XX.XXX YY.YY.YYY.YY
Apr  7 20:30:14 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Apr  7 20:30:14 00[JOB] spawning 16 worker threads
Apr  7 20:30:14 06[CFG] received stroke: add connection 'gateway-second'
Apr  7 20:30:14 06[CFG] added configuration 'gateway-second'
Apr  7 20:30:14 07[CFG] received stroke: initiate 'gateway-second'
Apr  7 20:30:14 07[IKE] <gateway-second|1> initiating IKE_SA gateway-second[1] to YY.YY.YYY.YY
Apr  7 20:30:14 07[ENC] <gateway-second|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr  7 20:30:14 07[NET] <gateway-second|1> sending packet: from XX.XX.XX.XXX[500] to YY.YY.YYY.YY[500] (338 bytes)
Apr  7 20:30:14 09[CFG] received stroke: add connection 'gateway-first'
Apr  7 20:30:14 09[CFG] added configuration 'gateway-first'
Apr  7 20:30:14 11[CFG] received stroke: initiate 'gateway-first'
Apr  7 20:30:14 11[IKE] <gateway-first|2> initiating IKE_SA gateway-first[2] to YY.YY.YYY.YY
Apr  7 20:30:14 11[ENC] <gateway-first|2> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr  7 20:30:14 11[NET] <gateway-first|2> sending packet: from XX.XX.XX.XXX[500] to YY.YY.YYY.YY[500] (338 bytes)
Apr  7 20:30:14 13[NET] <gateway-second|1> received packet: from YY.YY.YYY.YY[500] to XX.XX.XX.XXX[500] (438 bytes)
Apr  7 20:30:14 13[ENC] <gateway-second|1> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]
Apr  7 20:30:14 13[IKE] <gateway-second|1> received Cisco Delete Reason vendor ID
Apr  7 20:30:14 13[IKE] <gateway-second|1> received Cisco Copyright (c) 2009 vendor ID
Apr  7 20:30:14 13[IKE] <gateway-second|1> received FRAGMENTATION vendor ID
Apr  7 20:30:14 13[IKE] <gateway-second|1> authentication of '10.10.21.1' (myself) with pre-shared key
Apr  7 20:30:14 13[IKE] <gateway-second|1> establishing CHILD_SA gateway-second
Apr  7 20:30:14 13[ENC] <gateway-second|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr  7 20:30:14 13[NET] <gateway-second|1> sending packet: from XX.XX.XX.XXX[4500] to YY.YY.YYY.YY[4500] (288 bytes)
Apr  7 20:30:14 15[NET] <gateway-first|2> received packet: from YY.YY.YYY.YY[500] to XX.XX.XX.XXX[500] (438 bytes)
Apr  7 20:30:14 15[ENC] <gateway-first|2> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]
Apr  7 20:30:14 15[IKE] <gateway-first|2> received Cisco Delete Reason vendor ID
Apr  7 20:30:14 15[IKE] <gateway-first|2> received Cisco Copyright (c) 2009 vendor ID
Apr  7 20:30:14 15[IKE] <gateway-first|2> received FRAGMENTATION vendor ID
Apr  7 20:30:14 15[IKE] <gateway-first|2> authentication of '10.10.20.1' (myself) with pre-shared key
Apr  7 20:30:14 15[IKE] <gateway-first|2> establishing CHILD_SA gateway-first
Apr  7 20:30:14 15[ENC] <gateway-first|2> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr  7 20:30:14 15[NET] <gateway-first|2> sending packet: from XX.XX.XX.XXX[4500] to YY.YY.YYY.YY[4500] (288 bytes)
Apr  7 20:30:14 05[NET] <gateway-second|1> received packet: from YY.YY.YYY.YY[4500] to XX.XX.XX.XXX[4500] (256 bytes)
Apr  7 20:30:14 05[ENC] <gateway-second|1> parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr  7 20:30:14 05[IKE] <gateway-second|1> authentication of 'YY.YY.YYY.YY' with pre-shared key successful
Apr  7 20:30:14 05[IKE] <gateway-second|1> IKE_SA gateway-second[1] established between XX.XX.XX.XXX[10.10.21.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
Apr  7 20:30:14 05[IKE] <gateway-second|1> scheduling reauthentication in 85478s
Apr  7 20:30:14 05[IKE] <gateway-second|1> maximum IKE_SA lifetime 86018s
Apr  7 20:30:14 05[IKE] <gateway-second|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr  7 20:30:14 05[IKE] <gateway-second|1> CHILD_SA gateway-second{1} established with SPIs c341bc05_i d8e034cf_o and TS 10.10.21.1/32 === 10.5.31.26/32
Apr  7 20:30:14 04[NET] <gateway-first|2> received packet: from YY.YY.YYY.YY[4500] to XX.XX.XX.XXX[4500] (256 bytes)
Apr  7 20:30:14 04[ENC] <gateway-first|2> parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr  7 20:30:14 04[IKE] <gateway-first|2> authentication of 'YY.YY.YYY.YY' with pre-shared key successful
Apr  7 20:30:14 04[IKE] <gateway-first|2> IKE_SA gateway-first[2] established between XX.XX.XX.XXX[10.10.20.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
Apr  7 20:30:14 04[IKE] <gateway-first|2> scheduling reauthentication in 85371s
Apr  7 20:30:14 04[IKE] <gateway-first|2> maximum IKE_SA lifetime 85911s
Apr  7 20:30:14 04[IKE] <gateway-first|2> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr  7 20:30:14 04[IKE] <gateway-first|2> CHILD_SA gateway-first{2} established with SPIs cc5c14b6_i d89a3328_o and TS 10.10.20.1/32 === 10.5.30.144/32

Solved by getting one more public IP for the server. This is because the remote site cannot establish 2 tunnels to the same peer.
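As an added check (not from the original post), the following Python script parses the ipsec.conf and charon.log excerpts shown above and reports, per conn, where the local identity strongSwan authenticated with and the traffic selectors it installed differ from that conn's leftid, leftsubnet and rightsubnet. The excerpts are embedded as constructed sample data; run on them, it flags the IKE_SA labelled gateway-second for carrying gateway-first's identity and selectors, and vice versa, which is what the log above shows when two conns share the same left/right peer pair. It assumes one traffic selector per side in the CHILD_SA line.

```python
import re
# Constructed excerpts of the ipsec.conf and charon.log from the post above
IPSEC_CONF = """conn gateway-first
 leftid=10.10.21.1
 leftsubnet=10.10.21.1/32
 rightsubnet=10.5.31.26/32
conn gateway-second
 leftid=10.10.20.1
 leftsubnet=10.10.20.1/32
 rightsubnet=10.5.30.144/32
"""
CHARON_LOG = """Apr  7 20:30:14 13[IKE] <gateway-second|1> authentication of '10.10.21.1' (myself) with pre-shared key
Apr  7 20:30:14 15[IKE] <gateway-first|2> authentication of '10.10.20.1' (myself) with pre-shared key
Apr  7 20:30:14 05[IKE] <gateway-second|1> CHILD_SA gateway-second{1} established with SPIs c341bc05_i d8e034cf_o and TS 10.10.21.1/32 === 10.5.31.26/32
Apr  7 20:30:14 04[IKE] <gateway-first|2> CHILD_SA gateway-first{2} established with SPIs cc5c14b6_i d89a3328_o and TS 10.10.20.1/32 === 10.5.30.144/32
"""
AUTH_RE = re.compile(r"<(?P<conn>[\w-]+)\|\d+> authentication of '(?P<id>[^']+)' \(myself\)")
TS_RE = re.compile(r"CHILD_SA (?P<conn>[\w-]+)\{\d+\} established with .* and TS (?P<local>\S+) === (?P<remote>\S+)")

def parse_conf(text):
    """Map conn name -> {key: value} for the conn sections of an ipsec.conf excerpt."""
    conns, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif "=" in line and cur is not None:
            key, _, value = line.partition("=")
            cur[key.strip()] = value.strip()
    return conns

def parse_log(text):
    """Map conn name -> what charon actually used: authenticated local id and child TS."""
    seen = {}
    for line in text.splitlines():
        if m := AUTH_RE.search(line):
            seen.setdefault(m["conn"], {})["id"] = m["id"]
        elif m := TS_RE.search(line):  # assumes a single selector per side
            seen.setdefault(m["conn"], {}).update(local=m["local"], remote=m["remote"])
    return seen

def find_mismatches(conf, observed):
    """Return (conn, ipsec.conf key, expected, actual) where the log disagrees with the config."""
    out = []
    for conn, got in observed.items():
        for log_key, conf_key in (("id", "leftid"), ("local", "leftsubnet"), ("remote", "rightsubnet")):
            want = conf.get(conn, {}).get(conf_key)
            if want is not None and log_key in got and got[log_key] != want:
                out.append((conn, conf_key, want, got[log_key]))
    return out

for item in find_mismatches(parse_conf(IPSEC_CONF), parse_log(CHARON_LOG)):
    print("%s: %s expected %s, log shows %s" % item)
```

On a live system, feed it the real /etc/strongswan/ipsec.conf and the charon.log lines around an `initiate` to see whether the negotiated identity and selectors belong to the conn name charon printed.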

Quoted from: https://serverfault.com/questions/906450