Linux

Strongswan 和 Windows 客戶端:連接在幾分鐘內凍結

  • April 17, 2022

在 AWS VPS 上,我安裝了 Strongswan 以將其用作 VPN。它適用於 iPhone 客戶端。但是,當我嘗試從 Windows 客戶端連接時,SA 連接成功建立並在幾分鐘內正常工作,但幾分鐘後(2 到 10 分鐘,在大多數情況下為 2 或更多)連接掛起並且停止通過交通。似乎雙方都認為連接是有效的,至少我看不到任何錯誤跡象。

我花了幾天時間試圖找出問題所在。網際網路上描述這種情況的材料似乎很少。另外,我是 Linux 管理和網路的新手,所以我可能看到了對這個問題的描述和解決方案,但我就是無法理解。我將非常感謝任何幫助。

下面是ipsec.conf(這裡伺服器的真實外部IP替換為EXT.SRVR.IP.ADR

config setup
   uniqueids=never
   charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

conn %default
   keyexchange=ikev2
   ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
   esp=aes128gcm16-sha2_256-ecp256,aes256-sha1!
   fragmentation=yes
   rekey=no
   compress=yes
   dpdaction=clear
   left=%any
   leftauth=pubkey
   leftsourceip=EXT.SRVR.IP.ADR
   leftid=EXT.SRVR.IP.ADR
   leftcert=debian.pem
   leftsendcert=always
   leftsubnet=0.0.0.0/0
   right=%any
   rightauth=pubkey
   rightsourceip=10.10.10.0/24
   rightdns=8.8.8.8,8.8.4.4

conn ikev2-pubkey
   auto=add

這裡是摘錄ipsec.log(真實IP替換為"EXT.SRVR.IP.ADR",對於伺服器的外部IP,分別是它的內部IP和我的Windows客戶端,省略了明顯不相關的行"INT.SRVR.IP.ADR""MY.CLNT.IP.ADR"

Mar 17 12:41:17 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[500] to INT.SRVR.IP.ADR[500]
Mar 17 12:41:17 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:41:17 server-name charon: 07[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i 0000000000000000_r
Mar 17 12:41:17 server-name charon: 07[MGR] created IKE_SA (unnamed)[1]
Mar 17 12:41:17 server-name charon: 07[NET] received packet: from MY.CLNT.IP.ADR[500] to INT.SRVR.IP.ADR[500] (536 bytes)
Mar 17 12:41:17 server-name charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 17 12:41:17 server-name charon: 07[CFG] looking for an ike config for INT.SRVR.IP.ADR...MY.CLNT.IP.ADR
Mar 17 12:41:17 server-name charon: 07[CFG]   candidate: %any...%any, prio 28
Mar 17 12:41:17 server-name charon: 07[CFG] found matching ike config: %any...%any with prio 28
Mar 17 12:41:17 server-name charon: 07[IKE] MY.CLNT.IP.ADR is initiating an IKE_SA
Mar 17 12:41:17 server-name charon: 07[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   proposal matches
Mar 17 12:41:17 server-name charon: 07[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
Mar 17 12:41:17 server-name charon: 07[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 17 12:41:17 server-name charon: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 17 12:41:17 server-name charon: 07[IKE] local host is behind NAT, sending keep alives
Mar 17 12:41:17 server-name charon: 07[IKE] remote host is behind NAT
Mar 17 12:41:17 server-name charon: 07[IKE] sending cert request for "CN=EXT.SRVR.IP.ADR"
Mar 17 12:41:17 server-name charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 17 12:41:17 server-name charon: 07[NET] sending packet: from INT.SRVR.IP.ADR[500] to MY.CLNT.IP.ADR[500] (465 bytes)
Mar 17 12:41:17 server-name charon: 04[NET] sending packet: from INT.SRVR.IP.ADR[500] to MY.CLNT.IP.ADR[500]
Mar 17 12:41:17 server-name charon: 07[MGR] checkin IKE_SA (unnamed)[1]
Mar 17 12:41:17 server-name charon: 07[MGR] checkin of IKE_SA successful
Mar 17 12:41:17 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500]
Mar 17 12:41:17 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:41:17 server-name charon: 08[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:17 server-name charon: 08[MGR] IKE_SA (unnamed)[1] successfully checked out
Mar 17 12:41:17 server-name charon: 08[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500] (3408 bytes)
Mar 17 12:41:17 server-name charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for unknown ca with keyid 39:9e:66:a7:20:3c:4d:06:fb:62:6b:65:87:22:35:57:a0:a0:0a:22
...
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for "CN=EXT.SRVR.IP.ADR"
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for unknown ca with keyid 88:a9:5a:ef:c0:84:fc:13:74:41:6b:b1:63:32:c2:cf:92:59:bb:3b
...
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for unknown ca with keyid 4f:9c:7d:21:79:9c:ad:0e:d8:b9:0c:57:9f:1a:02:99:e7:90:f3:87
Mar 17 12:41:17 server-name charon: 08[IKE] received 67 cert requests for an unknown ca
Mar 17 12:41:17 server-name charon: 08[IKE] received end entity cert "CN=me"
Mar 17 12:41:17 server-name charon: 08[CFG] looking for peer configs matching INT.SRVR.IP.ADR[%any]...MY.CLNT.IP.ADR[CN=me]
Mar 17 12:41:17 server-name charon: 08[CFG]   candidate "ikev2-pubkey", match: 1/1/28 (me/other/ike)
Mar 17 12:41:17 server-name charon: 08[CFG] selected peer config 'ikev2-pubkey'
Mar 17 12:41:17 server-name charon: 08[CFG]   using certificate "CN=me"
Mar 17 12:41:17 server-name charon: 08[CFG]   certificate "CN=me" key: 4096 bit RSA
Mar 17 12:41:17 server-name charon: 08[CFG]   using trusted ca certificate "CN=EXT.SRVR.IP.ADR"
Mar 17 12:41:17 server-name charon: 08[CFG] checking certificate status of "CN=me"
Mar 17 12:41:17 server-name charon: 08[CFG] ocsp check skipped, no ocsp found
Mar 17 12:41:17 server-name charon: 08[CFG] certificate status is not available
Mar 17 12:41:17 server-name charon: 08[CFG]   certificate "CN=EXT.SRVR.IP.ADR" key: 4096 bit RSA
Mar 17 12:41:17 server-name charon: 08[CFG]   reached self-signed root ca with a path length of 0
Mar 17 12:41:17 server-name charon: 08[IKE] authentication of 'CN=me' with RSA signature successful
Mar 17 12:41:17 server-name charon: 08[IKE] processing INTERNAL_IP4_ADDRESS attribute
Mar 17 12:41:17 server-name charon: 08[IKE] processing INTERNAL_IP4_DNS attribute
Mar 17 12:41:17 server-name charon: 08[IKE] processing INTERNAL_IP4_NBNS attribute
Mar 17 12:41:17 server-name charon: 08[IKE] processing INTERNAL_IP4_SERVER attribute
Mar 17 12:41:17 server-name charon: 08[IKE] peer supports MOBIKE
Mar 17 12:41:17 server-name charon: 08[IKE] authentication of 'EXT.SRVR.IP.ADR' (myself) with RSA signature successful
Mar 17 12:41:17 server-name charon: 08[IKE] IKE_SA ikev2-pubkey[1] established between INT.SRVR.IP.ADR[EXT.SRVR.IP.ADR]...MY.CLNT.IP.ADR[CN=me]
Mar 17 12:41:17 server-name charon: 08[IKE] IKE_SA ikev2-pubkey[1] state change: CONNECTING => ESTABLISHED
Mar 17 12:41:17 server-name charon: 08[IKE] sending end entity cert "CN=EXT.SRVR.IP.ADR"
Mar 17 12:41:17 server-name charon: 08[IKE] peer requested virtual IP %any
Mar 17 12:41:17 server-name charon: 08[CFG] assigning new lease to 'CN=me'
Mar 17 12:41:17 server-name charon: 08[IKE] assigning virtual IP 10.10.10.1 to peer 'CN=me'
Mar 17 12:41:17 server-name charon: 08[IKE] building INTERNAL_IP4_DNS attribute
Mar 17 12:41:17 server-name charon: 08[IKE] building INTERNAL_IP4_DNS attribute
Mar 17 12:41:17 server-name charon: 08[CFG] looking for a child config for 0.0.0.0/0 === 0.0.0.0/0
Mar 17 12:41:17 server-name charon: 08[CFG] proposing traffic selectors for us:
Mar 17 12:41:17 server-name charon: 08[CFG]  0.0.0.0/0
Mar 17 12:41:17 server-name charon: 08[CFG] proposing traffic selectors for other:
Mar 17 12:41:17 server-name charon: 08[CFG]  10.10.10.1/32
Mar 17 12:41:17 server-name charon: 08[CFG]   candidate "ikev2-pubkey" with prio 5+1
Mar 17 12:41:17 server-name charon: 08[CFG] found matching child config "ikev2-pubkey" with prio 6
Mar 17 12:41:17 server-name charon: 08[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 08[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 08[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 08[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 08[CFG]   proposal matches
Mar 17 12:41:17 server-name charon: 08[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Mar 17 12:41:17 server-name charon: 08[CFG] configured proposals: ESP:AES_GCM_16_128/ECP_256/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Mar 17 12:41:17 server-name charon: 08[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Mar 17 12:41:17 server-name charon: 08[KNL] got SPI c6bcf84d
Mar 17 12:41:17 server-name charon: 08[CFG] selecting traffic selectors for us:
Mar 17 12:41:17 server-name charon: 08[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Mar 17 12:41:17 server-name charon: 08[CFG] selecting traffic selectors for other:
Mar 17 12:41:17 server-name charon: 08[CFG]  config: 10.10.10.1/32, received: 0.0.0.0/0 => match: 10.10.10.1/32
Mar 17 12:41:17 server-name charon: 08[KNL] adding SAD entry with SPI c6bcf84d and reqid {1}
Mar 17 12:41:17 server-name charon: 08[KNL]   using encryption algorithm AES_CBC with key size 256
Mar 17 12:41:17 server-name charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Mar 17 12:41:17 server-name charon: 08[KNL]   using replay window of 32 packets
Mar 17 12:41:17 server-name charon: 08[KNL] adding SAD entry with SPI b74162a4 and reqid {1}
Mar 17 12:41:17 server-name charon: 08[KNL]   using encryption algorithm AES_CBC with key size 256
Mar 17 12:41:17 server-name charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Mar 17 12:41:17 server-name charon: 08[KNL]   using replay window of 0 packets
Mar 17 12:41:17 server-name charon: 08[KNL] adding policy 0.0.0.0/0 === 10.10.10.1/32 out [priority 391808, refcount 1]
Mar 17 12:41:17 server-name charon: 08[KNL] policy already exists, try to update it
Mar 17 12:41:17 server-name charon: 08[KNL] adding policy 10.10.10.1/32 === 0.0.0.0/0 in [priority 391808, refcount 1]
Mar 17 12:41:17 server-name charon: 08[KNL] policy already exists, try to update it
Mar 17 12:41:17 server-name charon: 08[KNL] adding policy 10.10.10.1/32 === 0.0.0.0/0 fwd [priority 391808, refcount 1]
Mar 17 12:41:17 server-name charon: 08[KNL] policy already exists, try to update it
Mar 17 12:41:17 server-name charon: 08[KNL] policy 0.0.0.0/0 === 10.10.10.1/32 out already exists, increasing refcount
Mar 17 12:41:17 server-name charon: 08[KNL] updating policy 0.0.0.0/0 === 10.10.10.1/32 out [priority 191808, refcount 2]
Mar 17 12:41:17 server-name charon: 08[KNL] getting a local address in traffic selector 0.0.0.0/0
Mar 17 12:41:17 server-name charon: 08[KNL] using host %any
Mar 17 12:41:17 server-name charon: 08[KNL] getting iface name for index 2
Mar 17 12:41:17 server-name charon: 08[KNL] using 172.26.0.1 as nexthop and eth0 as dev to reach MY.CLNT.IP.ADR/32
Mar 17 12:41:17 server-name charon: 08[KNL] installing route: 10.10.10.1/32 via 172.26.0.1 src %any dev eth0
Mar 17 12:41:17 server-name charon: 08[KNL] getting iface index for eth0
Mar 17 12:41:17 server-name charon: 08[KNL] policy 10.10.10.1/32 === 0.0.0.0/0 in already exists, increasing refcount
Mar 17 12:41:17 server-name charon: 08[KNL] updating policy 10.10.10.1/32 === 0.0.0.0/0 in [priority 191808, refcount 2]
Mar 17 12:41:17 server-name charon: 08[KNL] policy 10.10.10.1/32 === 0.0.0.0/0 fwd already exists, increasing refcount
Mar 17 12:41:17 server-name charon: 08[KNL] updating policy 10.10.10.1/32 === 0.0.0.0/0 fwd [priority 191808, refcount 2]
Mar 17 12:41:17 server-name charon: 08[IKE] CHILD_SA ikev2-pubkey{1} established with SPIs c6bcf84d_i b74162a4_o and TS 0.0.0.0/0 === 10.10.10.1/32
Mar 17 12:41:17 server-name charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
Mar 17 12:41:17 server-name charon: 08[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500] (2048 bytes)
Mar 17 12:41:17 server-name charon: 04[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500]
Mar 17 12:41:17 server-name charon: 08[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:17 server-name charon: 08[MGR] checkin of IKE_SA successful
Mar 17 12:41:37 server-name charon: 10[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:37 server-name charon: 10[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:41:37 server-name charon: 10[KNL] querying policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:41:37 server-name charon: 10[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:37 server-name charon: 10[MGR] checkin of IKE_SA successful
Mar 17 12:41:47 server-name dhclient[358]: PRC: Renewing lease on eth0.
Mar 17 12:41:47 server-name dhclient[358]: XMT: Renew on eth0, interval 9070ms.
Mar 17 12:41:47 server-name dhclient[358]: RCV: Reply message on eth0 from fe80::60:52ff:fe0a:c10e.
Mar 17 12:41:47 server-name charon: 11[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:47 server-name charon: 11[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:41:47 server-name charon: 11[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:47 server-name charon: 11[MGR] checkin of IKE_SA successful
Mar 17 12:41:47 server-name charon: 12[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:47 server-name charon: 12[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:41:47 server-name charon: 12[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:41:47 server-name charon: 12[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:41:47 server-name charon: 12[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:47 server-name charon: 12[MGR] checkin of IKE_SA successful
Mar 17 12:41:56 server-name charon: 13[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:56 server-name charon: 13[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:41:56 server-name charon: 13[KNL] querying policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:41:56 server-name charon: 13[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:56 server-name charon: 13[MGR] checkin of IKE_SA successful
...
Mar 17 12:49:35 server-name charon: 16[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:35 server-name charon: 16[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:35 server-name charon: 16[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:49:35 server-name charon: 16[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:49:35 server-name charon: 16[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:35 server-name charon: 16[MGR] checkin of IKE_SA successful
Mar 17 12:49:51 server-name charon: 05[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:51 server-name charon: 05[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:51 server-name charon: 05[KNL] querying policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:49:51 server-name charon: 05[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:51 server-name charon: 05[MGR] checkin of IKE_SA successful
Mar 17 12:49:55 server-name charon: 06[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:55 server-name charon: 06[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:55 server-name charon: 06[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:49:55 server-name charon: 06[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:49:55 server-name charon: 06[IKE] sending DPD request
Mar 17 12:49:55 server-name charon: 06[IKE] queueing IKE_DPD task
Mar 17 12:49:55 server-name charon: 06[IKE] activating new tasks
Mar 17 12:49:55 server-name charon: 06[IKE]   activating IKE_DPD task
Mar 17 12:49:55 server-name charon: 06[ENC] generating INFORMATIONAL request 0 [ ]
Mar 17 12:49:55 server-name charon: 06[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500] (80 bytes)
Mar 17 12:49:55 server-name charon: 06[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:55 server-name charon: 06[MGR] checkin of IKE_SA successful
Mar 17 12:49:55 server-name charon: 04[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500]
Mar 17 12:49:55 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500]
Mar 17 12:49:55 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:49:55 server-name charon: 07[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:55 server-name charon: 07[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:55 server-name charon: 07[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500] (80 bytes)
Mar 17 12:49:55 server-name charon: 07[ENC] parsed INFORMATIONAL response 0 [ ]
Mar 17 12:49:55 server-name charon: 07[IKE] activating new tasks
Mar 17 12:49:55 server-name charon: 07[IKE] nothing to initiate
Mar 17 12:49:55 server-name charon: 07[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:55 server-name charon: 07[MGR] checkin of IKE_SA successful
Mar 17 12:49:57 server-name dhclient[358]: PRC: Renewing lease on eth0.
Mar 17 12:49:57 server-name dhclient[358]: XMT: Renew on eth0, interval 10290ms.
Mar 17 12:49:57 server-name dhclient[358]: RCV: Reply message on eth0 from fe80::60:52ff:fe0a:c10e.
Mar 17 12:49:59 server-name charon: 09[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:59 server-name charon: 09[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:59 server-name charon: 09[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:59 server-name charon: 09[MGR] checkin of IKE_SA successful
Mar 17 12:50:00 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500]
Mar 17 12:50:00 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:50:00 server-name charon: 08[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:50:00 server-name charon: 08[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:50:00 server-name charon: 08[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500] (80 bytes)
Mar 17 12:50:00 server-name charon: 08[ENC] parsed INFORMATIONAL request 2 [ D ]
Mar 17 12:50:00 server-name charon: 08[IKE] received DELETE for ESP CHILD_SA with SPI b74162a4
Mar 17 12:50:00 server-name charon: 08[KNL] querying SAD entry with SPI c6bcf84d
Mar 17 12:50:00 server-name charon: 08[KNL] querying SAD entry with SPI b74162a4
Mar 17 12:50:00 server-name charon: 08[IKE] closing CHILD_SA ikev2-pubkey{1} with SPIs c6bcf84d_i (1148939 bytes) b74162a4_o (21040410 bytes) and TS 0.0.0.0/0 === 10.10.10.1/32
Mar 17 12:50:00 server-name charon: 08[IKE] sending DELETE for ESP CHILD_SA with SPI c6bcf84d
Mar 17 12:50:00 server-name charon: 08[IKE] CHILD_SA closed
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:50:00 server-name charon: 08[KNL] policy still used by another CHILD_SA, not removed
Mar 17 12:50:00 server-name charon: 08[KNL] updating policy 0.0.0.0/0 === 10.10.10.1/32 out [priority 391808, refcount 1]
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:50:00 server-name charon: 08[KNL] policy still used by another CHILD_SA, not removed
Mar 17 12:50:00 server-name charon: 08[KNL] updating policy 10.10.10.1/32 === 0.0.0.0/0 in [priority 391808, refcount 1]
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:50:00 server-name charon: 08[KNL] policy still used by another CHILD_SA, not removed
Mar 17 12:50:00 server-name charon: 08[KNL] updating policy 10.10.10.1/32 === 0.0.0.0/0 fwd [priority 391808, refcount 1]
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:50:00 server-name charon: 08[KNL] getting iface index for eth0
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:50:00 server-name charon: 08[KNL] deleting SAD entry with SPI c6bcf84d
Mar 17 12:50:00 server-name charon: 08[KNL] deleted SAD entry with SPI c6bcf84d
Mar 17 12:50:00 server-name charon: 08[KNL] deleting SAD entry with SPI b74162a4
Mar 17 12:50:00 server-name charon: 08[KNL] deleted SAD entry with SPI b74162a4
Mar 17 12:50:00 server-name charon: 08[ENC] generating INFORMATIONAL response 2 [ D ]
Mar 17 12:50:00 server-name charon: 08[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500] (80 bytes)
Mar 17 12:50:00 server-name charon: 08[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:50:00 server-name charon: 08[MGR] checkin of IKE_SA successful
Mar 17 12:50:00 server-name charon: 04[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500]
Mar 17 12:50:00 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500]
Mar 17 12:50:00 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:50:00 server-name charon: 11[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:50:00 server-name charon: 11[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:50:00 server-name charon: 11[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500] (80 bytes)
Mar 17 12:50:00 server-name charon: 11[ENC] parsed INFORMATIONAL request 3 [ D ]
Mar 17 12:50:00 server-name charon: 11[IKE] received DELETE for IKE_SA ikev2-pubkey[1]
Mar 17 12:50:00 server-name charon: 11[IKE] deleting IKE_SA ikev2-pubkey[1] between INT.SRVR.IP.ADR[EXT.SRVR.IP.ADR]...MY.CLNT.IP.ADR[CN=me]
Mar 17 12:50:00 server-name charon: 11[IKE] IKE_SA ikev2-pubkey[1] state change: ESTABLISHED => DELETING
Mar 17 12:50:00 server-name charon: 11[IKE] IKE_SA deleted
Mar 17 12:50:00 server-name charon: 11[ENC] generating INFORMATIONAL response 3 [ ]
Mar 17 12:50:00 server-name charon: 11[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500] (80 bytes)
Mar 17 12:50:00 server-name charon: 11[MGR] checkin and destroy IKE_SA ikev2-pubkey[1]
Mar 17 12:50:00 server-name charon: 11[IKE] IKE_SA ikev2-pubkey[1] state change: DELETING => DESTROYING
Mar 17 12:50:00 server-name charon: 11[CFG] lease 10.10.10.1 by 'CN=me' went offline
Mar 17 12:50:00 server-name charon: 11[MGR] checkin and destroy of IKE_SA successful

Windows 報告的連接屬性:

DataEncryption = Require maximum
PrerequisiteEntry = 
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = Machine Certificate 
Ipv4DefaultGateway = Yes
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = Yes
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags = Register primary domain suffix
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No
Mobility enabled for IKEv2 = Yes.
Dial-in User = admin
VpnStrategy = IKEv2

當連接被凍結(不通過流量)時,swanctl --list-sasreprts 如下

ikev2-pubkey: #1, ESTABLISHED, IKEv2, f77fbfbe7c371b32_i e0e250355a87db62_r*
  local  'EXT.SRVR.IP.ADR' @ INT.SRVR.IP.ADR[4500]
  remote 'CN=me' @ MY.CLNT.IP.ADR[4500] [10.10.10.1]
  AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
  established 287s ago
  ikev2-pubkey: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 287s ago
    in  ce57563f, 792014 bytes,  4493 packets,   150s ago
    out 6b24b7fd, 10904301 bytes, 10680 packets,     1s ago
    local  0.0.0.0/0
    remote 10.10.10.1/32

Windows 還顯示連接正常,事件查看器中沒有錯誤跡象,SEP 防火牆日誌中也沒有相關的阻止數據包。

伺服器:Debian 4.9.246-2,strongSwan 5.5.1。

客戶端:Windows 2008 R2、Agile VPN(通過連接屬性設置)

這種行為的原因可能是什麼以及如何解決?

我該怎麼做才能找出確切的原因?

如果有任何幫助,我將不勝感激。

**UPD1:**當傳出流量變得相對較高時,連接最常(或可能總是)凍結。例如,當我訪問 時speedtest.net,連接在嘗試測量上傳速度時凍結。

**UPD2:**其他設備在同一個本地網路上工作正常,在同一個路由器後面,NAT,ISP等。這清楚地表明問題只與使用W2k8的特定機器有關。機器上有 SEP 防火牆,但這不是罪魁禍首——關閉它不會影響行為。Strongswan也幾乎不相關,因為它是一個已經建立的凍結隧道。

原因是路由器的本地埠不太好。Wireshark 顯示本地乙太網中的大量數據包正在失去。簡單tcp的連接可以裸露,所以我看不到年久失修,但esp隧道一直在結冰。

我意識到這不是提供太多資訊的消息,但我把它放在這裡作為答案,以便其他可能遇到類似問題的人在簡單地更換路由器時不會浪費太多時間Google搜尋、學習手冊和檢查配置可能會解決問題。

引用自:https://serverfault.com/questions/1096450