Networking
strongSwan IPsec tunnel is not re-established properly. Why does DPD keep going?
I have an IPsec tunnel between two machines; one of them (the initiator) has two interfaces (data0 and data1). The data0 interface has a metric of 100 and data1 a metric of 70, so data1 is used when the connection is first created because it has the better metric.
After the connection is established and I remove the IP from the data1 interface, the connection should be re-established with a new CHILD_SA and a new virtual IP using the data0 interface.
But that doesn't happen. What happens is that the data0 interface tries to keep the first CHILD_SA alive, sending DPD requests indefinitely.
How do I get the CHILD_SA to close and a new one created that uses the data0 interface?
data0 - 10.3.219.27/16
data1 - 10.3.219.28/16
initiator's vti0 ip: 173.164.0.1
responder's vti0 ip: 192.168.169.1
Initiator's DPD and rekeying configuration:
version=1
keyingtries=0
aggressive=no
dpd_delay=10
dpd_timeout=50
policies=yes
dpd_action=restart
close_action=start
journalctl log on pastecode: https://pastecode.xyz/view/3f89dfdd
ipsec statusall before I bring the interface down:
Listening IP addresses:
  10.3.219.27
  10.3.219.28
  173.164.0.1
Connections:
   conn-vti0:  0.0.0.0...94.26.49.38  IKEv1, dpddelay=10s
   conn-vti0:   local:  [tve53] uses pre-shared key authentication
   conn-vti0:   local:  [loc-2] uses XAuth authentication: any with XAuth identity 'config4'
   conn-vti0:   remote: [fortinetconfig4] uses pre-shared key authentication
     ch_vti0:   child:  dynamic === 192.168.169.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
   conn-vti0[80]: ESTABLISHED 15 minutes ago, 10.3.219.28[tve53]...94.26.49.38[fortinetconfig4]
   conn-vti0[80]: IKEv1 SPIs: ac8dfb7c5f24676a_i* 1fc2d2d23231b5ed_r, rekeying in 3 hours
   conn-vti0[80]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
     ch_vti0{51}:  INSTALLED, TUNNEL, reqid 32, ESP in UDP SPIs: c44c6569_i bda13b22_o
     ch_vti0{51}:  AES_CBC_128/HMAC_SHA2_256_128/ECP_384_BP, 4276555 bytes_i (9500 pkts, 0s ago), 1913489 bytes_o (8751 pkts, 0s ago), rekeying in 39 minutes
     ch_vti0{51}:   173.164.0.1/32 === 192.168.169.0/24
ipsec statusall after I do that:
Listening IP addresses:
  10.3.219.27
  173.164.0.1
Connections:
   conn-vti0:  0.0.0.0...94.26.49.38  IKEv1, dpddelay=10s
   conn-vti0:   local:  [tve53] uses pre-shared key authentication
   conn-vti0:   local:  [loc-2] uses XAuth authentication: any with XAuth identity 'config4'
   conn-vti0:   remote: [fortinetconfig4] uses pre-shared key authentication
     ch_vti0:   child:  dynamic === 192.168.169.0/24 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
   conn-vti0[81]: ESTABLISHED 8 seconds ago, 10.3.219.27[tve53]...94.26.49.38[fortinetconfig4]
   conn-vti0[81]: IKEv1 SPIs: 8425e35cef48f8b5_i* 490188becb87d6ad_r, rekeying in 3 hours
   conn-vti0[81]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
     ch_vti0{51}:  INSTALLED, TUNNEL, reqid 32, ESP in UDP SPIs: c44c6569_i bda13b22_o
     ch_vti0{51}:  AES_CBC_128/HMAC_SHA2_256_128/ECP_384_BP, 7958755 bytes_i (17317 pkts, 9s ago), 3480780 bytes_o (15870 pkts, 9s ago), rekeying in 24 minutes
     ch_vti0{51}:   173.164.0.1/32 === 192.168.169.0/24
   conn-vti0[80]: REKEYING, 10.3.219.27[tve53]...94.26.49.38[fortinetconfig4]
   conn-vti0[80]: IKEv1 SPIs: ac8dfb7c5f24676a_i* 1fc2d2d23231b5ed_r
   conn-vti0[80]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
When you want failover across WAN connections, you need to configure the interfaces with the correct metric/priority and then switch manually, or implement automatic switching based on a ping/HTTP connect check... You also need suitable static routes.
When interface data1 fails, both the IPv4 and IPv6 IPs must be switched/updated:
ip a (newer tool)
ifconfig -a (older tool)
And the routes also need to change so that traffic uses data0. Check:
ip r (using the newer ip tool)
route -n (older command)
In particular, check for any remaining IPs, for instance IPv6 IPs, even when the IPv4 IP is already gone.
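The two checks the answer recommends, leftover addresses on the failed interface (IPv6 included) and which interface the default route now leaves through, scripted as an added example that is not part of the original question or answer. It parses `ip -o addr show` and `ip -o route show` output with awk; the sample outputs embedded below are constructed to mirror the addresses in the question, and the gateway 10.3.0.1 and the IPv6 address fd00:3:219::28/64 are assumptions, not values from the page. Without the sample arguments the functions read the live `ip` tool on the host.

```shell
#!/bin/sh
# Added example: leftover-address and route checks for a two-interface
# failover host. All sample data below is constructed; the functions fall
# back to the live `ip` tool when no INPUT argument is supplied.

# Constructed `ip -o addr show` output: data1 has lost its IPv4 address but
# still carries a global IPv6 address, the leftover the answer warns about.
SAMPLE_ADDR_BEFORE='1: lo    inet 127.0.0.1/8 scope host lo
2: data0    inet 10.3.219.27/16 brd 10.3.255.255 scope global data0
2: data0    inet6 fe80::1/64 scope link
3: data1    inet6 fd00:3:219::28/64 scope global data1
3: data1    inet6 fe80::2/64 scope link
4: vti0    inet 173.164.0.1/32 scope global vti0'

# Same host after the global IPv6 address was removed from data1 as well.
SAMPLE_ADDR_AFTER='1: lo    inet 127.0.0.1/8 scope host lo
2: data0    inet 10.3.219.27/16 brd 10.3.255.255 scope global data0
2: data0    inet6 fe80::1/64 scope link
3: data1    inet6 fe80::2/64 scope link
4: vti0    inet 173.164.0.1/32 scope global vti0'

# Constructed `ip -o route show` output with both default routes present
# (data1 wins on metric 70), and after the data1 routes were withdrawn.
SAMPLE_ROUTE_BEFORE='default via 10.3.0.1 dev data1 proto static metric 70
default via 10.3.0.1 dev data0 proto static metric 100
10.3.0.0/16 dev data1 proto kernel scope link src 10.3.219.28 metric 70
10.3.0.0/16 dev data0 proto kernel scope link src 10.3.219.27 metric 100
192.168.169.0/24 dev vti0 scope link'
SAMPLE_ROUTE_AFTER='default via 10.3.0.1 dev data0 proto static metric 100
10.3.0.0/16 dev data0 proto kernel scope link src 10.3.219.27 metric 100
192.168.169.0/24 dev vti0 scope link'

# leftover_addrs IFACE [FAMILY] [INPUT]
# Prints "family address/prefix" for every address still configured on IFACE.
# FAMILY is inet, inet6 or all (default); INPUT defaults to live `ip -o addr show`.
leftover_addrs() {
    iface=$1
    family=${2:-all}
    input=${3:-$(ip -o addr show 2>/dev/null)}
    printf '%s\n' "$input" | awk -v ifc="$iface" -v fam="$family" '
        $2 == ifc && (fam == "all" || $3 == fam) { print $3, $4 }'
}

# iface_is_clean IFACE [INPUT]
# Returns 0 when IFACE has no global address left. Link-local IPv6 (fe80::/10)
# is ignored because the kernel keeps it as long as the link is up.
iface_is_clean() {
    if leftover_addrs "$1" all "$2" | grep -v ' fe80:' | grep -q .; then
        return 1
    fi
    return 0
}

# best_route_dev DST [INPUT]
# Prints the outgoing device of the lowest-metric route for DST (e.g. "default");
# routes without an explicit metric count as metric 0, as the kernel does.
best_route_dev() {
    input=${2:-$(ip -o route show 2>/dev/null)}
    printf '%s\n' "$input" | awk -v dst="$1" '
        $1 == dst {
            dev = ""; metric = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "dev")    dev = $(i + 1)
                if ($i == "metric") metric = $(i + 1) + 0
            }
            if (best == "" || metric < bestm) { best = dev; bestm = metric }
        }
        END { if (best != "") print best }'
}

# failover_ready FAILED_IFACE BACKUP_IFACE [ADDR_INPUT] [ROUTE_INPUT]
# Returns 0 only when the failed interface is fully cleared and the default
# route now leaves via the backup interface; prints what is still wrong otherwise.
failover_ready() {
    ok=0
    if ! iface_is_clean "$1" "$3"; then
        echo "$1 still has addresses:"; leftover_addrs "$1" all "$3"; ok=1
    fi
    dev=$(best_route_dev default "$4")
    if [ "$dev" != "$2" ]; then
        echo "default route still uses '${dev:-none}', expected $2"; ok=1
    fi
    return $ok
}

# Run against the constructed samples; drop the sample arguments to check a live host.
failover_ready data1 data0 "$SAMPLE_ADDR_BEFORE" "$SAMPLE_ROUTE_BEFORE" || echo "not ready yet"
failover_ready data1 data0 "$SAMPLE_ADDR_AFTER" "$SAMPLE_ROUTE_AFTER" && echo "data0 is now the active path"
```

On the "before" sample the script reports the stale fd00:3:219::28/64 address and the default route still pointing at data1, which is exactly the state in which strongSwan's restart action has nothing new to bind to; only once both checks pass is it worth expecting the new IKE_SA and CHILD_SA to come up on data0.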