Networking

Strongswan IPsec tunnel does not rebuild properly. Why does DPD keep going?

  • October 2, 2019

I have an IPsec tunnel between two machines, one of which (the initiator) has two interfaces (data0 and data1). The data0 interface has a metric of 100 and data1 a metric of 70, so the data1 interface is used when the connection is first created because it has the better metric.

After the connection is established and I remove the IP from the data1 interface, the connection should be re-established with a new CHILD_SA and a new virtual IP that uses the data0 interface.

But this does not happen. What happens is that the data0 interface tries to keep the first CHILD_SA alive, sending DPD requests indefinitely.

How can I make the CHILD_SA close and have a new one created that uses the data0 interface?

data0 - 10.3.219.27/16
data1 - 10.3.219.28/16
initiator's vti0 ip: 173.164.0.1
responder's vti0 ip: 192.168.169.1

The initiator's DPD and rekeying configuration:

version=1
keyingtries=0
aggressive=no
dpd_delay=10
dpd_timeout=50
policies=yes
dpd_action=restart
close_action=start

Journalctl log paste: https://pastecode.xyz/view/3f89dfdd

ipsec statusall before I take the interface down:

Listening IP addresses:
 10.3.219.27
 10.3.219.28
 173.164.0.1
Connections:
  conn-vti0:  0.0.0.0...94.26.49.38  IKEv1, dpddelay=10s
  conn-vti0:   local:  [tve53] uses pre-shared key authentication
  conn-vti0:   local:  [loc-2] uses XAuth authentication: any with XAuth identity 'config4'
  conn-vti0:   remote: [fortinetconfig4] uses pre-shared key authentication
    ch_vti0:   child:  dynamic === 192.168.169.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  conn-vti0[80]: ESTABLISHED 15 minutes ago, 10.3.219.28[tve53]...94.26.49.38[fortinetconfig4]
  conn-vti0[80]: IKEv1 SPIs: ac8dfb7c5f24676a_i* 1fc2d2d23231b5ed_r, rekeying in 3 hours
  conn-vti0[80]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
    ch_vti0{51}:  INSTALLED, TUNNEL, reqid 32, ESP in UDP SPIs: c44c6569_i bda13b22_o
    ch_vti0{51}:  AES_CBC_128/HMAC_SHA2_256_128/ECP_384_BP, 4276555 bytes_i (9500 pkts, 0s ago), 1913489 bytes_o (8751 pkts, 0s ago), rekeying in 39 minutes
    ch_vti0{51}:   173.164.0.1/32 === 192.168.169.0/24

ipsec statusall after I do so:

Listening IP addresses:
 10.3.219.27
 173.164.0.1
Connections:
  conn-vti0:  0.0.0.0...94.26.49.38  IKEv1, dpddelay=10s
  conn-vti0:   local:  [tve53] uses pre-shared key authentication
  conn-vti0:   local:  [loc-2] uses XAuth authentication: any with XAuth identity 'config4'
  conn-vti0:   remote: [fortinetconfig4] uses pre-shared key authentication
    ch_vti0:   child:  dynamic === 192.168.169.0/24 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
  conn-vti0[81]: ESTABLISHED 8 seconds ago, 10.3.219.27[tve53]...94.26.49.38[fortinetconfig4]
  conn-vti0[81]: IKEv1 SPIs: 8425e35cef48f8b5_i* 490188becb87d6ad_r, rekeying in 3 hours
  conn-vti0[81]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
    ch_vti0{51}:  INSTALLED, TUNNEL, reqid 32, ESP in UDP SPIs: c44c6569_i bda13b22_o
    ch_vti0{51}:  AES_CBC_128/HMAC_SHA2_256_128/ECP_384_BP, 7958755 bytes_i (17317 pkts, 9s ago), 3480780 bytes_o (15870 pkts, 9s ago), rekeying in 24 minutes
    ch_vti0{51}:   173.164.0.1/32 === 192.168.169.0/24
  conn-vti0[80]: REKEYING, 10.3.219.27[tve53]...94.26.49.38[fortinetconfig4]
  conn-vti0[80]: IKEv1 SPIs: ac8dfb7c5f24676a_i* 1fc2d2d23231b5ed_r
  conn-vti0[80]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096

When you want to implement failover on a WAN connection, you need to configure the interfaces with the correct metric/priority and then switch manually, or implement an automatic switch based on a ping/HTTP connect check... and you also need suitable static routes.

When interface data1 fails, both the IPv4 and IPv6 IPs must be switched over/updated:

ip a (newer tool)
ifconfig -a (older tool)

and the routes also need to change so that traffic uses data0. Check with:

ip r (using newer ip tool)
route -n (older command)

Specifically, check for any leftover IP, for example an IPv6 address, even if the IPv4 IP is already gone.
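An added example (not from the question or the answer) of turning the checks above into a script: it parses `ip -o addr`, `ip route get <peer>` and `ipsec statusall` output and flags any IKE SA whose local address is no longer configured on the host, or differs from the source address the kernel now picks for the peer. The sample outputs are constructed; the 10.3.219.x and 94.26.49.38 values follow the question.

```shell
#!/bin/sh
# Added example, not from the original post. Detects IKE SAs that are still
# bound to an address the host has lost (the stale SA the question describes).

# Constructed: `ip -o -4 addr` after data1 lost its address (only data0 and vti0 left)
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: data0    inet 10.3.219.27/16 brd 10.3.255.255 scope global data0
4: vti0    inet 173.164.0.1/32 scope global vti0'

# Constructed: `ip route get 94.26.49.38`, the kernel now sources traffic from data0
SAMPLE_ROUTE='94.26.49.38 via 10.3.0.1 dev data0 src 10.3.219.27 uid 0
    cache'

# Constructed: IKE SA lines as `ipsec statusall` prints them; [80] still carries
# the address that belonged to data1
SAMPLE_SAS='  conn-vti0[81]: ESTABLISHED 8 seconds ago, 10.3.219.27[tve53]...94.26.49.38[fortinetconfig4]
  conn-vti0[80]: REKEYING, 10.3.219.28[tve53]...94.26.49.38[fortinetconfig4]'

# Print "name[id] local-address" for each IKE SA line in statusall output (arg 1)
sa_local_addrs() {
    printf '%s\n' "$1" | awk '/\[[0-9]+\]: (ESTABLISHED|REKEYING|CONNECTING)/ {
        sa = $1; sub(/:$/, "", sa)
        addr = $NF; sub(/\[.*/, "", addr)   # strip "[id]...peer[id]"
        print sa, addr }'
}

# Exit 0 if address (arg 1) is configured on some interface per `ip -o addr` output (arg 2)
host_has_addr() { printf '%s\n' "$2" | grep -Fq " $1/"; }

# Source address the kernel selects, taken from `ip route get` output (arg 1)
route_src() { printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++) if ($i == "src") print $(i+1) }'; }

# Print each SA bound to an address the host no longer owns, or to an address
# that is not the one the current route to the peer would use
stale_sas() {
    addr_out=$1; route_out=$2; sa_out=$3
    want=$(route_src "$route_out")
    sa_local_addrs "$sa_out" | while read -r sa local; do
        if ! host_has_addr "$local" "$addr_out"; then
            printf '%s %s missing-address\n' "$sa" "$local"
        elif [ "$local" != "$want" ]; then
            printf '%s %s not-route-source\n' "$sa" "$local"
        fi
    done
}

# Run against the constructed samples; prints: conn-vti0[80] 10.3.219.28 missing-address
stale_sas "$SAMPLE_ADDR" "$SAMPLE_ROUTE" "$SAMPLE_SAS"
```

On a live initiator the same function takes real output: `stale_sas "$(ip -o addr)" "$(ip route get 94.26.49.38)" "$(ipsec statusall)"`, and a non-empty result is the signal that the IKE SA has not followed the interface change.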

Quoted from: https://serverfault.com/questions/986464