Vpn
IPsec tunnel won't stay up
I have a static IPsec tunnel configured between a Debian cloud server running StrongSwan and a Juniper SRX 210. The tunnel comes up fine, but it never stays up for long, an hour or so at most. I think this is because not much data passes through the tunnel and it times out.
StrongSwan configuration:
```
# ipsec.conf - strongSwan IPsec configuration file

config setup

# Add connections here.
conn vpn.mydomain.com
    auto=start
    keyexchange=ikev2
    authby=secret
    ike=aes128-sha256-modp2048s256
    ikelifetime=3h
    # no DH group is listed in the ESP proposal, while the SRX ipsec-policy
    # below requires perfect-forward-secrecy group24 (PFS on CHILD_SA rekeys in
    # strongSwan is enabled by appending a DH group here)
    esp=aes128-sha256
    left=AAA.BBB.CCC.DDD
    leftid=@reverser.mydomain.com
    leftsubnet=192.168.2.0/24
    leftsourceip=192.168.2.2
    right=vpn.mydomain.com
    rightid=@vpn.mydomain.com
    rightsubnet=192.168.1.0/24
    dpdaction=hold
    dpddelay=60
    dpdtimeout=500
```
SRX configuration (partial):
```
proposal ike-vpn-proposal {
    authentication-method pre-shared-keys;
    dh-group group24;
    authentication-algorithm sha-256;
    encryption-algorithm aes-128-cbc;
}
policy ike-vpn-policy {
    mode aggressive;
    proposals ike-vpn-proposal;
    pre-shared-key ascii-text "SECRET"; ## SECRET-DATA
}
gateway vpn-local-gw {
    ike-policy ike-vpn-policy;
    address AAA.BBB.CCC.DDD;
    dead-peer-detection {
        interval 10;
        threshold 3;
    }
    local-identity hostname vpn.mydomain.com;
    remote-identity hostname reverser.mydomain.com;
    external-interface fe-0/0/7.0;
    version v2-only;
}
proposal ipsec-vpn-proposal {
    protocol esp;
    authentication-algorithm hmac-sha-256-128;
    encryption-algorithm aes-128-cbc;
}
policy ipsec-vpn-policy {
    perfect-forward-secrecy {
        keys group24;
    }
    proposals ipsec-vpn-proposal;
}
vpn vpn {
    bind-interface st0.0;
    ike {
        gateway vpn-local-gw;
        proxy-identity {
            local 192.168.1.0/24;
            remote 192.168.2.0/24;
        }
        ipsec-policy ipsec-vpn-policy;
    }
    establish-tunnels immediately;
}
security-zone trust {
    host-inbound-traffic {
        system-services {
            all;
        }
        protocols {
            all;
        }
    }
    interfaces {
        vlan.100;
    }
}
security-zone untrust {
    screen untrust-screen;
    interfaces {
        fe-0/0/7.0 {
            host-inbound-traffic {
                system-services {
                    dhcp;
                    ike;
                }
            }
        }
    }
}
security-zone vpn {
    interfaces {
        st0.0;
    }
}
```
SRX IKE and IPsec status:
```
root@dravis> show security ike security-associations
Index    State  Initiator cookie  Responder cookie  Mode   Remote Address
1402228  UP     3551524e1af4a5e3  9dbc38ed8519f12b  IKEv2  AAA.BBB.CCC.DDD

root@dravis> show security ipsec security-associations
  Total active tunnels: 0

root@dravis> show security ipsec inactive-tunnels
  Total inactive tunnels: 1
  Total inactive tunnels with establish immediately: 1
  ID      Port  Nego#  Fail#  Flag    Gateway          Tunnel Down Reason
  131073  500   8      0      600a29  AAA.BBB.CCC.DDD  Delete payload received
```
StrongSwan status:
```
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):
  uptime: 92 days, since Aug 24 17:41:13 2016
  malloc: sbrk 1495040, mmap 0, used 312800, free 1182240
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
  AAA.BBB.CCC.DDD
  10.10.0.5
  192.168.2.2
Connections:
vpn.mydomain.com:  AAA.BBB.CCC.DDD...vpn.mydomain.com  IKEv2
vpn.mydomain.com:   local:  [reverser.mydomain.com] uses pre-shared key authentication
vpn.mydomain.com:   remote: [vpn.mydomain.com] uses pre-shared key authentication
vpn.mydomain.com:   child:  192.168.2.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
vpn.mydomain.com[941]: ESTABLISHED 2 hours ago, AAA.BBB.CCC.DDD[reverser.mydomain.com]...EEE.FFF.GGG.HHH[vpn.mydomain.com]
vpn.mydomain.com[941]: IKEv2 SPIs: e3a5f41a4e525135_i 2bf11985ed38bc9d_r*, pre-shared key reauthentication in 15 minutes
vpn.mydomain.com[941]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256
```
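The two status dumps above agree on one thing worth checking for automatically: the IKE_SA is ESTABLISHED on both ends (2 hours old on the strongSwan side, UP on the SRX), but there is no IPsec SA under it, so the strongSwan output has no INSTALLED CHILD_SA line and the SRX reports 0 active tunnels with the down reason "Delete payload received". The script below is an added example, not code from the question or from either vendor: it parses `ipsec statusall` and `show security ipsec inactive-tunnels` text and flags exactly that "IKE up, IPsec gone" state. The sample texts are constructed from the outputs in the question (the healthy variant, with its SPIs and byte counters, is made up for contrast); the addresses are the question's placeholders.

```python
# Added example (not from the original post): flag an IKE_SA that is up without any
# installed CHILD_SA, the state both status outputs in the question show.
import re

# Constructed from the strongSwan `ipsec statusall` output in the post (abbreviated).
STRONGSWAN_STATUS = """\
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):
Security Associations (1 up, 0 connecting):
vpn.mydomain.com[941]: ESTABLISHED 2 hours ago, AAA.BBB.CCC.DDD[reverser.mydomain.com]...EEE.FFF.GGG.HHH[vpn.mydomain.com]
vpn.mydomain.com[941]: IKEv2 SPIs: e3a5f41a4e525135_i 2bf11985ed38bc9d_r*, pre-shared key reauthentication in 15 minutes
vpn.mydomain.com[941]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256
"""

# Constructed: the same connection with its CHILD_SA installed (strongSwan 5.x
# statusall layout; SPIs and counters are made up).
HEALTHY_STATUS = STRONGSWAN_STATUS + """\
vpn.mydomain.com{3}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f60718_o
vpn.mydomain.com{3}:  AES_CBC_128/HMAC_SHA2_256_128, 1234 bytes_i, 5678 bytes_o, rekeying in 11 hours
vpn.mydomain.com{3}:   192.168.2.0/24 === 192.168.1.0/24
"""

# Constructed from the SRX `show security ipsec inactive-tunnels` output in the post.
SRX_INACTIVE = """\
  Total inactive tunnels: 1
  Total inactive tunnels with establish immediately: 1
  ID      Port  Nego#  Fail#  Flag    Gateway          Tunnel Down Reason
  131073  500   8      0      600a29  AAA.BBB.CCC.DDD  Delete payload received
"""

# IKE_SA lines look like "conn[id]: STATE ...", CHILD_SA lines like "conn{id}: STATE ...".
# The state sets keep the "IKEv2 SPIs:" / "IKE proposal:" lines from being miscounted.
IKE_STATES = {"CONNECTING", "ESTABLISHED", "REKEYING", "DELETING", "PASSIVE"}
CHILD_STATES = {"CREATED", "ROUTED", "INSTALLING", "INSTALLED", "UPDATING",
                "REKEYING", "REKEYED", "DELETING"}
IKE_SA_RE = re.compile(r"^(?P<conn>[^\[\s]+)\[(?P<id>\d+)\]:\s+(?P<state>[A-Z_]+)")
CHILD_SA_RE = re.compile(r"^(?P<conn>[^{\s]+)\{(?P<id>\d+)\}:\s+(?P<state>[A-Z_]+)")


def parse_statusall(text):
    """Collect IKE_SA and CHILD_SA states per connection from `ipsec statusall` output."""
    sas = {}
    for line in text.splitlines():
        m = IKE_SA_RE.match(line)
        if m and m["state"] in IKE_STATES:
            sas.setdefault(m["conn"], {"ike": [], "child": []})["ike"].append(m["state"])
            continue
        m = CHILD_SA_RE.match(line)
        if m and m["state"] in CHILD_STATES:
            sas.setdefault(m["conn"], {"ike": [], "child": []})["child"].append(m["state"])
    return sas


def find_orphaned_ike_sas(text):
    """Connections with an ESTABLISHED IKE_SA but no INSTALLED CHILD_SA (the post's symptom)."""
    return sorted(conn for conn, s in parse_statusall(text).items()
                  if "ESTABLISHED" in s["ike"] and "INSTALLED" not in s["child"])


def srx_down_reasons(text):
    """Map tunnel ID -> 'Tunnel Down Reason' from `show security ipsec inactive-tunnels`."""
    reasons, in_table = {}, False
    for line in text.splitlines():
        if line.split()[:2] == ["ID", "Port"]:
            in_table = True          # header row; data rows follow
            continue
        parts = line.split(None, 6)  # the reason column may itself contain spaces
        if in_table and len(parts) == 7 and parts[0].isdigit():
            reasons[int(parts[0])] = parts[6].strip()
    return reasons


if __name__ == "__main__":
    for conn in find_orphaned_ike_sas(STRONGSWAN_STATUS):
        print(f"strongSwan: {conn}: IKE_SA established but no CHILD_SA installed")
    for tid, why in srx_down_reasons(SRX_INACTIVE).items():
        print(f"SRX: tunnel {tid} inactive: {why}")
```

Run periodically (cron or a monitoring agent) against the live `ipsec statusall` output, this turns the silent failure in the question into an alert at the moment the CHILD_SA disappears, rather than when someone notices traffic has stopped; the SRX side gives the peer's view of why.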
I believe I solved this by setting explicit rekey intervals on both sides: 3 hours for IKE and 12 hours for IPsec.
I don't know why this fixed it, which worries me, but the tunnel has now been up for several days without any problems.
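The answer gives the intervals but not where they go on each side, and the question's configuration sets neither: with nothing explicit, strongSwan's IPsec SA lifetime defaults to 1 hour (`lifetime`, with `margintime` 3m and `rekeyfuzz` 100%) and the SRX IPsec proposal's `lifetime-seconds` defaults to 3600, so both peers try to rekey the CHILD_SA around the hour mark, the same horizon the question observed. The script below is an added example, not code from the answer or from either vendor: it computes strongSwan's soft-rekey window from a lifetime and emits the matching ipsec.conf lines and Junos `set` commands. It assumes strongSwan's documented defaults for margin and fuzz, reuses the proposal names from the question, and takes the Junos `lifetime-seconds` range as 180..86400 for both proposal types (an assumption, checked but not sourced from the page). With the default `reauth=yes`, strongSwan re-authenticates at `ikelifetime` (as the "pre-shared key reauthentication in 15 minutes" line above shows) instead of rekeying in place; the window arithmetic is the same.

```python
# Added example (not from the original post): explicit IKE/IPsec lifetimes for both
# peers plus strongSwan's actual rekey window. Assumptions: strongSwan defaults
# margintime=3m, rekeyfuzz=100%; Junos lifetime-seconds range 180..86400.

def strongswan_rekey_window(lifetime_s, margin_s=180, fuzz_pct=100):
    """strongSwan starts a rekey margintime*(1 + r) before the hard expiry, with r drawn
    uniformly from 0..rekeyfuzz/100.  Returns (earliest, latest, hard_expiry) in seconds."""
    latest = lifetime_s - margin_s
    earliest = lifetime_s - margin_s * (100 + fuzz_pct) // 100
    if earliest <= 0:
        raise ValueError("margintime * (1 + rekeyfuzz) must be smaller than the lifetime")
    return earliest, latest, lifetime_s


def _ipsec_conf_time(seconds):
    """ipsec.conf accepts s/m/h suffixes; prefer whole hours for readability."""
    return f"{seconds // 3600}h" if seconds % 3600 == 0 else f"{seconds}s"


def rekey_plan(ike_s, ipsec_s, ike_proposal="ike-vpn-proposal",
               ipsec_proposal="ipsec-vpn-proposal", margin_s=180, fuzz_pct=100):
    """Matching lifetime knobs for both peers and strongSwan's rekey windows."""
    for name, value in (("IKE", ike_s), ("IPsec", ipsec_s)):
        if not 180 <= value <= 86400:   # assumed Junos lifetime-seconds range
            raise ValueError(f"{name} lifetime {value}s is outside 180..86400")
    return {
        # ipsec.conf, inside the conn section (lifetime is the CHILD_SA / IPsec SA)
        "strongswan": [
            f"ikelifetime={_ipsec_conf_time(ike_s)}",
            f"lifetime={_ipsec_conf_time(ipsec_s)}",
            f"margintime={margin_s}s",
            f"rekeyfuzz={fuzz_pct}%",
        ],
        # Junos: lifetimes live on the proposals, not the policies
        "srx": [
            f"set security ike proposal {ike_proposal} lifetime-seconds {ike_s}",
            f"set security ipsec proposal {ipsec_proposal} lifetime-seconds {ipsec_s}",
        ],
        "ike_rekey_window": strongswan_rekey_window(ike_s, margin_s, fuzz_pct),
        "ipsec_rekey_window": strongswan_rekey_window(ipsec_s, margin_s, fuzz_pct),
    }


if __name__ == "__main__":
    plan = rekey_plan(3 * 3600, 12 * 3600)   # the intervals from the answer
    print("# ipsec.conf (conn vpn.mydomain.com):")
    print("\n".join("    " + line for line in plan["strongswan"]))
    print("# SRX:")
    print("\n".join(plan["srx"]))
    lo, hi, hard = plan["ipsec_rekey_window"]
    print(f"# strongSwan rekeys the IPsec SA between {lo}s and {hi}s, hard expiry at {hard}s")
```

The useful check is the last line: strongSwan always rekeys a few minutes before its own hard expiry, so when both peers run the same `lifetime-seconds`, each side's soft rekey lands before the other side's hard expiry and neither deletes an SA the other still expects to be there. If the peer's lifetime is shorter than the earliest value in the window, the peer acts first, and any disagreement over the rekey proposal (for instance a DH group present on one side only) shows up as exactly the "Delete payload received" seen in the question's SRX output.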