VPN

IPsec tunnel will not stay up

  • December 2, 2016

I have configured a static IPsec tunnel between a Debian cloud server running strongSwan and a Juniper SRX 210. The tunnel comes up fine, but it never stays up for long, at most about 1 hour. I think this is because not much data passes through the tunnel and it times out.

strongSwan configuration:

# ipsec.conf - strongSwan IPsec configuration file

config setup

# Add connections here.
conn vpn.mydomain.com
   auto=start
   keyexchange=ikev2
   authby=secret
   ike=aes128-sha256-modp2048s256
   ikelifetime=3h
   esp=aes128-sha256
   left=AAA.BBB.CCC.DDD
   leftid=@reverser.mydomain.com
   leftsubnet=192.168.2.0/24
   leftsourceip=192.168.2.2
   right=vpn.mydomain.com
   rightid=@vpn.mydomain.com
   rightsubnet=192.168.1.0/24
   dpdaction=hold
   dpddelay=60
   dpdtimeout=500

SRX configuration (partial):

proposal ike-vpn-proposal {
   authentication-method pre-shared-keys;
   dh-group group24;
   authentication-algorithm sha-256;
   encryption-algorithm aes-128-cbc;
}
policy ike-vpn-policy {
   mode aggressive;
   proposals ike-vpn-proposal;
   pre-shared-key ascii-text "SECRET"; ## SECRET-DATA
}
gateway vpn-local-gw {
   ike-policy ike-vpn-policy;
   address AAA.BBB.CCC.DDD;
   dead-peer-detection {
       interval 10;
       threshold 3;
   }
   local-identity hostname vpn.mydomain.com;
   remote-identity hostname reverser.mydomain.com;
   external-interface fe-0/0/7.0;
   version v2-only;
}


proposal ipsec-vpn-proposal {
   protocol esp;
   authentication-algorithm hmac-sha-256-128;
   encryption-algorithm aes-128-cbc;
}
policy ipsec-vpn-policy {
   perfect-forward-secrecy {
       keys group24;
   }
   proposals ipsec-vpn-proposal;
}
vpn vpn {
   bind-interface st0.0;
   ike {
       gateway vpn-local-gw;
       proxy-identity {
           local 192.168.1.0/24;
           remote 192.168.2.0/24;
       }
       ipsec-policy ipsec-vpn-policy;
   }
   establish-tunnels immediately;
}


security-zone trust {
   host-inbound-traffic {
       system-services {
           all;
       }
       protocols {
           all;
       }
   }
   interfaces {
       vlan.100;
   }
}
security-zone untrust {
   screen untrust-screen;
   interfaces {
       fe-0/0/7.0 {
           host-inbound-traffic {
               system-services {
                   dhcp;
                   ike;
               }
           }
       }
   }
}
security-zone vpn {
   interfaces {
       st0.0;
   }
}

SRX IKE and IPsec status:

root@dravis> show security ike security-associations
Index   State  Initiator cookie  Responder cookie  Mode           Remote Address
1402228 UP     3551524e1af4a5e3  9dbc38ed8519f12b  IKEv2          AAA.BBB.CCC.DDD

root@dravis> show security ipsec security-associations
 Total active tunnels: 0

root@dravis> show security ipsec inactive-tunnels
 Total inactive tunnels: 1
 Total inactive tunnels with establish immediately: 1
 ID     Port  Nego#  Fail#  Flag      Gateway          Tunnel Down Reason
 131073 500   8      0      600a29    AAA.BBB.CCC.DDD  Delete payload received

strongSwan status:

Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):
 uptime: 92 days, since Aug 24 17:41:13 2016
 malloc: sbrk 1495040, mmap 0, used 312800, free 1182240
 worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
 loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
 AAA.BBB.CCC.DDD
 10.10.0.5
 192.168.2.2
Connections:
vpn.mydomain.com:  AAA.BBB.CCC.DDD...vpn.mydomain.com  IKEv2
vpn.mydomain.com:   local:  [reverser.mydomain.com] uses pre-shared key authentication
vpn.mydomain.com:   remote: [vpn.mydomain.com] uses pre-shared key authentication
vpn.mydomain.com:   child:  192.168.2.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
vpn.mydomain.com[941]: ESTABLISHED 2 hours ago, AAA.BBB.CCC.DDD[reverser.mydomain.com]...EEE.FFF.GGG.HHH[vpn.mydomain.com]
vpn.mydomain.com[941]: IKEv2 SPIs: e3a5f41a4e525135_i 2bf11985ed38bc9d_r*, pre-shared key reauthentication in 15 minutes
vpn.mydomain.com[941]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256

I believe I resolved this by setting explicit rekey intervals on both sides - IKE 3 hours, IPsec 12 hours.

I don't know why this fixed it, which worries me, but the tunnel has now been running for several days without any problems.

Quoted from: https://serverfault.com/questions/817109
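As an added example (not from the post above or from either vendor), the following script computes when strongSwan will actually start rekeying from the ipsec.conf lifetime settings and compares that to the peer's hard lifetime, so the two sides' intervals can be checked on paper before relying on an "explicit rekey intervals on both sides" fix. The rekey formula is the one documented in ipsec.conf(5); the Junos default lifetime-seconds values used as peer input (3600 IPsec, 28800 IKE) are assumptions to be confirmed against the SRX configuration.

```python
# Added example: strongSwan rekey window calculator. Not code from the post.
# ipsec.conf(5): rekeying starts at
#   lifetime - margintime - random(0, margintime * rekeyfuzz / 100)
# and the SA is deleted at the hard lifetime if no rekey has happened.
# The peer (SRX) is modelled only by its configured hard lifetime (lifetime-seconds);
# its own soft-rekey behaviour is deliberately not modelled (assumption).
from dataclasses import dataclass


@dataclass(frozen=True)
class RekeyWindow:
    earliest: int  # seconds after SA setup at which strongSwan may start rekeying
    latest: int    # latest moment at which rekeying starts
    hard: int      # hard lifetime in seconds


def parse_duration(value: str) -> int:
    """Parse strongSwan-style durations ('3h', '9m', '500', '12h') into seconds."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    if value[-1].isdigit():
        return int(value)
    return int(value[:-1]) * units[value[-1]]


def strongswan_window(lifetime: str, margintime: str = "9m", rekeyfuzz: int = 100) -> RekeyWindow:
    """Rekey window for one strongSwan SA; defaults are strongSwan's own (9m, 100%)."""
    life, margin = parse_duration(lifetime), parse_duration(margintime)
    fuzz = margin * rekeyfuzz // 100
    earliest = life - margin - fuzz
    if earliest <= 0:
        raise ValueError("lifetime must exceed margintime * (1 + rekeyfuzz/100)")
    return RekeyWindow(earliest, life - margin, life)


def margin_before_peer_expiry(local: RekeyWindow, peer_hard_seconds: int) -> int:
    """Seconds between strongSwan's latest rekey start and the peer's hard lifetime.
    A negative value means the peer can delete the SA before strongSwan ever rekeys."""
    return peer_hard_seconds - local.latest


if __name__ == "__main__":
    # Settings from the post: lifetime left at the 1h default, ikelifetime=3h.
    child, ike = strongswan_window("1h"), strongswan_window("3h")
    print(f"CHILD_SA rekey between {child.earliest}s and {child.latest}s, hard {child.hard}s")
    print(f"IKE_SA   rekey between {ike.earliest}s and {ike.latest}s, hard {ike.hard}s")
    # Assumed Junos defaults for the peer: 3600s IPsec proposal, 28800s IKE proposal.
    print("margin vs SRX IPsec lifetime:", margin_before_peer_expiry(child, 3600))
    print("margin vs SRX IKE lifetime:  ", margin_before_peer_expiry(ike, 28800))
    # The fix from the post: explicit 12h IPsec lifetime on both sides.
    print("margin after fix (12h/12h):  ", margin_before_peer_expiry(strongswan_window("12h"), 12 * 3600))
```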