IPsec tunnel mode - ping stops working after 15 minutes without traffic

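I have an IPsec (tunnel mode) connection where, after about 15 minutes without traffic, ping stops working, and it only recovers when a ping is initiated from the other end.

The setup consists of two routers running Linux Openswan 1.5.13-6-g96f6187-dirty (klips).

Below are the configuration and logs from when it works and when it does not.

I am still fairly new to IPsec. I tried enabling rekeying and compression, without success. iptables looks exactly the same when ping works and when it stops working.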

Device_1

config setup
        interfaces="ipsec0=wwan0"
        klipsdebug=all
        plutodebug=all
        plutostderrlog=/var/logs/ipsecerr.log
        uniqueids=no
        protostack=klips

conn %default
        keyingtries=0
        authby=secret
        connaddrfamily=ipv4
        type=tunnel
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        compress=no
        rekey=no
        auto=start
        leftupdown="ipsec _updown"

conn remote
        leftid=@Device_1
        left=82.79.119.159
        leftsubnet=10.0.0.0/24
        leftsourceip=10.0.0.250
        #leftnexthop=
        rightid=@Device_2
        right=82.79.119.160
        rightsubnet=10.0.1.5/24
        #rightsourceip=
        #rightnexthop=
        auto=start

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

conn OEself
        auto=ignore

Device_2

config setup
        interfaces="ipsec0=wwan0"
        klipsdebug=all
        plutodebug=all
        plutostderrlog=/var/logs/ipsecerr.log
        uniqueids=no
        protostack=klips

conn %default
        keyingtries=0
        authby=secret
        connaddrfamily=ipv4
        type=tunnel
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        compress=no
        rekey=no
        auto=start
        leftupdown="ipsec _updown"

conn remote
        leftid=@Device_2
        left=82.79.119.160
        leftsubnet=10.0.1.0/24
        leftsourceip=10.0.1.250
        #leftnexthop=
        rightid=@Device_1
        right=82.79.119.159
        rightsubnet=10.0.0.5/24
        #rightsourceip=
        #rightnexthop=
        auto=start

conn block
        auto=ignore

conn private
        auto=ignore

conn private-or-clear
        auto=ignore

conn clear-or-private
        auto=ignore

conn clear
        auto=ignore

conn packetdefault
        auto=ignore

conn OEself
        auto=ignore

Logs

When ping works:

ipsec_tunnel_start_xmit: STARTING
klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=98 hard_header_len:14 aa:92:55:00:cc:e5:aa:92:55:00:cc:e5:08:00
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 34,28
klips_debug:ipsec_findroute: 10.0.0.5:0->10.0.1.5:0 1
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE, udp/4500 NAT-T, ESP or AH packets saddr=10.0.0.5, er=0pc31f8be0, daddr=10.0.1.5, er_dst=524f77a0, proto=1 sport=0 dport=0
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=234 of SA:[email protected] requested.
ipsec_sa_get: ipsec_sa c319a400 SA:[email protected], ref:12 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_xmit_init2: found ipsec_sa -- SA:<IPIP> [email protected]
klips_debug:ipsec_xmit_init2: calling room for <IPIP>, SA:[email protected]
klips_debug:ipsec_xmit_init2: Required head,tailroom: 20,0
klips_debug:ipsec_xmit_init2: calling room for <COMP_DEFLATE>, SA:[email protected]
klips_debug:ipsec_xmit_init2: Required head,tailroom: 0,0
klips_debug:ipsec_xmit_init2: calling room for <ESP_AES_HMAC_SHA1>, SA:[email protected]
klips_debug:ipsec_xmit_init2: Required head,tailroom: 24,24
klips_debug:ipsec_xmit_init2: existing head,tailroom: 34,28 before applying xforms with head,tailroom: 44,24 .
klips_debug:ipsec_xmit_init2: mtu:1500 physmtu:1500 tothr:44 tottr:24 mtudiff:68 ippkttotlen:84
klips_info:ipsec_xmit_init2: dev ipsec0 mtu of 1500 decreased by 73 to 1427
klips_debug:ipsec_xmit_init2: allocating 14 bytes for hardheader.
klips_debug:ipsec_xmit_init2: head,tailroom: 48,28 after hard_header stripped.
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_init2: head,tailroom: 76,160 after allocation
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84 id:25693 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:49730 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_encap_init: calling output for <IPIP>, SA:[email protected]
klips_debug:ipsec_xmit_encap_init: pushing 20 bytes, putting 0, proto 4.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:ipsec_xmit_cont: after <IPIP>, SA:[email protected]:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:104 id:29293 frag_off:0 ttl:64 proto:4 chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c319a400 SA:[email protected], ref:12 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b800 SA:[email protected], ref:13 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <COMP_DEFLATE>, SA:[email protected]
klips_debug:ipsec_xmit_encap_init: pushing 0 bytes, putting 0, proto 108.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:skb_compress: .
klips_debug:skb_compress: skipping compression of tiny packet, len=84.
klips_debug:ipsec_xmit_ipcomp: packet did not compress (flags = 1).
klips_debug:ipsec_xmit_cont: after <COMP_DEFLATE>, SA:[email protected]:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:104 id:29293 frag_off:0 ttl:64 proto:4 chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b800 SA:[email protected], ref:13 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b000 SA:[email protected], ref:14 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <ESP_AES_HMAC_SHA1>, SA:[email protected]
klips_debug:ipsec_xmit_encap_init: pushing 24 bytes, putting 24, proto 50.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 32,136 before xform.
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308180 idat=c32f164c ilen=96 iv=c32f163c, encrypt=1
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_xmit_cont: after <ESP_AES_HMAC_SHA1>, SA:[email protected]:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:152 id:29293 frag_off:0 ttl:64 proto:50 (ESP) chk:29767 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b000 SA:[email protected], ref:14 reference count (4--) decremented by ipsec_xmit_cont:1286.
klips_debug:ipsec_findroute: 82.79.119.159:0->82.79.119.160:0 50
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:rj_match: *** start searching up the tree, t=0pc31f8be0
klips_debug:rj_match: **** t=0pc31f8bf8
klips_debug:rj_match: **** t=0pc3172680
klips_debug:rj_match: ***** cp2=0pc30963f8 cp3=0pc31d01d0
klips_debug:rj_match: ***** not found.
klips_debug:ipsec_xmit_restore_hard_header: After recursive xforms -- head,tailroom: 32,136
klips_debug:ipsec_xmit_restore_hard_header: With hard_header, final head,tailroom: 18,136
klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:wwan0
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:152 id:29293 frag_off:0 ttl:64 proto:50 (ESP) chk:29673 saddr:82.79.119.159 daddr:82.79.119.160
klips_debug: ipsec_rcv_init(st=0,nxt=1)
klips_debug:ipsec_rcv_init: <<< Info -- skb->dev=wwan0
klips_debug:ipsec_rcv_init: assigning packet ownership to virtual device ipsec0 from physical device wwan0.
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:152 id:61055 frag_off:0 ttl:63 proto:50 (ESP) chk:63702 saddr:82.79.119.160 daddr:82.79.119.159
klips_debug: ipsec_rcv_decap_init(st=1,nxt=2)
klips_debug: ipsec_rcv_decap_lookup(st=2,nxt=3)
klips_debug: ipsec_rcv_auth_init(st=3,nxt=4)
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=158 of SA:[email protected] requested.
ipsec_sa_get: ipsec_sa c32a8000 SA:[email protected], ref:17 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_rcv_auth_init: SA:[email protected], src=82.79.119.160 of pkt agrees with expected SA source address policy.
klips_debug:ipsec_rcv_auth_init: SA:[email protected] First SA in group.
klips_debug:ipsec_rcv_auth_init: natt_type=0 tdbp->ips_natt_type=0 : ok
klips_debug:ipsec_rcv: packet from 82.79.119.160 received with seq=19 (iv)=0x77865e0e44db14b0 iplen=132 esplen=120 [email protected]
klips_debug: ipsec_rcv_auth_calc(st=5,nxt=6)
klips_debug:ipsec_rcv_auth_calc: encalg = 12, authalg = 3.
klips_debug: ipsec_rcv_auth_chk(st=6,nxt=7) - will check
klips_debug:ipsec_rcv_auth_chk: authentication successful.
klips_debug: ipsec_rcv_decrypt(st=7,nxt=8)
klips_debug:ipsec_rcv: encalg=12 esphlen=24
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308240 idat=c3bd223c ilen=96 iv=c3bd222c, encrypt=0
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_rcv_esp_post_decrypt: padlen=10, contents: 0x<offset>: 0x<value> 0x<value> ...
klips_debug:           00: 01 02 03 04 05 06 07 08 09 0a
klips_debug:ipsec_rcv_esp_post_decrypt: packet decrypted from 82.79.119.160: next_header = 4, padding = 10
klips_debug:ipsec_rcv: trimming to 84.
klips_debug: ipsec_rcv_decap_cont(st=8,nxt=9)
klips_debug: ipsec_rcv_auth_chk(st=8,nxt=9) - already checked
klips_debug:ipsec_rcv_decap_cont: after <ESP_AES_HMAC_SHA1>, SA:[email protected]:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:104 id:61055 frag_off:0 ttl:63 proto:4 chk:63796 saddr:82.79.119.160 daddr:82.79.119.159
klips_debug:ipsec_rcv_decap_cont: SA:[email protected], Another IPSEC header to process.
klips_debug: ipsec_rcv_cleanup(st=9,nxt=11)
ipsec_sa_get: ipsec_sa c32a8800 SA:[email protected], ref:16 reference count (3++) incremented by ipsec_rcv_cleanup:1798.
ipsec_sa_get: ipsec_sa c3191400 SA:[email protected], ref:15 reference count (3++) incremented by ipsec_rcv_cleanup:1815.
ipsec_sa_put: ipsec_sa c32a8000 SA:[email protected], ref:17 reference count (4--) decremented by ipsec_rcv_cleanup:1818.
klips_debug:ipsec_rcv_decap_ipip: IPIP tunnel stripped.
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84 id:34482 frag_off:0 ttl:63 proto:1 (ICMP) chk:57325 saddr:10.0.1.5 daddr:10.0.0.5 type:code=0:0
klips_debug:ipsec_rcv_decap_ipip: IPIP SA sets skb->nfmark=0x800f0000.
klips_debug: ipsec_rcv_complete(st=11,nxt=100)
klips_debug:ipsec_rcv_complete: netif_rx(ipsec0) called.
ipsec_sa_put: ipsec_sa c32a8800 SA:[email protected], ref:16 reference count (4--) decremented by ipsec_rsm:2019.
ipsec_sa_put: ipsec_sa c3191400 SA:[email protected], ref:15 reference count (4--) decremented by ipsec_rsm:2024.

When ping does not work:

ipsec_tunnel_start_xmit: STARTING
klips_debug:ipsec_xmit_strip_hard_header: >>> skb->len=98 hard_header_len:14 aa:92:55:00:cc:e5:aa:92:55:00:cc:e5:08:00
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_strip_hard_header: Original head,tailroom: 34,28
klips_debug:ipsec_findroute: 10.0.0.5:0->10.0.1.5:0 1
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:ipsec_xmit_SAlookup: checking for local udp/500 IKE, udp/4500 NAT-T, ESP or AH packets saddr=10.0.0.5, er=0pc31f8be0, daddr=10.0.1.5, er_dst=524f77a0, proto=1 sport=0 dport=0
ipsec_sa_getbyid: linked entry in ipsec_sa table for hash=234 of SA:[email protected] requested.
ipsec_sa_get: ipsec_sa c319a400 SA:[email protected], ref:12 reference count (3++) incremented by ipsec_sa_getbyid:556.
klips_debug:ipsec_xmit_init2: found ipsec_sa -- SA:<IPIP> [email protected]
klips_debug:ipsec_xmit_init2: calling room for <IPIP>, SA:[email protected]
klips_debug:ipsec_xmit_init2: Required head,tailroom: 20,0
klips_debug:ipsec_xmit_init2: calling room for <COMP_DEFLATE>, SA:[email protected]
klips_debug:ipsec_xmit_init2: Required head,tailroom: 0,0
klips_debug:ipsec_xmit_init2: calling room for <ESP_AES_HMAC_SHA1>, SA:[email protected]
klips_debug:ipsec_xmit_init2: Required head,tailroom: 24,24
klips_debug:ipsec_xmit_init2: existing head,tailroom: 34,28 before applying xforms with head,tailroom: 44,24 .
klips_debug:ipsec_xmit_init2: mtu:1500 physmtu:1500 tothr:44 tottr:24 mtudiff:68 ippkttotlen:84
klips_info:ipsec_xmit_init2: dev ipsec0 mtu of 1500 decreased by 73 to 1427
klips_debug:ipsec_xmit_init2: allocating 14 bytes for hardheader.
klips_debug:ipsec_xmit_init2: head,tailroom: 48,28 after hard_header stripped.
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_init2: head,tailroom: 76,160 after allocation
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:84 id:31202 DF frag_off:0 ttl:63 proto:1 (ICMP) chk:44221 saddr:10.0.0.5 daddr:10.0.1.5 type:code=8:0
klips_debug:ipsec_xmit_encap_init: calling output for <IPIP>, SA:[email protected]
klips_debug:ipsec_xmit_encap_init: pushing 20 bytes, putting 0, proto 4.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:ipsec_xmit_cont: after <IPIP>, SA:[email protected]:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:104 id:29295 frag_off:0 ttl:64 proto:4 chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c319a400 SA:[email protected], ref:12 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b800 SA:[email protected], ref:13 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <COMP_DEFLATE>, SA:[email protected]
klips_debug:ipsec_xmit_encap_init: pushing 0 bytes, putting 0, proto 108.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 56,160 before xform.
klips_debug:skb_compress: .
klips_debug:skb_compress: skipping compression of tiny packet, len=84.
klips_debug:ipsec_xmit_ipcomp: packet did not compress (flags = 1).
klips_debug:ipsec_xmit_cont: after <COMP_DEFLATE>, SA:[email protected]:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:104 id:29295 frag_off:0 ttl:64 proto:4 chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b800 SA:[email protected], ref:13 reference count (4--) decremented by ipsec_xmit_cont:1286.
ipsec_sa_get: ipsec_sa c314b000 SA:[email protected], ref:14 reference count (3++) incremented by ipsec_xmit_cont:1291.
klips_debug:ipsec_xmit_encap_init: calling output for <ESP_AES_HMAC_SHA1>, SA:[email protected]
klips_debug:ipsec_xmit_encap_init: pushing 24 bytes, putting 24, proto 50.
klips_debug:ipsec_xmit_encap_init: head,tailroom: 32,136 before xform.
klips_debug:ipsec_alg_esp_encrypt: entering with encalg=12, ixt_e=bf0b697c
klips_debug:ipsec_alg_esp_encrypt: calling cbc_encrypt encalg=12 ips_key_e=c3308180 idat=c320cc4c ilen=96 iv=c320cc3c, encrypt=1
klips_debug:ipsec_alg_esp_encrypt: returned ret=96
klips_debug:ipsec_xmit_cont: after <ESP_AES_HMAC_SHA1>, SA:[email protected]:
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:152 id:29295 frag_off:0 ttl:64 proto:50 (ESP) chk:29765 saddr:82.79.119.159 daddr:82.79.119.160
ipsec_sa_put: ipsec_sa c314b000 SA:[email protected], ref:14 reference count (4--) decremented by ipsec_xmit_cont:1286.
klips_debug:ipsec_findroute: 82.79.119.159:0->82.79.119.160:0 50
klips_debug:rj_match: * See if we match exactly as a host destination
klips_debug:rj_match: ** try to match a leaf, t=0pc31f8be0
klips_debug:rj_match: *** start searching up the tree, t=0pc31f8be0
klips_debug:rj_match: **** t=0pc31f8bf8
klips_debug:rj_match: **** t=0pc3172680
klips_debug:rj_match: ***** cp2=0pc30963f8 cp3=0pc31d01d0
klips_debug:rj_match: ***** not found.
klips_debug:ipsec_xmit_restore_hard_header: After recursive xforms -- head,tailroom: 32,136
klips_debug:ipsec_xmit_restore_hard_header: With hard_header, final head,tailroom: 18,136
klips_debug:ipsec_xmit_send: ...done, calling ip_send() on device:wwan0
klips_debug:   IP: ihl:20 ver:4 tos:0 tlen:152 id:29295 frag_off:0 ttl:64 proto:50 (ESP) chk:29671 saddr:82.79.119.159 daddr:82.79.119.160

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* Control loopback interface input */
    0     0 ACCEPT     udp  --  wwan0  *       0.0.0.0/0            0.0.0.0/0            udp dpt:8080 /* Control web port connection attempts */
    0     0 ACCEPT     tcp  --  wwan0  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 flags:0x17/0x02 /* Control web port connection attempts */
  342 49352 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Allow incoming WAN traffic in response to established connection */
    0     0 DROP       all  --  wwan0  *       0.0.0.0/0            0.0.0.0/0            /* Control interface traffic */
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0            /* Control interface traffic */
   35 11480 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0            /* Control interface traffic */
    7   203 ACCEPT     all  --  ipsec0 *       0.0.0.0/0            0.0.0.0/0            /* Control interface traffic */

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   27  2268 ACCEPT     all  --  *      ipsec0  0.0.0.0/0            0.0.0.0/0            state NEW /* Forward new connection attempts out WAN port */
  464 38976 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* Forward established connections (where?) */

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* Control loopback interface output */
    0     0 ACCEPT     udp  --  *      wwan0   0.0.0.0/0            0.0.0.0/0            udp dpt:8080 /* Control web port connection attempts */
    0     0 ACCEPT     tcp  --  *      wwan0   0.0.0.0/0            0.0.0.0/0            tcp dpt:8080 flags:0x17/0x02 /* Control web port connection attempts */
    0     0 ACCEPT     all  --  *      ipsec0  0.0.0.0/0            0.0.0.0/0            state NEW /* Allow new outbound WAN connections */
  360 52568 ACCEPT     all  --  *      wwan0   0.0.0.0/0            0.0.0.0/0            /* Control interface traffic */
    0     0 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0            /* Control interface traffic */
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0            /* Control interface traffic */
    0     0 ACCEPT     all  --  *      ipsec0  0.0.0.0/0            0.0.0.0/0            /* Control interface traffic */

Answer 1

We solved this by adding a keepalive on each device, every 5 minutes, pointed at the remote device's LAN IP. That was the fix! :)
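
One way to implement the keepalive this answer describes, as an added example that is not the answerer's own script. The addresses are the `leftsourceip` values from the two configs on this page (Device_1 side shown); the state file path, failure threshold and script path are assumptions.

```shell
#!/bin/sh
# IPsec tunnel keepalive (added example). Sends a few ICMP echoes through
# the tunnel to the remote router's LAN address so the path never sits idle,
# and counts consecutive failures so a dead tunnel is logged, not masked.
# Values are for Device_1; swap LOCAL_SRC and REMOTE_LAN on Device_2.
LOCAL_SRC="${LOCAL_SRC:-10.0.0.250}"    # leftsourceip of Device_1
REMOTE_LAN="${REMOTE_LAN:-10.0.1.250}"  # leftsourceip of Device_2
STATE_FILE="${STATE_FILE:-/var/run/ipsec-keepalive.fails}"  # assumed path
MAX_FAILS="${MAX_FAILS:-3}"             # assumed alert threshold
PING_CMD="${PING_CMD:-ping}"            # overridable for testing

# Send the probe. -I binds the source address so the packet falls inside
# leftsubnet -> rightsubnet and is sent via ipsec0 rather than in the clear.
probe() {
    "$PING_CMD" -c 3 -W 5 -I "$LOCAL_SRC" "$REMOTE_LAN" >/dev/null 2>&1
}

# Read the consecutive-failure counter (0 if missing or not a number).
read_fails() {
    n=$(cat "$STATE_FILE" 2>/dev/null) || n=0
    case "$n" in ''|*[!0-9]*) n=0 ;; esac
    echo "$n"
}

# One keepalive round. Prints "ok", "fail N" or "alert N".
# Returns 0 only when the remote side answered.
keepalive_once() {
    if probe; then
        echo 0 > "$STATE_FILE"
        echo "ok"
        return 0
    fi
    fails=$(( $(read_fails) + 1 ))
    echo "$fails" > "$STATE_FILE"
    if [ "$fails" -ge "$MAX_FAILS" ]; then
        if command -v logger >/dev/null 2>&1; then
            logger -t ipsec-keepalive \
                "no reply from $REMOTE_LAN via tunnel, $fails rounds in a row" \
                2>/dev/null || true
        fi
        echo "alert $fails"
    else
        echo "fail $fails"
    fi
    return 1
}

# Run from cron every 5 minutes (script path is an assumption):
#   */5 * * * * /usr/local/sbin/ipsec-keepalive.sh run
case "${1:-}" in
    run) keepalive_once >/dev/null ;;
esac
```
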
