我在运行 StrongSwan 的 Debian 云服务器和 Juniper SRX 210 之间配置了一条静态 IPsec 隧道。隧道可以正常建立,但不会维持很长时间,最长可能只有 1 小时左右。我认为这是因为没有太多数据穿越隧道,导致隧道超时。
StrongSwan 配置:
# ipsec.conf - strongSwan IPsec configuration file
config setup
# Add connections here.
conn vpn.mydomain.com
auto=start
keyexchange=ikev2
authby=secret
ike=aes128-sha256-modp2048s256
ikelifetime=3h
esp=aes128-sha256
left=AAA.BBB.CCC.DDD
[email protected]
leftsubnet=192.168.2.0/24
leftsourceip=192.168.2.2
right=vpn.mydomain.com
[email protected]
rightsubnet=192.168.1.0/24
dpdaction=hold
dpddelay=60
dpdtimeout=500
SRX 配置(部分):
proposal ike-vpn-proposal {
authentication-method pre-shared-keys;
dh-group group24;
authentication-algorithm sha-256;
encryption-algorithm aes-128-cbc;
}
policy ike-vpn-policy {
mode aggressive;
proposals ike-vpn-proposal;
pre-shared-key ascii-text "SECRET"; ## SECRET-DATA }
gateway vpn-local-gw {
ike-policy ike-vpn-policy;
address AAA.BBB.CCC.DDD;
dead-peer-detection {
interval 10;
threshold 3;
}
local-identity hostname vpn.mydomain.com;
remote-identity hostname reverser.mydomain.com;
external-interface fe-0/0/7.0;
version v2-only;
}
proposal ipsec-vpn-proposal {
protocol esp;
authentication-algorithm hmac-sha-256-128;
encryption-algorithm aes-128-cbc;
}
policy ipsec-vpn-policy {
perfect-forward-secrecy {
keys group24;
}
proposals ipsec-vpn-proposal;
}
vpn vpn {
bind-interface st0.0;
ike {
gateway vpn-local-gw;
proxy-identity {
local 192.168.1.0/24;
remote 192.168.2.0/24;
}
ipsec-policy ipsec-vpn-policy;
}
establish-tunnels immediately;
}
security-zone trust {
host-inbound-traffic {
system-services {
all;
}
protocols {
all;
}
}
interfaces {
vlan.100;
}
}
security-zone untrust {
screen untrust-screen;
interfaces {
fe-0/0/7.0 {
host-inbound-traffic {
system-services {
dhcp;
ike;
}
}
}
}
}
security-zone vpn {
interfaces {
st0.0;
}
}
SRX IKE 和 IPsec 状态:
root@dravis> show security ike security-associations
Index State Initiator cookie Responder cookie Mode Remote Address
1402228 UP 3551524e1af4a5e3 9dbc38ed8519f12b IKEv2 AAA.BBB.CCC.DDD
root@dravis> show security ipsec security-associations
Total active tunnels: 0
root@dravis> show security ipsec inactive-tunnels
Total inactive tunnels: 1
Total inactive tunnels with establish immediately: 1
ID Port Nego# Fail# Flag Gateway Tunnel Down Reason
131073 500 8 0 600a29 AAA.BBB.CCC.DDD Delete payload received
StrongSwan 状态:
Status of IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64):
uptime: 92 days, since Aug 24 17:41:13 2016
malloc: sbrk 1495040, mmap 0, used 312800, free 1182240
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon aes rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
AAA.BBB.CCC.DDD
10.10.0.5
192.168.2.2
Connections:
vpn.mydomain.com: AAA.BBB.CCC.DDD...vpn.mydomain.com IKEv2
vpn.mydomain.com: local: [reverser.mydomain.com] uses pre-shared key authentication
vpn.mydomain.com: remote: [vpn.mydomain.com] uses pre-shared key authentication
vpn.mydomain.com: child: 192.168.2.0/24 === 192.168.1.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
vpn.mydomain.com[941]: ESTABLISHED 2 hours ago, AAA.BBB.CCC.DDD[reverser.mydomain.com]...EEE.FFF.GGG.HHH[vpn.mydomain.com]
vpn.mydomain.com[941]: IKEv2 SPIs: e3a5f41a4e525135_i 2bf11985ed38bc9d_r*, pre-shared key reauthentication in 15 minutes
vpn.mydomain.com[941]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048_256
答案1
我相信我通过在双方设置明确的重新密钥间隔解决了这个问题 - IKE 为 3 小时,IPsec 为 12 小时。
我不知道为什么这可以解决这个问题,这让我很担心,但是隧道已经连续运行了好几天,没有任何问题。