命令“ip xfrm state”没有输出来显示 strongswan 状态

命令“ip xfrm state”没有输出来显示 strongswan 状态
[root@vrouter-ovs ~]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-327.36.3.el7.x86_64, x86_64):
uptime: 5 hours, since Jul 26 01:22:51 2017
malloc: sbrk 1699840, mmap 0, used 536928, free 1162912
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-libipsec kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Listening IP addresses:
192.168.220.155
10.10.64.155
172.16.2.1
Connections:
   gz-bj:  10.10.64.155...10.10.64.156  IKEv2, dpddelay=30s
   gz-bj:   local:  [10.10.64.155] uses pre-shared key authentication
   gz-bj:   remote: [10.10.64.156] uses pre-shared key authentication
   gz-bj:   child:  172.16.2.0/24 === 10.11.11.0/24 TUNNEL, dpdaction=hold
Routed Connections:
   gz-bj{3}:  ROUTED, TUNNEL, reqid 1
   gz-bj{3}:   172.16.2.0/24 === 10.11.11.0/24
Security Associations (1 up, 0 connecting):
   gz-bj[7]: ESTABLISHED 27 minutes ago, 10.10.64.155[10.10.64.155]...10.10.64.156[10.10.64.156]
   gz-bj[7]: IKEv2 SPIs: 88bb0cc94a980fa6_i ed5a61b03f1fd433_r*, pre-shared key reauthentication in 30 minutes
   gz-bj[7]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
   gz-bj{8}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 40d2fe06_i 9afad142_o
   gz-bj{8}:  AES_CBC_128/HMAC_SHA1_96, 136752 bytes_i (1628 pkts, 1s ago), 136752 bytes_o (1628 pkts, 1s ago), rekeying in 29 minutes
   gz-bj{8}:   172.16.2.0/24 === 10.11.11.0/24

[root@vrouter-ovs ~]# ip xfrm state

答案1

你有内核-libipsec插件已启用,它在用户空间而不是 Linux 内核中处理 IPsec。不建议在安全网关上使用它(查看链接页面上的说明)。内核网络链接插件是在内核中安装 IPsec SA 和策略的插件。

如果您自己构建了 strongSwan,只需禁用该插件(即不要添加--enable-kernel-libipsec到配置选项(make clean在重建之前使用)。您也可以通过 strongswan.conf 或包含的配置片段禁用该插件(即在中strongswan.d设置),请参阅load = no/etc/strongswan.d/charon/kernel-libipsec.conf插件加载选项了解详情。

相关内容