[root@vrouter-ovs ~]# strongswan statusall
Status of IKE charon daemon (strongSwan 5.5.3, Linux 3.10.0-327.36.3.el7.x86_64, x86_64):
uptime: 5 hours, since Jul 26 01:22:51 2017
malloc: sbrk 1699840, mmap 0, used 536928, free 1162912
worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-libipsec kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Listening IP addresses:
192.168.220.155
10.10.64.155
172.16.2.1
Connections:
gz-bj: 10.10.64.155...10.10.64.156 IKEv2, dpddelay=30s
gz-bj: local: [10.10.64.155] uses pre-shared key authentication
gz-bj: remote: [10.10.64.156] uses pre-shared key authentication
gz-bj: child: 172.16.2.0/24 === 10.11.11.0/24 TUNNEL, dpdaction=hold
Routed Connections:
gz-bj{3}: ROUTED, TUNNEL, reqid 1
gz-bj{3}: 172.16.2.0/24 === 10.11.11.0/24
Security Associations (1 up, 0 connecting):
gz-bj[7]: ESTABLISHED 27 minutes ago, 10.10.64.155[10.10.64.155]...10.10.64.156[10.10.64.156]
gz-bj[7]: IKEv2 SPIs: 88bb0cc94a980fa6_i ed5a61b03f1fd433_r*, pre-shared key reauthentication in 30 minutes
gz-bj[7]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536
gz-bj{8}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 40d2fe06_i 9afad142_o
gz-bj{8}: AES_CBC_128/HMAC_SHA1_96, 136752 bytes_i (1628 pkts, 1s ago), 136752 bytes_o (1628 pkts, 1s ago), rekeying in 29 minutes
gz-bj{8}: 172.16.2.0/24 === 10.11.11.0/24
[root@vrouter-ovs ~]# ip xfrm state
答案1
你有内核-libipsec插件已启用,它在用户空间而不是 Linux 内核中处理 IPsec。不建议在安全网关上使用它(查看链接页面上的说明)。内核网络链接插件是在内核中安装 IPsec SA 和策略的插件。
如果您自己构建了 strongSwan,只需禁用该插件(即不要添加--enable-kernel-libipsec
到配置选项(make clean
在重建之前使用)。您也可以通过 strongswan.conf 或包含的配置片段禁用该插件(即在中strongswan.d
设置),请参阅load = no
/etc/strongswan.d/charon/kernel-libipsec.conf
插件加载选项了解详情。