IPsec site-to-site VPN sometimes does not work

I am running into problems with an IPsec (strongSwan) site-to-site VPN on CentOS (Linux).

There are 2 tunnels in my network:

Security Associations (2 up, 0 connecting):
gateway-second[2]: ESTABLISHED 6 minutes ago, XX.XX.XX.XXX[10.10.20.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
gateway-second{2}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: c016f8d5_i 0e88a657_o
gateway-second{2}:   10.10.20.1/32 === 10.5.30.144/32
gateway-first[1]: ESTABLISHED 6 minutes ago, XX.XX.XX.XXX[10.10.21.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
gateway-first{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cd51497c_i 118e08a0_o
gateway-first{1}:   10.10.21.1/32 === 10.5.31.26/32

So my problem is that sometimes, when I restart the VPN server, traffic goes into the tunnel, and sometimes it does not. This is strange and I do not know what to search for. Maybe you know?

Here is my ipsec.conf:

conn myikesettings
  keyexchange=ikev2
  authby=secret
  left=%defaultroute
  right=XX.XX.XXX.XX
  type=tunnel
  ike=aes256-sha256-modp1024!
  esp=aes256-sha1!
  keyingtries=3
  ikelifetime=86400s
  lifetime=36000
  pfs=no
  closeaction=hold
conn gateway-first
  leftid=10.10.21.1
  leftsubnet=10.10.21.1/32
  rightsubnet=10.5.31.26/32
  also=myikesettings
  auto=start
conn gateway-second
  leftid=10.10.20.1
  leftsubnet=10.10.20.1/32
  rightsubnet=10.5.30.144/32
  also=myikesettings
  auto=start

--- charon.log ---

Apr  7 20:30:14 00[CFG] loading secrets from '/etc/strongswan/ipsec.secrets'
Apr  7 20:30:14 00[CFG] loaded IKE secret for XX.XX.XX.XXX YY.YY.YYY.YY
Apr  7 20:30:14 00[LIB] loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp unity
Apr  7 20:30:14 00[JOB] spawning 16 worker threads
Apr  7 20:30:14 06[CFG] received stroke: add connection 'gateway-second'
Apr  7 20:30:14 06[CFG] added configuration 'gateway-second'
Apr  7 20:30:14 07[CFG] received stroke: initiate 'gateway-second'
Apr  7 20:30:14 07[IKE] <gateway-second|1> initiating IKE_SA gateway-second[1] to YY.YY.YYY.YY
Apr  7 20:30:14 07[ENC] <gateway-second|1> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr  7 20:30:14 07[NET] <gateway-second|1> sending packet: from XX.XX.XX.XXX[500] to YY.YY.YYY.YY[500] (338 bytes)
Apr  7 20:30:14 09[CFG] received stroke: add connection 'gateway-first'
Apr  7 20:30:14 09[CFG] added configuration 'gateway-first'
Apr  7 20:30:14 11[CFG] received stroke: initiate 'gateway-first'
Apr  7 20:30:14 11[IKE] <gateway-first|2> initiating IKE_SA gateway-first[2] to YY.YY.YYY.YY
Apr  7 20:30:14 11[ENC] <gateway-first|2> generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Apr  7 20:30:14 11[NET] <gateway-first|2> sending packet: from XX.XX.XX.XXX[500] to YY.YY.YYY.YY[500] (338 bytes)
Apr  7 20:30:14 13[NET] <gateway-second|1> received packet: from YY.YY.YYY.YY[500] to XX.XX.XX.XXX[500] (438 bytes)
Apr  7 20:30:14 13[ENC] <gateway-second|1> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]
Apr  7 20:30:14 13[IKE] <gateway-second|1> received Cisco Delete Reason vendor ID
Apr  7 20:30:14 13[IKE] <gateway-second|1> received Cisco Copyright (c) 2009 vendor ID
Apr  7 20:30:14 13[IKE] <gateway-second|1> received FRAGMENTATION vendor ID
Apr  7 20:30:14 13[IKE] <gateway-second|1> authentication of '10.10.21.1' (myself) with pre-shared key
Apr  7 20:30:14 13[IKE] <gateway-second|1> establishing CHILD_SA gateway-second
Apr  7 20:30:14 13[ENC] <gateway-second|1> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr  7 20:30:14 13[NET] <gateway-second|1> sending packet: from XX.XX.XX.XXX[4500] to YY.YY.YYY.YY[4500] (288 bytes)
Apr  7 20:30:14 15[NET] <gateway-first|2> received packet: from YY.YY.YYY.YY[500] to XX.XX.XX.XXX[500] (438 bytes)
Apr  7 20:30:14 15[ENC] <gateway-first|2> parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) V ]
Apr  7 20:30:14 15[IKE] <gateway-first|2> received Cisco Delete Reason vendor ID
Apr  7 20:30:14 15[IKE] <gateway-first|2> received Cisco Copyright (c) 2009 vendor ID
Apr  7 20:30:14 15[IKE] <gateway-first|2> received FRAGMENTATION vendor ID
Apr  7 20:30:14 15[IKE] <gateway-first|2> authentication of '10.10.20.1' (myself) with pre-shared key
Apr  7 20:30:14 15[IKE] <gateway-first|2> establishing CHILD_SA gateway-first
Apr  7 20:30:14 15[ENC] <gateway-first|2> generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Apr  7 20:30:14 15[NET] <gateway-first|2> sending packet: from XX.XX.XX.XXX[4500] to YY.YY.YYY.YY[4500] (288 bytes)
Apr  7 20:30:14 05[NET] <gateway-second|1> received packet: from YY.YY.YYY.YY[4500] to XX.XX.XX.XXX[4500] (256 bytes)
Apr  7 20:30:14 05[ENC] <gateway-second|1> parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr  7 20:30:14 05[IKE] <gateway-second|1> authentication of 'YY.YY.YYY.YY' with pre-shared key successful
Apr  7 20:30:14 05[IKE] <gateway-second|1> IKE_SA gateway-second[1] established between XX.XX.XX.XXX[10.10.21.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
Apr  7 20:30:14 05[IKE] <gateway-second|1> scheduling reauthentication in 85478s
Apr  7 20:30:14 05[IKE] <gateway-second|1> maximum IKE_SA lifetime 86018s
Apr  7 20:30:14 05[IKE] <gateway-second|1> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr  7 20:30:14 05[IKE] <gateway-second|1> CHILD_SA gateway-second{1} established with SPIs c341bc05_i d8e034cf_o and TS 10.10.21.1/32 === 10.5.31.26/32
Apr  7 20:30:14 04[NET] <gateway-first|2> received packet: from YY.YY.YYY.YY[4500] to XX.XX.XX.XXX[4500] (256 bytes)
Apr  7 20:30:14 04[ENC] <gateway-first|2> parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
Apr  7 20:30:14 04[IKE] <gateway-first|2> authentication of 'YY.YY.YYY.YY' with pre-shared key successful
Apr  7 20:30:14 04[IKE] <gateway-first|2> IKE_SA gateway-first[2] established between XX.XX.XX.XXX[10.10.20.1]...YY.YY.YYY.YY[YY.YY.YYY.YY]
Apr  7 20:30:14 04[IKE] <gateway-first|2> scheduling reauthentication in 85371s
Apr  7 20:30:14 04[IKE] <gateway-first|2> maximum IKE_SA lifetime 85911s
Apr  7 20:30:14 04[IKE] <gateway-first|2> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Apr  7 20:30:14 04[IKE] <gateway-first|2> CHILD_SA gateway-first{2} established with SPIs cc5c14b6_i d89a3328_o and TS 10.10.20.1/32 === 10.5.30.144/32
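One thing worth checking in the log above is that the identity and traffic selectors logged under each IKE_SA are the ones configured for the other conn (gateway-second[1] authenticates as 10.10.21.1 and installs 10.10.21.1/32 === 10.5.31.26/32, which is gateway-first's config). The script below is an added example, not part of the original post: it parses an ipsec.conf-style excerpt and the CHILD_SA lines from charon.log and reports every CHILD_SA whose negotiated selectors do not match the conn it was established under. The config excerpt is a constructed copy of the question's two conn sections with the shared myikesettings section left out.

```python
import re

# Constructed excerpt in the shape of the ipsec.conf from the question (shared section omitted).
IPSEC_CONF = """\
conn gateway-first
  leftid=10.10.21.1
  leftsubnet=10.10.21.1/32
  rightsubnet=10.5.31.26/32
conn gateway-second
  leftid=10.10.20.1
  leftsubnet=10.10.20.1/32
  rightsubnet=10.5.30.144/32
"""

# The two CHILD_SA lines from the charon.log in the question.
CHARON_LOG = """\
Apr  7 20:30:14 05[IKE] <gateway-second|1> CHILD_SA gateway-second{1} established with SPIs c341bc05_i d8e034cf_o and TS 10.10.21.1/32 === 10.5.31.26/32
Apr  7 20:30:14 04[IKE] <gateway-first|2> CHILD_SA gateway-first{2} established with SPIs cc5c14b6_i d89a3328_o and TS 10.10.20.1/32 === 10.5.30.144/32
"""

CHILD_RE = re.compile(
    r"CHILD_SA (\S+)\{\d+\} established with SPIs \S+ \S+ and TS (\S+) === (\S+)")

def parse_conns(text):
    """Return {conn_name: {key: value}} from an ipsec.conf-style text."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("conn "):
            cur = conns.setdefault(line.split(None, 1)[1], {})
        elif cur is not None and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            cur[key] = val
    return conns

def check_child_sas(conf_text, log_text):
    """Compare each established CHILD_SA's traffic selectors with the conn's
    leftsubnet/rightsubnet; returns [(conn_name, matches, local_ts, remote_ts)]."""
    conns = parse_conns(conf_text)
    findings = []
    for line in log_text.splitlines():
        m = CHILD_RE.search(line)
        if not m:
            continue
        name, local, remote = m.groups()
        cfg = conns.get(name, {})
        ok = (local, remote) == (cfg.get("leftsubnet"), cfg.get("rightsubnet"))
        findings.append((name, ok, local, remote))
    return findings
```

Run against the question's own log, both CHILD_SAs come back as mismatches, which is the symptom to look for whenever two conns terminate on the same pair of peer addresses.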

Answer 1

Solved this by getting another public IP for the server. This is because the remote site cannot establish 2 tunnels on the same peer.
