Strongswan IKEv2 REAUTH request


I have successfully created an IKEv2 connection between a Mikrotik RouterBoard with an LTE module and a Strongswan server. The Mikrotik has a non-public, dynamic IP address assigned by the SIM card.

Strongswan:

config setup
   charondebug="all"
   uniqueids=yes
   strictcrlpolicy=no

conn %default
   keyexchange=ikev2

conn tunnel
   reauth=no
   rightsendcert=never
   left=87.236.194.196
   leftsubnet=192.168.80.0/24
   right=%any
   rightsubnet=0.0.0.0/0
   keyingtries=0
   ikelifetime=1h
   lifetime=8h
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear
   authby=secret
   auto=route
   type=tunnel

Mikrotik:

/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1h pfs-group=none
/ip ipsec peer add address=89.187.144.196/32 dh-group=modp1024 enc-algorithm=aes-256 exchange-mode=ike2 lifetime=8h secret=XYZ
/ip ipsec policy add dst-address=192.168.80.0/24 sa-dst-address=89.187.144.196 sa-src-address=0.0.0.0 src-address=192.168.40.0/24 tunnel=yes

When reauthentication is disabled in the conn section, everything works fine. When reauthentication is enabled (the default), the reauthentication breaks the IPsec tunnel and the connection is re-established.

May 14 10:05:50 mvvk4-1 charon: 05[IKE] initiator did not reauthenticate as requested
May 14 10:05:50 mvvk4-1 charon: 05[IKE] reauthenticating IKE_SA tunnel[137] actively
May 14 10:05:50 mvvk4-1 charon: 05[IKE] deleting IKE_SA tunnel[137] between 87.236.194.196[87.236.194.196]...89.24.32.111[100.111.170.80]
May 14 10:05:50 mvvk4-1 charon: 05[IKE] sending DELETE for IKE_SA tunnel[137]
May 14 10:05:50 mvvk4-1 charon: 05[ENC] generating INFORMATIONAL request 34 [ D ]
May 14 10:05:50 mvvk4-1 charon: 05[NET] sending packet: from 87.236.194.196[4500] to 89.24.32.111[61529] (76 bytes)
May 14 10:05:50 mvvk4-1 charon: 13[NET] received packet: from 89.24.32.111[61529] to 87.236.194.196[4500] (92 bytes)
May 14 10:05:50 mvvk4-1 charon: 13[ENC] parsed INFORMATIONAL response 34 [ ]
May 14 10:05:50 mvvk4-1 charon: 13[IKE] IKE_SA deleted
May 14 10:05:50 mvvk4-1 charon: 13[IKE] restarting CHILD_SA tunnel
May 14 10:05:50 mvvk4-1 charon: 13[IKE] unable to resolve %any, initiate aborted
May 14 10:05:50 mvvk4-1 charon: 13[MGR] tried to check-in and delete nonexisting IKE_SA
May 14 10:05:50 mvvk4-1 charon: 13[IKE] reauthenticating IKE_SA failed
May 14 10:05:53 mvvk4-1 charon: 05[NET] received packet: from 89.24.32.111[61529] to 87.236.194.196[4500] (296 bytes)
May 14 10:05:53 mvvk4-1 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
May 14 10:05:53 mvvk4-1 charon: 05[IKE] 89.24.32.111 is initiating an IKE_SA
May 14 10:05:53 mvvk4-1 charon: 05[IKE] remote host is behind NAT
May 14 10:05:53 mvvk4-1 charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 14 10:05:53 mvvk4-1 charon: 05[NET] sending packet: from 87.236.194.196[4500] to 89.24.32.111[61529] (312 bytes)
May 14 10:05:53 mvvk4-1 charon: 14[NET] received packet: from 89.24.32.111[61529] to 87.236.194.196[4500] (316 bytes)
May 14 10:05:53 mvvk4-1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr ]
May 14 10:05:53 mvvk4-1 charon: 14[CFG] looking for peer configs matching 87.236.194.196[%any]...89.24.32.111[100.111.170.80]
May 14 10:05:53 mvvk4-1 charon: 14[CFG] selected peer config 'tunnel'
May 14 10:05:53 mvvk4-1 charon: 14[IKE] authentication of '100.111.170.80' with pre-shared key successful
May 14 10:05:53 mvvk4-1 charon: 14[IKE] authentication of '87.236.194.196' (myself) with pre-shared key
May 14 10:05:53 mvvk4-1 charon: 14[IKE] IKE_SA tunnel[144] established between 87.236.194.196[87.236.194.196]...89.24.32.111[100.111.170.80]
May 14 10:05:53 mvvk4-1 charon: 14[IKE] scheduling reauthentication in 3346s
May 14 10:05:53 mvvk4-1 charon: 14[IKE] maximum IKE_SA lifetime 3526s
May 14 10:05:53 mvvk4-1 charon: 14[IKE] CHILD_SA tunnel{126} established with SPIs c1db676c_i 09f7b444_o and TS 192.168.80.0/24 === 192.168.88.0/24
May 14 10:05:53 mvvk4-1 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
May 14 10:05:53 mvvk4-1 charon: 14[NET] sending packet: from 87.236.194.196[4500] to 89.24.32.111[61529] (220 bytes)
May 14 10:06:23 mvvk4-1 charon: 04[IKE] sending DPD request
May 14 10:06:23 mvvk4-1 charon: 04[ENC] generating INFORMATIONAL request 0 [ ]
May 14 10:06:23 mvvk4-1 charon: 04[NET] sending packet: from 87.236.194.196[4500] to 89.24.32.111[61529] (76 bytes)

Rekeying works without problems.

I would like to ask where the problem might be - on the Mikrotik side, on the server side, or with the NAT connection? Thanks.
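As an added example (not part of the original post or of the strongSwan project), the following Python script parses the charon log excerpt quoted above and reconstructs the outage sequence it shows: the responder decides the initiator "did not reauthenticate as requested", tears the IKE_SA down to reauthenticate it actively, and then cannot initiate because the peer is configured as `%any` ("unable to resolve %any, initiate aborted"); the tunnel only comes back when the Mikrotik initiates a fresh IKE_SA three seconds later. The sample lines are copied from the post; the function names and the year-less syslog timestamp handling are the example's own assumptions.

```python
import re
from datetime import datetime

# Log lines copied from the post above (a subset of the charon output).
SAMPLE_LOG = """\
May 14 10:05:50 mvvk4-1 charon: 05[IKE] initiator did not reauthenticate as requested
May 14 10:05:50 mvvk4-1 charon: 05[IKE] reauthenticating IKE_SA tunnel[137] actively
May 14 10:05:50 mvvk4-1 charon: 05[IKE] deleting IKE_SA tunnel[137] between 87.236.194.196[87.236.194.196]...89.24.32.111[100.111.170.80]
May 14 10:05:50 mvvk4-1 charon: 13[IKE] IKE_SA deleted
May 14 10:05:50 mvvk4-1 charon: 13[IKE] restarting CHILD_SA tunnel
May 14 10:05:50 mvvk4-1 charon: 13[IKE] unable to resolve %any, initiate aborted
May 14 10:05:50 mvvk4-1 charon: 13[IKE] reauthenticating IKE_SA failed
May 14 10:05:53 mvvk4-1 charon: 05[IKE] 89.24.32.111 is initiating an IKE_SA
May 14 10:05:53 mvvk4-1 charon: 14[IKE] IKE_SA tunnel[144] established between 87.236.194.196[87.236.194.196]...89.24.32.111[100.111.170.80]
May 14 10:05:53 mvvk4-1 charon: 14[IKE] scheduling reauthentication in 3346s
"""

# Syslog-style charon line: "<Mon> <day> <HH:MM:SS> <host> charon: <thread>[<subsystem>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ charon: \d+\[(?P<sub>\w+)\] (?P<msg>.*)$"
)


def parse_lines(text):
    """Yield (timestamp, subsystem, message) tuples; non-matching lines are skipped.
    Syslog lines carry no year, so strptime defaults to 1900; differences are still correct."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("sub"), m.group("msg")))
    return events


def find_reauth_outages(text):
    """Return one record per active reauthentication that failed and was only
    recovered by the peer establishing a new IKE_SA: old/new SA ids, the
    failure reason charon logged, and the outage length in seconds."""
    outages = []
    pending = None
    for ts, sub, msg in parse_lines(text):
        if sub != "IKE":
            continue
        m = re.match(r"reauthenticating IKE_SA (\S+)\[(\d+)\] actively", msg)
        if m:
            # Responder gave up waiting for the initiator and deletes the IKE_SA itself.
            pending = {"conn": m.group(1), "old_sa": int(m.group(2)),
                       "deleted_at": ts, "reason": None, "failed": False}
            continue
        if pending is None:
            continue
        if msg.startswith("unable to resolve "):
            # The responder cannot initiate towards a peer defined as %any.
            pending["reason"] = msg
        elif msg == "reauthenticating IKE_SA failed":
            pending["failed"] = True
        else:
            m = re.match(r"IKE_SA (\S+)\[(\d+)\] established", msg)
            if m and pending["failed"]:
                pending["new_sa"] = int(m.group(2))
                pending["gap_seconds"] = (ts - pending["deleted_at"]).total_seconds()
                outages.append(pending)
                pending = None
    return outages


if __name__ == "__main__":
    for o in find_reauth_outages(SAMPLE_LOG):
        print(f"{o['conn']}: IKE_SA {o['old_sa']} deleted at {o['deleted_at']:%H:%M:%S}, "
              f"reason '{o['reason']}', peer re-established as {o['new_sa']} "
              f"after {o['gap_seconds']:.0f}s")
```

Run against the full charon log to list every such gap; on the excerpt above it reports a single 3-second outage between IKE_SA 137 and 144, with the reason being the unresolvable `%any` peer, which points at the server-side reauthentication attempt rather than at the rekey (which the post notes works fine).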
