I have successfully created an IKEv2 connection between a Mikrotik RouterBoard with an LTE module and a strongSwan server. The Mikrotik has a non-public, dynamic IP address assigned by the SIM card.
Strongswan:
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no
conn %default
    keyexchange=ikev2
conn tunnel
    reauth=no
    rightsendcert=never
    left=87.236.194.196
    leftsubnet=192.168.80.0/24
    right=%any
    rightsubnet=0.0.0.0/0
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    authby=secret
    auto=route
    type=tunnel
Mikrotik:
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1h pfs-group=none
/ip ipsec peer add address=89.187.144.196/32 dh-group=modp1024 enc-algorithm=aes-256 exchange-mode=ike2 lifetime=8h secret=XYZ
/ip ipsec policy add dst-address=192.168.80.0/24 sa-dst-address=89.187.144.196 sa-src-address=0.0.0.0 src-address=192.168.40.0/24 tunnel=yes
When reauthentication is disabled in the conn section, everything works fine. When reauthentication is enabled (the default), the reauthentication breaks the IPsec tunnel and the connection is re-established.
May 14 10:05:50 mvvk4-1 charon: 05[IKE] initiator did not reauthenticate as requested
May 14 10:05:50 mvvk4-1 charon: 05[IKE] reauthenticating IKE_SA tunnel[137] actively
May 14 10:05:50 mvvk4-1 charon: 05[IKE] deleting IKE_SA tunnel[137] between 87.236.194.196[87.236.194.196]...89.24.32.111[100.111.170.80]
May 14 10:05:50 mvvk4-1 charon: 05[IKE] sending DELETE for IKE_SA tunnel[137]
May 14 10:05:50 mvvk4-1 charon: 05[ENC] generating INFORMATIONAL request 34 [ D ]
May 14 10:05:50 mvvk4-1 charon: 05[NET] sending packet: from 87.236.194.196[4500] to 89.24.32.111[61529] (76 bytes)
May 14 10:05:50 mvvk4-1 charon: 13[NET] received packet: from 89.24.32.111[61529] to 87.236.194.196[4500] (92 bytes)
May 14 10:05:50 mvvk4-1 charon: 13[ENC] parsed INFORMATIONAL response 34 [ ]
May 14 10:05:50 mvvk4-1 charon: 13[IKE] IKE_SA deleted
May 14 10:05:50 mvvk4-1 charon: 13[IKE] restarting CHILD_SA tunnel
May 14 10:05:50 mvvk4-1 charon: 13[IKE] unable to resolve %any, initiate aborted
May 14 10:05:50 mvvk4-1 charon: 13[MGR] tried to check-in and delete nonexisting IKE_SA
May 14 10:05:50 mvvk4-1 charon: 13[IKE] reauthenticating IKE_SA failed
May 14 10:05:53 mvvk4-1 charon: 05[NET] received packet: from 89.24.32.111[61529] to 87.236.194.196[4500] (296 bytes)
May 14 10:05:53 mvvk4-1 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
May 14 10:05:53 mvvk4-1 charon: 05[IKE] 89.24.32.111 is initiating an IKE_SA
May 14 10:05:53 mvvk4-1 charon: 05[IKE] remote host is behind NAT
May 14 10:05:53 mvvk4-1 charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 14 10:05:53 mvvk4-1 charon: 05[NET] sending packet: from 87.236.194.196[4500] to 89.24.32.111[61529] (312 bytes)
May 14 10:05:53 mvvk4-1 charon: 14[NET] received packet: from 89.24.32.111[61529] to 87.236.194.196[4500] (316 bytes)
May 14 10:05:53 mvvk4-1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr ]
May 14 10:05:53 mvvk4-1 charon: 14[CFG] looking for peer configs matching 87.236.194.196[%any]...89.24.32.111[100.111.170.80]
May 14 10:05:53 mvvk4-1 charon: 14[CFG] selected peer config 'tunnel'
May 14 10:05:53 mvvk4-1 charon: 14[IKE] authentication of '100.111.170.80' with pre-shared key successful
May 14 10:05:53 mvvk4-1 charon: 14[IKE] authentication of '87.236.194.196' (myself) with pre-shared key
May 14 10:05:53 mvvk4-1 charon: 14[IKE] IKE_SA tunnel[144] established between 87.236.194.196[87.236.194.196]...89.24.32.111[100.111.170.80]
May 14 10:05:53 mvvk4-1 charon: 14[IKE] scheduling reauthentication in 3346s
May 14 10:05:53 mvvk4-1 charon: 14[IKE] maximum IKE_SA lifetime 3526s
May 14 10:05:53 mvvk4-1 charon: 14[IKE] CHILD_SA tunnel{126} established with SPIs c1db676c_i 09f7b444_o and TS 192.168.80.0/24 === 192.168.88.0/24
May 14 10:05:53 mvvk4-1 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
May 14 10:05:53 mvvk4-1 charon: 14[NET] sending packet: from 87.236.194.196[4500] to 89.24.32.111[61529] (220 bytes)
May 14 10:06:23 mvvk4-1 charon: 04[IKE] sending DPD request
May 14 10:06:23 mvvk4-1 charon: 04[ENC] generating INFORMATIONAL request 0 [ ]
May 14 10:06:23 mvvk4-1 charon: 04[NET] sending packet: from 87.236.194.196[4500] to 89.24.32.111[61529] (76 bytes)
Rekeying works without problems.
I would like to ask where the problem might be - on the Mikrotik side, on the server side, or with the NAT connection? Thank you.
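As an added example (not part of the original post), a small Python parser over charon log lines like those quoted above: it pairs each actively started reauthentication with the recorded failure reason and the peer's later re-establishment, and reports the outage in seconds so tunnel flaps caused by this behaviour can be monitored. The sample lines are constructed from the post's log, and the year is an assumption because syslog timestamps carry none.

```python
"""Flag failed strongSwan IKE_SA reauthentications and measure the outage
until the peer rebuilds the tunnel. Added example, not from the original post."""
import re
from datetime import datetime

# Constructed sample, abbreviated from the charon log quoted in the post.
SAMPLE_LOG = """\
May 14 10:05:50 mvvk4-1 charon: 05[IKE] initiator did not reauthenticate as requested
May 14 10:05:50 mvvk4-1 charon: 05[IKE] reauthenticating IKE_SA tunnel[137] actively
May 14 10:05:50 mvvk4-1 charon: 05[IKE] deleting IKE_SA tunnel[137] between 87.236.194.196[87.236.194.196]...89.24.32.111[100.111.170.80]
May 14 10:05:50 mvvk4-1 charon: 13[IKE] IKE_SA deleted
May 14 10:05:50 mvvk4-1 charon: 13[IKE] restarting CHILD_SA tunnel
May 14 10:05:50 mvvk4-1 charon: 13[IKE] unable to resolve %any, initiate aborted
May 14 10:05:50 mvvk4-1 charon: 13[IKE] reauthenticating IKE_SA failed
May 14 10:05:53 mvvk4-1 charon: 05[IKE] 89.24.32.111 is initiating an IKE_SA
May 14 10:05:53 mvvk4-1 charon: 14[IKE] IKE_SA tunnel[144] established between 87.236.194.196[87.236.194.196]...89.24.32.111[100.111.170.80]
"""

# syslog prefix, charon thread id and subsystem tag, then the free-text message
LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] (?P<msg>.*)$")
REAUTH_RE = re.compile(r"reauthenticating IKE_SA (?P<conn>\w+)\[(?P<id>\d+)\] actively")
ESTAB_RE = re.compile(r"IKE_SA (?P<conn>\w+)\[(?P<id>\d+)\] established")

def parse_ts(ts, year=1970):
    # syslog timestamps have no year; the caller supplies one (assumed here)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_failed_reauths(log):
    """Return one record per reauthentication that failed and was later
    healed by the peer initiating a fresh IKE_SA for the same conn."""
    events, pending = [], None
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m["ts"]), m["msg"]
        r = REAUTH_RE.search(msg)
        if r:  # server starts reauth itself: it will have to initiate
            pending = {"conn": r["conn"], "old_id": int(r["id"]), "started": ts,
                       "reason": None, "failed": False}
            continue
        if pending is None:
            continue
        if "unable to resolve %any" in msg:
            pending["reason"] = "server cannot initiate to a %any peer"
        elif msg == "reauthenticating IKE_SA failed":
            pending["failed"] = True
        elif (e := ESTAB_RE.search(msg)) and pending["failed"] and e["conn"] == pending["conn"]:
            pending["new_id"] = int(e["id"])
            pending["outage_s"] = (ts - pending["started"]).total_seconds()
            events.append(pending)
            pending = None
    return events
```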