Thank you for helping me with my earlier Strongswan question; please allow me to ask for help once more. I have two networks connected to a Strongswan server through two Mikrotik routers. The first router reaches the Internet through a cable modem, the second through an LTE mobile network. The IPsec and IKEv2 configuration on both routers is identical (apart from the private network definitions).
Mikrotik routers:
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1h pfs-group=none
/ip ipsec peer add address=87.236.194.196/32 dh-group=modp1024 enc-algorithm=aes-256 exchange-mode=ike2 lifetime=8h secret=XYZ
/ip ipsec policy add dst-address=192.168.80.0/24 sa-dst-address=87.236.194.196 sa-src-address=0.0.0.0 src-address=192.168.XX.0/24 tunnel=yes
Strongswan server:
config setup
    charondebug="all"
    uniqueids=yes
    strictcrlpolicy=no
conn %default
    keyexchange=ikev2
conn tunnel
    reauth=no
    rightsendcert=never
    left=87.236.194.196
    leftsubnet=192.168.80.0/24
    right=%any
    rightsubnet=0.0.0.0/0
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    authby=secret
    auto=route
    type=tunnel
I am testing the reliability of these connections, so I switch the router on, wait until the connection is established, start pinging the router from the server, then switch the router off for a minute and switch it on again. With the router connected over the cable network it behaves the way I expect: from the moment I switch the router off it is unreachable, until the router is switched on and re-establishes the connection, and the pings resume a little over a minute later.
Here is the log from the server:
Jun 19 19:09:32 mvvk4-1 charon: 13[NET] received packet: from 89.102.219.9[4500] to 87.236.194.196[4500] (296 bytes)
Jun 19 19:09:32 mvvk4-1 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Jun 19 19:09:32 mvvk4-1 charon: 13[IKE] 89.102.219.9 is initiating an IKE_SA
Jun 19 19:09:32 mvvk4-1 charon: 13[IKE] remote host is behind NAT
Jun 19 19:09:32 mvvk4-1 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun 19 19:09:32 mvvk4-1 charon: 13[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (312 bytes)
Jun 19 19:09:32 mvvk4-1 charon: 15[NET] received packet: from 89.102.219.9[4500] to 87.236.194.196[4500] (300 bytes)
Jun 19 19:09:32 mvvk4-1 charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr ]
Jun 19 19:09:32 mvvk4-1 charon: 15[CFG] looking for peer configs matching 87.236.194.196[%any]...89.102.219.9[192.168.1.137]
Jun 19 19:09:32 mvvk4-1 charon: 15[CFG] selected peer config 'tunnel'
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] authentication of '192.168.1.137' with pre-shared key successful
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] authentication of '87.236.194.196' (myself) with pre-shared key
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] IKE_SA tunnel[42] established between 87.236.194.196[87.236.194.196]...89.102.219.9[192.168.1.137]
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] scheduling rekeying in 2962s
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] maximum IKE_SA lifetime 3502s
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] CHILD_SA tunnel{58} established with SPIs c394e689_i 037ac6e1_o and TS 192.168.80.0/24 === 192.168.88.0/24
Jun 19 19:09:32 mvvk4-1 charon: 15[CFG] sending RADIUS Accounting-Request to server 'local'
Jun 19 19:09:32 mvvk4-1 charon: 15[CFG] received RADIUS Accounting-Response from server 'local'
Jun 19 19:09:32 mvvk4-1 charon: 15[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Jun 19 19:09:32 mvvk4-1 charon: 15[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (204 bytes)
Jun 19 19:10:16 mvvk4-1 charon: 05[IKE] sending DPD request
Jun 19 19:10:16 mvvk4-1 charon: 05[ENC] generating INFORMATIONAL request 0 [ ]
Jun 19 19:10:16 mvvk4-1 charon: 05[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (76 bytes)
Jun 19 19:10:20 mvvk4-1 charon: 15[IKE] retransmit 1 of request with message ID 0
Jun 19 19:10:20 mvvk4-1 charon: 15[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (76 bytes)
Jun 19 19:10:27 mvvk4-1 charon: 10[IKE] retransmit 2 of request with message ID 0
Jun 19 19:10:27 mvvk4-1 charon: 10[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (76 bytes)
Jun 19 19:10:40 mvvk4-1 charon: 05[IKE] retransmit 3 of request with message ID 0
Jun 19 19:10:40 mvvk4-1 charon: 05[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (76 bytes)
Jun 19 19:10:50 mvvk4-1 charon: 08[NET] received packet: from 89.102.219.9[4500] to 87.236.194.196[4500] (296 bytes)
Jun 19 19:10:50 mvvk4-1 charon: 08[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Jun 19 19:10:50 mvvk4-1 charon: 08[IKE] 89.102.219.9 is initiating an IKE_SA
Jun 19 19:10:50 mvvk4-1 charon: 08[IKE] remote host is behind NAT
Jun 19 19:10:50 mvvk4-1 charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun 19 19:10:50 mvvk4-1 charon: 08[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (312 bytes)
Jun 19 19:10:50 mvvk4-1 charon: 14[NET] received packet: from 89.102.219.9[4500] to 87.236.194.196[4500] (300 bytes)
Jun 19 19:10:50 mvvk4-1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr ]
Jun 19 19:10:50 mvvk4-1 charon: 14[CFG] looking for peer configs matching 87.236.194.196[%any]...89.102.219.9[192.168.1.137]
Jun 19 19:10:50 mvvk4-1 charon: 14[CFG] selected peer config 'tunnel'
Jun 19 19:10:50 mvvk4-1 charon: 14[IKE] authentication of '192.168.1.137' with pre-shared key successful
Jun 19 19:10:50 mvvk4-1 charon: 14[IKE] destroying duplicate IKE_SA for peer '192.168.1.137', received INITIAL_CONTACT
Jun 19 19:10:50 mvvk4-1 charon: 14[CFG] sending RADIUS Accounting-Request to server 'local'
Jun 19 19:10:51 mvvk4-1 charon: 14[CFG] received RADIUS Accounting-Response from server 'local'
Jun 19 19:10:51 mvvk4-1 charon: 14[IKE] authentication of '87.236.194.196' (myself) with pre-shared key
Jun 19 19:10:51 mvvk4-1 charon: 14[IKE] IKE_SA tunnel[43] established between 87.236.194.196[87.236.194.196]...89.102.219.9[192.168.1.137]
Jun 19 19:10:51 mvvk4-1 charon: 14[IKE] scheduling rekeying in 2673s
Jun 19 19:10:51 mvvk4-1 charon: 14[IKE] maximum IKE_SA lifetime 3213s
Jun 19 19:10:51 mvvk4-1 charon: 14[IKE] CHILD_SA tunnel{59} established with SPIs c962c381_i 04c993a8_o and TS 192.168.80.0/24 === 192.168.88.0/24
Jun 19 19:10:51 mvvk4-1 charon: 14[CFG] sending RADIUS Accounting-Request to server 'local'
Jun 19 19:10:51 mvvk4-1 charon: 14[CFG] received RADIUS Accounting-Response from server 'local'
Jun 19 19:10:51 mvvk4-1 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Jun 19 19:10:51 mvvk4-1 charon: 14[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (204 bytes)
Jun 19 19:11:39 mvvk4-1 charon: 12[IKE] sending DPD request
Jun 19 19:11:39 mvvk4-1 charon: 12[ENC] generating INFORMATIONAL request 0 [ ]
Jun 19 19:11:39 mvvk4-1 charon: 12[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (76 bytes)
Jun 19 19:11:39 mvvk4-1 charon: 07[NET] received packet: from 89.102.219.9[4500] to 87.236.194.196[4500] (108 bytes)
Jun 19 19:11:39 mvvk4-1 charon: 07[ENC] parsed INFORMATIONAL response 0 [ ]
Jun 19 19:12:09 mvvk4-1 charon: 12[IKE] sending DPD request
When I do the same thing with the router connected over the LTE network, the situation is completely different.
Here is the log from about a minute after the router is switched on:
Jun 20 18:36:46 mvvk4-1 charon: 14[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Jun 20 18:36:46 mvvk4-1 charon: 14[IKE] 89.24.60.60 is initiating an IKE_SA
Jun 20 18:36:46 mvvk4-1 charon: 14[IKE] remote host is behind NAT
Jun 20 18:36:46 mvvk4-1 charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun 20 18:36:46 mvvk4-1 charon: 14[NET] sending packet: from 87.236.194.196[4500] to 89.24.60.60[38055] (312 bytes)
Jun 20 18:36:46 mvvk4-1 charon: 13[NET] received packet: from 89.24.60.60[38055] to 87.236.194.196[4500] (332 bytes)
Jun 20 18:36:46 mvvk4-1 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr ]
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] looking for peer configs matching 87.236.194.196[%any]...89.24.60.60[100.80.138.125]
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] selected peer config 'tunnel'
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] authentication of '100.80.138.125' with pre-shared key successful
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] authentication of '87.236.194.196' (myself) with pre-shared key
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] IKE_SA tunnel[75] established between 87.236.194.196[87.236.194.196]...89.24.60.60[100.80.138.125]
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] scheduling rekeying in 2874s
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] maximum IKE_SA lifetime 3414s
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 in (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 fwd (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 in (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 fwd (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] unable to install IPsec policies (SPD) in kernel
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.80.0/24 === 192.168.150.0/24 out failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 in failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 fwd failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.80.0/24 === 192.168.150.0/24 out failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 in failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 fwd failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] sending RADIUS Accounting-Request to server 'local'
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] received RADIUS Accounting-Response from server 'local'
Jun 20 18:36:46 mvvk4-1 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(TS_UNACCEPT) ]
Jun 20 18:36:46 mvvk4-1 charon: 13[NET] sending packet: from 87.236.194.196[4500] to 89.24.60.60[38055] (124 bytes)
Jun 20 18:36:51 mvvk4-1 charon: 10[NET] received packet: from 89.24.60.60[38055] to 87.236.194.196[4500] (252 bytes)
Jun 20 18:36:51 mvvk4-1 charon: 10[ENC] parsed CREATE_CHILD_SA request 2 [ No SA TSi TSr ]
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 in (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 fwd (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 in (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 fwd (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[IKE] unable to install IPsec policies (SPD) in kernel
Jun 20 18:36:51 mvvk4-1 charon: 10[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.80.0/24 === 192.168.150.0/24 out failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 in failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 fwd failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.80.0/24 === 192.168.150.0/24 out failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 in failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 fwd failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[ENC] generating CREATE_CHILD_SA response 2 [ N(TS_UNACCEPT) ]
Jun 20 18:36:51 mvvk4-1 charon: 10[NET] sending packet: from 87.236.194.196[4500] to 89.24.60.60[38055] (76 bytes)
Jun 20 18:36:56 mvvk4-1 charon: 06[NET] received packet: from 89.24.60.60[38055] to 87.236.194.196[4500] (268 bytes)
Jun 20 18:36:56 mvvk4-1 charon: 06[ENC] parsed CREATE_CHILD_SA request 3 [ No SA TSi TSr ]
Finally, after 5 retransmits, a new connection is established:
Jun 20 18:38:14 mvvk4-1 charon: 08[IKE] giving up after 5 retransmits
Jun 20 18:38:14 mvvk4-1 charon: 08[CFG] sending RADIUS Accounting-Request to server 'local'
Jun 20 18:38:14 mvvk4-1 charon: 08[CFG] received RADIUS Accounting-Response from server 'local'
Jun 20 18:38:17 mvvk4-1 charon: 09[NET] received packet: from 89.24.60.60[38055] to 87.236.194.196[4500] (252 bytes)
Jun 20 18:38:17 mvvk4-1 charon: 09[ENC] parsed CREATE_CHILD_SA request 19 [ No SA TSi TSr ]
Jun 20 18:38:17 mvvk4-1 charon: 09[IKE] CHILD_SA tunnel{71} established with SPIs c27e6319_i 04d17e54_o and TS 192.168.80.0/24 === 192.168.150.0/24
Jun 20 18:38:17 mvvk4-1 charon: 09[ENC] generating CREATE_CHILD_SA response 19 [ SA No TSi TSr ]
Jun 20 18:38:17 mvvk4-1 charon: 09[NET] sending packet: from 87.236.194.196[4500] to 89.24.60.60[38055] (204 bytes)
Jun 20 18:38:47 mvvk4-1 charon: 15[IKE] sending DPD request
Jun 20 18:38:47 mvvk4-1 charon: 15[ENC] generating INFORMATIONAL request 0 [ ]
Jun 20 18:38:47 mvvk4-1 charon: 15[NET] sending packet: from 87.236.194.196[4500] to 89.24.60.60[38055] (76 bytes)
Jun 20 18:38:47 mvvk4-1 charon: 16[NET] received packet: from 89.24.60.60[38055] to 87.236.194.196[4500] (92 bytes)
Jun 20 18:38:47 mvvk4-1 charon: 16[ENC] parsed INFORMATIONAL response 0 [ ]
But until this new connection is rekeyed for the first time, the router remains unreachable.
Can anyone help me solve this? Thanks in advance.
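To compare the two logs mechanically rather than by eye, here is an added example (not code from the original post): a small charon log analyser that, per IKE_SA, measures how long the CHILD_SA took to come up and records which stale kernel policy (reqid) blocked its installation. The sample lines are abridged from the two logs quoted in the question; the regular expressions match the charon message formats visible above and nothing else.

```python
"""Spot the stale-policy pattern in charon (strongSwan) logs.

Added example, not code from the original post. It parses charon log lines,
pairs each CHILD_SA with the newest IKE_SA of the same conn and reports the
delay between them, plus any 'the same policy for reqid N exists' conflicts.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[\w+\] (?P<msg>.*)$")
IKE_EST_RE = re.compile(
    r"IKE_SA (\S+)\[(\d+)\] established between \S+\.\.\.(\S+)\[([^\]]+)\]")
CHILD_EST_RE = re.compile(
    r"CHILD_SA (\S+)\{(\d+)\} established with SPIs (\w+)_i (\w+)_o and TS (\S+) === (\S+)")
POLICY_CONFLICT_RE = re.compile(
    r"unable to install policy \S+ === \S+ (?:out|in|fwd) .*for reqid (\d+), "
    r"the same policy for reqid (\d+) exists")
DUP_RE = re.compile(
    r"destroying duplicate IKE_SA for peer '([^']+)', received INITIAL_CONTACT")

# Abridged from the cable-modem test in the question.
CABLE_LOG = """\
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] IKE_SA tunnel[42] established between 87.236.194.196[87.236.194.196]...89.102.219.9[192.168.1.137]
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] CHILD_SA tunnel{58} established with SPIs c394e689_i 037ac6e1_o and TS 192.168.80.0/24 === 192.168.88.0/24
Jun 19 19:10:16 mvvk4-1 charon: 05[IKE] sending DPD request
Jun 19 19:10:40 mvvk4-1 charon: 05[IKE] retransmit 3 of request with message ID 0
Jun 19 19:10:50 mvvk4-1 charon: 14[IKE] destroying duplicate IKE_SA for peer '192.168.1.137', received INITIAL_CONTACT
Jun 19 19:10:51 mvvk4-1 charon: 14[IKE] IKE_SA tunnel[43] established between 87.236.194.196[87.236.194.196]...89.102.219.9[192.168.1.137]
Jun 19 19:10:51 mvvk4-1 charon: 14[IKE] CHILD_SA tunnel{59} established with SPIs c962c381_i 04c993a8_o and TS 192.168.80.0/24 === 192.168.88.0/24
"""
# Abridged from the LTE test in the question.
LTE_LOG = """\
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] IKE_SA tunnel[75] established between 87.236.194.196[87.236.194.196]...89.24.60.60[100.80.138.125]
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 20 18:38:17 mvvk4-1 charon: 09[IKE] CHILD_SA tunnel{71} established with SPIs c27e6319_i 04d17e54_o and TS 192.168.80.0/24 === 192.168.150.0/24
"""


def analyze(log_text):
    """Summarise IKE_SA/CHILD_SA events; labels look like 'tunnel[75]' / 'tunnel{71}'."""
    current_ike = {}          # conn name -> (label, timestamp) of its newest IKE_SA
    summary = {
        "ike_sas": [],        # IKE_SA labels in order of establishment
        "child_sas": {},      # CHILD_SA label -> (parent IKE_SA label, seconds after it)
        "stale_reqids": {},   # stale reqid -> reqids whose policies it blocked
        "duplicates": [],     # peer IDs whose old IKE_SA was replaced via INITIAL_CONTACT
        "child_failures": 0,  # count of 'failed to establish CHILD_SA' lines
    }
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        # syslog timestamps carry no year; same-day differences are all we need
        ts = datetime.strptime(re.sub(r" +", " ", m["ts"]), "%b %d %H:%M:%S")
        msg = m["msg"]
        if (e := IKE_EST_RE.search(msg)):
            conn, num, _host, _peer_id = e.groups()
            label = f"{conn}[{num}]"
            current_ike[conn] = (label, ts)
            summary["ike_sas"].append(label)
        elif (e := CHILD_EST_RE.search(msg)):
            conn, num = e.group(1), e.group(2)
            parent, parent_ts = current_ike.get(conn, (None, ts))
            delay = int((ts - parent_ts).total_seconds())
            summary["child_sas"][f"{conn}{{{num}}}"] = (parent, delay)
        elif (e := POLICY_CONFLICT_RE.search(msg)):
            new_reqid, stale = int(e.group(1)), int(e.group(2))
            blocked = summary["stale_reqids"].setdefault(stale, [])
            if new_reqid not in blocked:
                blocked.append(new_reqid)
        elif "failed to establish CHILD_SA" in msg:
            summary["child_failures"] += 1
        elif (e := DUP_RE.search(msg)):
            summary["duplicates"].append(e.group(1))
    return summary


def diagnose(summary):
    """Verdict: healthy when every CHILD_SA came up together with its IKE_SA."""
    slow = {k: v for k, v in summary["child_sas"].items() if v[1] > 0}
    if summary["stale_reqids"] and slow:
        stale = ", ".join(str(r) for r in summary["stale_reqids"])
        return f"stale kernel policy (reqid {stale}) delayed CHILD_SA setup: {slow}"
    return "CHILD_SAs were installed together with their IKE_SAs"


if __name__ == "__main__":
    for name, log in (("cable", CABLE_LOG), ("lte", LTE_LOG)):
        print(name, diagnose(analyze(log)))
```

Run against the two logs, the cable case reports a zero-second gap between `tunnel[43]` and `tunnel{59}` and a duplicate IKE_SA cleanly replaced via INITIAL_CONTACT, while the LTE case reports reqid 52 blocking reqids 53 and 54 and a 91-second gap before `tunnel{71}` finally comes up. That gap, not the IKE exchange itself, is the outage the question describes.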
Answer 1
So, on Jessie, I completely removed the Strongswan 5.2.1 package and installed Strongswan 5.6.3 from source with the default ./configure options. The problem described above is completely fixed.
Answer 2
ikelifetime (the IKE SA) must always be greater than lifetime (the IPsec SA).
Try setting lifetime lower than ikelifetime: ikelifetime=8h lifetime=1h
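A checker for the rule in this answer, as an added example (not code from the answer or from strongSwan): it parses an ipsec.conf fragment, folds `conn %default` into each conn, and flags any conn whose ikelifetime is not greater than its lifetime. It also reproduces the rekey arithmetic behind the charon lines "scheduling rekeying in Ns" and "maximum IKE_SA lifetime Ms", using ipsec.conf's documented defaults (margintime=9m, rekeyfuzz=100%): charon schedules the rekey at lifetime minus margintime minus a random share of margintime*rekeyfuzz, and the hard limit is that moment plus margintime. The embedded configuration is the one from the question, reduced to the keys the checker reads; the dpdtimeout finding reflects the ipsec.conf documentation, which describes that setting as IKEv1-only.

```python
"""Lifetime sanity check for strongSwan ipsec.conf (added example).

Not code from the answer above. Parses ipsec.conf text, resolves
'conn %default', flags ikelifetime <= lifetime and checks logged rekey
times against the configured ikelifetime.
"""
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

# The question's conn, reduced to the settings this checker reads.
ORIGINAL_CONF = """\
conn %default
    keyexchange=ikev2
conn tunnel
    reauth=no
    keyingtries=0
    ikelifetime=1h
    lifetime=8h
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
"""
# The same conn with the swap this answer recommends (ikelifetime=8h, lifetime=1h).
FIXED_CONF = re.sub(r"(?m)^([ \t]*)ikelifetime=1h$", r"\1ikelifetime=8h",
                    re.sub(r"(?m)^([ \t]*)lifetime=8h$", r"\1lifetime=1h", ORIGINAL_CONF))


def parse_duration(value):
    """'8h' -> 28800, '9m' -> 540, '3600' -> 3600 (strongSwan's s/m/h/d suffixes)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value.strip())
    if not m:
        raise ValueError(f"unsupported duration: {value!r}")
    return int(m.group(1)) * UNITS[m.group(2) or "s"]


def parse_ipsec_conf(text):
    """Return {conn name: {key: value}} with 'conn %default' merged into every conn."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"(conn|config|ca)\s+(\S+)", line)
        if m:
            current = sections.setdefault(f"{m.group(1)} {m.group(2)}", {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        current[key] = value
    default = sections.get("conn %default", {})
    return {name.split(None, 1)[1]: {**default, **opts}
            for name, opts in sections.items()
            if name.startswith("conn ") and name != "conn %default"}


def rekey_window(lifetime_s, margintime_s=540, rekeyfuzz=1.0):
    """(earliest, latest) rekey time charon can schedule for an SA of this lifetime."""
    latest = lifetime_s - margintime_s
    earliest = latest - int(margintime_s * rekeyfuzz)
    return earliest, latest


def check_logged_rekey(rekey_in_s, max_lifetime_s, ikelifetime_s, margintime_s=540):
    """True if a logged 'scheduling rekeying in N' / 'maximum IKE_SA lifetime M'
    pair is consistent with the given ikelifetime and margintime."""
    lo, hi = rekey_window(ikelifetime_s, margintime_s)
    return lo <= rekey_in_s <= hi and max_lifetime_s == rekey_in_s + margintime_s


def check_lifetimes(conn):
    """Findings for one resolved conn (empty list means nothing to report)."""
    findings = []
    ike = parse_duration(conn.get("ikelifetime", "3h"))    # ipsec.conf defaults
    child = parse_duration(conn.get("lifetime", "1h"))
    margin = parse_duration(conn.get("margintime", "9m"))
    if ike <= child:
        findings.append(f"ikelifetime={ike}s is not greater than lifetime={child}s; "
                        "raise ikelifetime above lifetime as the answer suggests")
    if child <= margin:
        findings.append(f"lifetime={child}s leaves no room for margintime={margin}s")
    if conn.get("keyexchange") == "ikev2" and "dpdtimeout" in conn:
        findings.append("dpdtimeout is IKEv1-only; under IKEv2 a missed DPD is handled "
                        "by charon's retransmission settings instead")
    return findings


def audit(text):
    """{conn name: findings} for every conn in an ipsec.conf text."""
    return {name: check_lifetimes(conn) for name, conn in parse_ipsec_conf(text).items()}


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(label, audit(conf))
    print("rekey window for ikelifetime=1h:", rekey_window(3600))
```

With ikelifetime=1h the window is 2520 to 3060 seconds, and the three values charon logged in the question (2962, 2673, 2874) all fall inside it, each with a maximum lifetime exactly 540 seconds later; the logs therefore confirm the server really is running with the 1h IKE lifetime that this answer says should be the larger of the two.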