I am struggling with a problem on a strongSwan IKEv2 VPN. I use strongSwan U5.6.1/K3.10.0-862.el7.x86_64
installed on CentOS 7 Linux and several clients: Windows Server 2012 R2, Windows 10, Android.
The connection is established successfully, and when I connect via RDP to a host in the remote network everything works, but after a while ping packets stop getting through and RDP keeps trying to reconnect. Nothing works.
The VPN connection looks fine, with no visible problems, but I have to reconnect the VPN manually to reach the remote host again.
I cannot find where the problem is; I have tried several different settings in ipsec.conf,
but the problem persists. I have been searching for similar problems but still have not found anything.
Most people cannot connect or route traffic at all, but nobody has written that everything works and then, after traffic has been flowing for a while, something happens and traffic no longer passes.
This is the status after the connection has been established and then stopped working:
systemctl status strongswan
strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
Active: active (running) since Вт 2018-06-26 16:07:58 MSK; 20h ago
Main PID: 18969 (starter)
CGroup: /system.slice/strongswan.service
├─18969 /usr/libexec/strongswan/starter --daemon charon --nofork
└─18979 /usr/libexec/strongswan/charon --debug-ike 1 --debug-knl 1 --debug-cfg 0
июн 27 12:09:02 ipsec charon[18979]: 07[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:09:22 ipsec charon[18979]: 09[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:09:42 ipsec charon[18979]: 07[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:10:02 ipsec charon[18979]: 14[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:10:22 ipsec charon[18979]: 11[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:10:42 ipsec charon[18979]: 06[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:11:02 ipsec charon[18979]: 05[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:11:22 ipsec charon[18979]: 07[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:11:42 ipsec charon[18979]: 11[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:12:02 ipsec charon[18979]: 06[IKE] sending keep alive to 192.168.0.1[4500]
This is the log after the connection has been established and then stopped working:
ipsec strongswan: 06[IKE] sending DPD request
ipsec strongswan: 06[ENC] generating INFORMATIONAL request 2 [ ]
ipsec strongswan: 06[NET] sending packet: from 192.168.0.32[4500] to 192.168.0.1[4500] (88 bytes)
ipsec strongswan: 08[NET] received packet: from 192.168.0.1[4500] to 192.168.0.32[4500] (88 bytes)
ipsec strongswan: 08[ENC] parsed INFORMATIONAL response 2 [ ]
ipsec strongswan: 07[NET] received packet: from 192.168.0.1[4500] to 192.168.0.32[4500] (88 bytes)
ipsec strongswan: 07[ENC] parsed INFORMATIONAL request 4 [ D ]
ipsec strongswan: 07[IKE] received DELETE for ESP CHILD_SA with SPI 8d1ef9b8
ipsec strongswan: 07[IKE] closing CHILD_SA IPSec-IKEv2{10} with SPIs c63d643e_i (0 bytes) 8d1ef9b8_o (0 bytes) and TS 0.0.0.0/0 === 10.20.30.1/32
ipsec strongswan: 07[IKE] sending DELETE for ESP CHILD_SA with SPI c63d643e
ipsec strongswan: 07[IKE] CHILD_SA closed
ipsec strongswan: 07[ENC] generating INFORMATIONAL response 4 [ D ]
ipsec strongswan: 07[NET] sending packet: from 192.168.0.32[4500] to 192.168.0.1[4500] (88 bytes)
ipsec strongswan: 12[NET] received packet: from 192.168.0.1[4500] to 192.168.0.32[4500] (264 bytes)
ipsec strongswan: 12[ENC] parsed CREATE_CHILD_SA request 5 [ SA No TSi TSr ]
ipsec strongswan: 12[IKE] CHILD_SA IPSec-IKEv2{11} established with SPIs cb1601b9_i 3ada8b16_o and TS 0.0.0.0/0 === 10.20.30.1/32
ipsec strongswan: 12[ENC] generating CREATE_CHILD_SA response 5 [ SA No TSi TSr ]
ipsec strongswan: 12[NET] sending packet: from 192.168.0.32[4500] to 192.168.0.1[4500] (216 bytes)
ipsec charon: 10[IKE] sending keep alive to 192.168.0.1[4500]
ipsec charon: 07[IKE] sending keep alive to 192.168.0.1[4500]
ipsec charon: 06[IKE] sending keep alive to 192.168.0.1[4500]
ipsec charon: 12[IKE] sending keep alive to 192.168.0.1[4500]
This is the ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="ike 1, knl 1, cfg 0"
conn %default
keyexchange=ikev2
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftsubnet=0.0.0.0/0
leftcert=vpnHostCert.der
right=%any
rightdns=8.8.8.8,8.8.4.4
rightsourceip=10.20.30.0/24
conn IPSec-IKEv2
keyexchange=ikev2
auto=add
conn IPSec-IKEv2-EAP
also="IPSec-IKEv2"
rightauth=eap-mschapv2
rightauthby2=pubkey
rightsendcert=never
eap_identity=%any
conn CiscoIPSec
keyexchange=ikev1
forceencaps=yes
authby=xauthrsasig
xauth=server
auto=add
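Added example (not part of the question): a small Python script that parses the CHILD_SA lifecycle lines from the charon log quoted above and reports which CHILD_SAs were torn down with zero bytes of traffic, which teardowns were initiated by the peer's DELETE, and which new CHILD_SA replaced a closed one with the same traffic selectors. SAMPLE_LOG is a constructed excerpt copying the SPIs and connection ids from the question's log.

```python
import re

# Constructed sample in the format of the charon log quoted in the question
# (SPIs and the IPSec-IKEv2{n} ids are copied from that log).
SAMPLE_LOG = """\
ipsec strongswan: 06[IKE] sending DPD request
ipsec strongswan: 07[IKE] received DELETE for ESP CHILD_SA with SPI 8d1ef9b8
ipsec strongswan: 07[IKE] closing CHILD_SA IPSec-IKEv2{10} with SPIs c63d643e_i (0 bytes) 8d1ef9b8_o (0 bytes) and TS 0.0.0.0/0 === 10.20.30.1/32
ipsec strongswan: 07[IKE] CHILD_SA closed
ipsec strongswan: 12[IKE] CHILD_SA IPSec-IKEv2{11} established with SPIs cb1601b9_i 3ada8b16_o and TS 0.0.0.0/0 === 10.20.30.1/32
"""

RX_DELETE = re.compile(r"received DELETE for ESP CHILD_SA with SPI ([0-9a-f]+)")
RX_CLOSE = re.compile(r"closing CHILD_SA (\S+)\{(\d+)\} with SPIs ([0-9a-f]+)_i "
                      r"\((\d+) bytes\) ([0-9a-f]+)_o \((\d+) bytes\) and TS (.+)$")
RX_ESTAB = re.compile(r"CHILD_SA (\S+)\{(\d+)\} established with SPIs ([0-9a-f]+)_i "
                      r"([0-9a-f]+)_o and TS (.+)$")

def parse_child_sa_events(text):
    """Return CHILD_SA lifecycle events (peer_delete / closing / established) in log order."""
    events = []
    for line in text.splitlines():
        if m := RX_DELETE.search(line):
            events.append({"kind": "peer_delete", "spi": m.group(1)})
        elif m := RX_CLOSE.search(line):
            conn, uid, spi_i, b_i, spi_o, b_o, ts = m.groups()
            events.append({"kind": "closing", "conn": conn, "id": int(uid),
                           "spi_i": spi_i, "spi_o": spi_o,
                           "bytes_i": int(b_i), "bytes_o": int(b_o), "ts": ts.strip()})
        elif m := RX_ESTAB.search(line):
            conn, uid, spi_i, spi_o, ts = m.groups()
            events.append({"kind": "established", "conn": conn, "id": int(uid),
                           "spi_i": spi_i, "spi_o": spi_o, "ts": ts.strip()})
    return events

def analyze(events):
    """Flag idle teardowns, peer-initiated deletes and replacements with identical TS."""
    # The peer's DELETE names its own inbound SPI, which is our outbound (_o) SPI.
    peer_deleted = {e["spi"] for e in events if e["kind"] == "peer_delete"}
    report = {"idle_closures": [], "peer_initiated": [], "replacements": []}
    last_closed = None
    for e in events:
        if e["kind"] == "closing":
            if e["bytes_i"] == 0 and e["bytes_o"] == 0:
                report["idle_closures"].append(e["id"])   # SA died without carrying data
            if e["spi_o"] in peer_deleted:
                report["peer_initiated"].append(e["id"])  # client, not this gateway, tore it down
            last_closed = e
        elif e["kind"] == "established":
            if last_closed and last_closed["ts"] == e["ts"]:
                report["replacements"].append((last_closed["id"], e["id"]))
            last_closed = None
    return report

if __name__ == "__main__":
    for key, value in analyze(parse_child_sa_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it against a longer charon log to see how often the client replaces the CHILD_SA and whether the replaced SAs ever carried traffic.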