Strongswan 一段时间后停止工作

tag-icon tag-icon vpn strongswan ikev2
Strongswan 一段时间后停止工作

我正在努力解决 strongswan IKEv2 VPN 的一个问题。我使用strongSwan U5.6.1/K3.10.0-862.el7.x86_64安装在 CentOS 7 上的 Linux 和一些客户端:Windows Server 2012 R2、Windows 10、Android。

连接已成功建立,当我使用 RDP 连接到远程网络中的主机时,一切正常,但过了一会儿,ping 数据包停止传递,RDP 重试重新连接。什么都不起作用。

VPN 连接看起来不错,没有明显问题,但我应该手动重新连接 VPN 连接以重新连接到远程主机。

我找不到问题出在哪里,我尝试了一些不同的设置,ipsec.conf但问题仍然存在。我一直在寻找类似的问题,但仍然没有找到任何东西。

大多数人无法连接或路由流量,但没有人写道,一切都正常,但在发送流量之后,发生了一些事情并且流量不再通过。

这是连接建立但无法正常工作后的状态:

systemctl status strongswan
 strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; vendor preset: disabled)
   Active: active (running) since Вт 2018-06-26 16:07:58 MSK; 20h ago
 Main PID: 18969 (starter)
   CGroup: /system.slice/strongswan.service
           ├─18969 /usr/libexec/strongswan/starter --daemon charon --nofork
           └─18979 /usr/libexec/strongswan/charon --debug-ike 1 --debug-knl 1 --debug-cfg 0

июн 27 12:09:02 ipsec charon[18979]: 07[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:09:22 ipsec charon[18979]: 09[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:09:42 ipsec charon[18979]: 07[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:10:02 ipsec charon[18979]: 14[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:10:22 ipsec charon[18979]: 11[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:10:42 ipsec charon[18979]: 06[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:11:02 ipsec charon[18979]: 05[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:11:22 ipsec charon[18979]: 07[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:11:42 ipsec charon[18979]: 11[IKE] sending keep alive to 192.168.0.1[4500]
июн 27 12:12:02 ipsec charon[18979]: 06[IKE] sending keep alive to 192.168.0.1[4500]

这是连接建立但无法正常工作后的日志:

ipsec strongswan: 06[IKE] sending DPD request
ipsec strongswan: 06[ENC] generating INFORMATIONAL request 2 [ ]
ipsec strongswan: 06[NET] sending packet: from 192.168.0.32[4500] to 192.168.0.1[4500] (88 bytes)
ipsec strongswan: 08[NET] received packet: from 192.168.0.1[4500] to 192.168.0.32[4500] (88 bytes)
ipsec strongswan: 08[ENC] parsed INFORMATIONAL response 2 [ ]
ipsec strongswan: 07[NET] received packet: from 192.168.0.1[4500] to 192.168.0.32[4500] (88 bytes)
ipsec strongswan: 07[ENC] parsed INFORMATIONAL request 4 [ D ]
ipsec strongswan: 07[IKE] received DELETE for ESP CHILD_SA with SPI 8d1ef9b8
ipsec strongswan: 07[IKE] closing CHILD_SA IPSec-IKEv2{10} with SPIs c63d643e_i (0 bytes) 8d1ef9b8_o (0 bytes) and TS 0.0.0.0/0 === 10.20.30.1/32
ipsec strongswan: 07[IKE] sending DELETE for ESP CHILD_SA with SPI c63d643e
ipsec strongswan: 07[IKE] CHILD_SA closed
ipsec strongswan: 07[ENC] generating INFORMATIONAL response 4 [ D ]
ipsec strongswan: 07[NET] sending packet: from 192.168.0.32[4500] to 192.168.0.1[4500] (88 bytes)
ipsec strongswan: 12[NET] received packet: from 192.168.0.1[4500] to 192.168.0.32[4500] (264 bytes)
ipsec strongswan: 12[ENC] parsed CREATE_CHILD_SA request 5 [ SA No TSi TSr ]
ipsec strongswan: 12[IKE] CHILD_SA IPSec-IKEv2{11} established with SPIs cb1601b9_i 3ada8b16_o and TS 0.0.0.0/0 === 10.20.30.1/32
ipsec strongswan: 12[ENC] generating CREATE_CHILD_SA response 5 [ SA No TSi TSr ]
ipsec strongswan: 12[NET] sending packet: from 192.168.0.32[4500] to 192.168.0.1[4500] (216 bytes)
    ipsec charon: 10[IKE] sending keep alive to 192.168.0.1[4500]
    ipsec charon: 07[IKE] sending keep alive to 192.168.0.1[4500]
    ipsec charon: 06[IKE] sending keep alive to 192.168.0.1[4500]
    ipsec charon: 12[IKE] sending keep alive to 192.168.0.1[4500]

这是一个 ipsec.conf:

# ipsec.conf - strongSwan IPsec configuration file
config setup
    charondebug="ike 1, knl 1, cfg 0"
conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024!
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256,aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.der
    right=%any
    rightdns=8.8.8.8,8.8.4.4
    rightsourceip=10.20.30.0/24
conn IPSec-IKEv2
    keyexchange=ikev2
    auto=add
conn IPSec-IKEv2-EAP
    also="IPSec-IKEv2"
    rightauth=eap-mschapv2
    rightauthby2=pubkey
    rightsendcert=never
    eap_identity=%any
conn CiscoIPSec
    keyexchange=ikev1
    forceencaps=yes
    authby=xauthrsasig
    xauth=server
    auto=add

相关内容