IPSec隧道导致ping网关和其他机器时丢失大量数据包

tag-icon tag-icon networking linux-networking ipsec ubuntu-18.04 icmp
IPSec隧道导致ping网关和其他机器时丢失大量数据包

我的 Ubuntu 机器是 10.0.0.15,我的 Windows 机器是 10.0.0.10。将互联网流量路由到 LAN 的网关是 10.0.0.1。

当我从 Windows 机器 ping 网关时,一切都很好 - 我收到了每一个数据包。当我从 Windows 机器 ping Ubuntu 机器时也是如此。但是,当我从 Ubuntu 机器 ping 网关时,大约 80% 的数据包丢失了:

~# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=16 ttl=64 time=0.460 ms
64 bytes from 10.0.0.1: icmp_seq=29 ttl=64 time=0.464 ms
64 bytes from 10.0.0.1: icmp_seq=30 ttl=64 time=0.477 ms
64 bytes from 10.0.0.1: icmp_seq=77 ttl=64 time=0.498 ms
64 bytes from 10.0.0.1: icmp_seq=91 ttl=64 time=0.452 ms
64 bytes from 10.0.0.1: icmp_seq=92 ttl=64 time=0.690 ms
64 bytes from 10.0.0.1: icmp_seq=94 ttl=64 time=0.539 ms
64 bytes from 10.0.0.1: icmp_seq=95 ttl=64 time=0.445 ms
64 bytes from 10.0.0.1: icmp_seq=96 ttl=64 time=0.541 ms
64 bytes from 10.0.0.1: icmp_seq=98 ttl=64 time=0.474 ms
64 bytes from 10.0.0.1: icmp_seq=99 ttl=64 time=1.40 ms
64 bytes from 10.0.0.1: icmp_seq=103 ttl=64 time=0.577 ms
64 bytes from 10.0.0.1: icmp_seq=106 ttl=64 time=0.535 ms
64 bytes from 10.0.0.1: icmp_seq=107 ttl=64 time=0.490 ms
64 bytes from 10.0.0.1: icmp_seq=109 ttl=64 time=0.477 ms
64 bytes from 10.0.0.1: icmp_seq=110 ttl=64 time=0.627 ms
64 bytes from 10.0.0.1: icmp_seq=111 ttl=64 time=0.563 ms
64 bytes from 10.0.0.1: icmp_seq=114 ttl=64 time=0.467 ms
64 bytes from 10.0.0.1: icmp_seq=115 ttl=64 time=0.535 ms
64 bytes from 10.0.0.1: icmp_seq=137 ttl=64 time=0.479 ms
64 bytes from 10.0.0.1: icmp_seq=138 ttl=64 time=0.455 ms
64 bytes from 10.0.0.1: icmp_seq=142 ttl=64 time=0.548 ms
64 bytes from 10.0.0.1: icmp_seq=143 ttl=64 time=0.448 ms
64 bytes from 10.0.0.1: icmp_seq=144 ttl=64 time=0.470 ms
64 bytes from 10.0.0.1: icmp_seq=147 ttl=64 time=0.545 ms
64 bytes from 10.0.0.1: icmp_seq=149 ttl=64 time=0.557 ms
64 bytes from 10.0.0.1: icmp_seq=152 ttl=64 time=0.547 ms
64 bytes from 10.0.0.1: icmp_seq=153 ttl=64 time=0.476 ms
64 bytes from 10.0.0.1: icmp_seq=179 ttl=64 time=0.472 ms
64 bytes from 10.0.0.1: icmp_seq=180 ttl=64 time=0.854 ms
64 bytes from 10.0.0.1: icmp_seq=188 ttl=64 time=0.494 ms
64 bytes from 10.0.0.1: icmp_seq=190 ttl=64 time=0.556 ms
64 bytes from 10.0.0.1: icmp_seq=192 ttl=64 time=0.499 ms
64 bytes from 10.0.0.1: icmp_seq=193 ttl=64 time=0.482 ms
^C
--- 10.0.0.1 ping statistics ---
194 packets transmitted, 34 received, 82% packet loss, time 197372ms
rtt min/avg/max/mdev = 0.445/0.546/1.404/0.171 ms

当我 ping 互联网上的任何 IP 地址时(== 通过网关),也会发生同样的事情。但是,如果我 ping 局域网上的任何其他机器,则一切正常(例如 Windows 机器)。

情况并不总是如此。我最近配置了 IPSec 隧道,所以这可能是原因。但是,即使 IPSec 隧道停止,我仍然遇到同样的问题。

我检查了路线,它的表现并不像我预期的那样。

到 LAN 中另一台机器的跟踪路由看起来正常:

~# traceroute 10.0.0.7
traceroute to 10.0.0.7 (10.0.0.7), 64 hops max
  1   10.0.0.7  0.173ms  0.115ms  0.180ms

跟踪到网关的路由不是看起来很好(必须这样CTRL+C- 它卡得太久了):

~# traceroute 10.0.0.1
traceroute to 10.0.0.1 (10.0.0.1), 64 hops max
^C

路由表看起来不错:

~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.0.0.1        0.0.0.0         UG    100    0        0 enp5s0
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 enp5s0
10.0.0.1        0.0.0.0         255.255.255.255 UH    100    0        0 enp5s0

编辑: 我已经知道问题是由隧道引起的。当我禁用服务 ( sudo systemctl disable strongswan) 并重新启动计算机时,ping 可以正常工作。如果我手动启动隧道 ( ipsec start),ping 不起作用(以上述方式工作)。如果我停止隧道 ( ipsec stop),它仍然不会改变任何东西。我需要重新启动计算机来修复它。

我的 IPSec 配置是:

# ipsec.conf - strongSwan IPsec configuration file

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

conn my-tunnel
        type=tunnel
        keyexchange=ikev1
        authby=secret
        left=%defaultroute
        leftid=Y.Y.Y.Y
        leftsubnet=10.0.0.0/24
        right=X.X.X.X
        rightsubnet=192.168.0.0/24
        ike=aes256-sha1-modp2048!
        esp=aes256-sha1-modp2048!
        keyingtries=0
        ikelifetime=1h
        lifetime=8h
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        auto=start

您是否有什么建议我可以看看并可能修复该问题?

编辑2:(正如 Kevin K. 在评论中所要求的那样)

请记住,XXXX 是一个远程公共 IP 地址,我自己替换了它。

~# ip xfrm state
src 10.0.0.15 dst X.X.X.X
        proto esp spi 0xc44dd838 reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        mark 0x64/0xffffffff
        auth-trunc hmac(sha1) 0x951ac2ff6fadcd180b86e91ddf850c96f9e09ec2 96
        enc cbc(aes) 0x0b17feeeafb55e1693c1e1c3f8d59b3a1d2c5470e4fc7580b0887e0a8beb504d
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src X.X.X.X dst 10.0.0.15
        proto esp spi 0xc364db19 reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        auth-trunc hmac(sha1) 0x00b17673c57fac4957123718d046578689edb07a 96
        enc cbc(aes) 0xedd573110a33a7ac100372fa605514703b0f9954b33a3780dd97ee8e8ac32fe5
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000

~# ip xfrm policy
src 10.0.0.0/24 dst 192.168.0.0/24
        dir out priority 376959
        mark 0x64/0xffffffff
        tmpl src 10.0.0.15 dst X.X.X.X
                proto esp spi 0xc44dd838 reqid 1 mode tunnel
src 192.168.0.0/21 dst 10.0.0.0/24
        dir fwd priority 376959
        mark 0x64/0xffffffff
        tmpl src X.X.X.X dst 10.0.0.15
                proto esp reqid 1 mode tunnel
src 192.168.0.0/21 dst 10.0.0.0/24
        dir in priority 376959
        mark 0x64/0xffffffff
        tmpl src X.X.X.X dst 10.0.0.15
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0

我决定让 ping 运行一段时间。看起来我收到了一秒钟左右的响应,然后它又停止了。在下面的例子中,我每秒发送 10 个数据包(-i 0.1)。您可以通过查看 icmp_seq 参数来区分连续的数据包。

root@phenom:~# ping 10.0.0.1 -i 0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=656 ttl=64 time=0.572 ms
64 bytes from 10.0.0.1: icmp_seq=657 ttl=64 time=0.501 ms
64 bytes from 10.0.0.1: icmp_seq=658 ttl=64 time=0.518 ms
64 bytes from 10.0.0.1: icmp_seq=659 ttl=64 time=0.464 ms
64 bytes from 10.0.0.1: icmp_seq=660 ttl=64 time=0.491 ms
64 bytes from 10.0.0.1: icmp_seq=661 ttl=64 time=0.561 ms
64 bytes from 10.0.0.1: icmp_seq=662 ttl=64 time=0.571 ms
64 bytes from 10.0.0.1: icmp_seq=663 ttl=64 time=0.545 ms
64 bytes from 10.0.0.1: icmp_seq=664 ttl=64 time=0.584 ms
64 bytes from 10.0.0.1: icmp_seq=665 ttl=64 time=0.549 ms
64 bytes from 10.0.0.1: icmp_seq=666 ttl=64 time=0.564 ms
64 bytes from 10.0.0.1: icmp_seq=667 ttl=64 time=0.539 ms
64 bytes from 10.0.0.1: icmp_seq=668 ttl=64 time=0.587 ms
64 bytes from 10.0.0.1: icmp_seq=669 ttl=64 time=0.531 ms
64 bytes from 10.0.0.1: icmp_seq=670 ttl=64 time=0.832 ms
64 bytes from 10.0.0.1: icmp_seq=671 ttl=64 time=0.903 ms
64 bytes from 10.0.0.1: icmp_seq=747 ttl=64 time=0.511 ms
64 bytes from 10.0.0.1: icmp_seq=748 ttl=64 time=0.483 ms
64 bytes from 10.0.0.1: icmp_seq=749 ttl=64 time=0.472 ms
64 bytes from 10.0.0.1: icmp_seq=914 ttl=64 time=0.553 ms
64 bytes from 10.0.0.1: icmp_seq=915 ttl=64 time=0.568 ms
64 bytes from 10.0.0.1: icmp_seq=916 ttl=64 time=0.553 ms
64 bytes from 10.0.0.1: icmp_seq=917 ttl=64 time=0.589 ms
64 bytes from 10.0.0.1: icmp_seq=918 ttl=64 time=0.556 ms
64 bytes from 10.0.0.1: icmp_seq=919 ttl=64 time=0.573 ms
64 bytes from 10.0.0.1: icmp_seq=920 ttl=64 time=0.574 ms
64 bytes from 10.0.0.1: icmp_seq=921 ttl=64 time=0.556 ms
64 bytes from 10.0.0.1: icmp_seq=922 ttl=64 time=0.551 ms
64 bytes from 10.0.0.1: icmp_seq=923 ttl=64 time=0.607 ms
64 bytes from 10.0.0.1: icmp_seq=934 ttl=64 time=0.848 ms
64 bytes from 10.0.0.1: icmp_seq=935 ttl=64 time=0.555 ms
64 bytes from 10.0.0.1: icmp_seq=936 ttl=64 time=1.00 ms
64 bytes from 10.0.0.1: icmp_seq=937 ttl=64 time=0.586 ms
64 bytes from 10.0.0.1: icmp_seq=938 ttl=64 time=0.566 ms
64 bytes from 10.0.0.1: icmp_seq=939 ttl=64 time=0.495 ms
64 bytes from 10.0.0.1: icmp_seq=940 ttl=64 time=0.551 ms
64 bytes from 10.0.0.1: icmp_seq=941 ttl=64 time=0.456 ms
64 bytes from 10.0.0.1: icmp_seq=953 ttl=64 time=0.453 ms
64 bytes from 10.0.0.1: icmp_seq=954 ttl=64 time=0.478 ms
64 bytes from 10.0.0.1: icmp_seq=955 ttl=64 time=0.567 ms
64 bytes from 10.0.0.1: icmp_seq=956 ttl=64 time=0.585 ms
64 bytes from 10.0.0.1: icmp_seq=957 ttl=64 time=0.488 ms
64 bytes from 10.0.0.1: icmp_seq=958 ttl=64 time=0.586 ms
64 bytes from 10.0.0.1: icmp_seq=959 ttl=64 time=0.486 ms
64 bytes from 10.0.0.1: icmp_seq=960 ttl=64 time=0.543 ms
64 bytes from 10.0.0.1: icmp_seq=961 ttl=64 time=0.442 ms
64 bytes from 10.0.0.1: icmp_seq=962 ttl=64 time=0.443 ms
64 bytes from 10.0.0.1: icmp_seq=963 ttl=64 time=0.528 ms
64 bytes from 10.0.0.1: icmp_seq=964 ttl=64 time=0.475 ms
64 bytes from 10.0.0.1: icmp_seq=965 ttl=64 time=0.474 ms
64 bytes from 10.0.0.1: icmp_seq=966 ttl=64 time=0.839 ms
64 bytes from 10.0.0.1: icmp_seq=967 ttl=64 time=0.461 ms
64 bytes from 10.0.0.1: icmp_seq=968 ttl=64 time=0.474 ms
64 bytes from 10.0.0.1: icmp_seq=969 ttl=64 time=0.474 ms
64 bytes from 10.0.0.1: icmp_seq=970 ttl=64 time=0.547 ms
64 bytes from 10.0.0.1: icmp_seq=971 ttl=64 time=0.837 ms
64 bytes from 10.0.0.1: icmp_seq=972 ttl=64 time=18.6 ms
^C
--- 10.0.0.1 ping statistics ---
1174 packets transmitted, 57 received, 95% packet loss, time 121969ms
rtt min/avg/max/mdev = 0.442/0.883/18.628/2.374 ms

相关内容