I set up an IPsec tunnel between two machines, one of which (the initiator) has two interfaces (data0 and data1). The data0 interface has a metric of 100 and data1 a metric of 70, so when the connection is first created it uses data1, since its metric is better.
After the connection is established, I take down the IP on the data1 interface, and the connection should then be re-established over the data0 interface with a new CHILD_SA and a new virtual IP.
But that is not what happens. What actually happens is that the data0 interface tries to keep the first CHILD_SA alive and sends DPD requests indefinitely.
How can I close the CHILD_SA and create a new one that uses the data0 interface?
data0 - 10.3.219.27/16
data1 - 10.3.219.28/16
initiator's vti0 ip: 173.164.0.1
responder's vti0 ip: 192.168.169.1
The initiator's DPD and rekeying configuration:
version=1
keyingtries=0
aggressive=no
dpd_delay=10
dpd_timeout=50
policies=yes
dpd_action=restart
close_action=start
Journalctl log paste: https://pastecode.xyz/view/3f89dfdd
ipsec statusall before I shut down the interface:
Listening IP addresses:
10.3.219.27
10.3.219.28
173.164.0.1
Connections:
conn-vti0: 0.0.0.0...94.26.49.38 IKEv1, dpddelay=10s
conn-vti0: local: [tve53] uses pre-shared key authentication
conn-vti0: local: [loc-2] uses XAuth authentication: any with XAuth identity 'config4'
conn-vti0: remote: [fortinetconfig4] uses pre-shared key authentication
ch_vti0: child: dynamic === 192.168.169.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
conn-vti0[80]: ESTABLISHED 15 minutes ago, 10.3.219.28[tve53]...94.26.49.38[fortinetconfig4]
conn-vti0[80]: IKEv1 SPIs: ac8dfb7c5f24676a_i* 1fc2d2d23231b5ed_r, rekeying in 3 hours
conn-vti0[80]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
ch_vti0{51}: INSTALLED, TUNNEL, reqid 32, ESP in UDP SPIs: c44c6569_i bda13b22_o
ch_vti0{51}: AES_CBC_128/HMAC_SHA2_256_128/ECP_384_BP, 4276555 bytes_i (9500 pkts, 0s ago), 1913489 bytes_o (8751 pkts, 0s ago), rekeying in 39 minutes
ch_vti0{51}: 173.164.0.1/32 === 192.168.169.0/24
ipsec statusall after I did so:
Listening IP addresses:
10.3.219.27
173.164.0.1
Connections:
conn-vti0: 0.0.0.0...94.26.49.38 IKEv1, dpddelay=10s
conn-vti0: local: [tve53] uses pre-shared key authentication
conn-vti0: local: [loc-2] uses XAuth authentication: any with XAuth identity 'config4'
conn-vti0: remote: [fortinetconfig4] uses pre-shared key authentication
ch_vti0: child: dynamic === 192.168.169.0/24 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
conn-vti0[81]: ESTABLISHED 8 seconds ago, 10.3.219.27[tve53]...94.26.49.38[fortinetconfig4]
conn-vti0[81]: IKEv1 SPIs: 8425e35cef48f8b5_i* 490188becb87d6ad_r, rekeying in 3 hours
conn-vti0[81]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
ch_vti0{51}: INSTALLED, TUNNEL, reqid 32, ESP in UDP SPIs: c44c6569_i bda13b22_o
ch_vti0{51}: AES_CBC_128/HMAC_SHA2_256_128/ECP_384_BP, 7958755 bytes_i (17317 pkts, 9s ago), 3480780 bytes_o (15870 pkts, 9s ago), rekeying in 24 minutes
ch_vti0{51}: 173.164.0.1/32 === 192.168.169.0/24
conn-vti0[80]: REKEYING, 10.3.219.27[tve53]...94.26.49.38[fortinetconfig4]
conn-vti0[80]: IKEv1 SPIs: ac8dfb7c5f24676a_i* 1fc2d2d23231b5ed_r
conn-vti0[80]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
Answer 1
When you want failover between WAN connections, you need to configure correct metrics/priorities for the interfaces and then switch manually, or implement automatic switching based on ping/HTTP connectivity checks... but you also need suitable static routes.
When interface data1 fails, both the IPv4 and IPv6 IPs must be switched/updated:
ip a (newer tool)
ifconfig -a (older tool)
and the routes also need to change so that traffic uses data0. Check:
ip r (using newer ip tool)
route -n (older command)
Specifically, check whether any IPs remain, e.g. an IPv6 IP, even though the IPv4 IP is already gone.
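As an added example (not part of the question or answer above), the following script automates the checks the answer suggests: it parses `ip -o addr show` output for addresses still bound to the failed interface (IPv4 or IPv6) and `ip route get` output for the device the kernel would use to reach the peer 94.26.49.38. Interface names, the sample command output and the `--live` switch are assumptions for illustration.

```shell
#!/bin/sh
# Added example: verify that failover from data1 to data0 is clean before
# expecting strongSwan to bring up a new IKE_SA/CHILD_SA over data0.
# The parsing functions take command output as arguments so they can be
# run on the constructed samples below; with --live they use real `ip` output.

PEER=94.26.49.38        # responder address from the question
FAILED_IF=data1         # interface that was taken down
WANTED_IF=data0         # interface the new SAs should use

# leftover_addrs IFACE "output of: ip -o addr show"
# Prints every inet/inet6 address still bound to IFACE, one per line.
leftover_addrs() {
    printf '%s\n' "$2" | awk -v dev="$1" \
        '$2 == dev && ($3 == "inet" || $3 == "inet6") { print $4 }'
}

# route_dev "output of: ip route get PEER"
# Prints the outgoing device the kernel selected for the peer.
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++)
        if ($i == "dev") { print $(i + 1); exit } }'
}

# check_failover IFACE_DOWN IFACE_UP "addr output" "route output"
# Returns 0 when no address is left on IFACE_DOWN and the peer is routed
# via IFACE_UP; otherwise prints what is wrong and returns 1.
check_failover() {
    rc=0
    left=$(leftover_addrs "$1" "$3")
    if [ -n "$left" ]; then
        echo "addresses still bound to $1:"; echo "$left"; rc=1
    fi
    dev=$(route_dev "$4")
    if [ "$dev" != "$2" ]; then
        echo "route to $PEER uses '$dev', expected $2"; rc=1
    fi
    return $rc
}

# Constructed sample: IPv4 was removed from data1 but a link-local IPv6
# remains, and the kernel still routes the peer via data1 (both are faults).
SAMPLE_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: data0    inet 10.3.219.27/16 brd 10.3.255.255 scope global data0
3: data1    inet6 fe80::1/64 scope link
4: vti0    inet 173.164.0.1/32 scope global vti0'
SAMPLE_ROUTE='94.26.49.38 via 10.3.0.1 dev data1 src 10.3.219.27 uid 0'

if [ "${1:-}" = "--live" ]; then
    check_failover "$FAILED_IF" "$WANTED_IF" "$(ip -o addr show)" "$(ip route get "$PEER")"
else
    check_failover "$FAILED_IF" "$WANTED_IF" "$SAMPLE_ADDR" "$SAMPLE_ROUTE" || true
fi
```

Run it with `--live` on the initiator after shutting down data1; a non-zero exit means the kernel state still references data1, which matches the behaviour described in the question.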