Recently my VPN setup has been showing some rather odd problems. Some clients cannot connect for long periods. Then it works for a while, until it stops connecting again. All systems involved (initiators and responder) are Debian buster and up to date. The same strongswan packages are installed (libcharon-extra-plugins strongswan-charon strongswan-starter libstrongswan-extra-plugins). Same configuration (username and IP obviously differ). Most initiators are VMs on the same host. Same network configuration. Some show this problem, some do not. Once a client has the problem, it stays that way. Most clients have been running for months without any problems.
Another problem may or may not be related. In my setup the initiators are able to reach each other through the VPN. This works for most initiators, but some cannot reach their peers, and their peers cannot reach them either. Again, once a client has this problem, it persists.
The responder shows a load of 0.00 and 800 MB of 2 GB free.
My configuration:
Responder:
root@ipsec-1:/home/karsten# cat /etc/ipsec.conf
config setup
charondebug="ike 0, knl 0, cfg 0"
conn GoogleCloud
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
eap_identity=%identity
left=%any
[email protected]
leftcert=fullchain.pem
leftsendcert=always
leftsubnet=172.31.0.2/24
rightdns=172.31.0.1
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=%config
rightsendcert=never
auto=add
Initiator:
root@ROUTER:/home/karsten# cat /etc/ipsec.conf
config setup
charondebug="ike 0, knl 0, cfg 0"
conn routerhome
dpdaction=clear
dpddelay=300s
fragmentation=yes
type=tunnel
keyexchange=ikev2
eap_identity=routerhome
left=%defaultroute
leftsourceip=172.31.0.151
leftauth=eap-mschapv2
rightauth=pubkey
right=35.xxx.xxx.xx
rightsubnet=172.31.0.0/24
rightid=%any
auto=route
eap_identity and leftsourceip differ on the other initiators.
root@ipsec-1:/home/karsten# ipsec status
Security Associations (16 up, 0 connecting):
Syslog on a client with the problem:
Jun 5 19:20:01 Openxpki CRON[8343]: (root) CMD ( ping -c 5 172.31.0.1 > /dev/null)
Jun 5 19:20:32 Openxpki charon: 14[JOB] CHILD_SA ESP/0xce0decda/192.168.1.251 not found for delete
Jun 5 19:20:32 Openxpki charon: 11[IKE] initiating IKE_SA openxpki[48] to 35.xxx
Jun 5 19:20:32 Openxpki charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 5 19:20:32 Openxpki charon: 11[NET] sending packet: from 192.168.1.251[500] to xxx[500] (1080 bytes)
Jun 5 19:20:32 Openxpki charon: 16[NET] received packet: from 35.xxx[500] to 192.168.1.251[500] (272 bytes)
Jun 5 19:20:32 Openxpki charon: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jun 5 19:20:32 Openxpki charon: 16[IKE] establishing CHILD_SA openxpki{145}
Jun 5 19:20:32 Openxpki charon: 16[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jun 5 19:20:32 Openxpki charon: 16[NET] sending packet: from 192.168.1.251[4500] to 35.xxx[4500] (368 bytes)
Jun 5 19:20:36 Openxpki charon: 05[NET] sending packet: from 192.168.1.251[4500] to 35.xxx[4500] (368 bytes)
Jun 5 19:20:43 Openxpki charon: 07[NET] sending packet: from 192.168.1.251[4500] to 35.xxx[4500] (368 bytes)
Jun 5 19:20:56 Openxpki charon: 13[NET] sending packet: from 192.168.1.251[4500] to 35.xxx[4500] (368 bytes)
Jun 5 19:21:20 Openxpki charon: 02[NET] sending packet: from 192.168.1.251[4500] to 35.xxx[4500] (368 bytes)
Any ideas?
Update: today ipsec on the Openxpki initiator works. The connection is established and the VPN peers are reachable.
The problem is now on the Proxmox host. The IPsec connection is established, but the peers cannot be reached. The host itself cannot connect to the other peers either, i.e. via the VPN. Using the local IPs there is no problem.
root@P-T1650:/home/karsten# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 5.4.41-1-pve, x86_64):
uptime: 58 minutes, since Jun 08 02:28:42 2020
malloc: sbrk 3080192, mmap 0, used 1131120, free 1949072
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
192.168.1.147
2a01:c22:3434:9900:92b1:1cff:fe9c:82a0
2a01:c23:5c09:1100:92b1:1cff:fe9c:82a0
Connections:
athome: %any...35.xxx IKEv2, dpddelay=300s
athome: local: uses EAP_MSCHAPV2 authentication with EAP identity 'proxmoxhome'
athome: remote: uses public key authentication
athome: child: dynamic === 172.31.0.0/24 TUNNEL, dpdaction=clear
Routed Connections:
athome{1}: ROUTED, TUNNEL, reqid 1
athome{1}: 192.168.1.147/32 === 172.31.0.0/24
Security Associations (1 up, 0 connecting):
athome[1]: ESTABLISHED 58 minutes ago, 192.168.1.147[192.168.1.147]...35.xxx[ipsec.xxx]
athome[1]: IKEv2 SPIs: dfdcf7762d70554a_i* e8fb6db55242bdb8_r, EAP reauthentication in 103 minutes
athome[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
athome{3}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c09f2550_i cfc03b8d_o
athome{3}: AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 24164 bytes_o (243 pkts, 5s ago), rekeying in 28 minutes
athome{3}: 172.31.0.150/32 === 172.31.0.0/24
root@P-T1650:/home/karsten# ip route list table 220
172.31.0.0/24 via 192.168.1.1 dev vmbr0 proto static src 172.31.0.150
Problems like this come up from time to time. Restarting ipsec does not resolve them either.
The wazuh agent sends its logs to the wazuh server via the VPN. Now it cannot:
root@P-T1650:/home/karsten# tail -f /var/ossec/logs/ossec.log
2020/06/08 03:34:09 ossec-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: '172.31.0.164'.
2020/06/08 03:34:20 ossec-agentd: INFO: Trying to connect to server (172.31.0.164:1514/udp).
2020/06/08 03:34:41 ossec-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: '172.31.0.164'.
2020/06/08 03:34:52 ossec-agentd: INFO: Trying to connect to server (172.31.0.164:1514/udp).
When the ipsec service is stopped it looks like this:
2020/06/08 03:34:58 ossec-agentd: ERROR: (1218): Unable to send message to 'server': Network is unreachable
2020/06/08 03:35:03 ossec-agentd: ERROR: (1218): Unable to send message to 'server': Network is unreachable
2020/06/08 03:35:09 ossec-agentd: ERROR: (1218): Unable to send message to 'server': Network is unreachable
2020/06/08 03:35:16 ossec-agentd: ERROR: (1218): Unable to send message to 'server': Network is unreachable
Starting ipsec with charondebug="ike 2, knl 2, cfg 2":
Jun 8 03:44:06 P-T1650 systemd[1]: Stopped strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Jun 8 03:44:19 P-T1650 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Jun 8 03:44:19 P-T1650 ipsec[9539]: Starting strongSwan 5.7.2 IPsec [starter]...
Jun 8 03:44:19 P-T1650 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 5.4.41-1-pve, x86_64)
Jun 8 03:44:20 P-T1650 charon: 00[CFG] PKCS11 module '<name>' lacks library path
Jun 8 03:44:20 P-T1650 charon: 00[KNL] known interfaces and IP addresses:
Jun 8 03:44:20 P-T1650 charon: 00[KNL] lo
Jun 8 03:44:20 P-T1650 charon: 00[KNL] 127.0.0.1
Jun 8 03:44:20 P-T1650 charon: 00[KNL] ::1
Jun 8 03:44:20 P-T1650 charon: 00[KNL] eno1
Jun 8 03:44:20 P-T1650 charon: 00[KNL] vmbr0
Jun 8 03:44:20 P-T1650 charon: 00[KNL] 192.168.1.147
Jun 8 03:44:20 P-T1650 charon: 00[KNL] 2a01:c22:3434:9900:92b1:1cff:fe9c:82a0
Jun 8 03:44:20 P-T1650 charon: 00[KNL] fe80::92b1:1cff:fe9c:82a0
Jun 8 03:44:20 P-T1650 charon: 00[KNL] vmbr1
Jun 8 03:44:20 P-T1650 charon: 00[KNL] fe80::8c04:b8ff:feb5:c59f
Jun 8 03:44:20 P-T1650 charon: 00[KNL] tap104i0
.
.
.
Jun 8 03:44:20 P-T1650 charon: 00[JOB] spawning 16 worker threads
Jun 8 03:44:20 P-T1650 ipsec[9539]: charon (9565) started after 20 ms
Jun 8 03:44:20 P-T1650 charon: 05[CFG] received stroke: add connection 'athome'
Jun 8 03:44:20 P-T1650 charon: 05[CFG] conn athome
Jun 8 03:44:20 P-T1650 charon: 05[CFG] left=%any
Jun 8 03:44:20 P-T1650 charon: 05[CFG] leftsourceip=172.31.0.150
Jun 8 03:44:20 P-T1650 charon: 05[CFG] leftauth=eap-mschapv2
Jun 8 03:44:20 P-T1650 charon: 05[CFG] right=35.238.244.88
Jun 8 03:44:20 P-T1650 charon: 05[CFG] rightsubnet=172.31.0.0/24
Jun 8 03:44:20 P-T1650 charon: 05[CFG] rightauth=pubkey
Jun 8 03:44:20 P-T1650 charon: 05[CFG] rightid=%any
Jun 8 03:44:20 P-T1650 charon: 05[CFG] eap_identity=proxmoxhome
Jun 8 03:44:20 P-T1650 charon: 05[CFG] dpddelay=300
Jun 8 03:44:20 P-T1650 charon: 05[CFG] dpdtimeout=150
Jun 8 03:44:20 P-T1650 charon: 05[CFG] dpdaction=1
Jun 8 03:44:20 P-T1650 charon: 05[CFG] sha256_96=no
Jun 8 03:44:20 P-T1650 charon: 05[CFG] mediation=no
Jun 8 03:44:20 P-T1650 charon: 05[CFG] keyexchange=ikev2
Jun 8 03:44:20 P-T1650 ipsec[9539]: 'athome' routed
Jun 8 03:44:20 P-T1650 charon: 05[KNL] 35.xxx is not a local address or the interface is down
Jun 8 03:44:20 P-T1650 charon: 05[CFG] added configuration 'athome'
Jun 8 03:44:20 P-T1650 charon: 08[CFG] received stroke: route 'athome'
Jun 8 03:44:20 P-T1650 charon: 08[KNL] using 192.168.1.147 as address to reach 35.238.244.88/32
Jun 8 03:44:20 P-T1650 charon: 08[CFG] configured proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Jun 8 03:44:20 P-T1650 charon: 08[KNL] adding policy 172.31.0.0/24 === 192.168.1.147/32 in [priority 371328, refcount 1]
Jun 8 03:44:20 P-T1650 charon: 08[KNL] adding policy 172.31.0.0/24 === 192.168.1.147/32 fwd [priority 371328, refcount 1]
Jun 8 03:44:20 P-T1650 charon: 08[KNL] adding policy 192.168.1.147/32 === 172.31.0.0/24 out [priority 371328, refcount 1]
Jun 8 03:44:20 P-T1650 charon: 08[KNL] getting a local address in traffic selector 192.168.1.147/32
Jun 8 03:44:20 P-T1650 charon: 08[KNL] using host 192.168.1.147
Jun 8 03:44:20 P-T1650 charon: 08[KNL] getting iface name for index 3
Jun 8 03:44:20 P-T1650 charon: 08[KNL] using 192.168.1.1 as nexthop and vmbr0 as dev to reach 35.238.244.88/32
Jun 8 03:44:20 P-T1650 charon: 08[KNL] installing route: 172.31.0.0/24 via 192.168.1.1 src 192.168.1.147 dev vmbr0
Jun 8 03:44:20 P-T1650 charon: 08[KNL] getting iface index for vmbr0
Jun 8 03:44:30 P-T1650 charon: 10[KNL] received a XFRM_MSG_ACQUIRE
Jun 8 03:44:30 P-T1650 charon: 10[KNL] XFRMA_TMPL
Jun 8 03:44:30 P-T1650 charon: 10[KNL] creating acquire job for policy 192.168.1.147/32[udp/34832] === 172.31.0.1/32[udp/1025] with reqid {1}
Jun 8 03:44:30 P-T1650 ipsec[9539]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 5.4.41-1-pve, x86_64)
Jun 8 03:44:30 P-T1650 ipsec[9539]: 00[CFG] PKCS11 module '<name>' lacks library path
Jun 8 03:44:30 P-T1650 ipsec[9539]: 00[KNL] known interfaces and IP addresses:
Jun 8 03:44:30 P-T1650 ipsec[9539]: 00[KNL] lo
Jun 8 03:44:30 P-T1650 ipsec[9539]: 00[KNL] 127.0.0.1
Jun 8 03:44:30 P-T1650 ipsec[9539]: 00[KNL] ::1
Jun 8 03:44:30 P-T1650 ipsec[9539]: 00[KNL] eno1
Jun 8 03:44:30 P-T1650 ipsec[9539]: 00[KNL] vmbr0
Jun 8 03:44:30 P-T1650 ipsec[9539]: 00[KNL] 192.168.1.147
Jun 8 03:44:30 P-T1650 ipsec[9539]: 00[KNL] 2a01:c22:3434:9900:92b1:1cff:fe9c:82a0
Jun 8 03:44:30 P-T1650 ipsec[9539]: 00[KNL] fe80::92b1:1cff:fe9c:82a0
Jun 8 03:44:30 P-T1650 ipsec[9539]: 00[KNL] vmbr1
Jun 8 03:44:30 P-T1650 ipsec[9539]: 00[KNL] fe80::8c04:b8ff:feb5:c59f
Jun 8 03:44:30 P-T1650 ipsec[9539]: 00[KNL] tap104i0
.
.
.
Jun 8 03:44:30 P-T1650 charon: 11[IKE] IKE_SA athome[1] state change: CREATED => CONNECTING
.
.
.
Jun 8 03:44:30 P-T1650 charon: 11[CFG] sending supported signature hash algorithms: sha256 sha384 sha512 identity
Jun 8 03:44:30 P-T1650 charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 8 03:44:30 P-T1650 charon: 11[NET] sending packet: from 192.168.1.147[500] to 35.xxx[500] (1080 bytes)
Jun 8 03:44:30 P-T1650 charon: 12[NET] received packet: from 35.xxx[500] to 192.168.1.147[500] (272 bytes)
Jun 8 03:44:30 P-T1650 charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jun 8 03:44:30 P-T1650 charon: 12[IKE] received FRAGMENTATION_SUPPORTED notify
Jun 8 03:44:30 P-T1650 charon: 12[IKE] received SIGNATURE_HASH_ALGORITHMS notify
Jun 8 03:44:30 P-T1650 ipsec[9539]: 11[KNL] using 192.168.1.147 as address to reach 35.238.244.88/32
.
.
.
Jun 8 03:44:30 P-T1650 charon: 12[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
Jun 8 03:44:30 P-T1650 charon: 12[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Jun 8 03:44:30 P-T1650 charon: 12[IKE] local host is behind NAT, sending keep alives
Jun 8 03:44:30 P-T1650 charon: 12[IKE] remote host is behind NAT
Jun 8 03:44:30 P-T1650 charon: 12[IKE] reinitiating already active tasks
Jun 8 03:44:30 P-T1650 charon: 12[IKE] IKE_CERT_PRE task
Jun 8 03:44:30 P-T1650 charon: 12[IKE] IKE_AUTH task
Jun 8 03:44:30 P-T1650 charon: 12[IKE] sending cert request for "O=Digital Signature Trust Co., CN=DST Root CA X3"
Jun 8 03:44:30 P-T1650 charon: 12[CFG] no IDi configured, fall back on IP address
Jun 8 03:44:30 P-T1650 charon: 12[IKE] building INTERNAL_IP4_DNS attribute
Jun 8 03:44:30 P-T1650 charon: 12[CFG] proposing traffic selectors for us:
Jun 8 03:44:30 P-T1650 charon: 12[CFG] 0.0.0.0/0
Jun 8 03:44:30 P-T1650 charon: 12[CFG] proposing traffic selectors for other:
Jun 8 03:44:30 P-T1650 charon: 12[CFG] 172.31.0.0/24
Jun 8 03:44:30 P-T1650 charon: 12[CFG] configured proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Jun 8 03:44:30 P-T1650 charon: 12[IKE] establishing CHILD_SA athome{2} reqid 1
Jun 8 03:44:30 P-T1650 charon: 12[KNL] got SPI c2cc1356
Jun 8 03:44:30 P-T1650 charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jun 8 03:44:30 P-T1650 charon: 12[NET] sending packet: from 192.168.1.147[4500] to 35.xxx[4500] (368 bytes)
Jun 8 03:44:30 P-T1650 charon: 13[NET] received packet: from 35.xxx[4500] to 192.168.1.147[4500] (1236 bytes)
Jun 8 03:44:30 P-T1650 charon: 13[ENC] parsed IKE_AUTH response 1 [ EF(1/3) ]
Jun 8 03:44:30 P-T1650 charon: 13[ENC] received fragment #1 of 3, waiting for complete IKE message
Jun 8 03:44:30 P-T1650 charon: 15[NET] received packet: from 35.xxx[4500] to 192.168.1.147[4500] (1236 bytes)
Jun 8 03:44:30 P-T1650 charon: 15[ENC] parsed IKE_AUTH response 1 [ EF(2/3) ]
Jun 8 03:44:30 P-T1650 charon: 15[ENC] received fragment #2 of 3, waiting for complete IKE message
Jun 8 03:44:30 P-T1650 charon: 14[NET] received packet: from 35.xxx[4500] to 192.168.1.147[4500] (644 bytes)
Jun 8 03:44:30 P-T1650 charon: 14[ENC] parsed IKE_AUTH response 1 [ EF(3/3) ]
Jun 8 03:44:30 P-T1650 charon: 14[ENC] received fragment #3 of 3, reassembled fragmented IKE message (2976 bytes)
Jun 8 03:44:30 P-T1650 charon: 14[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Jun 8 03:44:30 P-T1650 charon: 14[IKE] received end entity cert "CN=ipsec.xxx"
Jun 8 03:44:30 P-T1650 charon: 14[IKE] received issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
.
.
.
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[CFG] selecting traffic selectors for us:
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[CFG] config: 172.31.0.150/32, received: 172.31.0.150/32 => match: 172.31.0.150/32
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[CFG] selecting traffic selectors for other:
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[CFG] config: 172.31.0.0/24, received: 172.31.0.0/24 => match: 172.31.0.0/24
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] adding SAD entry with SPI c2cc1356 and reqid {1}
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] using encryption algorithm AES_CBC with key size 128
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] using integrity algorithm HMAC_SHA2_256_128 with key size 256
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] using replay window of 32 packets
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] HW offload: no
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] adding SAD entry with SPI cc78d74c and reqid {1}
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] using encryption algorithm AES_CBC with key size 128
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] using integrity algorithm HMAC_SHA2_256_128 with key size 256
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] using replay window of 0 packets
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] HW offload: no
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] adding policy 172.31.0.0/24 === 172.31.0.150/32 in [priority 371327, refcount 1]
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] adding policy 172.31.0.0/24 === 172.31.0.150/32 fwd [priority 371327, refcount 1]
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] adding policy 172.31.0.150/32 === 172.31.0.0/24 out [priority 371327, refcount 1]
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] getting a local address in traffic selector 172.31.0.150/32
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] using host 172.31.0.150
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] getting iface name for index 3
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] using 192.168.1.1 as nexthop and vmbr0 as dev to reach 35.238.244.88/32
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] installing route: 172.31.0.0/24 via 192.168.1.1 src 172.31.0.150 dev vmbr0
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] getting iface index for vmbr0
Jun 8 03:44:31 P-T1650 charon: 07[KNL] virtual IP 172.31.0.150 installed on vmbr0
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[IKE] CHILD_SA athome{2} established with SPIs c2cc1356_i cc78d74c_o and TS 172.31.0.150/32 === 172.31.0.0/24
Jun 8 03:44:31 P-T1650 ipsec[9539]: 07[IKE] received AUTH_LIFETIME of 9863s, scheduling reauthentication in 9323s
.
.
.
Jun 8 03:44:31 P-T1650 charon: 07[CFG] selecting traffic selectors for us:
Jun 8 03:44:31 P-T1650 charon: 07[CFG] config: 172.31.0.150/32, received: 172.31.0.150/32 => match: 172.31.0.150/32
Jun 8 03:44:31 P-T1650 charon: 07[CFG] selecting traffic selectors for other:
Jun 8 03:44:31 P-T1650 charon: 07[CFG] config: 172.31.0.0/24, received: 172.31.0.0/24 => match: 172.31.0.0/24
Jun 8 03:44:31 P-T1650 charon: 07[KNL] adding SAD entry with SPI c2cc1356 and reqid {1}
Jun 8 03:44:31 P-T1650 charon: 07[KNL] using encryption algorithm AES_CBC with key size 128
Jun 8 03:44:31 P-T1650 charon: 07[KNL] using integrity algorithm HMAC_SHA2_256_128 with key size 256
Jun 8 03:44:31 P-T1650 charon: 07[KNL] using replay window of 32 packets
Jun 8 03:44:31 P-T1650 charon: 07[KNL] HW offload: no
Jun 8 03:44:31 P-T1650 charon: 07[KNL] adding SAD entry with SPI cc78d74c and reqid {1}
Jun 8 03:44:31 P-T1650 charon: 07[KNL] using encryption algorithm AES_CBC with key size 128
Jun 8 03:44:31 P-T1650 charon: 07[KNL] using integrity algorithm HMAC_SHA2_256_128 with key size 256
Jun 8 03:44:31 P-T1650 charon: 07[KNL] using replay window of 0 packets
Jun 8 03:44:31 P-T1650 charon: 07[KNL] HW offload: no
Jun 8 03:44:31 P-T1650 charon: 07[KNL] adding policy 172.31.0.0/24 === 172.31.0.150/32 in [priority 371327, refcount 1]
Jun 8 03:44:31 P-T1650 charon: 07[KNL] adding policy 172.31.0.0/24 === 172.31.0.150/32 fwd [priority 371327, refcount 1]
Jun 8 03:44:31 P-T1650 charon: 07[KNL] adding policy 172.31.0.150/32 === 172.31.0.0/24 out [priority 371327, refcount 1]
Jun 8 03:44:31 P-T1650 charon: 07[KNL] getting a local address in traffic selector 172.31.0.150/32
Jun 8 03:44:31 P-T1650 charon: 07[KNL] using host 172.31.0.150
Jun 8 03:44:31 P-T1650 charon: 07[KNL] getting iface name for index 3
Jun 8 03:44:31 P-T1650 charon: 07[KNL] using 192.168.1.1 as nexthop and vmbr0 as dev to reach 35.238.244.88/32
Jun 8 03:44:31 P-T1650 charon: 07[KNL] installing route: 172.31.0.0/24 via 192.168.1.1 src 172.31.0.150 dev vmbr0
Jun 8 03:44:31 P-T1650 charon: 07[KNL] getting iface index for vmbr0
Jun 8 03:44:31 P-T1650 charon: 07[IKE] CHILD_SA athome{2} established with SPIs c2cc1356_i cc78d74c_o and TS 172.31.0.150/32 === 172.31.0.0/24
Jun 8 03:44:31 P-T1650 charon: 07[IKE] received AUTH_LIFETIME of 9863s, scheduling reauthentication in 9323s
Jun 8 03:44:31 P-T1650 charon: 07[IKE] peer supports MOBIKE
Jun 8 03:44:31 P-T1650 charon: 07[IKE] activating new tasks
Jun 8 03:44:31 P-T1650 charon: 07[IKE] nothing to initiate
Jun 8 03:44:31 P-T1650 charon: 11[KNL] getting iface index for vmbr0
Jun 8 03:44:31 P-T1650 charon: 11[KNL] getting iface index for vmbr0
After a restart of the responder server, the initiator that could not connect before but could today fails to connect again.
root@Openxpki:/home/karsten# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-9-amd64, x86_64):
uptime: 3 minutes, since Jun 08 08:47:13 2020
malloc: sbrk 2940928, mmap 0, used 962544, free 1978384
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
192.168.1.251
2a01:c22:3434:9900:a00:27ff:feeb:7283
Connections:
openxpki: %any...35.238.244.88 IKEv2, dpddelay=300s
openxpki: local: uses EAP_MSCHAPV2 authentication with EAP identity 'openxpkihome'
openxpki: remote: uses public key authentication
openxpki: child: dynamic === 172.31.0.0/24 TUNNEL, dpdaction=clear
Routed Connections:
openxpki{1}: ROUTED, TUNNEL, reqid 1
openxpki{1}: 192.168.1.251/32 === 172.31.0.0/24
Security Associations (0 up, 1 connecting):
openxpki[1]: CONNECTING, 192.168.1.251[192.168.1.251]...35.238.244.88[%any]
openxpki[1]: IKEv2 SPIs: 82eef527dc777857_i* 0c6594db8ab2676e_r
openxpki[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
openxpki[1]: Tasks active: IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
Syslog:
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[IKE] reinitiating already active tasks
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[IKE] IKE_CERT_PRE task
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[IKE] IKE_AUTH task
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[IKE] sending cert request for "O=Digital Signature Trust Co., CN=DST Root CA X3"
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[CFG] no IDi configured, fall back on IP address
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[IKE] building INTERNAL_IP4_DNS attribute
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[CFG] proposing traffic selectors for us:
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[CFG] 0.0.0.0/0
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[CFG] proposing traffic selectors for other:
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[CFG] 172.31.0.0/24
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[CFG] configured proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[IKE] establishing CHILD_SA openxpki{3}
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[KNL] got SPI ce2cfd23
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[NET] sending packet: from 192.168.1.251[4500] to 35.238.244.88[4500] (368 bytes)
Jun 8 08:55:31 Openxpki ipsec[15972]: 10[IKE] retransmit 1 of request with message ID 1
Jun 8 08:55:31 Openxpki ipsec[15972]: 10[NET] sending packet: from 192.168.1.251[4500] to 35.238.244.88[4500] (368 bytes)
Jun 8 08:55:31 Openxpki ipsec[15972]: 11[IKE] retransmit 2 of request with message ID 1
Jun 8 08:55:31 Openxpki ipsec[15972]: 11[NET] sending packet: from 192.168.1.251[4500] to 35.238.244.88[4500] (368 bytes)
Jun 8 08:55:31 Openxpki ipsec[15972]: 13[IKE] retransmit 3 of request with message ID 1
Jun 8 08:55:31 Openxpki ipsec[15972]: 13[NET] sending packet: from 192.168.1.251[4500] to 35.238.244.88[4500] (368 bytes)
Jun 8 08:55:31 Openxpki ipsec[15972]: 14[IKE] retransmit 4 of request with message ID 1
Jun 8 08:55:31 Openxpki ipsec[15972]: 14[NET] sending packet: from 192.168.1.251[4500] to 35.238.244.88[4500] (368 bytes)
Jun 8 08:55:31 Openxpki ipsec[15972]: 16[IKE] retransmit 5 of request with message ID 1
Jun 8 08:55:31 Openxpki ipsec[15972]: 16[NET] sending packet: from 192.168.1.251[4500] to 35.238.244.88[4500] (368 bytes)
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[KNL] received a XFRM_MSG_ACQUIRE
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[KNL] XFRMA_TMPL
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[KNL] XFRMA_POLICY_TYPE
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[KNL] creating acquire job for policy 192.168.1.251/32[udp/47894] === 172.31.0.1/32[udp/1025] with reqid {1}
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[IKE] queueing CHILD_CREATE task
Jun 8 08:55:31 Openxpki ipsec[15972]: 07[IKE] delaying task initiation, IKE_AUTH exchange in progress
Jun 8 08:55:31 Openxpki ipsec[15972]: 11[KNL] received a XFRM_MSG_EXPIRE
Jun 8 08:55:31 Openxpki ipsec[15972]: 11[KNL] creating delete job for CHILD_SA ESP/0xce2cfd23/192.168.1.251
Jun 8 08:55:31 Openxpki charon: 13[IKE] peer not responding, trying again (3/3)
Jun 8 08:55:31 Openxpki ipsec[15972]: 11[JOB] CHILD_SA ESP/0xce2cfd23/192.168.1.251 not found for delete
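The two failure shapes in the post are visible in the logs themselves: on the Openxpki client the IKE_SA_INIT request on UDP/500 is answered but the IKE_AUTH request on UDP/4500 is resent over and over with no response, while on the Proxmox host the CHILD_SA is INSTALLED yet shows 0 bytes_i against thousands of bytes_o, i.e. traffic leaves but nothing comes back. The script below is an added example, not code from the poster or from the strongSwan project; it parses charon syslog lines and `ipsec statusall` output to separate those two cases automatically, so the same check can be run on every initiator rather than reading each log by hand. The sample log and status text are constructed to mirror the excerpts above (the redacted responder address stays as "35.xxx"); the function names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: the shape of the Openxpki syslog excerpt (IKE_SA_INIT answered,
# IKE_AUTH request on UDP/4500 resent with no reply).
SYSLOG_SAMPLE = """\
Jun 5 19:20:32 Openxpki charon: 11[IKE] initiating IKE_SA openxpki[48] to 35.xxx
Jun 5 19:20:32 Openxpki charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun 5 19:20:32 Openxpki charon: 11[NET] sending packet: from 192.168.1.251[500] to 35.xxx[500] (1080 bytes)
Jun 5 19:20:32 Openxpki charon: 16[NET] received packet: from 35.xxx[500] to 192.168.1.251[500] (272 bytes)
Jun 5 19:20:32 Openxpki charon: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jun 5 19:20:32 Openxpki charon: 16[IKE] establishing CHILD_SA openxpki{145}
Jun 5 19:20:32 Openxpki charon: 16[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) ]
Jun 5 19:20:32 Openxpki charon: 16[NET] sending packet: from 192.168.1.251[4500] to 35.xxx[4500] (368 bytes)
Jun 5 19:20:36 Openxpki charon: 05[NET] sending packet: from 192.168.1.251[4500] to 35.xxx[4500] (368 bytes)
Jun 5 19:20:43 Openxpki charon: 07[NET] sending packet: from 192.168.1.251[4500] to 35.xxx[4500] (368 bytes)
"""

# Constructed sample: the CHILD_SA lines of the Proxmox "ipsec statusall" output.
STATUSALL_SAMPLE = """\
athome{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c09f2550_i cfc03b8d_o
athome{3}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 24164 bytes_o (243 pkts, 5s ago), rekeying in 28 minutes
athome{3}:   172.31.0.150/32 === 172.31.0.0/24
"""


@dataclass
class Exchange:
    name: str
    packets_sent: int = 0   # initial send plus every retransmit of the same request
    answered: bool = False  # a "parsed <name> response" line was seen


GEN_RE = re.compile(r"generating (\w+) request (\d+)")
RESP_RE = re.compile(r"parsed (\w+) response (\d+)")
SEND_RE = re.compile(r"sending packet: from \S+ to \S+")
CHILD_RE = re.compile(r"(\S+)\{(\d+)\}:\s+\S+,\s+(\d+) bytes_i,\s+(\d+) bytes_o")


def trace_exchanges(lines):
    """Record, per IKE exchange, how many request packets charon sent and
    whether a matching response was ever parsed."""
    exchanges = {}
    current = None
    for line in lines:
        m = GEN_RE.search(line)
        if m:
            current = Exchange(m.group(1))
            exchanges[current.name] = current
            continue
        # Sends after "generating ... request" and before its response are
        # the request itself and its retransmits.
        if current is not None and not current.answered and SEND_RE.search(line):
            current.packets_sent += 1
            continue
        m = RESP_RE.search(line)
        if m and m.group(1) in exchanges:
            exchanges[m.group(1)].answered = True
    return exchanges


def classify(exchanges):
    """Turn the exchange trace into a one-line verdict on where the handshake stalls."""
    init = exchanges.get("IKE_SA_INIT")
    auth = exchanges.get("IKE_AUTH")
    if init is None:
        return "no IKE_SA_INIT request seen"
    if not init.answered:
        return f"IKE_SA_INIT unanswered on UDP/500 after {init.packets_sent} sends"
    if auth is None:
        return "IKE_SA_INIT answered, IKE_AUTH never generated"
    if not auth.answered:
        return (f"IKE_SA_INIT answered but IKE_AUTH unanswered after "
                f"{auth.packets_sent} sends (UDP/4500 path or responder-side problem)")
    return "IKE_AUTH answered"


def one_way_child_sas(statusall_text):
    """Return (conn, id, bytes_i, bytes_o) for installed CHILD_SAs that have
    sent traffic but received none: the tunnel is up, the return path is not."""
    found = []
    for line in statusall_text.splitlines():
        m = CHILD_RE.search(line)
        if m and int(m.group(3)) == 0 and int(m.group(4)) > 0:
            found.append((m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4))))
    return found


if __name__ == "__main__":
    print(classify(trace_exchanges(SYSLOG_SAMPLE.splitlines())))
    for conn, sa_id, b_in, b_out in one_way_child_sas(STATUSALL_SAMPLE):
        print(f"{conn}{{{sa_id}}}: one-way traffic, {b_out} bytes out, {b_in} bytes in")
```

Fed the real files (`journalctl -u strongswan-starter` or the syslog, and `ipsec statusall`), the first function distinguishes a responder that is unreachable on UDP/500 from one that answers IKE_SA_INIT but never the NAT-T IKE_AUTH on UDP/4500, which is what the Openxpki log shows; the second flags the Proxmox case where the SA is established but counts zero inbound bytes.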