IPsec duplicate policies: allow and block

I am trying to set up an IPsec connection between two virtual machines using strongSwan. The configuration on my first machine is as follows (ipsec.conf):

conn %default
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    mobike=no
    keyexchange=ikev2
    authby=pubkey
    esp=null-sha1!
conn host-to-host
    left=192.168.56.102
    leftcert=/etc/ipsec.d/certs/servercert.pem
    leftid="C=..., ST=..., O=..., OU=SSTT, CN=www.sstt.org"
    right=192.168.56.101
    rightid="C=..., ST=..., O=..., OU=SSTT, CN=name"
    type=tunnel
    auto=start

The ipsec.secrets file contains the correct path to the private key. The configuration on my second machine matches the one listed here.

My problem is that when the SA is established on my first machine (the server), for some reason the policy list looks like this:

src 192.168.56.101/32 dst 192.168.56.102/32 
    dir fwd priority 2819 
    tmpl src 192.168.56.101 dst 192.168.56.102
        proto esp reqid 1 mode tunnel
src 192.168.56.101/32 dst 192.168.56.102/32 
    dir in priority 2819 
    tmpl src 192.168.56.101 dst 192.168.56.102
        proto esp reqid 1 mode tunnel
src 192.168.56.102/32 dst 192.168.56.101/32 
    dir out priority 2819 
    tmpl src 192.168.56.102 dst 192.168.56.101
        proto esp reqid 1 mode tunnel
src 192.168.56.101/32 dst 192.168.56.102/32 
    dir fwd action block priority 12035 
src 192.168.56.101/32 dst 192.168.56.102/32 
    dir in action block priority 12035 
src 192.168.56.102/32 dst 192.168.56.101/32 
    dir out action block priority 12035

The client machine's policy list has no policies with a block action, only the correct ones.

I captured some traffic with Wireshark and found that when my server pings the second machine, the ICMP packets are sent twice, once with an ESP header and once without. The second machine only replies to the packet without the ESP header.

I tried deleting only the policies with the block action, but apparently that had no effect.

Log output after restarting the service on the server side:

Jun 11 15:29:28 ubuntu-server charon: 00[DMN] signal of type SIGINT received. Shutting down
Jun 11 15:29:28 ubuntu-server charon: 00[IKE] deleting IKE_SA host-to-host[2] between 192.168.56.102[C=..., ST=..., O=..., OU=SSTT, CN=www.sstt.org]...192.168.56.101[C=..., ST=..., O=..., OU=SSTT, CN=name]
Jun 11 15:29:28 ubuntu-server charon: 00[IKE] sending DELETE for IKE_SA host-to-host[2]
Jun 11 15:29:28 ubuntu-server charon: 00[ENC] generating INFORMATIONAL request 0 [ D ]
Jun 11 15:29:28 ubuntu-server charon: 00[NET] sending packet: from 192.168.56.102[500] to 192.168.56.101[500] (76 bytes)
Jun 11 15:29:30 ubuntu-server charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-186-generic, x86_64)
Jun 11 15:29:30 ubuntu-server charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Jun 11 15:29:30 ubuntu-server charon: 00[CFG]   loaded ca certificate "C=..., ST=..., O=..., OU=SSTT, CN=ca.sstt.org" from '/etc/ipsec.d/cacerts/cacert.pem'
Jun 11 15:29:30 ubuntu-server charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Jun 11 15:29:30 ubuntu-server charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Jun 11 15:29:30 ubuntu-server charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Jun 11 15:29:30 ubuntu-server charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Jun 11 15:29:30 ubuntu-server charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Jun 11 15:29:30 ubuntu-server charon: 00[CFG]   loaded RSA private key from '/etc/ipsec.d/private/serverkey.pem'
Jun 11 15:29:30 ubuntu-server charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Jun 11 15:29:30 ubuntu-server charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jun 11 15:29:30 ubuntu-server charon: 00[JOB] spawning 16 worker threads
Jun 11 15:29:30 ubuntu-server charon: 11[CFG] received stroke: add connection 'host-to-host'
Jun 11 15:29:30 ubuntu-server charon: 11[CFG]   loaded certificate "C=..., ST=..., O=..., OU=SSTT, CN=www.sstt.org" from '/etc/ipsec.d/certs/servercert.pem'
Jun 11 15:29:30 ubuntu-server charon: 11[CFG] added configuration 'host-to-host'
Jun 11 15:29:30 ubuntu-server charon: 13[CFG] received stroke: initiate 'host-to-host'
Jun 11 15:29:30 ubuntu-server charon: 13[IKE] initiating IKE_SA host-to-host[1] to 192.168.56.101
Jun 11 15:29:30 ubuntu-server charon: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
Jun 11 15:29:30 ubuntu-server charon: 13[NET] sending packet: from 192.168.56.102[500] to 192.168.56.101[500] (1124 bytes)
Jun 11 15:29:30 ubuntu-server charon: 15[NET] received packet: from 192.168.56.101[500] to 192.168.56.102[500] (481 bytes)
Jun 11 15:29:30 ubuntu-server charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(HASH_ALG) N(MULT_AUTH) ]
Jun 11 15:29:30 ubuntu-server charon: 15[IKE] received cert request for "C=..., ST=..., O=..., OU=SSTT, CN=ca.sstt.org"
Jun 11 15:29:30 ubuntu-server charon: 15[IKE] sending cert request for "C=..., ST=..., O=..., OU=SSTT, CN=ca.sstt.org"
Jun 11 15:29:30 ubuntu-server charon: 15[IKE] authentication of 'C=..., ST=..., O=..., OU=SSTT, CN=www.sstt.org' (myself) with RSA_EMSA_PKCS1_SHA256 successful
Jun 11 15:29:30 ubuntu-server charon: 15[IKE] sending end entity cert "C=..., ST=..., O=..., OU=SSTT, CN=www.sstt.org"
Jun 11 15:29:30 ubuntu-server charon: 15[IKE] establishing CHILD_SA host-to-host
Jun 11 15:29:30 ubuntu-server charon: 15[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Jun 11 15:29:30 ubuntu-server charon: 15[NET] sending packet: from 192.168.56.102[500] to 192.168.56.101[500] (1628 bytes)
Jun 11 15:29:30 ubuntu-server charon: 16[NET] received packet: from 192.168.56.101[500] to 192.168.56.102[500] (1500 bytes)
Jun 11 15:29:30 ubuntu-server charon: 16[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
Jun 11 15:29:30 ubuntu-server charon: 16[IKE] received end entity cert "C=..., ST=..., O=..., OU=SSTT, CN=name"
Jun 11 15:29:30 ubuntu-server charon: 16[CFG]   using certificate "C=..., ST=..., O=..., OU=SSTT, CN=name"
Jun 11 15:29:30 ubuntu-server charon: 16[CFG]   using trusted ca certificate "C=..., ST=..., O=..., OU=SSTT, CN=ca.sstt.org"
Jun 11 15:29:30 ubuntu-server charon: 16[CFG] checking certificate status of "C=..., ST=..., O=..., OU=SSTT, CN=name"
Jun 11 15:29:30 ubuntu-server charon: 16[CFG] certificate status is not available
Jun 11 15:29:30 ubuntu-server charon: 16[CFG]   reached self-signed root ca with a path length of 0
Jun 11 15:29:30 ubuntu-server charon: 16[IKE] authentication of 'C=..., ST=..., O=..., OU=SSTT, CN=name' with RSA_EMSA_PKCS1_SHA256 successful
Jun 11 15:29:30 ubuntu-server charon: 16[IKE] IKE_SA host-to-host[1] established between 192.168.56.102[C=..., ST=..., O=..., OU=SSTT, CN=www.sstt.org]...192.168.56.101[C=..., ST=..., O=..., OU=SSTT, CN=name]
Jun 11 15:29:30 ubuntu-server charon: 16[IKE] scheduling reauthentication in 3250s
Jun 11 15:29:30 ubuntu-server charon: 16[IKE] maximum IKE_SA lifetime 3430s
Jun 11 15:29:30 ubuntu-server charon: 16[KNL] policy already exists, try to update it
Jun 11 15:29:30 ubuntu-server charon: message repeated 2 times: [ 16[KNL] policy already exists, try to update it]
Jun 11 15:29:30 ubuntu-server charon: 16[IKE] CHILD_SA host-to-host{1} established with SPIs c056e14a_i c62093a4_o and TS 192.168.56.102/32 === 192.168.56.101/32
Jun 11 15:29:30 ubuntu-server charon: 16[IKE] received AUTH_LIFETIME of 3364s, scheduling reauthentication in 3184s

Can anyone explain what is going on? Thanks in advance.
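As an added example that is not part of the question, here is a small Python script that parses `ip xfrm policy` output like the dump above and reports, for each flow that carries more than one policy, which one the kernel actually applies; the embedded sample is the fwd/out entries of the question's own server-side dump.

```python
# Added example (not from the question): parse `ip xfrm policy` output and,
# for each (src, dst, dir) flow with several policies, report which one the
# kernel applies. XFRM tries policies in ascending numeric priority, so the
# lowest value wins; allow policies are printed without an 'action' field.
import re
from collections import defaultdict

# Constructed sample: the fwd/out entries of the server-side dump in the question.
SAMPLE = """\
src 192.168.56.101/32 dst 192.168.56.102/32
    dir fwd priority 2819
    tmpl src 192.168.56.101 dst 192.168.56.102
        proto esp reqid 1 mode tunnel
src 192.168.56.102/32 dst 192.168.56.101/32
    dir out priority 2819
    tmpl src 192.168.56.102 dst 192.168.56.101
        proto esp reqid 1 mode tunnel
src 192.168.56.101/32 dst 192.168.56.102/32
    dir fwd action block priority 12035
src 192.168.56.102/32 dst 192.168.56.101/32
    dir out action block priority 12035
"""

HEAD = re.compile(r"^src (\S+) dst (\S+)")
DIR = re.compile(r"^\s+dir (\w+)(?: action (\w+))? priority (\d+)")

def parse_policies(text):
    """Return one dict per policy: src, dst, dir, action, priority, tmpl."""
    policies = []
    for line in text.splitlines():
        m = HEAD.match(line)
        if m:  # a new policy record starts
            policies.append({"src": m[1], "dst": m[2], "action": "allow", "tmpl": False})
        elif policies and (m := DIR.match(line)):
            policies[-1].update(dir=m[1], action=m[2] or "allow", priority=int(m[3]))
        elif policies and line.lstrip().startswith("tmpl"):
            policies[-1]["tmpl"] = True  # ESP template present: traffic goes through the SA
    return policies

def conflicts(policies):
    """Flows with >1 policy: (src, dst, dir) -> (winning action, winner has tmpl, all actions)."""
    groups = defaultdict(list)
    for p in policies:
        groups[(p["src"], p["dst"], p["dir"])].append(p)
    result = {}
    for key, plist in groups.items():
        if len(plist) > 1:
            win = min(plist, key=lambda p: p["priority"])
            result[key] = (win["action"], win["tmpl"], sorted(p["action"] for p in plist))
    return result
```

Feed it the live output of `ip xfrm policy` on both hosts to compare the server and client policy sets.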
