我们在使用 strongSwan (charon) 提供的 IPsec/L2TP 远程访问 VPN 时偶尔会遇到问题。
今天,一个用户无法连接。我查看了 charon 日志,发现另一个现有会话受到了影响。共同部分是本地 LAN 地址 (192.168.0.18)。
charon.log 中一切平静。然后用户 B 连接 (50.xx.xx.xx)。用户 A 的会话 (70.xx.xx.xx) 立即创建日志。当用户 B 的尝试失败 (l2tp 断开连接) 时,一切又平静了。
卡戎日志摘录:
Jul 16 01:14:59 01[IKE] <21363> 50.xxx.xxx.xxx is initiating a Main Mode IKE_SA
Jul 16 01:14:59 08[IKE] <remote-access|21362> closing CHILD_SA remote-access{45249} with SPIs c9ea7827_i (59714 bytes) 08d6c880_o (43106 bytes) and TS abc.61.143.254/32[udp/l2f] === 70.xxx.xxx.xxx/32[udp/63717]
Jul 16 01:14:59 08[IKE] <remote-access|21362> deleting IKE_SA remote-access[21362] between abc.61.143.254[abc.61.143.254]...70.xxx.xxx.xxx[192.168.0.18]
Jul 16 01:14:59 08[IKE] <remote-access|21363> IKE_SA remote-access[21363] established between abc.61.143.254[abc.61.143.254]...50.xxx.xxx.xxx[192.168.0.18]
Jul 16 01:15:00 06[IKE] <remote-access|21363> CHILD_SA remote-access{45251} established with SPIs cc91da0f_i 0e42f461_o and TS abc.61.143.254/32[udp/l2f] === 50.68.170.211/32[udp/58401]
Jul 16 01:15:02 15[IKE] <21364> 70.xxx.xxx.xxx is initiating a Main Mode IKE_SA
Jul 16 01:15:03 11[IKE] <remote-access|21363> closing CHILD_SA remote-access{45251} with SPIs cc91da0f_i (331 bytes) 0e42f461_o (300 bytes) and TS abc.61.143.254/32[udp/l2f] === 50.xxx.xxx.xxx/32[udp/58401]
Jul 16 01:15:03 11[IKE] <remote-access|21363> deleting IKE_SA remote-access[21363] between abc.61.143.254[abc.61.143.254]...50.xxx.xxx.xxx[192.168.0.18]
Jul 16 01:15:03 11[IKE] <remote-access|21364> IKE_SA remote-access[21364] established between abc.61.143.254[abc.61.143.254]...70.xxx.xxx.xxx[192.168.0.18]
Jul 16 01:15:03 07[IKE] <remote-access|21364> CHILD_SA remote-access{45252} established with SPIs cca08f41_i 0da530b5_o and TS abc.61.143.254/32[udp/l2f] === 70.xxx.xxx.xxx/32[udp/63717]
Jul 16 01:15:22 11[IKE] <21365> 50.xxx.xxx.xxx is initiating a Main Mode IKE_SA
Jul 16 01:15:23 07[IKE] <remote-access|21364> closing CHILD_SA remote-access{45252} with SPIs cca08f41_i (12135 bytes) 0da530b5_o (8428 bytes) and TS abc.61.143.254/32[udp/l2f] === 70.xxx.xxx.xxx/32[udp/63717]
Jul 16 01:15:23 07[IKE] <remote-access|21364> deleting IKE_SA remote-access[21364] between abc.61.143.254[abc.61.143.254]...70.xxx.xxx.xxx[192.168.0.18]
Jul 16 01:15:23 07[IKE] <remote-access|21365> IKE_SA remote-access[21365] established between abc.61.143.254[abc.61.143.254]...50.xxx.xxx.xxx[192.168.0.18]
Jul 16 01:15:23 12[IKE] <remote-access|21365> CHILD_SA remote-access{45253} established with SPIs c28d018d_i 0dbb052e_o and TS abc.61.143.254/32[udp/l2f] === 50.xxx.xxx.xxx/32[udp/58401]
Jul 16 01:15:26 15[KNL] 10.255.255.0 appeared on ppp1
Jul 16 01:15:26 14[KNL] 10.255.255.0 disappeared from ppp1
我看不出本地 LAN 地址会如何影响服务器。但这两个连接之间的冲突是一致的。并且日志在上述日志之前和之后相当一致。
答案1
问题在于客户端发送了他们的私有 IP 地址作为身份。你可以[]在日志消息中看到这些身份:
deleting IKE_SA remote-access[21362] between abc.61.143.254[abc.61.143.254]...70.xxx.xxx.xxx[192.168.0.18]
IKE_SA remote-access[21363] established between abc.61.143.254[abc.61.143.254]...50.xxx.xxx.xxx[192.168.0.18]
因此两个 IKE_SA 均位于身份192.168.0.18和之间abc.61.143.254。
根据unique(swanctl.conf) 或者uniqueids(ipsec配置文件),则重复项将被删除。为避免这种情况,请通过将其设置为no或(如果客户端发送INITIAL_CONTACT通知)设置为 来禁用此唯一性检查never。