How to negotiate a transport-udp-esp-natt SA with a strongswan server

I have written an IKE client to negotiate IPsec SAs with some IKE servers (for example racoon and strongswan).

When the negotiation completes, I send an IPsec packet (a udp-esp packet) from the client machine; the strongswan server machine receives the packet but does not process it.

My transport-udp-natt network scenario:

| Machine A (centos7) | Machine B (win7) | VMware machine inside machine B (centos7) |
|---|---|---|
| 172.23.25.10 | 172.23.25.99 / 192.168.163.1 | 192.168.163.130 |
| IKE client | | IKE server |
| udp client | | udp server |

After the negotiation completes, the SA information on the client and on the strongswan server differs. On machine A the SA is:

172.23.25.10[4500] 172.23.25.99[4500] 
        esp-udp mode=transport spi=3409495451(0xcb38c59b) reqid=0(0x00000000)
        E: aes-cbc  bacca0d7 19fa120b 25202473 99704304 0e826139 f898be77 01b28606 b09ea092
        A: hmac-sha256  b4ded3b3 58214e27 c63d0f91 e4e66912 add797a0 67755537 9003b5b0 0c04338b
        seq=0x00000000 replay=0 flags=0x00000000 state=mature 
        created: Dec 10 15:35:59 2021   current: Dec 10 15:36:19 2021
        diff: 20(s)     hard: 120(s)    soft: 96(s)
        last: Dec 10 15:36:01 2021      hard: 120(s)    soft: 96(s)
        current: 55(bytes)      hard: 0(bytes)  soft: 0(bytes)
        allocated: 5    hard: 120       soft: 96
        sadb_seq=1 pid=349 refcnt=0
172.23.25.99[4500] 172.23.25.10[4500] 
        esp-udp mode=transport spi=244675610(0x0e95741a) reqid=0(0x00000000)
        E: aes-cbc  eb74d7ad 50dd0adf 2e93a40a aada69f6 cb4d2d26 73b76d3b 1ac8c4c1 8534c6cc
        A: hmac-sha256  5029b994 d005f5b6 8b39172a 0b86dc7c 00551e2a 1ef57a13 603e2ee6 bac29afa
        seq=0x00000000 replay=0 flags=0x00000000 state=mature 
        created: Dec 10 15:35:59 2021   current: Dec 10 15:36:19 2021
        diff: 20(s)     hard: 120(s)    soft: 96(s)
        last:                           hard: 120(s)    soft: 96(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 120       soft: 96
        sadb_seq=0 pid=349 refcnt=0

On the VMware machine, the SA added by strongswan is:

192.168.163.130 172.23.25.10 
        esp mode=transport spi=244675610(0x0e95741a) reqid=1(0x00000001)
        E: aes-cbc  eb74d7ad 50dd0adf 2e93a40a aada69f6 cb4d2d26 73b76d3b 1ac8c4c1 8534c6cc
        A: hmac-sha256  5029b994 d005f5b6 8b39172a 0b86dc7c 00551e2a 1ef57a13 603e2ee6 bac29afa
        seq=0x00000000 replay=0 flags=0x00000000 state=mature 
        created: Dec 10 02:35:29 2021   current: Dec 10 02:35:45 2021
        diff: 16(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=10114 refcnt=0
172.23.25.10 192.168.163.130 
        esp mode=transport spi=3409495451(0xcb38c59b) reqid=1(0x00000001)
        E: aes-cbc  bacca0d7 19fa120b 25202473 99704304 0e826139 f898be77 01b28606 b09ea092
        A: hmac-sha256  b4ded3b3 58214e27 c63d0f91 e4e66912 add797a0 67755537 9003b5b0 0c04338b
        seq=0x00000000 replay=32 flags=0x00000000 state=mature 
        created: Dec 10 02:35:29 2021   current: Dec 10 02:35:45 2021
        diff: 16(s)     hard: 0(s)      soft: 0(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=0 pid=10114 refcnt=0

I suspect the SA on the VMware machine is missing the port **[4500]** and the esp-udp information, because when I use racoon the VMware machine can process the udp packets from machine A. The SA added by racoon is as follows:

192.168.163.130[4500] 172.23.25.10[4500] 
        esp-udp mode=transport spi=217431274(0x0cf5bcea) reqid=0(0x00000000)
        E: des-cbc  7744c128 a553d81a
        A: hmac-md5  af32028d 098ebf1b e0be8a42 84122992
        seq=0x00000000 replay=4 flags=0x00000000 state=mature 
        created: Dec 10 02:23:59 2021   current: Dec 10 02:24:18 2021
        diff: 19(s)     hard: 120(s)    soft: 96(s)
        last:                           hard: 0(s)      soft: 0(s)
        current: 0(bytes)       hard: 0(bytes)  soft: 0(bytes)
        allocated: 0    hard: 0 soft: 0
        sadb_seq=1 pid=9396 refcnt=0
172.23.25.10[4500] 192.168.163.130[4500] 
        esp-udp mode=transport spi=62789244(0x03be167c) reqid=0(0x00000000)
        E: des-cbc  b2a72540 98f4bfb2
        A: hmac-md5  c745f6b7 f79f5c52 e9f3cafc 38a717d3
        seq=0x00000000 replay=4 flags=0x00000000 state=mature 
        created: Dec 10 02:23:59 2021   current: Dec 10 02:24:18 2021
        diff: 19(s)     hard: 120(s)    soft: 96(s)
        last: Dec 10 02:24:01 2021      hard: 0(s)      soft: 0(s)
        current: 33(bytes)      hard: 0(bytes)  soft: 0(bytes)
        allocated: 3    hard: 0 soft: 0
        sadb_seq=0 pid=9396 refcnt=0

I tried changing the configuration, but I cannot get these SAs generated. Here is my configuration. ipsec.conf:

conn %default
    ikelifetime=6m
    keylife=5m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev1
    ike=aes256-sha256-modp1024
    esp=aes256-sha256-modp1024
    authby=psk
    type=transport
    auto=route
    aggressive=no
    fragmentation=no
    rekey=no
    forceencaps=yes

conn trap-b
    left=192.168.163.130
    leftsubnet=192.168.163.0/24
    right=172.23.25.10
    rightsubnet=172.23.25.0/24
    auto=add

conn nat-t
    left=172.23.25.99
    leftsubnet=192.168.163.0/24
    right=172.23.25.10
    rightsubnet=172.23.25.0/24
    auto=add

strongswan.conf:

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
        install_routes = no
        filelog {
                charon {
                        path = /etc/strongswan/logs/strongswan.log
                        time_format = %b %e %T
                        ike_name = yes
                        append = yes
                        default = 2
                        flush_line = yes
                }
                stderr {
                        ike = 2
                        kml = 3
                }
        }
}
include strongswan.d/*.conf

Is there something wrong with my configuration? Thanks!
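As an added example (not part of the question and not strongswan or racoon code), the following Python script parses setkey-style SAD dumps like the ones quoted above and reports, per SPI, where the two peers disagree about the same SA. The embedded inputs are constructed, abridged copies of the machine A and VMware-machine dumps from the question; the `SaEntry` fields and the message strings are this example's own naming. Peer addresses are deliberately not compared, because behind NAT each side is expected to see a different address for the other; the check instead focuses on the things that must agree for ESP to be accepted: SPI, mode, algorithms and keys, and whether UDP encapsulation (esp-udp with the 4500 ports) is present on both sides.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: abridged copies of the two dumps in the question.
# Left: machine A (the IKE client). Right: the strongswan VM.
CLIENT_DUMP = """\
172.23.25.10[4500] 172.23.25.99[4500]
        esp-udp mode=transport spi=3409495451(0xcb38c59b) reqid=0(0x00000000)
        E: aes-cbc  bacca0d7 19fa120b 25202473 99704304 0e826139 f898be77 01b28606 b09ea092
        A: hmac-sha256  b4ded3b3 58214e27 c63d0f91 e4e66912 add797a0 67755537 9003b5b0 0c04338b
172.23.25.99[4500] 172.23.25.10[4500]
        esp-udp mode=transport spi=244675610(0x0e95741a) reqid=0(0x00000000)
        E: aes-cbc  eb74d7ad 50dd0adf 2e93a40a aada69f6 cb4d2d26 73b76d3b 1ac8c4c1 8534c6cc
        A: hmac-sha256  5029b994 d005f5b6 8b39172a 0b86dc7c 00551e2a 1ef57a13 603e2ee6 bac29afa
"""

SERVER_DUMP = """\
192.168.163.130 172.23.25.10
        esp mode=transport spi=244675610(0x0e95741a) reqid=1(0x00000001)
        E: aes-cbc  eb74d7ad 50dd0adf 2e93a40a aada69f6 cb4d2d26 73b76d3b 1ac8c4c1 8534c6cc
        A: hmac-sha256  5029b994 d005f5b6 8b39172a 0b86dc7c 00551e2a 1ef57a13 603e2ee6 bac29afa
172.23.25.10 192.168.163.130
        esp mode=transport spi=3409495451(0xcb38c59b) reqid=1(0x00000001)
        E: aes-cbc  bacca0d7 19fa120b 25202473 99704304 0e826139 f898be77 01b28606 b09ea092
        A: hmac-sha256  b4ded3b3 58214e27 c63d0f91 e4e66912 add797a0 67755537 9003b5b0 0c04338b
"""

# "src[port] dst[port]" header line; the [port] parts are only present for NAT-T SAs.
HEADER_RE = re.compile(r"^([0-9A-Fa-f:.]+)(?:\[(\d+)\])?\s+([0-9A-Fa-f:.]+)(?:\[(\d+)\])?\s*$")
# "esp-udp mode=transport spi=NNN(0xHEX) ..." line; esp-udp must precede esp in the alternation.
PROTO_RE = re.compile(r"^\s+(esp-udp|esp|ah)\s+mode=(\S+)\s+spi=\d+\((0x[0-9a-f]+)\)")
# "E: alg keybytes..." / "A: alg keybytes..." lines.
KEY_RE = re.compile(r"^\s+([EA]):\s+(\S+)\s+([0-9a-f ]+?)\s*$")


@dataclass
class SaEntry:
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    proto: str = ""   # esp, esp-udp or ah
    mode: str = ""    # transport or tunnel
    spi: str = ""     # hex string, e.g. 0xcb38c59b
    enc: str = ""     # "alg:keyhex"
    auth: str = ""    # "alg:keyhex"


def parse_sad(dump: str) -> Dict[str, SaEntry]:
    """Parse a setkey-style SAD dump into a dict keyed by SPI (hex string)."""
    entries: Dict[str, SaEntry] = {}
    cur: Optional[SaEntry] = None
    for line in dump.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = SaEntry(m.group(1), int(m.group(2)) if m.group(2) else None,
                          m.group(3), int(m.group(4)) if m.group(4) else None)
            continue
        if cur is None:
            continue
        m = PROTO_RE.match(line)
        if m:
            cur.proto, cur.mode, cur.spi = m.group(1), m.group(2), m.group(3)
            entries[cur.spi] = cur
            continue
        m = KEY_RE.match(line)
        if m:
            value = m.group(2) + ":" + m.group(3).replace(" ", "")
            if m.group(1) == "E":
                cur.enc = value
            else:
                cur.auth = value
    return entries


def compare_sad(client_dump: str, server_dump: str) -> Dict[str, List[str]]:
    """Return, per SPI, the list of disagreements between the two peers' SAD entries."""
    a, b = parse_sad(client_dump), parse_sad(server_dump)
    report: Dict[str, List[str]] = {}
    for spi in sorted(set(a) | set(b)):
        issues: List[str] = []
        if spi not in a or spi not in b:
            issues.append("SPI present on only one side")
        else:
            x, y = a[spi], b[spi]
            if x.proto != y.proto:
                issues.append(f"encapsulation differs: client={x.proto} server={y.proto}")
            if (x.sport, x.dport) != (y.sport, y.dport):
                issues.append(f"NAT-T ports differ: client={x.sport}/{x.dport} server={y.sport}/{y.dport}")
            if x.mode != y.mode:
                issues.append(f"mode differs: client={x.mode} server={y.mode}")
            if x.enc != y.enc:
                issues.append("encryption alg/key differ")
            if x.auth != y.auth:
                issues.append("integrity alg/key differ")
        report[spi] = issues
    return report


if __name__ == "__main__":
    for spi, issues in compare_sad(CLIENT_DUMP, SERVER_DUMP).items():
        print(spi, "OK" if not issues else "; ".join(issues))
```

Run against the two dumps, the script confirms that SPIs, algorithms and keys agree on both sides and that the only disagreement is the one the question already points at: the client installed esp-udp SAs with both [4500] ports, while the strongswan side installed plain esp SAs without them, so the server's kernel is not expecting the ESP payload to arrive inside UDP port 4500.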
