strongswan site2site connection is active, but there is no traffic

I set up a strongswan site-to-site VPN following several tutorials, but I have run into difficulties...

This is the situation:

SITE A                     <------->     SITE B
AWS VPN GATEWAY                          STRONGSWAN
HOST 1                                   HOST 2 (Strongswan host, also EC2)
  • I can ping host 2 from host 1, but I get no reply at all (tcpdump on host 2):
    00:30:46.360533 eth0  In  IP 10.250.10.6 > 10.250.9.4: ICMP echo request, id 5, seq 599, length 64
    00:30:47.384644 eth0  In  IP 10.250.10.6 > 10.250.9.4: ICMP echo request, id 5, seq 600, length 64
    00:30:48.408526 eth0  In  IP 10.250.10.6 > 10.250.9.4: ICMP echo request, id 5, seq 601, length 64
    ... etc.
    
  • I see the ping requests from host 2 to host 1 getting broken:
    00:36:41.881802 IP ip-10-250-10-6.eu-central-1.compute.internal > 169.254.169.254: ICMP time exceeded in-transit, length 297
    00:36:41.881891 IP ip-10-250-10-6.eu-central-1.compute.internal > 169.254.169.254: ICMP time exceeded in-transit, length 60
    00:36:41.893326 IP ip-10-250-10-6.eu-central-1.compute.internal > 169.254.169.254: ICMP time exceeded in-transit, length 60

Can someone help? I would be very grateful.


Here is my strongswan config:

config setup
    charondebug="all"
    uniqueids=yes
    # from generated AWS config
    strictcrlpolicy=no

conn customer
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret

    ike=aes256-sha2_512-ecp256
    esp=aes256-sha2_512-ecp256
    aggressive=no
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart

    # PUBLIC network interfaces, "left" is "us"
    left=%defaultroute
    right=CENSORED # public IP

    # PRIVATE subnets
    leftsubnet=10.250.9.0/28
    rightsubnet=10.250.10.0/28

    # settings taken from AWS generated config
    margintime=270s
    rekey=yes
    rekeyfuzz=100%
    fragmentation=yes
    replay_window=1024

    mark=100

Here is ipsec statusall:

Connections:
customer:  %any...XXXX  IKEv2, dpddelay=30s
customer:   local:  uses pre-shared key authentication
customer:   remote: [XXXX] uses pre-shared key authentication
customer:   child:  10.250.9.0/28 === 10.250.10.0/28 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
customer[3]: ESTABLISHED 21 minutes ago, 10.250.9.5[EEEE]...XXXX[XXXX]
customer[3]: IKEv2 SPIs: aca26c16528c6023_i b8d244b9ba20a4ba_r*, pre-shared key reauthentication in 7 hours
customer[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_256
customer{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c2e749c9_i ccd2a33d_o
customer{3}:  AES_CBC_256/HMAC_SHA2_512_256, 51072 bytes_i, 3108 bytes_o (37 pkts, 198s ago), rekeying in 29 minutes
customer{3}:   10.250.9.0/28 === 10.250.10.0/28

XXXX / EEEE - public IP addresses of the VPN gateways

Finally, ipsec reload ; journalctl -f:

Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 06[CFG] deleted connection 'customer'
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 08[CFG] received stroke: add connection 'customer'
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 08[CFG] added configuration 'customer'
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 05[CFG] received stroke: initiate 'customer'
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 05[IKE] establishing CHILD_SA customer{4}
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 05[IKE] establishing CHILD_SA customer{4}
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 05[ENC] generating CREATE_CHILD_SA request 0 [ SA No KE TSi TSr ]
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 05[NET] sending packet: from 10.250.9.5[4500] to XXXX[4500] (448 bytes)
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 07[NET] received packet: from XXXX[4500] to 10.250.9.5[4500] (304 bytes)
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 07[ENC] parsed CREATE_CHILD_SA response 0 [ SA No KE TSi TSr ]
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 07[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/ECP_256/NO_EXT_SEQ
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 07[IKE] CHILD_SA customer{4} established with SPIs c66eb670_i cb56dea4_o and TS 10.250.9.0/28 === 10.250.10.0/28
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 07[IKE] CHILD_SA customer{4} established with SPIs c66eb670_i cb56dea4_o and TS 10.250.9.0/28 === 10.250.10.0/28
Nov 11 00:41:46 ip-10-250-9-5 charon[443]: 12[NET] received packet: from XXXX[4500] to 10.250.9.5[4500] (96 bytes)
Nov 11 00:41:46 ip-10-250-9-5 charon[443]: 12[ENC] parsed INFORMATIONAL request 142 [ ]
Nov 11 00:41:46 ip-10-250-9-5 charon[443]: 12[ENC] generating INFORMATIONAL response 142 [ ]
Nov 11 00:41:46 ip-10-250-9-5 charon[443]: 12[NET] sending packet: from 10.250.9.5[4500] to XXXX[4500] (96 bytes)
