While working on a remote machine (Debian 11.7 / Kernel 5.10.0-23-amd64), I installed Strongswan to configure it as a VPN client.
apt install strongswan
After that, the service strongswan-starter.service started and the host became unreachable. Luckily I was able to disable the service from the physical console with systemctl disable strongswan-starter.service and reboot.
But whenever I run "systemctl start strongswan-starter.service", my openssh connection is lost.
The only thing I noticed when starting the service was the following:
May 29 21:45:25 machinename charon: 08[KNL] error installing route with policy 192.168.189.1/32 === 192.168.189.1/32 out
May 29 21:45:25 machinename charon: 08[IKE] installed bypass policy for 192.168.189.1/32
May 29 21:45:25 machinename charon: 08[KNL] received netlink error: Permission denied (13)
May 29 21:45:25 machinename charon: 08[KNL] installing route failed: 2a00:6020:4e2a:8000::/64 src 2a00:xxxx:4e2a:xxxx:6a1d:xxxx:xxxx:9579 dev ipsec0
May 29 21:45:25 machinename charon: 08[IKE] installed bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 21:45:25 machinename charon: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
The IP 192.168.189.1 is the router address. But from the local physical console I am able to ping google etc.
I first focused on the bypass-lan plugin, because it only appears when the libcharon-extra-plugins package is installed.
Update
Since this is a default strongswan installation, nothing has been configured yet. So these are the relevant configuration files:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start
# strongswan.conf

charon {
    plugins {
        eap_dynamic {
            preferred = eap-mschapv2, eap-tls
        }
    }
}

# /etc/strongswan.d/starter.conf

starter {
    # Location of the ipsec.conf file
    # config_file = ${sysconfdir}/ipsec.conf

    # Disable charon plugin load option warning.
    # load_warning = yes
}
Update 2
Below is the complete log output from the moment the remote connection to hostmachine dropped after I started the service:
May 29 23:21:49 hostmachine systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
May 29 23:21:49 hostmachine ipsec[6423]: Starting strongSwan 5.9.1 IPsec [starter]...
May 29 23:21:49 hostmachine charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.0-23-amd64, x86_64)
May 29 23:21:49 hostmachine kernel: [ 3621.243706] NET: Registered protocol family 38
May 29 23:21:49 hostmachine kernel: [ 3621.282054] AVX or AES-NI instructions are not detected.
May 29 23:21:50 hostmachine kernel: [ 3621.332375] AVX or AES-NI instructions are not detected.
May 29 23:21:50 hostmachine kernel: [ 3621.394450] alg: No test for xcbc(camellia) (xcbc(camellia-asm))
May 29 23:21:50 hostmachine kernel: [ 3621.436211] alg: No test for rfc3686(ctr(camellia)) (rfc3686(ctr-camellia-asm))
May 29 23:21:50 hostmachine kernel: [ 3621.445352] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.559730] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.593517] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.682207] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.750485] tun: Universal TUN/TAP device driver, 1.6
May 29 23:21:50 hostmachine charon: 00[LIB] created TUN device: ipsec0
May 29 23:21:50 hostmachine systemd-networkd[281]: ipsec0: Link UP
May 29 23:21:50 hostmachine systemd-networkd[281]: ipsec0: Gained carrier
May 29 23:21:50 hostmachine systemd-networkd[281]: ipsec0: Gained IPv6LL
May 29 23:21:50 hostmachine systemd-udevd[6556]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
May 29 23:21:50 hostmachine charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 29 23:21:50 hostmachine charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 29 23:21:50 hostmachine charon: 00[CFG] loaded 0 RADIUS server configurations
May 29 23:21:50 hostmachine charon: 00[CFG] HA config misses local/remote address
May 29 23:21:50 hostmachine charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-libipsec kernel-netlink resolve socket-default bypass-lan connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
May 29 23:21:50 hostmachine charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
May 29 23:21:50 hostmachine charon: 00[JOB] spawning 16 worker threads
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 172.17.0.0/16
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 172.18.0.0/16
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 172.25.0.0/16
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 192.168.189.0/24
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy 192.168.189.1/32 === 192.168.189.1/32 out
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 192.168.189.1/32
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for ::1/128
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for fe80::/64
May 29 23:21:50 hostmachine charon: 08[IKE] interface change for bypass policy for fe80::/64 (from enp1s0 to ipsec0)
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
May 29 23:21:50 hostmachine ipsec[6423]: charon (6427) started after 580 ms
May 29 23:22:04 hostmachine charon: 00[DMN] SIGINT received, shutting down
May 29 23:22:04 hostmachine systemd[1]: Stopping strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf...
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 172.17.0.0/16
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 172.18.0.0/16
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 172.25.0.0/16
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 192.168.189.0/24
May 29 23:22:04 hostmachine systemd-networkd[281]: ipsec0: Link DOWN
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 192.168.189.1/32
May 29 23:22:04 hostmachine systemd-networkd[281]: ipsec0: Lost carrier
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for ::1/128
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for fe80::/64
May 29 23:22:04 hostmachine ipsec[6427]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.0-23-amd64, x86_64)
May 29 23:22:04 hostmachine ipsec[6427]: 00[LIB] created TUN device: ipsec0
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loaded 0 RADIUS server configurations
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] HA config misses local/remote address
May 29 23:22:04 hostmachine ipsec[6427]: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-libipsec kernel-netlink resolve socket-default bypass-lan connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
May 29 23:22:04 hostmachine ipsec[6427]: 00[LIB] dropped capabilities, running as uid 0, gid 0
May 29 23:22:04 hostmachine ipsec[6427]: 00[JOB] spawning 16 worker threads
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 172.17.0.0/16
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 172.18.0.0/16
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 172.25.0.0/16
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 192.168.189.0/24
May 29 23:22:04 hostmachine ipsec[6427]: 08[KNL] error installing route with policy 192.168.189.1/32 === 192.168.189.1/32 out
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 192.168.189.1/32
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for ::1/128
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 23:22:04 hostmachine ipsec[6427]: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for fe80::/64
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] interface change for bypass policy for fe80::/64 (from enp1s0 to ipsec0)
May 29 23:22:04 hostmachine ipsec[6427]: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
Any ideas are greatly appreciated.
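To triage a startup log like the one above without reading it line by line, here is an added Python helper (not part of the question, and not strongSwan's own tooling) that parses the two syslog shapes the charon daemon produces ("charon:" and "ipsec[pid]:"), collects the bypass policies, route-install failures, TUN device creation and interface changes, and lists the prefixes that got a bypass policy but no route. The sample log is a constructed subset of the lines quoted in the question.

```python
import re

# Constructed sample: a subset of the charon lines quoted in the question above.
SAMPLE_LOG = """\
May 29 23:21:50 hostmachine charon: 00[LIB] created TUN device: ipsec0
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 192.168.189.0/24
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy 192.168.189.1/32 === 192.168.189.1/32 out
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 192.168.189.1/32
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for fe80::/64
May 29 23:21:50 hostmachine charon: 08[IKE] interface change for bypass policy for fe80::/64 (from enp1s0 to ipsec0)
May 29 23:22:04 hostmachine ipsec[6427]: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
"""

# Syslog prefix in both shapes seen in the question: "charon:" and "ipsec[pid]:".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?:charon|ipsec\[\d+\]): "
    r"\d+\[(?P<grp>[A-Z]+)\] (?P<msg>.*)$")
BYPASS_RE = re.compile(r"installed bypass policy for (?P<prefix>\S+)")
ROUTE_ERR_RE = re.compile(r"error installing route with policy (?P<src>\S+) === (?P<dst>\S+) out")
IFACE_RE = re.compile(r"interface change for bypass policy for (?P<prefix>\S+) \(from (?P<old>\S+) to (?P<new>\S+)\)")
TUN_RE = re.compile(r"created TUN device: (?P<dev>\S+)")


def triage(log_text):
    """Group the charon events that matter for connectivity into one summary."""
    summary = {"tun_devices": [], "bypass": [], "route_errors": [], "iface_changes": []}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # kernel, systemd-networkd and other non-charon lines are skipped
        msg = m.group("msg")
        if (b := BYPASS_RE.search(msg)):
            summary["bypass"].append(b.group("prefix"))
        elif (r := ROUTE_ERR_RE.search(msg)):
            summary["route_errors"].append((r.group("src"), r.group("dst")))
        elif (i := IFACE_RE.search(msg)):
            summary["iface_changes"].append((i.group("prefix"), i.group("old"), i.group("new")))
        elif (t := TUN_RE.search(msg)):
            summary["tun_devices"].append(t.group("dev"))
    return summary


def bypass_without_route(summary):
    """Prefixes that received a bypass policy but whose accompanying route failed to install."""
    failed = {src for src, _ in summary["route_errors"]}
    return [p for p in summary["bypass"] if p in failed]


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    print(s)
    print("bypass policies lacking a route:", bypass_without_route(s))
```

Feed it the full journal excerpt (for example `journalctl -u strongswan-starter.service` piped into `triage`) and the output shows at a glance which LAN prefixes, including the router address and the link-local range, ended up with a policy but no route, and which policy moved from enp1s0 to ipsec0.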