简单的 Strongswan 安装导致无法通过 (Open)SSH 访问服务器

tag-icon tag-icon networking debian strongswan
简单的 Strongswan 安装导致无法通过 (Open)SSH 访问服务器

在远程机器(Debian 11.7 / Kernel 5.10.0-23-amd64)上工作时,我安装了 Strongswan 以将其配置为 VPN 客户端。

apt install strongswan

此后,服务strongswan-starter.service正在启动,主机变得无法访问。幸运的是,我可以通过物理方式禁用该服务systemctl disable strongswan-starter.service并重新启动。

但是每当我运行“systemctl start strongswan-starter.service”时,我的 openssh 连接就会丢失。

启动服务时我唯一注意到的是以下内容:

May 29 21:45:25 machinename charon: 08[KNL] error installing route with policy 192.168.189.1/32 === 192.168.189.1/32 out
May 29 21:45:25 machinename charon: 08[IKE] installed bypass policy for 192.168.189.1/32
May 29 21:45:25 machinename charon: 08[KNL] received netlink error: Permission denied (13)
May 29 21:45:25 machinename charon: 08[KNL] installing route failed: 2a00:6020:4e2a:8000::/64 src 2a00:xxxx:4e2a:xxxx:6a1d:xxxx:xxxx:9579 dev ipsec0
May 29 21:45:25 machinename charon: 08[IKE] installed bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 21:45:25 machinename charon: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out

IP192.168.189.1是路由器地址。但是从本地物理控制台我能够 ping google 等。

我首先关注bypass-lan插件,因为它仅在安装libcharon-extra-plugin包时才会出现。

更新

由于这是默认的 strongswan 安装,因此目前尚未进行任何配置。因此这些是相关的配置文件

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

# strongswan.conf
charon {

    plugins {
        eap_dynamic {
            preferred = eap-mschapv2, eap-tls
        }
    }
}

# /etc/strongswan.d/starter.conf
starter {

    # Location of the ipsec.conf file
    # config_file = ${sysconfdir}/ipsec.conf

    # Disable charon plugin load option warning.
    # load_warning = yes

}

更新2

以下是我启动服务后远程连接hostmachine断开时的完整日志输出

May 29 23:21:49 hostmachine systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
May 29 23:21:49 hostmachine ipsec[6423]: Starting strongSwan 5.9.1 IPsec [starter]...
May 29 23:21:49 hostmachine charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.0-23-amd64, x86_64)
May 29 23:21:49 hostmachine kernel: [ 3621.243706] NET: Registered protocol family 38
May 29 23:21:49 hostmachine kernel: [ 3621.282054] AVX or AES-NI instructions are not detected.
May 29 23:21:50 hostmachine kernel: [ 3621.332375] AVX or AES-NI instructions are not detected.
May 29 23:21:50 hostmachine kernel: [ 3621.394450] alg: No test for xcbc(camellia) (xcbc(camellia-asm))
May 29 23:21:50 hostmachine kernel: [ 3621.436211] alg: No test for rfc3686(ctr(camellia)) (rfc3686(ctr-camellia-asm))
May 29 23:21:50 hostmachine kernel: [ 3621.445352] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.559730] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.593517] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.682207] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.750485] tun: Universal TUN/TAP device driver, 1.6
May 29 23:21:50 hostmachine charon: 00[LIB] created TUN device: ipsec0
May 29 23:21:50 hostmachine systemd-networkd[281]: ipsec0: Link UP
May 29 23:21:50 hostmachine systemd-networkd[281]: ipsec0: Gained carrier
May 29 23:21:50 hostmachine systemd-networkd[281]: ipsec0: Gained IPv6LL
May 29 23:21:50 hostmachine systemd-udevd[6556]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
May 29 23:21:50 hostmachine charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 29 23:21:50 hostmachine charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 29 23:21:50 hostmachine charon: 00[CFG] loaded 0 RADIUS server configurations
May 29 23:21:50 hostmachine charon: 00[CFG] HA config misses local/remote address
May 29 23:21:50 hostmachine charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-libipsec kernel-netlink resolve socket-default bypass-lan connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
May 29 23:21:50 hostmachine charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
May 29 23:21:50 hostmachine charon: 00[JOB] spawning 16 worker threads
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 172.17.0.0/16
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 172.18.0.0/16
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 172.25.0.0/16
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 192.168.189.0/24
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy 192.168.189.1/32 === 192.168.189.1/32 out
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 192.168.189.1/32
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for ::1/128
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for fe80::/64
May 29 23:21:50 hostmachine charon: 08[IKE] interface change for bypass policy for fe80::/64 (from enp1s0 to ipsec0)
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
May 29 23:21:50 hostmachine ipsec[6423]: charon (6427) started after 580 ms
May 29 23:22:04 hostmachine charon: 00[DMN] SIGINT received, shutting down
May 29 23:22:04 hostmachine systemd[1]: Stopping strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf...
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 172.17.0.0/16
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 172.18.0.0/16
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 172.25.0.0/16
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 192.168.189.0/24
May 29 23:22:04 hostmachine systemd-networkd[281]: ipsec0: Link DOWN
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 192.168.189.1/32
May 29 23:22:04 hostmachine systemd-networkd[281]: ipsec0: Lost carrier
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for ::1/128
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for fe80::/64
May 29 23:22:04 hostmachine ipsec[6427]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.0-23-amd64, x86_64)
May 29 23:22:04 hostmachine ipsec[6427]: 00[LIB] created TUN device: ipsec0
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loaded 0 RADIUS server configurations
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] HA config misses local/remote address
May 29 23:22:04 hostmachine ipsec[6427]: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-libipsec kernel-netlink resolve socket-default bypass-lan connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
May 29 23:22:04 hostmachine ipsec[6427]: 00[LIB] dropped capabilities, running as uid 0, gid 0
May 29 23:22:04 hostmachine ipsec[6427]: 00[JOB] spawning 16 worker threads
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 172.17.0.0/16
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 172.18.0.0/16
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 172.25.0.0/16
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 192.168.189.0/24
May 29 23:22:04 hostmachine ipsec[6427]: 08[KNL] error installing route with policy 192.168.189.1/32 === 192.168.189.1/32 out
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 192.168.189.1/32
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for ::1/128
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 23:22:04 hostmachine ipsec[6427]: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for fe80::/64
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] interface change for bypass policy for fe80::/64 (from enp1s0 to ipsec0)
May 29 23:22:04 hostmachine ipsec[6427]: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out

非常感谢任何想法。

相关内容