(Note: I am indeed using pfSense, but I am only looking at the ipsec.conf file, since pfSense does not seem particularly relevant to this problem.)
We are getting the following error from charon:
Aug 2 21:10:10 vpn-left charon: 13[CFG] <con2000|2049> looking for a child config for 100.127.7.8/32|/0 === 100.127.6.8/32|/0
Aug 2 21:10:10 vpn-left charon: 13[IKE] <con2000|2049> traffic selectors 100.127.7.8/32|/0 === 100.127.6.8/32|/0 unacceptable
Aug 2 21:10:10 vpn-left charon: 13[IKE] <con2000|2049> failed to establish CHILD_SA, keeping IKE_SA
Aug 2 21:10:10 vpn-left charon: 13[ENC] <con2000|2049> generating CREATE_CHILD_SA response 131 [ N(TS_UNACCEPT) ]
The corresponding ipsec.conf is:
conn con2000
    fragmentation = yes
    keyexchange = ikev2
    reauth = yes
    forceencaps = no
    mobike = no
    rekey = yes
    installpolicy = yes
    type = tunnel
    dpdaction = restart
    dpddelay = 10s
    dpdtimeout = 60s
    auto = route
    left = <snip>
    right = <snip>
    leftid = <snip>
    ikelifetime = 86400s
    lifetime = 3600s
    ike = aes256-sha256-modp2048!
    esp = aes256gcm128-sha256-modp2048!
    leftauth = psk
    rightauth = psk
    rightid = <snip>
    rightsubnet = 100.127.6.4,100.127.6.2,100.127.6.8,100.127.6.6
    leftsubnet = 100.127.7.4|10.10.0.66,100.127.7.2|10.10.0.0/16,100.127.7.8|10.10.0.67,100.127.7.6|10.10.0.0/16
In this setup I am left, and the organisation we are peering with is right. That is, from my point of view local == left and remote == right.
This is attempting to set up 4 child SAs. We know that the first and the last SA listed in this configuration are working. The child SA that charon cannot find here should be the third one in the list. If I strip away all the surrounding information and swap the lines so that the left one comes first:
# looking for […] 100.127.7.8/32|/0 === 100.127.6.8/32|/0
leftsubnet = […],100.127.7.8|10.10.0.67,[…]
rightsubnet = […],100.127.6.8,[…]
I am starting to wonder whether I am blind: this matches exactly... doesn't it? I do not understand why the incoming TS does not match this part of the configuration.
(What confuses us even more is that the first child SA appears to work; it is essentially the same configuration with only slightly different IP addresses!)
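To make the manual comparison above repeatable, here is an added checker (not part of the original question or of strongSwan) that parses the traffic selectors out of the quoted charon "looking for a child config" line and tests them against the conn's leftsubnet/rightsubnet lists. The log and subnet strings are copied from the question; the trailing "|/0" on charon's selectors is read as its protocol/port suffix (0 = any), and the part before "|" in the question's leftsubnet entries is taken as the local selector.

```python
import ipaddress
import re

# Copied from the charon log and ipsec.conf quoted in the question (constructed test input).
CHARON_LOG = """\
Aug 2 21:10:10 vpn-left charon: 13[CFG] <con2000|2049> looking for a child config for 100.127.7.8/32|/0 === 100.127.6.8/32|/0
Aug 2 21:10:10 vpn-left charon: 13[IKE] <con2000|2049> traffic selectors 100.127.7.8/32|/0 === 100.127.6.8/32|/0 unacceptable
"""
LEFTSUBNET = "100.127.7.4|10.10.0.66,100.127.7.2|10.10.0.0/16,100.127.7.8|10.10.0.67,100.127.7.6|10.10.0.0/16"
RIGHTSUBNET = "100.127.6.4,100.127.6.2,100.127.6.8,100.127.6.6"

TS_LINE = re.compile(r"looking for a child config for (\S+) === (\S+)")


def parse_charon_ts(token):
    """'100.127.7.8/32|/0' -> (IPv4Network('100.127.7.8/32'), '/0').

    charon prints a selector as addr/mask followed by '|' and a protocol/port
    part; '/0' means any protocol and port (assumption documented in the lead-in)."""
    net, _, protoport = token.partition("|")
    return ipaddress.ip_network(net, strict=False), protoport or "/0"


def parse_subnet_list(value):
    """Split an ipsec.conf comma list; keep only the selector before any '|'
    (the second half is the NAT-mapped network in the question's notation)."""
    return [ipaddress.ip_network(item.split("|", 1)[0].strip(), strict=False)
            for item in value.split(",")]


def requested_ts(log):
    """Return (local_ts, remote_ts) from the first 'looking for a child config' line."""
    for line in log.splitlines():
        m = TS_LINE.search(line)
        if m:
            return parse_charon_ts(m.group(1))[0], parse_charon_ts(m.group(2))[0]
    return None


def matching_pairs(local_ts, remote_ts, leftsubnet=LEFTSUBNET, rightsubnet=RIGHTSUBNET):
    """List (index, left, right) for every configured pair, taken position by
    position as the question reads the config, that covers the requested TS pair."""
    lefts, rights = parse_subnet_list(leftsubnet), parse_subnet_list(rightsubnet)
    return [(i, l, r) for i, (l, r) in enumerate(zip(lefts, rights))
            if local_ts.subnet_of(l) and remote_ts.subnet_of(r)]


if __name__ == "__main__":
    local, remote = requested_ts(CHARON_LOG)
    for i, l, r in matching_pairs(local, remote):
        print(f"pair #{i + 1}: {l} === {r} covers {local} === {remote}")
```

Running it prints that the third pair covers the requested selectors, which is exactly the positional match described in the question; the comparison is selector-only and does not model how charon groups a comma list into a single CHILD_SA config.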