S2S VPN - cannot ping B from A, unless A pings B

I am setting up a site-to-site VPN between two networks inside a private cloud. I installed Strongswan on both ends and established the VPN connection.

The problem is that I cannot ping from A (10.0.1.0/24) to B (172.30.0.0/16). Strangely, when I ping from B to A, it fixes the traffic from A to B, but only for a while, and I am not sure what exactly is causing this; probably not rekeying.

/etc/ipsec.conf on the VPN gateway of A (65.21.51.x and 10.0.1.x):

config setup
    charondebug="all"
    uniqueids=yes
conn A-to-B
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    left=65.21.51.x
    leftid=65.21.51.x
    leftsubnet=10.0.1.0/24
    right=195.201.46.x
    rightid=195.201.46.x
    rightsubnet=172.30.0.0/16
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    aggressive=no
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart

/etc/ipsec.conf on B (195.201.46.x and 172.30.0.x):

config setup
    charondebug="all"
    uniqueids=yes
conn B-to-A
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    left=195.201.46.x
    leftid=195.201.46.x
    leftsubnet=172.30.0.0/16
    right=65.21.51.x
    rightid=65.21.51.x
    rightsubnet=10.0.1.0/24
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    aggressive=no
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart

ipsec statusall on A (the problematic tunnel) after restarting the tunnel:

Listening IP addresses:
  65.21.51.x
  10.0.1.x
Connections:
A-to-B:   child:  10.0.1.0/24 === 172.30.0.0/16 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
A-to-B[2]: ESTABLISHED 2 minutes ago, 65.21.51.x[65.21.51.x]...195.201.46.x[195.201.46.x]
A-to-B[2]: IKEv2 SPIs: 9eafc9ec4ffa378f_i 72859622332da6cb_r*, pre-shared key reauthentication in 13 minutes
A-to-B[2]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
A-to-B{5}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2b406e2_i c801b7d3_o
A-to-B{5}:  3DES_CBC/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
A-to-B{5}:   10.0.1.0/24 === 172.30.0.0/16

After the failure:

Listening IP addresses:
  65.21.51.x
  10.0.1.14
Connections:
A-to-B:  65.21.51.x...195.201.46.x  IKEv2, dpddelay=30s
A-to-B:   local:  [65.21.51.x] uses pre-shared key authentication
A-to-B:   remote: [195.201.46.x] uses pre-shared key authentication
A-to-B:   child:  10.0.1.0/24 === 172.30.0.0/16 TUNNEL, dpdaction=restart
Security Associations (0 up, 0 connecting):
  none

IP routes on A:

default via 172.31.1.1 dev eth0 proto dhcp src 65.21.51.x metric 100 
10.0.0.0/8 via 10.0.0.1 dev ens10 proto dhcp src 10.0.1.x metric 100 
10.0.0.1 dev ens10 proto dhcp scope link src 10.0.1.x metric 100 
172.30.0.0/16 via 10.0.0.1 dev ens10 proto static metric 100 onlink 

iptables-save output on A:

# Generated by iptables-save v1.8.7 on Wed Jan  3 11:19:49 2024
*filter
:INPUT ACCEPT [134136:140300437]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [93293:11784956]
COMMIT
# Completed on Wed Jan  3 11:19:49 2024
# Generated by iptables-save v1.8.7 on Wed Jan  3 11:19:49 2024
*nat
:PREROUTING ACCEPT [668:57544]
:INPUT ACCEPT [135:20236]
:OUTPUT ACCEPT [753:60165]
:POSTROUTING ACCEPT [226:25545]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.30.0.0/16 -o ens10 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.30.0.0/16 -o ens10 -j MASQUERADE
COMMIT
# Completed on Wed Jan  3 11:19:49 202

A few lines from /var/log/syslog on the A server:

Jan  3 11:00:07 A charon: 10[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Jan  3 11:00:07 A charon: 10[IKE] CHILD_SA dyvenia-infra-dev_dyvenia-faam-prod{5} established with SPIs c2b406e2_i c801b7d3_o and TS 10.0.1.0/24 === 172.30.0.0/16
Jan  3 11:00:43 A charon: 13[KNL] creating delete job for CHILD_SA ESP/0xc2b406e2/65.21.51.x
Jan  3 11:00:43 A charon: 13[IKE] closing expired CHILD_SA dyvenia-infra-dev_dyvenia-faam-prod{5} with SPIs c2b406e2_i c801b7d3_o and TS 10.0.1.0/24 === 172.30.0.0/16
Jan  3 11:00:43 A charon: 13[IKE] sending DELETE for ESP CHILD_SA with SPI c2b406e2
Jan  3 11:00:43 A charon: 13[IKE] scheduling CHILD_SA recreate after hard expire
Jan  3 11:00:43 A charon: 13[ENC] generating INFORMATIONAL request 8 [ D ]
Jan  3 11:00:43 A charon: 13[NET] sending packet: from 65.21.51.x[4500] to 195.201.46.x[4500] (68 bytes)
Jan  3 11:00:43 A charon: 12[KNL] creating delete job for CHILD_SA ESP/0xc801b7d3/195.201.46.x
Jan  3 11:00:43 A charon: 01[NET] received packet: from 195.201.46.x[4500] to 65.21.51.x[4500] (68 bytes)

I don't know what else would be interesting; please tell me what I can send to help solve this.

It is also important that it worked fine before. I had to reinstall the B VM, and after that it stopped working.

I also tried using arp, but it did not seem to change anything, so maybe it is not a case like this one: cannot ping B from A until B pings A

Also, I created a new VM that could replace A and ran into the same problem. I also created a new VM similar to B and connected A' with B'; the problem is the same. So it is probably something I set up incorrectly that causes this, but it is hard to say what exactly.

Edit: I also did some tests during the night and seem to have found a workaround that may help find the solution. I basically ran `nohup ping 10.0.1.x &` from the B network to the A network, and everything works. So the problem is that when there is no traffic and no new tunnel is established, the tunnel gets removed.
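The quoted syslog lines already contain the key timing: the CHILD_SA is "established" at 11:00:07 and closed as "expired" at 11:00:43, 36 seconds later, while ipsec.conf sets lifetime=3600s and statusall reports "rekeying disabled". The script below is an added example (not the poster's code and not part of strongSwan) that makes that comparison mechanical: it parses charon log lines and the conn section from ipsec.conf, reports CHILD_SAs whose observed lifetime is far below the configured one, and flags the 3des/sha1/modp1024 proposals as legacy algorithms. The sample input is copied from the post; the syslog year, the log-line regexes and the list of algorithms treated as weak are this example's own assumptions.

```python
"""Audit charon logs and ipsec.conf for premature CHILD_SA expiry and weak proposals.

Added example for this post; not the poster's code and not a strongSwan tool.
Assumptions: syslog year (syslog omits it), charon message formats as quoted
in the post, and the WEAK_ALGS list below.
"""
import re
from datetime import datetime

# Log lines copied from the post (only the lines the parser needs).
SYSLOG = """\
Jan  3 11:00:07 A charon: 10[CFG] selected proposal: ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Jan  3 11:00:07 A charon: 10[IKE] CHILD_SA dyvenia-infra-dev_dyvenia-faam-prod{5} established with SPIs c2b406e2_i c801b7d3_o and TS 10.0.1.0/24 === 172.30.0.0/16
Jan  3 11:00:43 A charon: 13[KNL] creating delete job for CHILD_SA ESP/0xc2b406e2/65.21.51.x
Jan  3 11:00:43 A charon: 13[IKE] closing expired CHILD_SA dyvenia-infra-dev_dyvenia-faam-prod{5} with SPIs c2b406e2_i c801b7d3_o and TS 10.0.1.0/24 === 172.30.0.0/16
"""

# Excerpt of the A-side ipsec.conf from the post.
IPSEC_CONF = """\
conn A-to-B
    type=tunnel
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    ikelifetime=28800s
    lifetime=3600s
"""

# "Mon DD HH:MM:SS host charon: NN[GROUP] message"
LOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ charon: \d+\[(\w+)\] (.*)$")
EST_RE = re.compile(r"CHILD_SA (\S+)\{(\d+)\} established with SPIs (\w+)_i (\w+)_o")
EXP_RE = re.compile(r"closing expired CHILD_SA (\S+)\{(\d+)\} with SPIs (\w+)_i (\w+)_o")

# Algorithms this example treats as legacy; adjust to local policy.
WEAK_ALGS = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "modp1536"}


def parse_time(stamp, year=2024):
    """Syslog carries no year, so one is assumed for the time arithmetic."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_lifetime(conf_text):
    """Return the configured CHILD_SA lifetime in seconds (strongSwan 'lifetime=')."""
    m = re.search(r"^\s*lifetime=(\d+)([smhd]?)\s*$", conf_text, re.M)
    if not m:
        return 3600  # strongSwan's default when the key is absent
    unit = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}[m.group(2)]
    return int(m.group(1)) * unit


def child_sa_lifetimes(log_text):
    """Map (conn name, inbound SPI) -> seconds between 'established' and 'closing expired'."""
    established, observed = {}, {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stamp, _group, msg = m.groups()
        e = EST_RE.search(msg)
        if e:
            established[(e.group(1), e.group(3))] = parse_time(stamp)
            continue
        x = EXP_RE.search(msg)
        if x and (x.group(1), x.group(3)) in established:
            key = (x.group(1), x.group(3))
            observed[key] = (parse_time(stamp) - established[key]).total_seconds()
    return observed


def premature_expiries(log_text, conf_text, ratio=0.5):
    """CHILD_SAs that expired before `ratio` of the configured lifetime elapsed."""
    configured = parse_lifetime(conf_text)
    return [(conn, spi, secs)
            for (conn, spi), secs in child_sa_lifetimes(log_text).items()
            if secs < configured * ratio]


def weak_proposals(conf_text):
    """(keyword, algorithm) pairs from ike=/esp= lines that appear in WEAK_ALGS."""
    findings = []
    for m in re.finditer(r"^\s*(ike|esp)=(\S+)", conf_text, re.M):
        for proposal in m.group(2).rstrip("!").split(","):
            for alg in proposal.split("-"):
                if alg.lower() in WEAK_ALGS:
                    findings.append((m.group(1), alg))
    return findings


if __name__ == "__main__":
    for conn, spi, secs in premature_expiries(SYSLOG, IPSEC_CONF):
        print(f"{conn} SPI {spi}: expired after {secs:.0f}s, "
              f"configured lifetime {parse_lifetime(IPSEC_CONF)}s")
    for keyword, alg in weak_proposals(IPSEC_CONF):
        print(f"{keyword}= uses legacy algorithm {alg}")
```

Running it against the quoted lines reports the CHILD_SA for the post's conn name expiring after 36 s against a 3600 s lifetime, which is the mismatch worth raising with whichever side is shortening the SA; the proposal findings are a separate hardening item and do not explain the expiry.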
