
strongSwan initiator takes forever to connect

Lately I have been having rather strange problems with my VPN setup. Some clients cannot connect for a long time. Then it works for a while, until it stops again. All systems involved (initiators and responder) are updated and upgraded Debian. The same strongSwan packages are installed (libcharon-extra-plugins strongswan-charon strongswan-starter libstrongswan-extra-plugins). Same configuration (obviously the usernames and IP addresses differ). Most initiators are virtual machines on the same host. Same configuration regarding the network. Some show this problem, others do not. If a client behaves problematically, it stays that way. Most clients have been running without problems for several months.

Another problem may or may not be related. In my setup the initiators can connect to each other through the VPN. That works for most of them, but some cannot reach their peers and cannot be reached by them. Here too, once a client has this problem, it keeps it.

The responder shows a load of 0.00 and 800 MB of 2 GB free.

My configs:

Responder:

root@ipsec-1:/home/karsten# cat /etc/ipsec.conf 
config setup
    charondebug="ike 0, knl 0, cfg 0"

conn GoogleCloud
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    eap_identity=%identity
    left=%any
    leftid=@ipsec.xxxxxxxxx
    leftcert=fullchain.pem
    leftsendcert=always
    leftsubnet=172.31.0.2/24
    rightdns=172.31.0.1
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=%config
    rightsendcert=never
    auto=add

Initiator:

root@ROUTER:/home/karsten# cat /etc/ipsec.conf 
config setup
   charondebug="ike 0, knl 0, cfg 0"

conn routerhome
   dpdaction=clear
   dpddelay=300s
   fragmentation=yes
   type=tunnel
   keyexchange=ikev2
   eap_identity=routerhome
   left=%defaultroute
   leftsourceip=172.31.0.151
   leftauth=eap-mschapv2
   rightauth=pubkey
   right=35.xxx.xxx.xx
   rightsubnet=172.31.0.0/24
   rightid=%any
   auto=route

eap_identity and leftsourceip differ between the initiators.

root@ipsec-1:/home/karsten# ipsec status
Security Associations (16 up, 0 connecting):

Syslog of the problematic client:

Jun  5 19:20:01 Openxpki CRON[8343]: (root) CMD (   ping -c 5 172.31.0.1 > /dev/null)
Jun  5 19:20:32 Openxpki charon: 14[JOB] CHILD_SA ESP/0xce0decda/192.168.1.251 not found for delete
Jun  5 19:20:32 Openxpki charon: 11[IKE] initiating IKE_SA openxpki[48] to 35.xxx
Jun  5 19:20:32 Openxpki charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun  5 19:20:32 Openxpki charon: 11[NET] sending packet: from 192.168.1.251[500] to xxx[500] (1080 bytes)
Jun  5 19:20:32 Openxpki charon: 16[NET] received packet: from 35.xxx[500] to 192.168.1.251[500] (272 bytes)
Jun  5 19:20:32 Openxpki charon: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jun  5 19:20:32 Openxpki charon: 16[IKE] establishing CHILD_SA openxpki{145}
Jun  5 19:20:32 Openxpki charon: 16[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jun  5 19:20:32 Openxpki charon: 16[NET] sending packet: from 192.168.1.251[4500] to 35.xxx[4500] (368 bytes)
Jun  5 19:20:36 Openxpki charon: 05[NET] sending packet: from 192.168.1.251[4500] to 35.xxx[4500] (368 bytes)
Jun  5 19:20:43 Openxpki charon: 07[NET] sending packet: from 192.168.1.251[4500] to 35.xxx[4500] (368 bytes)
Jun  5 19:20:56 Openxpki charon: 13[NET] sending packet: from 192.168.1.251[4500] to 35.xxx[4500] (368 bytes)
Jun  5 19:21:20 Openxpki charon: 02[NET] sending packet: from 192.168.1.251[4500] to 35.xxx[4500] (368 bytes)

Any ideas?

Update: today ipsec on the Openxpki initiator works fine. The connection is established and the VPN peers are reachable.

Now there is a problem with the Proxmox host. The IPsec connection is established, but the peers are unreachable. The host itself also cannot be reached from the other peers, that is, through the VPN. No problems when using the local IPs.

root@P-T1650:/home/karsten# ipsec statusall
Status of IKE charon daemon (strongSwan 5.7.2, Linux 5.4.41-1-pve, x86_64):
  uptime: 58 minutes, since Jun 08 02:28:42 2020
  malloc: sbrk 3080192, mmap 0, used 1131120, free 1949072
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
  192.168.1.147
  2a01:c22:3434:9900:92b1:1cff:fe9c:82a0
  2a01:c23:5c09:1100:92b1:1cff:fe9c:82a0
Connections:
      athome:  %any...35.xxx  IKEv2, dpddelay=300s
      athome:   local:  uses EAP_MSCHAPV2 authentication with EAP identity 'proxmoxhome'
      athome:   remote: uses public key authentication
      athome:   child:  dynamic === 172.31.0.0/24 TUNNEL, dpdaction=clear
Routed Connections:
      athome{1}:  ROUTED, TUNNEL, reqid 1
      athome{1}:   192.168.1.147/32 === 172.31.0.0/24
Security Associations (1 up, 0 connecting):
      athome[1]: ESTABLISHED 58 minutes ago, 192.168.1.147[192.168.1.147]...35.xxx[ipsec.xxx]
      athome[1]: IKEv2 SPIs: dfdcf7762d70554a_i* e8fb6db55242bdb8_r, EAP reauthentication in 103 minutes
      athome[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
      athome{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c09f2550_i cfc03b8d_o
      athome{3}:  AES_CBC_128/HMAC_SHA2_256_128, 0 bytes_i, 24164 bytes_o (243 pkts, 5s ago), rekeying in 28 minutes
      athome{3}:   172.31.0.150/32 === 172.31.0.0/24

root@P-T1650:/home/karsten# ip route list table 220
172.31.0.0/24 via 192.168.1.1 dev vmbr0 proto static src 172.31.0.150

This kind of problem occurs from time to time. Restarting ipsec does not fix it.

The wazuh agent sends its logs to the wazuh server through the VPN. Now it cannot:

root@P-T1650:/home/karsten# tail -f /var/ossec/logs/ossec.log
2020/06/08 03:34:09 ossec-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: '172.31.0.164'.
2020/06/08 03:34:20 ossec-agentd: INFO: Trying to connect to server (172.31.0.164:1514/udp).
2020/06/08 03:34:41 ossec-agentd: WARNING: (4101): Waiting for server reply (not started). Tried: '172.31.0.164'.
2020/06/08 03:34:52 ossec-agentd: INFO: Trying to connect to server (172.31.0.164:1514/udp).

When the ipsec service is stopped, it looks like this:

2020/06/08 03:34:58 ossec-agentd: ERROR: (1218): Unable to send message to 'server': Network is unreachable
2020/06/08 03:35:03 ossec-agentd: ERROR: (1218): Unable to send message to 'server': Network is unreachable
2020/06/08 03:35:09 ossec-agentd: ERROR: (1218): Unable to send message to 'server': Network is unreachable
2020/06/08 03:35:16 ossec-agentd: ERROR: (1218): Unable to send message to 'server': Network is unreachable

Starting ipsec with charondebug="ike 2, knl 2, cfg 2":

Jun  8 03:44:06 P-T1650 systemd[1]: Stopped strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Jun  8 03:44:19 P-T1650 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Jun  8 03:44:19 P-T1650 ipsec[9539]: Starting strongSwan 5.7.2 IPsec [starter]...
Jun  8 03:44:19 P-T1650 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 5.4.41-1-pve, x86_64)
Jun  8 03:44:20 P-T1650 charon: 00[CFG] PKCS11 module '<name>' lacks library path
Jun  8 03:44:20 P-T1650 charon: 00[KNL] known interfaces and IP addresses:
Jun  8 03:44:20 P-T1650 charon: 00[KNL]   lo
Jun  8 03:44:20 P-T1650 charon: 00[KNL]     127.0.0.1
Jun  8 03:44:20 P-T1650 charon: 00[KNL]     ::1
Jun  8 03:44:20 P-T1650 charon: 00[KNL]   eno1
Jun  8 03:44:20 P-T1650 charon: 00[KNL]   vmbr0
Jun  8 03:44:20 P-T1650 charon: 00[KNL]     192.168.1.147
Jun  8 03:44:20 P-T1650 charon: 00[KNL]     2a01:c22:3434:9900:92b1:1cff:fe9c:82a0
Jun  8 03:44:20 P-T1650 charon: 00[KNL]     fe80::92b1:1cff:fe9c:82a0
Jun  8 03:44:20 P-T1650 charon: 00[KNL]   vmbr1
Jun  8 03:44:20 P-T1650 charon: 00[KNL]     fe80::8c04:b8ff:feb5:c59f
Jun  8 03:44:20 P-T1650 charon: 00[KNL]   tap104i0
.
.
.
Jun  8 03:44:20 P-T1650 charon: 00[JOB] spawning 16 worker threads
Jun  8 03:44:20 P-T1650 ipsec[9539]: charon (9565) started after 20 ms
Jun  8 03:44:20 P-T1650 charon: 05[CFG] received stroke: add connection 'athome'
Jun  8 03:44:20 P-T1650 charon: 05[CFG] conn athome
Jun  8 03:44:20 P-T1650 charon: 05[CFG]   left=%any
Jun  8 03:44:20 P-T1650 charon: 05[CFG]   leftsourceip=172.31.0.150
Jun  8 03:44:20 P-T1650 charon: 05[CFG]   leftauth=eap-mschapv2
Jun  8 03:44:20 P-T1650 charon: 05[CFG]   right=35.238.244.88
Jun  8 03:44:20 P-T1650 charon: 05[CFG]   rightsubnet=172.31.0.0/24
Jun  8 03:44:20 P-T1650 charon: 05[CFG]   rightauth=pubkey
Jun  8 03:44:20 P-T1650 charon: 05[CFG]   rightid=%any
Jun  8 03:44:20 P-T1650 charon: 05[CFG]   eap_identity=proxmoxhome
Jun  8 03:44:20 P-T1650 charon: 05[CFG]   dpddelay=300
Jun  8 03:44:20 P-T1650 charon: 05[CFG]   dpdtimeout=150
Jun  8 03:44:20 P-T1650 charon: 05[CFG]   dpdaction=1
Jun  8 03:44:20 P-T1650 charon: 05[CFG]   sha256_96=no
Jun  8 03:44:20 P-T1650 charon: 05[CFG]   mediation=no
Jun  8 03:44:20 P-T1650 charon: 05[CFG]   keyexchange=ikev2
Jun  8 03:44:20 P-T1650 ipsec[9539]: 'athome' routed
Jun  8 03:44:20 P-T1650 charon: 05[KNL] 35.xxx is not a local address or the interface is down
Jun  8 03:44:20 P-T1650 charon: 05[CFG] added configuration 'athome'
Jun  8 03:44:20 P-T1650 charon: 08[CFG] received stroke: route 'athome'
Jun  8 03:44:20 P-T1650 charon: 08[KNL] using 192.168.1.147 as address to reach 35.238.244.88/32
Jun  8 03:44:20 P-T1650 charon: 08[CFG] configured proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Jun  8 03:44:20 P-T1650 charon: 08[KNL] adding policy 172.31.0.0/24 === 192.168.1.147/32 in [priority 371328, refcount 1]
Jun  8 03:44:20 P-T1650 charon: 08[KNL] adding policy 172.31.0.0/24 === 192.168.1.147/32 fwd [priority 371328, refcount 1]
Jun  8 03:44:20 P-T1650 charon: 08[KNL] adding policy 192.168.1.147/32 === 172.31.0.0/24 out [priority 371328, refcount 1]
Jun  8 03:44:20 P-T1650 charon: 08[KNL] getting a local address in traffic selector 192.168.1.147/32
Jun  8 03:44:20 P-T1650 charon: 08[KNL] using host 192.168.1.147
Jun  8 03:44:20 P-T1650 charon: 08[KNL] getting iface name for index 3
Jun  8 03:44:20 P-T1650 charon: 08[KNL] using 192.168.1.1 as nexthop and vmbr0 as dev to reach 35.238.244.88/32
Jun  8 03:44:20 P-T1650 charon: 08[KNL] installing route: 172.31.0.0/24 via 192.168.1.1 src 192.168.1.147 dev vmbr0
Jun  8 03:44:20 P-T1650 charon: 08[KNL] getting iface index for vmbr0
Jun  8 03:44:30 P-T1650 charon: 10[KNL] received a XFRM_MSG_ACQUIRE
Jun  8 03:44:30 P-T1650 charon: 10[KNL]   XFRMA_TMPL
Jun  8 03:44:30 P-T1650 charon: 10[KNL] creating acquire job for policy 192.168.1.147/32[udp/34832] === 172.31.0.1/32[udp/1025] with reqid {1}
Jun  8 03:44:30 P-T1650 ipsec[9539]: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 5.4.41-1-pve, x86_64)
Jun  8 03:44:30 P-T1650 ipsec[9539]: 00[CFG] PKCS11 module '<name>' lacks library path
Jun  8 03:44:30 P-T1650 ipsec[9539]: 00[KNL] known interfaces and IP addresses:
Jun  8 03:44:30 P-T1650 ipsec[9539]: 00[KNL]   lo
Jun  8 03:44:30 P-T1650 ipsec[9539]: 00[KNL]     127.0.0.1
Jun  8 03:44:30 P-T1650 ipsec[9539]: 00[KNL]     ::1
Jun  8 03:44:30 P-T1650 ipsec[9539]: 00[KNL]   eno1
Jun  8 03:44:30 P-T1650 ipsec[9539]: 00[KNL]   vmbr0
Jun  8 03:44:30 P-T1650 ipsec[9539]: 00[KNL]     192.168.1.147
Jun  8 03:44:30 P-T1650 ipsec[9539]: 00[KNL]     2a01:c22:3434:9900:92b1:1cff:fe9c:82a0
Jun  8 03:44:30 P-T1650 ipsec[9539]: 00[KNL]     fe80::92b1:1cff:fe9c:82a0
Jun  8 03:44:30 P-T1650 ipsec[9539]: 00[KNL]   vmbr1
Jun  8 03:44:30 P-T1650 ipsec[9539]: 00[KNL]     fe80::8c04:b8ff:feb5:c59f
Jun  8 03:44:30 P-T1650 ipsec[9539]: 00[KNL]   tap104i0
.
.
.
Jun  8 03:44:30 P-T1650 charon: 11[IKE] IKE_SA athome[1] state change: CREATED => CONNECTING
.
.
.
Jun  8 03:44:30 P-T1650 charon: 11[CFG] sending supported signature hash algorithms: sha256 sha384 sha512 identity
Jun  8 03:44:30 P-T1650 charon: 11[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jun  8 03:44:30 P-T1650 charon: 11[NET] sending packet: from 192.168.1.147[500] to 35.xxx[500] (1080 bytes)
Jun  8 03:44:30 P-T1650 charon: 12[NET] received packet: from 35.xxx[500] to 192.168.1.147[500] (272 bytes)
Jun  8 03:44:30 P-T1650 charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Jun  8 03:44:30 P-T1650 charon: 12[IKE] received FRAGMENTATION_SUPPORTED notify
Jun  8 03:44:30 P-T1650 charon: 12[IKE] received SIGNATURE_HASH_ALGORITHMS notify
Jun  8 03:44:30 P-T1650 ipsec[9539]: 11[KNL] using 192.168.1.147 as address to reach 35.238.244.88/32
.
.
.
Jun  8 03:44:30 P-T1650 charon: 12[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
Jun  8 03:44:30 P-T1650 charon: 12[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Jun  8 03:44:30 P-T1650 charon: 12[IKE] local host is behind NAT, sending keep alives
Jun  8 03:44:30 P-T1650 charon: 12[IKE] remote host is behind NAT
Jun  8 03:44:30 P-T1650 charon: 12[IKE] reinitiating already active tasks
Jun  8 03:44:30 P-T1650 charon: 12[IKE]   IKE_CERT_PRE task
Jun  8 03:44:30 P-T1650 charon: 12[IKE]   IKE_AUTH task
Jun  8 03:44:30 P-T1650 charon: 12[IKE] sending cert request for "O=Digital Signature Trust Co., CN=DST Root CA X3"
Jun  8 03:44:30 P-T1650 charon: 12[CFG] no IDi configured, fall back on IP address
Jun  8 03:44:30 P-T1650 charon: 12[IKE] building INTERNAL_IP4_DNS attribute
Jun  8 03:44:30 P-T1650 charon: 12[CFG] proposing traffic selectors for us:
Jun  8 03:44:30 P-T1650 charon: 12[CFG]  0.0.0.0/0
Jun  8 03:44:30 P-T1650 charon: 12[CFG] proposing traffic selectors for other:
Jun  8 03:44:30 P-T1650 charon: 12[CFG]  172.31.0.0/24
Jun  8 03:44:30 P-T1650 charon: 12[CFG] configured proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Jun  8 03:44:30 P-T1650 charon: 12[IKE] establishing CHILD_SA athome{2} reqid 1
Jun  8 03:44:30 P-T1650 charon: 12[KNL] got SPI c2cc1356
Jun  8 03:44:30 P-T1650 charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jun  8 03:44:30 P-T1650 charon: 12[NET] sending packet: from 192.168.1.147[4500] to 35.xxx[4500] (368 bytes)
Jun  8 03:44:30 P-T1650 charon: 13[NET] received packet: from 35.xxx[4500] to 192.168.1.147[4500] (1236 bytes)
Jun  8 03:44:30 P-T1650 charon: 13[ENC] parsed IKE_AUTH response 1 [ EF(1/3) ]
Jun  8 03:44:30 P-T1650 charon: 13[ENC] received fragment #1 of 3, waiting for complete IKE message
Jun  8 03:44:30 P-T1650 charon: 15[NET] received packet: from 35.xxx[4500] to 192.168.1.147[4500] (1236 bytes)
Jun  8 03:44:30 P-T1650 charon: 15[ENC] parsed IKE_AUTH response 1 [ EF(2/3) ]
Jun  8 03:44:30 P-T1650 charon: 15[ENC] received fragment #2 of 3, waiting for complete IKE message
Jun  8 03:44:30 P-T1650 charon: 14[NET] received packet: from 35.xxx[4500] to 192.168.1.147[4500] (644 bytes)
Jun  8 03:44:30 P-T1650 charon: 14[ENC] parsed IKE_AUTH response 1 [ EF(3/3) ]
Jun  8 03:44:30 P-T1650 charon: 14[ENC] received fragment #3 of 3, reassembled fragmented IKE message (2976 bytes)
Jun  8 03:44:30 P-T1650 charon: 14[ENC] parsed IKE_AUTH response 1 [ IDr CERT CERT AUTH EAP/REQ/ID ]
Jun  8 03:44:30 P-T1650 charon: 14[IKE] received end entity cert "CN=ipsec.xxx"
Jun  8 03:44:30 P-T1650 charon: 14[IKE] received issuer cert "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
.
.
.
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[CFG] selecting traffic selectors for us:
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[CFG]  config: 172.31.0.150/32, received: 172.31.0.150/32 => match: 172.31.0.150/32
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[CFG] selecting traffic selectors for other:
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[CFG]  config: 172.31.0.0/24, received: 172.31.0.0/24 => match: 172.31.0.0/24
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] adding SAD entry with SPI c2cc1356 and reqid {1}
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL]   using encryption algorithm AES_CBC with key size 128
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL]   using integrity algorithm HMAC_SHA2_256_128 with key size 256
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL]   using replay window of 32 packets
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL]   HW offload: no
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] adding SAD entry with SPI cc78d74c and reqid {1}
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL]   using encryption algorithm AES_CBC with key size 128
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL]   using integrity algorithm HMAC_SHA2_256_128 with key size 256
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL]   using replay window of 0 packets
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL]   HW offload: no
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] adding policy 172.31.0.0/24 === 172.31.0.150/32 in [priority 371327, refcount 1]
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] adding policy 172.31.0.0/24 === 172.31.0.150/32 fwd [priority 371327, refcount 1]
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] adding policy 172.31.0.150/32 === 172.31.0.0/24 out [priority 371327, refcount 1]
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] getting a local address in traffic selector 172.31.0.150/32
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] using host 172.31.0.150
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] getting iface name for index 3
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] using 192.168.1.1 as nexthop and vmbr0 as dev to reach 35.238.244.88/32
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] installing route: 172.31.0.0/24 via 192.168.1.1 src 172.31.0.150 dev vmbr0
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[KNL] getting iface index for vmbr0
Jun  8 03:44:31 P-T1650 charon: 07[KNL] virtual IP 172.31.0.150 installed on vmbr0
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[IKE] CHILD_SA athome{2} established with SPIs c2cc1356_i cc78d74c_o and TS 172.31.0.150/32 === 172.31.0.0/24
Jun  8 03:44:31 P-T1650 ipsec[9539]: 07[IKE] received AUTH_LIFETIME of 9863s, scheduling reauthentication in 9323s
.
.
.
Jun  8 03:44:31 P-T1650 charon: 07[CFG] selecting traffic selectors for us:
Jun  8 03:44:31 P-T1650 charon: 07[CFG]  config: 172.31.0.150/32, received: 172.31.0.150/32 => match: 172.31.0.150/32
Jun  8 03:44:31 P-T1650 charon: 07[CFG] selecting traffic selectors for other:
Jun  8 03:44:31 P-T1650 charon: 07[CFG]  config: 172.31.0.0/24, received: 172.31.0.0/24 => match: 172.31.0.0/24
Jun  8 03:44:31 P-T1650 charon: 07[KNL] adding SAD entry with SPI c2cc1356 and reqid {1}
Jun  8 03:44:31 P-T1650 charon: 07[KNL]   using encryption algorithm AES_CBC with key size 128
Jun  8 03:44:31 P-T1650 charon: 07[KNL]   using integrity algorithm HMAC_SHA2_256_128 with key size 256
Jun  8 03:44:31 P-T1650 charon: 07[KNL]   using replay window of 32 packets
Jun  8 03:44:31 P-T1650 charon: 07[KNL]   HW offload: no
Jun  8 03:44:31 P-T1650 charon: 07[KNL] adding SAD entry with SPI cc78d74c and reqid {1}
Jun  8 03:44:31 P-T1650 charon: 07[KNL]   using encryption algorithm AES_CBC with key size 128
Jun  8 03:44:31 P-T1650 charon: 07[KNL]   using integrity algorithm HMAC_SHA2_256_128 with key size 256
Jun  8 03:44:31 P-T1650 charon: 07[KNL]   using replay window of 0 packets
Jun  8 03:44:31 P-T1650 charon: 07[KNL]   HW offload: no
Jun  8 03:44:31 P-T1650 charon: 07[KNL] adding policy 172.31.0.0/24 === 172.31.0.150/32 in [priority 371327, refcount 1]
Jun  8 03:44:31 P-T1650 charon: 07[KNL] adding policy 172.31.0.0/24 === 172.31.0.150/32 fwd [priority 371327, refcount 1]
Jun  8 03:44:31 P-T1650 charon: 07[KNL] adding policy 172.31.0.150/32 === 172.31.0.0/24 out [priority 371327, refcount 1]
Jun  8 03:44:31 P-T1650 charon: 07[KNL] getting a local address in traffic selector 172.31.0.150/32
Jun  8 03:44:31 P-T1650 charon: 07[KNL] using host 172.31.0.150
Jun  8 03:44:31 P-T1650 charon: 07[KNL] getting iface name for index 3
Jun  8 03:44:31 P-T1650 charon: 07[KNL] using 192.168.1.1 as nexthop and vmbr0 as dev to reach 35.238.244.88/32
Jun  8 03:44:31 P-T1650 charon: 07[KNL] installing route: 172.31.0.0/24 via 192.168.1.1 src 172.31.0.150 dev vmbr0
Jun  8 03:44:31 P-T1650 charon: 07[KNL] getting iface index for vmbr0
Jun  8 03:44:31 P-T1650 charon: 07[IKE] CHILD_SA athome{2} established with SPIs c2cc1356_i cc78d74c_o and TS 172.31.0.150/32 === 172.31.0.0/24
Jun  8 03:44:31 P-T1650 charon: 07[IKE] received AUTH_LIFETIME of 9863s, scheduling reauthentication in 9323s
Jun  8 03:44:31 P-T1650 charon: 07[IKE] peer supports MOBIKE
Jun  8 03:44:31 P-T1650 charon: 07[IKE] activating new tasks
Jun  8 03:44:31 P-T1650 charon: 07[IKE] nothing to initiate
Jun  8 03:44:31 P-T1650 charon: 11[KNL] getting iface index for vmbr0
Jun  8 03:44:31 P-T1650 charon: 11[KNL] getting iface index for vmbr0

After rebooting the responder server, the initiator that previously could not connect but worked today cannot connect again.

root@Openxpki:/home/karsten# ipsec statusall 
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-9-amd64, x86_64):
  uptime: 3 minutes, since Jun 08 08:47:13 2020
  malloc: sbrk 2940928, mmap 0, used 962544, free 1978384
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
  192.168.1.251
  2a01:c22:3434:9900:a00:27ff:feeb:7283
Connections:
    openxpki:  %any...35.238.244.88  IKEv2, dpddelay=300s
    openxpki:   local:  uses EAP_MSCHAPV2 authentication with EAP identity 'openxpkihome'
    openxpki:   remote: uses public key authentication
    openxpki:   child:  dynamic === 172.31.0.0/24 TUNNEL, dpdaction=clear
Routed Connections:
    openxpki{1}:  ROUTED, TUNNEL, reqid 1
    openxpki{1}:   192.168.1.251/32 === 172.31.0.0/24
Security Associations (0 up, 1 connecting):
    openxpki[1]: CONNECTING, 192.168.1.251[192.168.1.251]...35.238.244.88[%any]
    openxpki[1]: IKEv2 SPIs: 82eef527dc777857_i* 0c6594db8ab2676e_r
    openxpki[1]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
    openxpki[1]: Tasks active: IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE 

Syslog:

Jun  8 08:55:31 Openxpki ipsec[15972]: 07[CFG] received supported signature hash algorithms: sha256 sha384 sha512 identity
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[IKE] reinitiating already active tasks
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[IKE]   IKE_CERT_PRE task
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[IKE]   IKE_AUTH task
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[IKE] sending cert request for "O=Digital Signature Trust Co., CN=DST Root CA X3"
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[CFG] no IDi configured, fall back on IP address
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[IKE] building INTERNAL_IP4_DNS attribute
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[CFG] proposing traffic selectors for us:
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[CFG]  0.0.0.0/0
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[CFG] proposing traffic selectors for other:
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[CFG]  172.31.0.0/24
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[CFG] configured proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[IKE] establishing CHILD_SA openxpki{3}
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[KNL] got SPI ce2cfd23
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ CPRQ(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[NET] sending packet: from 192.168.1.251[4500] to 35.238.244.88[4500] (368 bytes)
Jun  8 08:55:31 Openxpki ipsec[15972]: 10[IKE] retransmit 1 of request with message ID 1
Jun  8 08:55:31 Openxpki ipsec[15972]: 10[NET] sending packet: from 192.168.1.251[4500] to 35.238.244.88[4500] (368 bytes)
Jun  8 08:55:31 Openxpki ipsec[15972]: 11[IKE] retransmit 2 of request with message ID 1
Jun  8 08:55:31 Openxpki ipsec[15972]: 11[NET] sending packet: from 192.168.1.251[4500] to 35.238.244.88[4500] (368 bytes)
Jun  8 08:55:31 Openxpki ipsec[15972]: 13[IKE] retransmit 3 of request with message ID 1
Jun  8 08:55:31 Openxpki ipsec[15972]: 13[NET] sending packet: from 192.168.1.251[4500] to 35.238.244.88[4500] (368 bytes)
Jun  8 08:55:31 Openxpki ipsec[15972]: 14[IKE] retransmit 4 of request with message ID 1
Jun  8 08:55:31 Openxpki ipsec[15972]: 14[NET] sending packet: from 192.168.1.251[4500] to 35.238.244.88[4500] (368 bytes)
Jun  8 08:55:31 Openxpki ipsec[15972]: 16[IKE] retransmit 5 of request with message ID 1
Jun  8 08:55:31 Openxpki ipsec[15972]: 16[NET] sending packet: from 192.168.1.251[4500] to 35.238.244.88[4500] (368 bytes)
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[KNL] received a XFRM_MSG_ACQUIRE
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[KNL]   XFRMA_TMPL
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[KNL]   XFRMA_POLICY_TYPE
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[KNL] creating acquire job for policy 192.168.1.251/32[udp/47894] === 172.31.0.1/32[udp/1025] with reqid {1}
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[IKE] queueing CHILD_CREATE task
Jun  8 08:55:31 Openxpki ipsec[15972]: 07[IKE] delaying task initiation, IKE_AUTH exchange in progress
Jun  8 08:55:31 Openxpki ipsec[15972]: 11[KNL] received a XFRM_MSG_EXPIRE
Jun  8 08:55:31 Openxpki ipsec[15972]: 11[KNL] creating delete job for CHILD_SA ESP/0xce2cfd23/192.168.1.251
Jun  8 08:55:31 Openxpki charon: 13[IKE] peer not responding, trying again (3/3)
Jun  8 08:55:31 Openxpki ipsec[15972]: 11[JOB] CHILD_SA ESP/0xce2cfd23/192.168.1.251 not found for delete
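One way to turn syslog excerpts like the ones above into a verdict per handshake attempt, as an added example that is not part of the question and not strongSwan's own code: it groups charon lines into IKE_SA attempts, drops the duplicate copies the ipsec starter logs under its own prefix, and reports whether each attempt never got an IKE_SA_INIT reply, stalled after sending IKE_AUTH, or completed. It assumes the syslog layout shown in the question (both the `charon:` and `ipsec[pid]:` prefixes); the sample lines are constructed in that layout and 203.0.113.10 is a placeholder peer address.

```python
"""Classify IKEv2 handshake attempts in strongSwan charon syslog output.
Added example, not code from the question or from strongSwan; sample lines are
constructed in the question's log format and 203.0.113.10 is a placeholder peer."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Accepts "host charon: 11[IKE] msg" and the starter's copy "host ipsec[1234]: 11[IKE] msg".
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?:charon|ipsec)(?:\[\d+\])?: "
                     r"(?P<thread>\d\d)\[(?P<group>[A-Z]+)\] (?P<msg>.*)$")
INITIATING_RE = re.compile(r"initiating IKE_SA (?P<conn>\S+)\[\d+\] to (?P<peer>\S+)")
SENDING_RE = re.compile(r"sending packet: from \S+\[\d+\] to \S+\[(?P<dport>\d+)\]")


@dataclass
class Attempt:
    conn: str
    peer: str
    started: str
    init_answered: bool = False  # "parsed IKE_SA_INIT response" seen (the UDP/500 leg)
    auth_sent: bool = False      # "generating IKE_AUTH request" seen
    auth_sends: int = 0          # IKE_AUTH transmissions, retransmits included
    auth_port: str = ""          # destination UDP port of those transmissions
    auth_answered: bool = False  # any "parsed IKE_AUTH response", fragments included
    gave_up: bool = False        # "peer not responding"

    def verdict(self) -> str:
        if self.auth_answered:
            return "completed-ike-auth"
        if self.auth_sent:
            return "stalled-at-ike-auth"
        return "no-ike-sa-init-response"


def analyze(lines: List[str]) -> List[Attempt]:
    """One pass over the log; a line logged twice (by charon and by the ipsec starter) counts once."""
    attempts: List[Attempt] = []
    current: Optional[Attempt] = None
    seen = set()
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m or (m["ts"], m["thread"], m["group"], m["msg"]) in seen:
            continue
        seen.add((m["ts"], m["thread"], m["group"], m["msg"]))
        ts, msg = m["ts"], m["msg"]
        if im := INITIATING_RE.search(msg):
            current = Attempt(im["conn"], im["peer"], ts)
            attempts.append(current)
            continue
        if current is None:
            if not msg.startswith(("parsed IKE_SA_INIT response", "generating IKE_AUTH request")):
                continue  # nothing to attach this line to yet
            # Excerpt begins mid-handshake (as the question's second syslog does).
            current = Attempt("(unknown)", "(unknown)", ts)
            attempts.append(current)
        if msg.startswith("parsed IKE_SA_INIT response"):
            current.init_answered = True
        elif msg.startswith("generating IKE_AUTH request"):
            current.auth_sent = True
        elif msg.startswith("parsed IKE_AUTH response"):
            current.auth_answered = True
        elif msg.startswith("peer not responding"):
            current.gave_up = True
        elif (sm := SENDING_RE.search(msg)) and current.auth_sent and not current.auth_answered:
            current.auth_sends += 1
            current.auth_port = sm["dport"]
    return attempts


def report(lines: List[str]) -> List[str]:
    out = []
    for a in analyze(lines):
        detail = ""
        if a.verdict() == "stalled-at-ike-auth":
            detail = (f" (IKE_SA_INIT answered, IKE_AUTH sent {a.auth_sends}x to UDP/{a.auth_port}"
                      f" with no reply{', peer declared not responding' if a.gave_up else ''})")
        out.append(f"{a.started} {a.conn} -> {a.peer}: {a.verdict()}{detail}")
    return out


SAMPLE_LOG = """\
Jun  5 19:20:32 Openxpki charon: 11[IKE] initiating IKE_SA openxpki[48] to 203.0.113.10
Jun  5 19:20:32 Openxpki charon: 16[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun  5 19:20:32 Openxpki charon: 16[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ SA TSi TSr N(EAP_ONLY) ]
Jun  5 19:20:32 Openxpki charon: 16[NET] sending packet: from 192.168.1.251[4500] to 203.0.113.10[4500] (368 bytes)
Jun  5 19:20:36 Openxpki charon: 05[NET] sending packet: from 192.168.1.251[4500] to 203.0.113.10[4500] (368 bytes)
Jun  5 19:20:36 Openxpki ipsec[15972]: 05[NET] sending packet: from 192.168.1.251[4500] to 203.0.113.10[4500] (368 bytes)
Jun  5 19:20:43 Openxpki charon: 07[NET] sending packet: from 192.168.1.251[4500] to 203.0.113.10[4500] (368 bytes)
Jun  5 19:21:20 Openxpki charon: 13[IKE] peer not responding, trying again (3/3)
Jun  8 03:44:30 P-T1650 charon: 11[IKE] initiating IKE_SA athome[1] to 203.0.113.10
Jun  8 03:44:30 P-T1650 charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Jun  8 03:44:30 P-T1650 charon: 12[ENC] generating IKE_AUTH request 1 [ IDi CERTREQ SA TSi TSr N(EAP_ONLY) ]
Jun  8 03:44:30 P-T1650 charon: 12[NET] sending packet: from 192.168.1.147[4500] to 203.0.113.10[4500] (368 bytes)
Jun  8 03:44:30 P-T1650 charon: 13[ENC] parsed IKE_AUTH response 1 [ EF(1/3) ]
"""

if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG.splitlines())))
```

Feed it real output, for instance the charon lines from /var/log/syslog, and read the verdicts. The distinction matters because IKE_SA_INIT travels on UDP/500 while, once both sides have detected NAT through the NATD notifies, IKE_AUTH moves to UDP/4500 (the logs above show exactly that port change), so a "stalled-at-ike-auth" verdict points at the UDP/4500 path or at the responder's handling of IKE_AUTH rather than at basic reachability, which "no-ike-sa-init-response" would indicate.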