Previously I used the strongswan-swanctl service up to strongSwan version 5.8.0 (or the strongswan service after that). But now I have found that sometimes on startup it does not load the configuration properly, even though the logs say that it does.
I use strongswan-swanctl because I have strongSwan version 5.6.2. I have a good case (when it loads correctly) and a bad one (when it does not). I do not change anything in the /etc/swanctl/swanctl.conf configuration, so the problem is not in that file.
This is my /etc/strongswan.conf file:
charon {
    delete_rekeyed = yes
    install_routes = yes
    install_virtual_ip = no
    install_virtual_ip_on = no
    load_modular = yes
    retry_initiate_interval = 30
    plugins {
        include strongswan.d/charon/*.conf
    }
}
And these are the good and the bad case respectively:
G:
-- Logs begin at Wed 2019-11-13 21:20:11 EET, end at Mon 2019-11-18 11:30:55 EET. --
Nov 18 11:30:26 automation-ipsec-gateway systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Nov 18 11:30:26 automation-ipsec-gateway charon-systemd[1000]: loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 18 11:30:26 automation-ipsec-gateway charon-systemd[1000]: loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 18 11:30:26 automation-ipsec-gateway charon-systemd[1000]: loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 18 11:30:26 automation-ipsec-gateway charon-systemd[1000]: loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 18 11:30:26 automation-ipsec-gateway charon-systemd[1000]: loading crls from '/etc/ipsec.d/crls'
Nov 18 11:30:26 automation-ipsec-gateway charon-systemd[1000]: loading secrets from '/etc/ipsec.secrets'
Nov 18 11:30:26 automation-ipsec-gateway charon-systemd[1000]: loaded plugins: charon-systemd charon-systemd aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown eap-mschapv2 xauth-generic counters
Nov 18 11:30:26 automation-ipsec-gateway charon-systemd[1000]: dropped capabilities, running as uid 0, gid 0
Nov 18 11:30:26 automation-ipsec-gateway charon-systemd[1000]: spawning 16 worker threads
Nov 18 11:30:27 automation-ipsec-gateway swanctl[1154]: no authorities found, 0 unloaded
Nov 18 11:30:27 automation-ipsec-gateway swanctl[1154]: loaded certificate from '/etc/swanctl/x509/autom-tester-cert.pem'
Nov 18 11:30:27 automation-ipsec-gateway swanctl[1154]: loaded certificate from '/etc/swanctl/x509/autom-server-cert.pem'
Nov 18 11:30:27 automation-ipsec-gateway swanctl[1154]: loaded certificate from '/etc/swanctl/x509/autom-client-cert.pem'
Nov 18 11:30:27 automation-ipsec-gateway swanctl[1154]: loaded certificate from '/etc/swanctl/x509ca/autom-ca-cert.pem'
Nov 18 11:30:27 automation-ipsec-gateway swanctl[1154]: loaded private key from '/etc/swanctl/private/autom-client-key.pem'
Nov 18 11:30:27 automation-ipsec-gateway swanctl[1154]: loaded private key from '/etc/swanctl/private/autom-ca-key.pem'
Nov 18 11:30:27 automation-ipsec-gateway swanctl[1154]: loaded private key from '/etc/swanctl/private/autom-tester-key.pem'
Nov 18 11:30:27 automation-ipsec-gateway swanctl[1154]: loaded private key from '/etc/swanctl/private/autom-server-key.pem'
Nov 18 11:30:27 automation-ipsec-gateway swanctl[1154]: loaded xauth secret 'xauth-ucpe'
Nov 18 11:30:27 automation-ipsec-gateway swanctl[1154]: loaded xauth secret 'xauth-tester'
Nov 18 11:30:27 automation-ipsec-gateway swanctl[1154]: loaded ike secret 'ike-sec'
Nov 18 11:30:27 automation-ipsec-gateway swanctl[1154]: loaded ike secret 'ike-local'
Nov 18 11:30:27 automation-ipsec-gateway swanctl[1154]: loaded pool 'pools_users'
Nov 18 11:30:27 automation-ipsec-gateway swanctl[1154]: successfully loaded 1 pools, 0 unloaded
Nov 18 11:30:27 automation-ipsec-gateway swanctl[1154]: loaded connection 'ch_vti0'
Nov 18 11:30:27 automation-ipsec-gateway swanctl[1154]: successfully loaded 1 connections, 0 unloaded
Nov 18 11:30:27 automation-ipsec-gateway systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
B:
-- Logs begin at Wed 2019-11-13 21:20:11 EET, end at Mon 2019-11-18 11:31:57 EET. --
Nov 18 11:31:39 automation-ipsec-gateway systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loading ca certificates from '/etc/ipsec.d/cacerts'
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loading aa certificates from '/etc/ipsec.d/aacerts'
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loading attribute certificates from '/etc/ipsec.d/acerts'
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loading crls from '/etc/ipsec.d/crls'
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loading secrets from '/etc/ipsec.secrets'
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loaded plugins: charon-systemd charon-systemd aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke vici updown eap-mschapv2 xauth-generic counters
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: dropped capabilities, running as uid 0, gid 0
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: spawning 16 worker threads
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loaded certificate 'CN=10.3.72.29'
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loaded certificate 'CN=10.3.199.180'
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loaded certificate 'CN=10.3.131.131'
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loaded certificate 'CN=VPN root CA'
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loaded ANY private key
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loaded ANY private key
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loaded ANY private key
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loaded ANY private key
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loaded EAP shared key with id 'xauth-ucpe' for: 'test1'
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loaded EAP shared key with id 'xauth-tester' for: 'test2'
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loaded IKE shared key with id 'ike-sec' for: '%any'
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: loaded IKE shared key with id 'ike-local' for: '10.3.80.180'
Nov 18 11:31:39 automation-ipsec-gateway swanctl[1062]: no authorities found, 0 unloaded
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: added vici pool pools_users: 172.13.14.2, 253 entries
Nov 18 11:31:39 automation-ipsec-gateway charon-systemd[916]: added vici connection: ch_vti0
Nov 18 11:31:39 automation-ipsec-gateway swanctl[1062]: loaded certificate from '/etc/swanctl/x509/autom-tester-cert.pem'
Nov 18 11:31:39 automation-ipsec-gateway swanctl[1062]: loaded certificate from '/etc/swanctl/x509/autom-server-cert.pem'
Nov 18 11:31:39 automation-ipsec-gateway swanctl[1062]: loaded certificate from '/etc/swanctl/x509/autom-client-cert.pem'
Nov 18 11:31:39 automation-ipsec-gateway swanctl[1062]: loaded certificate from '/etc/swanctl/x509ca/autom-ca-cert.pem'
Nov 18 11:31:39 automation-ipsec-gateway swanctl[1062]: loaded private key from '/etc/swanctl/private/autom-client-key.pem'
Nov 18 11:31:39 automation-ipsec-gateway swanctl[1062]: loaded private key from '/etc/swanctl/private/autom-ca-key.pem'
Nov 18 11:31:39 automation-ipsec-gateway swanctl[1062]: loaded private key from '/etc/swanctl/private/autom-tester-key.pem'
Nov 18 11:31:39 automation-ipsec-gateway swanctl[1062]: loaded private key from '/etc/swanctl/private/autom-server-key.pem'
Nov 18 11:31:39 automation-ipsec-gateway swanctl[1062]: loaded xauth secret 'xauth-ucpe'
Nov 18 11:31:39 automation-ipsec-gateway swanctl[1062]: loaded xauth secret 'xauth-tester'
Nov 18 11:31:39 automation-ipsec-gateway swanctl[1062]: loaded ike secret 'ike-sec'
Nov 18 11:31:39 automation-ipsec-gateway swanctl[1062]: loaded ike secret 'ike-local'
Nov 18 11:31:39 automation-ipsec-gateway swanctl[1062]: loaded pool 'pools_users'
Nov 18 11:31:39 automation-ipsec-gateway swanctl[1062]: successfully loaded 1 pools, 0 unloaded
Nov 18 11:31:39 automation-ipsec-gateway swanctl[1062]: loaded connection 'ch_vti0'
Nov 18 11:31:39 automation-ipsec-gateway swanctl[1062]: successfully loaded 1 connections, 0 unloaded
Nov 18 11:31:39 automation-ipsec-gateway systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
FYI: the strongswan and strongswan-swanctl services are enabled and start correctly at boot.
What could be the reason for this discrepancy? The only thing I do to reproduce this problem is reboot several times.
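Comparing two boots by eye, as the question does, is error-prone because every line differs in timestamp, PID and sometimes hostname. The following Python script is an added example (not part of the question and not strongSwan's own tooling) that normalises journalctl lines into (unit, message) events, reports the events that appear in only one of two boots, and checks that every connection you expect shows up in swanctl's "loaded connection" lines. The two log excerpts are constructed, shortened versions of the good and bad runs above; the journal line format (`Mon DD HH:MM:SS host unit[pid]: message`) is the one shown in the question.

```python
import re
from collections import Counter
from typing import Iterable, List, Set, Tuple

# Shape of a journalctl line: "Nov 18 11:30:26 host unit[pid]: message".
# The "-- Logs begin at ..." banner does not match and is skipped.
JOURNAL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<unit>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)

# Constructed, shortened excerpts modelled on the question's two boots.
GOOD_BOOT = """\
-- Logs begin at Wed 2019-11-13 21:20:11 EET, end at Mon 2019-11-18 11:30:55 EET. --
Nov 18 11:30:26 gw systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Nov 18 11:30:26 gw charon-systemd[1000]: spawning 16 worker threads
Nov 18 11:30:27 gw swanctl[1154]: loaded private key from '/etc/swanctl/private/autom-server-key.pem'
Nov 18 11:30:27 gw swanctl[1154]: loaded connection 'ch_vti0'
Nov 18 11:30:27 gw swanctl[1154]: successfully loaded 1 connections, 0 unloaded
Nov 18 11:30:27 gw systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
"""

BAD_BOOT = """\
Nov 18 11:31:39 gw systemd[1]: Starting strongSwan IPsec IKEv1/IKEv2 daemon using swanctl...
Nov 18 11:31:39 gw charon-systemd[916]: spawning 16 worker threads
Nov 18 11:31:39 gw charon-systemd[916]: loaded ANY private key
Nov 18 11:31:39 gw charon-systemd[916]: loaded ANY private key
Nov 18 11:31:39 gw charon-systemd[916]: added vici connection: ch_vti0
Nov 18 11:31:39 gw swanctl[1062]: loaded private key from '/etc/swanctl/private/autom-server-key.pem'
Nov 18 11:31:39 gw swanctl[1062]: loaded connection 'ch_vti0'
Nov 18 11:31:39 gw swanctl[1062]: successfully loaded 1 connections, 0 unloaded
Nov 18 11:31:39 gw systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
"""

Event = Tuple[str, str]


def parse_journal(text: str) -> List[Event]:
    """Return (unit, message) pairs; timestamp, host and PID are dropped
    because they differ on every boot and would hide the real changes."""
    events: List[Event] = []
    for line in text.splitlines():
        m = JOURNAL_RE.match(line)
        if m:
            events.append((m.group("unit"), m.group("msg")))
    return events


def diff_boots(good: str, bad: str) -> Tuple[List[Event], List[Event]]:
    """Events that occur only in the bad boot and only in the good boot.
    Counters (multisets) are used so that a message repeated N times in one
    boot and M times in the other is reported |N - M| times, not collapsed."""
    g = Counter(parse_journal(good))
    b = Counter(parse_journal(bad))
    only_bad = sorted((b - g).elements())
    only_good = sorted((g - b).elements())
    return only_bad, only_good


def loaded_connections(text: str) -> Set[str]:
    """Connection names that swanctl itself reports as loaded."""
    names: Set[str] = set()
    for unit, msg in parse_journal(text):
        m = re.match(r"loaded connection '([^']+)'", msg)
        if unit == "swanctl" and m:
            names.add(m.group(1))
    return names


def missing_connections(text: str, expected: Iterable[str]) -> Set[str]:
    """Expected connection names absent from swanctl's load report."""
    return set(expected) - loaded_connections(text)


if __name__ == "__main__":
    only_bad, only_good = diff_boots(GOOD_BOOT, BAD_BOOT)
    print("events only in the bad boot:")
    for unit, msg in only_bad:
        print(f"  {unit}: {msg}")
    print("events only in the good boot:")
    for unit, msg in only_good:
        print(f"  {unit}: {msg}")
    print("missing connections in bad boot:",
          missing_connections(BAD_BOOT, ["ch_vti0"]) or "none")
```

Feed it real output with `journalctl -b -u strongswan-swanctl` (or `-b -1` for the previous boot) saved to two files; the diff then shows exactly which daemon-side messages differ between runs instead of requiring a line-by-line comparison, and the missing-connections check can be run after every boot to catch a silently unloaded connection.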