
Strongswan LTE connection re-establishment problem

Thank you for your help with my previous Strongswan problem, and let me ask for your help once more. I have two networks connected to a Strongswan server through two Mikrotik routers. The first router is connected to the Internet via a cable modem, the second via an LTE mobile network. The IPsec and IKEv2 configurations on both routers are identical (except for the private network definition).

Mikrotik routers:

/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1h pfs-group=none
/ip ipsec peer add address=87.236.194.196/32 dh-group=modp1024 enc-algorithm=aes-256 exchange-mode=ike2 lifetime=8h secret=XYZ
/ip ipsec policy add dst-address=192.168.80.0/24 sa-dst-address=87.236.194.196 sa-src-address=0.0.0.0 src-address=192.168.XX.0/24 tunnel=yes

Strongswan server:

config setup
  charondebug="all"
  uniqueids=yes
  strictcrlpolicy=no

conn %default
  keyexchange=ikev2

conn tunnel
  reauth=no
  rightsendcert=never
  left=87.236.194.196
  leftsubnet=192.168.80.0/24
  right=%any
  rightsubnet=0.0.0.0/0
  keyingtries=0
  ikelifetime=1h
  lifetime=8h
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear
  authby=secret
  auto=route
  type=tunnel

I am testing the reliability of these connections, so I power on the router, wait until the connection is established, start pinging from the server to the router, then switch the router off for a minute, and then switch it back on. With the router connected over the cable network it behaves as I would expect: the router is unreachable from the moment I switch it off until it has been switched on again and the connection re-established, and then the ping resumes after a little more than a minute.

Here is the log from the server:

Jun 19 19:09:32 mvvk4-1 charon: 13[NET] received packet: from 89.102.219.9[4500] to 87.236.194.196[4500] (296 bytes)
Jun 19 19:09:32 mvvk4-1 charon: 13[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Jun 19 19:09:32 mvvk4-1 charon: 13[IKE] 89.102.219.9 is initiating an IKE_SA
Jun 19 19:09:32 mvvk4-1 charon: 13[IKE] remote host is behind NAT
Jun 19 19:09:32 mvvk4-1 charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun 19 19:09:32 mvvk4-1 charon: 13[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (312 bytes)
Jun 19 19:09:32 mvvk4-1 charon: 15[NET] received packet: from 89.102.219.9[4500] to 87.236.194.196[4500] (300 bytes)
Jun 19 19:09:32 mvvk4-1 charon: 15[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr ]
Jun 19 19:09:32 mvvk4-1 charon: 15[CFG] looking for peer configs matching 87.236.194.196[%any]...89.102.219.9[192.168.1.137]
Jun 19 19:09:32 mvvk4-1 charon: 15[CFG] selected peer config 'tunnel'
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] authentication of '192.168.1.137' with pre-shared key successful
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] authentication of '87.236.194.196' (myself) with pre-shared key
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] IKE_SA tunnel[42] established between 87.236.194.196[87.236.194.196]...89.102.219.9[192.168.1.137]
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] scheduling rekeying in 2962s
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] maximum IKE_SA lifetime 3502s
Jun 19 19:09:32 mvvk4-1 charon: 15[IKE] CHILD_SA tunnel{58} established with SPIs c394e689_i 037ac6e1_o and TS 192.168.80.0/24 === 192.168.88.0/24
Jun 19 19:09:32 mvvk4-1 charon: 15[CFG] sending RADIUS Accounting-Request to server 'local'
Jun 19 19:09:32 mvvk4-1 charon: 15[CFG] received RADIUS Accounting-Response from server 'local'
Jun 19 19:09:32 mvvk4-1 charon: 15[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Jun 19 19:09:32 mvvk4-1 charon: 15[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (204 bytes)
Jun 19 19:10:16 mvvk4-1 charon: 05[IKE] sending DPD request
Jun 19 19:10:16 mvvk4-1 charon: 05[ENC] generating INFORMATIONAL request 0 [ ]
Jun 19 19:10:16 mvvk4-1 charon: 05[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (76 bytes)
Jun 19 19:10:20 mvvk4-1 charon: 15[IKE] retransmit 1 of request with message ID 0
Jun 19 19:10:20 mvvk4-1 charon: 15[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (76 bytes)
Jun 19 19:10:27 mvvk4-1 charon: 10[IKE] retransmit 2 of request with message ID 0
Jun 19 19:10:27 mvvk4-1 charon: 10[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (76 bytes)
Jun 19 19:10:40 mvvk4-1 charon: 05[IKE] retransmit 3 of request with message ID 0
Jun 19 19:10:40 mvvk4-1 charon: 05[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (76 bytes)
Jun 19 19:10:50 mvvk4-1 charon: 08[NET] received packet: from 89.102.219.9[4500] to 87.236.194.196[4500] (296 bytes)
Jun 19 19:10:50 mvvk4-1 charon: 08[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Jun 19 19:10:50 mvvk4-1 charon: 08[IKE] 89.102.219.9 is initiating an IKE_SA
Jun 19 19:10:50 mvvk4-1 charon: 08[IKE] remote host is behind NAT
Jun 19 19:10:50 mvvk4-1 charon: 08[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun 19 19:10:50 mvvk4-1 charon: 08[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (312 bytes)
Jun 19 19:10:50 mvvk4-1 charon: 14[NET] received packet: from 89.102.219.9[4500] to 87.236.194.196[4500] (300 bytes)
Jun 19 19:10:50 mvvk4-1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr ]
Jun 19 19:10:50 mvvk4-1 charon: 14[CFG] looking for peer configs matching 87.236.194.196[%any]...89.102.219.9[192.168.1.137]
Jun 19 19:10:50 mvvk4-1 charon: 14[CFG] selected peer config 'tunnel'
Jun 19 19:10:50 mvvk4-1 charon: 14[IKE] authentication of '192.168.1.137' with pre-shared key successful
Jun 19 19:10:50 mvvk4-1 charon: 14[IKE] destroying duplicate IKE_SA for peer '192.168.1.137', received INITIAL_CONTACT
Jun 19 19:10:50 mvvk4-1 charon: 14[CFG] sending RADIUS Accounting-Request to server 'local'
Jun 19 19:10:51 mvvk4-1 charon: 14[CFG] received RADIUS Accounting-Response from server 'local'
Jun 19 19:10:51 mvvk4-1 charon: 14[IKE] authentication of '87.236.194.196' (myself) with pre-shared key
Jun 19 19:10:51 mvvk4-1 charon: 14[IKE] IKE_SA tunnel[43] established between 87.236.194.196[87.236.194.196]...89.102.219.9[192.168.1.137]
Jun 19 19:10:51 mvvk4-1 charon: 14[IKE] scheduling rekeying in 2673s
Jun 19 19:10:51 mvvk4-1 charon: 14[IKE] maximum IKE_SA lifetime 3213s
Jun 19 19:10:51 mvvk4-1 charon: 14[IKE] CHILD_SA tunnel{59} established with SPIs c962c381_i 04c993a8_o and TS 192.168.80.0/24 === 192.168.88.0/24
Jun 19 19:10:51 mvvk4-1 charon: 14[CFG] sending RADIUS Accounting-Request to server 'local'
Jun 19 19:10:51 mvvk4-1 charon: 14[CFG] received RADIUS Accounting-Response from server 'local'
Jun 19 19:10:51 mvvk4-1 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Jun 19 19:10:51 mvvk4-1 charon: 14[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (204 bytes)
Jun 19 19:11:39 mvvk4-1 charon: 12[IKE] sending DPD request
Jun 19 19:11:39 mvvk4-1 charon: 12[ENC] generating INFORMATIONAL request 0 [ ]
Jun 19 19:11:39 mvvk4-1 charon: 12[NET] sending packet: from 87.236.194.196[4500] to 89.102.219.9[4500] (76 bytes)
Jun 19 19:11:39 mvvk4-1 charon: 07[NET] received packet: from 89.102.219.9[4500] to 87.236.194.196[4500] (108 bytes)
Jun 19 19:11:39 mvvk4-1 charon: 07[ENC] parsed INFORMATIONAL response 0 [ ]
Jun 19 19:12:09 mvvk4-1 charon: 12[IKE] sending DPD request

When I do the same with the router connected via the LTE network, the situation is completely different.

Here is the log after switching the router on with a delay of about a minute:

Jun 20 18:36:46 mvvk4-1 charon: 14[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
Jun 20 18:36:46 mvvk4-1 charon: 14[IKE] 89.24.60.60 is initiating an IKE_SA
Jun 20 18:36:46 mvvk4-1 charon: 14[IKE] remote host is behind NAT
Jun 20 18:36:46 mvvk4-1 charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Jun 20 18:36:46 mvvk4-1 charon: 14[NET] sending packet: from 87.236.194.196[4500] to 89.24.60.60[38055] (312 bytes)
Jun 20 18:36:46 mvvk4-1 charon: 13[NET] received packet: from 89.24.60.60[38055] to 87.236.194.196[4500] (332 bytes)
Jun 20 18:36:46 mvvk4-1 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr ]
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] looking for peer configs matching 87.236.194.196[%any]...89.24.60.60[100.80.138.125]
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] selected peer config 'tunnel'
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] authentication of '100.80.138.125' with pre-shared key successful
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] authentication of '87.236.194.196' (myself) with pre-shared key
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] IKE_SA tunnel[75] established between 87.236.194.196[87.236.194.196]...89.24.60.60[100.80.138.125]
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] scheduling rekeying in 2874s
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] maximum IKE_SA lifetime 3414s
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 in (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 fwd (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 in (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 fwd (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] unable to install IPsec policies (SPD) in kernel
Jun 20 18:36:46 mvvk4-1 charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.80.0/24 === 192.168.150.0/24 out failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 in failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 fwd failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.80.0/24 === 192.168.150.0/24 out failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 in failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 fwd failed, not found
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] sending RADIUS Accounting-Request to server 'local'
Jun 20 18:36:46 mvvk4-1 charon: 13[CFG] received RADIUS Accounting-Response from server 'local'
Jun 20 18:36:46 mvvk4-1 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(TS_UNACCEPT) ]
Jun 20 18:36:46 mvvk4-1 charon: 13[NET] sending packet: from 87.236.194.196[4500] to 89.24.60.60[38055] (124 bytes)
Jun 20 18:36:51 mvvk4-1 charon: 10[NET] received packet: from 89.24.60.60[38055] to 87.236.194.196[4500] (252 bytes)
Jun 20 18:36:51 mvvk4-1 charon: 10[ENC] parsed CREATE_CHILD_SA request 2 [ No SA TSi TSr ]
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 in (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 fwd (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 in (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[CFG] unable to install policy 192.168.150.0/24 === 192.168.80.0/24 fwd (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 mvvk4-1 charon: 10[IKE] unable to install IPsec policies (SPD) in kernel
Jun 20 18:36:51 mvvk4-1 charon: 10[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.80.0/24 === 192.168.150.0/24 out failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 in failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 fwd failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.80.0/24 === 192.168.150.0/24 out failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 in failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[KNL] deleting policy 192.168.150.0/24 === 192.168.80.0/24 fwd failed, not found
Jun 20 18:36:51 mvvk4-1 charon: 10[ENC] generating CREATE_CHILD_SA response 2 [ N(TS_UNACCEPT) ]
Jun 20 18:36:51 mvvk4-1 charon: 10[NET] sending packet: from 87.236.194.196[4500] to 89.24.60.60[38055] (76 bytes)
Jun 20 18:36:56 mvvk4-1 charon: 06[NET] received packet: from 89.24.60.60[38055] to 87.236.194.196[4500] (268 bytes)
Jun 20 18:36:56 mvvk4-1 charon: 06[ENC] parsed CREATE_CHILD_SA request 3 [ No SA TSi TSr ]

Finally, after 5 retransmits, a new connection is established.

8:38:14 mvvk4-1 charon: 08[IKE] giving up after 5 retransmits
Jun 20 18:38:14 mvvk4-1 charon: 08[CFG] sending RADIUS Accounting-Request to server 'local'
Jun 20 18:38:14 mvvk4-1 charon: 08[CFG] received RADIUS Accounting-Response from server 'local'
Jun 20 18:38:17 mvvk4-1 charon: 09[NET] received packet: from 89.24.60.60[38055] to 87.236.194.196[4500] (252 bytes)
Jun 20 18:38:17 mvvk4-1 charon: 09[ENC] parsed CREATE_CHILD_SA request 19 [ No SA TSi TSr ]
Jun 20 18:38:17 mvvk4-1 charon: 09[IKE] CHILD_SA tunnel{71} established with SPIs c27e6319_i 04d17e54_o and TS 192.168.80.0/24 === 192.168.150.0/24
Jun 20 18:38:17 mvvk4-1 charon: 09[ENC] generating CREATE_CHILD_SA response 19 [ SA No TSi TSr ]
Jun 20 18:38:17 mvvk4-1 charon: 09[NET] sending packet: from 87.236.194.196[4500] to 89.24.60.60[38055] (204 bytes)
Jun 20 18:38:47 mvvk4-1 charon: 15[IKE] sending DPD request
Jun 20 18:38:47 mvvk4-1 charon: 15[ENC] generating INFORMATIONAL request 0 [ ]
Jun 20 18:38:47 mvvk4-1 charon: 15[NET] sending packet: from 87.236.194.196[4500] to 89.24.60.60[38055] (76 bytes)
Jun 20 18:38:47 mvvk4-1 charon: 16[NET] received packet: from 89.24.60.60[38055] to 87.236.194.196[4500] (92 bytes)
Jun 20 18:38:47 mvvk4-1 charon: 16[ENC] parsed INFORMATIONAL response 0 [ ]

but the router still remains unreachable until the first rekeying of this new connection.

Could someone be so kind as to help me solve this problem? Thanks in advance.
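As an added illustration (not part of the original question or its follow-up), the following Python script scans charon log lines for the pattern visible in the LTE log above: a freshly negotiated CHILD_SA whose kernel policies are refused because an older reqid still owns the same traffic selectors, followed by repeated "failed to establish CHILD_SA" entries until a CHILD_SA finally comes up. It reports the blocking reqid, the rejected reqids and the resulting outage length. The host name and the sample lines are constructed for this example, modelled on the posted log.

```python
"""Added example: detect the stale-policy reconnect failure in charon logs.

The sample lines below are constructed for this example, modelled on the
log in the question (host name and values are illustrative, not captured).
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Jun 20 18:36:46 vpn-gw charon: 13[IKE] IKE_SA tunnel[75] established between 87.236.194.196[87.236.194.196]...89.24.60.60[100.80.138.125]
Jun 20 18:36:46 vpn-gw charon: 13[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 53, the same policy for reqid 52 exists
Jun 20 18:36:46 vpn-gw charon: 13[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 20 18:36:51 vpn-gw charon: 10[CFG] unable to install policy 192.168.80.0/24 === 192.168.150.0/24 out (mark 0/0x00000000) for reqid 54, the same policy for reqid 52 exists
Jun 20 18:36:51 vpn-gw charon: 10[IKE] failed to establish CHILD_SA, keeping IKE_SA
Jun 20 18:38:14 vpn-gw charon: 08[IKE] giving up after 5 retransmits
Jun 20 18:38:17 vpn-gw charon: 09[IKE] CHILD_SA tunnel{71} established with SPIs c27e6319_i 04d17e54_o and TS 192.168.80.0/24 === 192.168.150.0/24
"""

# Syslog timestamp at the start of each line (no year, as in the posted log).
TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
# The CFG message charon emits when a policy for the same selectors is already owned by another reqid.
POLICY_RE = re.compile(
    r"unable to install policy (\S+) === (\S+) (out|in|fwd) .*"
    r"for reqid (\d+), the same policy for reqid (\d+) exists")
FAIL_RE = re.compile(r"failed to establish CHILD_SA, keeping IKE_SA")
GIVEUP_RE = re.compile(r"giving up after (\d+) retransmits")
CHILD_OK_RE = re.compile(r"CHILD_SA \S+ established with SPIs .* and TS (\S+) === (\S+)")


def _stamp(line):
    """Parse the syslog timestamp; the missing year is fine for intra-day deltas."""
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S") if m else None


def analyze(log_text):
    """Summarise the stale-policy pattern in a block of charon log lines.

    Returns a dict with the kernel reqid that blocked the new CHILD_SAs, the
    reqids that were rejected, the affected selectors, the number of failed
    CHILD_SA attempts, the retransmit count charon gave up after, and the
    outage in seconds from the first rejection to the first successful
    CHILD_SA (None for anything not seen in the input).
    """
    report = {
        "blocking_reqid": None, "rejected_reqids": [], "selectors": set(),
        "failed_child_sas": 0, "gave_up_after": None,
        "first_failure": None, "recovered_at": None, "outage_seconds": None,
    }
    for line in log_text.splitlines():
        ts = _stamp(line)
        m = POLICY_RE.search(line)
        if m:
            src, dst, _direction, new_reqid, old_reqid = m.groups()
            report["blocking_reqid"] = int(old_reqid)
            if int(new_reqid) not in report["rejected_reqids"]:
                report["rejected_reqids"].append(int(new_reqid))
            report["selectors"].add(frozenset((src, dst)))
            if report["first_failure"] is None:
                report["first_failure"] = ts
            continue
        if FAIL_RE.search(line):
            report["failed_child_sas"] += 1
            continue
        m = GIVEUP_RE.search(line)
        if m:
            report["gave_up_after"] = int(m.group(1))
            continue
        m = CHILD_OK_RE.search(line)
        # Only the first CHILD_SA that comes up after a rejection ends the outage.
        if m and report["first_failure"] is not None and report["recovered_at"] is None:
            report["recovered_at"] = ts
            report["outage_seconds"] = int((ts - report["first_failure"]).total_seconds())
    return report


def is_stale_policy_incident(report):
    """True when a new CHILD_SA was refused because an older reqid still owned
    the same selectors, i.e. the pattern from the LTE log in the question."""
    return report["blocking_reqid"] is not None and report["failed_child_sas"] > 0


if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    if is_stale_policy_incident(r):
        print("stale policy for reqid %d blocked reqids %s; %d CHILD_SA attempts failed; "
              "traffic down for %s s" % (r["blocking_reqid"], r["rejected_reqids"],
                                         r["failed_child_sas"], r["outage_seconds"]))
```

Run against a real charon log (for example `journalctl -u strongswan` piped into `analyze`) the same check separates a peer that merely needs the DPD timeout to expire from one whose old CHILD_SA policy is still installed in the kernel and keeps every new negotiation from carrying traffic, which is the condition the posted LTE log shows between 18:36:46 and 18:38:17.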

So, on Jessie I completely removed the Strongswan 5.2.1 package and installed Strongswan 5.6.3 from source with the default ./configure options. The problem described above is completely gone.