主页 / user-958123

m. vokhm's questions

Martin Hope
m. vokhm
Asked: 2023-09-04 16:21:09 +0800 CST
  • 5

我正在尝试设置远程 VPN 服务器以从我的家用电脑访问互联网。它位于租用的 AWS VPS 上,带有DebianStrongswan. 它的目的是通过隧道接收我的流量,将其转发到互联网,接收来自互联网的响应,然后通过隧道将它们转发回我。我的电脑成功连接到它,它接收我的流量并将其转发到互联网,但它似乎没有收到来自互联网的响应,因此它无法按预期工作。Iptables显示从隧道到 Internet 的传出流量,但来自 Internet 的流量为零:

root@internal_aws_ip:/home/admin# iptables -L -nv
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
14667 2284K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
  595 56329 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    3   168 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
   13  7232 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:500
   35 19992 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:4500
   14  4592 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 8697  522K ACCEPT     all  --  *      *       10.10.10.0/24        0.0.0.0/0            policy match dir in pol ipsec proto 50
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            10.10.10.0/24        policy match dir out pol ipsec proto 50
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 8639 packets, 3433K bytes)
 pkts bytes target     prot opt in     out     source               destination

tcpdump还显示从隧道到互联网的流量,但没有反向流量:

root@internal_aws_ip:/home/admin# tcpdump port not ssh
....
06:46:19.605227 IP #HOME_PC#.ipsec-nat-t > #AWS_VPS#.eu-central-1.compute.internal.ipsec-nat-t: UDP-encap: ESP(spi=0xcbf6e396,seq=0x43), length 100
06:46:19.605227 IP ip-10-10-10-1.eu-central-1.compute.internal.50576 > dns.google.domain: 38403+ A? dns.msftncsi.com. (34)
06:46:19.605284 IP ip-10-10-10-1.eu-central-1.compute.internal.50576 > dns.google.domain: 38403+ A? dns.msftncsi.com. (34)
06:46:20.119576 IP #HOME_PC#.ipsec-nat-t > #AWS_VPS#.eu-central-1.compute.internal.ipsec-nat-t: UDP-encap: ESP(spi=0xcbf6e396,seq=0x44), length 100
06:46:20.119576 IP ip-10-10-10-1.eu-central-1.compute.internal.61302 > dns.google.domain: 42466+ A? dns.msftncsi.com. (34)
06:46:20.119634 IP ip-10-10-10-1.eu-central-1.compute.internal.61302 > dns.google.domain: 42466+ A? dns.msftncsi.com. (34)
06:46:20.122526 IP #HOME_PC#.ipsec-nat-t > #AWS_VPS#.eu-central-1.compute.internal.ipsec-nat-t: UDP-encap: ESP(spi=0xcbf6e396,seq=0x45), length 100
06:46:20.122526 IP ip-10-10-10-1.eu-central-1.compute.internal.53026 > 82.221.107.34.bc.googleusercontent.com.http: Flags [S], seq 2356796043, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
06:46:20.122580 IP ip-10-10-10-1.eu-central-1.compute.internal.53026 > 82.221.107.34.bc.googleusercontent.com.http: Flags [S], seq 2356796043, win 65280, options [mss 1320,nop,wscale 8,nop,nop,sackOK], length 0
06:46:20.122773 IP #HOME_PC#.ipsec-nat-t > #AWS_VPS#.eu-central-1.compute.internal.ipsec-nat-t: UDP-encap: ESP(spi=0xcbf6e396,seq=0x46), length 100
06:46:20.122773 IP ip-10-10-10-1.eu-central-1.compute.internal.53027 > 82.221.107.34.bc.googleusercontent.com.http: Flags [S], seq 2988801698, win 65280, options [mss 1360,nop,wscale 8,nop,nop,sackOK], length 0
06:46:20.122791 IP ip-10-10-10-1.eu-central-1.compute.internal.53027 > 82.221.107.34.bc.googleusercontent.com.http: Flags [S], seq 2988801698, win 65280, options [mss 1320,nop,wscale 8,nop,nop,sackOK], length 0
....

IPsec.conf 包含

config setup
        uniqueids=never
        charondebug="ike 2, knl 2, cfg 3, net 2, esp 2, dmn 2,  mgr 2"

conn %default
        keyexchange=ikev2
        ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
        esp=aes128gcm16-sha2_256-ecp256,chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1!
        fragmentation=yes
        rekey=no
        compress=yes
        dpdaction=clear
        left=%any
        leftauth=pubkey
        leftsourceip=#SERVER_IP#
        leftid=#SERVER_IP#
        leftcert=debian.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightauth=pubkey
        rightsourceip=10.10.10.0/24
        rightdns=8.8.8.8,8.8.4.4

conn ikev2-pubkey
        auto=add

sysctl.conf包含(大多数注释掉的行未显示)

# /etc/sysctl.conf - Configuration file for setting system variables

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

# Do not accept ICMP redirects (prevent MITM attacks)
net.ipv4.conf.all.accept_redirects = 0

# Do not send ICMP redirects (we are not a router)
net.ipv4.conf.all.send_redirects = 0

net.ipv4.ip_no_pmtu_disc = 1

服务器本身似乎可以与 Internet 正常工作,通过 IP 地址和域名进行 ping 操作均成功。

除了我正在谈论的服务器之外,我在类似的租赁 AWS VPS 上还有另一个类似的 VPN 服务器。它与我的另一台家用电脑配合得很好。我找不到两台服务器配置之间的任何相关差异。

我对 Linux 服务器的经验很少。我还应该检查什么来找出原因?哪些其他信息可以阐明情况?

UPD:iptables -t nat -L回复

.... 
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  ip-10-10-10-0.eu-central-1.compute.internal/24  anywhere             policy match dir out pol ipsec  
MASQUERADE  all  --  ip-10-10-10-0.eu-central-1.compute.internal/24  anywhere

这是对的吗?

debian
Martin Hope
m. vokhm
Asked: 2022-03-18 22:30:36 +0800 CST
  • -1

在 AWS VPS 上,我安装了 Strongswan 以将其用作 VPN。它适用于 iPhone 客户端。但是,当我尝试从 Windows 客户端连接时,SA 连接成功建立并在几分钟内正常工作,但几分钟后(2 到 10 分钟,在大多数情况下为 2 或更多)连接挂起并且停止通过交通。似乎双方都认为连接是有效的,至少我看不到任何错误迹象。

我花了几天时间试图找出问题所在。互联网上描述这种情况的材料似乎很少。另外,我是 Linux 管理和网络的新手,所以我可能看到了对此问题的描述和解决方案,但我就是无法理解。我将非常感谢任何帮助。

下面是ipsec.conf(这里服务器的真实外部IP替换为EXT.SRVR.IP.ADR

config setup
    uniqueids=never
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"

conn %default
    keyexchange=ikev2
    ike=aes128gcm16-sha2_256-prfsha256-ecp256,aes256-sha2_256-prfsha256-modp2048!
    esp=aes128gcm16-sha2_256-ecp256,aes256-sha1!
    fragmentation=yes
    rekey=no
    compress=yes
    dpdaction=clear
    left=%any
    leftauth=pubkey
    leftsourceip=EXT.SRVR.IP.ADR
    leftid=EXT.SRVR.IP.ADR
    leftcert=debian.pem
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    right=%any
    rightauth=pubkey
    rightsourceip=10.10.10.0/24
    rightdns=8.8.8.8,8.8.4.4

conn ikev2-pubkey
    auto=add

这里是摘录ipsec.log(真实IP替换为"EXT.SRVR.IP.ADR",对于服务器的外部IP,分别是其内部IP和我的Windows客户端,省略了明显不相关的行"INT.SRVR.IP.ADR""MY.CLNT.IP.ADR"

Mar 17 12:41:17 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[500] to INT.SRVR.IP.ADR[500]
Mar 17 12:41:17 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:41:17 server-name charon: 07[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i 0000000000000000_r
Mar 17 12:41:17 server-name charon: 07[MGR] created IKE_SA (unnamed)[1]
Mar 17 12:41:17 server-name charon: 07[NET] received packet: from MY.CLNT.IP.ADR[500] to INT.SRVR.IP.ADR[500] (536 bytes)
Mar 17 12:41:17 server-name charon: 07[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 17 12:41:17 server-name charon: 07[CFG] looking for an ike config for INT.SRVR.IP.ADR...MY.CLNT.IP.ADR
Mar 17 12:41:17 server-name charon: 07[CFG]   candidate: %any...%any, prio 28
Mar 17 12:41:17 server-name charon: 07[CFG] found matching ike config: %any...%any with prio 28
Mar 17 12:41:17 server-name charon: 07[IKE] MY.CLNT.IP.ADR is initiating an IKE_SA
Mar 17 12:41:17 server-name charon: 07[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Mar 17 12:41:17 server-name charon: 07[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 07[CFG]   proposal matches
Mar 17 12:41:17 server-name charon: 07[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
Mar 17 12:41:17 server-name charon: 07[CFG] configured proposals: IKE:AES_GCM_16_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 17 12:41:17 server-name charon: 07[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Mar 17 12:41:17 server-name charon: 07[IKE] local host is behind NAT, sending keep alives
Mar 17 12:41:17 server-name charon: 07[IKE] remote host is behind NAT
Mar 17 12:41:17 server-name charon: 07[IKE] sending cert request for "CN=EXT.SRVR.IP.ADR"
Mar 17 12:41:17 server-name charon: 07[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Mar 17 12:41:17 server-name charon: 07[NET] sending packet: from INT.SRVR.IP.ADR[500] to MY.CLNT.IP.ADR[500] (465 bytes)
Mar 17 12:41:17 server-name charon: 04[NET] sending packet: from INT.SRVR.IP.ADR[500] to MY.CLNT.IP.ADR[500]
Mar 17 12:41:17 server-name charon: 07[MGR] checkin IKE_SA (unnamed)[1]
Mar 17 12:41:17 server-name charon: 07[MGR] checkin of IKE_SA successful
Mar 17 12:41:17 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500]
Mar 17 12:41:17 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:41:17 server-name charon: 08[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:17 server-name charon: 08[MGR] IKE_SA (unnamed)[1] successfully checked out
Mar 17 12:41:17 server-name charon: 08[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500] (3408 bytes)
Mar 17 12:41:17 server-name charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERT CERTREQ AUTH N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV) SA TSi TSr ]
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for unknown ca with keyid 39:9e:66:a7:20:3c:4d:06:fb:62:6b:65:87:22:35:57:a0:a0:0a:22
...
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for unknown ca with keyid 01:f0:33:4c:1a:a1:d9:ee:5b:7b:a9:de:43:bc:02:7d:57:09:33:fb
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for "CN=EXT.SRVR.IP.ADR"
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for unknown ca with keyid 88:a9:5a:ef:c0:84:fc:13:74:41:6b:b1:63:32:c2:cf:92:59:bb:3b
...
Mar 17 12:41:17 server-name charon: 08[IKE] received cert request for unknown ca with keyid 4f:9c:7d:21:79:9c:ad:0e:d8:b9:0c:57:9f:1a:02:99:e7:90:f3:87
Mar 17 12:41:17 server-name charon: 08[IKE] received 67 cert requests for an unknown ca
Mar 17 12:41:17 server-name charon: 08[IKE] received end entity cert "CN=me"
Mar 17 12:41:17 server-name charon: 08[CFG] looking for peer configs matching INT.SRVR.IP.ADR[%any]...MY.CLNT.IP.ADR[CN=me]
Mar 17 12:41:17 server-name charon: 08[CFG]   candidate "ikev2-pubkey", match: 1/1/28 (me/other/ike)
Mar 17 12:41:17 server-name charon: 08[CFG] selected peer config 'ikev2-pubkey'
Mar 17 12:41:17 server-name charon: 08[CFG]   using certificate "CN=me"
Mar 17 12:41:17 server-name charon: 08[CFG]   certificate "CN=me" key: 4096 bit RSA
Mar 17 12:41:17 server-name charon: 08[CFG]   using trusted ca certificate "CN=EXT.SRVR.IP.ADR"
Mar 17 12:41:17 server-name charon: 08[CFG] checking certificate status of "CN=me"
Mar 17 12:41:17 server-name charon: 08[CFG] ocsp check skipped, no ocsp found
Mar 17 12:41:17 server-name charon: 08[CFG] certificate status is not available
Mar 17 12:41:17 server-name charon: 08[CFG]   certificate "CN=EXT.SRVR.IP.ADR" key: 4096 bit RSA
Mar 17 12:41:17 server-name charon: 08[CFG]   reached self-signed root ca with a path length of 0
Mar 17 12:41:17 server-name charon: 08[IKE] authentication of 'CN=me' with RSA signature successful
Mar 17 12:41:17 server-name charon: 08[IKE] processing INTERNAL_IP4_ADDRESS attribute
Mar 17 12:41:17 server-name charon: 08[IKE] processing INTERNAL_IP4_DNS attribute
Mar 17 12:41:17 server-name charon: 08[IKE] processing INTERNAL_IP4_NBNS attribute
Mar 17 12:41:17 server-name charon: 08[IKE] processing INTERNAL_IP4_SERVER attribute
Mar 17 12:41:17 server-name charon: 08[IKE] peer supports MOBIKE
Mar 17 12:41:17 server-name charon: 08[IKE] authentication of 'EXT.SRVR.IP.ADR' (myself) with RSA signature successful
Mar 17 12:41:17 server-name charon: 08[IKE] IKE_SA ikev2-pubkey[1] established between INT.SRVR.IP.ADR[EXT.SRVR.IP.ADR]...MY.CLNT.IP.ADR[CN=me]
Mar 17 12:41:17 server-name charon: 08[IKE] IKE_SA ikev2-pubkey[1] state change: CONNECTING => ESTABLISHED
Mar 17 12:41:17 server-name charon: 08[IKE] sending end entity cert "CN=EXT.SRVR.IP.ADR"
Mar 17 12:41:17 server-name charon: 08[IKE] peer requested virtual IP %any
Mar 17 12:41:17 server-name charon: 08[CFG] assigning new lease to 'CN=me'
Mar 17 12:41:17 server-name charon: 08[IKE] assigning virtual IP 10.10.10.1 to peer 'CN=me'
Mar 17 12:41:17 server-name charon: 08[IKE] building INTERNAL_IP4_DNS attribute
Mar 17 12:41:17 server-name charon: 08[IKE] building INTERNAL_IP4_DNS attribute
Mar 17 12:41:17 server-name charon: 08[CFG] looking for a child config for 0.0.0.0/0 === 0.0.0.0/0
Mar 17 12:41:17 server-name charon: 08[CFG] proposing traffic selectors for us:
Mar 17 12:41:17 server-name charon: 08[CFG]  0.0.0.0/0
Mar 17 12:41:17 server-name charon: 08[CFG] proposing traffic selectors for other:
Mar 17 12:41:17 server-name charon: 08[CFG]  10.10.10.1/32
Mar 17 12:41:17 server-name charon: 08[CFG]   candidate "ikev2-pubkey" with prio 5+1
Mar 17 12:41:17 server-name charon: 08[CFG] found matching child config "ikev2-pubkey" with prio 6
Mar 17 12:41:17 server-name charon: 08[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 08[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 08[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 08[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Mar 17 12:41:17 server-name charon: 08[CFG] selecting proposal:
Mar 17 12:41:17 server-name charon: 08[CFG]   proposal matches
Mar 17 12:41:17 server-name charon: 08[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Mar 17 12:41:17 server-name charon: 08[CFG] configured proposals: ESP:AES_GCM_16_128/ECP_256/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Mar 17 12:41:17 server-name charon: 08[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Mar 17 12:41:17 server-name charon: 08[KNL] got SPI c6bcf84d
Mar 17 12:41:17 server-name charon: 08[CFG] selecting traffic selectors for us:
Mar 17 12:41:17 server-name charon: 08[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Mar 17 12:41:17 server-name charon: 08[CFG] selecting traffic selectors for other:
Mar 17 12:41:17 server-name charon: 08[CFG]  config: 10.10.10.1/32, received: 0.0.0.0/0 => match: 10.10.10.1/32
Mar 17 12:41:17 server-name charon: 08[KNL] adding SAD entry with SPI c6bcf84d and reqid {1}
Mar 17 12:41:17 server-name charon: 08[KNL]   using encryption algorithm AES_CBC with key size 256
Mar 17 12:41:17 server-name charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Mar 17 12:41:17 server-name charon: 08[KNL]   using replay window of 32 packets
Mar 17 12:41:17 server-name charon: 08[KNL] adding SAD entry with SPI b74162a4 and reqid {1}
Mar 17 12:41:17 server-name charon: 08[KNL]   using encryption algorithm AES_CBC with key size 256
Mar 17 12:41:17 server-name charon: 08[KNL]   using integrity algorithm HMAC_SHA1_96 with key size 160
Mar 17 12:41:17 server-name charon: 08[KNL]   using replay window of 0 packets
Mar 17 12:41:17 server-name charon: 08[KNL] adding policy 0.0.0.0/0 === 10.10.10.1/32 out [priority 391808, refcount 1]
Mar 17 12:41:17 server-name charon: 08[KNL] policy already exists, try to update it
Mar 17 12:41:17 server-name charon: 08[KNL] adding policy 10.10.10.1/32 === 0.0.0.0/0 in [priority 391808, refcount 1]
Mar 17 12:41:17 server-name charon: 08[KNL] policy already exists, try to update it
Mar 17 12:41:17 server-name charon: 08[KNL] adding policy 10.10.10.1/32 === 0.0.0.0/0 fwd [priority 391808, refcount 1]
Mar 17 12:41:17 server-name charon: 08[KNL] policy already exists, try to update it
Mar 17 12:41:17 server-name charon: 08[KNL] policy 0.0.0.0/0 === 10.10.10.1/32 out already exists, increasing refcount
Mar 17 12:41:17 server-name charon: 08[KNL] updating policy 0.0.0.0/0 === 10.10.10.1/32 out [priority 191808, refcount 2]
Mar 17 12:41:17 server-name charon: 08[KNL] getting a local address in traffic selector 0.0.0.0/0
Mar 17 12:41:17 server-name charon: 08[KNL] using host %any
Mar 17 12:41:17 server-name charon: 08[KNL] getting iface name for index 2
Mar 17 12:41:17 server-name charon: 08[KNL] using 172.26.0.1 as nexthop and eth0 as dev to reach MY.CLNT.IP.ADR/32
Mar 17 12:41:17 server-name charon: 08[KNL] installing route: 10.10.10.1/32 via 172.26.0.1 src %any dev eth0
Mar 17 12:41:17 server-name charon: 08[KNL] getting iface index for eth0
Mar 17 12:41:17 server-name charon: 08[KNL] policy 10.10.10.1/32 === 0.0.0.0/0 in already exists, increasing refcount
Mar 17 12:41:17 server-name charon: 08[KNL] updating policy 10.10.10.1/32 === 0.0.0.0/0 in [priority 191808, refcount 2]
Mar 17 12:41:17 server-name charon: 08[KNL] policy 10.10.10.1/32 === 0.0.0.0/0 fwd already exists, increasing refcount
Mar 17 12:41:17 server-name charon: 08[KNL] updating policy 10.10.10.1/32 === 0.0.0.0/0 fwd [priority 191808, refcount 2]
Mar 17 12:41:17 server-name charon: 08[IKE] CHILD_SA ikev2-pubkey{1} established with SPIs c6bcf84d_i b74162a4_o and TS 0.0.0.0/0 === 10.10.10.1/32
Mar 17 12:41:17 server-name charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_6_ADDR) ]
Mar 17 12:41:17 server-name charon: 08[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500] (2048 bytes)
Mar 17 12:41:17 server-name charon: 04[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500]
Mar 17 12:41:17 server-name charon: 08[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:17 server-name charon: 08[MGR] checkin of IKE_SA successful
Mar 17 12:41:37 server-name charon: 10[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:37 server-name charon: 10[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:41:37 server-name charon: 10[KNL] querying policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:41:37 server-name charon: 10[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:37 server-name charon: 10[MGR] checkin of IKE_SA successful
Mar 17 12:41:47 server-name dhclient[358]: PRC: Renewing lease on eth0.
Mar 17 12:41:47 server-name dhclient[358]: XMT: Renew on eth0, interval 9070ms.
Mar 17 12:41:47 server-name dhclient[358]: RCV: Reply message on eth0 from fe80::60:52ff:fe0a:c10e.
Mar 17 12:41:47 server-name charon: 11[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:47 server-name charon: 11[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:41:47 server-name charon: 11[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:47 server-name charon: 11[MGR] checkin of IKE_SA successful
Mar 17 12:41:47 server-name charon: 12[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:47 server-name charon: 12[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:41:47 server-name charon: 12[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:41:47 server-name charon: 12[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:41:47 server-name charon: 12[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:47 server-name charon: 12[MGR] checkin of IKE_SA successful
Mar 17 12:41:56 server-name charon: 13[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:41:56 server-name charon: 13[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:41:56 server-name charon: 13[KNL] querying policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:41:56 server-name charon: 13[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:41:56 server-name charon: 13[MGR] checkin of IKE_SA successful
...
Mar 17 12:49:35 server-name charon: 16[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:35 server-name charon: 16[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:35 server-name charon: 16[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:49:35 server-name charon: 16[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:49:35 server-name charon: 16[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:35 server-name charon: 16[MGR] checkin of IKE_SA successful
Mar 17 12:49:51 server-name charon: 05[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:51 server-name charon: 05[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:51 server-name charon: 05[KNL] querying policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:49:51 server-name charon: 05[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:51 server-name charon: 05[MGR] checkin of IKE_SA successful
Mar 17 12:49:55 server-name charon: 06[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:55 server-name charon: 06[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:55 server-name charon: 06[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:49:55 server-name charon: 06[KNL] querying policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:49:55 server-name charon: 06[IKE] sending DPD request
Mar 17 12:49:55 server-name charon: 06[IKE] queueing IKE_DPD task
Mar 17 12:49:55 server-name charon: 06[IKE] activating new tasks
Mar 17 12:49:55 server-name charon: 06[IKE]   activating IKE_DPD task
Mar 17 12:49:55 server-name charon: 06[ENC] generating INFORMATIONAL request 0 [ ]
Mar 17 12:49:55 server-name charon: 06[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500] (80 bytes)
Mar 17 12:49:55 server-name charon: 06[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:55 server-name charon: 06[MGR] checkin of IKE_SA successful
Mar 17 12:49:55 server-name charon: 04[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500]
Mar 17 12:49:55 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500]
Mar 17 12:49:55 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:49:55 server-name charon: 07[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:55 server-name charon: 07[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:55 server-name charon: 07[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500] (80 bytes)
Mar 17 12:49:55 server-name charon: 07[ENC] parsed INFORMATIONAL response 0 [ ]
Mar 17 12:49:55 server-name charon: 07[IKE] activating new tasks
Mar 17 12:49:55 server-name charon: 07[IKE] nothing to initiate
Mar 17 12:49:55 server-name charon: 07[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:55 server-name charon: 07[MGR] checkin of IKE_SA successful
Mar 17 12:49:57 server-name dhclient[358]: PRC: Renewing lease on eth0.
Mar 17 12:49:57 server-name dhclient[358]: XMT: Renew on eth0, interval 10290ms.
Mar 17 12:49:57 server-name dhclient[358]: RCV: Reply message on eth0 from fe80::60:52ff:fe0a:c10e.
Mar 17 12:49:59 server-name charon: 09[MGR] checkout IKEv2 SA with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:49:59 server-name charon: 09[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:49:59 server-name charon: 09[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:49:59 server-name charon: 09[MGR] checkin of IKE_SA successful
Mar 17 12:50:00 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500]
Mar 17 12:50:00 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:50:00 server-name charon: 08[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:50:00 server-name charon: 08[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:50:00 server-name charon: 08[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500] (80 bytes)
Mar 17 12:50:00 server-name charon: 08[ENC] parsed INFORMATIONAL request 2 [ D ]
Mar 17 12:50:00 server-name charon: 08[IKE] received DELETE for ESP CHILD_SA with SPI b74162a4
Mar 17 12:50:00 server-name charon: 08[KNL] querying SAD entry with SPI c6bcf84d
Mar 17 12:50:00 server-name charon: 08[KNL] querying SAD entry with SPI b74162a4
Mar 17 12:50:00 server-name charon: 08[IKE] closing CHILD_SA ikev2-pubkey{1} with SPIs c6bcf84d_i (1148939 bytes) b74162a4_o (21040410 bytes) and TS 0.0.0.0/0 === 10.10.10.1/32
Mar 17 12:50:00 server-name charon: 08[IKE] sending DELETE for ESP CHILD_SA with SPI c6bcf84d
Mar 17 12:50:00 server-name charon: 08[IKE] CHILD_SA closed
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:50:00 server-name charon: 08[KNL] policy still used by another CHILD_SA, not removed
Mar 17 12:50:00 server-name charon: 08[KNL] updating policy 0.0.0.0/0 === 10.10.10.1/32 out [priority 391808, refcount 1]
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:50:00 server-name charon: 08[KNL] policy still used by another CHILD_SA, not removed
Mar 17 12:50:00 server-name charon: 08[KNL] updating policy 10.10.10.1/32 === 0.0.0.0/0 in [priority 391808, refcount 1]
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:50:00 server-name charon: 08[KNL] policy still used by another CHILD_SA, not removed
Mar 17 12:50:00 server-name charon: 08[KNL] updating policy 10.10.10.1/32 === 0.0.0.0/0 fwd [priority 391808, refcount 1]
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 0.0.0.0/0 === 10.10.10.1/32 out
Mar 17 12:50:00 server-name charon: 08[KNL] getting iface index for eth0
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 in
Mar 17 12:50:00 server-name charon: 08[KNL] deleting policy 10.10.10.1/32 === 0.0.0.0/0 fwd
Mar 17 12:50:00 server-name charon: 08[KNL] deleting SAD entry with SPI c6bcf84d
Mar 17 12:50:00 server-name charon: 08[KNL] deleted SAD entry with SPI c6bcf84d
Mar 17 12:50:00 server-name charon: 08[KNL] deleting SAD entry with SPI b74162a4
Mar 17 12:50:00 server-name charon: 08[KNL] deleted SAD entry with SPI b74162a4
Mar 17 12:50:00 server-name charon: 08[ENC] generating INFORMATIONAL response 2 [ D ]
Mar 17 12:50:00 server-name charon: 08[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500] (80 bytes)
Mar 17 12:50:00 server-name charon: 08[MGR] checkin IKE_SA ikev2-pubkey[1]
Mar 17 12:50:00 server-name charon: 08[MGR] checkin of IKE_SA successful
Mar 17 12:50:00 server-name charon: 04[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500]
Mar 17 12:50:00 server-name charon: 03[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500]
Mar 17 12:50:00 server-name charon: 03[NET] waiting for data on sockets
Mar 17 12:50:00 server-name charon: 11[MGR] checkout IKEv2 SA by message with SPIs cc34c04e15f31fd2_i e5bd885ad183b108_r
Mar 17 12:50:00 server-name charon: 11[MGR] IKE_SA ikev2-pubkey[1] successfully checked out
Mar 17 12:50:00 server-name charon: 11[NET] received packet: from MY.CLNT.IP.ADR[4500] to INT.SRVR.IP.ADR[4500] (80 bytes)
Mar 17 12:50:00 server-name charon: 11[ENC] parsed INFORMATIONAL request 3 [ D ]
Mar 17 12:50:00 server-name charon: 11[IKE] received DELETE for IKE_SA ikev2-pubkey[1]
Mar 17 12:50:00 server-name charon: 11[IKE] deleting IKE_SA ikev2-pubkey[1] between INT.SRVR.IP.ADR[EXT.SRVR.IP.ADR]...MY.CLNT.IP.ADR[CN=me]
Mar 17 12:50:00 server-name charon: 11[IKE] IKE_SA ikev2-pubkey[1] state change: ESTABLISHED => DELETING
Mar 17 12:50:00 server-name charon: 11[IKE] IKE_SA deleted
Mar 17 12:50:00 server-name charon: 11[ENC] generating INFORMATIONAL response 3 [ ]
Mar 17 12:50:00 server-name charon: 11[NET] sending packet: from INT.SRVR.IP.ADR[4500] to MY.CLNT.IP.ADR[4500] (80 bytes)
Mar 17 12:50:00 server-name charon: 11[MGR] checkin and destroy IKE_SA ikev2-pubkey[1]
Mar 17 12:50:00 server-name charon: 11[IKE] IKE_SA ikev2-pubkey[1] state change: DELETING => DESTROYING
Mar 17 12:50:00 server-name charon: 11[CFG] lease 10.10.10.1 by 'CN=me' went offline
Mar 17 12:50:00 server-name charon: 11[MGR] checkin and destroy of IKE_SA successful

Windows 报告的连接属性:

DataEncryption = Require maximum
PrerequisiteEntry = 
AutoLogon = No
UseRasCredentials = Yes
Authentication Type = Machine Certificate 
Ipv4DefaultGateway = Yes
Ipv4AddressAssignment = By Server
Ipv4DNSServerAssignment = By Server
Ipv6DefaultGateway = Yes
Ipv6AddressAssignment = By Server
Ipv6DNSServerAssignment = By Server
IpDnsFlags = Register primary domain suffix
IpNBTEnabled = Yes
UseFlags = Private Connection
ConnectOnWinlogon = No
Mobility enabled for IKEv2 = Yes.
Dial-in User = admin
VpnStrategy = IKEv2

当连接被冻结(不通过流量)时,swanctl --list-sasreprts 如下

ikev2-pubkey: #1, ESTABLISHED, IKEv2, f77fbfbe7c371b32_i e0e250355a87db62_r*
   local  'EXT.SRVR.IP.ADR' @ INT.SRVR.IP.ADR[4500]
   remote 'CN=me' @ MY.CLNT.IP.ADR[4500] [10.10.10.1]
   AES_CBC-256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
   established 287s ago
   ikev2-pubkey: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
     installed 287s ago
     in  ce57563f, 792014 bytes,  4493 packets,   150s ago
     out 6b24b7fd, 10904301 bytes, 10680 packets,     1s ago
     local  0.0.0.0/0
     remote 10.10.10.1/32

Windows 还显示连接正常,事件查看器中没有错误迹象,SEP 防火墙日志中也没有相关的阻止数据包。

服务器:Debian 4.9.246-2,strongSwan 5.5.1。

客户端:Windows 2008 R2、Agile VPN(通过连接属性设置)

这种行为的原因可能是什么以及如何解决?

我该怎么做才能找出确切的原因?

如果有任何帮助,我将不胜感激。

UPD1:当传出流量变得相对较高时,连接最常(或可能总是)冻结。例如,当我访问 时speedtest.net,连接在尝试测量上传速度时冻结。

UPD2:其他设备在同一个本地网络上工作正常,在同一个路由器后面,NAT,ISP等。这清楚地表明问题只与使用W2k8的特定机器有关。机器上有 SEP 防火墙,但这不是罪魁祸首——关闭它不会影响行为。Strongswan也几乎不相关,因为它是一个已经建立的冻结隧道。

windows vpn linux strongswan ikev2