关于【ipsec】的问题- 第1页

The Coding Penguin

Asked: 2023-06-28 23:32:46 +0800 CST

IPSec 隧道一直有效，直到重新生成密钥，然后获取 NO_PROPOSAL_CHOSEN

6

语境

我在办公室的 Raspberry Pi 和云中的 pfSense 防火墙之间建立了一条站点到站点的 IPSec 隧道。我在 Raspberry Pi 端使用 Strongswan。

问题

我的隧道建立并运行良好一段时间，但当它必须自行重新加密时，协商失败。

我是否缺少一些明显的东西？

日志（Raspberry 侧）

初始连接

raspberrypi charon[2422]: 09[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
raspberrypi charon[2422]: 09[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
raspberrypi charon[2422]: 09[IKE] CHILD_SA net-net{1} established with SPIs c3eaa3c7_i c944ab71_o and TS RASPI_NET/24 === PFSENSE_NET/16
raspberrypi charon[2422]: 09[IKE] CHILD_SA net-net{1} established with SPIs c3eaa3c7_i c944ab71_o and TS RASPI_NET/24 === PFSENSE_NET/16

重新生成密钥（这就是出错的地方）

raspberrypi charon[507]: 11[NET] received packet: from PFSENSE_IP[4500] to RASPI_LOCAL_IP[4500] (80 bytes)
raspberrypi charon[507]: 11[ENC] parsed INFORMATIONAL request 153 [ D ]
raspberrypi charon[507]: 11[IKE] received DELETE for ESP CHILD_SA with SPI ce632e5b
raspberrypi charon[507]: 11[IKE] closing CHILD_SA net-net{1} with SPIs ccc38dd0_i (94042284 bytes) ce632e5b_o (5169556 bytes) and TS RASPI_NET/24 === PFSENSE_NET/16
raspberrypi charon[507]: 11[IKE] closing CHILD_SA net-net{1} with SPIs ccc38dd0_i (94042284 bytes) ce632e5b_o (5169556 bytes) and TS RASPI_NET/24 === PFSENSE_NET/16
raspberrypi charon[507]: 11[IKE] sending DELETE for ESP CHILD_SA with SPI ccc38dd0
raspberrypi charon[507]: 11[IKE] CHILD_SA closed
raspberrypi charon[507]: 11[ENC] generating INFORMATIONAL response 153 [ D ]
raspberrypi charon[507]: 11[NET] sending packet: from RASPI_LOCAL_IP[4500] to PFSENSE_IP[4500] (80 bytes)
raspberrypi charon[507]: 12[NET] received packet: from PFSENSE_IP[4500] to RASPI_LOCAL_IP[4500] (80 bytes)
raspberrypi charon[507]: 12[ENC] parsed INFORMATIONAL request 154 [ ]
raspberrypi charon[507]: 12[ENC] generating INFORMATIONAL response 154 [ ]
raspberrypi charon[507]: 12[NET] sending packet: from RASPI_LOCAL_IP[4500] to PFSENSE_IP[4500] (80 bytes)
raspberrypi charon[507]: 06[NET] received packet: from PFSENSE_IP[4500] to RASPI_LOCAL_IP[4500] (640 bytes)
raspberrypi charon[507]: 06[ENC] parsed CREATE_CHILD_SA request 155 [ N(ESP_TFC_PAD_N) SA No KE TSi TSr ]
raspberrypi charon[507]: 06[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
raspberrypi charon[507]: 06[CFG] received proposals: ESP:AES_GCM_16_256/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_12_256/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_8_256/MODP_2048/NO_EXT_SEQ, ESP:AES_GCM_16_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
raspberrypi charon[507]: 06[CFG] configured proposals: ESP:AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
raspberrypi charon[507]: 06[IKE] no acceptable proposal found
raspberrypi charon[507]: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
raspberrypi charon[507]: 06[ENC] generating CREATE_CHILD_SA response 155 [ N(NO_PROP) ]
raspberrypi charon[507]: 06[NET] sending packet: from RASPI_LOCAL_IP[4500] to PFSENSE_IP[4500] (80 bytes)
raspberrypi charon[507]: 01[JOB] CHILD_SA ESP/0xccc38dd0/RASPI_LOCAL_IP not found for rekey
raspberrypi charon[507]: 08[JOB] CHILD_SA ESP/0xccc38dd0/RASPI_LOCAL_IP not found for rekey

我尝试过做什么

如果我通过 SSH 连接到 Raspberry 并运行ipsec restart，隧道将再次建立并正常工作，直到下一次重新生成密钥。

我无法理解为什么这些建议在重新生成密钥时不匹配（如果它们与初始连接匹配）。此外，我确实在 swanctl 配置文件中要求了不同的算法。

我尝试更改两侧的配置，但问题似乎始终位于 Raspberry 一侧（顺便说一句，pfSense 仅适用于响应程序）。

配置文件

`/etc/swanctl/conf.d/myfile.conf`

connections {
  gw-gw {
    local_addrs = RASPI_LAN_IP
    remote_addrs = PFSENSE_IP
    local {
      auth = psk
      id = RASPI_PUBLIC_IP
    }
    remote {
      auth = psk
      id = PFSENSE_IP
    }
    children {
      net-net {
        local_ts = RASPI_NET/24
        remote_ts = PFSENSE_NET/16
        start_action = start
        dpd_action = restart
      }
    }
    version = 2
    dpd_delay = 60
    mobike = no
    proposals = aes128-sha256-modp2048,default
  }
}

secrets {
  ike-1 {
    id-1 = RASPI_PUBLIC_IP
    id-2 = PFSENSE_IP
    secret = "MYPSK"
  }
}

pfSense

阶段1

阶段2

Amin Khoshnood

Asked: 2019-07-24 01:50:45 +0800 CST

IPsec IKEv2 成功，但 Linux VTI 不适用于 SNAT

3

如果您认为troubleshooting IPsec is tedious，请忘记我的日志，只是let me know the implementation process，我仍然很困惑，任何信息都有帮助。

我删除了 SPI，这是我的 IP 映射：

Our private IP address:
10.1.1.2
Our S-NAT IP address:
172.16.0.1
Our Pubic/EIP address:
1.1.1.1
CheckPoint GW:
2.2.2.2
Instance behind CheckPoint:
192.168.1.1

在左侧，我在 AWS EC2 实例的 1:1 NAT 和弹性 IP 后面有 StrongSWAN，配置如下：

/etc/ipsec.conf：

config setup
    # strictcrlpolicy=yes
    # uniqueids = no
    charondebug="ike 2, knl 2, cfg 2"

conn %default
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    ikelifetime=86400s
    esp=aes256-sha256-modp2048
    lifetime=10800s
    keyingtries=%forever
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart

conn Tunnel1
    auto=start
    left=10.1.1.2 # Our private IP address
    leftsubnet=172.16.0.1/32 # Our S-NAT IP address
    leftauth=psk
    leftid=1.1.1.1 # Our Pubic/EIP address
    right=2.2.2.2 # CheckPoint GW
    rightsubnet=192.168.1.1/32 # Instance behind CheckPoint 
    rightauth=psk
    rightid=2.2.2.2 # CheckPoint GW
    type=tunnel
    compress=no
    mark=42

/etc/ipsec.secrets：

1.1.1.1 2.2.2.2 : PSK "OURSECRET"

/etc/strongswan.d/charon.conf：

install_routes = no
install_virtual_ip = no

右侧有一个位于防火墙后面的 CheckPoint 设备，仅当数据包的源为 172.16.0.1/32 且其目标为 192.168.1.1/32 时才接受策略。

但是我的接口上没有那个 IP，它是一个伪 IP，可以从右侧（检查点）隐藏我们的私有范围。

此实例应充当路由器并通过 IPsec 隧道传递来自其他实例的流量，但每个数据包都应 SNAT 到 172.16.0.1/32。

我启动了SongSWAN：

systemctl start strongswan && systemctl status -l strongswan

Loaded: loaded (/lib/systemd/system/strongswan.service; disabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-07-23 10:20:22 EEST; 12s ago
  Process: 2163 ExecStart=/usr/sbin/ipsec start (code=exited, status=0/SUCCESS)
  Process: 2160 ExecStartPre=/bin/mkdir -p /var/lock/subsys (code=exited, status=0/SUCCESS)
 Main PID: 2190 (starter)
    Tasks: 18
   Memory: 12.2M
      CPU: 54ms
   CGroup: /system.slice/strongswan.service
           ├─2190 /usr/lib/ipsec/starter --daemon charon
           └─2191 /usr/lib/ipsec/charon --use-syslog --debug-ike 2 --debug-knl 2 --debug-cfg 2

配置iptables：

iptables --append INPUT -s 2.2.2.2 -j ACCEPT
iptables --append INPUT -d 2.2.2.2 -j ACCEPT
iptables --table mangle --append FORWARD -o Tunnel1 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

检查 IKEv2 是否成功：ipsec statusall

Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1087-aws, x86_64):
  uptime: 79 seconds, since Jul 23 10:20:22 2019
  malloc: sbrk 1646592, mmap 0, used 568016, free 1078576
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
Listening IP addresses:
  10.1.1.2
Connections:
     Tunnel1:  10.1.1.2...2.2.2.2  IKEv2, dpddelay=30s
     Tunnel1:   local:  [1.1.1.1] uses pre-shared key authentication
     Tunnel1:   remote: [2.2.2.2] uses pre-shared key authentication
     Tunnel1:   child:  172.16.0.1/32 === 192.168.1.1/32 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
     Tunnel1[1]: ESTABLISHED 79 seconds ago, 10.1.1.2[1.1.1.1]...2.2.2.2[2.2.2.2]
     Tunnel1[1]: IKEv2 SPIs: ##**REMOVED**##* ##**REMOVED**##, pre-shared key reauthentication in 23 hours
     Tunnel1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
     Tunnel1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c05ce72f_i 35f8fdaa_o
     Tunnel1{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 2 hours
     Tunnel1{1}:   172.16.0.1/32 === 192.168.1.1/32

检查是否已添加 XFRM 策略：ip -s -s xfrm 策略：

src 192.168.1.1/32 dst 172.16.0.1/32 uid 0
    dir fwd action allow index 82 priority 2819 share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-07-23 10:20:22 use -
    mark 0x2a/0xffffffff
    tmpl src 2.2.2.2 dst 10.1.1.2
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 192.168.1.1/32 dst 172.16.0.1/32 uid 0
    dir in action allow index 72 priority 2819 share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-07-23 10:20:22 use -
    mark 0x2a/0xffffffff
    tmpl src 2.2.2.2 dst 10.1.1.2
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff
src 172.16.0.1/32 dst 192.168.1.1/32 uid 0
    dir out action allow index 65 priority 2819 share any flag  (0x00000000)
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 0(sec), hard 0(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-07-23 10:20:22 use -
    mark 0x2a/0xffffffff
    tmpl src 10.1.1.2 dst 2.2.2.2
        proto esp spi 0x00000000(0) reqid 1(0x00000001) mode tunnel
        level required share any
        enc-mask ffffffff auth-mask ffffffff comp-mask ffffffff

ip -s -s xfrm 状态：

src 10.1.1.2 dst 2.2.2.2
    proto esp spi ##**REMOVED**##(##**REMOVED**##) reqid 1(0x00000001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    mark 0x2a/0xffffffff
    auth-trunc hmac(sha256) ##**REMOVED**## (256 bits) 128
    enc cbc(aes) ##**REMOVED**## (256 bits)
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 9745(sec), hard 10800(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-07-23 10:20:22 use -
    stats:
      replay-window 0 replay 0 failed 0
src 2.2.2.2 dst 10.1.1.2
    proto esp spi ##**REMOVED**##(##**REMOVED**##) reqid 1(0x00000001) mode tunnel
    replay-window 32 seq 0x00000000 flag af-unspec (0x00100000)
    mark 0x2a/0xffffffff
    auth-trunc hmac(sha256) ##**REMOVED**## (256 bits) 128
    enc cbc(aes) ##**REMOVED**## (256 bits)
    encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
    lifetime config:
      limit: soft (INF)(bytes), hard (INF)(bytes)
      limit: soft (INF)(packets), hard (INF)(packets)
      expire add: soft 10057(sec), hard 10800(sec)
      expire use: soft 0(sec), hard 0(sec)
    lifetime current:
      0(bytes), 0(packets)
      add 2019-07-23 10:20:22 use -
    stats:
      replay-window 0 replay 0 failed 0

创建 VTI 设备：

ip tunnel add Tunnel1 local 10.1.1.2 remote 2.2.2.2 mode vti key 42
ip addr add 172.16.0.1/32 remote 192.168.1.1/32 dev Tunnel1
ip link set Tunnel1 up mtu 1419

禁用隧道策略并添加 iptables TCPMSS：

sysctl -w net.ipv4.conf.Tunnel1.disable_policy=1
iptables --table mangle --append FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables --table mangle --append FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

但是当我用源 172.16.0.1 ping 192.168.1.1 时，我得到Destination Host Unreachable.

ping 192.168.1.1 OR ping -I 172.16.0.1 192.168.1.1 OR ping -I Tunnel1 192.168.1.1

ping -c 3 -I 172.16.0.1 192.168.1.1
PING 192.168.1.1 (192.168.1.1) from 172.16.0.1 Tunnel1: 56(84) bytes of data.
From 172.16.0.1 icmp_seq=1 Destination Host Unreachable
From 172.16.0.1 icmp_seq=2 Destination Host Unreachable
From 172.16.0.1 icmp_seq=3 Destination Host Unreachable

--- 192.168.1.1 ping statistics ---
3 packets transmitted, 0 received, +3 errors, 100% packet loss, time 1998ms

这是其他一些日志： ip 地址显示：

3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
4: Tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1419 qdisc noqueue state UNKNOWN group default qlen 1
    link/ipip 10.1.1.2 peer 2.2.2.2
    inet 172.16.0.1 peer 192.168.1.1/32 scope global Tunnel1
       valid_lft forever preferred_lft forever

ip -s -s 链接显示：

3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1
    link/ipip 0.0.0.0 brd 0.0.0.0
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        0       0       0       0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       0
4: Tunnel1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1419 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
    link/ipip 10.1.1.2 peer 2.2.2.2
    RX: bytes  packets  errors  dropped overrun mcast
    0          0        0       0       0       0
    RX errors: length   crc     frame   fifo    missed
               0        0       0       0       0
    TX: bytes  packets  errors  dropped carrier collsns
    0          0        14      0       14      0
    TX errors: aborted  fifo   window heartbeat transns
               0        0       0       0       0

ip -s 隧道显示隧道 1：

Tunnel1: ip/ip  remote 2.2.2.2  local 10.1.1.2  ttl inherit  key 42
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            14     0        14       0

ifconfig -a:

Tunnel1   Link encap:IPIP Tunnel  HWaddr
          inet addr:172.16.0.1  P-t-P:192.168.1.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP  MTU:1419  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:14 dropped:0 overruns:0 carrier:14
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
ip_vti0   Link encap:IPIP Tunnel  HWaddr
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

我在 AWS EC2 上禁用了源和目标检查，并将 AWS 安全组中所有流量的右侧（检查点）IP 地址列入白名单，我确定支持 NAT-Traversal，我可以通过 tcpdump 看到它的流量：tcpdump -i any - nnnNq 主机 2.2.2.2

10:32:02.983136 IP 10.1.1.2.500 > 2.2.2.2.500: UDP, length 1084
10:32:03.035572 IP 2.2.2.2.500 > 10.1.1.2.500: UDP, length 708
10:32:03.044827 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 372
10:32:03.108335 IP 2.2.2.2.4500 > 10.1.1.2.4500: UDP, length 276
10:32:27.042735 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 1
10:32:33.110661 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 84
10:32:33.159623 IP 2.2.2.2.4500 > 10.1.1.2.4500: UDP, length 84
10:32:57.043342 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 1
10:33:03.110977 IP 10.1.1.2.4500 > 2.2.2.2.4500: UDP, length 84

CheckPoint 显示隧道已建立，但我在发送 ping 数据包时没有收到任何 tcpdump。journalctl -fu strongswan 可从此处获得：

https://pastebin.com/AuephC04

我也以这种方式尝试了 VTI 端点，但它没有进行任何更改：

ip tunnel add Tunnel1 local 10.1.1.2 remote 2.2.2.2 mode vti key 42
ip addr add 172.16.0.1/32 remote 0.0.0.0/0 dev Tunnel1
ip link set Tunnel1 up mtu 1419

我是否正确实施了这个结构？我应该在 VTI 设备上设置伪 IP 吗？我应该添加另一个 iptables 规则来应用 MARK 这样的东西吗？

iptables -t mangle -A INPUT -p esp -s 2.2.2.2 -d 1.1.1.1 -j MARK --set-xmark 42

Versions:

ipsec --版本：

Linux strongSwan U5.3.5/K4.4.0-1087-aws

lsb_release -a：

Distributor ID: Ubuntu
Description:    Ubuntu 16.04.6 LTS
Release:    16.04
Codename:   xenial

dpkg -l | grep -i strongswan：

ii  libcharon-extra-plugins          5.3.5-1ubuntu3.8                           amd64        strongSwan charon library (extra plugins)
ii  libstrongswan                    5.3.5-1ubuntu3.8                           amd64        strongSwan utility and crypto library
ii  libstrongswan-standard-plugins   5.3.5-1ubuntu3.8                           amd64        strongSwan utility and crypto library (standard plugins)
ii  strongswan                       5.3.5-1ubuntu3.8                           all          IPsec VPN solution metapackage
ii  strongswan-charon                5.3.5-1ubuntu3.8                           amd64        strongSwan Internet Key Exchange daemon
ii  strongswan-libcharon             5.3.5-1ubuntu3.8                           amd64        strongSwan charon library
ii  strongswan-starter               5.3.5-1ubuntu3.8                           amd64        strongSwan daemon starter and configuration file parser
ii  strongswan-tnc-base              5.3.5-1ubuntu3.8                           amd64        strongSwan Trusted Network Connect's (TNC) - base files

在此先感谢您的帮助。

melmansuri

Asked: 2018-12-19 02:40:42 +0800 CST

StrongSwan - ipsec pki 命令

2

我想知道为什么我第一次运行“ipsec pki”命令来获取私钥时，这个密钥会很快生成，但是下次你尝试运行相同的命令来获取这个密钥时，因为你已经删除了旧的大约需要5-10分钟。

elbarna

Asked: 2018-01-01 08:52:52 +0800 CST

ipsec on linux，一个简单快速的问题

0

是我的第一个VPN，用于测试

这是我的简单网络方案

LAN1(private 10.10.0.0/24) --->VPN-----internet---<VPN---<LAN2(private 10.20.0.0/24)

在/etc/ipsec.conf我使用..

...
        left=ippublicserver1
        leftid=fqdnserverA
        leftsubnet=10.10.0.0/24
        right=ippublicserver2
        rightsubnet=10.20.0.0/24
....

我的问题真的很简单..，在我必须使用的serverB上

一模一样的ipsec.conf
A Different ipsec.confwhere rigthsubnet 变成 leftsubnet？

我认为..B，是正确的吗？

IPSec 隧道一直有效，直到重新生成密钥，然后获取 NO_PROPOSAL_CHOSEN

语境

问题

日志（Raspberry 侧）

初始连接

重新生成密钥（这就是出错的地方）

我尝试过做什么

配置文件

`/etc/swanctl/conf.d/myfile.conf`

pfSense

阶段1

阶段2

IPsec IKEv2 成功，但 Linux VTI 不适用于 SNAT

StrongSwan - ipsec pki 命令

ipsec on linux，一个简单快速的问题

模块 i915 可能缺少固件 /lib/firmware/i915/*

无法获取 jessie backports 存储库

如何将 GPG 私钥和公钥导出到文件

我们如何运行存储在变量中的命令？

如何配置 systemd-resolved 和 systemd-networkd 以使用本地 DNS 服务器来解析本地域和远程 DNS 服务器来解析远程域？

dist-upgrade 后 Kali Linux 中的 apt-get update 错误 [重复]

如何从 systemctl 服务日志中查看最新的 x 行

Nano - 跳转到文件末尾

grub 错误：你需要先加载内核

如何下载软件包而不是使用 apt-get 命令安装它？

问题[ipsec](unix)

语境

问题

日志（Raspberry 侧）

初始连接

重新生成密钥（这就是出错的地方）

我尝试过做什么

配置文件

/etc/swanctl/conf.d/myfile.conf

pfSense

阶段1

阶段2

`/etc/swanctl/conf.d/myfile.conf`