
Hands-on: negotiating an IPsec VPN between open-source strongSwan/Openswan/ipsec-tools and Tencent Cloud

hqy hqy, posted 2019-03-28 17:54:04, 12497 views, 0 comments


https://cloud.tencent.com/developer/article/1356861


A note up front: among the many customers connecting to Tencent Cloud, a large number do not buy dedicated VPN hardware but use third-party open-source software such as strongSwan, Openswan and ipsec-tools. During onboarding, and especially when the negotiation fails, customers often ask whether Tencent Cloud's IPsec VPN is compatible with these third-party devices and whether a connection has ever been brought up successfully. So, to put customers' doubts to rest and to help them resolve negotiation problems quickly in day-to-day operations, I wrote the article below; I hope it is useful to operations and after-sales colleagues;

1. Negotiating an IPsec VPN between strongSwan and the VSR

1.1 Installing strongSwan

Buy a VM with a public IP from the Tencent Cloud console, install CentOS on it, and use its private address to generate the interesting traffic that triggers the negotiation;

Public address: 139.199.67.188

Private address: 10.135.151.136

root@VM_0_175_centos etc# yum -y install strongswan

...

Installed:

strongswan.x86_64 0:5.4.0-2.el6   # strongSwan version 5.4

Dependency Installed:

trousers.x86_64 0:0.3.13-2.el6

1.2 Configuration directory

Go to the configuration directory created by the install, /etc/strongswan, and back up all configuration files before changing anything;

root@VM_0_175_centos etc# cd /etc/strongswan/

root@VM_0_175_centos strongswan# cp ipsec.conf ipsec.conf.backup

root@VM_0_175_centos strongswan# cp strongswan.conf strongswan.conf.backup

1.3 Editing ipsec.conf

ipsec.conf defines the authentication and encryption parameters used in phase 1 and phase 2 when negotiating with the peer device. The edited file is shown below; many unused parameters have been deleted;

root@VM_151_136_centos strongswan# cat ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    # strictcrlpolicy=yes
    uniqueids = never
    charondebug="ike 4, knl 4, net 4, cfg 4"

conn %default
    type=tunnel                 # tunnel mode
    ikelifetime=60m
    keylife=5m
    dpddelay=10s                # the VSR in the cloud does not enable DPD by default; this can be commented out
    rekeymargin=3m
    keyingtries=3
    mobike=no

conn site-to-site-Qcloud
    keyexchange=ikev1           # for now the negotiation version must be set to ikev1
    left=10.135.151.136         # local private address, which is also the forwarding gateway
    leftid=139.199.67.188       # local public IP that initiates the negotiation; also the local-id in the negotiation
    leftsubnet=10.135.151.0/24  # local private subnet
    leftfirewall=no
    right=123.207.13.44
    rightid=123.207.13.44
    rightsubnet=10.0.0.0/16
    authby=secret               # authentication method: pre-shared key
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    auto=start                  # can be triggered by traffic; also negotiates automatically when strongSwan starts
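A small parser for this file format, added here as an example (it is not part of the article and not strongSwan's own code), that applies `conn %default` inheritance the way the daemon does and checks the settings the article calls out for a VSR peer. The sample text is constructed from the file above and deliberately keeps the `conn %defualt` misspelling as it originally appeared, to show that a misspelled default section is silently ignored rather than inherited. The same parser reads Libreswan's ipsec.conf, which uses the same syntax:

```python
import re

# Constructed sample, based on the article's strongSwan ipsec.conf, keeping
# the misspelled section name "conn %defualt" exactly as it appeared there.
SAMPLE_IPSEC_CONF = """\
# ipsec.conf - strongSwan IPsec configuration file
config setup
    uniqueids = never
    charondebug="ike 4, knl 4, net 4, cfg 4"

conn %defualt
    type=tunnel          # tunnel mode
    ikelifetime=60m
    keylife=5m

conn site-to-site-Qcloud
    keyexchange=ikev1
    left=10.135.151.136
    leftid=139.199.67.188
    leftsubnet=10.135.151.0/24
    right=123.207.13.44
    rightid=123.207.13.44
    rightsubnet=10.0.0.0/16
    authby=secret
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    auto=start
"""

SECTION = re.compile(r"^(config|conn)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; 'config setup' is stored as 'setup'.
    Inline '#' comments are dropped and 'key = value' / 'key=value' both parse."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        m = SECTION.match(line)
        if m:
            current = "setup" if m.group(1) == "config" else m.group(2)
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def effective_conn(sections, name):
    """Settings the daemon applies to `name`: 'conn %default' first, then the
    conn's own keys, which win on conflict."""
    merged = dict(sections.get("%default", {}))
    merged.update(sections[name])
    return merged


def check_conn(sections, name):
    """Problems a reviewer would flag for a VSR peer, per the article: a
    '%'-section that is not spelled '%default' contributes nothing, the VSR
    currently needs keyexchange=ikev1, and PSK auth means authby=secret."""
    problems = []
    for sec in sections:
        if sec.startswith("%") and sec != "%default":
            problems.append(f"section '{sec}' is not '%default'; its settings are never inherited")
    conn = effective_conn(sections, name)
    if conn.get("keyexchange") != "ikev1":
        problems.append("keyexchange must be ikev1 for the VSR")
    if conn.get("authby") != "secret":
        problems.append("authby should be secret for pre-shared key authentication")
    if "type" not in conn:
        problems.append("type is not set, so tunnel mode is not explicit")
    return problems


if __name__ == "__main__":
    secs = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    for p in check_conn(secs, "site-to-site-Qcloud"):
        print("WARN:", p)
    print(effective_conn(parse_ipsec_conf(SAMPLE_IPSEC_CONF.replace("%defualt", "%default")),
                         "site-to-site-Qcloud"))
```

Run against the misspelled sample, `check_conn` reports both the bad section name and the resulting missing `type`; once the section is spelled `%default`, `effective_conn` shows `type=tunnel` and `ikelifetime=60m` inherited into the connection.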

1.4 Editing strongswan.conf

strongswan.conf holds the basic settings for how strongSwan runs and what it loads. It has little effect on the negotiation itself; what matters here is logging, because during the negotiation you read the log file it defines to locate negotiation errors. The default file can be used as-is;

root@VM_151_136_centos strongswan# cat strongswan.conf

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    duplicheck.enable = no   # disable the duplicate check so that several devices can connect
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    filelog {
        /var/log/strongswan.charon.log {
            time_format = %b %e %T
            default = 2        # log level
            append = no        # overwrite the previous log when strongSwan restarts
            flush_line = yes   # flush every line to disk
        }
    }
}

include strongswan.d/*.conf

1.5 Editing the secrets file

The secrets file defines the pre-shared key used when negotiating with the peer device; the addresses of both ends must be specified;

root@VM_151_136_centos strongswan# cat ipsec.secrets

# /etc/ipsec.secrets - strongSwan IPsec secrets f

139.199.67.188 123.207.13.44 : PSK "111"

Note: there must be a space on each side of the colon. When I was testing, the negotiation would not come up at all and I debugged for a long time with nothing but failures; in the end I found that a space was missing here. A space is easy to overlook, so this tripped me up for a long time
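Because the missing space is so easy to miss, here is a validator for the secret-file formats this article uses, added as an example (not the article's own code and not part of strongSwan, Libreswan or ipsec-tools). It enforces whitespace on both sides of the colon for the strongSwan/Libreswan `ipsec.secrets` line, requires a space between identifier and key in racoon's `psk.txt`, and models the strict lookup the article asks for: the key is found only when both addresses of the pair appear in one entry. The sample lines are constructed from the article's files, plus the broken variant that bit the author:

```python
import re

# strongSwan / Libreswan:  <id> <id> : PSK "key"   (spaces around the colon)
SWAN_LINE = re.compile(r'^(?P<ids>[^:]+?)\s+:\s+PSK\s+"(?P<key>[^"]*)"\s*$')
# racoon psk.txt:          <peer identifier> <key>  (separated by whitespace)
RACOON_LINE = re.compile(r"^(?P<id>\S+)\s+(?P<key>\S+)\s*$")


def parse_swan_secrets(text):
    """Return (entries, problems). Each entry is (frozenset of ids, key).
    A line whose colon is glued to an id (the article's missing-space bug)
    is reported instead of accepted."""
    entries, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("include"):
            continue
        m = SWAN_LINE.match(line)
        if not m:
            if "PSK" in line and re.search(r"\S:|:\S", line):
                problems.append(f"line {n}: put a space on both sides of ':'")
            else:
                problems.append(f"line {n}: unrecognised secret line")
            continue
        entries.append((frozenset(m.group("ids").split()), m.group("key")))
    return entries, problems


def parse_racoon_psk(text):
    """Return ({identifier: key}, problems); a line without a separating
    space between identifier and key is reported."""
    keys, problems = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RACOON_LINE.match(line)
        if not m:
            problems.append(f"line {n}: expected '<identifier> <key>' separated by a space")
            continue
        keys[m.group("id")] = m.group("key")
    return keys, problems


def lookup_psk(entries, local, remote):
    """Key usable for the (local, remote) pair: both addresses must be listed
    in the same entry, which is what the article requires."""
    for ids, key in entries:
        if {local, remote} <= ids:
            return key
    return None


# Constructed samples from the article's files (and the broken variants).
SWAN_OK = '139.199.67.188 123.207.13.44 : PSK "111"\n'
SWAN_BAD = '139.199.67.188 123.207.13.44: PSK "111"\n'   # no space before ':'
RACOON_OK = "# format is:  'identifier' 'key'\n183.60.249.29 123456\n"
RACOON_BAD = "183.60.249.29123456\n"                      # no space at all

if __name__ == "__main__":
    for text in (SWAN_OK, SWAN_BAD):
        entries, problems = parse_swan_secrets(text)
        print(lookup_psk(entries, "139.199.67.188", "123.207.13.44"), problems)
    for text in (RACOON_OK, RACOON_BAD):
        print(parse_racoon_psk(text))
```

The first sample yields the key `111` for the address pair and no problems; the second yields no entry and a complaint about the colon, which is exactly the failure mode the note above describes.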

1.6 Triggering the strongSwan negotiation

Before negotiating, it is advisable to stop iptables (optional; to be safe, just stop it)

root@VM_151_136_centos strongswan# /etc/init.d/iptables stop

root@VM_151_136_centos strongswan# sudo strongswan restart

IPsec negotiation is normally triggered by interesting traffic. The simplest way is to send, from a private-network host on either side, a ping that matches the interesting-traffic rule; strongSwan then encapsulates that packet into the VPN according to the rule;

Apart from that, every start of the strongSwan daemon also triggers an automatic IPsec negotiation, so during the negotiation always read the daemon's negotiation log and correct the configuration according to the specific error messages;

Likewise, the negotiation can be initiated from the VSR device on Tencent Cloud, with this side acting as responder; the outcome is the same;

The negotiation log is at the path below. Always check the log; it is how you find out what went wrong in the negotiation;

root@VM_151_136_centos strongswan# cat /var/log/strongswan.charon.log

1.7 strongSwan status after a successful negotiation

If the negotiation log shows no errors, the next step is to check the IPsec status. Run the command below; if you see a status like this, the connection is up;

root@VM_151_136_centos strongswan# sudo strongswan statusall

Status of IKE charon daemon (strongSwan 5.4.0, Linux 2.6.32-573.el6.x86_64, x86_64):

uptime: 17 minutes, since Nov 29 18:55:52 2016

malloc: sbrk 536576, mmap 0, used 441552, free 95024

worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3

loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp

Listening IP addresses:

10.135.151.136

Connections:

site-to-site-TC-DSP:  10.135.151.136...123.207.13.44  IKEv1

site-to-site-TC-DSP:   local:  139.199.67.188 uses pre-shared key authentication

site-to-site-TC-DSP:   remote: 123.207.13.44 uses pre-shared key authentication

site-to-site-TC-DSP:   child:  10.135.151.0/24 === 10.0.0.0/16 TUNNEL

Security Associations (1 up, 0 connecting):

site-to-site-TC-DSP[1]: ESTABLISHED 17 minutes ago, 10.135.151.136[139.199.67.188]...123.207.13.44[123.207.13.44]

site-to-site-TC-DSP[1]: IKEv1 SPIs: e8cf3b95ed742c56_i* 1dc07691877ed2be_r, pre-shared key reauthentication in 2 hours

site-to-site-TC-DSP[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024

site-to-site-TC-DSP{5}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c5be9505_i 4e2748c7_o

site-to-site-TC-DSP{5}:  AES_CBC_128/HMAC_SHA1_96, 11928 bytes_i (142 pkts, 1s ago), 11928 bytes_o (142 pkts, 1s ago), rekeying in 43 minutes

site-to-site-TC-DSP{5}:   10.135.151.0/24 === 10.0.0.0/16

1.8 Errors during debugging

Error 1: "error writing to socket, invalid argument." appeared while debugging

After some searching, the strongSwan site has a record of a bug like this, but the causes differ. In my case the error disappeared once I changed the `left` parameter to the private address. In practice every environment may be different and each case must be analysed on its own; see the link below

https://wiki.strongswan.org/issues/543

2. Negotiating an IPsec VPN between Libreswan (Openswan) and the VSR

2.1 Device information

The Openswan test again uses a Linux CVM bought from the Tencent Cloud console, with CentOS 6.8 x86-64 as the operating system. A public address was requested in the same way, and the private address is used to generate the interesting traffic that triggers the IPsec negotiation;

root@VM_121_70_centos ~# uname -r

2.6.32-642.6.2.el6.x86_64

Private address: 10.135.121.70

Public address: 123.207.60.24

2.2 Installing openswan

To simplify and speed up installation, yum is used again. During installation yum pulled in libreswan instead; a quick check showed that it does not differ much from openswan, so I simply used it for the negotiation;

root@VM_121_70_centos ~# yum -y install openswan

Loaded plugins: fastestmirror, security

Installed:

libreswan.x86_64 0:3.15-7.3.el6

Dependency Installed:        # one package requested, 4 dependencies detected

ldns.x86_64 0:1.6.16-7.el6.2           libevent.x86_64 0:1.4.13-4.el6                           libevent2.x86_64 0:2.0.21-2.el6          unbound-libs.x86_64 0:1.4.20-23.el6.3

Complete!

2.3 Checking the install directory and configuration files

After openswan is installed, the IPsec parameter file and the secrets file are both directly under /etc, rather than in a separate directory of their own as with ipsec-tools;

root@VM_121_70_centos etc# ipsec --version   # show the installed version

Linux Libreswan 3.15 (netkey) on 2.6.32-642.6.2.el6.x86_64

root@VM_121_70_centos ~# ll /etc/ipsec.conf

-rw-r--r-- 1 root root 2380 Mar 22 20:51 /etc/ipsec.conf

root@VM_121_70_centos ~# ll /etc/ipsec.secrets

-rw------- 1 root root 31 Mar 22 20:51 /etc/ipsec.secrets

root@VM_121_70_centos ~# ll /etc/ipsec.d/

total 8

drwx------ 2 root root 4096 Jul  6 12:49 policies

-rw-r--r-- 1 root root 1338 Mar 22 20:51 v6neighbor-hole.conf

2.4 Preparing the ipsec.conf file

This file defines which peer address to negotiate with and which encryption and authentication parameters to use in the negotiation. The intermediate steps were tedious, so the configuration process is skipped and only the final file is shown. Different environments and parameters may need different files; the configuration is for reference only:

root@VM_121_70_centos etc# cat ipsec.conf

# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# This file:  /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual:     ipsec.conf.5

# basic configuration
config setup
    # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
    protostack=netkey
    logfile=/var/log/pluto.log
    nat_traversal=yes  # it is best to enable NAT-T for the negotiation
    #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf

conn 183.60.249.29
    authby=secret          # authenticate with a pre-shared key
    auto=start
    ike=3des-md5;modp1024  # maps to the parameters of the IKE proposal; note the semicolon in the middle
    ikelifetime=86400
    #aggrmode=yes          # if you want to negotiate in aggressive mode
    ## phase 1 ##
    keyexchange=ike
    ## phase 2 ##
    phase2=esp
    phase2alg=3des-sha1
    compress=no
    pfs=no
    type=tunnel
    left=10.135.121.70
    leftsubnet=10.135.121.0/24
    leftnexthop=%defaultroute
    right=183.60.249.29
    rightsubnet=10.100.43.0/24
    rightnexthop=%defaultroute

2.5 Preparing the ipsec.secrets file

root@VM_121_70_centos etc# cat ipsec.secrets

include /etc/ipsec.d/*.secrets

#site-A-publicIP site-B-publicIP: PSK "pre-shared key"

10.135.121.70 183.60.249.29: PSK "123456"

# defines the key used for PSK authentication during the negotiation and the ID information of both ends; the actual IPs used by the two negotiating sides must match this file exactly, otherwise it errors out;

2.6 Debugging openswan

2.6.1 Stopping iptables

root@VM_121_70_centos etc# service iptables stop

iptables: Setting chains to policy ACCEPT: filter            OK

iptables: Flushing firewall rules:                           OK

iptables: Unloading modules:                                 OK

2.6.2 Starting the ipsec service (ipsec start)

Openswan's start-up is provided by the `ipsec` command; use `ipsec --help` to see which subcommands exist;

root@VM_121_70_centos etc# ipsec start

Redirecting to: service ipsec start

Starting pluto IKE daemon for IPsec: Initializing NSS database

See 'man pluto' if you want to protect the NSS database with a password

.                                                            OK

root@VM_121_70_centos etc# netstat -apn | grep 500   # ipsec started without errors and the NIC is listening on ports 500 and 4500

udp        0      0 127.0.0.1:500               0.0.0.0:*                        12215/pluto

udp        0      0 10.135.121.70:500           0.0.0.0:*                               12215/pluto

udp        0      0 127.0.0.1:4500              0.0.0.0:*                               12215/pluto

udp        0      0 10.135.121.70:4500          0.0.0.0:*                               12215/pluto

No error here does not mean there is no problem; go on to read the detailed start-up log;

2.6.3 Checking the configuration with ipsec verify

root@VM_121_70_centos etc# ipsec verify

Verifying installed system and configuration files

Version check and ipsec on-path                   OK

Libreswan 3.15 (netkey) on 2.6.32-642.6.2.el6.x86_64

Checking for IPsec support in kernel               OK

NETKEY: Testing XFRM related proc values

     ICMP default/send_redirects              	[NOT DISABLED]

Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

     ICMP default/accept_redirects            	[NOT DISABLED]

Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

     XFRM larval drop                         	[OK]

Pluto ipsec.conf syntax                           OK

Hardware random device                             N/A

Checking rp_filter                                 ENABLED

/proc/sys/net/ipv4/conf/default/rp_filter         ENABLED

/proc/sys/net/ipv4/conf/eth0/rp_filter           ENABLED

rp_filter is not fully aware of IPsec and should be disabled

Checking that pluto is running                     OK

Pluto listening for IKE on udp 500               OK

Pluto listening for IKE/NAT-T on udp 4500         OK

Pluto ipsec.secret syntax                         OK

Checking 'ip' command                             OK

Checking 'iptables' command                       OK

Checking 'prelink' command does not interfere with FIPS IN USE

Checking for obsolete ipsec.conf options           OK

Opportunistic Encryption                           DISABLED

ipsec verify: encountered 9 errors - see 'man ipsec_verify' for help

These redirect settings do not affect the negotiation itself, but after a successful negotiation they may prevent the private addresses from being pinged, so it is better to fix them; and for those of us with a compulsive, perfectionist streak, red errors in the middle of the output are unbearable anyway;

Change the forwarding settings so that redirects are not allowed:

root@VM_121_70_centos etc# echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

root@VM_121_70_centos etc# echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects

root@VM_121_70_centos etc# echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects

root@VM_121_70_centos etc# echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects

root@VM_121_70_centos etc# echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects

root@VM_121_70_centos etc# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects

root@VM_121_70_centos etc# echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects

root@VM_121_70_centos etc# echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter

root@VM_121_70_centos etc# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

root@VM_121_70_centos etc# vi /etc/sysctl.conf

Set net.ipv4.ip_forward = 1

root@VM_121_70_centos etc# sysctl -p

net.ipv4.ip_forward = 1
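The `echo 0 > /proc/sys/...` commands above take effect immediately but are lost on reboot, and `ipsec verify` only lists the scopes it happens to look at. The audit below is an added example (not the article's code and not part of Libreswan): it generalises the article's list to the `all` and `default` scopes plus every named interface, compares a snapshot of the current values with what `ipsec verify` wants, and renders the lines to append to /etc/sysctl.conf so that `sysctl -p` makes the change persistent. The snapshot is constructed to resemble the host before the fix; passing `snapshot=None` reads the live /proc/sys files instead:

```python
import os


def wanted_settings(interfaces=("eth0", "lo")):
    """sysctl keys the article sets, generalised to the 'all' and 'default'
    scopes plus each named interface, with the value ipsec verify wants."""
    wanted = {"net.ipv4.ip_forward": "1"}
    for scope in ("all", "default") + tuple(interfaces):
        for knob in ("send_redirects", "accept_redirects", "rp_filter"):
            wanted[f"net.ipv4.conf.{scope}.{knob}"] = "0"
    return wanted


def sysctl_path(key, root="/proc/sys"):
    """/proc/sys file backing a dotted sysctl key."""
    return os.path.join(root, *key.split("."))


def read_current(keys, root="/proc/sys", snapshot=None):
    """{key: value or None}. With `snapshot` (a dict) the audit runs offline;
    otherwise the live /proc/sys files are read."""
    current = {}
    for key in keys:
        if snapshot is not None:
            current[key] = snapshot.get(key)
            continue
        try:
            with open(sysctl_path(key, root)) as f:
                current[key] = f.read().strip()
        except OSError:
            current[key] = None
    return current


def audit(current, wanted):
    """Keys whose current value differs from the wanted one -> (have, want)."""
    return {k: (current.get(k), v) for k, v in wanted.items() if current.get(k) != v}


def render_sysctl_conf(wanted, keys=None):
    """Lines to append to /etc/sysctl.conf (applied with sysctl -p) so the
    change survives a reboot, unlike echo 0 > /proc/sys/..."""
    keys = list(keys) if keys is not None else list(wanted)
    return "".join(f"{k} = {wanted[k]}\n" for k in keys)


# Constructed snapshot resembling the article's host before the fix: forwarding
# off, redirects still enabled on eth0, rp_filter enabled on all/default/eth0.
SAMPLE_SNAPSHOT = {k: "0" for k in wanted_settings()}
SAMPLE_SNAPSHOT.update({
    "net.ipv4.conf.eth0.send_redirects": "1",
    "net.ipv4.conf.eth0.accept_redirects": "1",
    "net.ipv4.conf.all.rp_filter": "1",
    "net.ipv4.conf.default.rp_filter": "1",
    "net.ipv4.conf.eth0.rp_filter": "1",
})

if __name__ == "__main__":
    wanted = wanted_settings()
    bad = audit(read_current(wanted, snapshot=SAMPLE_SNAPSHOT), wanted)
    for key, (have, want) in sorted(bad.items()):
        print(f"{key}: have {have}, want {want}")
    print(render_sysctl_conf(wanted, sorted(bad)), end="")
```

On the constructed snapshot the audit flags six keys (ip_forward, the two eth0 redirect knobs and rp_filter in three scopes) and prints the sysctl.conf lines for exactly those; on a real host, run it as root with `snapshot=None` and apply the rendered lines with `sysctl -p`.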

Also, the ipsec service must be restarted after every change to the configuration file;

root@VM_121_70_centos etc# ipsec restart

To see whether there were errors on start-up, check the log file:

root@VM_121_70_centos etc# cat /var/log/pluto.log

...

2.7 Configuring the VSR negotiation parameters

[vpngw-m2dqykt1]acl advanced 3003
[vpngw-m2dqykt1-acl-ipv4-adv-3003]rule 0 permit ip source 10.100.43.0 0.0.0.255 destination 10.135.121.0 0.0.0.255
[vpngw-m2dqykt1-acl-ipv4-adv-3003]exit
[vpngw-m2dqykt1]ipsec transform-set trans2
[vpngw-m2dqykt1-ipsec-transform-set-trans2]esp encryption-algorithm 3des-cbc
[vpngw-m2dqykt1-ipsec-transform-set-trans2]esp authentication-algorithm sha1
[vpngw-m2dqykt1-ipsec-transform-set-trans2]exit
[vpngw-m2dqykt1]ike proposal 2
[vpngw-m2dqykt1-ike-proposal-2]encryption-algorithm 3des-cbc
[vpngw-m2dqykt1-ike-proposal-2]exit
[vpngw-m2dqykt1]ike keychain keychain2
[vpngw-m2dqykt1-ike-keychain-keychain2]pre-shared-key address 123.207.60.24 key simple 123456
[vpngw-m2dqykt1-ike-keychain-keychain2]exit
[vpngw-m2dqykt1]ike profile profileName2
[vpngw-m2dqykt1-ike-profile-profileName2]keychain keychain2
[vpngw-m2dqykt1-ike-profile-profileName2]local-identity address 183.60.249.29
[vpngw-m2dqykt1-ike-profile-profileName2]match remote identity address 123.207.60.24 32
[vpngw-m2dqykt1-ike-profile-profileName2]exit
[vpngw-m2dqykt1]ipsec policy policy1 2 isakmp
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-2]transform-set trans2
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-2]security acl 3003
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-2]remote-address 123.207.60.24
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-2]ike-profile profileName2
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-2]exit

After checking that the configuration is correct, start triggering the negotiation, and turn on debugging to check the logs;

2.8 Problems encountered during debugging

2.8.1 Cannot identify either end of the connection by its public address

Searching online, quite a few people have hit this. The likely cause is that the device itself has neither the 123.x nor the 183.x public address configured, so when `right` or `left` in the configuration file is set to those addresses, no matching address is found and it errors out; so edit ipsec.conf:

Jul  8 20:46:59: "demo-openswan-H3CVSR": We cannot identify ourselves with either end of this connection.  123.207.60.24 or 183.60.249.29 are not usable

#left=123.207.60.24
left=10.135.121.70
#right=183.60.249.29
right=10.100.43.199

# comment out the two original lines, replace them with the private addresses of the two sides, and add the following 2 lines

leftnexthop=%defaultroute
rightnexthop=%defaultroute

# restart the ipsec service and check the log; the error is gone, problem solved

Jul  9 15:57:42: loading secrets from "/etc/ipsec.secrets"

Jul  9 15:57:42: no secrets filename matched "/etc/ipsec.d/*.secrets"

Jul  9 15:57:42: WARNING: using a weak secret (PSK)

Jul  9 15:57:42: "183.60.249.29" #1: initiating Main Mode

======================================================

2.8.2 No connection found that is authorized with the matching policy

For this error I searched the web for a long time and saw that many people had the same message, but no solution was to be found. In between I even tried negotiating in aggressive mode, which gave the same error. After thinking it through carefully, I noticed that in ipsec.conf `right` was set to 10.100.43.199, so when the negotiation packet arrived from the public address 183.60.249.29 it reported that no matching policy could be found; changing `right` to the corresponding public address made the error disappear;

right=183.60.249.29
#right=10.100.43.199

Jul  8 21:10:46: packet from 183.60.249.29:500: initial Main Mode message received on 10.135.121.70:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW

2.8.3 Negotiation parameter mismatch

In the main-mode negotiation, when the parameters are compared, the VSR side defaults to DH group 1, but nothing was configured on the libreswan side, so the DH group parameters of the two sides did not agree. So on the VSR side I explicitly referenced the proposal from the IKE profile, to avoid a series of proposals being compared one after another, set DH group 2 in the referenced proposal, and added the modp setting in libreswan; the error disappeared;

ike=3des-md5;modp1024

Jul  9 18:35:49: "183.60.249.29" #8: responding to Main Mode

Jul  9 18:35:49: "183.60.249.29" #8: OAKLEY_GROUP 1 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION

Jul  9 18:35:49: "183.60.249.29" #8: no acceptable Oakley Transform

Jul  9 18:35:49: "183.60.249.29" #8: sending notification NO_PROPOSAL_CHOSEN to 183.60.249.29:500

2.8.4 No matching pre-shared key

At the end of the main-mode negotiation it reported that no matching PSK could be found. Checking the configuration file, the original entry specified the two public addresses, but this side (`left`) initiates with its private address; the key is only found when both IP addresses of the pair match, so after editing ipsec.secrets the error disappeared;

10.135.121.70 183.60.249.29: PSK "123456"

Jul  9 18:38:24: "183.60.249.29" #1: Can't authenticate: no preshared key found for '10.135.121.70' and '183.60.249.29'.  Attribute OAKLEY_AUTHENTICATION_METHOD

Jul  9 18:38:24: "183.60.249.29" #1: no acceptable Oakley Transform

Jul  9 18:38:24: "183.60.249.29" #1: sending notification NO_PROPOSAL_CHOSEN to 183.60.249.29:500

2.8.5 Invalid ID information

From the log it can be seen that by this point the parameters and the pre-shared key negotiate without problems, and on the libreswan side the negotiation ID 169.254.128.21 appears, which means that when libreswan initiates, the VSR side was not answering with the specified negotiation parameters. Checking the phase configuration carefully, the authentication algorithm did not match; after changing the parameters on both sides the problem was solved and the negotiation finally succeeded;

Jul  9 18:40:26: "183.60.249.29" #1: STATE_MAIN_I3: sent MI3, expecting MR3

Jul  9 18:40:26: "183.60.249.29" #1: Main mode peer ID is ID_IPV4_ADDR: '169.254.128.21'

Jul  9 18:40:26: "183.60.249.29" #1: we require IKEv1 peer to have ID '183.60.249.29', but peer declares '169.254.128.21'

Jul  9 18:40:26: "183.60.249.29" #1: sending encrypted notification INVALID_ID_INFORMATION to 183.60.249.29:4500

Jul  9 18:40:31: "183.60.249.29" #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
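The five errors in 2.8.1 to 2.8.5 recur in almost every Libreswan-to-gateway debugging session, and each one points at one specific configuration item. The triage script below is an added example (not the article's code and not part of Libreswan): it parses pluto.log lines in the format shown above and maps each known message to the item to check, using the DH group numbers from RFC 2409/3526 to name the group the peer offered. The sample log is constructed from the lines quoted in the sections above, with one benign line mixed in:

```python
import re

LOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}): "
    r'(?:"(?P<conn>[^"]+)"(?: #\d+)?: )?(?P<msg>.*)$'
)

# IKEv1 MODP group numbers (RFC 2409 / RFC 3526), as libreswan names them in ike=.
DH_NAMES = {"1": "modp768", "2": "modp1024", "5": "modp1536", "14": "modp2048"}

# (regex over the message, config item, advice) -- one rule per error the
# article hit in 2.8.1 to 2.8.5.
RULES = [
    (r"We cannot identify ourselves with either end of this connection", "left/right",
     "use an address that exists on this host (the private address) and set leftnexthop/rightnexthop=%defaultroute"),
    (r"no connection has been authorized with policy PSK\+IKEV1_ALLOW", "right",
     "right must be the public address the peer's IKE packets actually come from"),
    (r"OAKLEY_GROUP (\d+) not supported", "ike",
     "the peer proposed DH group {g} ({name}); put both sides on the same group, in ike=...;modpNNNN here and in the VSR proposal"),
    (r"no preshared key found for", "ipsec.secrets",
     "the index pair must be the two addresses actually negotiating"),
    (r"we require IKEv1 peer to have ID '([\d.]+)', but peer declares '([\d.]+)'", "rightid",
     "the peer's phase-1 ID differs from the configured one; align rightid with the VSR local-identity"),
]


def triage(log_text):
    """Return [(timestamp, conn, item, advice)] for every line matching a rule."""
    hits = []
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        for pattern, item, advice in RULES:
            found = re.search(pattern, m.group("msg"))
            if found:
                if item == "ike":
                    g = found.group(1)
                    advice = advice.format(g=g, name=DH_NAMES.get(g, "unknown group"))
                hits.append((m.group("ts"), m.group("conn"), item, advice))
                break
    return hits


# Constructed sample: the pluto.log lines quoted in the article plus one benign line.
SAMPLE_LOG = """\
Jul  8 20:46:59: "demo-openswan-H3CVSR": We cannot identify ourselves with either end of this connection.  123.207.60.24 or 183.60.249.29 are not usable
Jul  8 21:10:46: packet from 183.60.249.29:500: initial Main Mode message received on 10.135.121.70:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Jul  9 15:57:42: "183.60.249.29" #1: initiating Main Mode
Jul  9 18:35:49: "183.60.249.29" #8: OAKLEY_GROUP 1 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
Jul  9 18:38:24: "183.60.249.29" #1: Can't authenticate: no preshared key found for '10.135.121.70' and '183.60.249.29'.  Attribute OAKLEY_AUTHENTICATION_METHOD
Jul  9 18:40:26: "183.60.249.29" #1: we require IKEv1 peer to have ID '183.60.249.29', but peer declares '169.254.128.21'
"""

if __name__ == "__main__":
    for ts, conn, item, advice in triage(SAMPLE_LOG):
        print(f"{ts} [{conn or '-'}] check {item}: {advice}")
```

Piping a real log through it (`tail -f /var/log/pluto.log`, which the article uses, works as input) gives one line per recognised error naming the configuration item to look at, so the loop of "edit, `ipsec restart`, read the log" becomes considerably shorter.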

2.9. Negotiation succeeded

2.9.1 libreswan negotiation output

Jul  9 22:25:44: packet from 183.60.249.29:500: received Vendor ID payload RFC 3947

Jul  9 22:25:44: packet from 183.60.249.29:500: ignoring Vendor ID payload draft-ietf-ipsec-nat-t-ike-03

Jul  9 22:25:44: packet from 183.60.249.29:500: ignoring Vendor ID payload draft-ietf-ipsec-nat-t-ike-02_n

Jul  9 22:25:44: packet from 183.60.249.29:500: ignoring Vendor ID payload draft-ietf-ipsec-nat-t-ike-00

Jul  9 22:25:44: "183.60.249.29" #2: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)

Jul  9 22:25:44: "183.60.249.29" #2: responding to Main Mode

Jul  9 22:25:44: "183.60.249.29" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1

Jul  9 22:25:44: "183.60.249.29" #2: STATE_MAIN_R1: sent MR1, expecting MI2

Jul  9 22:25:44: "183.60.249.29" #2: received Vendor ID payload Dead Peer Detection

Jul  9 22:25:44: "183.60.249.29" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT+peer behind NAT

Jul  9 22:25:44: "183.60.249.29" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2

Jul  9 22:25:44: "183.60.249.29" #2: STATE_MAIN_R2: sent MR2, expecting MI3

Jul  9 22:25:44: "183.60.249.29" #2: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28

Jul  9 22:25:44: | ISAKMP Notification Payload

Jul  9 22:25:44: |   00 00 00 1c  00 00 00 01  01 10 60 02

Jul  9 22:25:44: "183.60.249.29" #2: Main mode peer ID is ID_IPV4_ADDR: '183.60.249.29'

Jul  9 22:25:44: "183.60.249.29" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3

Jul  9 22:25:44: "183.60.249.29" #2: new NAT mapping for #2, was 183.60.249.29:500, now 183.60.249.29:4500

Jul  9 22:25:44: "183.60.249.29" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=oakley_3des_cbc_192 integ=md5 group=MODP1024}

Jul  9 22:25:44: "183.60.249.29" #2: the peer proposed: 10.135.121.0/24:0/0 -> 10.100.43.0/24:0/0

Jul  9 22:25:44: "183.60.249.29" #3: responding to Quick Mode proposal {msgid:cc3508fa}

Jul  9 22:25:44: "183.60.249.29" #3:     us: 10.135.121.0/24===10.135.121.70<10.135.121.70>

Jul  9 22:25:44: "183.60.249.29" #3:   them: 183.60.249.29<183.60.249.29>===10.100.43.0/24

Jul  9 22:25:44: "183.60.249.29" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1

Jul  9 22:25:44: "183.60.249.29" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x0c348f73 <0x967e5068 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=183.60.249.29:4500 DPD=passive}

Jul  9 22:25:44: "183.60.249.29" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2

Jul  9 22:25:44: "183.60.249.29" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0c348f73 <0x967e5068 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=183.60.249.29:4500 DPD=passive}

2.9.2 VSR negotiation output

The cloud host's private address can be pinged normally, and the IKE SA and IPsec SA have negotiated normally;

<vpngw-m2dqykt1>ping -a 10.100.43.199 10.135.121.70

Ping 10.135.121.70 (10.135.121.70) from 10.100.43.199: 56 data bytes, press CTRL_C to break

Request time out

56 bytes from 10.135.121.70: icmp_seq=1 ttl=64 time=4.905 ms

56 bytes from 10.135.121.70: icmp_seq=2 ttl=64 time=4.927 ms

56 bytes from 10.135.121.70: icmp_seq=3 ttl=64 time=4.812 ms

56 bytes from 10.135.121.70: icmp_seq=4 ttl=64 time=4.929 ms

--- Ping statistics for 10.135.121.70 ---

5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss

round-trip min/avg/max/std-dev = 4.812/4.893/4.929/0.048 ms

<vpngw-m2dqykt1>dis

<vpngw-m2dqykt1>display ike sa

Connection-ID   Remote                Flag         DOI


111             123.207.60.24         RD           IPsec

Flags:

RD--READY RL--REPLACED FD-FADING RK-REKEY

<vpngw-m2dqykt1>dis

<vpngw-m2dqykt1>display ipsec sa b

<vpngw-m2dqykt1>display ipsec sa brief


Interface/Global          Dst Address       SPI         Protocol    Status


Reth1                     123.207.60.24     2524860520  ESP         Active

Reth1                     169.254.128.21    204771187   ESP         Active

<vpngw-m2dqykt1>

2.10. Summary

2.10.1 Commands used during the negotiation

ipsec restart

ipsec status

ipsec look

tail -f /var/log/pluto.log

See `ipsec --help` for the details. While debugging, always watch the corresponding log in real time, so that the configuration can be corrected according to the error messages;

2.10.2 Negotiation mode

In this negotiation the libreswan side initiated with its private address, so enabling NAT-T was necessary; but since pre-shared keys were used, aggressive mode was not required. It should also negotiate successfully in aggressive mode (the condition that calls for aggressive mode is a peer whose public address changes while pre-shared-key authentication is still wanted); that is not demonstrated one case at a time here;

3. Negotiating an IPsec VPN between ipsec-tools and the VSR

3.1 Device information

Device information: once again a cloud host with a public address was bought from the Tencent Cloud console as the device for this simulated debugging session, again with CentOS installed. The device information is as follows:

root@VM_0_2_centos ~# uname -r

3.10.0-327.36.3.el7.x86_64

公网地址:119.29.202.116

内网地址:10.0.0.2

3.2. Installing ipsec-tools

Installing with yum is recommended here; it is simple and clear. Do not try to build from source, or you will see a string of errors about dependencies that need installing, and just installing the software will eat a great deal of time;

root@VM_0_2_centos ~# yum -y install ipsec-tools

Downloading packages:

ipsec-tools-0.8.2-5.el7.x86_64.rpm

Installed:

ipsec-tools.x86_64 0:0.8.2-5.el7

Complete!

3.3 Checking the directory and files

The racoon daemon in ipsec-tools implements IKE: it performs mutual authentication and establishes and maintains IPsec SAs. Below, racoon is configured to authenticate with a PSK.

Go to the configuration directory after the install; the files are as follows:

root@VM_0_2_centos ~# ll /etc/racoon

total 16

drwx------ 2 root root 4096 Apr 28  2016 certs

-rw------- 1 root root  212 Apr 28  2016 psk.txt       # the pre-shared key used in the negotiation

-rw------- 1 root root  843 Apr 28  2016 racoon.conf   # negotiation parameters: encryption, authentication, mode, etc.

drwx------ 2 root root 4096 Jul  4 09:00 scripts

- psk.txt identifies the peer VPN gateway and specifies the pre-shared key used for the negotiation;

- racoon.conf is the IPsec SA negotiation configuration file;

- certs is used only for certificate authentication; this article authenticates with a pre-shared key;

Note: the system install does not create a setkey.conf file; it has to be created and edited by hand;

3.4 Configuring the psk.txt file

Back up the configuration file first

root@VM_0_2_centos ~# cp /etc/racoon/psk.txt /backup

The edited file is shown below. It specifies the pre-shared key 123456 for negotiating with the peer VPNGW 183.60.249.126; the two fields must be separated by a space;

root@VM_0_2_centos racoon# cat psk.txt

# file for pre-shared keys used for IKE authentication
# format is:  'identifier' 'key'
# For example:

183.60.249.29 123456

Note that the ipsec-tools key file differs slightly from strongSwan's and openswan's: it has no local address and no PSK keyword, and there is no colon, but a space is still required between the two fields

3.5 Configuring the setkey file

The setkey file holds the interesting traffic for the negotiation and the IPsec tunnel mode to be used, so it is very important; but installing ipsec-tools does not create it, so create one in the racoon directory yourself and fill in the content below;

root@VM_0_2_centos racoon# find / -name "setkey.conf"   # the file is not present on the machine

root@VM_0_2_centos racoon# vi setkey.conf                # enter the content shown below

flush;

spdflush;

spdadd 10.0.0.0/24 10.100.43.0/24 any -P out ipsec esp/tunnel/119.29.202.116-183.60.249.29/require;

spdadd 10.100.43.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/183.60.249.29-119.29.202.116/require;

Explanation of the parameters above: 10.0.0.0/24 is the local interesting-traffic subnet, 10.100.43.0/24 the peer's interesting-traffic subnet, and 119.29.202.116-183.60.249.29 are the public addresses of the two ends that negotiate the IPsec tunnel;

After configuring, check the file for problems; if there is one, it reports an error;

root@VM_0_2_centos racoon# setkey -f /etc/racoon/setkey.conf   # check the setkey file configuration
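`setkey -f` only checks syntax; it will happily load an inbound rule whose tunnel endpoints were copied from the outbound rule without being swapped, which leaves one direction of the traffic unprotected or dropped. The checker below is an added example (not the article's code and not part of ipsec-tools): it parses the `spdadd` lines of a setkey.conf into their fields and verifies that every `out` policy has an `in` policy that is its exact mirror (subnets swapped, tunnel endpoints swapped, same protocol, mode and level). The sample input is the article's file, plus a constructed variant with that copy-paste mistake:

```python
import re

SPDADD = re.compile(
    r"^spdadd\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proto>\S+)\s+-P\s+(?P<dir>in|out|fwd)\s+"
    r"ipsec\s+(?P<ipproto>esp|ah)/(?P<mode>tunnel|transport)/"
    r"(?P<tsrc>[\d.]+)-(?P<tdst>[\d.]+)/(?P<level>\w+)\s*;\s*$"
)


def parse_setkey(text):
    """Return (policies, problems): the spdadd lines of a setkey.conf as dicts;
    flush/spdflush and comments are ignored, malformed spdadd lines reported."""
    policies, problems = [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("spdadd"):
            continue
        m = SPDADD.match(line)
        if m:
            policies.append(m.groupdict())
        else:
            problems.append(f"line {n}: unparsable spdadd")
    return policies, problems


def mirror_problems(policies):
    """Every 'out' policy needs an 'in' policy with src/dst and the tunnel
    endpoints swapped and the same protocol, mode and level; otherwise only
    one direction of the interesting traffic is covered."""
    problems = []
    ins = [p for p in policies if p["dir"] == "in"]
    for out in (p for p in policies if p["dir"] == "out"):
        want = dict(out, dir="in", src=out["dst"], dst=out["src"],
                    tsrc=out["tdst"], tdst=out["tsrc"])
        if want not in ins:
            problems.append(f"no inbound mirror of {out['src']} -> {out['dst']} "
                            f"(expected {want['src']} -> {want['dst']} via {want['tsrc']}-{want['tdst']})")
    return problems


# Constructed: the article's setkey.conf, and a variant with the tunnel
# endpoints copied unswapped into the inbound rule.
SETKEY_OK = """\
flush;
spdflush;
spdadd 10.0.0.0/24 10.100.43.0/24 any -P out ipsec esp/tunnel/119.29.202.116-183.60.249.29/require;
spdadd 10.100.43.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/183.60.249.29-119.29.202.116/require;
"""
SETKEY_BAD = SETKEY_OK.replace("tunnel/183.60.249.29-119.29.202.116",
                               "tunnel/119.29.202.116-183.60.249.29")

if __name__ == "__main__":
    for name, text in (("ok", SETKEY_OK), ("bad", SETKEY_BAD)):
        policies, problems = parse_setkey(text)
        print(name, problems or mirror_problems(policies) or "policies mirror correctly")
```

The article's file passes; the variant is reported with the inbound rule the checker expected, which is the line to compare against what was actually typed.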

3.6 Configuring the racoon.conf file

Back up the configuration file first

root@VM_0_2_centos ~# cp /etc/racoon/racoon.conf /backup

The intermediate negotiation steps were tedious, so the configuration process is skipped and only the final file is shown. Different environments and parameters may need different files; the configuration is for reference only:

root@VM_0_2_centos racoon# cat racoon.conf

# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote anonymous
{
    exchange_mode main;
    my_identifier address "119.29.202.116";
    peers_identifier address "183.60.249.29";
    nat_traversal on;
    #my_identifier fqdn "host.name.of.vpn.client";
    #certificate_type x509 "client.crt" "client.key";
    #ca_type x509 "ca.crt";
    #mode_cfg on;
    #script "p1_up_down" phase1_up;
    #script "p1_up_down" phase1_down;
    proposal
    {
        lifetime time 24 hours;
        encryption_algorithm 3des;
        hash_algorithm sha1;
        #authentication_method xauth_rsa_client;
        authentication_method pre_shared_key;
        dh_group 1;
    }
}

sainfo anonymous
{
    #pfs_group 2;
    lifetime time 1 hour;
    encryption_algorithm 3des;
    authentication_algorithm hmac_sha1,hmac_md5;
    compression_algorithm deflate;
}

3.7 Starting the racoon service

After writing racoon.conf and checking it, the daemon kept reporting a syntax error, even though the statement follows the rules of the file that ships with the package; in the end it turned out that part of the configuration was missing;

root@VM_0_2_centos racoon# racoon -d -F -f /etc/racoon/racoon.conf

Foreground mode.

2017-07-04 19:18:26: ERROR: racoon: MLS support is not enabled.   # this error can be ignored

2017-07-04 19:18:26: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)

2017-07-04 19:18:26: INFO: @(#)This product linked OpenSSL 1.0.1e-fips 11 Feb 2013 (http://www.openssl.org/)

2017-07-04 19:18:26: INFO: Reading configuration from "/etc/racoon/racoon.conf"

2017-07-04 19:18:26: DEBUG: call pfkey_send_register for AH

2017-07-04 19:18:26: DEBUG: call pfkey_send_register for ESP

2017-07-04 19:18:26: DEBUG: call pfkey_send_register for IPCOMP

2017-07-04 19:18:26: DEBUG: reading config file /etc/racoon/racoon.conf

2017-07-04 19:18:26: ERROR: /etc/racoon/racoon.conf:27: "}" DH group required.

2017-07-04 19:18:26: ERROR: fatal parse failure (1 errors)

racoon: failed to parse configuration file.

It says a DH group must be configured; edit the configuration file and enable DH group 1.

After Googling, the other message can be ignored: 2017-07-04 19:18:26: ERROR: racoon: MLS support is not enabled.

Continue debugging...

root@VM_0_2_centos racoon# racoon -d -F -f /etc/racoon/racoon.conf

Foreground mode.

2017-07-04 19:24:32: ERROR: racoon: MLS support is not enabled.

2017-07-04 19:24:32: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)

2017-07-04 19:24:32: INFO: @(#)This product linked OpenSSL 1.0.1e-fips 11 Feb 2013 (http://www.openssl.org/)

2017-07-04 19:24:32: INFO: Reading configuration from "/etc/racoon/racoon.conf"

2017-07-04 19:24:32: DEBUG: call pfkey_send_register for AH

2017-07-04 19:24:32: DEBUG: call pfkey_send_register for ESP

2017-07-04 19:24:32: DEBUG: call pfkey_send_register for IPCOMP

2017-07-04 19:24:32: DEBUG: reading config file /etc/racoon/racoon.conf

2017-07-04 19:24:32: DEBUG: no check of compression algorithm; not supported in sadb message.

2017-07-04 19:24:32: DEBUG: getsainfo params: loc='ANONYMOUS' rmt='ANONYMOUS' peer='NULL' client='NULL' id=0

2017-07-04 19:24:32: DEBUG: open /var/racoon/racoon.sock as racoon management.

2017-07-04 19:24:32: DEBUG: Netlink: address 10.0.0.2 added

2017-07-04 19:24:32: INFO: 10.0.0.2[500] used for NAT-T

2017-07-04 19:24:32: INFO: 10.0.0.2[500] used as isakmp port (fd=8)

2017-07-04 19:24:32: INFO: 10.0.0.2[4500] used for NAT-T

2017-07-04 19:24:32: INFO: 10.0.0.2[4500] used as isakmp port (fd=9)

2017-07-04 19:24:32: DEBUG: Netlink: address 127.0.0.0 added

2017-07-04 19:24:32: INFO: 127.0.0.0[500] used for NAT-T

2017-07-04 19:24:32: INFO: 127.0.0.0[500] used as isakmp port (fd=10)

2017-07-04 19:24:32: INFO: 127.0.0.0[4500] used for NAT-T

2017-07-04 19:24:32: INFO: 127.0.0.0[4500] used as isakmp port (fd=11)

2017-07-04 19:24:32: DEBUG: Netlink: address 127.0.0.1 added

2017-07-04 19:24:32: INFO: 127.0.0.1[500] used for NAT-T

2017-07-04 19:24:32: INFO: 127.0.0.1[500] used as isakmp port (fd=12)

2017-07-04 19:24:32: INFO: 127.0.0.1[4500] used for NAT-T

2017-07-04 19:24:32: INFO: 127.0.0.1[4500] used as isakmp port (fd=13)

2017-07-04 19:24:32: DEBUG: pk_recv: retry0 recv()

2017-07-04 19:24:32: DEBUG: got pfkey X_SPDDUMP message

2017-07-04 19:24:32: DEBUG: pk_recv: retry0 recv()

2017-07-04 19:24:32: DEBUG: got pfkey X_SPDDUMP message

2017-07-04 19:24:32: DEBUG: sub:0x7ffdc359be00: 10.100.43.0/24[0] 10.0.0.0/24[0] proto=any dir=in

2017-07-04 19:24:32: DEBUG: db :0x7f8ec0667b90: 10.100.43.0/24[0] 10.0.0.0/24[0] proto=any dir=fwd

2017-07-04 19:24:32: DEBUG: pk_recv: retry0 recv()

2017-07-04 19:24:32: DEBUG: got pfkey X_SPDDUMP message

2017-07-04 19:24:32: DEBUG: sub:0x7ffdc359be00: 10.0.0.0/24[0] 10.100.43.0/24[0] proto=any dir=out

2017-07-04 19:24:32: DEBUG: db :0x7f8ec0667b90: 10.100.43.0/24[0] 10.0.0.0/24[0] proto=any dir=fwd

2017-07-04 19:24:32: DEBUG: sub:0x7ffdc359be00: 10.0.0.0/24[0] 10.100.43.0/24[0] proto=any dir=out

2017-07-04 19:24:32: DEBUG: db :0x7f8ec0668b30: 10.100.43.0/24[0] 10.0.0.0/24[0] proto=any dir=in

3.8 Deploying the VSR negotiation parameters

With ipsec-tools configured, we move on to the VSR. In a real deployment from the cloud console the configuration is pushed to the device automatically, but for this example it is entered by hand on the command line;

[vpngw-m2dqykt1]ike keychain keychain1
[vpngw-m2dqykt1-ike-keychain-keychain1]pre-shared-key address 119.29.202.116 key simple 123456
[vpngw-m2dqykt1-ike-keychain-keychain1]quit
[vpngw-m2dqykt1]ike proposal 1
[vpngw-m2dqykt1-ike-proposal-1]authentication-algorithm sha
[vpngw-m2dqykt1-ike-proposal-1]authentication-method pre-share
[vpngw-m2dqykt1-ike-proposal-1]exit
[vpngw-m2dqykt1]ike profile profileName1
[vpngw-m2dqykt1-ike-profile-profileName1]local-identity address 183.60.249.29
[vpngw-m2dqykt1-ike-profile-profileName1]match remote identity address 119.29.202.116
[vpngw-m2dqykt1-ike-profile-profileName1]keychain keychain1
[vpngw-m2dqykt1-ike-profile-profileName1]exchange-mode main
[vpngw-m2dqykt1-ike-profile-profileName1]exit
[vpngw-m2dqykt1]ipsec transform-set trans1
[vpngw-m2dqykt1-ipsec-transform-set-trans1]protocol esp
[vpngw-m2dqykt1-ipsec-transform-set-trans1]esp authentication-algorithm sha1
[vpngw-m2dqykt1-ipsec-transform-set-trans1]esp encryption-algorithm 3des-cbc
[vpngw-m2dqykt1-ipsec-transform-set-trans1]quit
[vpngw-m2dqykt1]acl advanced 3002
[vpngw-m2dqykt1-acl-ipv4-adv-3002]rule 0 permit ip source 10.100.43.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
[vpngw-m2dqykt1-acl-ipv4-adv-3002]exit
[vpngw-m2dqykt1]ipsec policy policy1 1 isakmp
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-1]transform-set trans1
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-1]security acl 3002
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-1]remote-address 119.29.202.116
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-1]ike-profile profileName1
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-1]sa duration time-based 3600
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-1]sa duration traffic-based 184000
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-1]quit
[vpngw-m2dqykt1]interface reth1
[vpngw-m2dqykt1-Reth1]ipsec apply policy policy1
[vpngw-m2dqykt1-Reth1]exit

3.9 Starting the negotiation

3.9.1 Proposal parameter mismatch

Trigger the negotiation from the VSR on the Tencent Cloud side with a ping (ping -a 10.100.43.199 10.0.0.2), enable debug output on the ipsec-tools side and watch the log:

2017-07-04 19:46:43: DEBUG: type=Life Duration, flag=0x0000, lorv=4

2017-07-04 19:46:43: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=2

2017-07-04 19:46:43: DEBUG: trns#=2, trns-id=IKE

2017-07-04 19:46:43: DEBUG:   lifetime = 86400

2017-07-04 19:46:43: DEBUG:   lifebyte = 0

2017-07-04 19:46:43: DEBUG:   enctype = DES-CBC

2017-07-04 19:46:43: DEBUG:   encklen = 0

2017-07-04 19:46:43: DEBUG:   hashtype = SHA

2017-07-04 19:46:43: DEBUG:   authmethod = pre-shared key

2017-07-04 19:46:43: DEBUG:   dh_group = 768-bit MODP group

2017-07-04 19:46:43: ERROR: no suitable proposal found.

2017-07-04 19:46:43: 183.60.249.29 ERROR: failed to get valid proposal.

2017-07-04 19:46:43: 183.60.249.29 ERROR: failed to pre-process ph1 packet (side: 1, status 1).

2017-07-04 19:46:43: 183.60.249.29 ERROR: phase1 negotiation failed.

Every time it printed that no matching proposal was found. After comparing the two sides, the ipsec-tools side had no lifetime set, so the line `lifetime time 24 hours;` was added to keep the two sides consistent; on re-initiating the negotiation, the proposal was accepted;

2017-07-04 19:51:19: DEBUG: trns#=1, trns-id=IKE

2017-07-04 19:51:19: DEBUG:   lifetime = 86400

2017-07-04 19:51:19: DEBUG:   lifebyte = 0

2017-07-04 19:51:19: DEBUG:   enctype = 3DES-CBC

2017-07-04 19:51:19: DEBUG:   encklen = 0

2017-07-04 19:51:19: DEBUG:   hashtype = SHA

2017-07-04 19:51:19: DEBUG:   authmethod = pre-shared key

2017-07-04 19:51:19: DEBUG:   dh_group = 768-bit MODP group

2017-07-04 19:51:19: DEBUG: an acceptable proposal found.

2017-07-04 19:51:19: DEBUG: hmac(modp768)

2017-07-04 19:51:19: DEBUG: agreed on pre-shared key auth.
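Both this section and 2.8.3 come down to the same mechanism: the responder walks the initiator's ISAKMP transforms one by one and accepts the first whose attributes all match its own proposal; if none does, it answers NO_PROPOSAL_CHOSEN (Libreswan) or logs "no suitable proposal found" (racoon). The model below is an added example (not the article's code and not part of racoon or Libreswan). It compares transforms attribute by attribute and reports, per transform, what did not match. Whether the lifetime must agree depends on the responder's policy (racoon's `proposal_check` directive); the article's fix was to set the same lifetime on both sides, so the strict comparison is the default here. The inputs are constructed from the racoon debug output above and from the DH-group situation in 2.8.3:

```python
DH_GROUPS = {1: "768-bit MODP group", 2: "1024-bit MODP group",
             5: "1536-bit MODP group", 14: "2048-bit MODP group"}
ATTRS = ("enc", "hash", "auth", "dh_group", "lifetime")


def compare(transform, proposal, strict_lifetime=True):
    """Attribute names on which the initiator's transform differs from the
    responder's configured proposal. lifetime is compared only when
    strict_lifetime is set (racoon's proposal_check controls this)."""
    return [a for a in ATTRS
            if (a != "lifetime" or strict_lifetime) and transform.get(a) != proposal.get(a)]


def select(transforms, proposal, strict_lifetime=True):
    """(accepted transform or None, {transform number: mismatching attrs}).
    The first transform with no mismatch is accepted; None means the
    responder would answer NO_PROPOSAL_CHOSEN."""
    report = {}
    for t in transforms:
        diff = compare(t, proposal, strict_lifetime)
        report[t["num"]] = diff
        if not diff:
            return t, report
    return None, report


def explain(report, transforms):
    """Human-readable lines, naming the DH group the way racoon logs it."""
    by_num = {t["num"]: t for t in transforms}
    lines = []
    for num, diff in report.items():
        if not diff:
            lines.append(f"transform {num}: acceptable")
            continue
        parts = []
        for a in diff:
            v = by_num[num].get(a)
            if a == "dh_group":
                v = DH_GROUPS.get(v, f"group {v}")
            parts.append(f"{a}={v}")
        lines.append(f"transform {num}: rejected on " + ", ".join(parts))
    return lines


# Constructed from the article's racoon debug output (3.9.1): the VSR's two
# transforms, and racoon's proposal before and after `lifetime time 24 hours;`.
VSR_TRANSFORMS = [
    {"num": 1, "enc": "3des", "hash": "sha1", "auth": "psk", "dh_group": 1, "lifetime": 86400},
    {"num": 2, "enc": "des", "hash": "sha1", "auth": "psk", "dh_group": 1, "lifetime": 86400},
]
RACOON_BEFORE = {"enc": "3des", "hash": "sha1", "auth": "psk", "dh_group": 1, "lifetime": None}
RACOON_AFTER = dict(RACOON_BEFORE, lifetime=86400)

# The 2.8.3 case: the VSR defaults to DH group 1 while libreswan has modp1024 (group 2).
VSR_GROUP1 = [{"num": 1, "enc": "3des", "hash": "md5", "auth": "psk", "dh_group": 1, "lifetime": 86400}]
LIBRESWAN_2_8_3 = {"enc": "3des", "hash": "md5", "auth": "psk", "dh_group": 2, "lifetime": 86400}

if __name__ == "__main__":
    for label, transforms, proposal in (("racoon before", VSR_TRANSFORMS, RACOON_BEFORE),
                                        ("racoon after", VSR_TRANSFORMS, RACOON_AFTER),
                                        ("libreswan 2.8.3", VSR_GROUP1, LIBRESWAN_2_8_3)):
        accepted, report = select(transforms, proposal)
        print(label, "->", "accepted" if accepted else "NO_PROPOSAL_CHOSEN")
        for line in explain(report, transforms):
            print("   ", line)
```

With racoon's pre-fix proposal both VSR transforms are rejected (transform 1 on lifetime alone, transform 2 on encryption and lifetime); after the lifetime is added transform 1 is accepted and transform 2 is never examined, which matches the second log excerpt above. For 2.8.3 the only mismatch is the DH group, and the report names it as the 768-bit MODP group that racoon's log calls "dh_group = 768-bit MODP group".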

3.10 Negotiation succeeded

3.10.1 VSR-side negotiation information

Initiate from the VSR side, using a ping to trigger it, then check the IKE SA and the IPsec SA: the negotiation succeeded;

<vpngw-m2dqykt1>display ipsec sa


Interface: Reth1



IPsec policy: policy1

Sequence number: 1

Mode: ISAKMP


Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1736
Tunnel:
    local  address: 169.254.128.21
    remote address: 119.29.202.116
Flow:
    sour addr: 10.100.43.0/255.255.255.0  port: 0  protocol: ip
    dest addr: 10.0.0.0/255.255.255.0  port: 0  protocol: ip
[Inbound ESP SAs]
  SPI: 2689102830 (0xa04873ee)
  Connection ID: 21474836481
  Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
  SA duration (kilobytes/sec): 184000/3600
  SA remaining duration (kilobytes/sec): 184000/3549
  Max received sequence-number: 0
  Anti-replay check enable: Y
  Anti-replay window size: 64
  UDP encapsulation used for NAT traversal: Y
  Status: Active
[Outbound ESP SAs]
  SPI: 230870860 (0x0dc2cf4c)
  Connection ID: 64424509440
  Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
  SA duration (kilobytes/sec): 184000/3600
  SA remaining duration (kilobytes/sec): 183999/3549
  Max sent sequence-number: 2
  UDP encapsulation used for NAT traversal: Y
  Status: Active

<vpngw-m2dqykt1>dis

<vpngw-m2dqykt1>display ike sa verbose


Connection ID: 9

Outside VPN:

Inside VPN:

Profile: profileName1

Transmitting entity: Initiator


Local IP: 169.254.128.21

Local ID type: IPV4_ADDR

Local ID: 183.60.249.29

Remote IP: 119.29.202.116

Remote ID type: IPV4_ADDR

Remote ID: 119.29.202.116

Authentication-method: PRE-SHARED-KEY

Authentication-algorithm: SHA1

Encryption-algorithm: 3DES-CBC

Life duration(sec): 86400

Remaining key duration(sec): 86340

Exchange-mode: Main

Diffie-Hellman group: Group 1

NAT traversal: Detected

Extend authentication: Disabled

Assigned IP address:

<vpngw-m2dqykt1>display ipsec sa b

<vpngw-m2dqykt1>display ipsec sa brief


Interface/Global          Dst Address       SPI         Protocol    Status


Reth1                     119.29.202.116    230870860   ESP         Active

Reth1                     169.254.128.21    2689102830  ESP         Active

<vpngw-m2dqykt1>

3.10.2 ipsec-tools negotiation parameters

On the ipsec-tools side the negotiated SAs can be seen with setkey -D; this means IPsec can now encrypt the subsequent traffic, i.e. the negotiation succeeded;

root@VM_0_2_centos racoon# setkey -D

10.0.0.2[4500] 183.60.249.29[4500]

esp-udp mode=tunnel spi=4094358944(0xf40af5a0) reqid=0(0x00000000)
E: 3des-cbc  21f9a17d 353b67b4 14bf08ae 87897273 948191f1 b23e13dd
A: hmac-sha1  3b24b820 ffed4ef7 ee32172c 35af0144 67d1b085
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jul  4 20:07:28 2017	current: Jul  4 20:12:48 2017
diff: 320(s)	hard: 3600(s)	soft: 2880(s)
last:                     	hard: 0(s)	soft: 0(s)
current: 0(bytes)	hard: 0(bytes)	soft: 0(bytes)
allocated: 0	hard: 0	soft: 0
sadb_seq=1 pid=20143 refcnt=0

183.60.249.29[4500] 10.0.0.2[4500]

esp-udp mode=tunnel spi=88888734(0x054c559e) reqid=0(0x00000000)
E: 3des-cbc  2d07fe6b 28bc6840 159cf64f df7bdff4 7c6fc6d6 16edaa00
A: hmac-sha1  9884ed5e a6d07acf 7273fce6 65ca9872 cfdc73dc
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jul  4 20:07:28 2017	current: Jul  4 20:12:48 2017
diff: 320(s)	hard: 3600(s)	soft: 2880(s)
last: Jul  4 20:07:30 2017	hard: 0(s)	soft: 0(s)
current: 336(bytes)	hard: 0(bytes)	soft: 0(bytes)
allocated: 4	hard: 0	soft: 0
sadb_seq=0 pid=20143 refcnt=0

root@VM_0_2_centos racoon#



Article link: https://www.kinber.cn/post/449.html (authorization required to repost)
