Disclaimer: this page is a translation of a popular StackOverflow question, licensed under CC BY-SA 4.0. If you use it you must follow the same CC BY-SA license, cite the original URL and author information, and attribute it to the original authors (not me): StackOverFlow
原文地址: http://stackoverflow.com/questions/10813000/
Openswan tunnel not working after network restart
Asked by user1403360
I observed some strange behaviour while trying to create an ipsec connection. I configured ipsec between a cisco asa and my Linux box and it works as expected. But when I restart the network service on my Linux box or restart the port on the cisco side, the tunnel stops working but the tunnel status is up:
/etc/init.d/ipsec status
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
IPsec running - pluto pid: 2684
pluto pid 2684
1 tunnels up
some eroutes exist
When I try to connect to the other side (telnet, ping, ssh), the connection doesn't work.
My /etc/ipsec.conf looks like this:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual:     ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Debug-logging controls:  "none" for (almost) none, "all" for lots.
        # klipsdebug=none
        # plutodebug="control parsing"
        # For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
        protostack=netkey
        nat_traversal=yes
        virtual_private=
        oe=off
        # Enable this if you see "failed to find any available worker"
        nhelpers=0

# You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
And my /etc/ipsec.d/myvpn.conf looks like this:
conn myvpn
        authby=secret                # Key exchange method
        left=server-ip               # Public Internet IP address of the
                                     #   LEFT VPN device
        leftsubnet=server-ip/32      # Subnet protected by the LEFT VPN device
        leftnexthop=%defaultroute    # correct in many situations
        right=asa-ip                 # Public Internet IP address of
                                     #   the RIGHT VPN device
        rightsubnet=network/16       # Subnet protected by the RIGHT VPN device
        rightnexthop=asa-ip          # correct in many situations
        auto=start                   # authorizes and starts this connection
                                     #   on booting
        auth=esp
        esp=aes-sha1
        compress=no
When I restart the openswan service everything starts working, but I think there should be some logic that does this automatically. Has anyone an idea what I am missing?
Accepted answer by mikebabcock
You probably want to enable dead peer detection if available on both sides. Dead peer detection notices when the tunnel isn't actually working anymore and disconnects or resets it.
If not available, you can also try changing your session renegotiation time down very low; your tunnel will create new keys frequently and set up new tunnels to replace the old ones on a regular basis, effectively recreating the tunnel after that timeout when the session has gone down.
For PPP sessions on Linux myself, I simply have a "service ipsec restart" in /etc/ppp/ip-up.local to restart all tunnels whenever the PPP device comes back online.
YMMV.
Answer by twinsant
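As an added example (not part of the accepted answer), here is the conn from the question with the two measures mikebabcock describes applied: dead peer detection, and shorter lifetimes as the fallback. The dpddelay, dpdtimeout, dpdaction, ikelifetime, salifetime and rekey keywords are Openswan ipsec.conf(5) options; the timer values are illustrative, and DPD only helps if the ASA side has it enabled too.

```ini
conn myvpn
        authby=secret
        left=server-ip
        leftsubnet=server-ip/32
        leftnexthop=%defaultroute
        right=asa-ip
        rightsubnet=network/16
        rightnexthop=asa-ip
        auto=start
        auth=esp
        esp=aes-sha1
        compress=no
        # Dead peer detection (RFC 3706): probe the peer after 30 s of
        # silence; if it stays silent for 120 s, tear the SAs down and
        # re-initiate instead of leaving a dead tunnel reported as "up".
        dpddelay=30
        dpdtimeout=120
        dpdaction=restart
        # Fallback from the answer: short lifetimes force frequent
        # renegotiation, so a tunnel that died silently is rebuilt at
        # the next rekey at the latest. Values are illustrative, not tuned.
        ikelifetime=1h
        salifetime=20m
        rekey=yes
```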
Just tried DPD, but it did not work.
So I just learned from mikebabcock.
Add the following line to my /etc/ppp/ip-down:
service ipsec restart
With this workaround, now L2TP/IPSec worked like a charm.
Answer by Denis V
I don't like the idea of restarting ipsec every time you lose connection. Actually /usr/libexec/ipsec/_updown is run on different actions in ipsec. The same script can be run on leftupdown/rightupdown. But the problem is that it doesn't perform any actual command when the remote client connects back to your host. To fix this issue you need to add "doroute replace" after "up-client)" in /usr/libexec/ipsec/_updown.netkey (if you use Netkey of course):
# ...skipped...
#
up-client)
        # connection to my client subnet coming up
        # If you are doing a custom version, firewall commands go here.
        doroute replace
#
# ...skipped...
But be aware, this file will be overwritten, if you update your packages, so just put it somewhere else, and then add the following commands to your connection config:
rightupdown="/usr/local/libexec/ipsec/_updown"
leftupdown="/usr/local/libexec/ipsec/_updown"
Now the routes will be restored as soon as the remote connects back to your server.
Answer by giuseppe
Also for me, for strange reasons DPD does not work properly in every situation.
I use this script to check the status every minute. The script runs on the Peer (e.g. the Firewall):
#!/bin/sh
# Count the "established" lines in the Openswan status output.
C=$(ipsec auto --status | grep "established" | wc -l)
if [ "$C" -eq 0 ]
then
        echo "Tunnel is down... Restarting"
        ipsec restart
else
        echo "Tunnel is up...Bye!"
fi
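An added example (not giuseppe's script) that sharpens the check: counting every line containing "established" also matches an ISAKMP (phase 1) SA with no IPsec SA behind it, and any other connection's state. This version looks for an IPsec SA of one named conn, using constructed sample status lines; the conn name myvpn is taken from the question.

```shell
#!/bin/sh
# Per-connection health check for Openswan (added example, not the answer's
# script). Parses `ipsec auto --status` text and looks for an IPsec (phase 2)
# SA of one named conn, rather than counting any line containing "established".

# tunnel_established STATUS_TEXT CONN_NAME
# Exit 0 when CONN_NAME has an IPsec SA established, 1 otherwise. A lone
# "ISAKMP SA established" (phase 1 only) or another conn's SA does not count.
tunnel_established() {
    printf '%s\n' "$1" | grep -F "\"$2\"" | grep -q 'IPsec SA established'
}

# Constructed sample status lines (not captured from a real host); the format
# follows Openswan's '000 #<n>: "<conn>":500 <STATE> (...)' status lines.
STATUS_HEALTHY='000 #1: "myvpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1900s; newest ISAKMP; lastdpd=5s(seq in:0 out:0); idle
000 #2: "myvpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2500s; newest IPSEC; eroute owner; isakmp#1; idle'

# Phase 1 only: "grep established | wc -l" would report 1 and call this
# healthy, yet there is no ESP SA, so no traffic can pass.
STATUS_PHASE1_ONLY='000 #1: "myvpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 1900s; newest ISAKMP; idle'

# Another connection's SA must not be mistaken for myvpn's.
STATUS_OTHER_CONN='000 #4: "othervpn":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); newest IPSEC; eroute owner; isakmp#3; idle'

# check_and_repair CONN_NAME: cron entry point on a live host. Re-initiates
# only the affected conn instead of restarting the whole ipsec service.
check_and_repair() {
    if tunnel_established "$(ipsec auto --status 2>/dev/null)" "$1"; then
        echo "Tunnel $1 is up"
    else
        echo "Tunnel $1 has no IPsec SA... re-initiating"
        ipsec auto --down "$1"
        ipsec auto --up "$1"
    fi
}

# Usage on the peer, e.g. from cron every minute:  check_and_repair myvpn
```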
Answer by Wiz
This could happen because of iptables rules.
Be sure to have enabled UDP port 500 and the ESP protocol towards the remote public IP address.
Example:
iptables -A OUTPUT -p udp -d 1.2.3.4 --dport 500 -j ACCEPT
iptables -A OUTPUT -p esp -d 1.2.3.4 -j ACCEPT
Bye