Strongswan IKEv2 REAUTH request

I have successfully set up an IKEv2 connection between a Mikrotik router with an LTE module and a Strongswan server. The Mikrotik has a non-public, dynamic IP address assigned by the SIM card.

Strongswan:

config setup
   charondebug="all"
   uniqueids=yes
   strictcrlpolicy=no

conn %default
   keyexchange=ikev2

conn tunnel
   reauth=no            # reauthentication disabled (tunnel is stable this way)
   rightsendcert=never
   left=87.236.194.196
   leftsubnet=192.168.80.0/24
   right=%any           # peer has a dynamic, non-public address
   rightsubnet=0.0.0.0/0
   keyingtries=0
   ikelifetime=1h
   lifetime=8h
   dpddelay=30
   dpdtimeout=120
   dpdaction=clear
   authby=secret
   auto=route
   type=tunnel

Mikrotik:

/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc lifetime=1h pfs-group=none
/ip ipsec peer add address=89.187.144.196/32 dh-group=modp1024 enc-algorithm=aes-256 exchange-mode=ike2 lifetime=8h secret=XYZ
/ip ipsec policy add dst-address=192.168.80.0/24 sa-dst-address=89.187.144.196 sa-src-address=0.0.0.0 src-address=192.168.40.0/24 tunnel=yes

Everything works fine when reauthentication is disabled in the conn section. When reauthentication is enabled (the default), the reauthentication tears down the IPsec tunnel and the connection is re-established.

May 14 10:05:50 mvvk4-1 charon: 05[IKE] initiator did not reauthenticate as requested
May 14 10:05:50 mvvk4-1 charon: 05[IKE] reauthenticating IKE_SA tunnel[137] actively
May 14 10:05:50 mvvk4-1 charon: 05[IKE] deleting IKE_SA tunnel[137] between 87.236.194.196[87.236.194.196]...89.24.32.111[100.111.170.80]
May 14 10:05:50 mvvk4-1 charon: 05[IKE] sending DELETE for IKE_SA tunnel[137]
May 14 10:05:50 mvvk4-1 charon: 05[ENC] generating INFORMATIONAL request 34 [ D ]
May 14 10:05:50 mvvk4-1 charon: 05[NET] sending packet: from 87.236.194.196[4500] to 89.24.32.111[61529] (76 bytes)
May 14 10:05:50 mvvk4-1 charon: 13[NET] received packet: from 89.24.32.111[61529] to 87.236.194.196[4500] (92 bytes)
May 14 10:05:50 mvvk4-1 charon: 13[ENC] parsed INFORMATIONAL response 34 [ ]
May 14 10:05:50 mvvk4-1 charon: 13[IKE] IKE_SA deleted
May 14 10:05:50 mvvk4-1 charon: 13[IKE] restarting CHILD_SA tunnel
May 14 10:05:50 mvvk4-1 charon: 13[IKE] unable to resolve %any, initiate aborted
May 14 10:05:50 mvvk4-1 charon: 13[MGR] tried to check-in and delete nonexisting IKE_SA
May 14 10:05:50 mvvk4-1 charon: 13[IKE] reauthenticating IKE_SA failed
May 14 10:05:53 mvvk4-1 charon: 05[NET] received packet: from 89.24.32.111[61529] to 87.236.194.196[4500] (296 bytes)
May 14 10:05:53 mvvk4-1 charon: 05[ENC] parsed IKE_SA_INIT request 0 [ N(NATD_D_IP) N(NATD_S_IP) No KE SA ]
May 14 10:05:53 mvvk4-1 charon: 05[IKE] 89.24.32.111 is initiating an IKE_SA
May 14 10:05:53 mvvk4-1 charon: 05[IKE] remote host is behind NAT
May 14 10:05:53 mvvk4-1 charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
May 14 10:05:53 mvvk4-1 charon: 05[NET] sending packet: from 87.236.194.196[4500] to 89.24.32.111[61529] (312 bytes)
May 14 10:05:53 mvvk4-1 charon: 14[NET] received packet: from 89.24.32.111[61529] to 87.236.194.196[4500] (316 bytes)
May 14 10:05:53 mvvk4-1 charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(INIT_CONTACT) SA TSi TSr ]
May 14 10:05:53 mvvk4-1 charon: 14[CFG] looking for peer configs matching 87.236.194.196[%any]...89.24.32.111[100.111.170.80]
May 14 10:05:53 mvvk4-1 charon: 14[CFG] selected peer config 'tunnel'
May 14 10:05:53 mvvk4-1 charon: 14[IKE] authentication of '100.111.170.80' with pre-shared key successful
May 14 10:05:53 mvvk4-1 charon: 14[IKE] authentication of '87.236.194.196' (myself) with pre-shared key
May 14 10:05:53 mvvk4-1 charon: 14[IKE] IKE_SA tunnel[144] established between 87.236.194.196[87.236.194.196]...89.24.32.111[100.111.170.80]
May 14 10:05:53 mvvk4-1 charon: 14[IKE] scheduling reauthentication in 3346s
May 14 10:05:53 mvvk4-1 charon: 14[IKE] maximum IKE_SA lifetime 3526s
May 14 10:05:53 mvvk4-1 charon: 14[IKE] CHILD_SA tunnel{126} established with SPIs c1db676c_i 09f7b444_o and TS 192.168.80.0/24 === 192.168.88.0/24
May 14 10:05:53 mvvk4-1 charon: 14[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
May 14 10:05:53 mvvk4-1 charon: 14[NET] sending packet: from 87.236.194.196[4500] to 89.24.32.111[61529] (220 bytes)
May 14 10:06:23 mvvk4-1 charon: 04[IKE] sending DPD request
May 14 10:06:23 mvvk4-1 charon: 04[ENC] generating INFORMATIONAL request 0 [ ]
May 14 10:06:23 mvvk4-1 charon: 04[NET] sending packet: from 87.236.194.196[4500] to 89.24.32.111[61529] (76 bytes)

There are no problems with rekeying.

I would like to ask where the problem might be: on the Mikrotik side, on the server side, or is it related to NAT? Thanks.

0 answers
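The log excerpt in the question has a recognisable signature: the responder asks the initiator to reauthenticate (the N(AUTH_LFT) notify), the initiator does not, strongSwan then tries to reauthenticate "actively", deletes the IKE_SA, and immediately fails because the remote is `%any` and cannot be resolved; the tunnel only comes back a few seconds later when the Mikrotik initiates on its own. The script below is an added example (not code from the question or from the strongSwan project) that runs that detection over charon log lines and reports each outage, its duration, the cause, and when the next scheduled reauthentication will hit. The sample log is a trimmed copy of the lines shown in the question; the record field names are the example's own.

```python
import re
from datetime import datetime

# Constructed sample: a trimmed excerpt of the charon lines quoted in the
# question (responder with right=%any, reauthentication enabled).
SAMPLE_LOG = """\
May 14 10:05:50 mvvk4-1 charon: 05[IKE] initiator did not reauthenticate as requested
May 14 10:05:50 mvvk4-1 charon: 05[IKE] reauthenticating IKE_SA tunnel[137] actively
May 14 10:05:50 mvvk4-1 charon: 05[IKE] deleting IKE_SA tunnel[137] between 87.236.194.196[87.236.194.196]...89.24.32.111[100.111.170.80]
May 14 10:05:50 mvvk4-1 charon: 05[NET] sending packet: from 87.236.194.196[4500] to 89.24.32.111[61529] (76 bytes)
May 14 10:05:50 mvvk4-1 charon: 13[IKE] IKE_SA deleted
May 14 10:05:50 mvvk4-1 charon: 13[IKE] restarting CHILD_SA tunnel
May 14 10:05:50 mvvk4-1 charon: 13[IKE] unable to resolve %any, initiate aborted
May 14 10:05:50 mvvk4-1 charon: 13[IKE] reauthenticating IKE_SA failed
May 14 10:05:53 mvvk4-1 charon: 05[IKE] 89.24.32.111 is initiating an IKE_SA
May 14 10:05:53 mvvk4-1 charon: 14[IKE] IKE_SA tunnel[144] established between 87.236.194.196[87.236.194.196]...89.24.32.111[100.111.170.80]
May 14 10:05:53 mvvk4-1 charon: 14[IKE] scheduling reauthentication in 3346s
May 14 10:05:53 mvvk4-1 charon: 14[IKE] CHILD_SA tunnel{126} established with SPIs c1db676c_i 09f7b444_o and TS 192.168.80.0/24 === 192.168.88.0/24
"""

# syslog-style prefix: "<Mon dd HH:MM:SS> <host> charon: <thread>[<group>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ charon: "
    r"(?P<thread>\d+)\[(?P<group>\w+)\] (?P<msg>.*)$"
)
# "IKE_SA <conn>[<unique id>]" as charon prints it
SA_RE = re.compile(r"IKE_SA (?P<conn>\S+)\[(?P<id>\d+)\]")


def parse_line(line):
    """Return (timestamp, log group, message) or None for non-charon lines.
    The syslog timestamp carries no year; differences within one day are
    what we need, so strptime's default year is good enough here."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["group"], m["msg"]


def find_reauth_outages(lines):
    """Return one record per failed responder-side reauthentication.

    Signature: 'initiator did not reauthenticate as requested', then an
    active reauth, IKE_SA deletion and (for a %any peer) 'unable to resolve
    %any'. The outage ends when the peer establishes a new IKE_SA itself.
    """
    incidents, cur = [], None
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, group, msg = parsed
        if group != "IKE":
            continue
        if msg == "initiator did not reauthenticate as requested":
            cur = {"peer_ignored_auth_lft": True, "cause": None,
                   "deleted_at": None, "gap_seconds": None}
        elif msg.startswith("scheduling reauthentication in") and incidents:
            # e.g. "scheduling reauthentication in 3346s": the next hit
            incidents[-1]["next_reauth_in"] = int(msg.rsplit(" ", 1)[1].rstrip("s"))
        elif cur is None:
            continue
        elif msg.startswith("reauthenticating IKE_SA") and msg.endswith("actively"):
            sa = SA_RE.search(msg)
            cur["conn"], cur["old_sa"] = sa["conn"], int(sa["id"])
        elif msg == "IKE_SA deleted":
            cur["deleted_at"] = ts
        elif msg == "unable to resolve %any, initiate aborted":
            cur["cause"] = "responder cannot initiate: remote is %any"
        elif msg == "reauthenticating IKE_SA failed" and cur["cause"] is None:
            cur["cause"] = "reauth failed"
        elif "established between" in msg:  # the IKE_SA line, not the CHILD_SA one
            sa = SA_RE.search(msg)
            if sa and cur["deleted_at"] and sa["conn"] == cur.get("conn"):
                cur["new_sa"] = int(sa["id"])
                cur["reestablished_at"] = ts
                cur["gap_seconds"] = (ts - cur["deleted_at"]).total_seconds()
                incidents.append(cur)
                cur = None
    return incidents


if __name__ == "__main__":
    for inc in find_reauth_outages(SAMPLE_LOG.splitlines()):
        print(f"{inc['conn']}: IKE_SA {inc['old_sa']} -> {inc['new_sa']}, "
              f"down {inc['gap_seconds']:.0f}s, cause: {inc['cause']}, "
              f"next reauth in {inc.get('next_reauth_in')}s")
```

Run it against `journalctl -u strongswan` output (or the syslog file charon writes to) to see how often the drop recurs; with the `ikelifetime=1h` in the question it fires roughly once an hour, which is what "scheduling reauthentication in 3346s" on the new IKE_SA predicts.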
