https://cloud.tencent.com/developer/article/1356861
Preface: among the many customers onboarding to Tencent Cloud, a lot do not buy dedicated VPN hardware and instead run third-party open-source software such as strongSwan, Openswan or ipsec-tools. During onboarding, and especially when negotiation fails, customers often ask whether Tencent Cloud's IPsec VPN is compatible with these implementations and whether it has actually been made to work with them. To put those doubts to rest, and to help resolve negotiation problems quickly in day-to-day operations, I wrote this article; I hope it is useful to operations and support colleagues.
1. Negotiating an IPsec VPN between strongSwan and the VSR
1.1 Installing strongSwan
Buy a VM with a public IP from the Tencent Cloud console, install CentOS on it, and use its private address to generate the interesting traffic that triggers negotiation.
Public address: 139.199.67.188
Private address: 10.135.151.136
[root@VM_0_175_centos etc]# yum -y install strongswan
...
Installed:
  strongswan.x86_64 0:5.4.0-2.el6        # strongSwan 5.4
Dependency Installed:
  trousers.x86_64 0:0.3.13-2.el6
1.2 Configuration directory
Change into the configuration directory created by the install, /etc/strongswan, and back up every configuration file before changing anything.
[root@VM_0_175_centos etc]# cd /etc/strongswan/
[root@VM_0_175_centos strongswan]# cp ipsec.conf ipsec.conf.backup
[root@VM_0_175_centos strongswan]# cp strongswan.conf strongswan.conf.backup
1.3 Editing ipsec.conf
ipsec.conf defines the authentication and encryption parameters used in phase 1 and phase 2 when negotiating with the peer. The edited file is shown below; many unused parameters have been removed.
[root@VM_151_136_centos strongswan]# cat ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration
config setup
    # strictcrlpolicy=yes
    uniqueids = never
    charondebug="ike 4, knl 4, net 4, cfg 4"

conn %default
    type=tunnel                  # tunnel mode
    ikelifetime=60m
    keylife=5m
    dpddelay=10s                 # the cloud VSR does not enable DPD by default; this line can be commented out
    rekeymargin=3m
    keyingtries=3
    mobike=no

conn site-to-site-Qcloud
    keyexchange=ikev1            # the negotiation version must be pinned to IKEv1 for now
    left=10.135.151.136          # local private address, also the forwarding gateway
    leftid=139.199.67.188        # local public IP that initiates negotiation, also the local-id used in negotiation
    leftsubnet=10.135.151.0/24   # local private subnet
    leftfirewall=no
    right=123.207.13.44
    rightid=123.207.13.44
    rightsubnet=10.0.0.0/16
    authby=secret                # authentication method: pre-shared key
    ike=aes128-sha1-modp1024
    esp=aes128-sha1
    auto=start                   # negotiation is started automatically when strongSwan starts
1.4 Editing strongswan.conf
strongswan.conf holds the basic settings for how strongSwan runs and what it loads. It has little effect on the negotiation itself; what matters here is logging, because the log file is what you read to locate negotiation errors. The default file can be used as is.
[root@VM_151_136_centos strongswan]# cat strongswan.conf
# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
    duplicheck.enable = no       # disable the duplicate check so several peers can connect
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    filelog {
        /var/log/strongswan.charon.log {
            time_format = %b %e %T
            default = 2          # log level
            append = no          # overwrite the previous log when strongSwan restarts
            flush_line = yes     # flush every line to disk
        }
    }
}

include strongswan.d/*.conf
1.5 Editing the secrets file
The secrets file defines the pre-shared key used when negotiating with the peer; the addresses of both ends must be given.
[root@VM_151_136_centos strongswan]# cat ipsec.secrets
# /etc/ipsec.secrets - strongSwan IPsec secrets file
139.199.67.188 123.207.13.44 : PSK "111"
# Note: there must be a space on each side of the colon. In my tests the negotiation simply would not come up, and after a long time debugging I found that a space was missing here. The space is very easy to overlook, so this cost me a lot of time.
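To catch the missing-space mistake described above before restarting charon, here is a small POSIX shell checker for the ipsec.secrets layout. It is an added example, not part of the original article or of strongSwan; the list of accepted secret types and the IPv4-only selector rule are assumptions made for the check.

```shell
#!/bin/sh
# Added example (not from the original article or strongSwan): validate the
# layout of strongSwan ipsec.secrets lines before restarting charon.
# strongSwan splits a line at a colon that has whitespace on BOTH sides;
# "139.199.67.188 123.207.13.44: PSK ..." is read as the second selector
# "123.207.13.44:" and never matches the peer, which is the bug in 1.5.

# check_secrets_line LINE -> prints "ok" or a reason; returns 1 on a bad line
check_secrets_line() {
    line=$1
    case $line in
        ''|'#'*|include*) echo "ok (blank, comment or include)"; return 0 ;;
        ': '*)     selectors=''; secret=${line#': '} ;;    # wildcard entry: no selectors
        *' : '*)   selectors=${line%%" : "*}; secret=${line#*" : "} ;;
        *': '*|*' :'*|*:*)
                   echo "colon must have a space on both sides"; return 1 ;;
        *)         echo "no ' : ' separator found"; return 1 ;;
    esac
    # secret types accepted here (assumption: the common ones, not strongSwan's full list)
    case $secret in
        PSK\ *|RSA\ *|ECDSA\ *|EAP\ *|XAUTH\ *|NTLM\ *|PIN\ *) ;;
        *) echo "unknown secret type '${secret%% *}'"; return 1 ;;
    esac
    # selectors: IPv4 address or subnet, %any, or an @identity (IPv6 not handled here)
    for sel in $selectors; do
        case $sel in
            %any|@*) ;;
            *[!0-9./]*) echo "bad selector '$sel'"; return 1 ;;
        esac
    done
    # a PSK value must be double-quoted, or hex/base64 with a 0x/0s prefix
    case $secret in
        PSK\ *)
            case $secret in
                'PSK "'*'"'|'PSK 0x'*|'PSK 0s'*) ;;
                *) echo "PSK value must be double-quoted (or 0x/0s encoded)"; return 1 ;;
            esac ;;
    esac
    echo ok
}

# check_secrets_file FILE -> reports every bad line to stderr; returns the number of bad lines
check_secrets_file() {
    bad=0; n=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        msg=$(check_secrets_line "$l") || { bad=$((bad + 1)); printf '%s:%d: %s\n' "$1" "$n" "$msg" >&2; }
    done < "$1"
    return $bad
}

# Demo on constructed lines: the entry that worked, and the one-missing-space variant
check_secrets_line '139.199.67.188 123.207.13.44 : PSK "111"'
check_secrets_line '139.199.67.188 123.207.13.44: PSK "111"' || true
```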
1.6 Triggering negotiation in strongSwan
Before negotiating, I recommend stopping iptables (optional, but to be safe just turn it off):
[root@VM_151_136_centos strongswan]# /etc/init.d/iptables stop
[root@VM_151_136_centos strongswan]# sudo strongswan restart
IPsec negotiation is normally triggered by interesting traffic. The simplest way is to send a ping from a private-network host on either side that matches the traffic selector; strongSwan then encapsulates that packet into the VPN according to the rule.
Apart from that, every start of the strongSwan daemon also triggers automatic IPsec negotiation, so always read the negotiation log while negotiating and adjust the configuration according to the specific error messages.
Negotiation can equally be initiated from the VSR on the Tencent Cloud side, with this end acting as responder; the result is the same.
The negotiation log lives at the path below. Always check it, and use it to diagnose problems in the negotiation:
[root@VM_151_136_centos strongswan]# cat /var/log/strongswan.charon.log
1.7 strongSwan status after successful negotiation
If the negotiation log shows no errors, the next step is to check the IPsec state. If the command below shows output like the following, the connection is up:
[root@VM_151_136_centos strongswan]# sudo strongswan statusall
Status of IKE charon daemon (strongSwan 5.4.0, Linux 2.6.32-573.el6.x86_64, x86_64):
uptime: 17 minutes, since Nov 29 18:55:52 2016
malloc: sbrk 536576, mmap 0, used 441552, free 95024
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon aes des rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp
Listening IP addresses:
10.135.151.136
Connections:
site-to-site-TC-DSP: 10.135.151.136...123.207.13.44 IKEv1
site-to-site-TC-DSP: local: 139.199.67.188 uses pre-shared key authentication
site-to-site-TC-DSP: remote: 123.207.13.44 uses pre-shared key authentication
site-to-site-TC-DSP: child: 10.135.151.0/24 === 10.0.0.0/16 TUNNEL
Security Associations (1 up, 0 connecting):
site-to-site-TC-DSP[1]: ESTABLISHED 17 minutes ago, 10.135.151.136[139.199.67.188]...123.207.13.44[123.207.13.44]
site-to-site-TC-DSP[1]: IKEv1 SPIs: e8cf3b95ed742c56_i* 1dc07691877ed2be_r, pre-shared key reauthentication in 2 hours
site-to-site-TC-DSP[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
site-to-site-TC-DSP{5}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c5be9505_i 4e2748c7_o
site-to-site-TC-DSP{5}: AES_CBC_128/HMAC_SHA1_96, 11928 bytes_i (142 pkts, 1s ago), 11928 bytes_o (142 pkts, 1s ago), rekeying in 43 minutes
site-to-site-TC-DSP{5}: 10.135.151.0/24 === 10.0.0.0/16
1.8 Errors during debugging
Error 1: "error writing to socket, invalid argument." appears during debugging
Searching online, I found that strongSwan's own issue tracker records a bug with this message, though the causes differ from case to case. In my case the error disappeared once I changed left in the configuration to the private address. Different environments may behave differently, so analyse each case on its own merits. See the following link:
https://wiki.strongswan.org/issues/543
2. Negotiating an IPsec VPN between Libreswan (Openswan) and the VSR
2.1 Device information
Openswan is again tested on a Linux CVM bought from the Tencent Cloud console, with CentOS6.8_X86-64 as the operating system. A public address is assigned, and the private address is used to generate the interesting traffic that triggers IPsec negotiation.
[root@VM_121_70_centos ~]# uname -r
2.6.32-642.6.2.el6.x86_64
Private address: 10.135.121.70
Public address: 123.207.60.24
2.2 Installing Openswan
To keep installation simple and quick, I installed from the yum repository again. During installation I noticed that yum installed libreswan for me; I looked it up afterwards and found it differs little from Openswan, so I simply used it for the negotiation.
[root@VM_121_70_centos ~]# yum -y install openswan
Loaded plugins: fastestmirror, security
Installed:
  libreswan.x86_64 0:3.15-7.3.el6
Dependency Installed:                    # one package requested, four dependencies pulled in
  ldns.x86_64 0:1.6.16-7.el6.2  libevent.x86_64 0:1.4.13-4.el6  libevent2.x86_64 0:2.0.21-2.el6  unbound-libs.x86_64 0:1.4.20-23.el6.3
Complete!
2.3 Checking the installation directory and configuration files
After Openswan is installed, the IPsec configuration file and the secrets file both sit directly under /etc; unlike ipsec-tools, they are not gathered in a separate directory.
[root@VM_121_70_centos etc]# ipsec --version     # show the installed version
Linux Libreswan 3.15 (netkey) on 2.6.32-642.6.2.el6.x86_64
[root@VM_121_70_centos ~]# ll /etc/ipsec.conf
-rw-r--r-- 1 root root 2380 Mar 22 20:51 /etc/ipsec.conf
[root@VM_121_70_centos ~]# ll /etc/ipsec.secrets
-rw------- 1 root root 31 Mar 22 20:51 /etc/ipsec.secrets
[root@VM_121_70_centos ~]# ll /etc/ipsec.d/
total 8
drwx------ 2 root root 4096 Jul 6 12:49 policies
-rw-r--r-- 1 root root 1338 Mar 22 20:51 v6neighbor-hole.conf
2.4 Preparing ipsec.conf
This file defines which peer address to negotiate with and which encryption and authentication parameters to use. The negotiation was fairly tedious, so the intermediate steps are omitted and only the final file is shown. Different environments and parameters may need a different configuration, so treat this as a reference only:
[root@VM_121_70_centos etc]# cat ipsec.conf
# /etc/ipsec.conf - Libreswan IPsec configuration file
#
# This file:  /etc/ipsec.conf
#
# Enable when using this configuration file with openswan instead of libreswan
#version 2
#
# Manual:     ipsec.conf.5

# basic configuration
config setup
    # which IPsec stack to use, "netkey" (the default), "klips" or "mast".
    protostack=netkey
    logfile=/var/log/pluto.log
    nat_traversal=yes            # best to enable NAT-T for the negotiation
    #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10

# It is best to add your IPsec connections as separate files in /etc/ipsec.d/
include /etc/ipsec.d/*.conf

conn 183.60.249.29
    authby=secret                # authenticate with a pre-shared key
    auto=start
    ike=3des-md5;modp1024        # maps to the parameters of the VSR ike proposal; note the semicolon in the middle
    ikelifetime=86400
    #aggrmode=yes                # enable if aggressive mode is wanted
    ## phase 1 ##
    keyexchange=ike
    ## phase 2 ##
    phase2=esp
    phase2alg=3des-sha1
    compress=no
    pfs=no
    type=tunnel
    left=10.135.121.70
    leftsubnet=10.135.121.0/24
    leftnexthop=%defaultroute
    right=183.60.249.29
    rightsubnet=10.100.43.0/24
    rightnexthop=%defaultroute
2.5 Preparing ipsec.secrets
[root@VM_121_70_centos etc]# cat ipsec.secrets
include /etc/ipsec.d/*.secrets
#site-A-publicIP site-B-publicIP: PSK "pre-shared key"
10.135.121.70 183.60.249.29: PSK "123456"
# This defines the PSK used during negotiation and the IDs of both ends. The IPs the two sides actually negotiate with must match this file exactly, otherwise an error is reported.
2.6 Debugging Openswan
2.6.1 Stopping iptables
[root@VM_121_70_centos etc]# service iptables stop
iptables: Setting chains to policy ACCEPT: filter OK
iptables: Flushing firewall rules: OK
iptables: Unloading modules: OK
2.6.2 Starting the ipsec service (ipsec start)
Openswan is started through the ipsec command; use ipsec --help to list the available subcommands.
[root@VM_121_70_centos etc]# ipsec start
Redirecting to: service ipsec start
Starting pluto IKE daemon for IPsec: Initializing NSS database
See 'man pluto' if you want to protect the NSS database with a password
. OK
[root@VM_121_70_centos etc]# netstat -apn | grep 500     # ipsec started without errors and pluto is listening on ports 500 and 4500
udp 0 0 127.0.0.1:500 0.0.0.0:* 12215/pluto
udp 0 0 10.135.121.70:500 0.0.0.0:* 12215/pluto
udp 0 0 127.0.0.1:4500 0.0.0.0:* 12215/pluto
udp 0 0 10.135.121.70:4500 0.0.0.0:* 12215/pluto
No error here does not mean there is no problem; go on to check the detailed startup log.
2.6.3 Checking the configuration with ipsec verify
[root@VM_121_70_centos etc]# ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path OK
Libreswan 3.15 (netkey) on 2.6.32-642.6.2.el6.x86_64
Checking for IPsec support in kernel OK
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!
XFRM larval drop [OK]
Pluto ipsec.conf syntax OK
Hardware random device N/A
Checking rp_filter ENABLED
/proc/sys/net/ipv4/conf/default/rp_filter ENABLED
/proc/sys/net/ipv4/conf/eth0/rp_filter ENABLED
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running OK
Pluto listening for IKE on udp 500 OK
Pluto listening for IKE/NAT-T on udp 4500 OK
Pluto ipsec.secret syntax OK
Checking 'ip' command OK
Checking 'iptables' command OK
Checking 'prelink' command does not interfere with FIPS IN USE
Checking for obsolete ipsec.conf options OK
Opportunistic Encryption DISABLED
ipsec verify: encountered 9 errors - see 'man ipsec_verify' for help
The redirect-related items do not block negotiation, but after negotiation succeeds they may stop the private addresses from being pingable, so it is better to fix them anyway. Besides, for the perfectionists among us, red errors in the output are hard to leave alone.
Change the forwarding settings so that redirects are not allowed:
[root@VM_121_70_centos etc]# echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
[root@VM_121_70_centos etc]# echo 0 > /proc/sys/net/ipv4/conf/default/send_redirects
[root@VM_121_70_centos etc]# echo 0 > /proc/sys/net/ipv4/conf/eth0/send_redirects
[root@VM_121_70_centos etc]# echo 0 > /proc/sys/net/ipv4/conf/lo/send_redirects
[root@VM_121_70_centos etc]# echo 0 > /proc/sys/net/ipv4/conf/default/accept_redirects
[root@VM_121_70_centos etc]# echo 0 > /proc/sys/net/ipv4/conf/eth0/accept_redirects
[root@VM_121_70_centos etc]# echo 0 > /proc/sys/net/ipv4/conf/lo/accept_redirects
[root@VM_121_70_centos etc]# echo 0 > /proc/sys/net/ipv4/conf/default/rp_filter
[root@VM_121_70_centos etc]# echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
[root@VM_121_70_centos etc]# vi /etc/sysctl.conf
Set net.ipv4.ip_forward = 1
[root@VM_121_70_centos etc]# sysctl -p
net.ipv4.ip_forward = 1
Also, after every change to the configuration files the ipsec service has to be restarted:
[root@VM_121_70_centos etc]# ipsec restart
To see whether the restart produced any errors, check the log file:
[root@VM_121_70_centos etc]# cat /var/log/pluto.log
...
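The echo commands above only last until the next reboot. As an added example (not from the original article or libreswan), the POSIX shell functions below turn the items flagged in ipsec verify output into a sysctl drop-in that survives reboots; the sample output is constructed from the verify run in 2.6.3, and the handling of the conf/all entries follows the kernel's rp_filter and redirect semantics rather than anything stated in the article.

```shell
#!/bin/sh
# Added example (not from the original article): turn the items flagged by
# `ipsec verify` into a persistent sysctl drop-in. The article's
# "echo 0 > /proc/sys/..." commands are lost on reboot; a file under
# /etc/sysctl.d is not.

# verify_to_sysctl: read `ipsec verify` output on stdin, print sysctl lines.
# Kernel semantics assumed here (not from the article): rp_filter uses the
# MAX of conf/all and conf/<iface>, and send_redirects is on if EITHER is on,
# so conf/all must be cleared as well as default and the interface entries.
verify_to_sysctl() {
    echo "net.ipv4.ip_forward = 1"        # the host forwards the tunnelled subnets
    while IFS= read -r l; do
        case $l in
            *'ICMP default/send_redirects'*'[NOT DISABLED]'*)
                for i in all default; do echo "net.ipv4.conf.$i.send_redirects = 0"; done ;;
            *'ICMP default/accept_redirects'*'[NOT DISABLED]'*)
                for i in all default; do echo "net.ipv4.conf.$i.accept_redirects = 0"; done ;;
            *'Checking rp_filter'*ENABLED*)
                echo "net.ipv4.conf.all.rp_filter = 0" ;;
            /proc/sys/net/ipv4/conf/*/rp_filter*ENABLED*)
                p=${l#/proc/sys/net/ipv4/conf/}    # "<iface>/rp_filter ENABLED"
                echo "net.ipv4.conf.${p%%/*}.rp_filter = 0" ;;
        esac
    done | sort -u
}

# write_sysctl_dropin FILE: save the generated settings; load them with `sysctl -p FILE`
write_sysctl_dropin() {
    verify_to_sysctl > "$1"
}

# Constructed sample: the flagged lines from the verify run in section 2.6.3
sample_verify_output() {
    cat <<'EOF'
Verifying installed system and configuration files
ICMP default/send_redirects [NOT DISABLED]
ICMP default/accept_redirects [NOT DISABLED]
XFRM larval drop [OK]
Checking rp_filter ENABLED
/proc/sys/net/ipv4/conf/default/rp_filter ENABLED
/proc/sys/net/ipv4/conf/eth0/rp_filter ENABLED
Pluto listening for IKE on udp 500 OK
EOF
}

# Demo; on a real host: ipsec verify 2>&1 | write_sysctl_dropin /etc/sysctl.d/60-ipsec.conf
sample_verify_output | verify_to_sysctl
```

ipsec verify writes part of its report to stderr, hence the 2>&1 in the demo comment; after writing the file, run sysctl -p on it and re-run ipsec verify to confirm the items are gone.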
2.7 Configuring the VSR negotiation parameters
[vpngw-m2dqykt1] acl advanced 3003
[vpngw-m2dqykt1-acl-ipv4-adv-3003] rule 0 permit ip source 10.100.43.0 0.0.0.255 destination 10.135.121.0 0.0.0.255
[vpngw-m2dqykt1-acl-ipv4-adv-3003] exit
[vpngw-m2dqykt1] ipsec transform-set trans2
[vpngw-m2dqykt1-ipsec-transform-set-trans2] esp encryption-algorithm 3des-cbc
[vpngw-m2dqykt1-ipsec-transform-set-trans2] esp authentication-algorithm sha1
[vpngw-m2dqykt1-ipsec-transform-set-trans2] exit
[vpngw-m2dqykt1] ike proposal 2
[vpngw-m2dqykt1-ike-proposal-2] encryption-algorithm 3des-cbc
[vpngw-m2dqykt1-ike-proposal-2] exit
[vpngw-m2dqykt1] ike keychain keychain2
[vpngw-m2dqykt1-ike-keychain-keychain2] pre-shared-key address 123.207.60.24 key simple 123456
[vpngw-m2dqykt1-ike-keychain-keychain2] exit
[vpngw-m2dqykt1] ike profile profileName2
[vpngw-m2dqykt1-ike-profile-profileName2] keychain keychain2
[vpngw-m2dqykt1-ike-profile-profileName2] local-identity address 183.60.249.29
[vpngw-m2dqykt1-ike-profile-profileName2] match remote identity address 123.207.60.24 32
[vpngw-m2dqykt1-ike-profile-profileName2] exit
[vpngw-m2dqykt1] ipsec policy policy1 2 isakmp
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-2] transform-set trans2
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-2] security acl 3003
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-2] remote-address 123.207.60.24
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-2] ike-profile profileName2
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-2] exit
After checking that the configuration is correct, trigger negotiation and turn on debugging to examine the log.
2.8 Problems met during debugging
2.8.1 Neither end of the connection can be identified by its public address
Searching online shows that quite a few people hit this problem. The likely cause is that the public addresses 123.x and 183.x are not configured on the device itself, so when right or left in the configuration file name them, no matching local address is found and an error is raised. So I changed ipsec.conf:
Jul 8 20:46:59: "demo-openswan-H3CVSR": We cannot identify ourselves with either end of this connection. 123.207.60.24 or 183.60.249.29 are not usable
#left=123.207.60.24
left=10.135.121.70
#right=183.60.249.29
right=10.100.43.199
# Comment out the two public-address lines, replace them with the private addresses of both ends, and add the following two lines:
leftnexthop=%defaultroute
rightnexthop=%defaultroute
# Restart the ipsec service and check the log: the error is gone, problem solved.
Jul 9 15:57:42: loading secrets from "/etc/ipsec.secrets"
Jul 9 15:57:42: no secrets filename matched "/etc/ipsec.d/*.secrets"
Jul 9 15:57:42: WARNING: using a weak secret (PSK)
Jul 9 15:57:42: "183.60.249.29" #1: initiating Main Mode
======================================================
2.8.2 No connection has been authorized for the policy
I searched for a long time on this error and saw many people reporting the same thing, but nobody had a solution. I also tried negotiating in aggressive mode, with the same error. After thinking it over carefully, I realised that because right in ipsec.conf was set to 10.100.43.199, the negotiation packet arriving from the public address 183.60.249.29 matched no policy. After changing right to the corresponding public address, the error disappeared.
right=183.60.249.29
#right=10.100.43.199
Jul 8 21:10:46: packet from 183.60.249.29:500: initial Main Mode message received on 10.135.121.70:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
2.8.3 Negotiation parameters do not match
When the parameters are compared in main mode, the VSR side defaults to DH group 1, but on the libreswan side no group was configured, so the DH group did not match. On the VSR I therefore referenced the proposal explicitly in the IKE profile, to avoid comparing several proposals in turn, and set DH group 2 in that proposal; on the libreswan side I added the modp setting. The error disappeared.
ike=3des-md5;modp1024
Jul 9 18:35:49: "183.60.249.29" #8: responding to Main Mode
Jul 9 18:35:49: "183.60.249.29" #8: OAKLEY_GROUP 1 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jul 9 18:35:49: "183.60.249.29" #8: no acceptable Oakley Transform
Jul 9 18:35:49: "183.60.249.29" #8: sending notification NO_PROPOSAL_CHOSEN to 183.60.249.29:500
2.8.4 No pre-shared key found
At the end of the main-mode negotiation, the log reports that no matching PSK was found. Checking the configuration showed that the original entry named the two public addresses, but the left side initiates from its private address; the secret is only found when the IP pair of both ends matches. After changing ipsec.secrets, the error disappeared.
10.135.121.70 183.60.249.29: PSK "123456"
Jul 9 18:38:24: "183.60.249.29" #1: Can't authenticate: no preshared key found for 10.135.121.70' and
183.60.249.29'. Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 9 18:38:24: "183.60.249.29" #1: no acceptable Oakley Transform
Jul 9 18:38:24: "183.60.249.29" #1: sending notification NO_PROPOSAL_CHOSEN to 183.60.249.29:500
2.8.5 Invalid ID information
The log shows that by this point the parameter and pre-shared-key negotiation is fine, but libreswan sees the peer ID 169.254.128.21. That means that when libreswan initiates, the VSR side does not respond with the configured negotiation parameters. Careful checking of the phase configuration showed that the authentication algorithm did not match; after correcting the parameters on both sides the problem was solved and negotiation finally succeeded.
Jul 9 18:40:26: "183.60.249.29" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jul 9 18:40:26: "183.60.249.29" #1: Main mode peer ID is ID_IPV4_ADDR: '169.254.128.21'
Jul 9 18:40:26: "183.60.249.29" #1: we require IKEv1 peer to have ID '183.60.249.29', but peer declares '169.254.128.21'
Jul 9 18:40:26: "183.60.249.29" #1: sending encrypted notification INVALID_ID_INFORMATION to 183.60.249.29:4500
Jul 9 18:40:31: "183.60.249.29" #1: Quick Mode message is unacceptable because it is for an incomplete ISAKMP SA
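The five failures above come up again and again in customer cases, so here is an added example (not from the original article or libreswan) that maps each pluto.log message to its documented cause and fix; the sample log is constructed from the excerpts in 2.8.1 to 2.8.5 and the tag names are my own.

```shell
#!/bin/sh
# Added example (not from the original article or libreswan): map the
# pluto.log errors seen in sections 2.8.1-2.8.5 to their documented cause and
# fix, so a support engineer can triage a customer's log quickly.

# diagnose_pluto_line LINE -> prints "TAG: explanation", or "-" if not a known failure
diagnose_pluto_line() {
    case $1 in
        *'We cannot identify ourselves with either end'*)
            echo "LOCAL_ADDR: left/right is not an address on this host; use the private IP and add leftnexthop/rightnexthop=%defaultroute (2.8.1)" ;;
        *'no connection has been authorized with policy'*)
            echo "NO_CONN: the packet from the peer's public IP matches no conn; right= must be the peer's public address (2.8.2)" ;;
        *'OAKLEY_GROUP'*'not supported'*)
            echo "DH_GROUP: phase-1 DH group mismatch; add the modp group to ike= (e.g. 3des-md5;modp1024) and pin the VSR proposal (2.8.3)" ;;
        *'no preshared key found for'*)
            echo "NO_PSK: ipsec.secrets has no entry for this exact IP pair; list the addresses the SA is built between (2.8.4)" ;;
        *'we require IKEv1 peer to have ID'*|*'INVALID_ID_INFORMATION'*)
            echo "PEER_ID: the peer sent a different ID than expected; re-check rightid and the phase-1 auth parameters on both sides (2.8.5)" ;;
        *'no acceptable Oakley Transform'*)
            echo "NO_TRANSFORM: generic rejection; the line just before names the attribute that failed" ;;
        *'using a weak secret (PSK)'*)
            echo "WEAK_PSK: pluto warns the PSK is short; use a long random key (123456 is only fine for the lab)" ;;
        *) echo "-" ;;
    esac
}

# triage_pluto_log < pluto.log -> prints "TAG<TAB>line" for every known failure;
# returns the number of DISTINCT problems found (0 = nothing recognised)
triage_pluto_log() {
    found=''
    count=0
    while IFS= read -r l; do
        d=$(diagnose_pluto_line "$l")
        [ "$d" = "-" ] && continue
        tag=${d%%:*}
        printf '%s\t%s\n' "$tag" "$l"
        case " $found " in
            *" $tag "*) ;;
            *) found="$found $tag"; count=$((count + 1)) ;;
        esac
    done
    return $count
}

# Constructed sample: one line from each excerpt in 2.8.x plus a healthy line
sample_log() {
    cat <<'EOF'
Jul 8 20:46:59: "demo-openswan-H3CVSR": We cannot identify ourselves with either end of this connection. 123.207.60.24 or 183.60.249.29 are not usable
Jul 9 15:57:42: WARNING: using a weak secret (PSK)
Jul 8 21:10:46: packet from 183.60.249.29:500: initial Main Mode message received on 10.135.121.70:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Jul 9 18:35:49: "183.60.249.29" #8: OAKLEY_GROUP 1 not supported. Attribute OAKLEY_GROUP_DESCRIPTION
Jul 9 18:35:49: "183.60.249.29" #8: no acceptable Oakley Transform
Jul 9 18:38:24: "183.60.249.29" #1: Can't authenticate: no preshared key found for 10.135.121.70' and 183.60.249.29'. Attribute OAKLEY_AUTHENTICATION_METHOD
Jul 9 18:40:26: "183.60.249.29" #1: we require IKEv1 peer to have ID '183.60.249.29', but peer declares '169.254.128.21'
Jul 9 22:25:44: "183.60.249.29" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=oakley_3des_cbc_192 integ=md5 group=MODP1024}
EOF
}

# Demo; on a real host: triage_pluto_log < /var/log/pluto.log
sample_log | triage_pluto_log || echo "distinct problems: $?"
```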
2.9 Successful negotiation
2.9.1 Negotiation log on the libreswan side
Jul 9 22:25:44: packet from 183.60.249.29:500: received Vendor ID payload RFC 3947
Jul 9 22:25:44: packet from 183.60.249.29:500: ignoring Vendor ID payload draft-ietf-ipsec-nat-t-ike-03
Jul 9 22:25:44: packet from 183.60.249.29:500: ignoring Vendor ID payload draft-ietf-ipsec-nat-t-ike-02_n
Jul 9 22:25:44: packet from 183.60.249.29:500: ignoring Vendor ID payload draft-ietf-ipsec-nat-t-ike-00
Jul 9 22:25:44: "183.60.249.29" #2: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jul 9 22:25:44: "183.60.249.29" #2: responding to Main Mode
Jul 9 22:25:44: "183.60.249.29" #2: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 9 22:25:44: "183.60.249.29" #2: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 9 22:25:44: "183.60.249.29" #2: received Vendor ID payload Dead Peer Detection
Jul 9 22:25:44: "183.60.249.29" #2: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT+peer behind NAT
Jul 9 22:25:44: "183.60.249.29" #2: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 9 22:25:44: "183.60.249.29" #2: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 9 22:25:44: "183.60.249.29" #2: ignoring informational payload IPSEC_INITIAL_CONTACT, msgid=00000000, length=28
Jul 9 22:25:44: | ISAKMP Notification Payload
Jul 9 22:25:44: | 00 00 00 1c 00 00 00 01 01 10 60 02
Jul 9 22:25:44: "183.60.249.29" #2: Main mode peer ID is ID_IPV4_ADDR: '183.60.249.29'
Jul 9 22:25:44: "183.60.249.29" #2: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 9 22:25:44: "183.60.249.29" #2: new NAT mapping for #2, was 183.60.249.29:500, now 183.60.249.29:4500
Jul 9 22:25:44: "183.60.249.29" #2: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=oakley_3des_cbc_192 integ=md5 group=MODP1024}
Jul 9 22:25:44: "183.60.249.29" #2: the peer proposed: 10.135.121.0/24:0/0 -> 10.100.43.0/24:0/0
Jul 9 22:25:44: "183.60.249.29" #3: responding to Quick Mode proposal {msgid:cc3508fa}
Jul 9 22:25:44: "183.60.249.29" #3: us: 10.135.121.0/24===10.135.121.70<10.135.121.70>
Jul 9 22:25:44: "183.60.249.29" #3: them: 183.60.249.29<183.60.249.29>===10.100.43.0/24
Jul 9 22:25:44: "183.60.249.29" #3: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 9 22:25:44: "183.60.249.29" #3: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x0c348f73 <0x967e5068 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=183.60.249.29:4500 DPD=passive}
Jul 9 22:25:44: "183.60.249.29" #3: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 9 22:25:44: "183.60.249.29" #3: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x0c348f73 <0x967e5068 xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=183.60.249.29:4500 DPD=passive}
2.9.2 Negotiation information on the VSR side
The private address of the cloud host can be pinged, and the IKE SA and IPsec SA are negotiated normally:
<vpngw-m2dqykt1>ping -a 10.100.43.199 10.135.121.70
Ping 10.135.121.70 (10.135.121.70) from 10.100.43.199: 56 data bytes, press CTRL_C to break
Request time out
56 bytes from 10.135.121.70: icmp_seq=1 ttl=64 time=4.905 ms
56 bytes from 10.135.121.70: icmp_seq=2 ttl=64 time=4.927 ms
56 bytes from 10.135.121.70: icmp_seq=3 ttl=64 time=4.812 ms
56 bytes from 10.135.121.70: icmp_seq=4 ttl=64 time=4.929 ms
--- Ping statistics for 10.135.121.70 ---
5 packet(s) transmitted, 4 packet(s) received, 20.0% packet loss
round-trip min/avg/max/std-dev = 4.812/4.893/4.929/0.048 ms
<vpngw-m2dqykt1>display ike sa
    Connection-ID   Remote                Flag         DOI
------------------------------------------------------------------
    111             123.207.60.24         RD           IPsec
Flags:
RD--READY RL--REPLACED FD-FADING RK-REKEY
<vpngw-m2dqykt1>display ipsec sa brief
-----------------------------------------------------------------------------
Interface/Global   Dst Address       SPI          Protocol   Status
-----------------------------------------------------------------------------
Reth1              123.207.60.24     2524860520   ESP        Active
Reth1              169.254.128.21    204771187    ESP        Active
<vpngw-m2dqykt1>
2.10 Summary
2.10.1 Commands used during negotiation
ipsec restart
ipsec status
ipsec look
tail -f /var/log/pluto.log
See ipsec --help for the full list. During debugging, always watch the corresponding log in real time so that the configuration can be corrected according to the error messages.
2.10.2 Negotiation mode
In this exercise the libreswan side initiated negotiation from its private address, so enabling NAT-T was mandatory. Because pre-shared-key authentication is used, aggressive mode is not required, although negotiation should also succeed in aggressive mode (aggressive mode is necessary when the peer's public address changes but pre-shared-key authentication must still be used). I will not go through every variant here.
3. Negotiating an IPsec VPN between ipsec-tools and the VSR
3.1 Device information
Device information: once again a cloud host with a public address is bought from the Tencent Cloud console as the test device, with CentOS installed. Device details:
[root@VM_0_2_centos ~]# uname -r
3.10.0-327.36.3.el7.x86_64
Public address: 119.29.202.116
Private address: 10.0.0.2
3.2 Installing ipsec-tools
Install with yum; it is simple and straightforward. Do not try to build from source, or you will run into a string of missing-dependency errors and spend a lot of time just getting the software installed.
[root@VM_0_2_centos ~]# yum -y install ipsec-tools
Downloading packages:
ipsec-tools-0.8.2-5.el7.x86_64.rpm
Installed:
ipsec-tools.x86_64 0:0.8.2-5.el7
Complete!
3.3 Checking the directory and files
The racoon daemon in ipsec-tools implements IKE: it performs mutual authentication and establishes and maintains IPsec SAs. Below, racoon is configured with PSK authentication.
The configuration files after installation are as follows:
[root@VM_0_2_centos ~]# ll /etc/racoon
total 16
drwx------ 2 root root 4096 Apr 28 2016 certs
-rw------- 1 root root 212 Apr 28 2016 psk.txt        # pre-shared key used in negotiation
-rw------- 1 root root 843 Apr 28 2016 racoon.conf    # negotiation parameters: encryption, authentication, mode
drwx------ 2 root root 4096 Jul 4 09:00 scripts
- psk.txt identifies the peer VPN gateway and sets the pre-shared key used for negotiation;
- racoon.conf is the IPsec SA negotiation configuration;
- certs is only used with certificate authentication; this article uses pre-shared-key authentication.
Note: there is no setkey.conf file after installation; it has to be created and filled in by hand.
3.4 Configuring psk.txt
Back up the file first:
[root@VM_0_2_centos ~]# cp /etc/racoon/psk.txt /backup
The edited file is shown below. It sets the pre-shared key for negotiation with the peer VPN gateway 183.60.249.126 to 123456; the two fields are separated by a single space.
[root@VM_0_2_centos racoon]# cat psk.txt
# file for pre-shared keys used for IKE authentication
# format is:  'identifier' 'key'
# For example:
183.60.249.29 123456
# Note that the ipsec-tools key file differs slightly from strongSwan's and Openswan's: it names neither the local address nor the PSK keyword, and although there is no colon, a space is still required between the two fields.
3.5 Configuring the setkey file
The setkey file holds the interesting-traffic selectors for the negotiation and the IPsec tunnel mode to use. It is very important, but installing ipsec-tools does not create it, so create one in the racoon directory and fill in the contents yourself.
[root@VM_0_2_centos racoon]# find / -name "setkey.conf"     # the file does not exist anywhere on the machine
[root@VM_0_2_centos racoon]# vi setkey.conf                  # contents as follows
flush;
spdflush;
spdadd 10.0.0.0/24 10.100.43.0/24 any -P out ipsec esp/tunnel/119.29.202.116-183.60.249.29/require;
spdadd 10.100.43.0/24 10.0.0.0/24 any -P in ipsec esp/tunnel/183.60.249.29-119.29.202.116/require;
Parameter explanation: 10.0.0.0/24 is the local interesting-traffic subnet, 10.100.43.0/24 the peer's interesting-traffic subnet, and 119.29.202.116-183.60.249.29 are the public addresses of the two ends of the IPsec tunnel.
After editing, check the configuration; any problem will produce an error:
[root@VM_0_2_centos racoon]# setkey -f /etc/racoon/setkey.conf     # load and check the setkey file
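The two spdadd lines must be exact mirrors of each other, with both the subnets and the tunnel endpoints swapped, which is easy to get wrong by hand. As an added example, not from the original article or ipsec-tools, these POSIX shell functions generate the file from the four addresses and check an existing file for that symmetry.

```shell
#!/bin/sh
# Added example (not from the original article or ipsec-tools): generate the
# setkey.conf SPD pair for one ESP tunnel and verify that the "in" entry is
# the exact mirror of the "out" entry.

# gen_setkey_conf LOCAL_SUBNET REMOTE_SUBNET LOCAL_PUBLIC REMOTE_PUBLIC -> prints setkey.conf
gen_setkey_conf() {
    lsub=$1 rsub=$2 lpub=$3 rpub=$4
    for a in "$lsub" "$rsub"; do
        case $a in
            */*) ;;
            *) echo "subnet '$a' needs a prefix length" >&2; return 1 ;;
        esac
    done
    printf 'flush;\nspdflush;\n'
    # outbound: local subnet -> remote subnet, tunnel from local public to remote public
    printf 'spdadd %s %s any -P out ipsec esp/tunnel/%s-%s/require;\n' "$lsub" "$rsub" "$lpub" "$rpub"
    # inbound: everything reversed
    printf 'spdadd %s %s any -P in ipsec esp/tunnel/%s-%s/require;\n' "$rsub" "$lsub" "$rpub" "$lpub"
}

# check_spd_mirror < setkey.conf -> succeeds only if the in entry mirrors the out entry
check_spd_mirror() {
    outspec=''; inspec=''
    while read -r kw src dst proto pflag dir pol tmpl rest; do
        [ "$kw" = spdadd ] || continue
        ep=${tmpl#esp/tunnel/}; ep=${ep%%/*}     # "A-B" from esp/tunnel/A-B/require;
        case $dir in
            out) outspec="$src $dst ${ep%-*} ${ep#*-}" ;;
            in)  inspec="$dst $src ${ep#*-} ${ep%-*}" ;;   # normalised to the out orientation
        esac
    done
    [ -n "$outspec" ] && [ "$outspec" = "$inspec" ]
}

# Demo with the article's addresses
gen_setkey_conf 10.0.0.0/24 10.100.43.0/24 119.29.202.116 183.60.249.29
gen_setkey_conf 10.0.0.0/24 10.100.43.0/24 119.29.202.116 183.60.249.29 | check_spd_mirror && echo "SPD pair is symmetric"
```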
3.6 Configuring racoon.conf
Back up the file first:
[root@VM_0_2_centos ~]# cp /etc/racoon/racoon.conf /backup
The negotiation was fairly tedious, so the intermediate steps are omitted and only the final configuration file is shown. Different environments and parameters may need a different configuration, so treat this as a reference only:
[root@VM_0_2_centos racoon]# cat racoon.conf
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

path include "/etc/racoon";
path pre_shared_key "psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

remote anonymous
{
        exchange_mode main;
        my_identifier address "119.29.202.116";
        peers_identifier address "183.60.249.29";
        nat_traversal on;
        #my_identifier fqdn "host.name.of.vpn.client";
        #certificate_type x509 "client.crt" "client.key";
        #ca_type x509 "ca.crt";
        #mode_cfg on;
        #script "p1_up_down" phase1_up;
        #script "p1_up_down" phase1_down;

        proposal
        {
                lifetime time 24 hours;
                encryption_algorithm 3des;
                hash_algorithm sha1;
                #authentication_method xauth_rsa_client;
                authentication_method pre_shared_key;
                dh_group 1;
        }
}

sainfo anonymous
{
        #pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1,hmac_md5;
        compression_algorithm deflate;
}
3.7 Starting racoon
After finishing racoon.conf I checked the file, and racoon kept reporting a syntax error even though the statement in question came from the stock configuration; on closer inspection some configuration turned out to be missing:
[root@VM_0_2_centos racoon]# racoon -d -F -f /etc/racoon/racoon.conf
Foreground mode.
2017-07-04 19:18:26: ERROR: racoon: MLS support is not enabled.     # this error can be ignored
2017-07-04 19:18:26: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
2017-07-04 19:18:26: INFO: @(#)This product linked OpenSSL 1.0.1e-fips 11 Feb 2013 (http://www.openssl.org/)
2017-07-04 19:18:26: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2017-07-04 19:18:26: DEBUG: call pfkey_send_register for AH
2017-07-04 19:18:26: DEBUG: call pfkey_send_register for ESP
2017-07-04 19:18:26: DEBUG: call pfkey_send_register for IPCOMP
2017-07-04 19:18:26: DEBUG: reading config file /etc/racoon/racoon.conf
2017-07-04 19:18:26: ERROR: /etc/racoon/racoon.conf:27: "}" DH group required.
2017-07-04 19:18:26: ERROR: fatal parse failure (1 errors)
racoon: failed to parse configuration file.
It says a DH group is required, so edit the configuration file and enable DH group 1.
A Google search shows that this error can be ignored: 2017-07-04 19:18:26: ERROR: racoon: MLS support is not enabled.
Continue debugging...
[root@VM_0_2_centos racoon]# racoon -d -F -f /etc/racoon/racoon.conf
Foreground mode.
2017-07-04 19:24:32: ERROR: racoon: MLS support is not enabled.
2017-07-04 19:24:32: INFO: @(#)ipsec-tools 0.8.2 (http://ipsec-tools.sourceforge.net)
2017-07-04 19:24:32: INFO: @(#)This product linked OpenSSL 1.0.1e-fips 11 Feb 2013 (http://www.openssl.org/)
2017-07-04 19:24:32: INFO: Reading configuration from "/etc/racoon/racoon.conf"
2017-07-04 19:24:32: DEBUG: call pfkey_send_register for AH
2017-07-04 19:24:32: DEBUG: call pfkey_send_register for ESP
2017-07-04 19:24:32: DEBUG: call pfkey_send_register for IPCOMP
2017-07-04 19:24:32: DEBUG: reading config file /etc/racoon/racoon.conf
2017-07-04 19:24:32: DEBUG: no check of compression algorithm; not supported in sadb message.
2017-07-04 19:24:32: DEBUG: getsainfo params: loc='ANONYMOUS' rmt='ANONYMOUS' peer='NULL' client='NULL' id=0
2017-07-04 19:24:32: DEBUG: open /var/racoon/racoon.sock as racoon management.
2017-07-04 19:24:32: DEBUG: Netlink: address 10.0.0.2 added
2017-07-04 19:24:32: INFO: 10.0.0.2[500] used for NAT-T
2017-07-04 19:24:32: INFO: 10.0.0.2[500] used as isakmp port (fd=8)
2017-07-04 19:24:32: INFO: 10.0.0.2[4500] used for NAT-T
2017-07-04 19:24:32: INFO: 10.0.0.2[4500] used as isakmp port (fd=9)
2017-07-04 19:24:32: DEBUG: Netlink: address 127.0.0.0 added
2017-07-04 19:24:32: INFO: 127.0.0.0[500] used for NAT-T
2017-07-04 19:24:32: INFO: 127.0.0.0[500] used as isakmp port (fd=10)
2017-07-04 19:24:32: INFO: 127.0.0.0[4500] used for NAT-T
2017-07-04 19:24:32: INFO: 127.0.0.0[4500] used as isakmp port (fd=11)
2017-07-04 19:24:32: DEBUG: Netlink: address 127.0.0.1 added
2017-07-04 19:24:32: INFO: 127.0.0.1[500] used for NAT-T
2017-07-04 19:24:32: INFO: 127.0.0.1[500] used as isakmp port (fd=12)
2017-07-04 19:24:32: INFO: 127.0.0.1[4500] used for NAT-T
2017-07-04 19:24:32: INFO: 127.0.0.1[4500] used as isakmp port (fd=13)
2017-07-04 19:24:32: DEBUG: pk_recv: retry0 recv()
2017-07-04 19:24:32: DEBUG: got pfkey X_SPDDUMP message
2017-07-04 19:24:32: DEBUG: pk_recv: retry0 recv()
2017-07-04 19:24:32: DEBUG: got pfkey X_SPDDUMP message
2017-07-04 19:24:32: DEBUG: sub:0x7ffdc359be00: 10.100.43.0/24[0] 10.0.0.0/24[0] proto=any dir=in
2017-07-04 19:24:32: DEBUG: db :0x7f8ec0667b90: 10.100.43.0/24[0] 10.0.0.0/24[0] proto=any dir=fwd
2017-07-04 19:24:32: DEBUG: pk_recv: retry[0] recv()
2017-07-04 19:24:32: DEBUG: got pfkey X_SPDDUMP message
2017-07-04 19:24:32: DEBUG: sub:0x7ffdc359be00: 10.0.0.0/24[0] 10.100.43.0/24[0] proto=any dir=out
2017-07-04 19:24:32: DEBUG: db :0x7f8ec0667b90: 10.100.43.0/24[0] 10.0.0.0/24[0] proto=any dir=fwd
2017-07-04 19:24:32: DEBUG: sub:0x7ffdc359be00: 10.0.0.0/24[0] 10.100.43.0/24[0] proto=any dir=out
2017-07-04 19:24:32: DEBUG: db :0x7f8ec0668b30: 10.100.43.0/24[0] 10.0.0.0/24[0] proto=any dir=in
3.8 Deploying the VSR negotiation parameters
With ipsec-tools configured, we now configure the VSR. In a real cloud deployment the configuration is pushed to the device automatically, but for illustration it is entered manually on the command line here.
[vpngw-m2dqykt1] ike keychain keychain1
[vpngw-m2dqykt1-ike-keychain-keychain1] pre-shared-key address 119.29.202.116 key simple 123456
[vpngw-m2dqykt1-ike-keychain-keychain1] quit
[vpngw-m2dqykt1] ike proposal 1
[vpngw-m2dqykt1-ike-proposal-1] authentication-algorithm sha
[vpngw-m2dqykt1-ike-proposal-1] authentication-method pre-share
[vpngw-m2dqykt1-ike-proposal-1] exit
[vpngw-m2dqykt1] ike profile profileName1
[vpngw-m2dqykt1-ike-profile-profileName1] local-identity address 183.60.249.29
[vpngw-m2dqykt1-ike-profile-profileName1] match remote identity address 119.29.202.116
[vpngw-m2dqykt1-ike-profile-profileName1] keychain keychain1
[vpngw-m2dqykt1-ike-profile-profileName1] exchange-mode main
[vpngw-m2dqykt1-ike-profile-profileName1] exit
[vpngw-m2dqykt1] ipsec transform-set trans1
[vpngw-m2dqykt1-ipsec-transform-set-trans1] protocol esp
[vpngw-m2dqykt1-ipsec-transform-set-trans1] esp authentication-algorithm sha1
[vpngw-m2dqykt1-ipsec-transform-set-trans1] esp encryption-algorithm 3des-cbc
[vpngw-m2dqykt1-ipsec-transform-set-trans1] quit
[vpngw-m2dqykt1] acl advanced 3002
[vpngw-m2dqykt1-acl-ipv4-adv-3002] rule 0 permit ip source 10.100.43.0 0.0.0.255 destination 10.0.0.0 0.0.0.255
[vpngw-m2dqykt1-acl-ipv4-adv-3002] exit
[vpngw-m2dqykt1] ipsec policy policy1 1 isakmp
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-1] transform-set trans1
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-1] security acl 3002
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-1] remote-address 119.29.202.116
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-1] ike-profile profileName1
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-1] sa duration time-based 3600
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-1] sa duration traffic-based 184000
[vpngw-m2dqykt1-ipsec-policy-isakmp-policy1-1] quit
[vpngw-m2dqykt1] interface reth1
[vpngw-m2dqykt1-Reth1] ipsec apply policy policy1
[vpngw-m2dqykt1-Reth1] exit
3.9 Starting negotiation
3.9.1 Proposal mismatch
Trigger negotiation with a ping from the VSR on the Tencent Cloud side (ping -a 10.100.43.199 10.0.0.2), enable debug output on the ipsec-tools side, and watch the log:
2017-07-04 19:46:43: DEBUG: type=Life Duration, flag=0x0000, lorv=4
2017-07-04 19:46:43: DEBUG: prop#=1, prot-id=ISAKMP, spi-size=0, #trns=2
2017-07-04 19:46:43: DEBUG: trns#=2, trns-id=IKE
2017-07-04 19:46:43: DEBUG: lifetime = 86400
2017-07-04 19:46:43: DEBUG: lifebyte = 0
2017-07-04 19:46:43: DEBUG: enctype = DES-CBC
2017-07-04 19:46:43: DEBUG: encklen = 0
2017-07-04 19:46:43: DEBUG: hashtype = SHA
2017-07-04 19:46:43: DEBUG: authmethod = pre-shared key
2017-07-04 19:46:43: DEBUG: dh_group = 768-bit MODP group
2017-07-04 19:46:43: ERROR: no suitable proposal found.
2017-07-04 19:46:43: 183.60.249.29 ERROR: failed to get valid proposal.
2017-07-04 19:46:43: 183.60.249.29 ERROR: failed to pre-process ph1 packet (side: 1, status 1).
2017-07-04 19:46:43: 183.60.249.29 ERROR: phase1 negotiation failed.
Every attempt logged that no matching proposal was found. Comparing both sides showed that no lifetime was set on the ipsec-tools side, so I added the line lifetime time 24 hours; to make the two sides consistent. On the next negotiation the proposal was accepted:
2017-07-04 19:51:19: DEBUG: trns#=1, trns-id=IKE
2017-07-04 19:51:19: DEBUG: lifetime = 86400
2017-07-04 19:51:19: DEBUG: lifebyte = 0
2017-07-04 19:51:19: DEBUG: enctype = 3DES-CBC
2017-07-04 19:51:19: DEBUG: encklen = 0
2017-07-04 19:51:19: DEBUG: hashtype = SHA
2017-07-04 19:51:19: DEBUG: authmethod = pre-shared key
2017-07-04 19:51:19: DEBUG: dh_group = 768-bit MODP group
2017-07-04 19:51:19: DEBUG: an acceptable proposal found.
2017-07-04 19:51:19: DEBUG: hmac(modp768)
2017-07-04 19:51:19: DEBUG: agreed on pre-shared key auth.
3.10 Successful negotiation
3.10.1 Negotiation information on the VSR side
Negotiation is initiated from the VSR side, triggered by a ping; checking the IKE SA and IPsec SA shows that it succeeded:
<vpngw-m2dqykt1>display ipsec sa
Interface: Reth1
IPsec policy: policy1
Sequence number: 1
Mode: ISAKMP
Tunnel id: 0
Encapsulation mode: tunnel
Perfect Forward Secrecy:
Inside VPN:
Extended Sequence Numbers enable: N
Traffic Flow Confidentiality enable: N
Path MTU: 1736
Tunnel:
local address: 169.254.128.21
remote address: 119.29.202.116
Flow:
sour addr: 10.100.43.0/255.255.255.0 port: 0 protocol: ip
dest addr: 10.0.0.0/255.255.255.0 port: 0 protocol: ip
[Inbound ESP SAs]
SPI: 2689102830 (0xa04873ee)
Connection ID: 21474836481
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 184000/3600
SA remaining duration (kilobytes/sec): 184000/3549
Max received sequence-number: 0
Anti-replay check enable: Y
Anti-replay window size: 64
UDP encapsulation used for NAT traversal: Y
Status: Active
[Outbound ESP SAs]
SPI: 230870860 (0x0dc2cf4c)
Connection ID: 64424509440
Transform set: ESP-ENCRYPT-3DES-CBC ESP-AUTH-SHA1
SA duration (kilobytes/sec): 184000/3600
SA remaining duration (kilobytes/sec): 183999/3549
Max sent sequence-number: 2
UDP encapsulation used for NAT traversal: Y
Status: Active
<vpngw-m2dqykt1>display ike sa verbose
Connection ID: 9
Outside VPN:
Inside VPN:
Profile: profileName1
Transmitting entity: Initiator
Local IP: 169.254.128.21
Local ID type: IPV4_ADDR
Local ID: 183.60.249.29
Remote IP: 119.29.202.116
Remote ID type: IPV4_ADDR
Remote ID: 119.29.202.116
Authentication-method: PRE-SHARED-KEY
Authentication-algorithm: SHA1
Encryption-algorithm: 3DES-CBC
Life duration(sec): 86400
Remaining key duration(sec): 86340
Exchange-mode: Main
Diffie-Hellman group: Group 1
NAT traversal: Detected
Extend authentication: Disabled
Assigned IP address:
<vpngw-m2dqykt1>display ipsec sa brief
-----------------------------------------------------------------------------
Interface/Global   Dst Address       SPI          Protocol   Status
-----------------------------------------------------------------------------
Reth1              119.29.202.116    230870860    ESP        Active
Reth1              169.254.128.21    2689102830   ESP        Active
<vpngw-m2dqykt1>
3.10.2 ipsec-tools negotiation parameters
On the ipsec-tools side, the negotiated SAs can be seen with setkey -D. Their presence means IPsec can now encrypt the subsequent traffic, which is to say that negotiation succeeded:
[root@VM_0_2_centos racoon]# setkey -D
10.0.0.2[4500] 183.60.249.29[4500]
esp-udp mode=tunnel spi=4094358944(0xf40af5a0) reqid=0(0x00000000)
E: 3des-cbc 21f9a17d 353b67b4 14bf08ae 87897273 948191f1 b23e13dd
A: hmac-sha1 3b24b820 ffed4ef7 ee32172c 35af0144 67d1b085
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jul 4 20:07:28 2017 current: Jul 4 20:12:48 2017
diff: 320(s) hard: 3600(s) soft: 2880(s)
last: hard: 0(s) soft: 0(s)
current: 0(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 0 hard: 0 soft: 0
sadb_seq=1 pid=20143 refcnt=0
183.60.249.29[4500] 10.0.0.2[4500]
esp-udp mode=tunnel spi=88888734(0x054c559e) reqid=0(0x00000000)
E: 3des-cbc 2d07fe6b 28bc6840 159cf64f df7bdff4 7c6fc6d6 16edaa00
A: hmac-sha1 9884ed5e a6d07acf 7273fce6 65ca9872 cfdc73dc
seq=0x00000000 replay=4 flags=0x00000000 state=mature
created: Jul 4 20:07:28 2017 current: Jul 4 20:12:48 2017
diff: 320(s) hard: 3600(s) soft: 2880(s)
last: Jul 4 20:07:30 2017 hard: 0(s) soft: 0(s)
current: 336(bytes) hard: 0(bytes) soft: 0(bytes)
allocated: 4 hard: 0 soft: 0
sadb_seq=0 pid=20143 refcnt=0
[root@VM_0_2_centos racoon]#