Tengo una conexión VPN a través de IPSEC (strongswan) funcionando correctamente. Sin embargo, al menos una vez al día la conexión se interrumpe. Creo que tiene que ver con el cambio de claves, consulte los registros:
Aug 25 02:34:25 myserver charon: 09[KNL] creating rekey job for CHILD_SA ESP/0xcbd335d0/xxx.xxx.xxx.xxx
Aug 25 02:34:25 myserver charon: 10[IKE] establishing CHILD_SA infonline_datapool{2} reqid 1
Aug 25 02:34:25 myserver charon: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Aug 25 02:34:25 myserver charon: 12[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA
2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Aug 25 02:34:25 myserver charon: 12[IKE] no acceptable proposal found
Aug 25 02:34:25 myserver charon: 12[IKE] failed to establish CHILD_SA, keeping IKE_SA
Aug 25 02:34:25 myserver charon: 12[IKE] sending DELETE for ESP CHILD_SA with SPI cbd2f4c3
Aug 25 02:34:25 myserver charon: 11[IKE] CHILD_SA rekeying failed, trying again in 10 seconds
Aug 25 02:34:35 myserver charon: 15[IKE] establishing CHILD_SA infonline_datapool{3} reqid 1
Aug 25 02:34:35 myserver charon: 06[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Aug 25 02:34:35 myserver charon: 06[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA
2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Aug 25 02:34:35 myserver charon: 06[IKE] no acceptable proposal found
Aug 25 02:34:35 myserver charon: 06[IKE] failed to establish CHILD_SA, keeping IKE_SA
Aug 25 02:34:35 myserver charon: 06[IKE] sending DELETE for ESP CHILD_SA with SPI c068db7b
Aug 25 02:34:35 myserver charon: 07[IKE] received DELETE for ESP CHILD_SA with SPI c7a90494
Aug 25 02:34:35 myserver charon: 07[IKE] closing CHILD_SA infonline_datapool{1} with SPIs cbd335d0_i (34701240 bytes) c7a90494_o (451113 bytes) and TS yyy.yyy.yyy.0/25 === 10.10.42.0/24
Aug 25 02:34:35 myserver charon: 07[IKE] sending DELETE for ESP CHILD_SA with SPI cbd335d0
Aug 25 02:34:35 myserver charon: 07[IKE] CHILD_SA closed
Aug 25 02:34:35 myserver charon: 07[IKE] detected CHILD_REKEY collision with CHILD_DELETE
Aug 25 02:34:35 myserver charon: 09[IKE] received DELETE for unknown ESP CHILD_SA with SPI 632d34ba
Aug 25 02:34:35 myserver charon: 09[IKE] CHILD_SA closed
Aug 25 02:34:35 myserver charon: 10[IKE] received DELETE for unknown ESP CHILD_SA with SPI 632d34ba
Aug 25 02:34:35 myserver charon: 10[IKE] CHILD_SA closed
Aug 25 02:34:35 myserver charon: 12[IKE] received DELETE for IKE_SA infonline_datapool[1]
Aug 25 02:34:35 myserver charon: 12[IKE] deleting IKE_SA infonline_datapool[1] between xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]...yyy.yyy.yyy.yyy[yyy.yyy.yyy.yyy]
Aug 25 02:34:35 myserver charon: 12[IKE] IKE_SA deleted
Supongo que las líneas clave aquí son:
Aug 25 02:34:25 myserver charon: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ
Aug 25 02:34:25 myserver charon: 12[CFG] configured proposals: ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA
2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Aug 25 02:34:25 myserver charon: 12[IKE] no acceptable proposal found
La configuración es
conn conn_name
type=tunnel
authby=secret
left=xxx.xxx.xxx.xxx
leftsubnet=xxx.xxx.xxx.0/25
right=yyy.yyy.yyy.yyy
rightsubnet=10.10.42.0/24
ike=aes256-sha256-modp2048
ikelifetime=86400s
esp=aes256-sha1-modp2048
pfs=yes
auto=start
¿Cómo configuro la conexión para que no se rompa? (Cuando reinicio ipsec, se conecta bien).
Respuesta1
Tu análisis es acertado, ahora sólo te queda sacar las conclusiones correctas :)
Puede ver los algoritmos que propone el par en los mensajes de registro que señaló. Dado que configuró SHA-1 y el par propone SHA-256, no hay coincidencia (la propuesta predeterminada que sigue a la que configuró incluye SHA-256, pero no grupos DH, por lo que tampoco coincide).
Entonces la solución es bastante simple: configurar esp=aes256-sha256-modp2048
.