簡單的 Strongswan 安裝導致無法透過 (Open)SSH 存取伺服器

tag-icon tag-icon networking debian strongswan
簡單的 Strongswan 安裝導致無法透過 (Open)SSH 存取伺服器

在遠端電腦(Debian 11.7 / Kernel 5.10.0-23-amd64)上工作時,我安裝了 Strongswan 將其配置為 VPN 用戶端。

apt install strongswan

此後,服務strongswan-starter.service正在啟動,主機變得無法存取。幸運的是,我可以透過實體停用該服務systemctl disable strongswan-starter.service並重新啟動。

但是每當我執行「systemctl start Strongswan-starter.service」時,我的 openssh 連線就會遺失。

我在啟動服務時唯一注意到的是以下內容:

May 29 21:45:25 machinename charon: 08[KNL] error installing route with policy 192.168.189.1/32 === 192.168.189.1/32 out
May 29 21:45:25 machinename charon: 08[IKE] installed bypass policy for 192.168.189.1/32
May 29 21:45:25 machinename charon: 08[KNL] received netlink error: Permission denied (13)
May 29 21:45:25 machinename charon: 08[KNL] installing route failed: 2a00:6020:4e2a:8000::/64 src 2a00:xxxx:4e2a:xxxx:6a1d:xxxx:xxxx:9579 dev ipsec0
May 29 21:45:25 machinename charon: 08[IKE] installed bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 21:45:25 machinename charon: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out

IP192.168.189.1是路由器位址。但從本地物理控制台我可以 ping google 等。

我首先關注bypass-lan 插件,因為它僅在安裝libcharon-extra-plugin 軟體包時出現。

更新

由於這是預設的 Strongswan 安裝,因此此時尚未進行任何配置。所以這些是相關的設定檔

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.

# Sample VPN connections

#conn sample-self-signed
#      leftsubnet=10.1.0.0/16
#      leftcert=selfCert.der
#      leftsendcert=never
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightcert=peerCert.der
#      auto=start

#conn sample-with-ca-cert
#      leftsubnet=10.1.0.0/16
#      leftcert=myCert.pem
#      right=192.168.0.2
#      rightsubnet=10.2.0.0/16
#      rightid="C=CH, O=Linux strongSwan CN=peer name"
#      auto=start

# strongswan.conf
charon {

    plugins {
        eap_dynamic {
            preferred = eap-mschapv2, eap-tls
        }
    }
}

# /etc/strongswan.d/starter.conf
starter {

    # Location of the ipsec.conf file
    # config_file = ${sysconfdir}/ipsec.conf

    # Disable charon plugin load option warning.
    # load_warning = yes

}

更新2

下面是我啟動服務後的完整日誌輸出,並且遠端連線hostmachine已斷開

May 29 23:21:49 hostmachine systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
May 29 23:21:49 hostmachine ipsec[6423]: Starting strongSwan 5.9.1 IPsec [starter]...
May 29 23:21:49 hostmachine charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.0-23-amd64, x86_64)
May 29 23:21:49 hostmachine kernel: [ 3621.243706] NET: Registered protocol family 38
May 29 23:21:49 hostmachine kernel: [ 3621.282054] AVX or AES-NI instructions are not detected.
May 29 23:21:50 hostmachine kernel: [ 3621.332375] AVX or AES-NI instructions are not detected.
May 29 23:21:50 hostmachine kernel: [ 3621.394450] alg: No test for xcbc(camellia) (xcbc(camellia-asm))
May 29 23:21:50 hostmachine kernel: [ 3621.436211] alg: No test for rfc3686(ctr(camellia)) (rfc3686(ctr-camellia-asm))
May 29 23:21:50 hostmachine kernel: [ 3621.445352] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.559730] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.593517] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.682207] CPU feature 'AVX registers' is not supported.
May 29 23:21:50 hostmachine kernel: [ 3621.750485] tun: Universal TUN/TAP device driver, 1.6
May 29 23:21:50 hostmachine charon: 00[LIB] created TUN device: ipsec0
May 29 23:21:50 hostmachine systemd-networkd[281]: ipsec0: Link UP
May 29 23:21:50 hostmachine systemd-networkd[281]: ipsec0: Gained carrier
May 29 23:21:50 hostmachine systemd-networkd[281]: ipsec0: Gained IPv6LL
May 29 23:21:50 hostmachine systemd-udevd[6556]: ethtool: autonegotiation is unset or enabled, the speed and duplex are not writable.
May 29 23:21:50 hostmachine charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 29 23:21:50 hostmachine charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 29 23:21:50 hostmachine charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 29 23:21:50 hostmachine charon: 00[CFG] loaded 0 RADIUS server configurations
May 29 23:21:50 hostmachine charon: 00[CFG] HA config misses local/remote address
May 29 23:21:50 hostmachine charon: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-libipsec kernel-netlink resolve socket-default bypass-lan connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
May 29 23:21:50 hostmachine charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
May 29 23:21:50 hostmachine charon: 00[JOB] spawning 16 worker threads
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 172.17.0.0/16
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 172.18.0.0/16
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 172.25.0.0/16
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 192.168.189.0/24
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy 192.168.189.1/32 === 192.168.189.1/32 out
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 192.168.189.1/32
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for ::1/128
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
May 29 23:21:50 hostmachine charon: 08[IKE] installed bypass policy for fe80::/64
May 29 23:21:50 hostmachine charon: 08[IKE] interface change for bypass policy for fe80::/64 (from enp1s0 to ipsec0)
May 29 23:21:50 hostmachine charon: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
May 29 23:21:50 hostmachine ipsec[6423]: charon (6427) started after 580 ms
May 29 23:22:04 hostmachine charon: 00[DMN] SIGINT received, shutting down
May 29 23:22:04 hostmachine systemd[1]: Stopping strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf...
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 172.17.0.0/16
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 172.18.0.0/16
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 172.25.0.0/16
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 192.168.189.0/24
May 29 23:22:04 hostmachine systemd-networkd[281]: ipsec0: Link DOWN
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 192.168.189.1/32
May 29 23:22:04 hostmachine systemd-networkd[281]: ipsec0: Lost carrier
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for ::1/128
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 23:22:04 hostmachine charon: 00[IKE] uninstalling bypass policy for fe80::/64
May 29 23:22:04 hostmachine ipsec[6427]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.1, Linux 5.10.0-23-amd64, x86_64)
May 29 23:22:04 hostmachine ipsec[6427]: 00[LIB] created TUN device: ipsec0
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] loaded 0 RADIUS server configurations
May 29 23:22:04 hostmachine ipsec[6427]: 00[CFG] HA config misses local/remote address
May 29 23:22:04 hostmachine ipsec[6427]: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm drbg curl attr kernel-libipsec kernel-netlink resolve socket-default bypass-lan connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
May 29 23:22:04 hostmachine ipsec[6427]: 00[LIB] dropped capabilities, running as uid 0, gid 0
May 29 23:22:04 hostmachine ipsec[6427]: 00[JOB] spawning 16 worker threads
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 172.17.0.0/16
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 172.18.0.0/16
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 172.25.0.0/16
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 192.168.189.0/24
May 29 23:22:04 hostmachine ipsec[6427]: 08[KNL] error installing route with policy 192.168.189.1/32 === 192.168.189.1/32 out
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 192.168.189.1/32
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for ::1/128
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for 2a00:xxxx:xxxx:8000::/64
May 29 23:22:04 hostmachine ipsec[6427]: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] installed bypass policy for fe80::/64
May 29 23:22:04 hostmachine ipsec[6427]: 08[IKE] interface change for bypass policy for fe80::/64 (from enp1s0 to ipsec0)
May 29 23:22:04 hostmachine ipsec[6427]: 08[KNL] error installing route with policy fe80::/64 === fe80::/64 out

任何想法都受到高度讚賞。

相關內容