强天鹅IPSec隧道不能正常重建。为什么DPD还在继续？

Question

我在两台机器之间有一个IPSec隧道，其中一台(启动器)有两个接口(data0和data1)。data0接口的度量为100，data1为70，因此在最初创建连接时使用data1接口，因为它具有更好的度量。

连接结束后，我取下data1接口的ip，应该使用新的CHILD_SA和使用data0接口的新虚拟ip重新建立连接。

但这是不可能的。所发生的情况是，data0整数试图使第一个CHILD_SA处于活动状态，无限地发送DPD请求。

如何使CHILD_SA关闭，并在使用data0接口的地方创建一个新的？

data0 - 10.3.219.27/16
data1 - 10.3.219.28/16
initiator's vti0 ip: 173.164.0.1
responder's vti0 ip: 192.168.169.1

发起者的配置DPD和rekeying：

version=1
keyingtries=0
aggressive=no
dpd_delay=10
dpd_timeout=50
policies=yes
dpd_action=restart
close_action=start

https://pastecode.xyz/view/3f89dfdd中的日志记录

在我删除接口之前，ipsec状态：

Listening IP addresses:
  10.3.219.27
  10.3.219.28
  173.164.0.1
Connections:
   conn-vti0:  0.0.0.0...94.26.49.38  IKEv1, dpddelay=10s
   conn-vti0:   local:  [tve53] uses pre-shared key authentication
   conn-vti0:   local:  [loc-2] uses XAuth authentication: any with XAuth identity 'config4'
   conn-vti0:   remote: [fortinetconfig4] uses pre-shared key authentication
     ch_vti0:   child:  dynamic === 192.168.169.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
   conn-vti0[80]: ESTABLISHED 15 minutes ago, 10.3.219.28[tve53]...94.26.49.38[fortinetconfig4]
   conn-vti0[80]: IKEv1 SPIs: ac8dfb7c5f24676a_i* 1fc2d2d23231b5ed_r, rekeying in 3 hours
   conn-vti0[80]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
     ch_vti0{51}:  INSTALLED, TUNNEL, reqid 32, ESP in UDP SPIs: c44c6569_i bda13b22_o
     ch_vti0{51}:  AES_CBC_128/HMAC_SHA2_256_128/ECP_384_BP, 4276555 bytes_i (9500 pkts, 0s ago), 1913489 bytes_o (8751 pkts, 0s ago), rekeying in 39 minutes
     ch_vti0{51}:   173.164.0.1/32 === 192.168.169.0/24

ipsec声明--在我做完之后：

Listening IP addresses:
  10.3.219.27
  173.164.0.1
Connections:
   conn-vti0:  0.0.0.0...94.26.49.38  IKEv1, dpddelay=10s
   conn-vti0:   local:  [tve53] uses pre-shared key authentication
   conn-vti0:   local:  [loc-2] uses XAuth authentication: any with XAuth identity 'config4'
   conn-vti0:   remote: [fortinetconfig4] uses pre-shared key authentication
     ch_vti0:   child:  dynamic === 192.168.169.0/24 TUNNEL, dpdaction=restart
Security Associations (2 up, 0 connecting):
   conn-vti0[81]: ESTABLISHED 8 seconds ago, 10.3.219.27[tve53]...94.26.49.38[fortinetconfig4]
   conn-vti0[81]: IKEv1 SPIs: 8425e35cef48f8b5_i* 490188becb87d6ad_r, rekeying in 3 hours
   conn-vti0[81]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
     ch_vti0{51}:  INSTALLED, TUNNEL, reqid 32, ESP in UDP SPIs: c44c6569_i bda13b22_o
     ch_vti0{51}:  AES_CBC_128/HMAC_SHA2_256_128/ECP_384_BP, 7958755 bytes_i (17317 pkts, 9s ago), 3480780 bytes_o (15870 pkts, 9s ago), rekeying in 24 minutes
     ch_vti0{51}:   173.164.0.1/32 === 192.168.169.0/24
   conn-vti0[80]: REKEYING, 10.3.219.27[tve53]...94.26.49.38[fortinetconfig4]
   conn-vti0[80]: IKEv1 SPIs: ac8dfb7c5f24676a_i* 1fc2d2d23231b5ed_r
   conn-vti0[80]: IKE proposal: AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096

Answer 1

当您想在WAN连接上实现故障转移时，您需要配置具有正确度量/优先级的接口，然后手动切换，或者实现ping/http连接自动切换.但也适合静态路线。

当接口data1关闭时，ipv4和ipv6 IP必须更换/更新：

ip a (newer tool)
ifconfig -a (older tool)

而且路由也需要改变，这样流量就可以使用data0。向以下机构查询：

ip r (using newer ip tool)
route -n (older command)

具体来说，检查是否有任何剩余的IP，例如，ipv6 IP，即使ipv4 IP已经消失。