
IPsec/L2TP connection fails when two clients have the same local LAN address

Server Fault user
Asked on 2021-07-16 00:52:18
1 answer, 770 views, 0 followers, 0 votes

We occasionally run into problems with an IPsec/L2TP remote-access VPN served by strongSwan (charon).

Today one user was unable to connect. I looked at the charon log and noticed that another existing session was being affected. The common factor is the local LAN address (192.168.0.18).

Everything is quiet in charon.log. Then user B connects (50.xx.xx.xx). User A's session (70.xx.xx.xx) immediately starts generating log entries. When user B's attempt fails (l2tp disconnects), everything goes quiet again.

Charon log excerpt:

```text
Jul 16 01:14:59 01[IKE] <21363> 50.xxx.xxx.xxx is initiating a Main Mode IKE_SA
Jul 16 01:14:59 08[IKE] <remote-access|21362> closing CHILD_SA remote-access{45249} with SPIs c9ea7827_i (59714 bytes) 08d6c880_o (43106 bytes) and TS abc.61.143.254/32[udp/l2f] === 70.xxx.xxx.xxx/32[udp/63717]
Jul 16 01:14:59 08[IKE] <remote-access|21362> deleting IKE_SA remote-access[21362] between abc.61.143.254[abc.61.143.254]...70.xxx.xxx.xxx[192.168.0.18]
Jul 16 01:14:59 08[IKE] <remote-access|21363> IKE_SA remote-access[21363] established between abc.61.143.254[abc.61.143.254]...50.xxx.xxx.xxx[192.168.0.18]
Jul 16 01:15:00 06[IKE] <remote-access|21363> CHILD_SA remote-access{45251} established with SPIs cc91da0f_i 0e42f461_o and TS abc.61.143.254/32[udp/l2f] === 50.68.170.211/32[udp/58401]
Jul 16 01:15:02 15[IKE] <21364> 70.xxx.xxx.xxx is initiating a Main Mode IKE_SA
Jul 16 01:15:03 11[IKE] <remote-access|21363> closing CHILD_SA remote-access{45251} with SPIs cc91da0f_i (331 bytes) 0e42f461_o (300 bytes) and TS abc.61.143.254/32[udp/l2f] === 50.xxx.xxx.xxx/32[udp/58401]
Jul 16 01:15:03 11[IKE] <remote-access|21363> deleting IKE_SA remote-access[21363] between abc.61.143.254[abc.61.143.254]...50.xxx.xxx.xxx[192.168.0.18]
Jul 16 01:15:03 11[IKE] <remote-access|21364> IKE_SA remote-access[21364] established between abc.61.143.254[abc.61.143.254]...70.xxx.xxx.xxx[192.168.0.18]
Jul 16 01:15:03 07[IKE] <remote-access|21364> CHILD_SA remote-access{45252} established with SPIs cca08f41_i 0da530b5_o and TS abc.61.143.254/32[udp/l2f] === 70.xxx.xxx.xxx/32[udp/63717]
Jul 16 01:15:22 11[IKE] <21365> 50.xxx.xxx.xxx is initiating a Main Mode IKE_SA
Jul 16 01:15:23 07[IKE] <remote-access|21364> closing CHILD_SA remote-access{45252} with SPIs cca08f41_i (12135 bytes) 0da530b5_o (8428 bytes) and TS abc.61.143.254/32[udp/l2f] === 70.xxx.xxx.xxx/32[udp/63717]
Jul 16 01:15:23 07[IKE] <remote-access|21364> deleting IKE_SA remote-access[21364] between abc.61.143.254[abc.61.143.254]...70.xxx.xxx.xxx[192.168.0.18]
Jul 16 01:15:23 07[IKE] <remote-access|21365> IKE_SA remote-access[21365] established between abc.61.143.254[abc.61.143.254]...50.xxx.xxx.xxx[192.168.0.18]
Jul 16 01:15:23 12[IKE] <remote-access|21365> CHILD_SA remote-access{45253} established with SPIs c28d018d_i 0dbb052e_o and TS abc.61.143.254/32[udp/l2f] === 50.xxx.xxx.xxx/32[udp/58401]
Jul 16 01:15:26 15[KNL] 10.255.255.0 appeared on ppp1
Jul 16 01:15:26 14[KNL] 10.255.255.0 disappeared from ppp1
```

I can't see how the local LAN address would affect the server, but the conflict between these two connections is consistent. The log is quiet both before and after the excerpt above.

1 Answer

Server Fault user

Posted on 2021-07-16 07:20:10

The problem is that the clients send their private IP address as their identity. You can see the identities in [] in the log messages:

```text
deleting IKE_SA remote-access[21362] between abc.61.143.254[abc.61.143.254]...70.xxx.xxx.xxx[192.168.0.18]
IKE_SA remote-access[21363] established between abc.61.143.254[abc.61.143.254]...50.xxx.xxx.xxx[192.168.0.18]
```

So both IKE_SAs are between the identities 192.168.0.18 and abc.61.143.254.

Depending on the setting of unique (swanctl.conf) or uniqueids (ipsec.conf), the duplicate gets deleted. To avoid this, disable the uniqueness check by setting it to no, or, if the clients send INITIAL_CONTACT notifies, set it to never.

票数 0
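To spot this replacement pattern in a charon log before users report it, here is an added detection example (not part of the original question or answer, and not strongSwan's own tooling). It parses the "deleting IKE_SA" / "IKE_SA ... established" lines, and flags an IKE_SA that is torn down and, within a few seconds, re-established for the same identity from a different public address. The sample lines are constructed from the question's format with RFC 5737 placeholder addresses.

```python
"""Flag IKE_SA replacements caused by two peers presenting the same IKE identity
(added example; the log sample is constructed, modelled on the question's excerpt)."""
import re
from datetime import datetime

# Constructed sample modelled on the question's log; addresses are documentation
# placeholders (RFC 5737), not the original poster's.
SAMPLE_LOG = """\
Jul 16 01:14:59 08[IKE] <remote-access|21362> deleting IKE_SA remote-access[21362] between 203.0.113.1[203.0.113.1]...198.51.100.7[192.168.0.18]
Jul 16 01:14:59 08[IKE] <remote-access|21363> IKE_SA remote-access[21363] established between 203.0.113.1[203.0.113.1]...192.0.2.44[192.168.0.18]
Jul 16 01:15:03 11[IKE] <remote-access|21363> deleting IKE_SA remote-access[21363] between 203.0.113.1[203.0.113.1]...192.0.2.44[192.168.0.18]
Jul 16 01:15:03 11[IKE] <remote-access|21364> IKE_SA remote-access[21364] established between 203.0.113.1[203.0.113.1]...198.51.100.7[192.168.0.18]
Jul 16 01:16:10 09[IKE] <remote-access|21370> IKE_SA remote-access[21370] established between 203.0.113.1[203.0.113.1]...198.51.100.99[10.0.0.5]
"""

# One regex covers both the "deleting IKE_SA ..." and "IKE_SA ... established" forms.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\d+\[IKE\]\s+<[^>]*>\s+"
    r"(?P<verb>deleting IKE_SA|IKE_SA)\s+\S+?\[(?P<sa>\d+)\]\s+(?:established\s+)?between\s+"
    r"\S+?\[[^\]]*\]\.\.\.(?P<peer>\S+?)\[(?P<ident>[^\]]*)\]"
)

def parse_events(text):
    """Yield (timestamp, verb, sa_number, peer_address, identity) for matching lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
            yield ts, m["verb"], int(m["sa"]), m["peer"], m["ident"]

def find_identity_collisions(text, window_seconds=5):
    """Return [(timestamp, identity, deleted_peer, new_peer)] for each replacement
    where a deletion is followed within window_seconds by an establishment of the
    same identity from a different peer address."""
    recent_deletes = {}  # identity -> (timestamp, peer) of the most recent deletion
    collisions = []
    for ts, verb, _sa, peer, ident in parse_events(text):
        if verb == "deleting IKE_SA":
            recent_deletes[ident] = (ts, peer)
            continue
        prior = recent_deletes.get(ident)
        if prior and prior[1] != peer and (ts - prior[0]).total_seconds() <= window_seconds:
            collisions.append((ts, ident, prior[1], peer))
    return collisions

if __name__ == "__main__":
    for ts, ident, old, new in find_identity_collisions(SAMPLE_LOG):
        print(f"{ts:%b %d %H:%M:%S} identity {ident!r}: SA from {old} replaced by {new}")
```

A hit means two different clients share an IKE identity, which is what uniqueids/unique=replace reacts to; the fix is still the configuration change from the answer (or giving clients distinct identities), not suppressing the log.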
Page content originally provided by Server Fault; translation supported by Tencent Cloud's IT-domain engine.
Original link: https://serverfault.com/questions/1069757
