We are running racoon on Linux, connected to a Checkpoint firewall. The connection works, but we see a traffic outage every 24 hours, corresponding to phase 1 re-keying.
Our setup is as follows:
Local side
racoon from ipsec-tools 0.8.0, installed from RPM on Amazon Linux.
Local IP: 10.130.0.253
Local subnet: 10.130.0.252/30
This runs inside an AWS VPC, i.e. on a private subnet, so we have NAT traversal enabled. We bind the VPN to a sub-interface and use iptables to translate the VPN connection to the primary address, and to NAT traffic destined for the remote LAN to the sub-interface. This lets the host act as a VPN gateway for other hosts, and it works well. iptables rules:
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  10.130.0.253         2.2.2.2              to:10.100.200.112
SNAT       all  --  0.0.0.0/0            10.128.80.0/24       to:10.130.0.253
Remote side:
VPN gateway IP: 2.2.2.2 (anonymised)
Remote subnet: 10.128.80.0/24
Our local configuration is as follows:
/etc/racoon/racoon.conf:
# Racoon IKE daemon configuration file.
# See 'man racoon.conf' for a description of the format and entries.

log debug2;
path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";

# Listen on sub-interface - initial connection to establish tunnel is translated to primary IP by iptables
listen {
        isakmp 10.130.0.253 [500];
        isakmp_natt 10.130.0.253 [4500];
}

timer {
        natt_keepalive 1 minute;
}

# CP VPN-1
remote 2.2.2.2 {
        exchange_mode main;
        lifetime time 24 hour;
        nat_traversal on;
        dpd_delay 20;
        proposal {
                encryption_algorithm 3des;
                hash_algorithm sha1;
                authentication_method pre_shared_key;
                dh_group 2;
        }
}

# net-to-net
sainfo address 10.130.0.252/30 any address 10.128.80.0/24 any {
        pfs_group 2;
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

# gateway to gateway
sainfo address 10.130.0.253/32 any address 2.2.2.2/32 any {
        lifetime time 1 hour;
        encryption_algorithm 3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}
/etc/racoon/setkey.sh
#!/sbin/setkey -f

# First of all flush the SPD database
flush;
spdflush;

# Gateway to Gateway
spdadd 10.130.0.253 2.2.2.2 any -P out ipsec esp/tunnel/10.130.0.253-2.2.2.2/unique;
spdadd 2.2.2.2 10.130.0.253 any -P in ipsec esp/tunnel/2.2.2.2-10.130.0.253/unique;

# Linux-racoon -> CP VPN-1
spdadd 10.130.0.252/30 10.128.80.0/24 any -P out ipsec esp/tunnel/10.130.0.253-2.2.2.2/unique;

# CP VPN-1 > Linux-racoon
spdadd 10.128.80.0/24 10.130.0.252/30 any -P in ipsec esp/tunnel/2.2.2.2-10.130.0.253/unique;
We recently received some alerts while monitoring the VPN, so I set up a more detailed monitoring script that connects to the remote server every minute. It looks like we get a large chunk of downtime every 24 hours. My script shows when the connection goes down and when it comes back up:
Fri Jan 18 20:24:33 UTC 2013 Connection went down
Fri Jan 18 20:48:36 UTC 2013 Connection came up
Sat Jan 19 20:48:36 UTC 2013 Connection went down
Sat Jan 19 21:00:40 UTC 2013 Connection came up
Sun Jan 20 21:00:38 UTC 2013 Connection went down
Sun Jan 20 21:12:43 UTC 2013 Connection came up
As you can see, the connection goes down 24 hours after it last came up.
These outages seem to correspond to phase 1 renegotiation in the VPN logs, which makes sense since the phase 1 lifetime is 24 hours:
Friday:
Jan 18 20:24:32 ip-10-100-200-112 racoon: INFO: ISAKMP-SA expired 10.130.0.253[500]-2.2.2.2[500] spi:13b2510d0bc467f9:ff649237b81a65b7
Jan 18 20:24:32 ip-10-100-200-112 racoon: INFO: ISAKMP-SA deleted 10.130.0.253[500]-2.2.2.2[500] spi:13b2510d0bc467f9:ff649237b81a65b7
Jan 18 20:36:34 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=213727991(0xcbd3af7)
Jan 18 20:36:34 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=3400029604(0xcaa855a4)
Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=213727991(0xcbd3af7)
Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=3400029604(0xcaa855a4)
Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: IPsec-SA request for 2.2.2.2 queued due to no phase1 found.
Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: initiate new phase 1 negotiation: 10.130.0.253[500]<=>2.2.2.2[500]
Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: begin Identity Protection mode.
Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: ISAKMP-SA established 10.130.0.253[500]-2.2.2.2[500] spi:c4978718cd291fde:01245a461d26cc34
Jan 18 20:48:35 ip-10-100-200-112 racoon: INFO: initiate new phase 2 negotiation: 10.130.0.253[500]<=>2.2.2.2[500]
Jan 18 20:48:35 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=264213233(0xfbf92f1)
Jan 18 20:48:35 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=919162535(0x36c94ea7)
Saturday:
Jan 19 20:48:34 ip-10-100-200-112 racoon: INFO: ISAKMP-SA expired 10.130.0.253[500]-2.2.2.2[500] spi:c4978718cd291fde:01245a461d26cc34
Jan 19 20:48:34 ip-10-100-200-112 racoon: INFO: ISAKMP-SA deleted 10.130.0.253[500]-2.2.2.2[500] spi:c4978718cd291fde:01245a461d26cc34
Jan 19 20:48:36 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=229822093(0xdb2ce8d)
Jan 19 20:48:36 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=2536548534(0x9730a8b6)
Jan 19 21:00:36 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=229822093(0xdb2ce8d)
Jan 19 21:00:36 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=2536548534(0x9730a8b6)
Jan 19 21:00:37 ip-10-100-200-112 racoon: INFO: IPsec-SA request for 2.2.2.2 queued due to no phase1 found.
Jan 19 21:00:37 ip-10-100-200-112 racoon: INFO: initiate new phase 1 negotiation: 10.130.0.253[500]<=>2.2.2.2[500]
Jan 19 21:00:37 ip-10-100-200-112 racoon: INFO: begin Identity Protection mode.
Jan 19 21:00:38 ip-10-100-200-112 racoon: INFO: ISAKMP-SA established 10.130.0.253[500]-2.2.2.2[500] spi:8b7e98a2cc9d55cb:0b4e8a4cbca2ada9
Jan 19 21:00:38 ip-10-100-200-112 racoon: INFO: initiate new phase 2 negotiation: 10.130.0.253[500]<=>2.2.2.2[500]
Jan 19 21:00:39 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=111999639(0x6acfa97)
Jan 19 21:00:39 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=577442054(0x226b1106)
Sunday:
Jan 20 21:00:38 ip-10-100-200-112 racoon: INFO: ISAKMP-SA expired 10.130.0.253[500]-2.2.2.2[500] spi:8b7e98a2cc9d55cb:0b4e8a4cbca2ada9
Jan 20 21:00:38 ip-10-100-200-112 racoon: INFO: ISAKMP-SA deleted 10.130.0.253[500]-2.2.2.2[500] spi:8b7e98a2cc9d55cb:0b4e8a4cbca2ada9
Jan 20 21:00:39 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=131435403(0x7d58b8b)
Jan 20 21:00:39 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=272995718(0x10459586)
Jan 20 21:12:39 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 2.2.2.2[500]->10.130.0.253[500] spi=131435403(0x7d58b8b)
Jan 20 21:12:39 ip-10-100-200-112 racoon: INFO: IPsec-SA expired: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=272995718(0x10459586)
Jan 20 21:12:40 ip-10-100-200-112 racoon: INFO: IPsec-SA request for 2.2.2.2 queued due to no phase1 found.
Jan 20 21:12:40 ip-10-100-200-112 racoon: INFO: initiate new phase 1 negotiation: 10.130.0.253[500]<=>2.2.2.2[500]
Jan 20 21:12:40 ip-10-100-200-112 racoon: INFO: begin Identity Protection mode.
Jan 20 21:12:40 ip-10-100-200-112 racoon: INFO: ISAKMP-SA established 10.130.0.253[500]-2.2.2.2[500] spi:e6d2b9ccb25f4992:31807020144b9a1e
Jan 20 21:12:41 ip-10-100-200-112 racoon: INFO: initiate new phase 2 negotiation: 10.130.0.253[500]<=>2.2.2.2[500]
Jan 20 21:12:41 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=179370287(0xab0f92f)
Jan 20 21:12:41 ip-10-100-200-112 racoon: INFO: IPsec-SA established: ESP/Tunnel 10.130.0.253[500]->2.2.2.2[500] spi=1696204357(0x651a0645)
So it seems phase 1 renegotiation takes at least 12 minutes. Does anyone know why this might be, and what we can do to fix it so that we can have uninterrupted VPN traffic?
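As an added example (not code from the question or from ipsec-tools): a Python script that pairs each "ISAKMP-SA expired" line with the next "ISAKMP-SA established" line in racoon's syslog output and reports how long the tunnel had no phase 1 SA, so the gaps shown above can be alerted on from the log itself rather than by probing the peer every minute. Syslog timestamps carry no year, so 2013 is assumed; the sample lines are taken from the excerpts above.

```python
import re
from datetime import datetime

# Syslog prefix as racoon logs it: "Jan 18 20:24:32 <host> racoon: INFO: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ racoon: "
    r"\w+: (?P<msg>.*)$"
)

# Constructed sample: the phase 1 lines from the Friday and Saturday excerpts.
SAMPLE_LOG = """\
Jan 18 20:24:32 ip-10-100-200-112 racoon: INFO: ISAKMP-SA expired 10.130.0.253[500]-2.2.2.2[500] spi:13b2510d0bc467f9:ff649237b81a65b7
Jan 18 20:24:32 ip-10-100-200-112 racoon: INFO: ISAKMP-SA deleted 10.130.0.253[500]-2.2.2.2[500] spi:13b2510d0bc467f9:ff649237b81a65b7
Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: IPsec-SA request for 2.2.2.2 queued due to no phase1 found.
Jan 18 20:48:34 ip-10-100-200-112 racoon: INFO: ISAKMP-SA established 10.130.0.253[500]-2.2.2.2[500] spi:c4978718cd291fde:01245a461d26cc34
Jan 19 20:48:34 ip-10-100-200-112 racoon: INFO: ISAKMP-SA expired 10.130.0.253[500]-2.2.2.2[500] spi:c4978718cd291fde:01245a461d26cc34
Jan 19 21:00:38 ip-10-100-200-112 racoon: INFO: ISAKMP-SA established 10.130.0.253[500]-2.2.2.2[500] spi:8b7e98a2cc9d55cb:0b4e8a4cbca2ada9
"""


def parse_ts(stamp, year):
    # Syslog timestamps have no year; the caller supplies one (2013 assumed).
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def phase1_outages(log_text, year=2013):
    """Pair each 'ISAKMP-SA expired' with the next 'ISAKMP-SA established'
    and return (expired_at, established_at, seconds_without_phase1)."""
    outages, pending = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, msg = parse_ts(m.group("ts"), year), m.group("msg")
        if msg.startswith("ISAKMP-SA expired"):
            pending = ts
        elif msg.startswith("ISAKMP-SA established") and pending is not None:
            outages.append((pending, ts, int((ts - pending).total_seconds())))
            pending = None
    return outages


def slow_rekeys(log_text, max_gap=60, year=2013):
    """Outages longer than max_gap seconds; a rekey that happens before the
    old SA expires should leave no gap at all, so anything here is alertable."""
    return [o for o in phase1_outages(log_text, year) if o[2] > max_gap]
```

Run against a full day of /var/log/messages the same way; the two sample gaps come out as 1442 s and 724 s, matching the 24- and 12-minute outages the probe script saw.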
If you enable dead peer detection, then, assuming I have diagnosed the problem correctly, Racoon should detect the phase 1 expiry and renegotiate automatically.
By default, dpd is disabled;
dpd_delay 0; is the default.
Setting a reasonable number of seconds between dpd checks will enable it;
dpd_delay 30;
Trying this in anger now on my ipsec vpn, which is doing the same thing.
Sorry to answer my own question - I moved from ipsec-tools to Openswan and the VPN is now completely stable. It seems ipsec-tools is a dead project, whereas Openswan is maintained and is now the default VPN solution in RHEL.