We have two sites: our main site is in the east (IAD) and our "remote" site is in the west (SFO). This is our setup:
IAD:
SFO:
Currently we use a bastion host to connect to our SFO site, and that works fine for us.
I followed the steps here https://aws.amazon.com/articles/5472675506466066 and here https://www.zeitgeist.se/2013/11/22/strongswan-howto-create-your-own-vpn/ to set up a site-to-site VPN tunnel. I was able to get the connection established using the local IP (via the bastion host) and the public IP, and I was able to SSH from one instance to the other.
However, once the connection is up, we lose connectivity from IAD to SFO. I have checked the security groups and confirmed that I can still connect without the VPN tunnel. As soon as I issue "ipsec stop", I can connect again.
This behaviour tells me something is wrong with split tunnelling, but I have been at this for hours with no luck. What am I doing wrong?
Below are the configuration files and the log. The actual endpoints have been redacted.
site1 (ipsec.conf):

conn vpc-sfo-b
    leftcert=leftcert.pem
    leftid=site1.example.com
    leftsubnet=10.10.0.0/16
    right=%site2.example.com
    rightid=site2.example.com
    rightsubnet=10.20.0.0/16
    auto=start
    authby=pubkey
    mobike=no
    type=tunnel

site2 (ipsec.conf):

conn vpc-iad-a
    leftcert=rightcert.pem
    leftid=[email protected]
    leftsubnet=10.20.0.0/16
    right=%site1.example.com
    rightid=site1.example.com
    rightsubnet=10.10.0.0/16
    auto=add
    authby=pubkey
    mobike=no
log (site1):

Sep 8 21:25:28 iad-a-s2s-1 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.2.1, Linux 3.16.0-4-amd64, x86_64)
Sep 8 21:25:28 iad-a-s2s-1 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Sep 8 21:25:28 iad-a-s2s-1 charon: 00[CFG] loaded ca certificate "C=US, O=My-Company, CN=My-Company Root CA" from '/etc/ipsec.d/cacerts/strongswanCert.pem'
Sep 8 21:25:28 iad-a-s2s-1 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Sep 8 21:25:28 iad-a-s2s-1 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Sep 8 21:25:28 iad-a-s2s-1 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Sep 8 21:25:28 iad-a-s2s-1 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Sep 8 21:25:28 iad-a-s2s-1 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Sep 8 21:25:28 iad-a-s2s-1 charon: 00[CFG] loading secrets from '/var/lib/strongswan/ipsec.secrets.inc'
Sep 8 21:25:28 iad-a-s2s-1 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/clientKey.pem'
Sep 8 21:25:28 iad-a-s2s-1 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/strongswanKey.pem'
Sep 8 21:25:28 iad-a-s2s-1 charon: 00[CFG] loaded RSA private key from '/etc/ipsec.d/private/vpnHostKey.pem'
Sep 8 21:25:28 iad-a-s2s-1 charon: 00[LIB] loaded plugins: charon addrblock aes af-alg agent attr ccm certexpire cmac constraints ctr dhcp dnskey eap-aka eap-gtc eap-identity eap-md5 eap-mschapv2 eap-tls eap-tnc eap-ttls error-notify farp fips-prf gcm gcrypt ldap led lookip openssl pgp pkcs11 pkcs12 pkcs7 pkcs8 pubkey rc2 rdrand resolve sshkey test-vectors tnc-tnccs unity xauth-pam xcbc sha1 sha2 md5 pem pkcs1 gmp random nonce x509 curl revocation hmac stroke kernel-netlink socket-default eap-radius updown xauth-generic xauth-eap
Sep 8 21:25:28 iad-a-s2s-1 charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
Sep 8 21:25:28 iad-a-s2s-1 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Sep 8 21:25:28 iad-a-s2s-1 charon: 00[JOB] spawning 16 worker threads
Sep 8 21:25:28 iad-a-s2s-1 charon: 11[CFG] received stroke: add connection 'vpc-sfo-b'
Sep 8 21:25:28 iad-a-s2s-1 charon: 11[CFG] left nor right host is our side, assuming left=local
Sep 8 21:25:28 iad-a-s2s-1 charon: 11[CFG] loaded certificate "C=US, O=My-Company, CN=site1.example.com" from 'vpnHostCert.pem'
Sep 8 21:25:28 iad-a-s2s-1 charon: 11[CFG] added configuration 'vpc-sfo-b'
Sep 8 21:25:28 iad-a-s2s-1 charon: 13[CFG] received stroke: initiate 'vpc-sfo-b'
Sep 8 21:25:28 iad-a-s2s-1 charon: 13[IKE] initiating IKE_SA vpc-sfo-b[1] to xxx.xxx.xxx.xxx
Sep 8 21:25:28 iad-a-s2s-1 charon: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 8 21:25:28 iad-a-s2s-1 charon: 13[NET] sending packet: from 10.10.100.73[500] to xxx.xxx.xxx.xxx[500] (1420 bytes)
Sep 8 21:25:28 iad-a-s2s-1 charon: 15[NET] received packet: from xxx.xxx.xxx.xxx[500] to 10.10.100.73[500] (465 bytes)
Sep 8 21:25:28 iad-a-s2s-1 charon: 15[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Sep 8 21:25:28 iad-a-s2s-1 charon: 15[IKE] local host is behind NAT, sending keep alives
Sep 8 21:25:28 iad-a-s2s-1 charon: 15[IKE] remote host is behind NAT
Sep 8 21:25:28 iad-a-s2s-1 charon: 15[IKE] received cert request for "C=US, O=My-Company, CN=My-Company Root CA"
Sep 8 21:25:28 iad-a-s2s-1 charon: 15[IKE] sending cert request for "C=US, O=My-Company, CN=My-Company Root CA"
Sep 8 21:25:28 iad-a-s2s-1 charon: 15[IKE] authentication of 'site1.example.com' (myself) with RSA signature successful
Sep 8 21:25:28 iad-a-s2s-1 charon: 15[IKE] sending end entity cert "C=US, O=My-Company, CN=site1.example.com"
Sep 8 21:25:28 iad-a-s2s-1 charon: 15[IKE] establishing CHILD_SA vpc-sfo-b
Sep 8 21:25:28 iad-a-s2s-1 charon: 15[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH SA TSi TSr N(EAP_ONLY) ]
Sep 8 21:25:28 iad-a-s2s-1 charon: 15[NET] sending packet: from 10.10.100.73[4500] to xxx.xxx.xxx.xxx[4500] (1804 bytes)
Sep 8 21:25:32 iad-a-s2s-1 charon: 16[IKE] retransmit 1 of request with message ID 1
Sep 8 21:25:32 iad-a-s2s-1 charon: 16[NET] sending packet: from 10.10.100.73[4500] to xxx.xxx.xxx.xxx[4500] (1804 bytes)
Sep 8 21:25:40 iad-a-s2s-1 charon: 05[IKE] retransmit 2 of request with message ID 1
Sep 8 21:25:40 iad-a-s2s-1 charon: 05[NET] sending packet: from 10.10.100.73[4500] to xxx.xxx.xxx.xxx[4500] (1804 bytes)
Sep 8 21:25:40 iad-a-s2s-1 charon: 04[NET] received packet: from xxx.xxx.xxx.xxx[4500] to 10.10.100.73[4500] (1580 bytes)
Sep 8 21:25:40 iad-a-s2s-1 charon: 04[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH SA TSi TSr N(AUTH_LFT) ]
Sep 8 21:25:40 iad-a-s2s-1 charon: 04[IKE] received end entity cert "C=US, O=My-Company, CN=site2.example.com"
Sep 8 21:25:40 iad-a-s2s-1 charon: 04[CFG] using certificate "C=US, O=My-Company, CN=site2.example.com"
Sep 8 21:25:40 iad-a-s2s-1 charon: 04[CFG] using trusted ca certificate "C=US, O=My-Company, CN=My-Company Root CA"
Sep 8 21:25:40 iad-a-s2s-1 charon: 04[CFG] checking certificate status of "C=US, O=My-Company, CN=site2.example.com"
Sep 8 21:25:40 iad-a-s2s-1 charon: 04[CFG] certificate status is not available
Sep 8 21:25:40 iad-a-s2s-1 charon: 04[CFG] reached self-signed root ca with a path length of 0
Sep 8 21:25:40 iad-a-s2s-1 charon: 04[IKE] authentication of 'site2.example.com' with RSA signature successful
Sep 8 21:25:40 iad-a-s2s-1 charon: 04[IKE] IKE_SA vpc-sfo-b[1] established between 10.10.100.73[site1.example.com]...xxx.xxx.xxx.xxx[site2.example.com]
Sep 8 21:25:40 iad-a-s2s-1 charon: 04[IKE] scheduling reauthentication in 9865s
Sep 8 21:25:40 iad-a-s2s-1 charon: 04[IKE] maximum IKE_SA lifetime 10405s
Sep 8 21:25:40 iad-a-s2s-1 charon: 04[IKE] CHILD_SA vpc-sfo-b{1} established with SPIs c0fc00ec_i c36b6d2a_o and TS 10.10.0.0/16 === 10.20.0.0/16
Sep 8 21:25:40 iad-a-s2s-1 charon: 04[IKE] received AUTH_LIFETIME of 9757s, scheduling reauthentication in 9217s
Sep 8 21:26:13 iad-a-s2s-1 charon: 14[IKE] sending keep alive to xxx.xxx.xxx.xxx[4500]
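Added example (not code from the post or from strongSwan): a small Python check that parses the two conn blocks above, verifies that the two ends mirror each other (each side's leftid/leftsubnet must be the other side's rightid/rightsubnet, and at least one side must have auto=start), pulls the installed traffic selectors out of the CHILD_SA log line, and reports which sample flows the IPsec policy would steer into the tunnel. The leftid of site2 is unreadable in the post, so the value used in the script is an assumption; the sample flow addresses are constructed.

```python
# Added example, not code from the post: sanity checks for a pair of
# strongSwan ipsec.conf "conn" sections and for the traffic selectors the
# charon log says were actually installed.
import ipaddress
import re

# Constructed from the two conn blocks quoted in the post. site2's leftid is
# garbled in the post, so "site2.example.com" here is an assumption.
SITE1_CONF = """\
conn vpc-sfo-b
    leftcert=leftcert.pem
    leftid=site1.example.com
    leftsubnet=10.10.0.0/16
    right=%site2.example.com
    rightid=site2.example.com
    rightsubnet=10.20.0.0/16
    auto=start
    authby=pubkey
    mobike=no
    type=tunnel
"""

SITE2_CONF = """\
conn vpc-iad-a
    leftcert=rightcert.pem
    leftid=site2.example.com
    leftsubnet=10.20.0.0/16
    right=%site1.example.com
    rightid=site1.example.com
    rightsubnet=10.10.0.0/16
    auto=add
    authby=pubkey
    mobike=no
"""

# One line copied from the charon log quoted in the post.
LOG_LINE = ("Sep 8 21:25:40 iad-a-s2s-1 charon: 04[IKE] CHILD_SA vpc-sfo-b{1} "
            "established with SPIs c0fc00ec_i c36b6d2a_o and TS 10.10.0.0/16 === 10.20.0.0/16")


def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn' section in text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1]
            conns[current] = {}
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def networks(value):
    """Split a comma-separated subnet list (ipsec.conf allows lists) into ip_network objects."""
    return [ipaddress.ip_network(v.strip()) for v in value.split(",")]


def check_pair(a, b):
    """Problems found when conn a and conn b are the two ends of one tunnel.
    Each side's 'left' is itself, so a's left must equal b's right and vice versa."""
    problems = []
    for mine, theirs in (("leftid", "rightid"), ("rightid", "leftid")):
        if a.get(mine) != b.get(theirs):
            problems.append(f"identity mismatch: a.{mine}={a.get(mine)} b.{theirs}={b.get(theirs)}")
    for mine, theirs in (("leftsubnet", "rightsubnet"), ("rightsubnet", "leftsubnet")):
        if set(networks(a.get(mine, "0.0.0.0/0"))) != set(networks(b.get(theirs, "0.0.0.0/0"))):
            problems.append(f"subnet mismatch: a.{mine}={a.get(mine)} b.{theirs}={b.get(theirs)}")
    # strongSwan's default for auto is ignore; with add/ignore on both sides nobody initiates.
    if "start" not in (a.get("auto", "ignore"), b.get("auto", "ignore")):
        problems.append("neither side has auto=start, so the tunnel is never initiated")
    # type defaults to tunnel; flag a side that differs from the other.
    if a.get("type", "tunnel") != b.get("type", "tunnel"):
        problems.append("type differs between the two sides")
    return problems


def ts_from_log(line):
    """Extract the (local, remote) traffic selectors reported in a CHILD_SA log line."""
    m = re.search(r"TS (\S+) === (\S+)", line)
    return (m.group(1), m.group(2)) if m else None


def flow_is_tunneled(conn, src, dst):
    """True if a src->dst flow, seen from conn's left side, matches its traffic
    selectors and is therefore steered into the IPsec policy instead of
    following the host's normal route."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(s in n for n in networks(conn["leftsubnet"]))
            and any(d in n for n in networks(conn["rightsubnet"])))


if __name__ == "__main__":
    site1 = parse_conns(SITE1_CONF)["vpc-sfo-b"]
    site2 = parse_conns(SITE2_CONF)["vpc-iad-a"]
    print("problems:", check_pair(site1, site2) or "none")
    print("installed TS:", ts_from_log(LOG_LINE))
    # Constructed sample flows: the IAD gateway talking to an SFO private
    # address versus the same host talking to a public (documentation) address.
    for dst in ("10.20.1.5", "203.0.113.10"):
        print(f"10.10.100.73 -> {dst}: tunneled={flow_is_tunneled(site1, '10.10.100.73', dst)}")
```

The point of flow_is_tunneled is that once the CHILD_SA with TS 10.10.0.0/16 === 10.20.0.0/16 is installed, every packet between those two ranges is handled by the IPsec policy on the gateway, so any path that previously reached an SFO private address by another route (for example through a bastion) is affected only if its addresses fall inside those selectors; running the check against the real addresses on both sides shows which flows moved.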