Posts posted by AlexanderG3
On 8/27/2021 at 6:22 PM, krass said:
Do you have it on the stable or long-term branch? Try long-term, it may help....
Thanks. Already on long-term. Enabled PFS: now 3 rekeys go through fine, the fourth one fails.
-
Thank you very much, I'll dig in the ROS direction. You've helped me a lot; I'm very glad that Keenetic has such excellent support. If I find out anything about the Mikrotik, I'll write.
-
Unfortunately, the IPsec SA did not renew without the L2TP dropping: 8 hours passed and the connection went down. Could you please tell me where else to look to solve the problem?
11[IKE] initiator did not reauthenticate as requested
Aug 27 16:28:54 ipsec: 11[IKE] reauthenticating IKE_SA L2TP0[176] actively
Aug 27 16:28:54 ipsec: 11[IKE] sending XAuth vendor ID
Aug 27 16:28:54 ipsec: 11[IKE] sending DPD vendor ID
Aug 27 16:28:54 ipsec: 11[IKE] sending FRAGMENTATION vendor ID
Aug 27 16:28:54 ipsec: 11[IKE] sending NAT-T (RFC 3947) vendor ID
Aug 27 16:28:54 ipsec: 11[IKE] sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Aug 27 16:28:54 ipsec: 11[IKE] initiating Main Mode IKE_SA L2TP0[177] to IP_Mikrotik
Aug 27 16:28:54 ipsec: 16[IKE] received NAT-T (RFC 3947) vendor ID
Aug 27 16:28:54 ipsec: 16[IKE] received XAuth vendor ID
Aug 27 16:28:54 ipsec: 16[IKE] received DPD vendor ID
Aug 27 16:28:54 ipsec: 16[IKE] received FRAGMENTATION vendor ID
Aug 27 16:28:54 ipsec: 16[CFG] received proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 27 16:28:54 ipsec: 16[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
Aug 27 16:28:54 ipsec: 16[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Aug 27 16:28:55 ipsec: 09[IKE] found linked key for crypto map 'L2TP0'
Aug 27 16:28:55 ipsec: 08[IKE] schedule delete of duplicate IKE_SA for peer 'IP_Mikrotik' due to uniqueness policy and suspected reauthentication
Aug 27 16:28:55 ipsec: 08[IKE] IKE_SA L2TP0[177] established between IP_Keenetic[IP_Keenetic]...IP_Mikrotik[IP_Mikrotik]
Aug 27 16:28:55 ipsec: 08[IKE] scheduling reauthentication in 3566s
Aug 27 16:28:55 ipsec: 08[IKE] maximum IKE_SA lifetime 3586s
Aug 27 16:28:55 ndm: IpSec::CryptoMapInfo: "L2TP0": crypto map active IKE SA: 2, active CHILD SA: 1.
Aug 27 16:29:05 ipsec: 09[IKE] deleting IKE_SA L2TP0[176] between IP_Keenetic[IP_Keenetic]...IP_Mikrotik[IP_Mikrotik]
Aug 27 16:29:05 ipsec: 09[IKE] sending DELETE for IKE_SA L2TP0[176]
Aug 27 16:29:05 ndm: IpSec::CryptoMapInfo: "L2TP0": crypto map active IKE SA: 1, active CHILD SA: 1.
Aug 27 16:30:22 ndhcps
Aug 27 16:30:56 pppd_L2TP0: No response to 3 echo-requests
Aug 27 16:30:56 pppd_L2TP0: Serial link appears to be disconnected.
-
When changing only the ipsec proposal lifetime, the ISAKMP SA renewal goes through correctly (visible on both the Mikrotik side and the Keenetic side; the service tunnel gets built). Now it remains to wait for the IPsec SAs to also renew once the soft lifetime elapses (hard 28800, soft 06:24:00). I'll write the result.
-
For testing, so as to wait less for the key renewal, I set lifetime 3600. If you change the single parameter ipsec proposal lifetime, the key apparently does renew, but if you set the same value for the ipsec transform-set, everything returns to the same situation as before, only now not once every six hours but once an hour. I'll set 20000 and wait to see how things go with that setting.
-
Thanks, I'll set it now and come back with the result.
-
Thanks for the quick reply. Is this the ipsec proposal lifetime parameter at the L2TP interface level?
-
Good afternoon.
Regularly, once every six hours, L2TP/IPsec drops; the logs show:
[I] Aug 24 23:04:33 ipsec: 05[IKE] received NAT-T (RFC 3947) vendor ID
[I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
[I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
[I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
[I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
[I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
[I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
[I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
[I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
[I] Aug 24 23:04:33 ipsec: 05[IKE] received draft-ietf-ipsec-nat-t-ike-00 vendor ID
[I] Aug 24 23:04:33 ipsec: 05[IKE] received Cisco Unity vendor ID
[I] Aug 24 23:04:33 ipsec: 05[IKE] received DPD vendor ID
[I] Aug 24 23:04:33 ipsec: 05[IKE] W1.X1.Y1.Z1 is initiating a Main Mode IKE_SA
[I] Aug 24 23:04:33 ipsec: 05[CFG] received proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Aug 24 23:04:33 ipsec: 05[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
[I] Aug 24 23:04:33 ipsec: 05[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Aug 24 23:04:33 ipsec: 05[IKE] sending XAuth vendor ID
[I] Aug 24 23:04:33 ipsec: 05[IKE] sending DPD vendor ID
[I] Aug 24 23:04:33 ipsec: 05[IKE] sending NAT-T (RFC 3947) vendor ID
[I] Aug 24 23:04:33 ipsec: 10[IKE] linked key for crypto map '(unnamed)' is not found, still searching
[I] Aug 24 23:04:33 ipsec: 11[CFG] looking for pre-shared key peer configs matching W2.X2.Y2.Z2...W1.X1.Y1.Z1[W1.X1.Y1.Z1]
[I] Aug 24 23:04:33 ipsec: 11[CFG] selected peer config "L2TP0"
[I] Aug 24 23:04:33 ipsec: 11[IKE] detected reauth of existing IKE_SA, adopting 1 children and 0 virtual IPs
[I] Aug 24 23:04:33 ipsec: 11[IKE] schedule delete of duplicate IKE_SA for peer 'W1.X1.Y1.Z1' due to uniqueness policy and suspected reauthentication
[I] Aug 24 23:04:33 ipsec: 11[IKE] IKE_SA L2TP0[106] established between W2.X2.Y2.Z2[W2.X2.Y2.Z2]...W1.X1.Y1.Z1[W1.X1.Y1.Z1]
[I] Aug 24 23:04:33 ipsec: 11[IKE] scheduling reauthentication in 28767s
[I] Aug 24 23:04:33 ipsec: 11[IKE] maximum IKE_SA lifetime 28787s
[I] Aug 24 23:04:34 ndm: IpSec::CryptoMapInfo: "L2TP0": crypto map active IKE SA: 2, active CHILD SA: 1.
[I] Aug 24 23:04:43 ipsec: 08[IKE] deleting IKE_SA L2TP0[105] between W2.X2.Y2.Z2[W2.X2.Y2.Z2]...W1.X1.Y1.Z1[W1.X1.Y1.Z1]
[I] Aug 24 23:04:43 ipsec: 08[IKE] sending DELETE for IKE_SA L2TP0[105]
[I] Aug 24 23:04:44 ndm: IpSec::CryptoMapInfo: "L2TP0": crypto map active IKE SA: 1, active CHILD SA: 1.
[I] Aug 24 23:06:35 pppd_L2TP0: No response to 3 echo-requests
[I] Aug 24 23:06:35 pppd_L2TP0: Serial link appears to be disconnected.
[I] Aug 24 23:06:35 pppd_L2TP0: Connect time 386.1 minutes.
[I] Aug 24 23:06:35 pppd_L2TP0: Sent 505126 bytes, received 1072468 bytes.
[I] Aug 24 23:06:35 ndm: Network::Interface::Ip: "L2TP0": IP address cleared.
Please help me solve the problem.
L2TP/IPsec connection drops on key renewal (Keenetic Giga 3 - Mikrotik)
in Discussion of IPsec, OpenVPN and other tunnels
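The log above shows two things a reader may want to check by hand: which IKE proposal the Keenetic (strongSwan-based) responder ends up selecting from the peer's offer, and how long after the IKE_SA reauthentication the pppd LCP echo timeout on L2TP0 fires. The script below is an added example, not code from the post or from Keenetic or Mikrotik. It parses the syslog-style lines quoted on this page (with or without the `[I]` prefix, so it also fits the Aug 27 log in the later post), models the responder's choice as "first configured proposal that the peer also offered" (a simplification; strongSwan matches transform by transform, which is equivalent here because every proposal carries a single algorithm per transform type), and pairs each reauthentication with the next pppd echo timeout. The sample input is a constructed subset of the Aug 24 log; the anonymised addresses are the ones in the post.

```python
"""Analyse Keenetic IKE/L2TP log lines: proposal selection and reauth-to-drop timing.

Added example; not the post author's or Keenetic's code.
"""
import re
from datetime import datetime

# Constructed subset of the Aug 24 log quoted in the post above.
SAMPLE_LOG = """\
[I] Aug 24 23:04:33 ipsec: 05[IKE] W1.X1.Y1.Z1 is initiating a Main Mode IKE_SA
[I] Aug 24 23:04:33 ipsec: 05[CFG] received proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Aug 24 23:04:33 ipsec: 05[CFG] configured proposals: IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_384, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/ECP_256, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC=128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:3DES_CBC/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024
[I] Aug 24 23:04:33 ipsec: 05[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
[I] Aug 24 23:04:33 ipsec: 11[IKE] detected reauth of existing IKE_SA, adopting 1 children and 0 virtual IPs
[I] Aug 24 23:04:33 ipsec: 11[IKE] IKE_SA L2TP0[106] established between W2.X2.Y2.Z2[W2.X2.Y2.Z2]...W1.X1.Y1.Z1[W1.X1.Y1.Z1]
[I] Aug 24 23:04:43 ipsec: 08[IKE] deleting IKE_SA L2TP0[105] between W2.X2.Y2.Z2[W2.X2.Y2.Z2]...W1.X1.Y1.Z1[W1.X1.Y1.Z1]
[I] Aug 24 23:06:35 pppd_L2TP0: No response to 3 echo-requests
[I] Aug 24 23:06:35 pppd_L2TP0: Serial link appears to be disconnected.
"""

# Optional "[I] " level prefix, timestamp without year, process name, message.
LINE_RE = re.compile(r"^(?:\[\w\] )?(\w{3} +\d+ \d\d:\d\d:\d\d) ([\w.]+): (.*)$")
PROPOSAL_RE = re.compile(r"(received|configured|selected) proposals?: (.*)$")


def parse_line(line):
    """Return (timestamp, process, message) for a Keenetic log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The log carries no year; strptime defaults to 1900, which is fine for deltas within a day.
    return datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2), m.group(3)


def parse_proposals(text):
    """Split the comma-separated proposal list printed by charon."""
    return [p.strip() for p in text.split(",") if p.strip()]


def select_proposal(received, configured):
    """Model of the responder choice: the first configured proposal the peer also offered.

    Assumption: whole-string comparison, exact only for single-algorithm proposals as here.
    """
    offered = set(received)
    for prop in configured:
        if prop in offered:
            return prop
    return None


def dh_group(proposal):
    """The DH group is the last transform in the proposal string, e.g. 'MODP_1024'."""
    return proposal.split("/")[-1]


def correlate_reauth_drops(log, window_s=600):
    """Pair each IKE reauthentication with the next pppd echo timeout within window_s."""
    events = [e for e in map(parse_line, log.splitlines()) if e]
    reauths = [ts for ts, proc, msg in events
               if proc == "ipsec" and ("detected reauth" in msg or "reauthenticating IKE_SA" in msg)]
    drops = [ts for ts, proc, msg in events
             if proc.startswith("pppd") and "No response to" in msg and "echo-request" in msg]
    pairs = []
    for r in reauths:
        later = [d for d in drops if 0 <= (d - r).total_seconds() <= window_s]
        if later:
            pairs.append((r, later[0], int((later[0] - r).total_seconds())))
    return pairs


def analyze(log):
    """Compare the modelled selection with the logged one and report reauth-to-drop delays."""
    proposals = {}
    for e in map(parse_line, log.splitlines()):
        if e and e[1] == "ipsec":
            m = PROPOSAL_RE.search(e[2])
            if m:
                proposals[m.group(1)] = parse_proposals(m.group(2))
    computed = select_proposal(proposals.get("received", []), proposals.get("configured", []))
    logged = proposals.get("selected", [None])[0]
    return {
        "computed_selection": computed,
        "logged_selection": logged,
        "selection_matches": computed == logged,
        "dh_group": dh_group(logged) if logged else None,
        "reauth_to_drop_seconds": [d for _, _, d in correlate_reauth_drops(log)],
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(analyze(SAMPLE_LOG))
```

Run on the Aug 24 lines, the modelled selection reproduces the logged one (AES-128/SHA-1 with MODP_1024, the seventh entry of the configured list and the first one the peer also offered; the peer's preferred MODP_2048 variant with AES-128 is not in the configured list at all), and the pppd echo timeout lands 122 seconds after the reauthentication. Running the same script over the Aug 27 log gives the same two-minute gap, which is what a practitioner would want to see before tuning lifetimes: the tunnel is not failing at the IKE layer, the PPP keepalive is timing out after the SA swap.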
Yes, I've also already decided that I need to contact them. I'll write the result here if the issue gets resolved.