
IPSec Virtual IP disconnects after an hour


Thanks for the 2.08 release, I had really been waiting for it. I updated, connected to the 5 GHz Wi-Fi, connected via IPSec Virtual IP, and after ~54 minutes of listening to radio (the screen was on the whole time) the connection dropped. Fortunately, the router no longer reboots. Here is a piece of the log:

Hidden text
Feb 18 18:05:00ipsec
15[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA1_96/#/#/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_MD5_96/#/#/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_MD5_96/#/#/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/#/#/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/#/#/NO_EXT_SEQ
Feb 18 18:05:00ipsec
15[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ
Feb 18 18:05:00ipsec
15[CFG] selected proposal: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ
Feb 18 18:05:00ipsec
15[IKE] received 3600s lifetime, configured 28800s
Feb 18 18:05:00ipsec
15[IKE] received 0 lifebytes, configured 21474836480
Feb 18 18:05:00ipsec
15[IKE] detected rekeying of CHILD_SA MyIPSec{3}
Feb 18 18:05:00ipsec
11[IKE] CHILD_SA MyIPSec{4} established with SPIs c40ffa46_i 0b6e290f_o and TS 0.0.0.0/0 === 192.168.2.1/32
Feb 18 18:05:00ndm
kernel: EIP93: build outbound ESP connection, [P0] (SPI=0b6e290f)
Feb 18 18:05:00ndm
kernel: EIP93: build outbound ESP connection, [P1] (SPI=0b6e290f)
Feb 18 18:05:00ndm
kernel: EIP93: build inbound ESP connection, [P0] (SPI=c40ffa46)
Feb 18 18:05:00ndm
kernel: EIP93: build inbound ESP connection, [P1] (SPI=c40ffa46)

 
Feb 18 18:10:46ndm
kernel: hrtimer: interrupt took 52623 ns
Feb 18 18:10:59ipsec
05[IKE] received NAT-T (RFC 3947) vendor ID
Feb 18 18:10:59ipsec
05[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Feb 18 18:10:59ipsec
05[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Feb 18 18:10:59ipsec
05[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Feb 18 18:10:59ipsec
05[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Feb 18 18:10:59ipsec
05[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Feb 18 18:10:59ipsec
05[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Feb 18 18:10:59ipsec
05[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 18 18:10:59ipsec
05[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Feb 18 18:10:59ipsec
05[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 18 18:10:59ipsec
05[IKE] received XAuth vendor ID
Feb 18 18:10:59ipsec
05[IKE] received Cisco Unity vendor ID
Feb 18 18:10:59ipsec
05[IKE] received FRAGMENTATION vendor ID
Feb 18 18:10:59ipsec
05[IKE] received DPD vendor ID
Feb 18 18:10:59ipsec
05[IKE] 192.168.1.26 is initiating a Main Mode IKE_SA
Feb 18 18:10:59ipsec
05[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048/#, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048/#, IKE:AES_CBC=256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048/#, IKE:AES_CBC=256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048/#, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536/#, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/#, IKE:AES_CBC=256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536/#, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:AES_CBC=256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024/#, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:AES_CBC=128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024/#, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024/#, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024/#
Feb 18 18:10:59ipsec
05[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#
Feb 18 18:10:59ipsec
05[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#
Feb 18 18:10:59ipsec
05[IKE] sending XAuth vendor ID
Feb 18 18:10:59ipsec
05[IKE] sending DPD vendor ID
Feb 18 18:10:59ipsec
05[IKE] sending Cisco Unity vendor ID
Feb 18 18:10:59ipsec
05[IKE] sending FRAGMENTATION vendor ID
Feb 18 18:10:59ipsec
05[IKE] sending NAT-T (RFC 3947) vendor ID
Feb 18 18:10:59ipsec
06[IKE] linked key for crypto map '(unnamed)' is not found, still searching
Feb 18 18:10:59ipsec
08[CFG] looking for XAuthInitPSK peer configs matching 11.222.33.444...192.168.1.26[192.168.1.26]
Feb 18 18:10:59ipsec
08[CFG] selected peer config "MyIPSec"
Feb 18 18:11:04ipsec
10[IKE] received DELETE for IKE_SA MyIPSec[3]
Feb 18 18:11:04ipsec
10[IKE] deleting IKE_SA MyIPSec[3] between 11.222.33.444[mykeenetic.net]...192.168.1.26[192.168.1.26]
Feb 18 18:11:04ndm
IpSec::Configurator: crypto map "MyIPSec": remote client "iphone7_ipsec" disconnected.
Feb 18 18:11:04ndm
IpSec::Configurator: removing unexisting client.
Feb 18 18:11:04ndm
IpSec::Configurator: crypto map "MyIPSec": remote client "iphone7_ipsec" disconnected.
Feb 18 18:11:04ndm
kernel: EIP93: release SPI c40ffa46
Feb 18 18:11:04ndm
kernel: EIP93: release SPI 0b6e290f
Feb 18 18:11:04ndm
kernel: EIP93: release SPI c229deac
Feb 18 18:11:04ndm
kernel: EIP93: release SPI 0b2752b6
Feb 18 18:11:04ipsec
10[CFG] lease 192.168.2.1 by 'iphone7_ipsec' went offline
Feb 18 18:11:05ndm
IpSec::IpSecNetfilter: start reloading netfilter configuration...
Feb 18 18:11:05ndm
IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Feb 18 18:11:07ipsec
11[IKE] sending retransmit 1 of request message ID 1484891311, seq 1
Feb 18 18:11:16ipsec
06[IKE] sending retransmit 2 of request message ID 1484891311, seq 1
Feb 18 18:11:25ipsec
13[IKE] sending retransmit 3 of request message ID 1484891311, seq 1
Feb 18 18:11:29ipsec
07[JOB] deleting half open IKE_SA after timeout


It repeats: at 18:31 I connected to IPSec, at 19:25 the connection dropped.

Hidden text
Feb 18 18:11:07ipsec
11[IKE] sending retransmit 1 of request message ID 1484891311, seq 1
Feb 18 18:11:16ipsec
06[IKE] sending retransmit 2 of request message ID 1484891311, seq 1
Feb 18 18:11:25ipsec
13[IKE] sending retransmit 3 of request message ID 1484891311, seq 1
Feb 18 18:11:29ipsec
07[JOB] deleting half open IKE_SA after timeout
Feb 18 18:16:20ndhcps
_WEBADMIN: DHCPDISCOVER received from 11:22:33:44:55:66.
Feb 18 18:16:20ndhcps
_WEBADMIN: making OFFER of 192.168.1.27 to 11:22:33:44:55:66.
Feb 18 18:16:20ndhcps
_WEBADMIN: DHCPREQUEST received (STATE_SELECTING) for 192.168.1.27 from 11:22:33:44:55:66.
Feb 18 18:16:21ndhcps
_WEBADMIN: sending ACK of 192.168.1.27 to 11:22:33:44:55:66.
Feb 18 18:31:28ipsec
15[IKE] received NAT-T (RFC 3947) vendor ID
Feb 18 18:31:28ipsec
15[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Feb 18 18:31:28ipsec
15[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Feb 18 18:31:28ipsec
15[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Feb 18 18:31:28ipsec
15[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Feb 18 18:31:28ipsec
15[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Feb 18 18:31:28ipsec
15[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Feb 18 18:31:28ipsec
15[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 18 18:31:28ipsec
15[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Feb 18 18:31:28ipsec
15[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 18 18:31:28ipsec
15[IKE] received XAuth vendor ID
Feb 18 18:31:28ipsec
15[IKE] received Cisco Unity vendor ID
Feb 18 18:31:28ipsec
15[IKE] received FRAGMENTATION vendor ID
Feb 18 18:31:28ipsec
15[IKE] received DPD vendor ID
Feb 18 18:31:28ipsec
15[IKE] 192.168.1.26 is initiating a Main Mode IKE_SA
Feb 18 18:31:28ipsec
15[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048/#, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048/#, IKE:AES_CBC=256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048/#, IKE:AES_CBC=256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048/#, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536/#, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/#, IKE:AES_CBC=256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536/#, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:AES_CBC=256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024/#, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:AES_CBC=128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024/#, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024/#, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024/#
Feb 18 18:31:28ipsec
15[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#
Feb 18 18:31:28ipsec
15[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#
Feb 18 18:31:28ipsec
15[IKE] sending XAuth vendor ID
Feb 18 18:31:28ipsec
15[IKE] sending DPD vendor ID
Feb 18 18:31:28ipsec
15[IKE] sending Cisco Unity vendor ID
Feb 18 18:31:28ipsec
15[IKE] sending FRAGMENTATION vendor ID
Feb 18 18:31:28ipsec
15[IKE] sending NAT-T (RFC 3947) vendor ID
Feb 18 18:31:28ipsec
11[IKE] linked key for crypto map '(unnamed)' is not found, still searching
Feb 18 18:31:28ipsec
16[CFG] looking for XAuthInitPSK peer configs matching 11.222.33.444...192.168.1.26[192.168.1.26]
Feb 18 18:31:28ipsec
16[CFG] selected peer config "MyIPSec"
Feb 18 18:31:28ipsec
07[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
Feb 18 18:31:28ipsec
07[IKE] XAuth authentication of 'iphone7_ipsec' successful
Feb 18 18:31:28ipsec
05[IKE] IKE_SA MyIPSec[5] established between 11.222.33.444[mykeenetic.net]...192.168.1.26[192.168.1.26]
Feb 18 18:31:28ipsec
05[IKE] scheduling reauthentication in 28776s
Feb 18 18:31:28ipsec
05[IKE] maximum IKE_SA lifetime 28796s
Feb 18 18:31:28ndm
IpSec::Configurator: crypto map "MyIPSec" active IKE SA: 1, active CHILD SA: 0.
Feb 18 18:31:28ipsec
06[IKE] peer requested virtual IP %any
Feb 18 18:31:28ipsec
06[CFG] reassigning offline lease to 'iphone7_ipsec'
Feb 18 18:31:28ipsec
06[IKE] assigning virtual IP 192.168.2.1 to peer 'iphone7_ipsec'
Feb 18 18:31:28ipsec
09[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA1_96/#/#/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_MD5_96/#/#/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_MD5_96/#/#/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/#/#/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/#/#/NO_EXT_SEQ
Feb 18 18:31:28ipsec
09[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ
Feb 18 18:31:28ipsec
09[CFG] selected proposal: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ
Feb 18 18:31:28ipsec
09[IKE] received 3600s lifetime, configured 28800s
Feb 18 18:31:28ipsec
09[IKE] received 0 lifebytes, configured 21474836480
Feb 18 18:31:28ipsec
12[IKE] CHILD_SA MyIPSec{5} established with SPIs cdf9637d_i 032dff81_o and TS 0.0.0.0/0 === 192.168.2.1/32
Feb 18 18:31:28ndm
IpSec::Configurator: crypto map "MyIPSec" is up: remote client "iphone7_ipsec" with IP "192.168.2.1" connected.
Feb 18 18:31:29ndm
IpSec::IpSecNetfilter: start reloading netfilter configuration...
Feb 18 18:31:29ndm
IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Feb 18 18:31:29ndm
kernel: EIP93: build inbound ESP connection, [P0] (SPI=cdf9637d)
Feb 18 18:31:29ndm
kernel: EIP93: build inbound ESP connection, [P1] (SPI=cdf9637d)
Feb 18 18:31:29ndm
kernel: EIP93: build outbound ESP connection, [P0] (SPI=032dff81)
Feb 18 18:31:29ndm
kernel: EIP93: build outbound ESP connection, [P1] (SPI=032dff81)
Feb 18 18:52:14wmond
WifiMaster1/AccessPoint0: (MT76x2) STA(b8:53:ac:17:6a:eb) set key done in WPA2/WPA2PSK.
Feb 18 19:03:39wmond
WifiMaster1/AccessPoint0: (MT76x2) STA(b8:53:ac:17:6a:eb) had been aged-out and disassociated.
Feb 18 19:19:29ipsec
16[CFG] received proposals: ESP:AES_CBC=256/HMAC_SHA1_96/#/#/NO_EXT_SEQ, ESP:AES_CBC=256/HMAC_MD5_96/#/#/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ, ESP:AES_CBC=128/HMAC_MD5_96/#/#/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/#/#/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_MD5_96/#/#/NO_EXT_SEQ
Feb 18 19:19:29ipsec
16[CFG] configured proposals: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ
Feb 18 19:19:29ipsec
16[CFG] selected proposal: ESP:AES_CBC=128/HMAC_SHA1_96/#/#/NO_EXT_SEQ
Feb 18 19:19:29ipsec
16[IKE] received 3600s lifetime, configured 28800s
Feb 18 19:19:29ipsec
16[IKE] received 0 lifebytes, configured 21474836480
Feb 18 19:19:29ipsec
16[IKE] detected rekeying of CHILD_SA MyIPSec{5}
Feb 18 19:19:29ipsec
07[IKE] CHILD_SA MyIPSec{6} established with SPIs c614a749_i 0a5ec9df_o and TS 0.0.0.0/0 === 192.168.2.1/32
Feb 18 19:19:29ndm
kernel: EIP93: build outbound ESP connection, [P0] (SPI=0a5ec9df)
Feb 18 19:19:29ndm
kernel: EIP93: build outbound ESP connection, [P1] (SPI=0a5ec9df)
Feb 18 19:19:29ndm
kernel: EIP93: build inbound ESP connection, [P0] (SPI=c614a749)
Feb 18 19:19:29ndm
kernel: EIP93: build inbound ESP connection, [P1] (SPI=c614a749)
Feb 18 19:21:01wmond
WifiMaster1/AccessPoint0: (MT76x2) STA(11:22:33:44:55:66) had associated successfully.
Feb 18 19:21:02wmond
WifiMaster1/AccessPoint0: (MT76x2) STA(11:22:33:44:55:66) set key done in WPA2/WPA2PSK.
Feb 18 19:23:05ndm
kernel: EIP93: PE ring[85] error: AUTH_ERR
Feb 18 19:25:28ipsec
10[IKE] received NAT-T (RFC 3947) vendor ID
Feb 18 19:25:28ipsec
10[IKE] received draft-ietf-ipsec-nat-t-ike vendor ID
Feb 18 19:25:28ipsec
10[IKE] received draft-ietf-ipsec-nat-t-ike-08 vendor ID
Feb 18 19:25:28ipsec
10[IKE] received draft-ietf-ipsec-nat-t-ike-07 vendor ID
Feb 18 19:25:28ipsec
10[IKE] received draft-ietf-ipsec-nat-t-ike-06 vendor ID
Feb 18 19:25:28ipsec
10[IKE] received draft-ietf-ipsec-nat-t-ike-05 vendor ID
Feb 18 19:25:28ipsec
10[IKE] received draft-ietf-ipsec-nat-t-ike-04 vendor ID
Feb 18 19:25:28ipsec
10[IKE] received draft-ietf-ipsec-nat-t-ike-03 vendor ID
Feb 18 19:25:28ipsec
10[IKE] received draft-ietf-ipsec-nat-t-ike-02 vendor ID
Feb 18 19:25:28ipsec
10[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 18 19:25:28ipsec
10[IKE] received XAuth vendor ID
Feb 18 19:25:28ipsec
10[IKE] received Cisco Unity vendor ID
Feb 18 19:25:28ipsec
10[IKE] received FRAGMENTATION vendor ID
Feb 18 19:25:28ipsec
10[IKE] received DPD vendor ID
Feb 18 19:25:28ipsec
10[IKE] 192.168.1.26 is initiating a Main Mode IKE_SA
Feb 18 19:25:28ipsec
10[CFG] received proposals: IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048/#, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048/#, IKE:AES_CBC=256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_2048/#, IKE:AES_CBC=256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_2048/#, IKE:AES_CBC=256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536/#, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536/#, IKE:AES_CBC=256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1536/#, IKE:AES_CBC=256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:AES_CBC=256/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024/#, IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:AES_CBC=128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024/#, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024/#, IKE:DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#, IKE:DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024/#
Feb 18 19:25:28ipsec
10[CFG] configured proposals: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#
Feb 18 19:25:28ipsec
10[CFG] selected proposal: IKE:AES_CBC=128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024/#
Feb 18 19:25:28ipsec
10[IKE] sending XAuth vendor ID
Feb 18 19:25:28ipsec
10[IKE] sending DPD vendor ID
Feb 18 19:25:28ipsec
10[IKE] sending Cisco Unity vendor ID
Feb 18 19:25:28ipsec
10[IKE] sending FRAGMENTATION vendor ID
Feb 18 19:25:28ipsec
10[IKE] sending NAT-T (RFC 3947) vendor ID
Feb 18 19:25:28ipsec
13[IKE] linked key for crypto map '(unnamed)' is not found, still searching
Feb 18 19:25:28ipsec
15[CFG] looking for XAuthInitPSK peer configs matching 11.222.33.44...192.168.1.26[192.168.1.26]
Feb 18 19:25:28ipsec
15[CFG] selected peer config "MyIPSec"
Feb 18 19:25:34ipsec
16[IKE] received DELETE for IKE_SA MyIPSec[5]
Feb 18 19:25:34ipsec
16[IKE] deleting IKE_SA MyIPSec[5] between 11.222.33.444[mykeenetic.net]...192.168.1.26[192.168.1.26]
Feb 18 19:25:34ndm
IpSec::Configurator: crypto map "MyIPSec": remote client "iphone7_ipsec" disconnected.
Feb 18 19:25:34ndm
IpSec::Configurator: removing unexisting client.
Feb 18 19:25:34ndm
IpSec::Configurator: crypto map "MyIPSec": remote client "iphone7_ipsec" disconnected.
Feb 18 19:25:34ndm
kernel: EIP93: release SPI c614a749
Feb 18 19:25:34ndm
kernel: EIP93: release SPI 0a5ec9df
Feb 18 19:25:34ndm
kernel: EIP93: release SPI cdf9637d
Feb 18 19:25:34ndm
kernel: EIP93: release SPI 032dff81
Feb 18 19:25:34ipsec
16[CFG] lease 192.168.2.1 by 'iphone7_ipsec' went offline
Feb 18 19:25:34ndm
IpSec::IpSecNetfilter: start reloading netfilter configuration...
Feb 18 19:25:34ndm
IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Feb 18 19:25:36ipsec
05[IKE] sending retransmit 1 of request message ID 518658586, seq 1
Feb 18 19:25:45ipsec
13[IKE] sending retransmit 2 of request message ID 518658586, seq 1
Feb 18 19:25:55ipsec
05[IKE] sending retransmit 3 of request message ID 518658586, seq 1
Feb 18 19:25:58ipsec
12[JOB] deleting half open IKE_SA after timeout
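
The pattern visible in this log (the peer rekeys the CHILD_SA, then at about 54 minutes starts a fresh Main Mode exchange that never completes, after which the old IKE_SA is deleted) can be pulled out mechanically. The Python below is an added example, not part of the post or of the Keenetic firmware; it re-joins the forum's split two-line log entries and measures each step from the IKE_SA establishment, run over a constructed excerpt of the log above.

```python
import re
from datetime import datetime

# Constructed excerpt of the thread's log in its two-line layout: timestamp fused
# with the process name on one line, the message on the next.
SAMPLE_LOG = """\
Feb 18 18:31:28ipsec
05[IKE] IKE_SA MyIPSec[5] established between 11.222.33.444[mykeenetic.net]...192.168.1.26[192.168.1.26]
Feb 18 19:19:29ipsec
16[IKE] detected rekeying of CHILD_SA MyIPSec{5}
Feb 18 19:25:28ipsec
10[IKE] 192.168.1.26 is initiating a Main Mode IKE_SA
Feb 18 19:25:34ipsec
16[IKE] received DELETE for IKE_SA MyIPSec[5]
Feb 18 19:25:58ipsec
12[JOB] deleting half open IKE_SA after timeout
"""

HEADER = re.compile(r"^([A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)([a-z_]+)$")
# Message patterns that show who drove each step of the IKEv1 session.
EVENTS = [("ike_sa_up", r"IKE_SA \S+ established"),
          ("peer_rekey", r"detected rekeying of CHILD_SA"),
          ("peer_reauth", r"is initiating a Main Mode IKE_SA"),
          ("peer_delete", r"received DELETE for IKE_SA"),
          ("reauth_timeout", r"deleting half open IKE_SA after timeout")]

def parse_entries(text):
    """Re-join each 'timestamp+process' header with the message line after it."""
    entries, header = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            header = m
        elif header is not None and line.strip():
            ts = datetime.strptime(header.group(1), "%b %d %H:%M:%S")
            entries.append((ts, header.group(2), line.strip()))
            header = None
    return entries

def timeline(text):
    """(elapsed_seconds, event, message) for recognised ipsec messages, from the first IKE_SA."""
    t0, out = None, []
    for ts, proc, msg in parse_entries(text):
        kind = next((k for k, p in EVENTS if proc == "ipsec" and re.search(p, msg)), None)
        if kind is None:
            continue
        if kind == "ike_sa_up" and t0 is None:
            t0 = ts
        out.append((int((ts - t0).total_seconds()) if t0 else None, kind, msg))
    return out

def diagnose(text):
    """Who rekeyed, when the peer tried to re-authenticate, and whether it finished."""
    tl = timeline(text)
    first = lambda kind: next((e for e, k, _ in tl if k == kind), None)
    rekey_at, reauth_at, delete_at = first("peer_rekey"), first("peer_reauth"), first("peer_delete")
    # A new IKE_SA after the peer's Main Mode attempt would mean the reauth succeeded.
    done = reauth_at is not None and any(k == "ike_sa_up" and e > reauth_at for e, k, _ in tl)
    return {"session_seconds": delete_at,
            "peer_rekeyed_first": rekey_at is not None and (delete_at is None or rekey_at < delete_at),
            "reauth_attempted_at": reauth_at, "reauth_completed": done,
            "reauth_timed_out": first("reauth_timeout") is not None}
```

On the excerpt, `diagnose(SAMPLE_LOG)` reports a 3246 s session in which the peer rekeyed at 2881 s, attempted a reauth at 3240 s and never completed it.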


Odd, actually: it turns out that iOS itself first performs the rekey and then tears down the connection itself.

These things may be related:
https://wiki.strongswan.org/issues/2090

A new strongswan version with this patch is due at the end of February; we will add it to 2.09 and check.


@Le ecureuil the main thing is that I reported it and you took note. Just in case: iPhone 7, iOS 10.2.1 (14D27), which is the latest official release. Should I create a ticket in SD and reference this topic?


17 hours ago, JIABP said:

@Le ecureuil the main thing is that I reported it and you took note. Just in case: iPhone 7, iOS 10.2.1 (14D27), which is the latest official release. Should I create a ticket in SD and reference this topic?

Try submitting one.


I tried connecting from a Windows 10 laptop: everything works correctly, the connection lasted about 1 hour 2 minutes, then I disconnected manually. In short, the Windows client does not drop automatically after 55 minutes and everything works correctly.


If we are talking about iOS or macOS with its buggy racoon, the problem is that they cannot do a reauth if the server initiates it, and reauth is mandatory for IKEv1.

Only if they initiate it themselves. And the lifetime is hard-wired at 3600 seconds.

For Apple you have to configure strongswan so that the server itself never initiates reauth or rekey.

 

Roughly like this (a piece of config that cost a lot of effort: long debugging, digging through the sources and correspondence with the strongswan authors):

 

    ikelifetime=70m
    lifetime=70m
    rekeyfuzz=0%
    margintime=5m

 

With authentication by PSK or certificate only, without XAuth, it will work. If you additionally set up XAuth with a password, it still won't work. Apple products do not keep the login/password in memory and are NOT able to ask the user for it again.

 


2 hours ago, gaaronk said:

If we are talking about iOS or macOS with its buggy racoon, the problem is that they cannot do a reauth if the server initiates it, and reauth is mandatory for IKEv1.

Only if they initiate it themselves. And the lifetime is hard-wired at 3600 seconds.

For Apple you have to configure strongswan so that the server itself never initiates reauth or rekey.

 

Roughly like this (a piece of config that cost a lot of effort: long debugging, digging through the sources and correspondence with the strongswan authors):

 

    ikelifetime=70m
    lifetime=70m
    rekeyfuzz=0%
    margintime=5m

 

With authentication by PSK or certificate only, without XAuth, it will work. If you additionally set up XAuth with a password, it still won't work. Apple products do not keep the login/password in memory and are NOT able to ask the user for it again.

 

Thanks for the interesting observations, we will take them into account.


25 minutes ago, Le ecureuil said:

Thanks for the interesting observations, we will take them into account.

And one more thing. If you set the lifetime to something large, say a day, strongswan does not close CHILD_SAs that are no longer in use until their timeout expires. So 70 minutes was chosen "for tidiness", so that swan promptly closes everything that is no longer needed.
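
To see why ikelifetime=70m / lifetime=70m / margintime=5m / rekeyfuzz=0% satisfies both the requirement from the post above (the server must never initiate reauth or rekey before the client) and the point here (lifetimes short enough that stale CHILD_SAs are closed promptly), the timer arithmetic can be worked through. The Python below is an added example, not from the thread or from strongSwan itself; it applies the ipsec.conf semantics of lifetime, margintime and rekeyfuzz (the attempt starts margintime, randomly inflated by up to rekeyfuzz, before expiry) and compares the resulting server-side window with the 3600 s client lifetime stated in the thread. The stock defaults (3h / 1h / 9m / 100%) used for comparison are assumed from strongSwan's ipsec.conf documentation.

```python
import re

# ipsec.conf time values: bare numbers are seconds; s/m/h/d suffixes are accepted.
_UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_time(value):
    """'70m' -> 4200, '3h' -> 10800, '3600' -> 3600."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd]?)\s*", str(value))
    if not m:
        raise ValueError(f"bad time value: {value!r}")
    return int(m.group(1)) * _UNIT[m.group(2)]

def parse_percent(value):
    """'0%' -> 0.0, '100%' -> 1.0."""
    return int(str(value).rstrip("%")) / 100.0

def rekey_window(lifetime, margintime, rekeyfuzz):
    """Earliest and latest seconds after SA setup at which strongSwan itself would
    start a rekey/reauth: margintime is randomly inflated by up to rekeyfuzz
    percent, and the attempt starts that far before the lifetime expires."""
    life, margin, fuzz = parse_time(lifetime), parse_time(margintime), parse_percent(rekeyfuzz)
    if margin * (1 + fuzz) > life:
        raise ValueError("margintime after randomisation exceeds lifetime")
    return life - int(margin * (1 + fuzz)), life - margin

def server_stays_passive(lifetime, margintime, rekeyfuzz, client_lifetime="3600"):
    """True when even the earliest server-side attempt lands after the client's
    own lifetime, so the client (iOS, 3600 s per the thread) always goes first."""
    earliest, _ = rekey_window(lifetime, margintime, rekeyfuzz)
    return earliest > parse_time(client_lifetime)

def check_profile(ikelifetime, lifetime, margintime, rekeyfuzz, client_lifetime="3600"):
    """Evaluate both the IKE_SA (reauth) and CHILD_SA (rekey) timers of a profile."""
    ike = rekey_window(ikelifetime, margintime, rekeyfuzz)
    child = rekey_window(lifetime, margintime, rekeyfuzz)
    passive = (server_stays_passive(ikelifetime, margintime, rekeyfuzz, client_lifetime)
               and server_stays_passive(lifetime, margintime, rekeyfuzz, client_lifetime))
    return {"ike_window_s": ike, "child_window_s": child, "client_initiates_first": passive}

# The profile from the thread: 70 min on both SAs, 5 min margin, no randomisation.
THREAD_PROFILE = dict(ikelifetime="70m", lifetime="70m", margintime="5m", rekeyfuzz="0%")
# strongSwan's stock ipsec.conf defaults (assumed from its documentation), for comparison.
DEFAULT_PROFILE = dict(ikelifetime="3h", lifetime="1h", margintime="9m", rekeyfuzz="100%")

if __name__ == "__main__":
    for name, prof in (("thread", THREAD_PROFILE), ("defaults", DEFAULT_PROFILE)):
        print(name, check_profile(**prof))
    # Shaving the lifetime to the client's own 60 min flips the outcome (3600-300 = 3300 s):
    # the server would reauth first, and the Apple client cannot answer the XAuth prompt.
    print("60m", check_profile("60m", "60m", "5m", "0%"))
```

With the thread's profile the server's window is a fixed 3900 s on both SAs, 300 s after the client's 3600 s; with the stock defaults the CHILD_SA rekey would start between 2520 s and 3060 s, i.e. the server would go first.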
