
Multiple IPSec tunnels do not get along well together



@Le ecureuil Good evening,

Given: a bunch of IPIP over IPSec IKEv2 tunnels.

The server is on a KN1010, and various clients connect to it.

Periodically it starts "storming": a client reconnecting causes another tunnel to be reset, and so on in a circle.

In the log it looks roughly like this:


[E] Jun  4 20:12:41 ndm: IpSec::Configurator: crypto map "IPIP7" is appeared down.
Jun  4 20:12:41 ndm: IpSec::Configurator: "IPIP7": crypto map active IKE SA: 0, active CHILD SA: 0.
Jun  4 20:12:41 ndm: Network::Interface::SecureIPTunnel: "IPIP7": IPsec layer is down, shutdown tunnel layer.
Jun  4 20:12:41 ndm: Network::Interface::SecureIPTunnel: "IPIP7": secured tunnel is down.
Jun  4 20:12:41 ndm: IpSec::Manager: IP secure connection "IPIP7" was stopped.
Jun  4 20:12:41 ndm: kernel: Disable SMB fastpath
Jun  4 20:12:41 ndm: kernel: Enable SMB fastpath for 10.0.1.1/255.255.255.0
Jun  4 20:12:41 ndm: kernel: Enable SMB fastpath for 172.45.4.1/255.255.255.0
Jun  4 20:12:41 ndm: kernel: Enable SMB fastpath for 172.45.8.1/255.255.255.0
Jun  4 20:12:41 ndm: kernel: Enable SMB fastpath for 172.45.9.1/255.255.255.0
Jun  4 20:12:41 ndm: kernel: Enable SMB fastpath for 192.168.1.1/255.255.255.0
Jun  4 20:12:43 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
Jun  4 20:12:43 ndm: IpSec::Manager: add config for crypto map "VPNL2TPServer".
Jun  4 20:12:43 ndm: IpSec::Manager: add config for crypto map "IPIP4".
Jun  4 20:12:43 ndm: IpSec::Manager: add config for crypto map "IPIP7".
Jun  4 20:12:43 ndm: IpSec::Manager: add config for crypto map "IPIP8".
Jun  4 20:12:43 ndm: IpSec::Manager: add config for crypto map "IPIP9".
Jun  4 20:12:43 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
Jun  4 20:12:43 ndm: IpSec::Configurator: start applying IPsec configuration.
Jun  4 20:12:43 ndm: IpSec::Configurator: IPsec configuration applying is done.
Jun  4 20:12:43 ndm: IpSec::Configurator: crypto map "IPIP4" shutdown started.
Jun  4 20:12:43 ipsec: 14[CFG] received stroke: unroute 'IPIP4'
Jun  4 20:12:43 ipsec: 16[CFG] received stroke: terminate 'IPIP4{*}'
Jun  4 20:12:43 ipsec: 09[IKE] closing CHILD_SA IPIP4{282} with SPIs c42b497b_i (0 bytes) ca10af22_o (0 bytes) and TS 178.234.218.141/32[ipencap] === 176.59.33.77/32[ipencap]
Jun  4 20:12:43 ipsec: 09[IKE] sending DELETE for ESP CHILD_SA with SPI c42b497b
Jun  4 20:12:43 ipsec: 11[CFG] received stroke: terminate 'IPIP4[*]'
Jun  4 20:12:43 ndm: IpSec::Configurator: crypto map "IPIP4" shutdown complete.
Jun  4 20:12:43 ndm: IpSec::Configurator: crypto map "IPIP7" shutdown started.
Jun  4 20:12:43 ipsec: 13[CFG] received stroke: unroute 'IPIP7'
Jun  4 20:12:43 ipsec: 08[CFG] received stroke: terminate 'IPIP7{*}'
Jun  4 20:12:43 ipsec: 08[CFG] no CHILD_SA named 'IPIP7' found
Jun  4 20:12:44 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
Jun  4 20:12:44 ipsec: 14[CFG] received stroke: terminate 'IPIP7[*]'
Jun  4 20:12:44 ipsec: 14[CFG] no IKE_SA named 'IPIP7' found
Jun  4 20:12:44 ndm: IpSec::Configurator: crypto map "IPIP7" shutdown complete.
Jun  4 20:12:44 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Jun  4 20:12:44 ndm: IpSec::Configurator: crypto map "IPIP8" shutdown started.
Jun  4 20:12:44 ipsec: 06[CFG] received stroke: unroute 'IPIP8'
Jun  4 20:12:44 ipsec: 07[CFG] received stroke: terminate 'IPIP8{*}'

A reset of IPIP7 leads to a reset of the live IPIP4 and IPIP8.

This can go on for quite a long time (up to several hours), then it settles down.

Can this be fixed somehow?

As an example, self-tests from the server and a couple of clients.

Edited by r13
  • Upvote 1
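
The cascade described in the post can be confirmed from a saved log by checking, for each IPsec reconfiguration transaction, whether it closed a CHILD_SA of a crypto map other than the one that was reported down. This is an added example, not part of the original post or the router firmware; the function name and the sample log (constructed in the format quoted above) are assumptions.

```python
import re

# Patterns taken from the log lines quoted in the post.
DOWN = re.compile(r'crypto map "([^"]+)" is appeared down')
TXN = re.compile(r'(\w{3}\s+\d+ [\d:]{8}) .*create IPsec reconfiguration transaction')
CLOSE = re.compile(r'closing CHILD_SA ([^\s{]+)\{\d+\}')

# Constructed sample in the same format (SPIs and second event are made up).
SAMPLE_LOG = """\
[E] Jun  4 20:12:41 ndm: IpSec::Configurator: crypto map "IPIP7" is appeared down.
Jun  4 20:12:43 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
Jun  4 20:12:43 ipsec: 09[IKE] closing CHILD_SA IPIP4{282} with SPIs 11111111_i (0 bytes) 22222222_o (0 bytes)
Jun  4 20:12:43 ipsec: 08[CFG] no CHILD_SA named 'IPIP7' found
Jun  4 20:12:44 ipsec: 07[IKE] closing CHILD_SA IPIP8{283} with SPIs 33333333_i (0 bytes) 44444444_o (0 bytes)
Jun  4 20:30:00 ndm: IpSec::Configurator: crypto map "IPIP9" is appeared down.
Jun  4 20:30:02 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
Jun  4 20:30:02 ipsec: 08[CFG] no CHILD_SA named 'IPIP9' found
"""

def find_collateral_resets(log_text):
    """Return the reconfiguration transactions that closed a live CHILD_SA
    of a crypto map other than the one(s) reported down just before."""
    events, pending, current = [], set(), None
    for line in log_text.splitlines():
        if m := DOWN.search(line):
            # Remember which map dropped; it becomes the next trigger.
            pending.add(m.group(1))
        elif m := TXN.search(line):
            current = {"time": m.group(1), "trigger": sorted(pending),
                       "collateral": []}
            events.append(current)
            pending = set()
        elif current and (m := CLOSE.search(line)):
            name = m.group(1)
            # A closed SA whose map did not trigger the transaction
            # was alive and got reset as a side effect.
            if name not in current["trigger"] and name not in current["collateral"]:
                current["collateral"].append(name)
    return [e for e in events if e["collateral"]]

if __name__ == "__main__":
    for e in find_collateral_resets(SAMPLE_LOG):
        print(f'{e["time"]}: {e["trigger"]} down -> also reset {e["collateral"]}')
```

Counting the returned events per hour gives a simple measure of how long a "storm" lasted.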