Периодически падает канал ipsec
-
Добрый день!
Есть 2 территориально удаленных офиса, в каждой из них стоит pfsence 2.2.6, канал IPsec сеть - сеть настроен и работает. Раза 2-3 в сутки тоннель падает, помогает подняться тоннелю перезагрузка Reboot. А бывает дни когда и не падает канал ipsec. Вот часть логов момент очередного падения туннеля. Помогите, как можно решить проблему?
Настройки ipsec во вложении.
Feb 16 13:59:45 ipsec_starter[34042]:
Feb 16 13:59:45 ipsec_starter[34042]: 'con1000' routed
Feb 16 13:59:45 charon: 11[CFG] received stroke: route 'con1000'
Feb 16 13:59:45 charon: 12[CFG] added configuration 'con1000'
Feb 16 13:59:45 charon: 12[CFG] received stroke: add connection 'con1000'
Feb 16 13:59:45 charon: 11[CFG] deleted connection 'con1000'
Feb 16 13:59:45 charon: 11[CFG] received stroke: delete connection 'con1000'
Feb 16 13:59:45 ipsec_starter[34042]:
Feb 16 13:59:45 charon: 12[CFG] received stroke: unroute 'con1000'
Feb 16 13:59:45 charon: 11[CFG] rereading crls from '/var/etc/ipsec/ipsec.d/crls'
Feb 16 13:59:45 charon: 11[CFG] rereading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Feb 16 13:59:45 charon: 11[CFG] rereading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Feb 16 13:59:45 charon: 11[CFG] rereading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Feb 16 13:59:45 charon: 11[CFG] rereading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Feb 16 13:59:45 charon: 11[CFG] loaded IKE secret for %any 195.208.147.130
Feb 16 13:59:45 charon: 11[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Feb 16 13:59:45 charon: 11[CFG] rereading secrets
Feb 16 13:59:42 charon: 12[NET] <con1000|1>sending packet: from 92.125.153.114[500] to 195.208.147.130[500] (84 bytes)
Feb 16 13:59:42 charon: 12[ENC] <con1000|1>generating INFORMATIONAL_V1 request 3153188270 [ HASH N(DPD_ACK) ]
Feb 16 13:59:42 charon: 12[ENC] <con1000|1>parsed INFORMATIONAL_V1 request 12227133 [ HASH N(DPD) ]
Feb 16 13:59:42 charon: 12[NET] <con1000|1>received packet: from 195.208.147.130[500] to 92.125.153.114[500] (84 bytes)
Feb 16 13:59:32 charon: 12[NET] <con1000|1>sending packet: from 92.125.153.114[500] to 195.208.147.130[500] (84 bytes)
Feb 16 13:59:32 charon: 12[ENC] <con1000|1>generating INFORMATIONAL_V1 request 2600896587 [ HASH N(DPD_ACK) ]
Feb 16 13:59:32 charon: 12[ENC] <con1000|1>parsed INFORMATIONAL_V1 request 3532844901 [ HASH N(DPD) ]
Feb 16 13:59:32 charon: 12[NET] <con1000|1>received packet: from 195.208.147.130[500] to 92.125.153.114[500] (84 bytes)
Feb 16 13:59:22 charon: 12[IKE] <con1000|1>CHILD_SA con1000{3} established with SPIs c532637b_i c25c12c9_o and TS 192.168.1.0/24|/0 === 192.168.5.0/24|/0
Feb 16 13:59:22 charon: 12[ENC] <con1000|1>parsed QUICK_MODE request 2286312687 [ HASH ]
Feb 16 13:59:22 charon: 12[NET] <con1000|1>received packet: from 195.208.147.130[500] to 92.125.153.114[500] (52 bytes)
Feb 16 13:59:22 charon: 12[NET] <con1000|1>sending packet: from 92.125.153.114[500] to 195.208.147.130[500] (172 bytes)
Feb 16 13:59:22 charon: 12[ENC] <con1000|1>generating QUICK_MODE response 2286312687 [ HASH SA No ID ID ]
Feb 16 13:59:22 charon: 12[IKE] <con1000|1>detected rekeying of CHILD_SA con1000{2}
Feb 16 13:59:22 charon: 12[ENC] <con1000|1>parsed QUICK_MODE request 2286312687 [ HASH SA No ID ID ]
Feb 16 13:59:22 charon: 12[NET] <con1000|1>received packet: from 195.208.147.130[500] to 92.125.153.114[500] (172 bytes)
Feb 16 13:59:18 charon: 12[IKE] <con1000|1>CHILD_SA con1000{2} established with SPIs c13d4043_i c449ca02_o and TS 192.168.1.0/24|/0 === 192.168.5.0/24|/0
Feb 16 13:59:18 charon: 12[ENC] <con1000|1>parsed QUICK_MODE request 3351537976 [ HASH ]
Feb 16 13:59:18 charon: 12[NET] <con1000|1>received packet: from 195.208.147.130[500] to 92.125.153.114[500] (52 bytes)
Feb 16 13:59:18 charon: 12[NET] <con1000|1>sending packet: from 92.125.153.114[500] to 195.208.147.130[500] (172 bytes)
Feb 16 13:59:18 charon: 12[ENC] <con1000|1>generating QUICK_MODE response 3351537976 [ HASH SA No ID ID ]
Feb 16 13:59:18 charon: 12[ENC] <con1000|1>parsed QUICK_MODE request 3351537976 [ HASH SA No ID ID ]
Feb 16 13:59:18 charon: 12[NET] <con1000|1>received packet: from 195.208.147.130[500] to 92.125.153.114[500] (172 bytes)
Feb 16 13:59:18 charon: 12[NET] <con1000|1>sending packet: from 92.125.153.114[500] to 195.208.147.130[500] (68 bytes)
Feb 16 13:59:18 charon: 12[ENC] <con1000|1>generating ID_PROT response 0 [ ID HASH ]
Feb 16 13:59:18 charon: 12[IKE] <con1000|1>maximum IKE_SA lifetime 28338s
Feb 16 13:59:18 charon: 12[IKE] <con1000|1>scheduling reauthentication in 27798s
Feb 16 13:59:18 charon: 12[IKE] <con1000|1>IKE_SA con1000[1] established between 92.125.153.114[92.125.153.114]…195.208.147.130[195.208.147.130]
Feb 16 13:59:18 charon: 12[CFG] <1> selected peer config "con1000"
Feb 16 13:59:18 charon: 12[CFG] <1> looking for pre-shared key peer configs matching 92.125.153.114…195.208.147.130[195.208.147.130]
Feb 16 13:59:18 charon: 12[ENC] <1> parsed ID_PROT request 0 [ ID HASH ]
Feb 16 13:59:18 charon: 12[NET] <1> received packet: from 195.208.147.130[500] to 92.125.153.114[500] (68 bytes)
Feb 16 13:59:18 charon: 14[NET] <1> sending packet: from 92.125.153.114[500] to 195.208.147.130[500] (236 bytes)
Feb 16 13:59:18 charon: 14[ENC] <1> generating ID_PROT response 0 [ KE No NAT-D NAT-D ]
Feb 16 13:59:18 charon: 14[ENC] <1> parsed ID_PROT request 0 [ KE No NAT-D NAT-D ]
Feb 16 13:59:18 charon: 14[NET] <1> received packet: from 195.208.147.130[500] to 92.125.153.114[500] (236 bytes)
Feb 16 13:59:18 charon: 14[NET] <1> sending packet: from 92.125.153.114[500] to 195.208.147.130[500] (176 bytes)
Feb 16 13:59:18 charon: 14[ENC] <1> generating ID_PROT response 0 [ SA V V V V V ]
Feb 16 13:59:18 charon: 14[IKE] <1> 195.208.147.130 is initiating a Main Mode IKE_SA
Feb 16 13:59:18 charon: 14[IKE] <1> received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Feb 16 13:59:18 charon: 14[IKE] <1> received NAT-T (RFC 3947) vendor ID
Feb 16 13:59:18 charon: 14[IKE] <1> received FRAGMENTATION vendor ID
Feb 16 13:59:18 charon: 14[IKE] <1> received Cisco Unity vendor ID
Feb 16 13:59:18 charon: 14[IKE] <1> received DPD vendor ID
Feb 16 13:59:18 charon: 14[IKE] <1> received XAuth vendor ID
Feb 16 13:59:18 charon: 14[ENC] <1> parsed ID_PROT request 0 [ SA V V V V V V ]
Feb 16 13:59:13 ipsec_starter[34042]:
Feb 16 13:59:13 ipsec_starter[34042]: 'con1000' routed
Feb 16 13:59:13 charon: 14[CFG] received stroke: route 'con1000'
Feb 16 13:59:13 charon: 16[CFG] added configuration 'con1000'
Feb 16 13:59:13 charon: 16[CFG] received stroke: add connection 'con1000'
Feb 16 13:59:13 ipsec_starter[34042]: charon (34065) started after 280 ms
Feb 16 13:59:13 charon: 00[JOB] spawning 16 worker threads
Feb 16 13:59:13 charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock unity
Feb 16 13:59:13 charon: 00[CFG] loaded 0 RADIUS server configurations
Feb 16 13:59:13 charon: 00[CFG] opening triplet file /var/etc/ipsec/ipsec.d/triplets.dat failed: No such file or directory
Feb 16 13:59:13 charon: 00[CFG] loaded IKE secret for %any 195.208.147.130
Feb 16 13:59:13 charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Feb 16 13:59:13 charon: 00[CFG] loading crls from '/var/etc/ipsec/ipsec.d/crls'
Feb 16 13:59:13 charon: 00[CFG] loading attribute certificates from '/var/etc/ipsec/ipsec.d/acerts'
Feb 16 13:59:13 charon: 00[CFG] loading ocsp signer certificates from '/var/etc/ipsec/ipsec.d/ocspcerts'
Feb 16 13:59:13 charon: 00[CFG] loading aa certificates from '/var/etc/ipsec/ipsec.d/aacerts'
Feb 16 13:59:13 charon: 00[CFG] loading ca certificates from '/var/etc/ipsec/ipsec.d/cacerts'
Feb 16 13:59:13 charon: 00[CFG] ipseckey plugin is disabled
Feb 16 13:59:12 charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Feb 16 13:59:12 charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Feb 16 13:59:12 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, FreeBSD 10.1-RELEASE-p25, i386)
Feb 16 13:59:12 ipsec_starter[33536]: no known IPsec stack detected, ignoring!
Feb 16 13:59:12 ipsec_starter[33536]: no KLIPS IPsec stack detected
Feb 16 13:59:12 ipsec_starter[33536]: no netkey IPsec stack detected
Feb 16 13:59:12 ipsec_starter[33536]: Starting strongSwan 5.3.5 IPsec [starter]…
Feb 16 13:57:51 charon: 08[ENC] <con1000|3>parsed INFORMATIONAL_V1 request 1593844505 [ HASH N(DPD_ACK) ]
Feb 16 13:57:51 charon: 08[NET] <con1000|3>received packet: from 195.208.147.130[500] to 92.125.153.114[500] (84 bytes)
Feb 16 13:57:51 charon: 08[NET] <con1000|3>sending packet: from 92.125.153.114[500] to 195.208.147.130[500] (84 bytes)
Feb 16 13:57:51 charon: 08[ENC] <con1000|3>generating INFORMATIONAL_V1 request 395834558 [ HASH N(DPD_ACK) ]
Feb 16 13:57:51 charon: 08[ENC] <con1000|3>parsed INFORMATIONAL_V1 request 1888211790 [ HASH N(DPD) ]
Feb 16 13:57:51 charon: 08[NET] <con1000|3>received packet: from 195.208.147.130[500] to 92.125.153.114[500] (84 bytes)
Feb 16 13:57:51 charon: 08[NET] <con1000|3>sending packet: from 92.125.153.114[500] to 195.208.147.130[500] (84 bytes)
Feb 16 13:57:51 charon: 08[ENC] <con1000|3>generating INFORMATIONAL_V1 request 2259044384 [ HASH N(DPD) ]
Feb 16 13:57:51 charon: 08[IKE] <con1000|3>sending DPD request
Feb 16 13:57:43 charon: 10[KNL] <con1000|3>unable to query SAD entry with SPI c3a661a7: No such file or directory (2)
Feb 16 13:57:41 charon: 07[NET] <con1000|1>sending packet: from 92.125.153.114[500] to 195.208.147.130[500] (84 bytes)
Feb 16 13:57:41 charon: 07[ENC] <con1000|1>generating INFORMATIONAL_V1 request 1688437574 [ HASH D ]
Feb 16 13:57:41 charon: 07[IKE] <con1000|1>sending DELETE for IKE_SA con1000[1]
Feb 16 13:57:41 charon: 07[IKE] <con1000|1>deleting IKE_SA con1000[1] between 92.125.153.114[92.125.153.114]…195.208.147.130[195.208.147.130]
Feb 16 13:57:41 charon: 08[NET] <con1000|3>sending packet: from 92.125.153.114[500] to 195.208.147.130[500] (84 bytes)
Feb 16 13:57:41 charon: 08[ENC] <con1000|3>generating INFORMATIONAL_V1 request 3552771533 [ HASH N(DPD_ACK) ]
Feb 16 13:57:41 charon: 08[ENC] <con1000|3>parsed INFORMATIONAL_V1 request 2470768186 [ HASH N(DPD) ]
Feb 16 13:57:41 charon: 08[NET] <con1000|3>received packet: from 195.208.147.130[500] to 92.125.153.114[500] (84 bytes)
Feb 16 13:57:40 charon: 08[NET] <con1000|1>sending packet: from 92.125.153.114[500] to 195.208.147.130[500] (84 bytes)
Feb 16 13:57:40 charon: 08[ENC] <con1000|1>generating INFORMATIONAL_V1 request 3672267382 [ HASH N(DPD) ]
Feb 16 13:57:40 charon: 08[IKE] <con1000|1>sending DPD request
Feb 16 13:57:33 charon: 01[KNL] <con1000|3>unable to query SAD entry with SPI c3a661a7: No such file or directory (2)
Feb 16 13:57:31 charon: 12[KNL] <con1000|3>unable to query SAD entry with SPI c3a661a7: No such file or directory (2)
Feb 16 13:57:31 charon: 12[IKE] <con1000|3>CHILD_SA con1000{4} established with SPIs ce17f6
</con1000|3></con1000|3></con1000|3></con1000|1></con1000|1></con1000|1></con1000|3></con1000|3></con1000|3></con1000|3></con1000|1></con1000|1></con1000|1></con1000|1></con1000|3></con1000|3></con1000|3></con1000|3></con1000|3></con1000|3></con1000|3></con1000|3></con1000|3></con1000|3></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1></con1000|1> -
Доброе.
По тому, что нашлось по фразе unable to query SAD entry with SPI в гугле - это проблема со strongswan.
В кач-ве решения - обновиться до 2.3.х или проще и лучше - исп. Openvpn. -
Большое спасибо! Буду переходить на OpenVPN!