use*_*360 4 linux vpn centos ipsec
我在尝试创建ipsec连接时发现了一些奇怪的行为.我在cisco asa和我的Linux机器之间配置了ipsec,它按预期工作.但是,当我在Linux机器上重新启动网络服务或重新启动cisco端的端口时,隧道将停止工作,但隧道状态已启动:
/etc/init.d/ipsec status
/usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled
IPsec running - pluto pid: 2684
pluto pid 2684
1 tunnels up
some eroutes exist
当我尝试连接到另一端(telnet,ping,ssh)时,连接不起作用.
我的/etc/ipsec.conf看起来像这样:
# /etc/ipsec.conf - Openswan IPsec configuration file
#
# Manual: ipsec.conf.5
#
# Please place your own config files in /etc/ipsec.d/ ending in .conf
version 2.0 # conforms to second version of ipsec.conf specification
# basic configuration
config setup
# Debug-logging controls: "none" for (almost) none, "all" for lots.
# klipsdebug=none
# plutodebug="control parsing"
# For Red Hat Enterprise Linux and Fedora, leave protostack=netkey
protostack=netkey
nat_traversal=yes
virtual_private=
oe=off
# Enable this if you see "failed to find any available worker"
nhelpers=0
#You may put your configuration (.conf) file in the "/etc/ipsec.d/" and uncomment this.
include /etc/ipsec.d/*.conf
我的/etc/ipsec.d/myvpn.conf看起来像这样:
conn myvpn
authby=secret # Key exchange method
left=server-ip # Public Internet IP address of the
# LEFT VPN device
leftsubnet=server-ip/32 # Subnet protected by the LEFT VPN device
leftnexthop=%defaultroute # correct in many situations
right=asa-ip # Public Internet IP address of
# the RIGHT VPN device
rightsubnet=network/16 # Subnet protected by the RIGHT VPN device
rightnexthop=asa-ip # correct in many situations
auto=start # authorizes and starts this connection
# on booting
auth=esp
esp=aes-sha1
compress=no
当我重新启动openswan服务时,一切都开始工作,但我认为应该有一些自动执行此操作的逻辑.有谁知道我错过了什么?
如果双方都可用,您可能希望启用死对等检测.当隧道实际上不再工作并断开或重置隧道时,死对等检测会发出通知.
如果不可用,您还可以尝试将会话重新协商时间降低到非常低的水平; 您的隧道将频繁创建新密钥并设置新隧道以定期替换旧隧道,以便在会话中断时超时后有效地重新创建隧道.
对于Linux本身的PPP会话,我只需在/etc/ppp/ip-up.local中进行"service ipsec restart",以便在PPP设备重新联机时重启所有隧道.
因人而异.
| 归档时间: |
|
| 查看次数: |
12574 次 |
| 最近记录: |