site to site 场景
moon 端: 启动即正常
bash
▶ k exec -it -n ns1 moon-0 -- bash
Defaulted container "ipsec-vpn" out of: ipsec-vpn, keepalived
root@moon-0:/# cat check
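#!/bin/bash
# check — readiness / diagnostic probe for a strongSwan site-to-site gateway.
#
# Waits until every remote gateway public IP answers a ping and charon is
# listening on the NAT-T UDP port, runs the one-time host init hook if the
# host mounted its directory, then loads the swanctl configuration and dumps
# IKE/ESP state from both charon (swanctl) and the kernel (ip xfrm).
#
# Environment (all optional; defaults reproduce the moon gateway behaviour):
#   REMOTE_PUBLIC_IPS  space-separated remote gateway public IPs to wait for
#   IKE_NAT_PORT       UDP port charon must be bound to before we continue
#   HOST_INIT_DIR      directory whose presence triggers the copy-hosts hook
#
# -x is deliberate: the "+ cmd" trace lines are part of what an operator
# reads when diagnosing a tunnel. pipefail keeps a failing `ss` from being
# hidden behind the grep in the port-wait loop.
set -euxo pipefail

readonly SWANCTL=/usr/sbin/swanctl
readonly IKE_NAT_PORT="${IKE_NAT_PORT:-4500}"
readonly HOST_INIT_DIR="${HOST_INIT_DIR:-/etc/host-init-strongswan}"
# Split the (possibly overridden) IP list into an array without eval/globbing.
read -r -a remote_ips <<<"${REMOTE_PUBLIC_IPS:-172.19.0.102 172.19.0.103}"

# --- loop until every remote public IP (IKE peer address) is reachable ---
for peer in "${remote_ips[@]}"; do
  while ! ping -n -c 1 "$peer"; do
    echo "Waiting for $peer to respond..."
    sleep 5
  done
done

# --- loop until charon-systemd has bound the NAT-T port ---
# Anchor on ":PORT<space>" so a pid number or a port such as 14500 cannot
# satisfy the check; the matching listen lines stay visible in the trace.
while ! ss -tunlp | grep -E ":${IKE_NAT_PORT}[[:space:]]"; do
  echo "Waiting for charon-systemd to start..."
  sleep 5
done

# One-time host init hook: only when the host mounted the init directory and
# the hook script has not been copied there yet.
if [[ -d "$HOST_INIT_DIR" && ! -f "$HOST_INIT_DIR/copy-hosts.sh" ]]; then
  # backslash bypasses any interactive cp alias; -- protects against odd names
  \cp -f -- /copy-hosts.sh "$HOST_INIT_DIR/copy-hosts.sh"
  bash "$HOST_INIT_DIR/copy-hosts.sh"
fi

"$SWANCTL" --load-all
"$SWANCTL" --list-conns
# --list-sas only shows ESTABLISHED / INSTALLED entries once the CHILD_SA has
# come up (e.g. after pinging an IP in the remote private CIDR).
"$SWANCTL" --list-sas
"$SWANCTL" --stats

# Kernel view. NOTE: `ip xfrm state` prints the live ESP keys (the
# "aead ... 0x..." lines) — redact them before pasting this output into a
# ticket or shared document. Expect one state per direction and per peer;
# `ip xfrm policy` should show dir in / out / fwd for every tunnel subnet pair,
# not only the all-zero socket entries.
ip xfrm state
ip xfrm policy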
# 检查结果
root@moon-0:/# ./check
+ ping -n -c 1 172.19.0.102
PING 172.19.0.102 (172.19.0.102): 56 data bytes
64 bytes from 172.19.0.102: icmp_seq=0 ttl=62 time=1.665 ms
--- 172.19.0.102 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.665/1.665/1.665/0.000 ms
+ ping -n -c 1 172.19.0.103
PING 172.19.0.103 (172.19.0.103): 56 data bytes
64 bytes from 172.19.0.103: icmp_seq=0 ttl=63 time=1.059 ms
--- 172.19.0.103 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.059/1.059/1.059/0.000 ms
+ ss -tunlp
+ grep 4500
udp UNCONN 0 0 0.0.0.0:4500 0.0.0.0:* users:(("charon-systemd",pid=1,fd=16))
udp UNCONN 0 0 [::]:4500 [::]:* users:(("charon-systemd",pid=1,fd=14))
+ '[' -d /etc/host-init-strongswan ']'
+ /usr/sbin/swanctl --load-all
loaded ike secret 'ike-1'
loaded ike secret 'ike-11'
loaded ike secret 'ike-12'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'gw-gw-moon-sun'
loaded connection 'gw-gw-moon-mars'
successfully loaded 2 connections, 0 unloaded
+ swanctl --list-conns
gw-gw-moon-sun: IKEv2, reauthentication every 10800s, no rekeying
local: 10.1.0.2
remote: 172.19.0.102
local pre-shared key authentication:
id: moon.vpn.gw.com
remote pre-shared key authentication:
id: sun.vpn.gw.com
net-net: TUNNEL, rekeying every 5400s or 500000000 bytes or 1000000 packets
local: 10.1.0.0/24
remote: 10.2.0.0/24
gw-gw-moon-mars: IKEv2, reauthentication every 10800s, no rekeying
local: 10.1.0.2
remote: 172.19.0.103
local pre-shared key authentication:
id: moon.vpn.gw.com
remote pre-shared key authentication:
id: mars.vpn.gw.com
net-net: TUNNEL, rekeying every 5400s or 500000000 bytes or 1000000 packets
local: 10.1.0.0/24
remote: 172.21.0.0/16
+ /usr/sbin/swanctl --list-sas
gw-gw-moon-mars: #5, ESTABLISHED, IKEv2, 0bdf656e184cd76e_i 14b8758a500c89e9_r*
local 'moon.vpn.gw.com' @ 10.1.0.2[4500]
remote 'mars.vpn.gw.com' @ 172.19.0.103[4500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
established 32s ago, reauth in 9854s
net-net: #4, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
installed 32s ago, rekeying in 4890s, expires in 5908s
in cfb9ae91, 0 bytes, 0 packets
out c7790b69, 0 bytes, 0 packets
local 10.1.0.0/24
remote 172.21.0.0/16
gw-gw-moon-sun: #3, ESTABLISHED, IKEv2, b0a9a91ee5c29e8a_i a92c2c434fe7d76f_r*
local 'moon.vpn.gw.com' @ 10.1.0.2[4500]
remote 'sun.vpn.gw.com' @ 172.19.0.102[4500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
established 128s ago, reauth in 10260s
net-net: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
installed 128s ago, rekeying in 5036s, expires in 5812s
in c78f70db, 0 bytes, 0 packets
out cce095ee, 0 bytes, 0 packets
local 10.1.0.0/24
remote 10.2.0.0/24
+ /usr/sbin/swanctl --stats
uptime: 2 minutes, since Mar 11 07:51:53 2025
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 10
IKE_SAs: 2 total, 0 half-open
mallinfo: sbrk 3280896, mmap 0, used 1442448, free 1838448
loaded plugins: charon-systemd test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark forecast farp vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
+ ip xfrm state # 这里的重点是隧道的源外部 IP 和目标外部 IP,确认来回两个方向各有一条(成对出现)
src 10.1.0.2 dst 172.19.0.103
proto esp spi 0xc7790b69 reqid 2 mode tunnel
replay-window 0 flag af-unspec
aead rfc4106(gcm(aes)) 0xa5a4585ea4c1434c45325ba054e11163dae182e7 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 172.19.0.103 dst 10.1.0.2
proto esp spi 0xcfb9ae91 reqid 2 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0xbda5317f053118258452417b0bdf98d622ecdfd1 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 10.1.0.2 dst 172.19.0.102
proto esp spi 0xcce095ee reqid 1 mode tunnel
replay-window 0 flag af-unspec
aead rfc4106(gcm(aes)) 0x3dbb32027e8b51cc850ae23303b1b475a156a3ee 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 172.19.0.102 dst 10.1.0.2
proto esp spi 0xc78f70db reqid 1 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0x2c4349fc8902e1550e9fd9721cd3c1380afc0e09 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
+ ip xfrm policy # 这里的重点是隧道的源内部子网和目标内部子网,确认 dir in、dir out、dir fwd 三项都存在
src 10.1.0.0/24 dst 172.21.0.0/16
dir out priority 379519 ptype main
tmpl src 10.1.0.2 dst 172.19.0.103
proto esp spi 0xc7790b69 reqid 2 mode tunnel
src 172.21.0.0/16 dst 10.1.0.0/24
dir fwd priority 379519 ptype main
tmpl src 172.19.0.103 dst 10.1.0.2
proto esp reqid 2 mode tunnel
src 172.21.0.0/16 dst 10.1.0.0/24
dir in priority 379519 ptype main
tmpl src 172.19.0.103 dst 10.1.0.2
proto esp reqid 2 mode tunnel
src 10.1.0.0/24 dst 10.2.0.0/24
dir out priority 375423 ptype main
tmpl src 10.1.0.2 dst 172.19.0.102
proto esp spi 0xcce095ee reqid 1 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
dir fwd priority 375423 ptype main
tmpl src 172.19.0.102 dst 10.1.0.2
proto esp reqid 1 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
dir in priority 375423 ptype main
tmpl src 172.19.0.102 dst 10.1.0.2
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 # 如果只有全 0 肯定是不对的
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
另一端 sun,启动不正常
bash
▶ k exec -it -n kube-system strongswan-kube-ovn-control-plane -- bash
Defaulted container "strongswan" out of: strongswan, load
root@kube-ovn-control-plane:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if198: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether ea:3f:5a:7d:da:67 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.18.0.3/16 brd 172.18.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fc00:f853:ccd:e793::3/64 scope global nodad
valid_lft forever preferred_lft forever
inet6 fe80::e83f:5aff:fe7d:da67/64 scope link
valid_lft forever preferred_lft forever
3: kube-ipvs0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default
link/ether 3e:8d:df:89:4e:ba brd ff:ff:ff:ff:ff:ff
inet 10.96.0.1/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.96.0.10/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.99.220.27/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.101.6.79/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.99.252.147/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.105.73.102/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.111.57.98/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.111.68.105/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.111.132.28/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.104.198.188/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.111.81.68/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.109.91.15/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.102.128.41/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
inet 10.110.106.233/32 scope global kube-ipvs0
valid_lft forever preferred_lft forever
4: ovs-system: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 86:77:d6:90:d1:e3 brd ff:ff:ff:ff:ff:ff
5: br-int: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
link/ether c2:5d:03:cc:bd:cd brd ff:ff:ff:ff:ff:ff
6: mirror0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether c2:72:09:8b:87:1b brd ff:ff:ff:ff:ff:ff
inet6 fe80::c072:9ff:fe8b:871b/64 scope link
valid_lft forever preferred_lft forever
7: vxlan_sys_4789: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 65000 qdisc noqueue master ovs-system state UNKNOWN group default qlen 1000
link/ether 0a:82:79:77:b0:14 brd ff:ff:ff:ff:ff:ff
inet6 fe80::882:79ff:fe77:b014/64 scope link
valid_lft forever preferred_lft forever
8: ovn0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 9a:25:e1:41:4b:2c brd ff:ff:ff:ff:ff:ff
inet 100.64.0.2/16 brd 100.64.255.255 scope global ovn0
valid_lft forever preferred_lft forever
inet6 fe80::9825:e1ff:fe41:4b2c/64 scope link
valid_lft forever preferred_lft forever
16: ab55e86b03b5_h@if15: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master ovs-system state UP group default qlen 1000
link/ether 42:2a:21:69:1a:e2 brd ff:ff:ff:ff:ff:ff link-netnsid 2
inet6 fe80::402a:21ff:fe69:1ae2/64 scope link
valid_lft forever preferred_lft forever
17: eth1@if201: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master ovs-system state UP group default
link/ether e6:9f:e6:80:62:35 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::e49f:e6ff:fe80:6235/64 scope link
valid_lft forever preferred_lft forever
18: eth2@if204: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:92:06:03:57:f5 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.21.0.3/16 brd 172.21.255.255 scope global eth2
valid_lft forever preferred_lft forever
inet6 fc00:5645:6976:1737::3/64 scope global nodad
valid_lft forever preferred_lft forever
inet6 fe80::92:6ff:fe03:57f5/64 scope link
valid_lft forever preferred_lft forever
19: br-external: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether e6:9f:e6:80:62:35 brd ff:ff:ff:ff:ff:ff
inet 172.19.0.3/16 brd 172.19.255.255 scope global br-external
valid_lft forever preferred_lft forever
inet 172.19.0.103/32 scope global br-external
valid_lft forever preferred_lft forever
inet6 fc00:adb1:b29b:608d::3/64 scope global nodad
valid_lft forever preferred_lft forever
inet6 fe80::e49f:e6ff:fe80:6235/64 scope link
valid_lft forever preferred_lft forever
21: 79eb9f44511b_h@if20: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue master ovs-system state UP group default qlen 1000
link/ether 22:8f:48:61:3a:8c brd ff:ff:ff:ff:ff:ff link-netnsid 1
inet6 fe80::208f:48ff:fe61:3a8c/64 scope link
valid_lft forever preferred_lft forever
23: 06db1b29d313_h@if22: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc htb master ovs-system state UP group default qlen 1000
link/ether ce:43:47:59:c0:e8 brd ff:ff:ff:ff:ff:ff link-netnsid 3
inet6 fe80::cc43:47ff:fe59:c0e8/64 scope link
valid_lft forever preferred_lft forever
root@kube-ovn-control-plane:/# cat /etc/swanctl/swanctl.conf
# swanctl.conf on the mars gateway (172.19.0.103): a single IKEv2 PSK
# site-to-site connection towards the moon gateway.
connections {
    gw-gw-mars-moon {
        local_addrs = 172.19.0.103
        # Presumably moon's NAT-ed public address: moon itself binds 10.1.0.2
        # and charon logs "remote host is behind NAT" when initiating — verify.
        remote_addrs = 172.19.0.101
        local {
            auth = psk
            id = mars.vpn.gw.com
        }
        remote {
            auth = psk
            id = moon.vpn.gw.com
        }
        children {
            net-net {
                # traffic selectors: this side's subnet <-> moon's subnet
                local_ts = 172.21.0.0/16
                remote_ts = 10.1.0.0/24
                dpd_action = restart
                # start_action = start should make charon initiate on load; on
                # this page the SA still had to be brought up with
                # `swanctl --initiate` — confirm the peer was reachable when
                # the config was loaded.
                start_action = start
                # presumably the source of the `-m policy --pol ipsec` FORWARD
                # rules seen in iptables-save
                updown = /usr/lib/ipsec/_updown iptables
                rekey_time = 5400
                rekey_bytes = 500000000
                rekey_packets = 1000000
                # shows up as ESP:AES_GCM_16-128 in `swanctl --list-sas`
                esp_proposals = aes128gcm128-x25519
            }
        }
        version = 2
        mobike = no
        reauth_time = 10800
        # shows up as AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
        proposals = aes128-sha256-x25519
    }
}
# NOTE(review): both PSKs below are three-digit numbers — acceptable only in a
# throwaway lab. A site-to-site PSK should be a long random value (and the
# same value must be present on the peer under its own secrets entry).
secrets {
    ike-1 {
        id-1 = mars.vpn.gw.com
        secret = 789
    }
    ike-11 {
        id-11 = moon.vpn.gw.com
        secret = 123
    }
}
root@kube-ovn-control-plane:/etc/swanctl# ./check
+ ping -n -c 1 172.19.0.101
PING 172.19.0.101 (172.19.0.101): 56 data bytes
64 bytes from 172.19.0.101: icmp_seq=0 ttl=63 time=0.916 ms
--- 172.19.0.101 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.916/0.916/0.916/0.000 ms
+ ss -tunlp
+ grep 4500
udp UNCONN 0 0 0.0.0.0:4500 0.0.0.0:* users:(("charon-systemd",pid=29,fd=16))
udp UNCONN 0 0 [::]:4500 [::]:* users:(("charon-systemd",pid=29,fd=14))
+ '[' -d /etc/host-init-strongswan ']'
+ '[' '!' -f /etc/host-init-strongswan/copy-hosts.sh ']'
+ /usr/sbin/swanctl --load-all
loaded ike secret 'ike-1'
loaded ike secret 'ike-11'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'gw-gw-mars-moon'
successfully loaded 1 connections, 0 unloaded
+ swanctl --list-conns
gw-gw-mars-moon: IKEv2, reauthentication every 10800s, no rekeying
local: 172.19.0.103
remote: 172.19.0.101
local pre-shared key authentication:
id: mars.vpn.gw.com
remote pre-shared key authentication:
id: moon.vpn.gw.com
net-net: TUNNEL, rekeying every 5400s or 500000000 bytes or 1000000 packets
local: 172.21.0.0/16
remote: 10.1.0.0/24
+ /usr/sbin/swanctl --list-sas
+ /usr/sbin/swanctl --stats
uptime: 4 minutes, since Mar 11 07:52:10 2025
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 0
IKE_SAs: 0 total, 0 half-open
mallinfo: sbrk 3211264, mmap 0, used 1243104, free 1968160
loaded plugins: charon-systemd test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark forecast farp vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
+ ip xfrm state # 这里为空
+ ip xfrm policy # 这里只有全 0 的 socket 策略,说明连接没有建立
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
手动触发连接建立
bash
root@kube-ovn-control-plane:/etc/swanctl# swanctl --initiate --child net-net gw-gw-mars-moon
[IKE] initiating IKE_SA gw-gw-mars-moon[2] to 172.19.0.101
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from 172.19.0.103[500] to 172.19.0.101[500] (240 bytes)
[NET] received packet: from 172.19.0.101[500] to 172.19.0.103[500] (248 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
[IKE] remote host is behind NAT
[IKE] authentication of 'mars.vpn.gw.com' (myself) with pre-shared key
[IKE] establishing CHILD_SA net-net{1}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from 172.19.0.103[4500] to 172.19.0.101[4500] (272 bytes)
[NET] received packet: from 172.19.0.101[4500] to 172.19.0.103[4500] (224 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
[IKE] authentication of 'moon.vpn.gw.com' with pre-shared key successful
[IKE] IKE_SA gw-gw-mars-moon[2] established between 172.19.0.103[mars.vpn.gw.com]...172.19.0.101[moon.vpn.gw.com]
[IKE] scheduling reauthentication in 10334s
[IKE] maximum IKE_SA lifetime 11414s
[CFG] selected proposal: ESP:AES_GCM_16_128/NO_EXT_SEQ
[IKE] CHILD_SA net-net{1} established with SPIs c4d8cdb4_i c5d38a31_o and TS 172.21.0.0/16 === 10.1.0.0/24
initiate completed successfully
root@kube-ovn-control-plane:/etc/swanctl# ./check
+ ping -n -c 1 172.19.0.101
PING 172.19.0.101 (172.19.0.101): 56 data bytes
64 bytes from 172.19.0.101: icmp_seq=0 ttl=63 time=0.701 ms
--- 172.19.0.101 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.701/0.701/0.701/0.000 ms
+ ss -tunlp
+ grep 4500
udp UNCONN 0 0 0.0.0.0:4500 0.0.0.0:* users:(("charon-systemd",pid=29,fd=16))
udp UNCONN 0 0 [::]:4500 [::]:* users:(("charon-systemd",pid=29,fd=14))
+ '[' -d /etc/host-init-strongswan ']'
+ '[' '!' -f /etc/host-init-strongswan/copy-hosts.sh ']'
+ /usr/sbin/swanctl --load-all
loaded ike secret 'ike-1'
loaded ike secret 'ike-11'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'gw-gw-mars-moon'
successfully loaded 1 connections, 0 unloaded
+ swanctl --list-conns
gw-gw-mars-moon: IKEv2, reauthentication every 10800s, no rekeying
local: 172.19.0.103
remote: 172.19.0.101
local pre-shared key authentication:
id: mars.vpn.gw.com
remote pre-shared key authentication:
id: moon.vpn.gw.com
net-net: TUNNEL, rekeying every 5400s or 500000000 bytes or 1000000 packets
local: 172.21.0.0/16
remote: 10.1.0.0/24
+ /usr/sbin/swanctl --list-sas
gw-gw-mars-moon: #2, ESTABLISHED, IKEv2, 8523d62b2b73662d_i* 10b129f4bb7dc763_r
local 'mars.vpn.gw.com' @ 172.19.0.103[4500]
remote 'moon.vpn.gw.com' @ 172.19.0.101[4500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
established 20s ago, reauth in 10314s
net-net: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
installed 20s ago, rekeying in 5179s, expires in 5920s
in c4d8cdb4, 0 bytes, 0 packets
out c5d38a31, 0 bytes, 0 packets
local 172.21.0.0/16
remote 10.1.0.0/24
+ /usr/sbin/swanctl --stats
uptime: 6 minutes, since Mar 11 07:52:10 2025
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 2
IKE_SAs: 1 total, 0 half-open
mallinfo: sbrk 3215360, mmap 0, used 1361664, free 1853696
loaded plugins: charon-systemd test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark forecast farp vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
+ ip xfrm state # 两个方向具备
src 172.19.0.103 dst 172.19.0.101
proto esp spi 0xc5d38a31 reqid 1 mode tunnel
replay-window 0 flag af-unspec
aead rfc4106(gcm(aes)) 0x1c4610419b674fd6fcc1e34f7599db9fff7dbea4 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 172.19.0.101 dst 172.19.0.103
proto esp spi 0xc4d8cdb4 reqid 1 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0x1f1f37f1a6cb4587db9b40d469626b4678f15b32 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
+ ip xfrm policy # dir in | dir out| dir fwd 具备
src 172.21.0.0/16 dst 10.1.0.0/24
dir out priority 379519 ptype main
tmpl src 172.19.0.103 dst 172.19.0.101
proto esp spi 0xc5d38a31 reqid 1 mode tunnel
src 10.1.0.0/24 dst 172.21.0.0/16
dir fwd priority 379519 ptype main
tmpl src 172.19.0.101 dst 172.19.0.103
proto esp reqid 1 mode tunnel
src 10.1.0.0/24 dst 172.21.0.0/16
dir in priority 379519 ptype main
tmpl src 172.19.0.101 dst 172.19.0.103
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
路由定位
如下路由需要具备;但如果上面的 ip xfrm state 或 ip xfrm policy 不存在(或不正确),即使路由存在,也抓不到发出的包
bash
root@moon-0:/# ip route show table 220
10.2.0.0/24 via 10.1.0.1 dev eth0 proto static src 10.1.0.2
172.21.0.0/16 via 10.1.0.1 dev eth0 proto static src 10.1.0.2
root@moon-0:/#
iptables nat 定位
如下规则需要具备
bash
root@moon-0:/# iptables-save
# Generated by iptables-save v1.8.9 (nf_tables) on Tue Mar 11 08:16:29 2025
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 172.21.0.0/16 -d 10.1.0.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 2 --proto esp -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -d 172.21.0.0/16 -o eth0 -m policy --dir out --pol ipsec --reqid 2 --proto esp -j ACCEPT
-A FORWARD -s 10.2.0.0/24 -d 10.1.0.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -s 10.1.0.0/24 -d 10.2.0.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
# Completed on Tue Mar 11 08:16:29 2025
root@moon-0:/#