启用PFS时、IPsec客户端会挂起
适用场景
- ONTAP9.8P3
- LibresWAN 4.4
- IPsec
- 完全正向保密(PFS)
问题描述
- 当PFS处于打开状态时、LibresWAN IPsec连接将挂起
Charon log将显示第2阶段IPsec SA重新建立密钥失败
Mar 30 21:19:54.383 08[CFG] received proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQMar 30 21:19:54.383 08[CFG] configured proposals: ESP:AES_GCM_16_256/NO_EXT_SEQMar 30 21:19:54.384 08[IKE] no acceptable proposal foundMar 30 21:19:54.384 08[IKE] failed to establish CHILD_SA, keeping IKE_SAMar 30 21:19:56.782 08[IKE] establishing CHILD_SA vs1000:adm_864_1000{23} reqid 15Mar 30 21:19:56.784 08[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA builtMar 30 21:19:56.784 08[IKE] failed to establish CHILD_SA, keeping IKE_SAMar 30 21:19:56.784 08[IKE] CHILD_SA rekeying failed, trying again in 9 secondsMar 30 21:20:05.786 05[IKE] establishing CHILD_SA vs1000:adm_864_vs1000{24} reqid 15Mar 30 21:20:05.788 05[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA builtMar 30 21:20:05.788 05[IKE] failed to establish CHILD_SA, keeping IKE_SAMar 30 21:20:05.788 05[IKE] CHILD_SA rekeying failed, trying again in 13 seconds- 命令
"security ipsec show-ipsecsa -node <node> -vserver <svm>"显示为空