
Due to a Libreswan configuration issue, only one client can maintain the IPsec tunnel at a time after a reboot

Category:
ontap-9
Specialty:
nas

Applies to

  • ONTAP 9 and later
  • IPsec
  • Libreswan
  • NFS

Issue

  • Multiple clients are configured for IPsec, and the IPsec tunnel cannot be established after a client reboot.
  • Only one client can establish an IPsec tunnel at a time; that is, when a client reboots, the IPsec tunnel cannot be established and the following error appears on the client:

[root@libreswan_client ~]# ipsec auto --up mytunnel
002 "mytunnel" #1: initiating v2 parent SA
133 "mytunnel" #1: STATE_PARENT_I1: initiate
002 "mytunnel" #1: local IKE proposals for mytunnel (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_384;INTEG=HMAC_SHA2_384_192;DH=ECP_384
133 "mytunnel" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "mytunnel" #1: WARNING: connection mytunnel PSK length of 19 bytes is too short for sha2_384 PRF in FIPS mode (24 bytes required)
002 "mytunnel" #1: local ESP/AH proposals for mytunnel (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED
134 "mytunnel" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha384_192 prf=sha2_384 group=DH20}
002 "mytunnel" #2: IKE SA authentication request rejected: AUTHENTICATION_FAILED

  • Client 1 is rebooted; its IPsec connection and mount work normally.
  • But when client 2 is rebooted, it cannot establish IPsec communication and the mount hangs without any error.
  • The following command is run to re-establish the IPsec connection, after which the mount works:

::>security ipsec policy modify -vserver vs912 -is-enabled true -name <Policy_Name>

  • The next time client 1 is rebooted, it cannot establish the IPsec tunnel and the same error appears.
  • If the security ipsec policy modify command is run to establish IPsec communication for client1, client1 starts working normally, but client2 will now fail to establish a connection (if rebooted).
  • The client IPsec configuration is shown below.

sudo cat /etc/ipsec.d/ipsec.conf
conn mytunnel
    left=10.216.41.46
    leftid=@client_side_identity
    right=10.216.41.176
    rightid=@ontap_side_identity
    ikev2=insist
    ike=aes_256-sha384;dh20
    phase2alg=aes_gcm256-null
    authby=secret
    type=transport
    auto=add

  • ONTAP shows the following configuration.

cdot_vsim9_9_11::*> security ipsec policy show -vserver vs912 -fields local-identity,remote-identity
vserver name                local-identity      remote-identity
------- ------------------- ------------------- --------------------
vs912   10.216.41.46_policy ontap_side_identity client_side_identity  --> For client1
vs912   10.216.41.79_policy ontap_side_identity client_side_identity  --> For client2
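As an added check (example code, not part of this KB or of ONTAP/Libreswan), the following Python parses a policy table in the shape of the output above and a Libreswan conn block like the client's, reports identity pairs that more than one ONTAP policy uses, and lists which policies match a given client's leftid/rightid. The sample data is constructed from the values shown above; with it, both policies match the one client, so the identities alone do not tell the two clients apart.

```python
import re
from collections import defaultdict

# Constructed samples modelled on the KB's output and conf (arrow annotations omitted).
ONTAP_POLICY_OUTPUT = """\
vserver name                local-identity      remote-identity
------- ------------------- ------------------- --------------------
vs912   10.216.41.46_policy ontap_side_identity client_side_identity
vs912   10.216.41.79_policy ontap_side_identity client_side_identity
"""
CLIENT_CONF = """\
conn mytunnel
    left=10.216.41.46
    leftid=@client_side_identity
    right=10.216.41.176
    rightid=@ontap_side_identity
"""

def parse_policy_rows(text):
    """Parse `security ipsec policy show` table into (vserver, policy, local_id, remote_id)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] == "vserver" or parts[0].startswith("---"):
            continue  # header, separator, blank
        rows.append(tuple(parts[:4]))
    return rows

def shared_identity_pairs(rows):
    """(local-identity, remote-identity) pairs used by more than one policy -> list of policy names."""
    by_pair = defaultdict(list)
    for _vserver, policy, local_id, remote_id in rows:
        by_pair[(local_id, remote_id)].append(policy)
    return {pair: names for pair, names in by_pair.items() if len(names) > 1}

def conn_identities(conf_text):
    """{conn_name: (leftid, rightid)} from a Libreswan conf; the '@' ID prefix is stripped."""
    conns, current = {}, None
    for line in conf_text.splitlines():
        if m := re.match(r"\s*conn\s+(\S+)", line):
            current = m.group(1)
            conns[current] = {}
        elif (m := re.match(r"\s*(leftid|rightid)\s*=\s*@?(\S+)", line)) and current:
            conns[current][m.group(1)] = m.group(2)
    return {n: (ids.get("leftid"), ids.get("rightid")) for n, ids in conns.items()}

def policies_for_client(rows, leftid, rightid):
    """ONTAP policies whose remote-identity is the client's leftid and local-identity its rightid."""
    return [p for _v, p, local_id, remote_id in rows if remote_id == leftid and local_id == rightid]
```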


NetApp provides no representations or warranties regarding the accuracy or reliability or serviceability of any information or recommendations provided in this publication or with respect to any results that may be obtained by the use of the information or observance of any recommendations provided herein. The information in this document is distributed AS IS and the use of this information or the implementation of any recommendations or techniques herein is a customer's responsibility and depends on the customer's ability to evaluate and integrate them into the customer's operational environment. This document and the information contained herein may be used solely in connection with the NetApp products discussed in this document.