由于Libreswan配置问题描述、重新启动后、只有一个客户端能够在特定时间维护IPsec通道
适用场景
- ONTAP 9及更高版本
- IPsec
- Libreswan
- NFS
问题描述
- 为IPsec和IPsec通道配置的多个客户端在客户端重新启动后无法建立。
- 只有一个客户端能够建立IPsec通道,即当客户端重新启动时,IPsec通道无法建立,并且客户端上出现以下错误:
[root@libreswan_client ~]# ipsec auto --up mytunnel
002 "mytunnel" #1: initiating v2 parent SA
133 "mytunnel" #1: STATE_PARENT_I1: initiate
002 "mytunnel" #1: local IKE proposals for mytunnel (IKE SA initiator selecting KE): 1:IKE:ENCR=AES_CBC_256;PRF=HMAC_SHA2_384;INTEG=HMAC_SHA2_384_192;DH=ECP_384
133 "mytunnel" #1: STATE_PARENT_I1: sent v2I1, expected v2R1
002 "mytunnel" #1: WARNING: connection mytunnel PSK length of 19 bytes is too short for sha2_384 PRF in FIPS mode (24 bytes required)
002 "mytunnel" #1: local ESP/AH proposals for mytunnel (IKE SA initiator emitting ESP/AH proposals): 1:ESP:ENCR=AES_GCM_C_256;INTEG=NONE;DH=NONE;ESN=DISABLED
134 "mytunnel" #2: STATE_PARENT_I2: sent v2I2, expected v2R2 {auth=IKEv2 cipher=aes_256 integ=sha384_192 prf=sha2_384 group=DH20}
002 "mytunnel" #2: IKE SA authentication request rejected: AUTHENTICATION_FAILED
- 客户端1重新启动,IPsec连接和挂载工作正常。
- 但是 ,当客户端2重新启动时,它将无法建立IPsec通信,挂载将无误地挂起。
- 以下命令 运行以重新建立IPsec连接并挂载工作:
::>security ipsec policy modify -vserver vs912 -is-enabled true -name <Policy_Name>
- 下次重新启动客户端1时,它将无法建立IPsec 通道,并出现相同的错误。
- 如果
security ipsec policy modify运行命令为client1建立IPsec通信, client1开始正常工作,但client2现在将无法建立连接(如果重新启动)。 - 客户端IPsec配置如下所示。
sudo cat /etc/ipsec.d/ipsec.conf
conn mytunnel
left=10.216.41.46
leftid=@client_side_identity
right=10.216.41.176
rightid=@ontap_side_identity
ikev2=insist
ike=aes_256-sha384;dh20
phase2alg=aes_gcm256-null
authby=secret
type=transport
auto=add
- ONTAP显示了以下配置。
cdot_vsim9_9_11::*> security ipsec policy show -vserver vs912 -fields local-identity,remote-identity
vserver name local-identity remote-identity
------- ------------------- -------------- ---------------
vs912 10.216.41.46_policy ontap_side_identity client_side_identity --> For client1
vs912 10.216.41.79_policy ontap_side_identity client_side_identity --> For client2