启动IPSec命令挂起
启动IPSec命令挂起
提问于 2018-09-10 17:06:37
我试图在AWS EC2 (两个虚拟机)中使用StrongSwan在Docker中的两个区域之间建立VPN连接。然而,当我试图启动连接时,我得到了大量的错误。
命令sudo ipsec start --nofork和sudo ipsec restart分别给出以下错误:
Starting strongSwan 5.3.5 IPsec [starter]...
ipsec_starter[374]: Starting strongSwan 5.3.5 IPsec [starter]...
00[LIB] expanding file pattern '/etc/strongswan.d/charon/*.conf' failed: Permission denied
00[LIB] expanding file pattern '/etc/strongswan.d/*.conf' failed: Permission denied
00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1065-aws, x86_64)
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: NONCE_GEN
00[LIB] feature CUSTOM:libcharon-receiver in critical plugin 'charon' has unmet dependency: HASHER:HASH_SHA1
00[LIB] feature CUSTOM:libcharon-sa-managers in critical plugin
'charon' has unmet dependency: HASHER:HASH_SHA1 00[LIB] failed to load 3 critical plugin features
00[DMN] initialization failed - aborting charon
charon has quit: initialization failed
ipsec_starter[374]: charon has quit: initialization failed
charon refused to be started
ipsec_starter[374]: charon refused to be started
ipsec starter stopped
ipsec_starter[374]: ipsec starter stopped和
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.3.5 IPsec [starter]...
ipsec_starter[389]: Starting strongSwan 5.3.5 IPsec [starter]...
root@b65e01b190f6:/etc# ipsec_starter[408]: charon has quit:
initialization failed
ipsec_starter[408]: charon refused to be started
ipsec_starter[408]: ipsec starter stopped(第二个挂起在最后一个命令之后,必须用Ctrl+C退出)
为了修复一些错误,我注释掉了行:
load_modular =是
在档案中:
/etc/strongswan.conf
现在运行相同的命令输出:
Starting strongSwan 5.3.5 IPsec [starter]...
ipsec_starter[413]: Starting strongSwan 5.3.5 IPsec [starter]...
00[LIB] expanding file pattern '/etc/strongswan.d/charon/*.conf' failed: Permission denied
00[LIB] expanding file pattern '/etc/strongswan.d/*.conf' failed: Permission denied
00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1065-aws, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[LIB] opening directory '/etc/ipsec.d/cacerts' failed: Permission denied
00[CFG] reading directory failed
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[LIB] opening directory '/etc/ipsec.d/aacerts' failed: Permission denied
00[CFG] reading directory failed
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[LIB] opening directory '/etc/ipsec.d/ocspcerts' failed: Permission denied
00[CFG] reading directory failed
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[LIB] opening directory '/etc/ipsec.d/acerts' failed: Permission denied
00[CFG] reading directory failed
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[LIB] opening directory '/etc/ipsec.d/crls' failed: Permission denied
00[CFG] reading directory failed
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded IKE secret for B.B.B.B X.X.X.X
00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac ccm gcm attr kernel-netlink resolve socket-default connmark stroke updown
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
charon (426) started after 20 ms
ipsec_starter[413]: charon (426) started after 20 ms
11[CFG] received stroke: add connection 'A-to-B'
11[CFG] left nor right host is our side, assuming left=local
11[CFG] algorithm 'sha_256' not recognized
11[CFG] skipped invalid proposal string: aes256-sha_256-modp1024
11[CFG] added configuration 'A-to-B'
13[CFG] received stroke: initiate 'A-to-B'
13[IKE] initiating IKE_SA A-to-B[1] to X.X.X.X
13[IKE] configured DH group MODP_NONE not supported
13[MGR] tried to check-in and delete nonexisting IKE_SA和
Stopping strongSwan IPsec failed: starter is not running
Starting strongSwan 5.3.5 IPsec [starter]...
ipsec_starter[444]: Starting strongSwan 5.3.5 IPsec [starter]...
root@b65e01b190f6:/etc# ipsec_starter[463]: charon (464) started after 20 ms现在,这两个命令都挂在那里,所以我不确定注释掉这一行是否有帮助。
expanding file pattern '/etc/strongswan.d/charon/*.conf' failed: Permission denied行可能会导致我的许多错误,但我不知道如何修复它,因为我已经是Docker中的根用户。
我还包括了我的Dockerfile的一部分,以防止可能有助于:
FROM ubuntu:16.04
RUN apt update && apt install -y --no-install-recommends apt-utils
RUN apt -y install sudo
RUN apt upgrade -y
RUN apt install strongswan -y
RUN apt install nano -y
RUN apt install openssh-client -y
RUN apt install kmod
RUN echo "IdentityFile ~/.ssh/id_rsa" >> /etc/ssh/ssh_config
RUN sudo rm /etc/ipsec.conf
RUN touch /etc/ipsec.conf
RUN echo "# basic configuration" >> /etc/ipsec.conf \
&& echo "config setup" >> /etc/ipsec.conf \
&& echo ' charondebug="all"' >> /etc/ipsec.conf \
&& echo " uniqueids=yes" >> /etc/ipsec.conf \
&& echo " strictcrlpolicy=no" >> /etc/ipsec.conf \
&& echo "" >> /etc/ipsec.conf \
&& echo "conn A-to-B" >> /etc/ipsec.conf \
&& echo " authby=secret" >> /etc/ipsec.conf \
&& echo " left=A.A.A.A" >> /etc/ipsec.conf \
&& echo " leftid=B.B.B.B" >> /etc/ipsec.conf \
&& echo " leftsubnet=A.C.C.C/16" >> /etc/ipsec.conf \
&& echo " right=X.X.X.X" >> /etc/ipsec.conf \
&& echo " rightsubnet=Y.Y.Y.Y/16" >> /etc/ipsec.conf \
&& echo " ike=aes256-sha_256-modp1024!" >> /etc/ipsec.conf \
&& echo " esp=aes256-sha2_256!" >> /etc/ipsec.conf \
&& echo " keyingtries=0" >> /etc/ipsec.conf \
&& echo " ikelifetime=1h" >> /etc/ipsec.conf \
&& echo " lifetime=8h" >> /etc/ipsec.conf \
&& echo " dpddelay=30" >> /etc/ipsec.conf \
&& echo " dpdtimeout=120" >> /etc/ipsec.conf \
&& echo " dpdaction=restart" >> /etc/ipsec.conf \
&& echo " auto=start" >> /etc/ipsec.conf
RUN sudo rm /etc/ipsec.secrets
RUN touch /etc/ipsec.secrets
RUN echo "'B.B.B.B X.X.X.X : PSK "mykey"' >> /etc/ipsec.secrets
RUN echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
RUN sudo sysctl -p /etc/sysctl.conf另一个实例上的Dockerfile与交换的IP文件几乎是一样的。
编辑:更新(不是原始问题的一部分)
我改变了加密算法,因为mod1024已经不足以满足strongSwan的标准了。我现在使用:
ike=aes128gcm16-prfsha256-ecp256,aes256gcm16-prfsha384-ecp384!
esp=aes128gcm16-ecp256,aes256gcm16-ecp384!这修正了一些错误。我还使用了以下命令:
sudo docker run -itv ~:/mnt/ nameHere bash但是添加了标签--cap-add=NET_ADMIN,所有的预连接错误都消失了。但是,在尝试连接连接时出现了一个新的错误,该连接将在5次尝试后超时。
root@aaaaaaaaaa:/etc# sudo ipsec start --nofork
Starting strongSwan 5.3.5 IPsec [starter]...
ipsec_starter[482]: Starting strongSwan 5.3.5 IPsec [starter]...
00[DMN] Starting IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-1065-aws, x86_64)
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG] loaded IKE secret for X.X.X.X Y.Y.Y.Y
00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
00[LIB] dropped capabilities, running as uid 0, gid 0
00[JOB] spawning 16 worker threads
charon (495) started after 20 ms
ipsec_starter[482]: charon (495) started after 20 ms
11[CFG] received stroke: add connection 'A-to-B'
11[CFG] left nor right host is our side, assuming left=local
11[CFG] added configuration 'A-to-B'
13[CFG] received stroke: initiate 'A-to-B'
13[IKE] initiating IKE_SA A-to-B[1] to Y.Y.Y.Y
13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) ]
13[NET] sending packet: from X.X.X.X[500] to Y.Y.Y.Y[500] (284 bytes)
10[NET] error writing to socket: Invalid argument
15[IKE] retransmit 1 of request with message ID 0
15[NET] sending packet: from X.X.X.X (private ip)[500] to Y.Y.Y.Y (public ip of other connection)[500] (284 bytes)
10[NET] error writing to socket: Invalid argument
.
.
.
04[IKE] retransmit 5 of request with message ID 0
04[NET] sending packet: from X.X.X.X (private ip)[500] to Y.Y.Y.Y (public ip of other connection)[500] (284 bytes)
10[NET] error writing to socket: Invalid argument
03[IKE] giving up after 5 retransmits
03[IKE] establishing IKE_SA failed, peer not responding它现在挂在这里,直到我用另一个CTRL+C杀死它。任何想法都将不胜感激。
回答 1
Ask Ubuntu用户
发布于 2020-06-16 09:03:51
我也遇到了同样的问题,我从日志中发现,拒绝权限的原因是apparmor。
audit: type=1400 audit(1592238171.739:83): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/lib/docker/overlay2/02767f1d398d73371577bf0894a350595be9cecaecdbb9f416b7f421ae7820eb/diff/etc/strongswan.d/charon/" pid=46257 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
audit: type=1400 audit(1592238171.739:84): apparmor="DENIED" operation="open" profile="/usr/lib/ipsec/charon" name="/var/lib/docker/overlay2/02767f1d398d73371577bf0894a350595be9cecaecdbb9f416b7f421ae7820eb/diff/etc/strongswan.d/" pid=46257 comm="charon" requested_mask="r" denied_mask="r" fsuid=0 ouid=0简单的解决方法是使用命令apparmor停止aa-teardown (您可以看到使用aa-status启用的规则),但显然这并不是最优的,真正的解决方案是修改包含在/etc/apparmor.d/usr.lib.ipsec.charon中的charon规则。
页面原文内容由Ask Ubuntu提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://askubuntu.com/questions/1074037
复制相关文章
相似问题
腾讯云开发者
