重启命令:?
[root@WWW strongswan]# strongswan restart
Stopping strongSwan IPsec...
Starting weakSwan 5.7.2 IPsec [starter]...
?查看状态命令
[root@WWW strongswan]# systemctl status strongswan
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
Loaded: loaded (/usr/lib/systemd/system/strongswan.service; disabled; vendor preset: disabled)
Active: inactive (dead)
strongswan下存在位置及文件:
位置:
/etc/strongswan/
存在的文件:?
[root@WWW strongswan]# ls
ipsec.conf ipsec.d ipsec.secrets strongswan.conf strongswan.d swanctl
查看对端请求有没有过来:
[root@WWW strongswan]# tcpdump udp port 500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:03:28.873876 IP 1xx.xxx.xx.xx9.isakmp > shanghaiVPN.isakmp: isakmp: phase 1 I agg
17:03:28.874362 IP shanghaiVPN.isakmp > 1xx.xxx.xx.xx9.isakmp: isakmp: phase 2/others R inf
17:03:59.566502 IP 1xx.xxx.xx.xx9.isakmp > shanghaiVPN.isakmp: isakmp: phase 1 I agg
17:03:59.567170 IP shanghaiVPN.isakmp > 1xx.xxx.xx.xx9.isakmp: isakmp: phase 2/others R inf
17:04:30.245163 IP 1xx.xxx.xx.xx9.isakmp > shanghaiVPN.isakmp: isakmp: phase 1 I agg
agg
17:04:30.245629 IP shanghaiVPN.isakmp > 1xx.xxx.xx.xx9.isakmp: isakmp: phase 2/others R inf
phase 1 I agg代表一阶段请求、phase 2/others R inf代表2阶段请求,一阶段请求是协商协议的过程,两端协议是否一致等,2阶段就是传输数据了。
查询请求的详细内容:
[root@WWW strongswan]# tcpdump -i eth0 -vnn udp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:08:05.411695 IP (tos 0x20, ttl 52, id 0, offset 0, flags [DF], proto UDP (17), length 382)
1xx.xxx.xx.xx9.500 > 1xx.1x.0.x.500: isakmp 1.0 msgid 00000000: phase 1 I agg:
(sa: doi=ipsec situation=identity
(p: #1 protoid=isakmp transform=1
(t: #1 id=ike (type=enc value=3des)(type=hash value=md5)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=7080))))
(ke: key len=128)
(nonce: n len=32)
(id: idtype=FQDN protoid=0 port=0 len=2 jc)
(vid: len=8)
(vid: len=16)
(vid: len=20)
(vid: len=16)
(vid: len=16)
17:08:05.412180 IP (tos 0x0, ttl 64, id 2097, offset 0, flags [DF], proto UDP (17), length 84)
1xx.1x.0.x.500 > 1xx.xxx.xx.xx9.500: isakmp 1.0 msgid c74d4d92: phase 2/others R inf:
(n: doi=ipsec proto=isakmp type=AUTHENTICATION-FAILED spi=2c152607a27e3d2be311701e9fb67cb2)
17:08:10.868246 IP (tos 0x0, ttl 64, id 50112, offset 0, flags [DF], proto UDP (17), length 88)
1xx.1x.0.x.44126 > 1xx.2xx.2xx.2xx.53: 44429+ A? monitor.internal.cn-east-2.xxxx-xxx.com. (60)
17:08:10.868245 IP (tos 0x0, ttl 64, id 50111, offset 0, flags [DF], proto UDP (17), length 88)
1xx.1x.0.x.55549 > 1xx.2xx.2xx.2xx.53: 2238+ AAAA? monitor.internal.cn-east-2.xxxx-xxx.com. (60)
17:08:10.871035 IP (tos 0x0, ttl 56, id 50112, offset 0, flags [none], proto UDP (17), length 104)
1xx.2xx.2xx.2xx.53 > 1xx.1x.0.x.44126: 44429 1/0/0 monitor.internal.cn-east-2.xxxx-xxx.com. A 1xx.x7.xx9.1xx (76)
17:08:10.871072 IP (tos 0x0, ttl 56, id 50111, offset 0, flags [none], proto UDP (17), length 170)
1xx.2xx.2xx.2xx.53 > 1xx.1x.0.x.55549: 2238 0/1/0 (142)
type=AUTHENTICATION-FAILED,说明第二阶段认证失败
查看日志:
打开strongswan.conf文件
[root@WWW strongswan]# ls
ipsec.conf ?ipsec.d ?ipsec.secrets ?strongswan.conf ?strongswan.conf.bak ?strongswan.d ?swanctl
[root@WWW strongswan]# cat strongswan.conf
加入日志配置项filelog部分:
charon {
load_modular = yes
i_dont_care_about_security_and_use_aggressive_mode_psk = yes
plugins {
include strongswan.d/charon/*.conf
}
filelog {
charon {
# path to the log file, specify this as section name in versions prior to 5.7.0
path = /var/log/charon.log
# add a timestamp prefix
time_format = %b %e %T
# prepend connection name, simplifies grepping
ike_name = yes
# overwrite existing files
append = no
# increase default loglevel for all daemon subsystems
default = 2
# flush each line to disk
flush_line = yes
}
stderr {
# more detailed loglevel for a specific subsystem, overriding the
# default loglevel.
ike = 2
knl = 3
}
}
}
查看日志:
进入到日志文件夹下
cd /var/log/
查看charonlog文件?