strongSwan-related commands

Published: 20 December 2023

Restart command:

[root@WWW strongswan]# strongswan restart
Stopping strongSwan IPsec...
Starting weakSwan 5.7.2 IPsec [starter]...

Status command:

[root@WWW strongswan]#  systemctl status strongswan
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf
   Loaded: loaded (/usr/lib/systemd/system/strongswan.service; disabled; vendor preset: disabled)
   Active: inactive (dead)

strongSwan location and files:

Location:

/etc/strongswan/

Files present:

[root@WWW strongswan]# ls
ipsec.conf  ipsec.d  ipsec.secrets  strongswan.conf  strongswan.d  swanctl

Check whether the peer's requests are arriving:

[root@WWW strongswan]# tcpdump udp port 500 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:03:28.873876 IP 1xx.xxx.xx.xx9.isakmp > shanghaiVPN.isakmp: isakmp: phase 1 I agg
17:03:28.874362 IP shanghaiVPN.isakmp > 1xx.xxx.xx.xx9.isakmp: isakmp: phase 2/others R inf
17:03:59.566502 IP 1xx.xxx.xx.xx9.isakmp > shanghaiVPN.isakmp: isakmp: phase 1 I agg
17:03:59.567170 IP shanghaiVPN.isakmp > 1xx.xxx.xx.xx9.isakmp: isakmp: phase 2/others R inf
17:04:30.245163 IP 1xx.xxx.xx.xx9.isakmp > shanghaiVPN.isakmp: isakmp: phase 1 I agg
17:04:30.245629 IP shanghaiVPN.isakmp > 1xx.xxx.xx.xx9.isakmp: isakmp: phase 2/others R inf

phase 1 I agg marks a phase 1 request (I = initiator, agg = aggressive mode); phase 2/others R inf marks a phase 2 request (R = responder, inf = informational exchange). Phase 1 is the negotiation of the protocol parameters, including whether the two ends' proposals agree; phase 2 is where data is transferred.
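The pattern in the capture above (the same peer sends "phase 1 I agg" roughly every 30 seconds and only ever gets "phase 2/others R inf" back) is itself a diagnosis: phase 1 never completes. The following script is an added example, not code from the original post; it parses the summary lines printed by `tcpdump udp port 500` and gives a verdict per initiating peer. The sample lines are constructed with documentation-range addresses in place of the masked ones on the page.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the `tcpdump udp port 500` output above
# (documentation-range addresses stand in for the masked ones in the post).
SAMPLE = """\
17:03:28.873876 IP 198.51.100.9.isakmp > shanghaiVPN.isakmp: isakmp: phase 1 I agg
17:03:28.874362 IP shanghaiVPN.isakmp > 198.51.100.9.isakmp: isakmp: phase 2/others R inf
17:03:59.566502 IP 198.51.100.9.isakmp > shanghaiVPN.isakmp: isakmp: phase 1 I agg
17:03:59.567170 IP shanghaiVPN.isakmp > 198.51.100.9.isakmp: isakmp: phase 2/others R inf
17:04:30.245163 IP 198.51.100.9.isakmp > shanghaiVPN.isakmp: isakmp: phase 1 I agg
17:04:30.245629 IP shanghaiVPN.isakmp > 198.51.100.9.isakmp: isakmp: phase 2/others R inf
"""

# One summary line: timestamp, source, destination, phase, role (I/R), exchange type.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+)\.isakmp > (?P<dst>\S+)\.isakmp: "
    r"isakmp: phase (?P<phase>1|2/others) (?P<role>[IR]) (?P<exch>\w+)$"
)


def parse_isakmp_lines(text):
    """Return one dict per ISAKMP summary line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def to_seconds(ts):
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def summarize(text):
    """Per remote peer (the initiator), count phase 1 initiations and classify the replies
    it received: a phase 1 reply means negotiation is progressing; an informational (inf)
    reply with no phase 1 reply means the responder rejected it with a notify."""
    stats = defaultdict(lambda: {"phase1_init": 0, "phase1_reply": 0,
                                 "inf_reply": 0, "init_times": []})
    for pkt in parse_isakmp_lines(text):
        if pkt["role"] == "I":
            s = stats[pkt["src"]]
            if pkt["phase"] == "1":
                s["phase1_init"] += 1
                s["init_times"].append(to_seconds(pkt["ts"]))
        else:
            s = stats[pkt["dst"]]
            if pkt["phase"] == "1":
                s["phase1_reply"] += 1
            elif pkt["exch"] == "inf":
                s["inf_reply"] += 1
    return dict(stats)


def diagnose(stats):
    """Map each peer to a short verdict, with the retry interval when it keeps retrying."""
    verdicts = {}
    for peer, s in stats.items():
        t = s["init_times"]
        gaps = [b - a for a, b in zip(t, t[1:])]
        retry = f", retrying about every {sum(gaps) / len(gaps):.0f} s" if gaps else ""
        if s["phase1_init"] and not s["phase1_reply"] and s["inf_reply"]:
            verdicts[peer] = ("phase 1 never completes: each initiation is answered with an "
                              "informational exchange, decode it (tcpdump -vnn) for the notify type" + retry)
        elif s["phase1_init"] and not s["phase1_reply"]:
            verdicts[peer] = "phase 1 initiations get no reply: check UDP 500 reachability and the listener" + retry
        else:
            verdicts[peer] = "phase 1 replies seen, negotiation is progressing"
    return verdicts


if __name__ == "__main__":
    for peer, verdict in diagnose(summarize(SAMPLE)).items():
        print(peer, "->", verdict)
```

The verdict distinguishes two failure shapes that look alike in a firewall log: initiations with no reply at all (a reachability problem) versus initiations answered only by an informational exchange (the responder is reachable but refuses the negotiation, which is what the verbose decode in the next step explains).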

Inspect the request in detail:

[root@WWW strongswan]# tcpdump -i eth0 -vnn udp
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
17:08:05.411695 IP (tos 0x20, ttl 52, id 0, offset 0, flags [DF], proto UDP (17), length 382)
    1xx.xxx.xx.xx9.500 > 1xx.1x.0.x.500: isakmp 1.0 msgid 00000000: phase 1 I agg:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=enc value=3des)(type=hash value=md5)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=7080))))
    (ke: key len=128)
    (nonce: n len=32)
    (id: idtype=FQDN protoid=0 port=0 len=2 jc)
    (vid: len=8)
    (vid: len=16)
    (vid: len=20)
    (vid: len=16)
    (vid: len=16)
17:08:05.412180 IP (tos 0x0, ttl 64, id 2097, offset 0, flags [DF], proto UDP (17), length 84)
    1xx.1x.0.x.500 > 1xx.xxx.xx.xx9.500: isakmp 1.0 msgid c74d4d92: phase 2/others R inf:
    (n: doi=ipsec proto=isakmp type=AUTHENTICATION-FAILED spi=2c152607a27e3d2be311701e9fb67cb2)
17:08:10.868246 IP (tos 0x0, ttl 64, id 50112, offset 0, flags [DF], proto UDP (17), length 88)
    1xx.1x.0.x.44126 > 1xx.2xx.2xx.2xx.53: 44429+ A? monitor.internal.cn-east-2.xxxx-xxx.com. (60)
17:08:10.868245 IP (tos 0x0, ttl 64, id 50111, offset 0, flags [DF], proto UDP (17), length 88)
    1xx.1x.0.x.55549 > 1xx.2xx.2xx.2xx.53: 2238+ AAAA? monitor.internal.cn-east-2.xxxx-xxx.com. (60)
17:08:10.871035 IP (tos 0x0, ttl 56, id 50112, offset 0, flags [none], proto UDP (17), length 104)
    1xx.2xx.2xx.2xx.53 > 1xx.1x.0.x.44126: 44429 1/0/0 monitor.internal.cn-east-2.xxxx-xxx.com. A 1xx.x7.xx9.1xx (76)
17:08:10.871072 IP (tos 0x0, ttl 56, id 50111, offset 0, flags [none], proto UDP (17), length 170)
    1xx.2xx.2xx.2xx.53 > 1xx.1x.0.x.55549: 2238 0/1/0 (142)

type=AUTHENTICATION-FAILED indicates that the second-phase authentication failed.
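The verbose decode carries two things worth extracting automatically: the phase 1 proposal the peer offers (cipher, hash, DH group, authentication method, lifetime) and the notify type the responder returns, which is the concrete failure reason. The script below is an added example, not code from the original post; it splits `tcpdump -vnn` output into packets, pulls those fields out, and flags settings a reviewer would question. The sample packets are constructed in the shape of the decode above, and the weak-algorithm lists are this example's own assumptions.

```python
import re

# Constructed sample in the shape of the `tcpdump -i eth0 -vnn udp` decode above
# (documentation-range addresses; the DNS packet shows that unrelated UDP is ignored).
SAMPLE = """\
17:08:05.411695 IP (tos 0x20, ttl 52, id 0, offset 0, flags [DF], proto UDP (17), length 382)
    198.51.100.9.500 > 192.0.2.5.500: isakmp 1.0 msgid 00000000: phase 1 I agg:
    (sa: doi=ipsec situation=identity
        (p: #1 protoid=isakmp transform=1
            (t: #1 id=ike (type=enc value=3des)(type=hash value=md5)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration value=7080))))
    (ke: key len=128)
    (nonce: n len=32)
    (id: idtype=FQDN protoid=0 port=0 len=2 jc)
    (vid: len=8)
17:08:05.412180 IP (tos 0x0, ttl 64, id 2097, offset 0, flags [DF], proto UDP (17), length 84)
    192.0.2.5.500 > 198.51.100.9.500: isakmp 1.0 msgid c74d4d92: phase 2/others R inf:
    (n: doi=ipsec proto=isakmp type=AUTHENTICATION-FAILED spi=2c152607a27e3d2be311701e9fb67cb2)
17:08:10.868246 IP (tos 0x0, ttl 64, id 50112, offset 0, flags [DF], proto UDP (17), length 88)
    192.0.2.5.44126 > 192.0.2.53.53: 44429+ A? monitor.example.internal. (60)
"""

HDR_RE = re.compile(r"isakmp 1\.0 msgid (?P<msgid>[0-9a-f]+): phase (?P<phase>1|2/others) (?P<role>[IR]) (?P<exch>\w+):")
ATTR_RE = re.compile(r"\(type=(?P<type>[^=()]+?) value=(?P<value>[^)]+)\)")
NOTIFY_RE = re.compile(r"\(n: [^)]*?type=(?P<type>[A-Z0-9-]+)")

# Phase 1 settings a reviewer would flag today (assumed thresholds, not from the post),
# keyed by the attribute names tcpdump's ISAKMP decoder prints.
WEAK = {
    "enc": {"des", "3des"},
    "hash": {"md5", "sha1"},
    "group desc": {"modp768", "modp1024", "modp1536"},
}


def split_packets(text):
    """Group tcpdump -v output into packets: a line starting at column 0 begins a new one."""
    packets, current = [], []
    for line in text.splitlines():
        if line and not line[0].isspace():
            if current:
                packets.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)
    if current:
        packets.append("\n".join(current))
    return packets


def parse_packet(packet):
    """Return msgid/phase/role/exchange plus transform attributes and notify types,
    or None when the packet is not ISAKMP."""
    hdr = HDR_RE.search(packet)
    if not hdr:
        return None
    rec = hdr.groupdict()
    rec["attrs"] = {m["type"]: m["value"] for m in ATTR_RE.finditer(packet)}
    rec["notifies"] = [m["type"] for m in NOTIFY_RE.finditer(packet)]
    return rec


def assess(records):
    """Turn parsed packets into findings: weak phase 1 algorithms, aggressive mode with PSK,
    and any notify the peer sent back (the notify type is the actual failure reason)."""
    findings = []
    for r in records:
        if r["phase"] == "1":
            a = r["attrs"]
            findings += [f"weak {k}={a[k]} proposed" for k, bad in WEAK.items() if a.get(k) in bad]
            if r["exch"] == "agg" and a.get("auth") == "preshared":
                findings.append("aggressive mode with PSK: identity and PSK-derived hash travel unencrypted")
        findings += [f"notify {n} from {'responder' if r['role'] == 'R' else 'initiator'}"
                     for n in r["notifies"]]
    return findings


def analyze(text):
    records = [r for r in map(parse_packet, split_packets(text)) if r]
    return records, assess(records)


if __name__ == "__main__":
    for finding in analyze(SAMPLE)[1]:
        print(finding)
```

Run against the sample it reports the 3DES/MD5/modp1024 proposal, the aggressive-mode-with-PSK combination (the reason the daemon prints "weakSwan" at startup once `i_dont_care_about_security_and_use_aggressive_mode_psk` is set), and the AUTHENTICATION-FAILED notify from the responder; the DNS packet is dropped because its header never matches.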

Check the logs:

Open the strongswan.conf file

[root@WWW strongswan]# ls
ipsec.conf  ipsec.d  ipsec.secrets  strongswan.conf  strongswan.conf.bak  strongswan.d  swanctl
[root@WWW strongswan]# cat strongswan.conf

Add the filelog logging section:

charon {
    load_modular = yes
    i_dont_care_about_security_and_use_aggressive_mode_psk = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
    filelog {
        charon {
            # path to the log file, specify this as section name in versions prior to 5.7.0
            path = /var/log/charon.log
            # add a timestamp prefix
            time_format = %b %e %T
            # prepend connection name, simplifies grepping
            ike_name = yes
            # overwrite existing files
            append = no
            # increase default loglevel for all daemon subsystems
            default = 2
            # flush each line to disk
            flush_line = yes
        }
        stderr {
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel.
            ike = 2
            knl = 3
        }
    }
}

Read the log:

Change into the log directory

cd /var/log/

and view the charon.log file
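With `time_format = %b %e %T` and `ike_name = yes` in the filelog section, every charon.log line starts with a timestamp, the thread id, the subsystem in brackets and the IKE_SA as `<name|id>` (or `<id>` when no connection matched), which makes the file easy to group per IKE_SA instead of reading it top to bottom. The script below is an added example, not code from the original post or the strongSwan project; the sample lines are constructed to that layout, the message texts are illustrative approximations of daemon output, and the failure markers are this example's assumptions.

```python
import re

# Constructed charon.log excerpt in the layout the filelog options above produce
# (time_format "%b %e %T", ike_name = yes): timestamp, thread id, subsystem in brackets,
# the IKE_SA as <name|id> or <id> when no connection matched, then the message.
# Message texts are illustrative approximations of daemon output, not copied from a real log.
SAMPLE = """\
Dec 20 17:08:05 06[NET] <3> received packet: from 198.51.100.9[500] to 192.0.2.5[500] (382 bytes)
Dec 20 17:08:05 06[IKE] <3> 198.51.100.9 is initiating a Aggressive Mode IKE_SA
Dec 20 17:08:05 06[CFG] <3> looking for pre-shared key peer configs matching 192.0.2.5...198.51.100.9[jc]
Dec 20 17:08:05 06[IKE] <3> no peer config found
Dec 20 17:08:05 06[NET] <3> sending packet: from 192.0.2.5[500] to 198.51.100.9[500] (84 bytes)
Dec 20 17:09:01 08[IKE] <hq-to-sh|4> 198.51.100.9 is initiating a Aggressive Mode IKE_SA
Dec 20 17:09:01 08[IKE] <hq-to-sh|4> IKE_SA hq-to-sh[4] established between 192.0.2.5[sh]...198.51.100.9[jc]
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<thread>\d+)\[(?P<group>[A-Z]+)\] "
    r"(?:<(?:(?P<name>[^|>]+)\|)?(?P<sa>\d+)> )?(?P<msg>.*)$"
)

# Messages that mark a failed IKE_SA; the literal texts are assumptions for this example.
FAILURE_MARKERS = ("no peer config found", "no IKE config found", "AUTHENTICATION_FAILED",
                   "no proposal found", "no matching peer config")


def parse_charon_log(text):
    """One dict per line: ts, thread, group, name (None if unnamed), sa (None if not SA-bound), msg."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def sa_outcomes(records):
    """Group lines by IKE_SA id and decide whether each SA failed or was established,
    recording the peer address and the first failure message as the reason."""
    outcomes = {}
    for r in records:
        if r["sa"] is None:
            continue  # lines not tied to an IKE_SA (startup, config load)
        o = outcomes.setdefault(r["sa"], {"name": r["name"], "peer": None,
                                           "outcome": "unknown", "reason": None})
        if r["name"]:
            o["name"] = r["name"]
        peer = re.match(r"(\S+) is initiating", r["msg"])
        if peer:
            o["peer"] = peer.group(1)
        if "established between" in r["msg"]:
            o["outcome"] = "established"
        elif o["outcome"] == "unknown" and any(k in r["msg"] for k in FAILURE_MARKERS):
            o["outcome"], o["reason"] = "failed", r["msg"]
    return outcomes


if __name__ == "__main__":
    for sa, o in sa_outcomes(parse_charon_log(SAMPLE)).items():
        print(f"IKE_SA {o['name'] or '(unnamed)'}[{sa}] peer={o['peer']} {o['outcome']}"
              + (f": {o['reason']}" if o["reason"] else ""))
```

An unnamed IKE_SA (`<3>` with no connection name) that ends in a failure marker is the log-side counterpart of the AUTHENTICATION-FAILED notify seen in the capture: the daemon received the peer's request but found no configuration it could authenticate it against.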

Source: https://blog.csdn.net/bingxuesiyang/article/details/135058697