Несколько IPSec туннелей плохо уживаются вместе

[r13]

@Le ecureuil Добрый вечер,

дано - кучка IPIP over IPSec ikev2 туннелей

Сервер На KN1010 и к нему цепляются различные клиенты.

Периодически его начинается "штормить", переподключение клиента приводит к сбросу другого туннеля, и так по кругу

В логе выглядит примерно так:

Скрытый текст

[E] Jun  4 20:12:41 ndm: IpSec::Configurator: crypto map "IPIP7" is appeared down.
Jun  4 20:12:41 ndm: IpSec::Configurator: "IPIP7": crypto map active IKE SA: 0, active CHILD SA: 0.
Jun  4 20:12:41 ndm: Network::Interface::SecureIPTunnel: "IPIP7": IPsec layer is down, shutdown tunnel layer.
Jun  4 20:12:41 ndm: Network::Interface::SecureIPTunnel: "IPIP7": secured tunnel is down.
Jun  4 20:12:41 ndm: IpSec::Manager: IP secure connection "IPIP7" was stopped.
Jun  4 20:12:41 ndm: kernel: Disable SMB fastpath
Jun  4 20:12:41 ndm: kernel: Enable SMB fastpath for 10.0.1.1/255.255.255.0
Jun  4 20:12:41 ndm: kernel: Enable SMB fastpath for 172.45.4.1/255.255.255.0
Jun  4 20:12:41 ndm: kernel: Enable SMB fastpath for 172.45.8.1/255.255.255.0
Jun  4 20:12:41 ndm: kernel: Enable SMB fastpath for 172.45.9.1/255.255.255.0
Jun  4 20:12:41 ndm: kernel: Enable SMB fastpath for 192.168.1.1/255.255.255.0
Jun  4 20:12:43 ndm: IpSec::Manager: create IPsec reconfiguration transaction...
Jun  4 20:12:43 ndm: IpSec::Manager: add config for crypto map "VPNL2TPServer".
Jun  4 20:12:43 ndm: IpSec::Manager: add config for crypto map "IPIP4".
Jun  4 20:12:43 ndm: IpSec::Manager: add config for crypto map "IPIP7".
Jun  4 20:12:43 ndm: IpSec::Manager: add config for crypto map "IPIP8".
Jun  4 20:12:43 ndm: IpSec::Manager: add config for crypto map "IPIP9".
Jun  4 20:12:43 ndm: IpSec::Manager: IPsec reconfiguration transaction was created.
Jun  4 20:12:43 ndm: IpSec::Configurator: start applying IPsec configuration.
Jun  4 20:12:43 ndm: IpSec::Configurator: IPsec configuration applying is done.
Jun  4 20:12:43 ndm: IpSec::Configurator: crypto map "IPIP4" shutdown started.
Jun  4 20:12:43 ipsec: 14[CFG] received stroke: unroute 'IPIP4'
Jun  4 20:12:43 ipsec: 16[CFG] received stroke: terminate 'IPIP4{*}'
Jun  4 20:12:43 ipsec: 09[IKE] closing CHILD_SA IPIP4{282} with SPIs c42b497b_i (0 bytes) ca10af22_o (0 bytes) and TS 178.234.218.141/32[ipencap] === 176.59.33.77/32[ipencap]
Jun  4 20:12:43 ipsec: 09[IKE] sending DELETE for ESP CHILD_SA with SPI c42b497b
Jun  4 20:12:43 ipsec: 11[CFG] received stroke: terminate 'IPIP4[*]'
Jun  4 20:12:43 ndm: IpSec::Configurator: crypto map "IPIP4" shutdown complete.
Jun  4 20:12:43 ndm: IpSec::Configurator: crypto map "IPIP7" shutdown started.
Jun  4 20:12:43 ipsec: 13[CFG] received stroke: unroute 'IPIP7'
Jun  4 20:12:43 ipsec: 08[CFG] received stroke: terminate 'IPIP7{*}'
Jun  4 20:12:43 ipsec: 08[CFG] no CHILD_SA named 'IPIP7' found
Jun  4 20:12:44 ndm: IpSec::IpSecNetfilter: start reloading netfilter configuration...
Jun  4 20:12:44 ipsec: 14[CFG] received stroke: terminate 'IPIP7[*]'
Jun  4 20:12:44 ipsec: 14[CFG] no IKE_SA named 'IPIP7' found
Jun  4 20:12:44 ndm: IpSec::Configurator: crypto map "IPIP7" shutdown complete.
Jun  4 20:12:44 ndm: IpSec::IpSecNetfilter: netfilter configuration reloading is done.
Jun  4 20:12:44 ndm: IpSec::Configurator: crypto map "IPIP8" shutdown started.
Jun  4 20:12:44 ipsec: 06[CFG] received stroke: unroute 'IPIP8'
Jun  4 20:12:44 ipsec: 07[CFG] received stroke: terminate 'IPIP8{*}'

Сброс IPIP7 приводит к сбросу живых IPIP4 и IPIP8

Так может продолжаться достаточно долго(вплоть до нескольких часов), потом утаканивается.

Можно это как то починить?

Для примера селфтесты с сервера и пары клиентов.

Изменено 4 июня, 2018 пользователем r13