I spent the whole day today debugging IPsec, and the problem is now solved. The IPsec client host I manage connects to an IPsec server on one of the group's firewalls and links the networks of two sites. Before the IPsec outage, our server room suffered a sudden power failure that shut down the CentOS 7.9 server. After the system came back up, the IPsec VPN to the group's virtual circuit would no longer come up. No configuration files had been changed before or after the reboot, so I assumed that the group's firewall (the IPsec server side) had been reconfigured. Once the group's colleagues confirmed that nothing had changed on their side, I kept debugging on my CentOS 7.9 server: I went through every IPsec-related configuration, ran diagnostic commands and studied their output. When I finally looked at /var/log/secure, I found the culprit behind this failure. Here is the log.
[root@gateway strongswan]# tail -f /var/log/secure
Oct 24 21:03:54 gateway pluto[214727]: packet from 223.107.76.X:500: phase 1 message is part of an unknown exchange
Oct 24 21:04:00 gateway pluto[214727]: packet from 223.107.76.X:500: initial Main Mode message received on 58.210.118.X:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Oct 24 21:04:04 gateway pluto[214727]: packet from 223.107.76.X:500: phase 1 message is part of an unknown exchange
Oct 24 21:04:07 gateway pluto[214727]: packet from 223.107.76.X:500: phase 1 message is part of an unknown exchange
Oct 24 21:04:11 gateway pluto[214727]: packet from 223.107.76.X:500: initial Main Mode message received on 58.210.118.X:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Oct 24 21:04:20 gateway pluto[214727]: packet from 223.107.76.X:500: initial Main Mode message received on 58.210.118.X:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Oct 24 21:04:30 gateway pluto[214727]: packet from 223.107.76.X:500: phase 1 message is part of an unknown exchange
Oct 24 21:04:31 gateway pluto[214727]: packet from 223.107.76.X:500: initial Main Mode message received on 58.210.118.X:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Oct 24 21:04:41 gateway pluto[214727]: packet from 223.107.76.X:500: initial Main Mode message received on 58.210.118.X:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Oct 24 21:04:51 gateway pluto[214727]: packet from 223.107.76.X:500: initial Main Mode message received on 58.210.118.X:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Oct 24 21:05:00 gateway pluto[214727]: packet from 223.107.76.X:500: initial Main Mode message received on 58.210.118.X:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Oct 24 21:05:11 gateway pluto[214727]: packet from 223.107.76.X:500: initial Main Mode message received on 58.210.118.X:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Oct 24 21:05:12 gateway pluto[214727]: packet from 223.107.76.X:500: phase 1 message is part of an unknown exchange
The key lines in the log tell us the root cause: it is not a proposal or PSK mismatch. Another IPsec instance on the system (pluto) is processing the peer's request packets, so the requests are taken over by that instance before strongSwan's charon can accept and authorize them. The related evidence is as follows:
The system status shows charon (42394) started, so strongSwan's charon is running.
But /var/log/secure is full of messages from pluto[…] (initial Main Mode message received … but no connection has been authorized with policy PSK+IKEV1_ALLOW / phase 1 message is part of an unknown exchange). pluto is the Libreswan/Openswan daemon, not strongSwan's daemon charon. The two conflict with each other: the peer's packets are intercepted by pluto, which rejects them with "no authorized policy", and strongSwan's charon never gets a chance to complete the handshake, so the connection stays stuck in CONNECTING.
The fix: run only one IPsec instance (strongSwan/charon), and stop and remove or disable the others (for example libreswan/openswan/pluto). Here is how to check and fix this safely, step by step:
[root@gateway strongswan]# ps aux | egrep 'charon|pluto|strongswan|libreswan|openswan|ipsec' | grep -v egrep
root 42393 0.0 0.0 51972 816 ? Ss 21:03 0:00 /usr/libexec/strongswan/starter --daemon charon
root 42394 0.2 0.0 1464900 7572 ? Ssl 21:03 0:00 /usr/libexec/strongswan/charon --use-syslog --debug-cfg 2 --debug-knl 2 --debug-ike 2 --debug-net 2
root 48507 0.0 0.0 112824 996 pts/1 S+ 21:07 0:00 grep -E --color=auto charon|pluto|strongswan|libreswan|openswan|ipsec
root 158603 0.3 0.0 1464992 7756 ? Sl 16:12 0:56 charon-systemd -F -d -v
root 214727 0.0 0.0 524340 8652 ? Ssl 10:55 0:00 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
[root@gateway-hr strongswan]# systemctl status ipsec
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled; vendor preset: disabled)
Active: active (running) since 五 2025-10-24 10:55:11 CST; 10h ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Main PID: 214727 (pluto)
Status: "Startup completed."
CGroup: /system.slice/ipsec.service
└─214727 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
10月 24 21:07:42 gateway pluto[214727]: packet from 223.107.76.X:500: initial Main Mode message received on 58.210.118.X:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
10月 24 21:07:52 gateway pluto[214727]: packet from 223.107.76.X:500: initial Main Mode message received on 58.210.118.X:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
10月 24 21:07:57 gateway pluto[214727]: packet from 223.107.76.X:500: phase 1 message is part of an unknown exchange
10月 24 21:08:01 gateway pluto[214727]: packet from 223.107.76.X:500: initial Main Mode message received on 58.210.118.X:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
10月 24 21:08:08 gateway pluto[214727]: packet from 223.107.76.X:500: phase 1 message is part of an unknown exchange
10月 24 21:08:12 gateway pluto[214727]: packet from 223.107.76.X:500: initial Main Mode message received on 58.210.118.X:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
10月 24 21:08:22 gateway pluto[214727]: packet from 223.107.76.X:500: initial Main Mode message received on 58.210.118.X:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
10月 24 21:08:32 gateway pluto[214727]: packet from 223.107.76.X:500: initial Main Mode message received on 58.210.118.X:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
10月 24 21:08:42 gateway pluto[214727]: packet from 223.107.76.X:500: initial Main Mode message received on 58.210.118.X:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
10月 24 21:08:52 gateway pluto[214727]: packet from 223.107.76.X:500: initial Main Mode message received on 58.210.118.X:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Stop the ipsec service:
[root@gateway strongswan]# systemctl stop ipsec
Disable the ipsec service so it does not start again on the next reboot:
[root@gateway strongswan]# systemctl disable ipsec
After the ipsec service has been stopped, restart strongSwan:
[root@gateway strongswan]# systemctl restart strongswan
About 5 minutes later the IPsec connection was back to normal.
Conclusion: the root cause was that when strongSwan IPsec was set up on this CentOS system, the other IPsec service was only stopped, not disabled. On this reboot it started together with the system, so multiple IPsec services were running and conflicting with each other, and the IPsec VPN connection failed.
Once IPsec is connected again, the following commands can be used to inspect how it is running:
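As an added example that is not part of the original post, here are two shell checks that make the diagnosis above mechanical: one extracts which daemon is logging the IKE rejections in /var/log/secure (pluto, although charon is the daemon that was configured), the other lists which processes own UDP/500 and UDP/4500 from ss output, so that a second IKE stack shows up before anyone suspects the peer's configuration. The log lines and ss listings embedded below are constructed samples that mirror the situation on this page; the ss column format assumed is that of ss -lunp run as root.

```shell
#!/bin/sh
# Added example, not code from the original post. Both checks read from stdin so
# they work on a saved log or socket listing as well as on the live gateway.

# Which daemon is rejecting the peer's IKE packets?  /var/log/secure prefixes each
# line with "<daemon>[<pid>]:", so the name tells us which IKE stack saw the packet.
rejecting_daemons() {
    grep -E 'no connection has been authorized|unknown exchange' \
    | sed -n 's/.* \([a-z_-]*\)\[[0-9]*\]: packet from .*/\1/p' | sort -u
}

# Which processes own UDP/500 and UDP/4500?  Feed it the output of `ss -lunp`
# (run as root so the Process column is populated).
ike_port_owners() {
    grep -E '[^[:space:]]:(500|4500)[[:space:]]' \
    | grep -o '"[^"]*"' | tr -d '"' | sort -u
}

# Succeeds only when the expected daemon is the sole owner of the IKE ports;
# any second owner (pluto next to charon, as on this page) is a conflict.
ike_owner_is_only() {
    expected=$1
    owners=$(ike_port_owners | tr '\n' ' ')
    [ "$owners" = "$expected " ]
}

# Constructed samples that mirror the page: pluto logs the rejections and both
# daemons hold the IKE ports; SAMPLE_SS_FIXED is the state after "systemctl stop ipsec".
SAMPLE_LOG='Oct 24 21:04:00 gateway pluto[214727]: packet from 223.107.76.X:500: initial Main Mode message received on 58.210.118.X:500 but no connection has been authorized with policy PSK+IKEV1_ALLOW
Oct 24 21:04:04 gateway pluto[214727]: packet from 223.107.76.X:500: phase 1 message is part of an unknown exchange
Oct 24 21:04:05 gateway charon[42394]: 05[CFG] loaded 1 connection'
SAMPLE_SS='UNCONN 0 0 0.0.0.0:500 0.0.0.0:* users:(("pluto",pid=214727,fd=20),("charon",pid=42394,fd=12))
UNCONN 0 0 0.0.0.0:4500 0.0.0.0:* users:(("pluto",pid=214727,fd=21),("charon",pid=42394,fd=13))
UNCONN 0 0 127.0.0.1:323 0.0.0.0:* users:(("chronyd",pid=700,fd=5))'
SAMPLE_SS_FIXED='UNCONN 0 0 0.0.0.0:500 0.0.0.0:* users:(("charon",pid=42394,fd=12))
UNCONN 0 0 0.0.0.0:4500 0.0.0.0:* users:(("charon",pid=42394,fd=13))'

# On the live gateway:  ss -lunp | ike_owner_is_only charon && echo "only charon owns UDP/500 and 4500"
# On the real log:      tail -n 200 /var/log/secure | rejecting_daemons
```

On the constructed samples, rejecting_daemons prints only pluto, ike_port_owners prints charon and pluto, and ike_owner_is_only charon fails until the pluto entries are gone.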
[root@gateway strongswan]# swanctl --stats
uptime: 88 seconds, since Oct 26 20:40:18 2025
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 3
IKE_SAs: 1 total, 0 half-open
mallinfo: sbrk 2809856, mmap 0, used 616736, free 2193120
loaded plugins: charon-systemd pkcs11 tpm aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt fips-prf gmp curve25519 chapoly xcbc cmac hmac ctr ccm gcm curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-sim eap-aka eap-aka-3gpp eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap xauth-pam xauth-noauth dhcp led duplicheck unity counters
[root@gateway strongswan]# swanctl --list-sas
tohr: #1, ESTABLISHED, IKEv1, 296533cc0b5f7c42_i 162ce32d1723bfbb_r*
local '58.210.118.X' @ 58.210.118.X[4500]
remote '223.107.76.X' @ 223.107.76.X[4500]
AES_CBC-128/HMAC_MD5_96/PRF_HMAC_MD5/MODP_768
established 122s ago, rekeying in 13045s
tohr-child: #1, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_MD5_96
installed 122s ago, rekeying in 3136s, expires in 3838s
in cab0a062, 233 bytes, 3 packets, 19s ago
out ee201c82, 261 bytes, 3 packets, 16s ago
local 10.10.10.0/24
remote 10.20.101.0/24
[root@gateway strongswan]# swanctl --list-conns
tohr: IKEv1, reauthentication every 14400s, dpd delay 30s
local: 58.210.118.X
remote: 223.107.76.X
local pre-shared key authentication:
id: 58.210.118.X
remote pre-shared key authentication:
id: 223.107.76.X
tohr-child: TUNNEL, rekeying every 3600s, dpd action is clear
local: 10.10.10.0/24
remote: 10.20.101.0/24
[root@gateway strongswan]# ip xfrm
monitor policy state
[root@gateway strongswan]# ip xfrm state
src 58.210.118.163 dst 223.107.76.166
proto esp spi 0xee201c82 reqid 1 mode tunnel
replay-window 0 flag af-unspec
auth-trunc hmac(md5) 0x1cd8625b5141a848432d40e1a597be68 96
enc cbc(aes) 0x065f01c1a87299935c1acb9720238c93
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x8, bitmap 0x00000000
src 223.107.76.166 dst 58.210.118.163
proto esp spi 0xcab0a062 reqid 1 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(md5) 0x297fbb67b5d222dc82591d14a6a699d4 96
enc cbc(aes) 0xa8f36746e1faa1c789f2f67d09948c8c
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x8, oseq 0x0, bitmap 0x000000ff
[root@gateway strongswan]# ip xfrm policy
src 10.10.10.0/24 dst 10.20.101.0/24
dir out priority 375423 ptype main
tmpl src 58.210.118.X dst 223.107.76.X
proto esp spi 0xee201c82 reqid 1 mode tunnel
src 10.20.101.0/24 dst 10.10.10.0/24
dir fwd priority 375423 ptype main
tmpl src 223.107.76.X dst 58.210.118.X
proto esp reqid 1 mode tunnel
src 10.20.101.0/24 dst 10.10.10.0/24
dir in priority 375423 ptype main
tmpl src 223.107.76.X dst 58.210.118.X
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
[root@gateway strongswan]# ip xfrm monitor
Async event (0x10) replay update
src 58.210.118.X dst 223.107.76.X reqid 0x1 protocol esp SPI 0xee201c82
Async event (0x10) replay update
src 223.107.76.X dst 58.210.118.X reqid 0x1 protocol esp SPI 0xcab0a062
Async event (0x20) timer expired
src 58.210.118.X dst 223.107.76.X reqid 0x1 protocol esp SPI 0xee201c82
Async event (0x20) timer expired
src 223.107.76.X dst 58.210.118.X reqid 0x1 protocol esp SPI 0xcab0a062