IPSecクライアントがPFSの実行時にハングしました
環境
- ONTAP9.8P3
- Libreswan 4.4
- IPSec
- Perfect Forward Secrecy(PFS)
問題
- Libreswan IPsec接続は'PFSがオンのときにハングします
Charon logフェーズ2のIPsec SAのキーの再生成に失敗したことが表示されます
Mar 30 21:19:54.383 08[CFG] received proposals: ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ, ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQMar 30 21:19:54.383 08[CFG] configured proposals: ESP:AES_GCM_16_256/NO_EXT_SEQMar 30 21:19:54.384 08[IKE] no acceptable proposal foundMar 30 21:19:54.384 08[IKE] failed to establish CHILD_SA, keeping IKE_SAMar 30 21:19:56.782 08[IKE] establishing CHILD_SA vs1000:adm_864_1000{23} reqid 15Mar 30 21:19:56.784 08[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA builtMar 30 21:19:56.784 08[IKE] failed to establish CHILD_SA, keeping IKE_SAMar 30 21:19:56.784 08[IKE] CHILD_SA rekeying failed, trying again in 9 secondsMar 30 21:20:05.786 05[IKE] establishing CHILD_SA vs1000:adm_864_vs1000{24} reqid 15Mar 30 21:20:05.788 05[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA builtMar 30 21:20:05.788 05[IKE] failed to establish CHILD_SA, keeping IKE_SAMar 30 21:20:05.788 05[IKE] CHILD_SA rekeying failed, trying again in 13 seconds- コマンドで
"security ipsec show-ipsecsa -node <node> -vserver <svm>"は空と表示されます