LINUX.ORG.RU

mikrotik, ikev2, ipsec


Good afternoon!

Colleagues, please help me figure out a problem. Is the problem on the server side or on the client side? The connection drops every couple of seconds.

vps is the Mikrotik address; tele2 and wifi are the addresses on iOS.

03:30:00 ipsec,info acquired 10.0.88.249 address for __TELE2__, 01-ike
03:30:01 ipsec,info new ike2 SA (R): __VPS__[500]-__WIFI__[500] spi:30e41204fd1b0541:7f380206ae0af9f9
03:30:01 ipsec,info,account peer authorized: __VPS__[4500]-__WIFI__[4500] spi:30e41204fd1b0541:7f380206ae0af9f9
03:30:01 ipsec,info killing ike2 SA: __VPS__[4500]-__TELE2__[65416] spi:0ae2fdfa3151043b:0e56ca87db64ba62
03:30:01 ipsec,info releasing address 10.0.88.249
03:30:01 ipsec,info acquired 10.0.88.253 address for __WIFI__, 01-ike
03:30:08 ipsec,info new ike2 SA (R): __VPS__[500]-__TELE2__[25024] spi:3d8b3a9bae048758:073fe7b8d363b1b3
03:30:08 ipsec,info,account peer authorized: __VPS__[4500]-__TELE2__[65416] spi:3d8b3a9bae048758:073fe7b8d363b1b3
03:30:08 ipsec,info killing ike2 SA: __VPS__[4500]-__WIFI__[4500] spi:30e41204fd1b0541:7f380206ae0af9f9
03:30:08 ipsec,info releasing address 10.0.88.253
03:30:08 ipsec,info acquired 10.0.88.249 address for __TELE2__, 01-ike
03:30:10 ipsec,info new ike2 SA (R): __VPS__[500]-__WIFI__[500] spi:a96bb8e575c633d6:c6eee78965e0b120
03:30:10 ipsec,info,account peer authorized: __VPS__[4500]-__WIFI__[4500] spi:a96bb8e575c633d6:c6eee78965e0b120
03:30:10 ipsec,info killing ike2 SA: __VPS__[4500]-__TELE2__[65416] spi:3d8b3a9bae048758:073fe7b8d363b1b3
03:30:10 ipsec,info releasing address 10.0.88.249
03:30:10 ipsec,info acquired 10.0.88.253 address for __WIFI__, 01-ike
03:30:16 ipsec,info new ike2 SA (R): __VPS__[500]-__TELE2__[25024] spi:d4f6ccf296344fd9:ce5d61c47d63d64d
03:30:16 ipsec,info,account peer authorized: __VPS__[4500]-__TELE2__[65416] spi:d4f6ccf296344fd9:ce5d61c47d63d64d
03:30:16 ipsec,info killing ike2 SA: __VPS__[4500]-__WIFI__[4500] spi:a96bb8e575c633d6:c6eee78965e0b120
03:30:16 ipsec,info releasing address 10.0.88.253
03:30:16 ipsec,info acquired 10.0.88.249 address for __TELE2__, 01-ike
03:30:17 ipsec,info new ike2 SA (R): __VPS__[500]-__WIFI__[500] spi:f7b1719bfdfe0dda:365dec7519a74048
03:30:18 ipsec,info,account peer authorized: __VPS__[4500]-__WIFI__[4500] spi:f7b1719bfdfe0dda:365dec7519a74048
03:30:18 ipsec,info killing ike2 SA: __VPS__[4500]-__TELE2__[65416] spi:d4f6ccf296344fd9:ce5d61c47d63d64d
03:30:18 ipsec,info releasing address 10.0.88.249
03:30:18 ipsec,info acquired 10.0.88.253 address for __WIFI__, 01-ike
03:30:24 ipsec,info new ike2 SA (R): __VPS__[500]-__TELE2__[25024] spi:7309ef83e940cc76:383e52937bcb58ed
03:30:24 ipsec,info,account peer authorized: __VPS__[4500]-__TELE2__[65416] spi:7309ef83e940cc76:383e52937bcb58ed
03:30:24 ipsec,info killing ike2 SA: __VPS__[4500]-__WIFI__[4500] spi:f7b1719bfdfe0dda:365dec7519a74048
03:30:24 ipsec,info releasing address 10.0.88.253
03:30:24 ipsec,info acquired 10.0.88.249 address for __TELE2__, 01-ike
03:30:25 ipsec,info new ike2 SA (R): __VPS__[500]-__WIFI__[500] spi:2016f203517113bf:82a3bec8fddeeb3c
03:30:25 ipsec,info,account peer authorized: __VPS__[4500]-__WIFI__[4500] spi:2016f203517113bf:82a3bec8fddeeb3c
03:30:25 ipsec,info killing ike2 SA: __VPS__[4500]-__TELE2__[65416] spi:7309ef83e940cc76:383e52937bcb58ed
03:30:25 ipsec,info releasing address 10.0.88.249
03:30:25 ipsec,info acquired 10.0.88.253 address for __WIFI__, 01-ike

/ip ipsec mode-config
add address-pool=pool2 address-prefix-length=32 name=modeconf2 split-include=0.0.0.0/0 static-dns=10.0.88.1 system-dns=no
/ip ipsec policy group
add name=group2
/ip ipsec profile
add dh-group=ecp384 enc-algorithm=aes-256 hash-algorithm=sha512 name=profile2
/ip ipsec peer
add exchange-mode=ike2 local-address=__VPS__ name=peer2 passive=yes profile=profile2
/ip ipsec proposal
add auth-algorithms=sha512 enc-algorithms=aes-256-gcm lifetime=8h name=proposal2 pfs-group=ecp384
/ip ipsec identity
add auth-method=digital-signature certificate=vps-ike.p12 generate-policy=port-strict match-by=certificate mode-config=modeconf2 peer=peer2 policy-template-group=group2 remote-certificate=01-ike.crt remote-id=ignore
/ip ipsec policy
add dst-address=10.0.88.0/24 group=group2 proposal=proposal2 src-address=0.0.0.0/0 template=yes
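
An added example, not part of the original post: a small Python parser for the RouterOS log format shown above that pairs each `killing ike2 SA` line with the `peer authorized` line preceding it, reporting how long each SA lived and which remote had just authenticated. The function names and the 30-second threshold are assumptions; the sample lines are copied from the log in the post, and timestamps are assumed to fall within one day.

```python
import re
from datetime import datetime

# Lines copied from the log in the post (address placeholders as posted).
SAMPLE_LOG = """\
03:30:01 ipsec,info,account peer authorized: __VPS__[4500]-__WIFI__[4500] spi:30e41204fd1b0541:7f380206ae0af9f9
03:30:01 ipsec,info killing ike2 SA: __VPS__[4500]-__TELE2__[65416] spi:0ae2fdfa3151043b:0e56ca87db64ba62
03:30:01 ipsec,info releasing address 10.0.88.249
03:30:08 ipsec,info new ike2 SA (R): __VPS__[500]-__TELE2__[25024] spi:3d8b3a9bae048758:073fe7b8d363b1b3
03:30:08 ipsec,info,account peer authorized: __VPS__[4500]-__TELE2__[65416] spi:3d8b3a9bae048758:073fe7b8d363b1b3
03:30:08 ipsec,info killing ike2 SA: __VPS__[4500]-__WIFI__[4500] spi:30e41204fd1b0541:7f380206ae0af9f9
03:30:10 ipsec,info,account peer authorized: __VPS__[4500]-__WIFI__[4500] spi:a96bb8e575c633d6:c6eee78965e0b120
03:30:10 ipsec,info killing ike2 SA: __VPS__[4500]-__TELE2__[65416] spi:3d8b3a9bae048758:073fe7b8d363b1b3
"""

EVENT = re.compile(
    r"^(\d\d:\d\d:\d\d) \S+ (peer authorized|killing ike2 SA): "
    r"\S+?\[\d+\]-(\S+?)\[\d+\] spi:([0-9a-f]+:[0-9a-f]+)$"
)

def sa_displacements(log_text):
    """Return (kill_time, killed_remote, lifetime_s, remote_authorized_just_before)."""
    auth_time = {}      # spi -> time the SA was authorized
    last_auth = None    # remote of the most recent "peer authorized" line
    out = []
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue    # "new ike2 SA", address acquire/release, etc.
        ts, event, remote, spi = m.groups()
        t = datetime.strptime(ts, "%H:%M:%S")
        if event == "peer authorized":
            auth_time[spi], last_auth = t, remote
        else:
            born = auth_time.pop(spi, None)   # None: SA predates the excerpt
            life = int((t - born).total_seconds()) if born is not None else None
            out.append((ts, remote, life, last_auth))
    return out

def is_flapping(displacements, max_lifetime_s=30):
    """True if two different remotes keep replacing each other's short-lived SAs.
    The 30 s default is an assumed threshold, not a RouterOS value."""
    short = [d for d in displacements
             if d[2] is not None and d[2] <= max_lifetime_s and d[3] not in (None, d[1])]
    return len(short) >= 2 and len({d[1] for d in short}) >= 2

if __name__ == "__main__":
    for row in sa_displacements(SAMPLE_LOG):
        print(row)
    print("flapping:", is_flapping(sa_displacements(SAMPLE_LOG)))
```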