Good afternoon! Can anyone help? I've hit a dead end. There are two servers at Hetzner, and a tunnel managed by strongSwan was running between them in transport mode. It worked stably, without failures, for about half a year. For unknown reasons this VPN has stopped working. Here is the config from both sides.
1-host
config setup
    uniqueids=yes
    charondebug=1

conn %default
    type=transport
    keyingtries=%forever
    authby=secret
    esp=aes256-sha1
    ike=aes256-sha1-modp1024
    keylife=8h
    keyexchange=ikev2
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=hold
    left=*.*.*.*

conn balancer
    leftsubnet=172.16.0.0/24
    right=*.*.*.*
    rightsubnet=192.168.70.0/24
    auto=start
2-host
config setup
    uniqueids=yes

conn %default
    type=transport
    keyingtries=%forever
    authby=secret
    esp=aes256-sha1
    ike=aes256-sha1-modp1024
    keylife=8h
    keyexchange=ikev2
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    mobike=no
    aggressive=yes
    inactivity=5000
    left=*.*.*.*

conn dev
    leftsubnet=192.168.70.0/24
    right=*.*.*.*
    rightsubnet=172.16.0.0/24
    auto=start
When establishing the connection from host 1, we get:
initiating IKE_SA balancer01[9] to *.*.*.*
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from *.*.*.*[500] to *.*.*.*[500] (1276 bytes)
received packet: from *.*.*.*[500] to *.*.*.*[500] (330 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(HASH_ALG) N(MULT_AUTH) ]
authentication of '*.*.*.*' (myself) with pre-shared key
establishing CHILD_SA balancer
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH N(USE_TRANSP) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) N(MULT_AUTH) N(EAP_ONLY) ]
sending packet: from *.*.*.*[4500] to *.*.*.*[4500] (444 bytes)
received packet: from *.*.*.*[4500] to *.*.*.*[4500] (124 bytes)
parsed IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(TS_UNACCEPT) ]
authentication of '*.*.*.*' with pre-shared key successful
IKE_SA balancer01[9] established between *.*.*.*[*.*.*.*]...*.*.*.*[*.*.*.*]
scheduling reauthentication in 10205s
maximum IKE_SA lifetime 10745s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'balancer' failed
When establishing the connection from host 2:
establishing CHILD_SA develspace
generating CREATE_CHILD_SA request 3 [ N(USE_TRANSP) SA No TSi TSr ]
sending packet: from *.*.*.*[4500] to *.*.*.*[4500] (332 bytes)
received packet: from *.*.*.*[4500] to *.*.*.*[4500] (76 bytes)
parsed CREATE_CHILD_SA response 3 [ N(TS_UNACCEPT) ]
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'develspace' failed
I've dug through everything and don't know where to look.
P.S. If both ends use tunnel instead of transport, everything works.