iOS/Mac-compatible IPSec VPN server on Ubuntu
I bought a VPS from a Xen VPS host, and its load is quite light, so I want to run a VPN on it. The configuration I'm shooting for is "roadwarrior" style, because I want to use it to secure my iPhone's and Mac's connections when I'm away from home. Keep in mind that I'm a programmer, not a sysadmin, so all of this is foreign to me.

After failing to get a StrongSWAN/PPP/xL2TP setup working, I came across racoon, which seemed like a much simpler option. I'm trying to avoid certificates, because getting them onto an iOS device can be annoying (just a guess). So I've configured racoon on the VPS such that I can successfully connect to it and authenticate via XAUTH backed by the system user database. That all seems to be working; it's the NAT/networking side that isn't working, and I'm completely clueless about it.
My VPS runs Ubuntu 10.10. I get the following output from `ifconfig` (I guess it might be relevant):

```
eth0      Link encap:Ethernet  HWaddr 00:16:3e:4a:7f:29
          inet addr:69.172.231.11  Bcast:69.172.231.63  Mask:255.255.255.192
          inet6 addr: fe80::216:3eff:fe4a:7f29/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5234214 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2417090 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:553246281 (553.2 MB)  TX bytes:5237753987 (5.2 GB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1577698 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1577698 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
```
Here is my racoon config file:

```
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

timer {
    natt_keepalive 10sec;
}

remote anonymous {
    exchange_mode main, aggressive, base;
    doi ipsec_doi;
    situation identity_only;
    nat_traversal on;
    script "/etc/racoon/phase1-up.sh" phase1_up;
    script "/etc/racoon/phase1-down.sh" phase1_down;
    generate_policy on;
    ike_frag on;
    passive on;
    my_identifier address 69.172.231.11;
    peers_identifier fqdn "zcr.me";
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
    proposal_check claim;
}

sainfo anonymous {
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

mode_cfg {
    auth_source system;
    save_passwd on;
    network4 10.1.0.0;
    pool_size 100;
}
```
The config was pieced together from various tutorials around the net, so it may be... odd. When I connect to the VPN, the client produces the following output:

```
4/12/11 2:21:43 PM racoon[191] Connecting.
4/12/11 2:21:43 PM racoon[191] IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
4/12/11 2:21:43 PM racoon[191] IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
4/12/11 2:21:43 PM racoon[191] IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
4/12/11 2:21:43 PM racoon[191] IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
4/12/11 2:21:43 PM racoon[191] IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
4/12/11 2:21:46 PM racoon[191] IKE Packet: transmit success. (Mode-Config message).
4/12/11 2:21:46 PM racoon[191] IKEv1 XAUTH: success. (XAUTH Status is OK).
4/12/11 2:21:46 PM racoon[191] IKE Packet: transmit success. (Mode-Config message).
4/12/11 2:21:46 PM racoon[191] IKEv1 Config: retransmited. (Mode-Config retransmit).
4/12/11 2:21:46 PM racoon[191] IKE Packet: receive success. (MODE-Config).
4/12/11 2:21:46 PM racoon[191] IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
4/12/11 2:21:46 PM racoon[191] IKE Packet: receive success. (Initiator, Quick-Mode message 2).
4/12/11 2:21:46 PM racoon[191] IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
4/12/11 2:21:46 PM racoon[191] IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
4/12/11 2:22:03 PM racoon[191] IKE Packet: transmit success. (Information message).
4/12/11 2:22:03 PM racoon[191] IKEv1 Information-Notice: transmit success. (R-U-THERE?).
4/12/11 2:22:03 PM racoon[191] IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
4/12/11 2:22:04 PM racoon[191] IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
4/12/11 2:22:04 PM racoon[191] IKE Packet: receive success. (Information message).
4/12/11 2:22:04 PM racoon[191] IKE Packet: transmit success. (Information message).
4/12/11 2:22:04 PM racoon[191] IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
4/12/11 2:22:04 PM racoon[191] IKE Packet: transmit success. (Information message).
4/12/11 2:22:04 PM racoon[191] IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
```
The same connection produces the following output on the server side:

```
Apr 12 13:20:20 Zaccaro racoon: INFO: respond new phase 1 negotiation: SERVER.IP.ADDRESS[500]<=>CLIENT.IP.ADDRESS[500]
Apr 12 13:20:20 Zaccaro racoon: INFO: begin Aggressive mode.
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: RFC 3947
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: CISCO-UNITY
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: DPD
Apr 12 13:20:20 Zaccaro racoon: WARNING: No ID match.
Apr 12 13:20:20 Zaccaro racoon: INFO: Selected NAT-T version: RFC 3947
Apr 12 13:20:20 Zaccaro racoon: INFO: Adding remote and local NAT-D payloads.
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing CLIENT.IP.ADDRESS[500] with algo #2
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing SERVER.IP.ADDRESS[500] with algo #2
Apr 12 13:20:20 Zaccaro racoon: INFO: Adding xauth VID payload.
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-T: ports changed to: SERVER.IP.ADDRESS[32768]<->CLIENT.IP.ADDRESS[4500]
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing SERVER.IP.ADDRESS[4500] with algo #2
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-D payload #0 verified
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing CLIENT.IP.ADDRESS[32768] with algo #2
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-D payload #1 doesn't match
Apr 12 13:20:20 Zaccaro racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT detected: PEER
Apr 12 13:20:20 Zaccaro racoon: INFO: Sending Xauth request
Apr 12 13:20:20 Zaccaro racoon: INFO: ISAKMP-SA established SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
Apr 12 13:20:23 Zaccaro racoon: INFO: Using port 0
Apr 12 13:20:23 Zaccaro racoon: INFO: login succeeded for user "username"
Apr 12 13:20:23 Zaccaro racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Apr 12 13:20:23 Zaccaro racoon: WARNING: Ignored attribute 28683
Apr 12 13:20:23 Zaccaro racoon: INFO: unsupported PF_KEY message REGISTER
Apr 12 13:20:23 Zaccaro racoon: INFO: respond new phase 2 negotiation: SERVER.IP.ADDRESS[4500]<=>CLIENT.IP.ADDRESS[32768]
Apr 12 13:20:23 Zaccaro racoon: INFO: no policy found, try to generate the policy : 10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 12 13:20:23 Zaccaro racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Apr 12 13:20:23 Zaccaro racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Apr 12 13:20:23 Zaccaro racoon: INFO: IPsec-SA established: ESP/Tunnel CLIENT.IP.ADDRESS[32768]->SERVER.IP.ADDRESS[4500] spi=141535132(0x86fa79c)
Apr 12 13:20:23 Zaccaro racoon: INFO: IPsec-SA established: ESP/Tunnel SERVER.IP.ADDRESS[4500]->CLIENT.IP.ADDRESS[32768] spi=48270910(0x2e08e3e)
Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=in"
Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=fwd"
Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 10.1.0.0/32[0] proto=any dir=out"
Apr 12 13:20:40 Zaccaro racoon: INFO: generated policy, deleting it.
Apr 12 13:20:40 Zaccaro racoon: INFO: purged IPsec-SA proto_id=ESP spi=48270910.
Apr 12 13:20:40 Zaccaro racoon: INFO: ISAKMP-SA expired SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
Apr 12 13:20:41 Zaccaro racoon: INFO: ISAKMP-SA deleted SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
Apr 12 13:20:41 Zaccaro racoon: INFO: Released port 0
Apr 12 13:20:41 Zaccaro racoon: INFO: unsupported PF_KEY message REGISTER
Apr 12 13:21:02 Zaccaro sm-msp-queue[23481]: unable to qualify my own domain name (Zaccaro) -- using short name
```
I think part of the problem may stem from the phase1-up and phase1-down scripts.

phase1-up.sh:

```bash
#!/bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

# Install the SPD entries for this client's assigned address (INTERNAL_ADDR4)
echo "
spdadd 192.168.1.0/24 ${INTERNAL_ADDR4}/32 any -P out ipsec esp/tunnel/${LOCAL_ADDR}[4500]-${REMOTE_ADDR}[4500]/require;
spdadd ${INTERNAL_ADDR4}/32 192.168.1.0/24 any -P in ipsec esp/tunnel/${REMOTE_ADDR}[4500]-${LOCAL_ADDR}[4500]/require;
" | setkey -c
```

phase1-down.sh:

```bash
#!/bin/bash
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

# Flush the client's SAs and remove the SPD entries installed by phase1-up.sh
echo "
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
spddelete 192.168.1.0/24[any] ${INTERNAL_ADDR4}[any] any -P out ipsec esp/tunnel/${LOCAL_ADDR}-${REMOTE_ADDR}/require;
spddelete ${INTERNAL_ADDR4}[any] 192.168.1.0/24[any] any -P in ipsec esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require;
" | setkey -c
```
All of this happens, and the client reports that it has connected successfully with the IP address 10.1.0.0. At that point, any attempt to reach the internet fails immediately. That's the problem.

**Edit:** Here is some more diagnostic information.

While I'm connected to the VPN, pinging the VPS's public IP address succeeds. However, pinging 8.8.8.8 (the DNS server the VPN is set to use by default) times out. As a result, no hostnames can be resolved at all.
Second edit:

```
» route -nv
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
69.172.231.0    0.0.0.0         255.255.255.192 U     0      0        0 eth0
0.0.0.0         69.172.231.1    0.0.0.0         UG    0      0        0 eth0
» iptables -L -nv
Chain INPUT (policy ACCEPT 49270 packets, 6376K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 42570 packets, 8573K bytes)
 pkts bytes target     prot opt in     out     source               destination
```
Where did you get the `phase1-up.sh` and `phase1-down.sh` scripts? There should be some examples in the racoon distribution, in `.../racoon/samples/roadwarrior/client/`. Try using those. As a quick experiment, you could replace every occurrence of 192.168.1.0/24 in those scripts with 10.1.0.0/24, but I don't know how you've set up networking on your Ubuntu VPS. If none of that works, please post the output of `route -nv` and `iptables -L -nv` on your Ubuntu VPS.
It looks like your problem has nothing to do with IPSEC. Out of the box, Ubuntu does not route any packets, so a connection like this only gives you access to your server, not to the internet.

What you need to do is follow a tutorial like this one: https://help.ubuntu.com/community/Internet/ConnectionSharing

It will help you set up Ubuntu as a router/firewall with NAT and routing enabled.

You can skip the part about DHCP, since you already get an IP via IPSEC.
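The routing/NAT step this answer points to, as an added example that is not part of the original answer or of the linked Ubuntu guide. It assumes the client pool is 10.1.0.0/24 (from `network4 10.1.0.0` and `pool_size 100` in the question's racoon config) and that the uplink is `eth0` (from the question's `ifconfig` output); both are parameters, not facts the answer states. Unlike a bare "forward everything" setup, it limits forwarding to the VPN pool and clamps TCP MSS, which matters once ESP tunnel overhead shrinks the effective MTU.

```shell
#!/bin/sh
# Added example (not from the question or the answers): enable IPv4 forwarding
# and NAT on the VPS for the racoon mode_cfg client pool.
# Assumptions: pool 10.1.0.0/24 and uplink eth0, both overridable via env vars.
VPN_POOL="${VPN_POOL:-10.1.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Emit the iptables commands, one per line, so they can be reviewed before they
# are run. FORWARD defaults to DROP and only the VPN pool may be forwarded out
# of the uplink; replies come back through the connection tracker. The MSS
# clamp prevents black-holed TCP sessions caused by the tunnel's smaller MTU.
nat_rules() {
    pool="$1"
    wan="$2"
    printf '%s\n' \
        "iptables -P FORWARD DROP" \
        "iptables -A FORWARD -s $pool -o $wan -j ACCEPT" \
        "iptables -A FORWARD -d $pool -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "iptables -t nat -A POSTROUTING -s $pool -o $wan -j MASQUERADE" \
        "iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
}

# True when IPv4 forwarding is on. The sysctl file path is a parameter so the
# check can be run against any file, not only the live kernel.
forwarding_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Apply everything (needs root): turn forwarding on now, persist it across
# reboots through /etc/sysctl.conf, then load the rules from nat_rules.
apply_nat() {
    sysctl -w net.ipv4.ip_forward=1
    grep -q '^net.ipv4.ip_forward=1' /etc/sysctl.conf ||
        echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
    nat_rules "$VPN_POOL" "$WAN_IF" | sh -e
}

# Usage: sh vpn-nat.sh show | check | apply
case "${1:-}" in
    show)  nat_rules "$VPN_POOL" "$WAN_IF" ;;
    check) if forwarding_enabled; then echo "ip_forward: on"; else echo "ip_forward: OFF"; fi ;;
    apply) apply_nat ;;
esac
```

`sh vpn-nat.sh check` is the first thing to run: the question's `iptables -L -nv` shows the FORWARD chain with 0 packets, which is exactly what a kernel with `ip_forward=0` looks like, so the ping to 8.8.8.8 never leaves the VPS. The iptables rules themselves do not survive a reboot; the linked Ubuntu guide covers saving them.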