
iOS/Mac-compatible IPSec VPN server on Ubuntu

  • April 21, 2011

I bought a VPS from a Xen VPS host, and it is under a fairly light load, so I want to run a VPN on it. The configuration I'm shooting for is "roadwarrior" style, because I want to use it to secure my iPhone's and Mac's connections when I'm away from home. Bear in mind that I'm a programmer, not a sysadmin, so all of this is foreign to me.

After failing to get a StrongSWAN/PPP/xL2TP setup working, I came across racoon, which seemed like a much simpler option. I'm trying to avoid certificates, since getting them onto an iOS device is probably an annoying process (just a guess). So I have configured racoon on the VPS so that I can connect to it successfully and authenticate via XAUTH backed by the system user database. That all seems to be working; it's the NAT/networking part that doesn't work, and that is the part I'm completely unfamiliar with.

My VPS runs Ubuntu 10.10. I get the following output from ifconfig (which I guess might be relevant):

eth0      Link encap:Ethernet  HWaddr 00:16:3e:4a:7f:29  
         inet addr:69.172.231.11  Bcast:69.172.231.63  Mask:255.255.255.192
         inet6 addr: fe80::216:3eff:fe4a:7f29/64 Scope:Link
         UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
         RX packets:5234214 errors:0 dropped:0 overruns:0 frame:0
         TX packets:2417090 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:1000 
         RX bytes:553246281 (553.2 MB)  TX bytes:5237753987 (5.2 GB)
lo        Link encap:Local Loopback  
         inet addr:127.0.0.1  Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING  MTU:16436  Metric:1
         RX packets:1577698 errors:0 dropped:0 overruns:0 frame:0
         TX packets:1577698 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0

Here is my racoon config file:

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

timer {
       natt_keepalive 10sec;
}

remote anonymous {
       exchange_mode main, aggressive, base;
       doi ipsec_doi;
       situation identity_only;
       nat_traversal on;
       script "/etc/racoon/phase1-up.sh" phase1_up;
       script "/etc/racoon/phase1-down.sh" phase1_down;
       generate_policy on;
       ike_frag on;
       passive on;
       my_identifier address 69.172.231.11;
       peers_identifier fqdn "zcr.me";
       proposal {
               encryption_algorithm aes;
               hash_algorithm sha1;
               authentication_method xauth_psk_server;
               dh_group 2;
       }
       proposal_check claim;
}


sainfo anonymous {
       encryption_algorithm aes;
       authentication_algorithm hmac_sha1;
       compression_algorithm deflate;
}

mode_cfg {
       auth_source system;
       save_passwd on;
       network4 10.1.0.0;
       pool_size 100;
}

The config was cobbled together from various tutorials around the net, so it may be... weird. When I connect to the VPN, the client produces the following output:

4/12/11 2:21:43 PM  racoon[191] Connecting.
4/12/11 2:21:43 PM  racoon[191] IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
4/12/11 2:21:43 PM  racoon[191] IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
4/12/11 2:21:43 PM  racoon[191] IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
4/12/11 2:21:43 PM  racoon[191] IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
4/12/11 2:21:43 PM  racoon[191] IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: transmit success. (Mode-Config message).
4/12/11 2:21:46 PM  racoon[191] IKEv1 XAUTH: success. (XAUTH Status is OK).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: transmit success. (Mode-Config message).
4/12/11 2:21:46 PM  racoon[191] IKEv1 Config: retransmited. (Mode-Config retransmit).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: receive success. (MODE-Config).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: receive success. (Initiator, Quick-Mode message 2).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
4/12/11 2:21:46 PM  racoon[191] IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
4/12/11 2:22:03 PM  racoon[191] IKE Packet: transmit success. (Information message).
4/12/11 2:22:03 PM  racoon[191] IKEv1 Information-Notice: transmit success. (R-U-THERE?).
4/12/11 2:22:03 PM  racoon[191] IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
4/12/11 2:22:04 PM  racoon[191] IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
4/12/11 2:22:04 PM  racoon[191] IKE Packet: receive success. (Information message).
4/12/11 2:22:04 PM  racoon[191] IKE Packet: transmit success. (Information message).
4/12/11 2:22:04 PM  racoon[191] IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
4/12/11 2:22:04 PM  racoon[191] IKE Packet: transmit success. (Information message).
4/12/11 2:22:04 PM  racoon[191] IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).

The same connection produces the following output on the server side:

Apr 12 13:20:20 Zaccaro racoon: INFO: respond new phase 1 negotiation: SERVER.IP.ADDRESS[500]<=>CLIENT.IP.ADDRESS[500]
Apr 12 13:20:20 Zaccaro racoon: INFO: begin Aggressive mode.
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: RFC 3947
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: CISCO-UNITY
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: DPD
Apr 12 13:20:20 Zaccaro racoon: WARNING: No ID match.
Apr 12 13:20:20 Zaccaro racoon: INFO: Selected NAT-T version: RFC 3947
Apr 12 13:20:20 Zaccaro racoon: INFO: Adding remote and local NAT-D payloads.
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing CLIENT.IP.ADDRESS[500] with algo #2 
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing SERVER.IP.ADDRESS[500] with algo #2 
Apr 12 13:20:20 Zaccaro racoon: INFO: Adding xauth VID payload.
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-T: ports changed to: SERVER.IP.ADDRESS[32768]<->CLIENT.IP.ADDRESS[4500]
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing SERVER.IP.ADDRESS[4500] with algo #2 
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-D payload #0 verified
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing CLIENT.IP.ADDRESS[32768] with algo #2 
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-D payload #1 doesn't match
Apr 12 13:20:20 Zaccaro racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT detected: PEER
Apr 12 13:20:20 Zaccaro racoon: INFO: Sending Xauth request
Apr 12 13:20:20 Zaccaro racoon: INFO: ISAKMP-SA established SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
Apr 12 13:20:23 Zaccaro racoon: INFO: Using port 0
Apr 12 13:20:23 Zaccaro racoon: INFO: login succeeded for user "username"
Apr 12 13:20:23 Zaccaro racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Apr 12 13:20:23 Zaccaro racoon: WARNING: Ignored attribute 28683
Apr 12 13:20:23 Zaccaro racoon: INFO: unsupported PF_KEY message REGISTER
Apr 12 13:20:23 Zaccaro racoon: INFO: respond new phase 2 negotiation: SERVER.IP.ADDRESS[4500]<=>CLIENT.IP.ADDRESS[32768]
Apr 12 13:20:23 Zaccaro racoon: INFO: no policy found, try to generate the policy : 10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 12 13:20:23 Zaccaro racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Apr 12 13:20:23 Zaccaro racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Apr 12 13:20:23 Zaccaro racoon: INFO: IPsec-SA established: ESP/Tunnel CLIENT.IP.ADDRESS[32768]->SERVER.IP.ADDRESS[4500] spi=141535132(0x86fa79c)
Apr 12 13:20:23 Zaccaro racoon: INFO: IPsec-SA established: ESP/Tunnel SERVER.IP.ADDRESS[4500]->CLIENT.IP.ADDRESS[32768] spi=48270910(0x2e08e3e)
Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=in"
Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=fwd"
Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 10.1.0.0/32[0] proto=any dir=out"
Apr 12 13:20:40 Zaccaro racoon: INFO: generated policy, deleting it.
Apr 12 13:20:40 Zaccaro racoon: INFO: purged IPsec-SA proto_id=ESP spi=48270910.
Apr 12 13:20:40 Zaccaro racoon: INFO: ISAKMP-SA expired SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
Apr 12 13:20:41 Zaccaro racoon: INFO: ISAKMP-SA deleted SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
Apr 12 13:20:41 Zaccaro racoon: INFO: Released port 0
Apr 12 13:20:41 Zaccaro racoon: INFO: unsupported PF_KEY message REGISTER
Apr 12 13:21:02 Zaccaro sm-msp-queue[23481]: unable to qualify my own domain name (Zaccaro) -- using short name

I think part of the problem may stem from the phase1-up and phase1-down scripts.

phase1-up.sh:

#!/bin/bash

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

# racoon exports LOCAL_ADDR, REMOTE_ADDR and INTERNAL_ADDR4 (the address
# handed to the client by mode_cfg) to its phase1_up script. Install SPD
# entries for traffic between the client's tunnel address and 192.168.1.0/24,
# carried in ESP tunnel mode over UDP port 4500 (NAT-T).
echo "
spdadd 192.168.1.0/24 ${INTERNAL_ADDR4}/32 any
       -P out ipsec esp/tunnel/${LOCAL_ADDR}[4500]-${REMOTE_ADDR}[4500]/require;
spdadd ${INTERNAL_ADDR4}/32 192.168.1.0/24 any
       -P in ipsec esp/tunnel/${REMOTE_ADDR}[4500]-${LOCAL_ADDR}[4500]/require;
" | setkey -c

phase1-down.sh:

#!/bin/bash

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

# Tear down the SAs between the two endpoints, then remove the SPD entries
# installed by phase1-up.sh (same variables exported by racoon).
echo "
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;

spddelete 192.168.1.0/24[any] ${INTERNAL_ADDR4}[any] any
       -P out ipsec esp/tunnel/${LOCAL_ADDR}-${REMOTE_ADDR}/require;
spddelete ${INTERNAL_ADDR4}[any] 192.168.1.0/24[any] any
       -P in ipsec esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require;
" | setkey -c

All of this happens, and the client says it has successfully connected with the IP address 10.1.0.0. At that point, any attempt to reach the Internet fails immediately. That's the problem.

**Edit:** Here is some more diagnostic information.

When I'm connected to the VPN, pinging the VPS's public IP address succeeds. However, pinging 8.8.8.8 (the DNS server the VPN is set to use by default) times out. As a result, no hostnames can be resolved at all.

**Second edit:**

» route -nv      
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
69.172.231.0    0.0.0.0         255.255.255.192 U     0      0        0 eth0
0.0.0.0         69.172.231.1    0.0.0.0         UG    0      0        0 eth0

» iptables -L -nv
Chain INPUT (policy ACCEPT 49270 packets, 6376K bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 42570 packets, 8573K bytes)
pkts bytes target     prot opt in     out     source               destination         

Where did you get the phase1-up.sh and phase1-down.sh scripts? There should be some examples in the racoon distribution, under .../racoon/samples/roadwarrior/client/. Try using those. As a quick experiment, you could replace all occurrences of 192.168.1.0/24 in those scripts with 10.1.0.0/24, but I don't know how you have networking set up on your Ubuntu VPS. If none of that works, please post the output of the commands

route -nv
iptables -L -nv

on your Ubuntu VPS.

It looks like your problem isn't IPSEC-related. Out of the box, Ubuntu doesn't route any packets, so a connection like this will only get you access to your server, not to the Internet.

What you need to do is follow a tutorial like this one: https://help.ubuntu.com/community/Internet/ConnectionSharing

It will help you set Ubuntu up as a router/firewall with NAT and routing enabled.

You can skip the part about DHCP, since you already get an IP via IPSEC.
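The forwarding and NAT setup the answer above points to, as an added example that is not part of the original thread or of the linked tutorial. It assumes the VPN address pool is 10.1.0.0/24 (from the mode_cfg block in the question) and that the public interface is eth0 (from the route -nv output); both assumptions can be overridden through the VPN_POOL and WAN_IF environment variables. It prints the commands by default and only runs them when APPLY=1 is set.

```shell
#!/bin/bash
# Added example, not code from the Server Fault thread, racoon or the Ubuntu
# ConnectionSharing page: make the VPS forward and NAT traffic from the VPN
# address pool so clients reach the Internet, not just the server.
# Assumptions (taken from the question, overridable via the environment):
#   VPN_POOL: the mode_cfg pool (network4 10.1.0.0 with pool_size 100 fits /24)
#   WAN_IF:   the public interface shown in the question's route -nv output
VPN_POOL="${VPN_POOL:-10.1.0.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# Emit the commands instead of running them, so the ruleset can be reviewed
# (and compared with 'iptables-save') before it touches a live box.
nat_rules() {
    local pool="$1" wan="$2"
    cat <<EOF
# 1. Let the kernel forward packets between the IPsec tunnel and ${wan}.
sysctl -w net.ipv4.ip_forward=1
# 2. Rewrite the VPN clients' pool addresses to the VPS's public address.
iptables -t nat -A POSTROUTING -s ${pool} -o ${wan} -j MASQUERADE
# 3. Forward only pool traffic out and only replies back in; drop the rest
#    (the question shows FORWARD with a default policy of ACCEPT).
iptables -P FORWARD DROP
iptables -A FORWARD -s ${pool} -o ${wan} -j ACCEPT
iptables -A FORWARD -d ${pool} -i ${wan} -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Run the emitted commands; needs root, so only do it when explicitly asked.
apply_rules() {
    nat_rules "$VPN_POOL" "$WAN_IF" | sh -e
}

if [ "${APPLY:-0}" = "1" ]; then
    apply_rules
else
    nat_rules "$VPN_POOL" "$WAN_IF"
fi
```

Run it once without APPLY to read the rules, then with `sudo APPLY=1` to install them. To make the forwarding setting survive a reboot, put `net.ipv4.ip_forward=1` in /etc/sysctl.conf as the tutorial describes, and persist the iptables rules with your distribution's usual mechanism. After connecting a client, `iptables -t nat -L POSTROUTING -nv` should show the MASQUERADE counters increasing while the client pings 8.8.8.8. Note that racoon's generate_policy only installs the SPD entries for the client's /32 (the "10.1.0.0/32[0] 0.0.0.0/0[0]" lines in the server log); forwarding and NAT are a separate, kernel-level step, which is why the tunnel can come up while Internet access still fails.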

Source: https://serverfault.com/questions/258962