Ubuntu
Strongswan (IKEv2) 連接已建立,但沒有流量路由
我以前看過幾次這樣的問題,但到目前為止,他們都沒有解決我的問題。
我正在嘗試在我的 Ubuntu 伺服器上設置一個 IKEv2 VPN,以便使用 Strongswan 與我的 Windows Phone 一起使用。連接似乎設置正確,但沒有路由數據包,我無法 ping VPN 客戶端的 IP 地址。
我的伺服器的內網是192.168.1.0/24,我的伺服器IP是192.168.1.110,在NAT後面。
/var/log/syslog
May 8 09:50:01 seanco-server charon: 16[NET] received packet: from 166.147.118.120[13919] to 192.168.1.110[500] May 8 09:50:01 seanco-server charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ] May 8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09 May 8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20 May 8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19 May 8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02 May 8 09:50:01 seanco-server charon: 16[IKE] 166.147.118.120 is initiating an IKE_SA May 8 09:50:01 seanco-server charon: 16[IKE] local host is behind NAT, sending keep alives May 8 09:50:01 seanco-server charon: 16[IKE] remote host is behind NAT May 8 09:50:01 seanco-server charon: 16[IKE] sending cert request for "C=xx, ST=xx, L=xxx, O=xxx, CN=xxx, E=xxx" May 8 09:50:01 seanco-server charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] May 8 09:50:01 seanco-server charon: 16[NET] sending packet: from 192.168.1.110[500] to 166.147.118.120[13919] May 8 09:50:01 seanco-server charon: 08[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500] May 8 09:50:01 seanco-server charon: 08[ENC] unknown attribute type INTERNAL_IP4_SERVER May 8 09:50:01 seanco-server charon: 08[ENC] unknown attribute type INTERNAL_IP6_SERVER May 8 09:50:01 seanco-server charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ] May 8 09:50:01 seanco-server charon: 08[IKE] received cert request for "C=xx, ST=xx, L=xxx, O=xxx, CN=xxx, E=xxx" May 8 09:50:01 seanco-server charon: 08[IKE] received 31 cert requests for an unknown ca May 8 09:50:01 seanco-server charon: 08[CFG] looking for peer configs matching 192.168.1.110[%any]...166.147.118.120[10.212.235.245] May 8 09:50:01 seanco-server charon: 08[CFG] selected peer config 'windows-phone-vpn' May 8 09:50:01 seanco-server charon: 08[IKE] initiating EAP-Identity request May 8 09:50:01 seanco-server charon: 08[IKE] peer supports MOBIKE May 8 09:50:01 seanco-server charon: 08[IKE] authentication of 'steakscorp.org' (myself) with RSA signature successful May 8 09:50:01 seanco-server charon: 08[IKE] sending end entity cert "D=xxx, C=xx, CN=xxx, E=xxx" May 8 09:50:01 seanco-server charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ] May 8 09:50:01 seanco-server charon: 08[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282] May 8 09:50:02 seanco-server charon: 10[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500] May 8 09:50:02 seanco-server charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ] May 8 09:50:02 seanco-server charon: 10[IKE] received EAP identity 'Windows Phone\jinhai' May 8 09:50:02 seanco-server charon: 10[IKE] initiating EAP_MSCHAPV2 method (id 0xA5) May 8 09:50:02 seanco-server charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ] May 8 09:50:02 seanco-server charon: 10[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282] May 8 09:50:02 seanco-server charon: 09[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500] May 8 09:50:02 seanco-server charon: 09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ] May 8 09:50:02 seanco-server charon: 09[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ] May 8 09:50:02 seanco-server charon: 09[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282] May 8 09:50:02 seanco-server charon: 11[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500] May 8 09:50:02 seanco-server charon: 11[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ] May 8 09:50:02 seanco-server charon: 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established May 8 09:50:02 seanco-server charon: 11[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ] May 8 09:50:02 seanco-server charon: 11[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282] May 8 09:50:02 seanco-server charon: 12[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500] May 8 09:50:02 seanco-server charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ] May 8 09:50:02 seanco-server charon: 12[IKE] authentication of '10.212.235.245' with EAP successful May 8 09:50:02 seanco-server charon: 12[IKE] authentication of 'steakscorp.org' (myself) with EAP May 8 09:50:02 seanco-server charon: 12[IKE] IKE_SA windows-phone-vpn[2] established between 192.168.1.110[steakscorp.org]...166.147.118.120[10.212.235.245] May 8 09:50:02 seanco-server charon: 12[IKE] scheduling reauthentication in 10200s May 8 09:50:02 seanco-server charon: 12[IKE] maximum IKE_SA lifetime 10740s May 8 09:50:02 seanco-server charon: 12[IKE] peer requested virtual IP %any6 May 8 09:50:02 seanco-server charon: 12[CFG] reassigning offline lease to 'Windows Phone\jinhai' May 8 09:50:02 seanco-server charon: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'Windows Phone\jinhai' May 8 09:50:02 seanco-server charon: 12[IKE] CHILD_SA windows-phone-vpn{2} established with SPIs c214680b_i a1cbebd2_o and TS 0.0.0.0/0[udp/l2f] === 10.8.0.1/32[udp] May 8 09:50:02 seanco-server vpn: + 10.212.235.245 10.8.0.1/32 == 166.147.118.120 -- 192.168.1.110 == 0.0.0.0/0 May 8 09:50:02 seanco-server charon: 12[ENC] generating IKE_AUTH response 5 [ AUTH CP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ] May 8 09:50:02 seanco-server charon: 12[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282] May 8 09:50:22 seanco-server charon: 16[IKE] sending keep alive May 8 09:50:22 seanco-server charon: 16[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282] May 8 09:50:32 seanco-server charon: 10[IKE] sending DPD request May 8 09:50:32 seanco-server charon: 10[ENC] generating INFORMATIONAL request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]
/etc/ipsec.conf
config setup strictcrlpolicy = no charonstart = yes plutostart = no conn windows-phone-vpn auto = route compress = no dpdaction = clear pfs = no keyexchange = ikev2 type = tunnel left = %any leftfirewall = yes leftauth = pubkey leftid = steakscorp.org leftcert = /etc/apache2/ssl/start-ssl.crt leftca = /etc/apache2/ssl/start-ssl-ca.pem leftsendcert = always leftsubnet = 0.0.0.0/0 right = %any rightauth = eap-mschapv2 eap_identity = %any rightca = /etc/ipsec.d/cacerts/vpnca.pem rightsendcert = ifasked rightsourceip = 10.8.0.0/24 #leftprotoport = 17/1701 #rightprotoport = 17/%any
如果配置
eth1 Link encap:Ethernet HWaddr aa:00:04:00:0a:04 inet addr:192.168.1.110 Bcast:192.168.1.255 Mask:255.255.255.0 inet6 addr: fe80::21e:4fff:feaa:1577/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:157187 errors:0 dropped:0 overruns:0 frame:0 TX packets:162827 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:121434663 (121.4 MB) TX bytes:129069773 (129.0 MB) Interrupt:21 Memory:fe9e0000-fea00000 ham0 Link encap:Ethernet HWaddr 7a:79:19:da:fb:84 inet addr:25.218.251.132 Bcast:25.255.255.255 Mask:255.0.0.0 inet6 addr: fe80::7879:19ff:feda:fb84/64 Scope:Link inet6 addr: 2620:9b::19da:fb84/96 Scope:Global UP BROADCAST RUNNING MULTICAST MTU:1404 Metric:1 RX packets:1622 errors:0 dropped:0 overruns:0 frame:0 TX packets:3115 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:500 RX bytes:384780 (384.7 KB) TX bytes:1249410 (1.2 MB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:6554 errors:0 dropped:0 overruns:0 frame:0 TX packets:6554 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:2036987 (2.0 MB) TX bytes:2036987 (2.0 MB)
iptables
# Generated by iptables-save v1.4.12 on Fri May 9 10:33:46 2014 *mangle :PREROUTING ACCEPT [604388:58921019] :INPUT ACCEPT [4937028:2589137657] :FORWARD ACCEPT [22:1366] :OUTPUT ACCEPT [3919078:5188868578] :POSTROUTING ACCEPT [4008714:5195778648] :AS0_MANGLE_PRE_REL_EST - [0:0] :AS0_MANGLE_TUN - [0:0] -A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST -A PREROUTING -i as0t+ -j AS0_MANGLE_TUN -A AS0_MANGLE_PRE_REL_EST -j ACCEPT -A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff -A AS0_MANGLE_TUN -j ACCEPT COMMIT # Completed on Fri May 9 10:33:46 2014 # Generated by iptables-save v1.4.12 on Fri May 9 10:33:46 2014 *filter :INPUT ACCEPT [1737:217459] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [16831:20344894] :AS0_ACCEPT - [0:0] :AS0_IN - [0:0] :AS0_IN_POST - [0:0] :AS0_IN_PRE - [0:0] :AS0_OUT - [0:0] :AS0_OUT_LOCAL - [0:0] :AS0_OUT_S2C - [0:0] :AS0_U_ADMIN_IN - [0:0] :AS0_U_USERLOCA_IN - [0:0] :AS0_WEBACCEPT - [0:0] :fail2ban-apache - [0:0] :fail2ban-apache-404 - [0:0] :fail2ban-apache-noscript - [0:0] :fail2ban-apache-overflows - [0:0] :fail2ban-apache-postflood - [0:0] :fail2ban-ip-blocklist - [0:0] :fail2ban-repeatoffender - [0:0] :fail2ban-ssh - [0:0] :fail2ban-ssh-ddos - [0:0] -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-404 -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-noscript -A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT -A INPUT -i lo -j AS0_ACCEPT -A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT -A INPUT -p tcp -j fail2ban-ip-blocklist -A INPUT -p tcp -j fail2ban-repeatoffender -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-postflood -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh -A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT -A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE -A FORWARD -o as0t+ -j AS0_OUT_S2C -A OUTPUT -o as0t+ -j AS0_OUT_LOCAL -A AS0_ACCEPT -j ACCEPT -A AS0_IN -d 10.0.8.1/32 -j ACCEPT -A AS0_IN -j AS0_IN_POST -A AS0_IN_POST -o as0t+ -j AS0_OUT -A AS0_IN_POST -j DROP -A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN -A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN -A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN -A AS0_IN_PRE -j ACCEPT -A AS0_OUT -j DROP -A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP -A AS0_OUT_LOCAL -j ACCEPT -A AS0_OUT_S2C -j AS0_OUT -A AS0_U_ADMIN_IN -d 192.168.1.0/24 -j ACCEPT -A AS0_U_ADMIN_IN -j AS0_IN_POST -A AS0_U_USERLOCA_IN -d 192.168.1.0/24 -j ACCEPT -A AS0_U_USERLOCA_IN -j AS0_IN_POST -A AS0_WEBACCEPT -j ACCEPT -A fail2ban-apache -j RETURN -A fail2ban-apache-404 -j RETURN -A fail2ban-apache-noscript -j RETURN -A fail2ban-apache-overflows -j RETURN -A fail2ban-apache-postflood -j RETURN -A fail2ban-ip-blocklist -j RETURN -A fail2ban-repeatoffender -j RETURN -A fail2ban-ssh -j RETURN -A fail2ban-ssh-ddos -j RETURN COMMIT # Completed on Fri May 9 10:33:46 2014 # Generated by iptables-save v1.4.12 on Fri May 9 10:33:46 2014 *nat :PREROUTING ACCEPT [906:84714] :INPUT ACCEPT [860:81590] :OUTPUT ACCEPT [233:50740] :POSTROUTING ACCEPT [233:50740] :AS0_NAT - [0:0] :AS0_NAT_POST_REL_EST - [0:0] :AS0_NAT_PRE - [0:0] :AS0_NAT_PRE_REL_EST - [0:0] :AS0_NAT_TEST - [0:0] -A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST -A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST -A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE -A POSTROUTING -d 192.168.2.0/24 -o ppp0 -j MASQUERADE -A POSTROUTING -s 10.8.0.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE -A AS0_NAT -o eth1 -j SNAT --to-source 192.168.1.110 -A AS0_NAT -o ham0 -j SNAT --to-source 25.218.251.132 -A AS0_NAT -o tun0 -j SNAT --to-source 10.8.0.1 -A AS0_NAT -j ACCEPT -A AS0_NAT_POST_REL_EST -j ACCEPT -A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST -A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST -A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST -A AS0_NAT_PRE -j AS0_NAT -A AS0_NAT_PRE_REL_EST -j ACCEPT -A AS0_NAT_TEST -o as0t+ -j ACCEPT -A AS0_NAT_TEST -d 10.0.8.0/24 -j ACCEPT -A AS0_NAT_TEST -j AS0_NAT COMMIT # Completed on Fri May 9 10:33:46 2014
ip xfrm 策略
src 10.8.0.1/32 dst 0.0.0.0/0 proto udp dport 1701 dir fwd priority 1920 tmpl src 166.147.118.120 dst 192.168.1.110 proto esp reqid 3 mode tunnel src 10.8.0.1/32 dst 0.0.0.0/0 proto udp dport 1701 dir in priority 1920 tmpl src 166.147.118.120 dst 192.168.1.110 proto esp reqid 3 mode tunnel src 0.0.0.0/0 dst 10.8.0.1/32 proto udp sport 1701 dir out priority 1920 tmpl src 192.168.1.110 dst 166.147.118.120 proto esp reqid 3 mode tunnel
有些事情對我來說有點奇怪(不應該在連接建立時啟動 ipsec0 或其他東西嗎?),但我在這一點上很難過,非常感謝一些幫助。
編輯:註釋掉 protoport 行並關閉 tun0 介面。
你需要:
>$ iptables -t nat -A POSTROUTING -o eth0 ! -p esp -j SNAT --to-source "your VPN host IP" >$ service iptables save >$ service iptables restart >$ service ipsec restart
是否啟用了 ipv4 轉發?
$sudo sysctl -w net.ipv4.ip_forward=1
您是否添加了 MASQUERADE POSTROUTING 規則?
$sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE