Client traffic is not routed through the VPN
I am trying to set up a simple strongSwan connection between a server and an Android phone using the strongSwan Android app.
My Android phone details:
Android 8.0.0 with Samsung Experience 9.0. It is a Galaxy A5 (2017) model; I tried both 4G and Wi-Fi. My strongSwan app is on version 2.3.0, updated in June 2020.
My server details: it is an up-to-date Ubuntu 18.04 VPS. My strongSwan server configuration is as follows. I manually downloaded strongSwan 5.9.0 and then built it with
./configure --prefix=/custompath/strongroot --disable-stroke --with-piddir=/custompath/strongroot/var/run --enable-eap-dynamic --enable-eap-mschapv2 --enable-eap-aka --enable-eap-identity --enable-md4
make
make install
My strongswan.conf is as follows:
charon {
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}
include strongswan.d/*.conf
My server-side swanctl.conf is as follows:
connections {
    server {
        pools = primary-pool-ipv4, primary-pool-ipv6
        local {
            auth = pubkey
            certs = <server_crt>
            id = <server_id>
        }
        remote {
            auth = eap-dynamic
            id = %any
        }
        children {
            client {
            }
        }
    }
}
secrets {
    eap-test {
        id = <user_id>
        secret = <user_password>
    }
}
pools {
    primary-pool-ipv4 {
        addrs = 10.0.0.0/24
        dns = 8.8.8.8
    }
    primary-pool-ipv6 {
        addrs = 2620:0:2d0:200::7/97
    }
}
The server is started as root with the following commands and prints these results:
/custompath/strongroot/libexec/ipsec/charon &
/custompath/strongroot/sbin/swanctl -q
loaded certificate from '/custompath/strongroot/etc/swanctl/x509/<server_crt>'
loaded certificate from '/custompath/strongroot/etc/swanctl/x509ca/<CA_crt>'
loaded rsa key from '/custompath/strongroot/etc/swanctl/private/<server_key>'
loaded eap secret 'eap-test'
no authorities found, 0 unloaded
loaded pool 'primary-pool-ipv4'
loaded pool 'primary-pool-ipv6'
successfully loaded 2 pools, 0 unloaded
loaded connection 'server'
successfully loaded 1 connections, 0 unloaded
And these log entries:
[CFG] loaded certificate 'C=FR, O=Test, CN=<server_id>'
[CFG] loaded certificate 'C=FR, O=Test, CN=Test CA'
[CFG] loaded RSA private key
[CFG] loaded EAP shared key with id 'eap-test' for: '<user_id>'
[CFG] added vici pool primary-pool-ipv4: 10.0.0.0, 254 entries
[CFG] added vici pool primary-pool-ipv6: 2620:0:2d0:200::7, 2147483640 entries
[CFG] added vici connection: server
On my Android phone, I used the following parameters in the strongSwan app:
Server: <server ipv4>
VPN Type: IKEv2 EAP (Username/Password)
Username: <user_id>
Password: <user_password>
CA certificate: <CA_crt>
Server identity: <server_id>
Client identity: <user_id>
When I connect the client to the server, I get the following logs on the server:
[NET] <3> received packet: from <client_ip>[33980] to <server_ip>[500] (716 bytes)
[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[IKE] <3> <client_ip> is initiating an IKE_SA
[CFG] <3> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
[IKE] <3> remote host is behind NAT
[IKE] <3> DH group ECP_256 unacceptable, requesting CURVE_25519
[ENC] <3> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
[NET] <3> sending packet: from <server_ip>[500] to <client_ip>[33980] (38 bytes)
[NET] <4> received packet: from <client_ip>[33980] to <server_ip>[500] (684 bytes)
[ENC] <4> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[IKE] <4> <client_ip> is initiating an IKE_SA
[CFG] <4> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
[IKE] <4> remote host is behind NAT
[IKE] <4> sending cert request for "C=FR, O=Test, CN=Test CA"
[ENC] <4> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[NET] <4> sending packet: from <server_ip>[500] to <client_ip>[33980] (273 bytes)
[NET] <4> received packet: from <client_ip>[51380] to <server_ip>[4500] (480 bytes)
[ENC] <4> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[IKE] <4> received cert request for "C=FR, O=Test, CN=Test CA"
[CFG] <4> looking for peer configs matching <server_ip>[<server_id>]...<client_ip>[<client_id>]
[CFG] <server|4> selected peer config 'server'
[IKE] <server|4> EAP_AKA method selected
[IKE] <server|4> initiating EAP_AKA method (id 0x11)
[IKE] <server|4> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
[IKE] <server|4> peer supports MOBIKE
[IKE] <server|4> authentication of '<server_id>' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] <server|4> sending end entity cert "C=FR, O=Test, CN=<server_id>"
[ENC] <server|4> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/AKA ]
[NET] <server|4> sending packet: from <server_ip>[4500] to <client_ip>[51380] (1184 bytes)
[NET] <server|4> received packet: from <client_ip>[51380] to <server_ip>[4500] (80 bytes)
[ENC] <server|4> parsed IKE_AUTH request 2 [ EAP/RES/NAK ]
[IKE] <server|4> received EAP_NAK, selecting a different EAP method
[IKE] <server|4> EAP_MSCHAPV2 method selected
[ENC] <server|4> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
[NET] <server|4> sending packet: from <server_ip>[4500] to <client_ip>[51380] (112 bytes)
[NET] <server|4> received packet: from <client_ip>[51380] to <server_ip>[4500] (144 bytes)
[ENC] <server|4> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
[ENC] <server|4> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
[NET] <server|4> sending packet: from <server_ip>[4500] to <client_ip>[51380] (144 bytes)
[NET] <server|4> received packet: from <client_ip>[51380] to <server_ip>[4500] (80 bytes)
[ENC] <server|4> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
[IKE] <server|4> EAP method EAP_MSCHAPV2 succeeded, MSK established
[ENC] <server|4> generating IKE_AUTH response 4 [ EAP/SUCC ]
[NET] <server|4> sending packet: from <server_ip>[4500] to <client_ip>[51380] (80 bytes)
[NET] <server|4> received packet: from <client_ip>[51380] to <server_ip>[4500] (96 bytes)
[ENC] <server|4> parsed IKE_AUTH request 5 [ AUTH ]
[IKE] <server|4> authentication of '<client_id>' with EAP successful
[IKE] <server|4> authentication of '<server_id>' (myself) with EAP
[IKE] <server|4> IKE_SA server[4] established between <server_ip>[<server_id>]...<client_ip>[<client_id>]
[IKE] <server|4> scheduling rekeying in 13701s
[IKE] <server|4> maximum IKE_SA lifetime 15141s
[IKE] <server|4> peer requested virtual IP %any
[CFG] <server|4> reassigning offline lease to '<client_id>'
[IKE] <server|4> assigning virtual IP 10.0.0.1 to peer '<client_id>'
[IKE] <server|4> peer requested virtual IP %any6
[CFG] <server|4> reassigning offline lease to '<client_id>'
[IKE] <server|4> assigning virtual IP 2620:0:2d0:200::7 to peer '<client_id>'
[CFG] <server|4> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
[JOB] watched FD 15 ready to read
[JOB] watcher going to poll() 3 fds
[JOB] watcher got notification, rebuilding
[JOB] watcher going to poll() 4 fds
[IKE] <server|4> CHILD_SA client{2} established with SPIs ce546f2f_i 58d283b4_o and TS <server_ip>/32 === 10.0.0.1/32 2620:0:2d0:200::7/128
[ENC] <server|4> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR ADDR6 DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
[NET] <server|4> sending packet: from <server_ip>[4500] to <client_ip>[51380] (288 bytes)
And these on the client:
[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
[DMN] Starting IKE service (strongSwan 5.8.4, Android 8.0.0 - R16NW.A520FXXSFCTG8/2020-08-01, SM-A520F - samsung/a5y17ltexx/samsung, Linux 3.18.14-13712092-QB33307948, aarch64)
[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
[JOB] spawning 16 worker threads
[IKE] initiating IKE_SA android[2] to <server_ip>
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from <client_internal_ip>[33980] to <server_ip>[500] (716 bytes)
[NET] received packet: from <server_ip>[500] to <client_internal_ip>[33980] (38 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
[IKE] peer didn't accept DH group ECP_256, it requested CURVE_25519
[IKE] initiating IKE_SA android[2] to <server_ip>
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from <client_internal_ip>[33980] to <server_ip>[500] (684 bytes)
[NET] received packet: from <server_ip>[500] to <client_internal_ip>[33980] (273 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
[IKE] local host is behind NAT, sending keep alives
[IKE] received cert request for "C=FR, O=Test, CN=Test CA"
[IKE] sending cert request for "C=FR, O=Test, CN=Test CA"
[IKE] establishing CHILD_SA android{2}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from <client_internal_ip>[51380] to <server_ip>[4500] (480 bytes)
[NET] received packet: from <server_ip>[4500] to <client_internal_ip>[51380] (1184 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/AKA ]
[IKE] received end entity cert "C=FR, O=Test, CN=<server_id>"
[CFG] using certificate "C=FR, O=Test, CN=<server_id>"
[CFG] using trusted ca certificate "C=FR, O=Test, CN=Test CA"
[CFG] checking certificate status of "C=FR, O=Test, CN=<server_id>"
[CFG] certificate status is not available
[CFG] reached self-signed root ca with a path length of 0
[IKE] authentication of '<server_id>' with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] server requested EAP_AKA authentication (id 0x11)
[IKE] EAP method not supported, sending EAP_NAK
[ENC] generating IKE_AUTH request 2 [ EAP/RES/NAK ]
[NET] sending packet: from <client_internal_ip>[51380] to <server_ip>[4500] (80 bytes)
[NET] received packet: from <server_ip>[4500] to <client_internal_ip>[51380] (112 bytes)
[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
[IKE] server requested EAP_MSCHAPV2 authentication (id 0x0F)
[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
[NET] sending packet: from <client_internal_ip>[51380] to <server_ip>[4500] (144 bytes)
[NET] received packet: from <server_ip>[4500] to <client_internal_ip>[51380] (144 bytes)
[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
[NET] sending packet: from <client_internal_ip>[51380] to <server_ip>[4500] (80 bytes)
[NET] received packet: from <server_ip>[4500] to <client_internal_ip>[51380] (80 bytes)
[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
[IKE] authentication of '<client_id>' (myself) with EAP
[ENC] generating IKE_AUTH request 5 [ AUTH ]
[NET] sending packet: from <client_internal_ip>[51380] to <server_ip>[4500] (96 bytes)
[NET] received packet: from <server_ip>[4500] to <client_internal_ip>[51380] (288 bytes)
[ENC] parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR ADDR6 DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
[IKE] authentication of '<server_id>' with EAP successful
[IKE] IKE_SA android[2] established between <client_internal_ip>[<client_id>]...<server_ip>[<server_id>]
[IKE] scheduling rekeying in 35866s
[IKE] maximum IKE_SA lifetime 37666s
[IKE] installing DNS server 8.8.8.8
[IKE] installing new virtual IP 10.0.0.1
[IKE] installing new virtual IP 2620:0:2d0:200::7
[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
[IKE] CHILD_SA android{2} established with SPIs 58d283b4_i ce546f2f_o and TS 10.0.0.1/32 2620:0:2d0:200::7/128 === <server_ip>/32
[DMN] setting up TUN device for CHILD_SA android{2}
[DMN] successfully created TUN device
[IKE] peer supports MOBIKE
I get the notification that the tunnel is up.
I added some iptables rules for forwarding, based on this link, using the following commands:
https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling
I have only one server network interface (loopback excluded), which I will call **<server_int>**:
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o <server_int> -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o <server_int> -j MASQUERADE
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
I also enabled IP forwarding for IPv4 (and IPv6, if that is the right way to do it) by uncommenting the following lines in /etc/sysctl.conf:
net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1
and then reloaded the configuration with
sysctl -p /etc/sysctl.conf
However, when I check my IP online, I see that I still get the client's public IP rather than the server's IP. What makes me believe that nothing is routed over the VPN is that when I enable the option that blocks all traffic outside the VPN, I lose all connectivity to the Internet (except for the VPN connection, which is still running). But I have not touched split tunneling, which by default should redirect everything into the VPN tunnel.
Which part am I missing here?
If you want to reach more than the server through the VPN tunnel, you have to specify that in the traffic selectors. That is, change the child config as follows:
client {
    local_ts = 0.0.0.0/0,::/0
}
The default is dynamic, which defaults to the host's IP address (or the virtual IP on the client side), as you can see in the logs (e.g. on the client:
10.0.0.1/32 2620:0:2d0:200::7/128 === <server_ip>/32
).
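As an added illustration of the answer's point (example code written for this page, not from the question, the answer or the strongSwan project): a small Python script that parses the `CHILD_SA ... established with SPIs ... and TS` line from a charon log, splits it into the local and remote traffic selectors around `===`, and classifies what a client can actually reach through the tunnel. The log lines it runs on are constructed to match the format shown above; 203.0.113.10 (a documentation-range address) stands in for the redacted `<server_ip>`, and the "after" line showing `TS 0.0.0.0/0 ::/0` is what the server is assumed to log once the child carries `local_ts = 0.0.0.0/0,::/0`.

```python
import ipaddress
import re

# Constructed sample log lines in the charon format shown in the question.
# 203.0.113.10 (documentation range) stands in for the redacted <server_ip>;
# the "after" line is what the server would log once the child config carries
# local_ts = 0.0.0.0/0,::/0 (assumed, not taken from the page).
SERVER_LINE_BEFORE = (
    "[IKE] <server|4> CHILD_SA client{2} established with SPIs ce546f2f_i 58d283b4_o "
    "and TS 203.0.113.10/32 === 10.0.0.1/32 2620:0:2d0:200::7/128"
)
SERVER_LINE_AFTER = (
    "[IKE] <server|5> CHILD_SA client{3} established with SPIs 1a2b3c4d_i 5e6f7a8b_o "
    "and TS 0.0.0.0/0 ::/0 === 10.0.0.1/32 2620:0:2d0:200::7/128"
)
CLIENT_LINE_BEFORE = (
    "[IKE] CHILD_SA android{2} established with SPIs 58d283b4_i ce546f2f_o "
    "and TS 10.0.0.1/32 2620:0:2d0:200::7/128 === 203.0.113.10/32"
)

# strongSwan prints "TS <local selectors> === <remote selectors>".
TS_RE = re.compile(r"established with SPIs \S+ \S+ and TS (.+?) === (.+)$")


def parse_child_sa_ts(line):
    """Return (local_ts, remote_ts) as lists of ip_network objects."""
    m = TS_RE.search(line)
    if m is None:
        raise ValueError("not a CHILD_SA 'established' line: %r" % line)
    local = [ipaddress.ip_network(t, strict=False) for t in m.group(1).split()]
    remote = [ipaddress.ip_network(t, strict=False) for t in m.group(2).split()]
    return local, remote


def reachable_networks(line, role):
    """Networks the client may send into the tunnel.

    In the server's log that is the local (left) side; in the client's log
    the same set shows up as the remote (right) side.
    """
    local, remote = parse_child_sa_ts(line)
    if role == "server":
        return local
    if role == "client":
        return remote
    raise ValueError("role must be 'server' or 'client'")


def tunnel_scope(networks):
    """Classify the selector set as 'full', 'host-only' or 'split'."""
    v4_all = any(n.version == 4 and n.prefixlen == 0 for n in networks)
    v6_all = any(n.version == 6 and n.prefixlen == 0 for n in networks)
    if v4_all and v6_all:
        return "full"        # 0.0.0.0/0 and ::/0: everything goes through the VPN
    if all(n.num_addresses == 1 for n in networks):
        return "host-only"   # only the VPN endpoint itself is reachable
    return "split"           # some subnets, but no default route


def diagnose(line, role):
    """Verdict for one CHILD_SA line, with the fix from the answer when needed."""
    nets = reachable_networks(line, role)
    scope = tunnel_scope(nets)
    if scope == "full":
        return "full: all client traffic is carried by the tunnel"
    return ("%s: selectors %s; set local_ts = 0.0.0.0/0,::/0 in the server's "
            "child config to route everything through the VPN"
            % (scope, " ".join(str(n) for n in nets)))


if __name__ == "__main__":
    for label, line, role in (("server before", SERVER_LINE_BEFORE, "server"),
                              ("server after", SERVER_LINE_AFTER, "server"),
                              ("client before", CLIENT_LINE_BEFORE, "client")):
        print("%-14s %s" % (label, diagnose(line, role)))
```

Run against the question's own server log the verdict is "host-only": the only selector on the server side is `<server_ip>/32`, which is exactly why the phone still shows its own public address and why the "block traffic outside the VPN" option cuts off everything except the tunnel. Reading the selectors from the log rather than from the config is deliberate: it reflects what was actually negotiated and installed, which is what the Android client then turns into routes.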