Vpn

strongSwan: client can connect to the server but cannot access the internet

  • December 2, 2021

I have set up an ipsec server and after a while I was able to connect to it from my android device. But the client has no internet connection. I also added a NAT rule to forward the traffic coming from the virtual IP, but the problem is still there. How can I find and solve the problem? :(

Server: /etc/ipsec.conf

conn android
   keyexchange=ikev2
   ike=aes256-sha1-modp1024,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024!
   esp=aes256-sha1,aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256!
   dpdaction=clear
   dpddelay=300s
   rekey=no
   left=example.com
   leftfirewall=yes
   leftauth=pubkey
   leftsubnet=0.0.0.0/0
   leftcert=example.com.crt
   lefthostaccess=yes
   right=%any
   rightfirewall=yes
   rightauth=eap-mschapv2
   rightsendcert=never
   rightsubnet=192.168.31.0/24
   rightsourceip=192.168.31.0/24
   rightdns=8.8.8.8
   eap_identity=%any
   type=tunnel
   auto=add

ip xfrm policy

src 192.168.31.0/24 dst 0.0.0.0/0 
       dir fwd priority 1955 
       tmpl src x.x.x.x dst y.y.y.y
       proto esp reqid 2 mode tunnel
src 192.168.31.0/24 dst 0.0.0.0/0 
       dir in priority 1955 
       tmpl src x.x.x.x dst y.y.y.y
       proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 192.168.31.0/24 
       dir out priority 1955 
       tmpl src y.y.y.y dst x.x.x.x
       proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 
       socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
       socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
       socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
       socket out priority 0 
src ::/0 dst ::/0 
       socket in priority 0 
src ::/0 dst ::/0 
       socket out priority 0 
src ::/0 dst ::/0 
       socket in priority 0 
src ::/0 dst ::/0 
       socket out priority 0

Client: strongSwan VPN client for Android

Finally I found the problem. Adding a FORWARD rule to iptables solved my problem.

You may need to set up NAT and enable forwarding in the kernel. The following two commands do this:

sudo iptables -t nat -A POSTROUTING -o YOUR_INTERFACE_NAME -j MASQUERADE
sudo sysctl -w net.ipv4.ip_forward=1
sudo sysctl -w net.ipv4.conf.all.forwarding=1

The first adds a NAT rule to the POSTROUTING chain (more information here); the second/third turn on the setting that allows the server to do any forwarding at all.

Note that, if you do not change sysctl.conf. More information here
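The two answers above name the usual causes (kernel forwarding off, no FORWARD rule, no NAT), and the question also shows how to see that the tunnel itself is up: the `ip xfrm policy` output already contains a `dir fwd` policy for the pool. The script below is an added example, not code from the original post or from strongSwan. It turns those checks into a small diagnosis: each function takes the output of one command on stdin or as an argument, so it can be run offline against the constructed sample (modelled on the question's state) or, with `LIVE=1` as root on the gateway, against the real state. `VPN_POOL` and `WAN_IF` are assumed placeholders for the `rightsourceip=` pool and the internet-facing interface. The suggested fix rules deliberately match only the pool rather than a blanket `-j ACCEPT` / `MASQUERADE`, so the gateway does not start forwarding or NATing anything else.

```shell
#!/bin/sh
# Added example, not part of the original post or of strongSwan. Checks what a
# strongSwan road-warrior gateway needs before clients in the virtual-IP pool
# can reach the internet: an xfrm "fwd" policy for the pool (the tunnel is
# really up), net.ipv4.ip_forward=1, a FORWARD rule accepting the pool, and a
# POSTROUTING NAT rule on the uplink. VPN_POOL and WAN_IF are assumed
# placeholders: set them to your rightsourceip= pool and uplink interface.

VPN_POOL="${VPN_POOL:-192.168.31.0/24}"
WAN_IF="${WAN_IF:-eth0}"

# $1 = value of net.ipv4.ip_forward; succeeds when the kernel routes between interfaces
forwarding_enabled() {
    [ "$1" = "1" ]
}

# stdin = `ip xfrm policy` output, $1 = pool. Each policy is printed as
# "src A dst B" followed by an indented "dir ..." line, so remember the last
# src and succeed when a "dir fwd" line follows it for the pool.
has_fwd_policy() {
    awk -v pool="$1" '
        /^src / { src = $2; next }
        /dir fwd/ && src == pool { found = 1 }
        END { exit found ? 0 : 1 }'
}

# stdin = `iptables-save -t filter` output, $1 = pool; succeeds when the
# FORWARD chain accepts packets sourced from the pool.
has_forward_rule() {
    grep -- '^-A FORWARD ' | grep -F -- "-s $1 " | grep -Fq -- '-j ACCEPT'
}

# stdin = `iptables-save -t nat` output, $1 = uplink; succeeds when traffic
# leaving that interface is masqueraded or SNATed.
has_nat_rule() {
    grep -Eq -- "^-A POSTROUTING .*-o $1 .*-j (MASQUERADE|SNAT)"
}

# $1 = ip_forward value, $2 = xfrm policy text, $3 = nat table text,
# $4 = filter table text. Prints one line per check and returns the number of
# failed checks, each with the narrowest rule that fixes it.
diagnose() {
    problems=0
    if printf '%s\n' "$2" | has_fwd_policy "$VPN_POOL"; then
        echo "ok   : xfrm fwd policy for $VPN_POOL present (CHILD_SA is up)"
    else
        echo "FAIL : no xfrm fwd policy for $VPN_POOL; check the IKE negotiation in the charon log, not iptables"
        problems=$((problems + 1))
    fi
    if forwarding_enabled "$1"; then
        echo "ok   : net.ipv4.ip_forward=1"
    else
        echo "FAIL : net.ipv4.ip_forward=0; fix: sysctl -w net.ipv4.ip_forward=1 (persist it in /etc/sysctl.conf)"
        problems=$((problems + 1))
    fi
    if printf '%s\n' "$4" | has_forward_rule "$VPN_POOL"; then
        echo "ok   : FORWARD accepts $VPN_POOL"
    else
        echo "FAIL : FORWARD does not accept $VPN_POOL; fix:"
        echo "       iptables -A FORWARD -s $VPN_POOL -o $WAN_IF -j ACCEPT"
        echo "       iptables -A FORWARD -d $VPN_POOL -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
        problems=$((problems + 1))
    fi
    if printf '%s\n' "$3" | has_nat_rule "$WAN_IF"; then
        echo "ok   : POSTROUTING NAT on $WAN_IF present"
    else
        echo "FAIL : no NAT on $WAN_IF, so replies to the pool's private addresses have no way back; fix:"
        echo "       iptables -t nat -A POSTROUTING -s $VPN_POOL -o $WAN_IF -j MASQUERADE"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample inputs standing in for live command output, modelled on
# the state in the question: tunnel up, forwarding off, no FORWARD or NAT rule.
SAMPLE_XFRM='src 192.168.31.0/24 dst 0.0.0.0/0
       dir fwd priority 1955
       tmpl src x.x.x.x dst y.y.y.y
       proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
       socket in priority 0'
SAMPLE_NAT='*nat
:POSTROUTING ACCEPT [0:0]
COMMIT'
SAMPLE_FILTER='*filter
:FORWARD DROP [0:0]
COMMIT'

rc=0
if [ "${LIVE:-0}" = "1" ]; then
    # LIVE=1 as root on the gateway: read the real state instead of the sample.
    diagnose "$(sysctl -n net.ipv4.ip_forward)" "$(ip xfrm policy)" \
             "$(iptables-save -t nat)" "$(iptables-save -t filter)" || rc=$?
else
    diagnose 0 "$SAMPLE_XFRM" "$SAMPLE_NAT" "$SAMPLE_FILTER" || rc=$?
fi
echo "failed checks: $rc"
```

Run it as `sh diag.sh` to see the three failures the sample reproduces, or `LIVE=1 sudo sh diag.sh` on the gateway. An `ok` on the xfrm check together with failures on the other three is exactly the situation in the question: IPsec is fine and the remaining work is plain Linux routing and firewalling.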

Source: https://serverfault.com/questions/722642