雙方都在 NAT 之後的 strongSwan 設置
我正在嘗試在家中設置 strongSwan 伺服器並從另一個網路連接到它。假設
sun
是 VPN 伺服器並且venus
是客戶端。兩者sun
都venus
在 NAT 網路後面。sun
不是我家庭網路的網關。但是,埠 4500、500 和 50 (UDP) 被轉發到sun
.ipsec.conf (太陽)
# ipsec.conf - strongSwan IPsec configuration file # basic configuration config setup charonstart=yes plutostart=no conn venus left=%any leftcert=sunCert.pem right=%any leftsubnet=10.135.1.0/24 rightid="C=IL, O=KrustyKrab, CN=venus" keyexchange=ikev2 auto=add type=tunnel mobike=no include /var/lib/strongswan/ipsec.conf.inc
ipsec.conf(金星)
# ipsec.conf - strongSwan IPsec configuration file # basic configuration config setup charonstart=yes plutostart=no conn krustykrab left=%defaultroute leftsourceip=%config leftid="C=IL, O=KrustyKrab, CN=venus" leftcert=venusCert.pem right=x.x.x.x # My home public IP rightsubnet=10.135.1.0/24 rightid="C=IL, O=KrustyKrab, CN=sun" keyexchange=ikev2 auto=start type=tunnel mobike=no # include /var/lib/strongswan/ipsec.conf.inc
Sun 的私有 IP 是 10.135.1.200 而 Venus 的私有 IP 是 192.168.10.200 這是我嘗試連接時發生的情況:
Sun(yyyy 是 Venus 的公共 IP):
13[NET] received packet: from y.y.y.y[500] to 10.135.1.200[500] 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 13[IKE] y.y.y.y is initiating an IKE_SA 13[IKE] local host is behind NAT, sending keep alives 13[IKE] remote host is behind NAT 13[IKE] sending cert request for "C=IL, O=KrustyKrab, CN=KrustyKrab CA" 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] 13[NET] sending packet: from 10.135.1.200[500] to y.y.y.y[500] 14[IKE] sending keep alive 14[NET] sending packet: from 10.135.1.200[500] to y.y.y.y[500] 15[JOB] deleting half open IKE_SA after timeout
Venus(xxxx 是 Sun 的公共 IP)
13[IKE] initiating IKE_SA krustykrab[1] to x.x.x.x 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] 13[NET] sending packet: from 192.168.10.200[500] to x.x.x.x[500] 14[NET] received packet: from x.x.x.x[500] to 192.168.10.200[500] 14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ] 14[IKE] local host is behind NAT, sending keep alives 14[IKE] remote host is behind NAT 14[IKE] received cert request for "C=IL, O=KrustyKrab, CN=KrustyKrab CA" 14[IKE] sending cert request for "C=IL, O=KrustyKrab, CN=KrustyKrab CA" 14[IKE] authentication of 'C=IL, O=KrustyKrab, CN=venus' (myself) with RSA signature successful 14[IKE] sending end entity cert "C=IL, O=KrustyKrab, CN=venus" 14[IKE] establishing CHILD_SA krustykrab 14[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CP(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ] 14[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500] 09[IKE] retransmit 1 of request with message ID 1 09[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500] 10[IKE] retransmit 2 of request with message ID 1 10[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500] 11[IKE] retransmit 3 of request with message ID 1 11[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500] 14[IKE] sending keep alive 14[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500] 15[IKE] retransmit 4 of request with message ID 1 15[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500] 10[IKE] sending keep alive 10[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500] 12[IKE] sending keep alive 12[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500] 11[IKE] retransmit 5 of request with message ID 1 11[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500]
金星中的 tcpdump:
16:57:42.389799 IP 192.168.10.200.500 > x.x.x.x.500: isakmp: parent_sa ikev2_init[I] 16:57:42.465073 IP x.x.x.x.500 > 192.168.10.200.500: isakmp: parent_sa ikev2_init[R] 16:57:42.712016 IP 192.168.10.200.4500 > x.x.x.x.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I] 16:57:42.712057 IP 192.168.10.200 > x.x.x.x: ip-proto-17 16:57:46.712854 IP 192.168.10.200.4500 > x.x.x.x.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I] 16:57:46.712911 IP 192.168.10.200 > x.x.x.x: ip-proto-17 16:57:53.913742 IP 192.168.10.200.4500 > x.x.x.x.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I] 16:57:53.913799 IP 192.168.10.200 > x.x.x.x: ip-proto-17 16:58:02.458669 IP x.x.x.x.500 > 192.168.10.200.500: [|isakmp] 16:58:06.874834 IP 192.168.10.200.4500 > x.x.x.x.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I] 16:58:06.874884 IP 192.168.10.200 > x.x.x.x: ip-proto-17
Sun 中的 tcpdump:
16:59:06.521762 IP y.y.y.y.500 > 10.135.1.200.500: isakmp: parent_sa ikev2_init[I] 16:59:06.556423 IP 10.135.1.200.500 > y.y.y.y.500: isakmp: parent_sa ikev2_init[R] 16:59:26.556324 IP 10.135.1.200.500 > y.y.y.y.500: [|isakmp]
似乎
sun
在埠 4500 中沒有收到數據包,這很奇怪,因為我在其中打開了一個 Python 解釋器venus
並輸入:In [1]: from socket import * In [2]: x = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP) In [3]: x.sendto('', ('x.x.x.x', 4500)) Out[3]: 0
並且收到了數據包:
17:02:45.246769 IP y.y.y.y.44335 > 10.135.1.200.4500: [|isakmp]
我也試過設置
port_nat_t = 6000
在
charon
雙方的部分,但他們仍然嘗試使用埠 4500
由於證書和證書請求
IKE_AUTH
消息可能會變得非常大,以至於它們必須在 IP 層上進行分段(您可以在tcpdump
擷取中看到這些分段venus
)。也許 NAT 機器在sun
重新組裝碎片數據包時遇到了問題,或者只是丟棄了它們。作為一種解決方法,您可以嘗試在兩側安裝兩個對等方的證書,然後進行
rightcert
相應配置,使其指向包含另一個對等方證書的文件。完成後,您可以
rightsendcert=never
在兩端進行配置,以避免發送證書請求。因為leftsendcert
預設對ifasked
等方最終不會發送他們的證書,並且消息大小應該足夠小以避免IP碎片。順便說一句,您不必打開 UDP 埠 50。如果沒有 NAT 遍歷,您需要允許 IP協議50 (ESP),但如果涉及 NAT,ESP 數據包會被 UDP 封裝,因此打開 UDP 埠 500 和 4500 是充足的。