
strongSwan setup with both sides behind NAT

  • February 17, 2014

I'm trying to set up a strongSwan server at home and connect to it from another network. Assume sun is the VPN server and venus is the client. Both sun and venus are behind NAT networks. sun is not the gateway of my home network; however, ports 4500, 500 and 50 (UDP) are forwarded to sun.

ipsec.conf (sun)

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
   charonstart=yes
   plutostart=no

conn venus
    left=%any
    leftcert=sunCert.pem
    right=%any
    leftsubnet=10.135.1.0/24
    rightid="C=IL, O=KrustyKrab, CN=venus"
    keyexchange=ikev2
    auto=add
    type=tunnel
    mobike=no

include /var/lib/strongswan/ipsec.conf.inc

ipsec.conf (venus)

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
   charonstart=yes
   plutostart=no

conn krustykrab
    left=%defaultroute
    leftsourceip=%config
    leftid="C=IL, O=KrustyKrab, CN=venus"
    leftcert=venusCert.pem
    right=x.x.x.x # My home public IP 
    rightsubnet=10.135.1.0/24
    rightid="C=IL, O=KrustyKrab, CN=sun"
    keyexchange=ikev2
    auto=start
    type=tunnel
    mobike=no

# include /var/lib/strongswan/ipsec.conf.inc

sun's private IP is 10.135.1.200 and venus's private IP is 192.168.10.200. This is what happens when I try to connect:

sun (y.y.y.y is venus's public IP):

13[NET] received packet: from y.y.y.y[500] to 10.135.1.200[500]
13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
13[IKE] y.y.y.y is initiating an IKE_SA
13[IKE] local host is behind NAT, sending keep alives
13[IKE] remote host is behind NAT
13[IKE] sending cert request for "C=IL, O=KrustyKrab, CN=KrustyKrab CA"
13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
13[NET] sending packet: from 10.135.1.200[500] to y.y.y.y[500]
14[IKE] sending keep alive
14[NET] sending packet: from 10.135.1.200[500] to y.y.y.y[500]
15[JOB] deleting half open IKE_SA after timeout

venus (x.x.x.x is sun's public IP):

13[IKE] initiating IKE_SA krustykrab[1] to x.x.x.x
13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
13[NET] sending packet: from 192.168.10.200[500] to x.x.x.x[500]
14[NET] received packet: from x.x.x.x[500] to 192.168.10.200[500]
14[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
14[IKE] local host is behind NAT, sending keep alives
14[IKE] remote host is behind NAT
14[IKE] received cert request for "C=IL, O=KrustyKrab, CN=KrustyKrab CA"
14[IKE] sending cert request for "C=IL, O=KrustyKrab, CN=KrustyKrab CA"
14[IKE] authentication of 'C=IL, O=KrustyKrab, CN=venus' (myself) with RSA signature successful
14[IKE] sending end entity cert "C=IL, O=KrustyKrab, CN=venus"
14[IKE] establishing CHILD_SA krustykrab
14[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ IDr AUTH CP(ADDR DNS) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
14[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500]
09[IKE] retransmit 1 of request with message ID 1
09[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500]
10[IKE] retransmit 2 of request with message ID 1
10[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500]
11[IKE] retransmit 3 of request with message ID 1
11[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500]
14[IKE] sending keep alive
14[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500]
15[IKE] retransmit 4 of request with message ID 1
15[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500]
10[IKE] sending keep alive
10[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500]
12[IKE] sending keep alive
12[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500]
11[IKE] retransmit 5 of request with message ID 1
11[NET] sending packet: from 192.168.10.200[4500] to x.x.x.x[4500]

tcpdump on venus:

16:57:42.389799 IP 192.168.10.200.500 > x.x.x.x.500: isakmp: parent_sa ikev2_init[I]
16:57:42.465073 IP x.x.x.x.500 > 192.168.10.200.500: isakmp: parent_sa ikev2_init[R]
16:57:42.712016 IP 192.168.10.200.4500 > x.x.x.x.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
16:57:42.712057 IP 192.168.10.200 > x.x.x.x: ip-proto-17
16:57:46.712854 IP 192.168.10.200.4500 > x.x.x.x.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
16:57:46.712911 IP 192.168.10.200 > x.x.x.x: ip-proto-17
16:57:53.913742 IP 192.168.10.200.4500 > x.x.x.x.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
16:57:53.913799 IP 192.168.10.200 > x.x.x.x: ip-proto-17
16:58:02.458669 IP x.x.x.x.500 > 192.168.10.200.500: [|isakmp]
16:58:06.874834 IP 192.168.10.200.4500 > x.x.x.x.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
16:58:06.874884 IP 192.168.10.200 > x.x.x.x: ip-proto-17

tcpdump on sun:

16:59:06.521762 IP y.y.y.y.500 > 10.135.1.200.500: isakmp: parent_sa ikev2_init[I]
16:59:06.556423 IP 10.135.1.200.500 > y.y.y.y.500: isakmp: parent_sa ikev2_init[R]
16:59:26.556324 IP 10.135.1.200.500 > y.y.y.y.500: [|isakmp]

It seems that sun does not receive the packets on port 4500, which is strange, because I opened a Python interpreter on venus and typed:

In [1]: from socket import *
In [2]: x = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)
In [3]: x.sendto('', ('x.x.x.x', 4500))
Out[3]: 0

and the packet was received:

17:02:45.246769 IP y.y.y.y.44335 > 10.135.1.200.4500: [|isakmp]

I also tried setting

port_nat_t = 6000

in the charon section on both sides, but they still try to use port 4500.

Because of the certificates and certificate requests, the IKE_AUTH messages can get so large that they have to be fragmented at the IP layer (you can see those fragments in the tcpdump capture on venus). Perhaps the NAT device in front of sun has problems reassembling the fragmented packets, or it simply drops them.

As a workaround, you could try installing the certificates of both peers on both sides and then configure rightcert accordingly, so that it points to the file containing the other peer's certificate.

Once that is done, you can configure rightsendcert=never on both ends to avoid sending certificate requests. Because leftsendcert defaults to ifasked, the peers will then not send their certificates, and the message size should be small enough to avoid IP fragmentation.

By the way, you don't have to open UDP port 50. Without NAT traversal you would need to allow IP protocol 50 (ESP), but if NAT is involved, the ESP packets are UDP-encapsulated, so opening UDP ports 500 and 4500 is sufficient.
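As an added example (not part of the question or the answer above), here is a small Python script that parses the venus-side tcpdump excerpt quoted in the question and flags the symptom the answer describes: every IKE_AUTH request sent on UDP 4500 is immediately followed by an "ip-proto-17" line, which is how tcpdump prints a non-first IP fragment of a UDP datagram (no UDP header, so it cannot decode further), and no reply ever arrives on UDP 4500. The capture text is the one from the question; the parsing regex, the 10 ms fragment window, and the report fields are my own assumptions, not strongSwan or tcpdump conventions.

```python
"""Spot IP-fragmented IKE_AUTH requests and missing NAT-T replies in a tcpdump excerpt."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the venus-side capture quoted in the question (x.x.x.x = sun's public IP).
VENUS_CAPTURE = """\
16:57:42.389799 IP 192.168.10.200.500 > x.x.x.x.500: isakmp: parent_sa ikev2_init[I]
16:57:42.465073 IP x.x.x.x.500 > 192.168.10.200.500: isakmp: parent_sa ikev2_init[R]
16:57:42.712016 IP 192.168.10.200.4500 > x.x.x.x.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
16:57:42.712057 IP 192.168.10.200 > x.x.x.x: ip-proto-17
16:57:46.712854 IP 192.168.10.200.4500 > x.x.x.x.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
16:57:46.712911 IP 192.168.10.200 > x.x.x.x: ip-proto-17
16:57:53.913742 IP 192.168.10.200.4500 > x.x.x.x.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
16:57:53.913799 IP 192.168.10.200 > x.x.x.x: ip-proto-17
16:58:02.458669 IP x.x.x.x.500 > 192.168.10.200.500: [|isakmp]
16:58:06.874834 IP 192.168.10.200.4500 > x.x.x.x.4500: NONESP-encap: isakmp: child_sa  ikev2_auth[I]
16:58:06.874884 IP 192.168.10.200 > x.x.x.x: ip-proto-17
"""

# Assumed line shape of default (non -v) tcpdump output: "<ts> IP <src> > <dst>: <info>".
LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<info>.*)$")


@dataclass
class Packet:
    ts: float                 # seconds since midnight, from the tcpdump timestamp
    src: str
    sport: Optional[int]      # None when tcpdump could not decode a UDP header
    dst: str
    dport: Optional[int]
    info: str

    @property
    def is_fragment(self) -> bool:
        # A non-first IP fragment carries no UDP header, so tcpdump prints just
        # the transport protocol number: "ip-proto-17" is a UDP continuation.
        return self.info.startswith("ip-proto-")


def _split(endpoint: str):
    # "x.x.x.x.4500" -> ("x.x.x.x", 4500); "192.168.10.200" -> ("192.168.10.200", None)
    parts = endpoint.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4]), int(parts[-1])
    return endpoint, None


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse(capture: str) -> List[Packet]:
    packets = []
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not packet summaries
        src, sport = _split(m["src"])
        dst, dport = _split(m["dst"])
        packets.append(Packet(_seconds(m["ts"]), src, sport, dst, dport, m["info"]))
    return packets


@dataclass
class Report:
    ike_auth_sent: int = 0        # IKE_AUTH requests we sent, retransmits included
    ike_auth_fragmented: int = 0  # how many of those were split into IP fragments
    nat_t_replies: int = 0        # anything the peer sent back to us on UDP 4500
    notes: List[str] = field(default_factory=list)


def analyze(capture: str, local_ip: str, fragment_window: float = 0.01) -> Report:
    """Correlate each IKE_AUTH send with an immediately following fragment line."""
    pkts = parse(capture)
    rep = Report()
    for i, p in enumerate(pkts):
        if p.src == local_ip and p.dport == 4500 and "ikev2_auth" in p.info:
            rep.ike_auth_sent += 1
            nxt = pkts[i + 1] if i + 1 < len(pkts) else None
            # Same src/dst, no port, within a few ms of the datagram: its continuation fragment.
            if (nxt is not None and nxt.is_fragment and nxt.src == p.src
                    and nxt.dst == p.dst and nxt.ts - p.ts <= fragment_window):
                rep.ike_auth_fragmented += 1
        elif p.dst == local_ip and p.dport == 4500:
            rep.nat_t_replies += 1
    if rep.ike_auth_sent and rep.ike_auth_fragmented == rep.ike_auth_sent:
        rep.notes.append("every IKE_AUTH request was IP-fragmented (large CERT/CERTREQ payloads)")
    if rep.ike_auth_sent and rep.nat_t_replies == 0:
        rep.notes.append("no reply on UDP 4500: fragments are probably dropped or not reassembled by the NAT")
    return rep


if __name__ == "__main__":
    report = analyze(VENUS_CAPTURE, "192.168.10.200")
    print(f"IKE_AUTH sent: {report.ike_auth_sent}, fragmented: {report.ike_auth_fragmented}, "
          f"replies on 4500: {report.nat_t_replies}")
    for note in report.notes:
        print(" -", note)
```

Run it against a fresh capture after applying the workaround (rightcert on both sides and rightsendcert=never): if the certificate payloads are gone, the IKE_AUTH lines should no longer be followed by ip-proto-17 continuations and ike_auth_fragmented should drop to zero; if the peer then answers on 4500, nat_t_replies becomes non-zero and the IP-fragmentation diagnosis is confirmed.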

Quoted from: https://serverfault.com/questions/575815