The setup is as follows:
- A PPTP Windows server on the Internet (SERVER)
- A Windows host (HOST)
- A Linux VM running on machine 2 (VM)
The VM runs on HOST, with its network adapter attached to NAT.
HOST can reach SERVER over the VPN with the given set of credentials without any problem. The VM running on HOST cannot. Tcpdump shows what looks to me like missing GRE responses:
17:17:17.024882 IP $VM_IP.46712 > $SERVER_IP.pptp: Flags [S], seq 223797697, win 29200, options [mss 1460,sackOK,TS val 2041885 ecr 0,nop,wscale 7], length 0
17:17:17.265478 IP $SERVER_IP.pptp > $VM_IP.46712: Flags [S.], seq 284096001, ack 223797698, win 65535, options [mss 1460], length 0
17:17:17.265531 IP $VM_IP.46712 > $SERVER_IP.pptp: Flags [.], ack 1, win 29200, length 0
17:17:17.266374 IP $VM_IP.46712 > $SERVER_IP.pptp: Flags [P.], seq 1:157, ack 1, win 29200, length 156: pptp CTRL_MSGTYPE=SCCRQ PROTO_VER(1.0) FRAME_CAP(AS) BEARER_CAP(DA) MAX_CHAN(65535) FIRM_REV(1) HOSTNAME(local) VENDOR(cananian)
17:17:17.266576 IP $SERVER_IP.pptp > $VM_IP.46712: Flags [.], ack 157, win 65535, length 0
17:17:17.512333 IP $SERVER_IP.pptp > $VM_IP.46712: Flags [P.], seq 1:157, ack 157, win 65535, length 156: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP() BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) HOSTNAME(local) VENDOR(linux)
17:17:17.512370 IP $VM_IP.46712 > $SERVER_IP.pptp: Flags [.], ack 157, win 30016, length 0
17:17:18.267029 IP $VM_IP.46712 > $SERVER_IP.pptp: Flags [P.], seq 157:325, ack 157, win 30016, length 168: pptp CTRL_MSGTYPE=OCRQ CALL_ID(0) CALL_SER_NUM(0) MIN_BPS(2400) MAX_BPS(10000000) BEARER_TYPE(Any) FRAME_TYPE(E) RECV_WIN(3) PROC_DELAY(0) PHONE_NO_LEN(0) PHONE_NO() SUB_ADDR()
17:17:18.267276 IP $SERVER_IP.pptp > $VM_IP.46712: Flags [.], ack 325, win 65535, length 0
17:17:18.516316 IP $SERVER_IP.pptp > $VM_IP.46712: Flags [P.], seq 157:189, ack 325, win 65535, length 32: pptp CTRL_MSGTYPE=OCRP CALL_ID(9) PEER_CALL_ID(0) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(10000000) RECV_WIN(3) PROC_DELAY(0) PHY_CHAN_ID(0)
17:17:18.516353 IP $VM_IP.46712 > $SERVER_IP.pptp: Flags [.], ack 189, win 30016, length 0
17:17:18.516617 IP $VM_IP > $SERVER_IP: GREv1, call 9, seq 1, length 36: LCP, Conf-Request (0x01), id 1, length 22
17:17:21.013567 IP $VM_IP > $SERVER_IP: GREv1, call 9, seq 2, length 36: LCP, Conf-Request (0x01), id 1, length 22
17:17:24.018211 IP $VM_IP > $SERVER_IP: GREv1, call 9, seq 3, length 36: LCP, Conf-Request (0x01), id 1, length 22
17:17:27.021510 IP $VM_IP > $SERVER_IP: GREv1, call 9, seq 4, length 36: LCP, Conf-Request (0x01), id 1, length 22
17:17:30.024770 IP $VM_IP > $SERVER_IP: GREv1, call 9, seq 5, length 36: LCP, Conf-Request (0x01), id 1, length 22
17:17:33.027047 IP $VM_IP > $SERVER_IP: GREv1, call 9, seq 6, length 36: LCP, Conf-Request (0x01), id 1, length 22
17:17:36.030701 IP $VM_IP > $SERVER_IP: GREv1, call 9, seq 7, length 36: LCP, Conf-Request (0x01), id 1, length 22
17:17:39.034014 IP $VM_IP > $SERVER_IP: GREv1, call 9, seq 8, length 36: LCP, Conf-Request (0x01), id 1, length 22
17:17:42.037526 IP $VM_IP > $SERVER_IP: GREv1, call 9, seq 9, length 36: LCP, Conf-Request (0x01), id 1, length 22
17:17:45.040779 IP $VM_IP > $SERVER_IP: GREv1, call 9, seq 10, length 36: LCP, Conf-Request (0x01), id 1, length 22
17:17:48.048560 IP $VM_IP.46712 > $SERVER_IP.pptp: Flags [P.], seq 325:341, ack 189, win 30016, length 16: pptp CTRL_MSGTYPE=CCRQ CALL_ID(0)
17:17:48.048649 IP $VM_IP.46712 > $SERVER_IP.pptp: Flags [F.], seq 341, ack 189, win 30016, length 0
17:17:48.048685 IP $SERVER_IP.pptp > $VM_IP.46712: Flags [.], ack 341, win 65535, length 0
17:17:48.049126 IP $SERVER_IP.pptp > $VM_IP.46712: Flags [.], ack 342, win 65535, length 0
17:17:54.359765 IP $SERVER_IP.pptp > $VM_IP.46712: Flags [F.], seq 189, ack 342, win 65535, length 0
17:17:54.359810 IP $VM_IP.46712 > $SERVER_IP.pptp: Flags [.], ack 190, win 30016, length 0
Question: should I forward additional ports to the VM through the hypervisor on HOST, or am I missing something entirely?
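For reference, the symptom visible in the capture (PPTP control channel completes, then GRE leaves the VM and nothing comes back) can be checked mechanically. This is an added example, not part of the question; it embeds a constructed excerpt of the capture above with the same placeholder IPs and treats the tcpdump line format as shown there.

```python
import re

# Constructed sample: a few lines taken from the capture in the question (placeholder IPs kept).
SAMPLE_CAPTURE = """\
17:17:18.516316 IP $SERVER_IP.pptp > $VM_IP.46712: Flags [P.], seq 157:189, ack 325, win 65535, length 32: pptp CTRL_MSGTYPE=OCRP CALL_ID(9) PEER_CALL_ID(0) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(10000000) RECV_WIN(3) PROC_DELAY(0) PHY_CHAN_ID(0)
17:17:18.516617 IP $VM_IP > $SERVER_IP: GREv1, call 9, seq 1, length 36: LCP, Conf-Request (0x01), id 1, length 22
17:17:21.013567 IP $VM_IP > $SERVER_IP: GREv1, call 9, seq 2, length 36: LCP, Conf-Request (0x01), id 1, length 22
17:17:24.018211 IP $VM_IP > $SERVER_IP: GREv1, call 9, seq 3, length 36: LCP, Conf-Request (0x01), id 1, length 22
17:17:48.048560 IP $VM_IP.46712 > $SERVER_IP.pptp: Flags [P.], seq 325:341, ack 189, win 30016, length 16: pptp CTRL_MSGTYPE=CCRQ CALL_ID(0)
"""

# Server's OCRP: CALL_ID is the server-side call id, PEER_CALL_ID the client's, RESULT_CODE 1 = connected.
OCRP_RE = re.compile(r"IP (\S+)\.pptp > (\S+)\.\d+: .*CTRL_MSGTYPE=OCRP "
                     r"CALL_ID\((\d+)\) PEER_CALL_ID\((\d+)\) RESULT_CODE\((\d+)\)")
# GRE data packets: the "call" tcpdump prints is the call id of the receiving peer (GRE key field).
GRE_RE = re.compile(r"IP (\S+) > (\S+): GREv1, call (\d+), seq (\d+)")


def analyse_pptp(capture):
    """Pair each accepted outgoing call (OCRP) with the GRE packets that follow it.

    Returns {client_ip: {"server", "server_call", "client_call", "gre_out", "gre_in"}}.
    """
    sessions = {}
    for line in capture.splitlines():
        m = OCRP_RE.search(line)
        if m:
            server, client, srv_call, cli_call, result = m.groups()
            if result == "1":  # call accepted, GRE should start flowing both ways
                sessions[client] = {"server": server, "server_call": int(srv_call),
                                    "client_call": int(cli_call), "gre_out": 0, "gre_in": 0}
            continue
        m = GRE_RE.search(line)
        if not m:
            continue
        src, dst, call, _seq = m.groups()
        s = sessions.get(src)
        if s and s["server"] == dst and int(call) == s["server_call"]:
            s["gre_out"] += 1        # client -> server, keyed by the server's call id
            continue
        s = sessions.get(dst)
        if s and s["server"] == src and int(call) == s["client_call"]:
            s["gre_in"] += 1         # server -> client, keyed by the client's call id
    return sessions


def one_way_gre(sessions, min_out=3):
    """Clients whose call was accepted but whose repeated GRE packets never got a GRE reply."""
    return sorted(c for c, s in sessions.items() if s["gre_out"] >= min_out and s["gre_in"] == 0)


if __name__ == "__main__":
    found = analyse_pptp(SAMPLE_CAPTURE)
    for client in one_way_gre(found):
        s = found[client]
        print(f"{client}: {s['gre_out']} GRE packets sent on call {s['server_call']}, none received")
```

Run against `tcpdump -n` output of the full session; a client listed by `one_way_gre` has a working TCP 1723 control channel and a NAT that is dropping or not translating the GRE data path.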
Answer 1
[Assuming you are using Linux] You may need to add support for "nf_conntrack_pptp" - I think the NAT does not associate the GRE packets with the PPTP connection and therefore does not forward them. Depending on your variant, modprobe nf_conntrack_pptp may work temporarily, and if this turns out to be the cause, using /etc/modprobe.d/* or adding it to /etc/modules may be the permanent fix.