我想要让 Linux 客户端连接到 Linux 网关,以便它可以访问该网络的主机(典型的 road warrior 设置)。
我在服务器端有这个配置:
conn vpnserver-ikev2
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
ike=aes256-sha512-modp4096
esp=aes256-sha512
dpdaction=clear
dpddelay=300s
inactivity=5s
rekey=no
left=%any
leftid=vpn-test.nimblex.com
leftcert=/etc/ipsec.d/certs/vpn-server-cert-new.pem
leftsendcert=always
leftsubnet=172.31.0.0/16
right=%any
rightid=%any
rightauth=eap-radius
rightsourceip=10.10.0.1/16
rightdns=8.8.8.8
rightsendcert=never
eap_identity=%identity
客户端的情况如下:
conn ikev2-rw
right=vpn-test.nimblex.com
rightid=%vpn-test.nimblex.com
rightsubnet=172.31.0.0/16
rightauth=pubkey
leftsourceip=%config
leftauth=eap
eap_identity=123456789
auto=route
身份验证似乎顺利进行,但当我尝试 ping 时,它不起作用。
当我 ping 时,服务器端的日志如下所示:
04[IKE] peer requested virtual IP %any
04[CFG] assigning new lease to '123456789'
04[IKE] assigning virtual IP 10.10.0.1 to peer '123456789'
04[IKE] CHILD_SA vpnserver-ikev2{1} established with SPIs c7b0a75b_i c5fed014_o and TS 172.31.0.0/16 === 10.10.0.1/32
04[CFG] sending RADIUS Accounting-Request to server '172.31.12.234'
04[CFG] received RADIUS Accounting-Response from server '172.31.12.234'
04[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
04[NET] sending packet: from 172.31.9.29[4500] to 82.76.67.8[4500] (304 bytes)
03[JOB] deleting CHILD_SA after 5 seconds of inactivity
03[IKE] closing CHILD_SA vpnserver-ikev2{1} with SPIs c7b0a75b_i (0 bytes) c5fed014_o (0 bytes) and TS 172.31.0.0/16 === 10.10.0.1/32
03[IKE] sending DELETE for ESP CHILD_SA with SPI c7b0a75b
03[ENC] generating INFORMATIONAL request 0 [ D ]
03[NET] sending packet: from 172.31.9.29[4500] to 82.76.67.8[4500] (96 bytes)
02[NET] received packet: from 82.76.67.8[4500] to 172.31.9.29[4500] (96 bytes)
02[ENC] parsed INFORMATIONAL response 0 [ D ]
02[IKE] received DELETE for ESP CHILD_SA with SPI c5fed014
02[IKE] CHILD_SA closed
...在客户端是这样的:
09[IKE] installing DNS server 8.8.8.8 via resolvconf
09[IKE] installing new virtual IP 10.10.0.1
09[IKE] CHILD_SA ikev2-rw{2} established with SPIs c5fed014_i c7b0a75b_o and TS 10.10.0.1/32 === 172.31.0.0/16
09[IKE] peer supports MOBIKE
07[NET] received packet: from 54.89.185.13[4500] to 192.168.1.4[4500] (96 bytes)
07[ENC] parsed INFORMATIONAL request 0 [ D ]
07[IKE] received DELETE for ESP CHILD_SA with SPI c7b0a75b
07[IKE] closing CHILD_SA ikev2-rw{2} with SPIs c5fed014_i (0 bytes) c7b0a75b_o (0 bytes) and TS 10.10.0.1/32 === 172.31.0.0/16
07[IKE] sending DELETE for ESP CHILD_SA with SPI c5fed014
07[IKE] CHILD_SA closed
07[ENC] generating INFORMATIONAL response 0 [ D ]
07[NET] sending packet: from 192.168.1.4[4500] to 54.89.185.13[4500] (96 bytes)
220路由表如下所示:
172.31.0.0/16 via 192.168.1.1 dev wlp4s0 proto static src 192.168.1.4
iptables 已刷新并且 ip_forward 为 1。
从 iPhone 连接时,我可以 ping 通 VPN 网关,但无法 ping 通网络中的其他主机。从 Linux 主机连接时,我甚至无法 ping 通 VPN 网关。
当 VPN 网关上的 tcpdump 收到来自 iPhone 的 ping 时,它看起来像这样:
19:54:17.865831 IP (tos 0x0, ttl 1, id 51961, offset 0, flags [none], proto ICMP (1), length 84)
ip-10-10-0-1.ec2.internal > vpn-test: ICMP echo request, id 37673, seq 0, length 64
... 当我从 iPhone ping 网络中的另一台服务器时:
19:55:04.220726 IP (tos 0x0, ttl 1, id 54334, offset 0, flags [none], proto ICMP (1), length 84)
ip-10-10-0-1.ec2.internal > ip-172-31-15-66.ec2.internal: ICMP echo request, id 7727, seq 0, length 64
...当我从 Linux 主机 ping 时,VPN 服务器上没有收到 ICMP 流量。
在我的 Linux 客户端上,tcpdump 如下所示:
23:01:21.492340 IP (tos 0x0, ttl 64, id 62233, offset 0, flags [DF], proto ICMP (1), length 84)
10.10.0.2 > 172.31.15.66: ICMP echo request, id 21102, seq 1, length 64
我错过了什么?
答案1
auto=route正如 ecdsa 所建议的,使用if是不正确的leftsourceip=%config。
本该如此auto=start。