I am trying to replicate, on a vServer running strongswan 5.5.1-4+deb9u4, the strongswan setup I use on my openWRT router at home. The client is an iPad.
uname -a
Linux t 2.6.32-042stab127.2 #1 SMP Thu Jan 4 16:41:44 MSK 2018 x86_64 GNU/Linux
cat /etc/issue
Debian GNU/Linux 9 \n \l
The vServer has a single interface with a public IP address.
The tunnel is up, but there seems to be a routing problem (i.e. SNAT appears to work, but nothing can be pinged). I spent several days trying various suggested solutions and then tried to understand the underlying path the packets take using this diagram: https://commons.wikimedia.org/wiki/File:Netfilter-packet-flow.svg but I am not sure where in this diagram tcpdump and strongswan inject/retrieve packets.
Questions: 1. Why don't I see a reply to the PING request in tcpdump? 2. Is something wrong with my setup? How can I find out what the problem is?
I captured the ICMP traffic with tcpdump, once from the server and once from the client. The ICMP echo request from the server got a reply that I can see in tcpdump. The client's request does get a new source address and header checksum, but the client receives no reply, and I see none in tcpdump either.
Ping 8.8.4.4 from the server
02:04:14.049413 IP <server public IP> > 8.8.4.4: ICMP echo request, id 6323, seq 1, length 64
0x0000: 4500 0054 0000 4000 4001 6043 dead beef E..T..@.@.`C.R..
0x0010: 0808 0404 0800 fbdc 18b3 0001 fe7d 435d .............}C]
0x0020: 0000 0000 e2c0 0000 0000 0000 1011 1213 ................
0x0030: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 .............!"#
0x0040: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 $%&'()*+,-./0123
0x0050: 3435 3637
Ping 8.8.4.4 from the iPad
02:04:05.920606 IP 192.168.0.1 > 8.8.4.4: ICMP echo request, id 62833, seq 0, length 64
0x0000: 4500 0054 64c1 0000 4001 4933 c0a8 0001 E..Td...@.I3....
0x0010: 0808 0404 0800 c938 f571 0000 3031 3233 .......8.q..0123
0x0020: 3435 3637 3839 4142 4344 4546 3031 3233 456789ABCDEF0123
0x0030: 3435 3637 3839 4142 4344 4546 3031 3233 456789ABCDEF0123
0x0040: 3435 3637 3839 4142 4344 4546 3031 3233 456789ABCDEF0123
0x0050: 3435 3637 4567
02:04:05.920674 IP <server public IP> > 8.8.4.4: ICMP echo request, id 62833, seq 0, length 64
0x0000: 4500 0054 64c1 0000 4001 3b82 dead beef E..Td...@.;..R..
0x0010: 0808 0404 0800 c938 f571 0000 3031 3233 .......8.q..0123
0x0020: 3435 3637 3839 4142 4344 4546 3031 3233 456789ABCDEF0123
0x0030: 3435 3637 3839 4142 4344 4546 3031 3233 456789ABCDEF0123
0x0040: 3435 3637 3839 4142 4344 4546 3031 3233 456789ABCDEF0123
0x0050: 3435 3637 4567
ipsec.conf
# ipsec.conf - strongSwan IPsec configuration file
# basic configuration
config setup
# strictcrlpolicy=yes
# uniqueids = no
# Add connections here.
conn %default
keyexchange=ikev2
conn ipad
left=%any
leftauth=pubkey
leftcert=serverCert.pem
leftsendcert=always
leftid=server
leftsubnet=0.0.0.0/0,::/0
right=%any
rightsourceip=192.168.0.1/32
rightauth=pubkey
rightcert=clientCert.pem
rightid=ipad
auto=add
Client IP
VPN IP address: 192.168.0.1
Subnet mask: 255.0.0.0
ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 15181 bytes 1013666 (989.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 15181 bytes 1013666 (989.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
venet0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP> mtu 1500
inet 127.0.0.2 netmask 255.255.255.255 broadcast 0.0.0.0 destination 127.0.0.2
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 0 (UNSPEC)
RX packets 407010 bytes 38674278 (36.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 443332 bytes 57928033 (55.2 MiB)
TX errors 0 dropped 26 overruns 0 carrier 0 collisions 0
venet0:0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP> mtu 1500
inet <server public IP> netmask 255.255.255.255 broadcast <server public IP> destination <server public IP>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 0 (UNSPEC)
ip xfrm policy
src 192.168.0.1/32 dst 0.0.0.0/0
dir fwd priority 191808 ptype main
tmpl src <client public IP> dst <server public IP>
proto esp reqid 19 mode tunnel
src 192.168.0.1/32 dst 0.0.0.0/0
dir in priority 191808 ptype main
tmpl src <client public IP> dst <server public IP>
proto esp reqid 19 mode tunnel
src 0.0.0.0/0 dst 192.168.0.1/32
dir out priority 191808 ptype main
tmpl src <server public IP> dst <client public IP>
proto esp reqid 19 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
sysctl -a | grep net.ipv4.conf.all.f
net.ipv4.conf.all.forwarding = 1
Pinging the server's public IP from the client does not go through the VPN tunnel:
$tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
05:00:45.896798 IP <client public IP> > <server public IP>: ICMP echo request, id 10520, seq 0, length 64
05:00:45.896835 IP <server public IP> > <client public IP>: ICMP echo reply, id 10520, seq 0, length 64
Pinging the client's private IP from the server works:
$ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=314 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=314 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=313 ms
Pinging the client's private IP from the client fails:
<no text>
Pinging Google DNS from the client fails (but you can see that SNAT is working):
$tcpdump -v icmp
tcpdump: listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
05:17:47.675657 IP (tos 0x0, ttl 64, id 27303, offset 0, flags [none], proto ICMP (1), length 84)
192.168.0.1 > dns.google: ICMP echo request, id 41930, seq 0, length 64
05:17:47.675731 IP (tos 0x0, ttl 64, id 27303, offset 0, flags [none], proto ICMP (1), length 84)
<server public IP> > dns.google: ICMP echo request, id 41930, seq 0, length 64
iptables-save (server)
# Generated by iptables-save v1.6.0 on Thu Aug 8 05:23:13 2019
*nat
:PREROUTING ACCEPT [97478:5722453]
:POSTROUTING ACCEPT [2840:200695]
:OUTPUT ACCEPT [2840:200695]
-A POSTROUTING -s 192.168.0.1/32 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.0.1/32 -j SNAT --to-source <server public IP>
COMMIT
# Completed on Thu Aug 8 05:23:13 2019
# Generated by iptables-save v1.6.0 on Thu Aug 8 05:23:13 2019
*filter
:INPUT ACCEPT [341309:31951703]
:FORWARD ACCEPT [3578:244397]
:OUTPUT ACCEPT [369780:46338370]
COMMIT
# Completed on Thu Aug 8 05:23:13 2019
# Generated by iptables-save v1.6.0 on Thu Aug 8 05:23:13 2019
*mangle
:PREROUTING ACCEPT [344887:32196100]
:INPUT ACCEPT [341309:31951703]
:FORWARD ACCEPT [3578:244397]
:OUTPUT ACCEPT [369780:46338370]
:POSTROUTING ACCEPT [373358:46582767]
COMMIT
# Completed on Thu Aug 8 05:23:13 2019
# Generated by iptables-save v1.6.0 on Thu Aug 8 05:23:13 2019
*raw
:PREROUTING ACCEPT [344887:32196100]
:OUTPUT ACCEPT [369780:46338370]
COMMIT
# Completed on Thu Aug 8 05:23:13 2019
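Added example (not code from the question above, nor from strongSwan): the tcpdump hex dumps in the post contain enough to check the claim that SNAT rewrote the source address and header checksum. The script re-parses the iPad's echo request exactly as captured, verifies the IPv4 header checksum (0x4933) and the ICMP checksum (0xc938), then re-applies the SNAT rewrite itself and lists which bytes change: only the source address and the IPv4 header checksum, while the ICMP checksum is untouched because it does not cover the IP header. The server's public address is redacted in the post (the hex shows a `dead beef` placeholder, which is why the printed post-NAT header checksum cannot be verified), so 203.0.113.10 from TEST-NET-3 stands in for it; that address and the `parse_tcpdump_hex`, `parse_ipv4`, `snat` and `incremental_checksum` helpers are this example's own. Two capture-point facts help when reading such dumps against the netfilter diagram: tcpdump's packet tap sees ingress frames before nat PREROUTING and egress frames after nat POSTROUTING, and the kernel re-injects the decrypted ESP payload on the receiving interface, so a tunnelled echo request shows up twice on venet0 (plaintext on the way in, SNATed on the way out) and a reply from 8.8.4.4 would show up addressed to the server's public IP rather than to 192.168.0.1.

```python
"""Re-parse the tcpdump hex dumps from the post and check what SNAT rewrote.

Added example, not code from the original question. Helper names and the
public address used for the rewrite are this example's own assumptions.
"""
import struct
from typing import Dict, List

# Verbatim from the post (tcpdump -x style): the iPad's echo request as it
# re-enters venet0 after ESP decapsulation, i.e. before the SNAT rule runs.
IPAD_REQUEST_DUMP = """
02:04:05.920606 IP 192.168.0.1 > 8.8.4.4: ICMP echo request, id 62833, seq 0, length 64
    0x0000: 4500 0054 64c1 0000 4001 4933 c0a8 0001 E..Td...@.I3....
    0x0010: 0808 0404 0800 c938 f571 0000 3031 3233 .......8.q..0123
    0x0020: 3435 3637 3839 4142 4344 4546 3031 3233 456789ABCDEF0123
    0x0030: 3435 3637 3839 4142 4344 4546 3031 3233 456789ABCDEF0123
    0x0040: 3435 3637 3839 4142 4344 4546 3031 3233 456789ABCDEF0123
    0x0050: 3435 3637 4567
"""

# Assumption: the post redacts the server's public IP ("dead beef" in the hex),
# so a TEST-NET-3 address stands in for it when the SNAT rewrite is re-applied.
ASSUMED_PUBLIC_IP = "203.0.113.10"

_HEX = set("0123456789abcdefABCDEF")


def parse_tcpdump_hex(dump: str) -> bytes:
    """Rebuild packet bytes from '0xNNNN: hhhh hhhh ... ascii' lines.

    Summary lines are skipped and offsets are sorted, so lines pasted out of
    order still assemble. The ASCII column is dropped at the first non-hex
    token; an ASCII column that happens to look like hex ('4567' on the 0x0050
    line) is removed by truncating to the IPv4 total-length field.
    """
    chunks = []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("0x") or ":" not in line:
            continue
        offset, rest = line.split(":", 1)
        words = []
        for tok in rest.split():
            if len(tok) in (2, 4) and set(tok) <= _HEX:
                words.append(tok)
            else:
                break
        chunks.append((int(offset, 16), bytes.fromhex("".join(words))))
    pkt = b"".join(chunk for _, chunk in sorted(chunks))
    if len(pkt) >= 20 and pkt[0] >> 4 == 4:
        pkt = pkt[: struct.unpack("!H", pkt[2:4])[0]]
    return pkt


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when data already carries a valid one."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_ipv4(pkt: bytes) -> Dict[str, object]:
    """Decode the IPv4 header and, for ICMP, the echo header; verify both checksums."""
    ihl = (pkt[0] & 0x0F) * 4
    f: Dict[str, object] = {
        "id": struct.unpack("!H", pkt[4:6])[0],
        "ttl": pkt[8],
        "proto": pkt[9],
        "hdr_cksum": struct.unpack("!H", pkt[10:12])[0],
        "hdr_cksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
    }
    if pkt[9] == 1:  # ICMP: its checksum covers the ICMP message only, not the IP header
        icmp = pkt[ihl:]
        f["icmp_type"] = icmp[0]
        f["icmp_cksum"], f["icmp_id"], f["icmp_seq"] = struct.unpack("!HHH", icmp[2:8])
        f["icmp_cksum_ok"] = inet_checksum(icmp) == 0
    return f


def snat(pkt: bytes, new_src: str) -> bytes:
    """Rewrite the IPv4 source and recompute the header checksum, as the
    POSTROUTING SNAT rule does. For TCP/UDP a NAT would also have to fix the
    transport pseudo-header checksum; ICMP echo needs no such change."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[12:16] = bytes(int(o) for o in new_src.split("."))
    hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", hdr, 10, inet_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def incremental_checksum(old_cksum: int, old_field: bytes, new_field: bytes) -> int:
    """RFC 1624 update HC' = ~(~HC + ~m + m'): how a NAT fixes the checksum
    without re-summing the header. Must agree with the full recompute in snat()."""
    total = ~old_cksum & 0xFFFF
    for (m,), (m_new,) in zip(struct.iter_unpack("!H", old_field),
                              struct.iter_unpack("!H", new_field)):
        total += (~m & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def changed_offsets(a: bytes, b: bytes) -> List[int]:
    """Byte offsets at which two packets differ (what the NAT actually touched)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    pre = parse_tcpdump_hex(IPAD_REQUEST_DUMP)
    post = snat(pre, ASSUMED_PUBLIC_IP)
    for label, pkt in (("pre-SNAT ", pre), ("post-SNAT", post)):
        f = parse_ipv4(pkt)
        print(f"{label} {f['src']} > {f['dst']} ip-cksum={f['hdr_cksum']:#06x} ok={f['hdr_cksum_ok']}"
              f" icmp id={f['icmp_id']} cksum={f['icmp_cksum']:#06x} ok={f['icmp_cksum_ok']}")
    print("bytes rewritten by SNAT:", changed_offsets(pre, post))
    print("RFC 1624 agrees:", incremental_checksum(0x4933, pre[12:16], post[12:16])
          == parse_ipv4(post)["hdr_cksum"])
```

Run it as-is to see the pre- and post-NAT decode side by side; to check a real post-NAT capture, paste the unredacted `0x0000:` line into a second dump string and call `parse_ipv4` on it, and `hdr_cksum_ok` tells you whether the rewrite was consistent.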