Strongswan: only the last person to connect gets through the tunnel

I have a site-to-site VPN tunnel using StrongSwan. Everything seems to work, except that only the last person to connect gets access. I.e. I connect from PC1 and can ping the server on the other side; I connect from PC2 and now PC1 times out while PC2 can ping; when I disconnect PC2, PC1 can ping again.

In `ipsec statusall` I can see packets being received from both connections, but only returned to one of them. All packets going through the tunnel get an answer, which makes me think this is a routing problem (the server only routes the last connected person through the tunnel). I'm new to all of this, so I may well be overlooking something very basic.

# ipsec.conf on serverB (server I am connecting to/going through)
config setup
    charondebug="ike 2, knl -1, cfg 0"

conn tunnel
    authby=secret
    left=10.25.1.0/24
    leftid=serverB
    leftsubnet=10.25.2.0/24
    right=serverA
    rightsubnet=192.168.10.0/24
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s

conn incoming
    left=10.25.1.0/24
    leftid=serverB
    leftsubnet=192.168.10.0/24
    leftauth=pubkey
    leftcert=/etc/ipsec.d/certs/cert.pem
    right=%any
    rightid=%any
    rightsourceip=10.25.2.0/24
    rightsubnet=0.0.0.0/0
    rightdns=8.8.8.8,8.8.4.4
    keyexchange=ikev2
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add
    ike=aes256-sha1-modp1024,3des-sha1-modp1024
    esp=aes256-sha1,3des-sha1
    rekey=no
# iptables-save
# Generated by iptables-save v1.6.1 on Fri Mar  6 10:47:28 2020
*filter
:INPUT ACCEPT [18415:7233797]
:FORWARD ACCEPT [10367:4483972]
:OUTPUT ACCEPT [18804:7027092]
:sshguard - [0:0]
-A INPUT -j sshguard
COMMIT
# Completed on Fri Mar  6 10:47:28 2020
# ip rule
0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default
root@vpn-endpoint-euw2-prod:~# ip route show table all
default via 10.25.1.1 dev ens4 proto dhcp src 10.25.1.2 metric 100
10.25.1.1 dev ens4 proto dhcp scope link src 10.25.1.2 metric 100
local 10.25.1.2 dev ens4 table local proto kernel scope host src 10.25.1.2
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev ens4 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::4001:aff:fe19:102 dev ens4 table local proto kernel metric 0 pref medium
ff00::/8 dev ens4 table local metric 256 pref medium
# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc fq_codel state UP group default qlen 1000
    link/ether 42:01:0a:19:01:02 brd ff:ff:ff:ff:ff:ff
    inet 10.25.1.2/32 scope global dynamic ens4
       valid_lft 73441sec preferred_lft 73441sec
    inet6 fe80::4001:aff:fe19:102/64 scope link
       valid_lft forever preferred_lft forever
# logs from connection, irrelevant cert requests omitted

# xx.xx.188.25 - external ip of both clients i am using for testing
# xx.xx.120.2 - serverA (other side of the tunnel)
# xx.xx.14.15 - serverB (server I am connecting to from clients)
Mar  6 14:32:34 vpn-endpoint-euw2-prod charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 5.0.0-1021-gcp, x86_64)
Mar  6 14:32:35 vpn-endpoint-euw2-prod charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Mar  6 14:32:35 vpn-endpoint-euw2-prod charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Mar  6 14:32:35 vpn-endpoint-euw2-prod charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar  6 14:32:35 vpn-endpoint-euw2-prod charon: 00[JOB] spawning 16 worker threads
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 14[NET] received packet: from xx.xx.120.2[500] to 10.25.1.2[500] (376 bytes)
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 14[IKE] xx.xx.120.2 is initiating an IKE_SA
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 14[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 14[IKE] local host is behind NAT, sending keep alives
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 14[IKE] remote host is behind NAT
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 14[IKE] sending cert request for "C=US, O=VPN Server, CN=VPN Server Root CA"
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 14[NET] sending packet: from 10.25.1.2[500] to xx.xx.120.2[500] (361 bytes)
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 13[NET] received packet: from xx.xx.120.2[4500] to 10.25.1.2[4500] (300 bytes)
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] authentication of 'xx.xx.120.2' with pre-shared key successful
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] peer supports MOBIKE
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] authentication of 'xx.xx.14.15' (myself) with pre-shared key
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] successfully created shared key MAC
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] IKE_SA bf_tunel2[1] established between 10.25.1.2[xx.xx.14.15]...xx.xx.120.2[xx.xx.120.2]
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] IKE_SA bf_tunel2[1] state change: CONNECTING => ESTABLISHED
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] scheduling reauthentication in 9998s
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] maximum IKE_SA lifetime 10538s
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] CHILD_SA bf_tunel2{1} established with SPIs c086077e_i c1b1cbeb_o and TS 10.25.2.0/24 === 192.168.10.0/24
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 13[NET] sending packet: from 10.25.1.2[4500] to xx.xx.120.2[4500] (236 bytes)
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 05[NET] received packet: from xx.xx.188.25[500] to 10.25.1.2[500] (1104 bytes)
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 05[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 05[IKE] received MS-Negotiation Discovery Capable vendor ID
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 05[IKE] received Vid-Initial-Contact vendor ID
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 05[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 05[IKE] xx.xx.188.25 is initiating an IKE_SA
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 05[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 05[IKE] local host is behind NAT, sending keep alives
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 05[IKE] remote host is behind NAT
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 05[IKE] sending cert request for "C=US, O=VPN Server, CN=VPN Server Root CA"
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 05[NET] sending packet: from 10.25.1.2[500] to xx.xx.188.25[500] (345 bytes)
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 08[NET] received packet: from xx.xx.188.25[4500] to 10.25.1.2[4500] (576 bytes)
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(1/3) ]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 08[ENC] received fragment #1 of 3, waiting for complete IKE message
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 07[NET] received packet: from xx.xx.188.25[4500] to 10.25.1.2[4500] (576 bytes)
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 07[ENC] parsed IKE_AUTH request 1 [ EF(2/3) ]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 07[ENC] received fragment #2 of 3, waiting for complete IKE message
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[NET] received packet: from xx.xx.188.25[4500] to 10.25.1.2[4500] (336 bytes)
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[ENC] received fragment #3 of 3, reassembling fragmented IKE message
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] received cert request for "C=US, O=VPN Server, CN=VPN Server Root CA"
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] received 43 cert requests for an unknown ca
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] processing INTERNAL_IP4_ADDRESS attribute
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] processing INTERNAL_IP4_DNS attribute
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] processing INTERNAL_IP4_NBNS attribute
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] processing INTERNAL_IP4_SERVER attribute
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] processing INTERNAL_IP6_ADDRESS attribute
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] processing INTERNAL_IP6_DNS attribute
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] processing INTERNAL_IP6_SERVER attribute
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] peer supports MOBIKE
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] authentication of 'xx.xx.14.15' (myself) with RSA signature successful
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] sending end entity cert "C=UK, O=VPN Server, CN=xx.xx.14.15"
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[ENC] splitting IKE message with length of 1980 bytes into 2 fragments
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[4500] (1248 bytes)
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 09[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[4500] (800 bytes)
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 10[NET] received packet: from xx.xx.188.25[4500] to 10.25.1.2[4500] (92 bytes)
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 10[IKE] received EAP identity 'user2'
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 10[IKE] initiating EAP_MSCHAPV2 method (id 0x2D)
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 10[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[4500] (108 bytes)
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 11[NET] received packet: from xx.xx.188.25[4500] to 10.25.1.2[4500] (140 bytes)
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 11[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 11[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 11[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[4500] (140 bytes)
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 12[NET] received packet: from xx.xx.188.25[4500] to 10.25.1.2[4500] (76 bytes)
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 12[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 12[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 12[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[4500] (76 bytes)
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 14[NET] received packet: from xx.xx.188.25[4500] to 10.25.1.2[4500] (92 bytes)
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 14[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] authentication of '192.168.1.10' with EAP successful
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] authentication of 'xx.xx.14.15' (myself) with EAP
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] IKE_SA bf_in[2] established between 10.25.1.2[xx.xx.14.15]...xx.xx.188.25[192.168.1.10]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] IKE_SA bf_in[2] state change: CONNECTING => ESTABLISHED
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] peer requested virtual IP %any
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] assigning virtual IP 10.25.2.1 to peer 'user2'
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] peer requested virtual IP %any6
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] no virtual IP found for %any6 requested by 'user2'
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] building INTERNAL_IP4_DNS attribute
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] building INTERNAL_IP4_DNS attribute
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] CHILD_SA bf_in{2} established with SPIs c8553926_i 088be440_o and TS 192.168.10.0/24 === 0.0.0.0/0
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 14[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 14[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[4500] (236 bytes)
Mar  6 14:33:08 vpn-endpoint-euw2-prod charon: 13[IKE] sending keep alive to xx.xx.120.2[4500]
Mar  6 14:33:10 vpn-endpoint-euw2-prod charon: 16[NET] received packet: from xx.xx.188.25[4500] to 10.25.1.2[4500] (76 bytes)
Mar  6 14:33:10 vpn-endpoint-euw2-prod charon: 16[ENC] parsed INFORMATIONAL request 6 [ ]
Mar  6 14:33:10 vpn-endpoint-euw2-prod charon: 16[ENC] generating INFORMATIONAL response 6 [ ]
Mar  6 14:33:10 vpn-endpoint-euw2-prod charon: 16[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[4500] (76 bytes)
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 06[NET] received packet: from xx.xx.188.25[500] to 10.25.1.2[500] (632 bytes)
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 06[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 06[IKE] received MS-Negotiation Discovery Capable vendor ID
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 06[IKE] received Vid-Initial-Contact vendor ID
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 06[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 06[IKE] xx.xx.188.25 is initiating an IKE_SA
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 06[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 06[IKE] local host is behind NAT, sending keep alives
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 06[IKE] remote host is behind NAT
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 06[IKE] sending cert request for "C=US, O=VPN Server, CN=VPN Server Root CA"
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 06[NET] sending packet: from 10.25.1.2[500] to xx.xx.188.25[500] (473 bytes)
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 15[NET] received packet: from xx.xx.188.25[1024] to 10.25.1.2[4500] (576 bytes)
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 15[ENC] parsed IKE_AUTH request 1 [ EF(1/3) ]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 15[ENC] received fragment #1 of 3, waiting for complete IKE message
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 05[NET] received packet: from xx.xx.188.25[1024] to 10.25.1.2[4500] (576 bytes)
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 05[ENC] parsed IKE_AUTH request 1 [ EF(2/3) ]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 05[ENC] received fragment #2 of 3, waiting for complete IKE message
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[NET] received packet: from xx.xx.188.25[1024] to 10.25.1.2[4500] (384 bytes)
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[ENC] received fragment #3 of 3, reassembling fragmented IKE message
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] received cert request for "C=US, O=VPN Server, CN=VPN Server Root CA"
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] received 45 cert requests for an unknown ca
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] processing INTERNAL_IP4_ADDRESS attribute
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] processing INTERNAL_IP4_DNS attribute
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] processing INTERNAL_IP4_NBNS attribute
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] processing INTERNAL_IP4_SERVER attribute
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] processing INTERNAL_IP6_ADDRESS attribute
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] processing INTERNAL_IP6_DNS attribute
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] processing INTERNAL_IP6_SERVER attribute
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] peer supports MOBIKE
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] authentication of 'xx.xx.14.15' (myself) with RSA signature successful
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] sending end entity cert "C=UK, O=VPN Server, CN=xx.xx.14.15"
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[ENC] splitting IKE message with length of 1980 bytes into 2 fragments
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[1024] (1248 bytes)
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 08[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[1024] (800 bytes)
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 07[NET] received packet: from xx.xx.188.25[1024] to 10.25.1.2[4500] (76 bytes)
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 07[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 07[IKE] received EAP identity 'user'
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 07[IKE] initiating EAP_MSCHAPV2 method (id 0x01)
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 07[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 07[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[1024] (108 bytes)
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 09[NET] received packet: from xx.xx.188.25[1024] to 10.25.1.2[4500] (140 bytes)
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 09[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 09[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[1024] (140 bytes)
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 10[NET] received packet: from xx.xx.188.25[1024] to 10.25.1.2[4500] (76 bytes)
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 10[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 10[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 10[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[1024] (76 bytes)
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 11[NET] received packet: from xx.xx.188.25[1024] to 10.25.1.2[4500] (92 bytes)
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 11[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] authentication of '192.168.5.3' with EAP successful
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] authentication of 'xx.xx.14.15' (myself) with EAP
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] IKE_SA bf_in[3] established between 10.25.1.2[xx.xx.14.15]...xx.xx.188.25[192.168.5.3]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] IKE_SA bf_in[3] state change: CONNECTING => ESTABLISHED
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] peer requested virtual IP %any
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] assigning virtual IP 10.25.2.2 to peer 'user'
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] peer requested virtual IP %any6
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] no virtual IP found for %any6 requested by 'user'
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] building INTERNAL_IP4_DNS attribute
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] building INTERNAL_IP4_DNS attribute
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] CHILD_SA bf_in{3} established with SPIs c447c376_i bdd4e08c_o and TS 192.168.10.0/24 === 0.0.0.0/0
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 11[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 11[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[1024] (236 bytes)
Mar  6 14:33:16 vpn-endpoint-euw2-prod charon: 12[NET] received packet: from xx.xx.188.25[1024] to 10.25.1.2[4500] (76 bytes)
Mar  6 14:33:16 vpn-endpoint-euw2-prod charon: 12[ENC] parsed INFORMATIONAL request 6 [ D ]
Mar  6 14:33:16 vpn-endpoint-euw2-prod charon: 12[IKE] received DELETE for ESP CHILD_SA with SPI bdd4e08c
Mar  6 14:33:16 vpn-endpoint-euw2-prod charon: 12[IKE] closing CHILD_SA bf_in{3} with SPIs c447c376_i (0 bytes) bdd4e08c_o (0 bytes) and TS 192.168.10.0/24 === 0.0.0.0/0
Mar  6 14:33:16 vpn-endpoint-euw2-prod charon: 12[IKE] sending DELETE for ESP CHILD_SA with SPI c447c376
Mar  6 14:33:16 vpn-endpoint-euw2-prod charon: 12[IKE] CHILD_SA closed

Answer 1

Just remove `rightsubnet=0.0.0.0/0` from `conn incoming`, otherwise you tunnel everything to the last connected client.

When assigning virtual IPs to clients, no remote traffic selector should be configured (`rightsubnet` in ipsec.conf, `remote_ts` in swanctl.conf), as the documentation says.
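The following script is an added diagnostic that is not part of the question, the answer, or the strongSwan project. It shows the failure mode described above from two angles. First, it reads charon log lines in the format the question's log uses (the sample below is built from those lines) and reports every CHILD_SA whose remote traffic selector is wider than the single virtual IP handed to that peer, plus every pair of CHILD_SAs whose local and remote selectors both overlap, which is exactly the situation in which each new client's policy shadows the previous client's. Second, it runs a minimal ipsec.conf check that flags a `conn` combining `rightsourceip` with an explicit `rightsubnet`, the setting the answer tells you to remove; the parser only understands the flat `key=value` layout shown in the question. With `rightsubnet` gone, strongSwan narrows the remote selector to the assigned virtual IP, so the expected log line would read `TS 192.168.10.0/24 === 10.25.2.1/32` instead of `=== 0.0.0.0/0` (that expected line is my statement of the documented behaviour, not something on this page).

```python
import ipaddress
import re

# Constructed sample input: the relevant charon lines from the question's log.
SAMPLE_LOG = """\
Mar  6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] CHILD_SA bf_tunel2{1} established with SPIs c086077e_i c1b1cbeb_o and TS 10.25.2.0/24 === 192.168.10.0/24
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] assigning virtual IP 10.25.2.1 to peer 'user2'
Mar  6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] CHILD_SA bf_in{2} established with SPIs c8553926_i 088be440_o and TS 192.168.10.0/24 === 0.0.0.0/0
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] assigning virtual IP 10.25.2.2 to peer 'user'
Mar  6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] CHILD_SA bf_in{3} established with SPIs c447c376_i bdd4e08c_o and TS 192.168.10.0/24 === 0.0.0.0/0
"""

# Constructed sample config: the question's "conn incoming", trimmed to the keys that matter.
BROKEN_CONF = """\
conn incoming
    left=10.25.1.0/24
    leftsubnet=192.168.10.0/24
    right=%any
    rightsourceip=10.25.2.0/24
    rightsubnet=0.0.0.0/0
    auto=add
"""
# The fix from the answer: the same conn without rightsubnet.
FIXED_CONF = BROKEN_CONF.replace("    rightsubnet=0.0.0.0/0\n", "")

THREAD_RE = re.compile(r"charon: (\d+)\[IKE\] (.*)$")
VIP_RE = re.compile(r"assigning virtual IP (\S+) to peer '([^']*)'")
CHILD_RE = re.compile(
    r"CHILD_SA (\w+)\{(\d+)\} established with SPIs \S+ \S+ and TS (\S+) === (\S+)")


def parse_child_sas(log_text):
    """Return one dict per established CHILD_SA with its local/remote TS and, if
    the same worker thread assigned one just before, the peer's virtual IP."""
    pending_vip = {}  # worker thread id -> virtual IP not yet tied to a CHILD_SA
    sas = []
    for line in log_text.splitlines():
        m = THREAD_RE.search(line)
        if not m:
            continue
        thread, msg = m.groups()
        v = VIP_RE.match(msg)
        if v:
            pending_vip[thread] = v.group(1)
            continue
        c = CHILD_RE.match(msg)
        if c:
            sas.append({
                "name": f"{c.group(1)}{{{c.group(2)}}}",
                "local_ts": ipaddress.ip_network(c.group(3)),
                "remote_ts": ipaddress.ip_network(c.group(4)),
                "vip": pending_vip.pop(thread, None),
            })
    return sas


def wider_than_vip(sas):
    """Names of CHILD_SAs whose remote TS is not exactly the peer's virtual IP /32."""
    return [sa["name"] for sa in sas
            if sa["vip"] is not None
            and sa["remote_ts"] != ipaddress.ip_network(sa["vip"])]


def conflicting_policies(sas):
    """Pairs of CHILD_SAs whose local AND remote selectors overlap: the kernel
    policies they install cover the same traffic, so one shadows the other."""
    pairs = []
    for i, a in enumerate(sas):
        for b in sas[i + 1:]:
            if a["local_ts"].overlaps(b["local_ts"]) and a["remote_ts"].overlaps(b["remote_ts"]):
                pairs.append((a["name"], b["name"]))
    return pairs


def parse_conns(conf_text):
    """Minimal ipsec.conf reader: {conn name: {key: value}} for flat key=value conns."""
    conns, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():  # section header such as "conn incoming" or "config setup"
            head = line.split()
            current = conns.setdefault(head[1], {}) if head[0] == "conn" and len(head) > 1 else None
            continue
        if current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def check_conn(conf_text, conn_name):
    """Flag a conn that hands out virtual IPs but also pins an explicit remote TS."""
    conn = parse_conns(conf_text).get(conn_name, {})
    findings = []
    if "rightsourceip" in conn and "rightsubnet" in conn:
        findings.append(f"{conn_name}: rightsubnet={conn['rightsubnet']} is set together with "
                        f"rightsourceip={conn['rightsourceip']}; remove rightsubnet so the remote "
                        f"TS narrows to each client's virtual IP")
    return findings


if __name__ == "__main__":
    sas = parse_child_sas(SAMPLE_LOG)
    print("remote TS wider than virtual IP:", wider_than_vip(sas))
    print("CHILD_SAs shadowing each other:", conflicting_policies(sas))
    print("broken conf:", check_conn(BROKEN_CONF, "incoming"))
    print("fixed conf:", check_conn(FIXED_CONF, "incoming"))
```

On the server itself the same shadowing is visible without any log parsing: `ip xfrm policy` lists one outbound policy per client, each with `dst 0.0.0.0/0`, and only one of them can win the lookup for a given packet. The site-to-site CHILD_SA `bf_tunel2{1}` is deliberately not reported: its local selector (10.25.2.0/24) does not overlap the clients' local selector, so its policy does not compete with theirs.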
