我正在使用 AWS 托管的 Ubuntu 22 机器上的 StrongSwan 连接到客户的 Watchguard VPN。我已建立连接,但流量为零。我无法 ping 目标,另一端的人无法访问我的机器。
在我的测试 Windows 机器上,它可以连接并允许我 ping 172.30.101.11 而不会出现任何问题,因为 Watchguard 包含适用于 ios、android 和 windows 的连接配置文件/脚本,但没有适用于 Linux 的任何内容 :/
aws 入站端口
启用 4500 和 500 UDP 入站 + ESP(50) 所有端口。
ipsec配置文件
conn PHS-IKEv2-VPN
left=172.31.89.153
leftid=USERNAME
leftauth=eap-mschapv2
type=tunnel
ike=aes256-sha256-modp2048
esp=aes256-sha256-modp2048
right=8.50.50.3
rightid=%any
auto=start
rightsubnet=172.30.101.11/32
rightauth=pubkey
modeconfig=pull *also tired push here. no difference
leftsourceip=%config
我不太喜欢自定义路线,所以我去了我的 Windows 机器,并尽我所能镜像路线
确认 ubuntu 系统层面已启用 ip 转发
sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
表 220 路线。第一个是由 strongswan 创建的其余的是我从 Windows 机器镜像的,但无论有没有额外的路由,我都会得到相同的结果。
172.30.101.11 via 172.31.80.1 dev ens5 proto static src 10.184.123.129
8.50.50.3 via 172.31.80.1 dev ens5 src 172.31.89.153
10.0.0.0/8 dev ens5 scope link src 10.184.123.129
10.184.123.129 dev ens5 scope link src 10.184.123.129
10.255.255.255 dev ens5 scope link src 10.184.123.129
255.255.255.255 dev ens5 scope link src 10.184.123.129
其他路线(系统/aws 生成的路线)
sudo ip route show table main
默认通过 172.31.80.1 dev ens5 proto dhcp 度量 100 默认通过 172.31.80.1 dev ens5 proto dhcp src 172.31.89.153 度量 100 169.254.0.0/16 dev ens5 范围链接度量 1000 172.31.0.2 通过 172.31.80.1 dev ens5 proto dhcp src 172.31.89.153 度量 100 172.31.80.0/20 dev ens5 proto 内核范围链接 src 172.31.89.153 度量 100 172.31.80.1 dev ens5 proto dhcp 范围链接 src 172.31.89.153 度量100
ipsec 状态全部:
Listening IP addresses:
172.31.89.153
Connections:
IKEv2-VPN: 172.31.89.153...8.50.50.3 IKEv1/2
IKEv2-VPN: local: [USERNAME] uses EAP_MSCHAPV2 authentication
IKEv2-VPN: remote: uses public key authentication
IKEv2-VPN: child: dynamic === 172.30.101.11/32 TUNNEL
Security Associations (1 up, 0 connecting):
IKEv2-VPN[1]: ESTABLISHED 17 minutes ago, 172.31.89.153[USERNAME]...8.50.50.3[O=WatchGuard, OU=Fireware, CN=ike2muvpn Server]
IKEv2-VPN[1]: IKEv2 SPIs: a8540d486c9c39c0_i* 16392ad532fb0bcc_r, EAP reauthentication in 2 hours
IKEv2-VPN[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
IKEv2-VPN{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c26bfd03_i 8e77f201_o
IKEv2-VPN{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 29 minutes
IKEv2-VPN{1}: 10.184.123.129/32 === 172.30.101.11/32
日志
Sep 11 04:54:55 14[IKE] IKE_SA PHS-IKEv2-VPN[1] established between 172.31.89.153[GH_Remote]...8.53.54.171[O=WatchGuard, OU=Fireware, CN=ike2muvpn Server]
Sep 11 04:54:55 14[IKE] scheduling reauthentication in 10190s
Sep 11 04:54:55 14[IKE] maximum IKE_SA lifetime 10730s
Sep 11 04:54:55 14[IKE] installing DNS server 54.174.40.213 to /etc/resolv.conf
Sep 11 04:54:55 14[IKE] installing DNS server 52.3.100.184 to /etc/resolv.conf
Sep 11 04:54:55 14[CFG] handling INTERNAL_IP4_SUBNET attribute failed
Sep 11 04:54:55 14[IKE] installing new virtual IP 10.184.123.129
Sep 11 04:54:55 14[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Sep 11 04:54:55 14[IKE] CHILD_SA PHS-IKEv2-VPN{1} established with SPIs c7ee10bb_i cecb1240_o and TS 10.184.123.129/32 === 172.30.101.11/32
Sep 11 04:54:55 14[IKE] peer supports MOBIKE
Sep 11 04:56:56 06[IKE] sending keep alive to 8.53.54.171[4500]
Sep 11 04:58:56 10[IKE] sending keep alive to 8.53.54.171[4500]
从 10.x 接口执行 ping 操作:(与正常 ping 的响应相同)
ping -I 10.184.123.129 172.30.101.11
PING 172.30.101.11 (172.30.101.11) from 10.184.123.129 : 56(84) bytes of data
对应的 TCP 转储
sudo tcpdump -v -i ens5 dst 172.30.101.11
tcpdump: listening on ens5, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:01:23.464363 IP (tos 0x0, ttl 64, id 49668, offset 0, flags [DF], proto ICMP (1), length 84)
ip-172-31-89-153 > 172.30.101.11: ICMP echo request, id 132, seq 1, length 64