我之前已经看到过几次此类问题,但到目前为止,都没有解决我的问题。
我正在尝试使用 Strongswan 在 Ubuntu 服务器上设置 IKEv2 VPN,以便与 Windows Phone 一起使用。连接似乎设置正确,但没有路由数据包,我无法 ping VPN 客户端的 IP 地址。
我的服务器的内部网络是 192.168.1.0/24,我的服务器的 IP 是 192.168.1.110 并且位于 NAT 后面。
/var/log/syslog
May 8 09:50:01 seanco-server charon: 16[NET] received packet: from 166.147.118.120[13919] to 192.168.1.110[500]
May 8 09:50:01 seanco-server charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
May 8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
May 8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
May 8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May 8 09:50:01 seanco-server charon: 16[IKE] 166.147.118.120 is initiating an IKE_SA
May 8 09:50:01 seanco-server charon: 16[IKE] local host is behind NAT, sending keep alives
May 8 09:50:01 seanco-server charon: 16[IKE] remote host is behind NAT
May 8 09:50:01 seanco-server charon: 16[IKE] sending cert request for "C=xx, ST=xx, L=xxx, O=xxx, CN=xxx, E=xxx"
May 8 09:50:01 seanco-server charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May 8 09:50:01 seanco-server charon: 16[NET] sending packet: from 192.168.1.110[500] to 166.147.118.120[13919]
May 8 09:50:01 seanco-server charon: 08[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May 8 09:50:01 seanco-server charon: 08[ENC] unknown attribute type INTERNAL_IP4_SERVER
May 8 09:50:01 seanco-server charon: 08[ENC] unknown attribute type INTERNAL_IP6_SERVER
May 8 09:50:01 seanco-server charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May 8 09:50:01 seanco-server charon: 08[IKE] received cert request for "C=xx, ST=xx, L=xxx, O=xxx, CN=xxx, E=xxx"
May 8 09:50:01 seanco-server charon: 08[IKE] received 31 cert requests for an unknown ca
May 8 09:50:01 seanco-server charon: 08[CFG] looking for peer configs matching 192.168.1.110[%any]...166.147.118.120[10.212.235.245]
May 8 09:50:01 seanco-server charon: 08[CFG] selected peer config 'windows-phone-vpn'
May 8 09:50:01 seanco-server charon: 08[IKE] initiating EAP-Identity request
May 8 09:50:01 seanco-server charon: 08[IKE] peer supports MOBIKE
May 8 09:50:01 seanco-server charon: 08[IKE] authentication of 'steakscorp.org' (myself) with RSA signature successful
May 8 09:50:01 seanco-server charon: 08[IKE] sending end entity cert "D=xxx, C=xx, CN=xxx, E=xxx"
May 8 09:50:01 seanco-server charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
May 8 09:50:01 seanco-server charon: 08[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May 8 09:50:02 seanco-server charon: 10[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May 8 09:50:02 seanco-server charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
May 8 09:50:02 seanco-server charon: 10[IKE] received EAP identity 'Windows Phone\jinhai'
May 8 09:50:02 seanco-server charon: 10[IKE] initiating EAP_MSCHAPV2 method (id 0xA5)
May 8 09:50:02 seanco-server charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
May 8 09:50:02 seanco-server charon: 10[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May 8 09:50:02 seanco-server charon: 09[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May 8 09:50:02 seanco-server charon: 09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
May 8 09:50:02 seanco-server charon: 09[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
May 8 09:50:02 seanco-server charon: 09[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May 8 09:50:02 seanco-server charon: 11[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May 8 09:50:02 seanco-server charon: 11[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
May 8 09:50:02 seanco-server charon: 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
May 8 09:50:02 seanco-server charon: 11[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
May 8 09:50:02 seanco-server charon: 11[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May 8 09:50:02 seanco-server charon: 12[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May 8 09:50:02 seanco-server charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
May 8 09:50:02 seanco-server charon: 12[IKE] authentication of '10.212.235.245' with EAP successful
May 8 09:50:02 seanco-server charon: 12[IKE] authentication of 'steakscorp.org' (myself) with EAP
May 8 09:50:02 seanco-server charon: 12[IKE] IKE_SA windows-phone-vpn[2] established between 192.168.1.110[steakscorp.org]...166.147.118.120[10.212.235.245]
May 8 09:50:02 seanco-server charon: 12[IKE] scheduling reauthentication in 10200s
May 8 09:50:02 seanco-server charon: 12[IKE] maximum IKE_SA lifetime 10740s
May 8 09:50:02 seanco-server charon: 12[IKE] peer requested virtual IP %any6
May 8 09:50:02 seanco-server charon: 12[CFG] reassigning offline lease to 'Windows Phone\jinhai'
May 8 09:50:02 seanco-server charon: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'Windows Phone\jinhai'
May 8 09:50:02 seanco-server charon: 12[IKE] CHILD_SA windows-phone-vpn{2} established with SPIs c214680b_i a1cbebd2_o and TS 0.0.0.0/0[udp/l2f] === 10.8.0.1/32[udp]
May 8 09:50:02 seanco-server vpn: + 10.212.235.245 10.8.0.1/32 == 166.147.118.120 -- 192.168.1.110 == 0.0.0.0/0
May 8 09:50:02 seanco-server charon: 12[ENC] generating IKE_AUTH response 5 [ AUTH CP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
May 8 09:50:02 seanco-server charon: 12[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May 8 09:50:22 seanco-server charon: 16[IKE] sending keep alive
May 8 09:50:22 seanco-server charon: 16[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May 8 09:50:32 seanco-server charon: 10[IKE] sending DPD request
May 8 09:50:32 seanco-server charon: 10[ENC] generating INFORMATIONAL request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]
/etc/ipsec.conf
config setup
strictcrlpolicy = no
charonstart = yes
plutostart = no
conn windows-phone-vpn
auto = route
compress = no
dpdaction = clear
pfs = no
keyexchange = ikev2
type = tunnel
left = %any
leftfirewall = yes
leftauth = pubkey
leftid = steakscorp.org
leftcert = /etc/apache2/ssl/start-ssl.crt
leftca = /etc/apache2/ssl/start-ssl-ca.pem
leftsendcert = always
leftsubnet = 0.0.0.0/0
right = %any
rightauth = eap-mschapv2
eap_identity = %any
rightca = /etc/ipsec.d/cacerts/vpnca.pem
rightsendcert = ifasked
rightsourceip = 10.8.0.0/24
#leftprotoport = 17/1701
#rightprotoport = 17/%any
是否配置
eth1 Link encap:Ethernet HWaddr aa:00:04:00:0a:04
inet addr:192.168.1.110 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::21e:4fff:feaa:1577/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:157187 errors:0 dropped:0 overruns:0 frame:0
TX packets:162827 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:121434663 (121.4 MB) TX bytes:129069773 (129.0 MB)
Interrupt:21 Memory:fe9e0000-fea00000
ham0 Link encap:Ethernet HWaddr 7a:79:19:da:fb:84
inet addr:25.218.251.132 Bcast:25.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::7879:19ff:feda:fb84/64 Scope:Link
inet6 addr: 2620:9b::19da:fb84/96 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1404 Metric:1
RX packets:1622 errors:0 dropped:0 overruns:0 frame:0
TX packets:3115 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:384780 (384.7 KB) TX bytes:1249410 (1.2 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6554 errors:0 dropped:0 overruns:0 frame:0
TX packets:6554 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2036987 (2.0 MB) TX bytes:2036987 (2.0 MB)
iptables
# Generated by iptables-save v1.4.12 on Fri May 9 10:33:46 2014
*mangle
:PREROUTING ACCEPT [604388:58921019]
:INPUT ACCEPT [4937028:2589137657]
:FORWARD ACCEPT [22:1366]
:OUTPUT ACCEPT [3919078:5188868578]
:POSTROUTING ACCEPT [4008714:5195778648]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Fri May 9 10:33:46 2014
# Generated by iptables-save v1.4.12 on Fri May 9 10:33:46 2014
*filter
:INPUT ACCEPT [1737:217459]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16831:20344894]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_U_ADMIN_IN - [0:0]
:AS0_U_USERLOCA_IN - [0:0]
:AS0_WEBACCEPT - [0:0]
:fail2ban-apache - [0:0]
:fail2ban-apache-404 - [0:0]
:fail2ban-apache-noscript - [0:0]
:fail2ban-apache-overflows - [0:0]
:fail2ban-apache-postflood - [0:0]
:fail2ban-ip-blocklist - [0:0]
:fail2ban-repeatoffender - [0:0]
:fail2ban-ssh - [0:0]
:fail2ban-ssh-ddos - [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-404
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-noscript
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
-A INPUT -p tcp -j fail2ban-ip-blocklist
-A INPUT -p tcp -j fail2ban-repeatoffender
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-postflood
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN -d 10.0.8.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j ACCEPT
-A AS0_OUT -j DROP
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_U_ADMIN_IN -d 192.168.1.0/24 -j ACCEPT
-A AS0_U_ADMIN_IN -j AS0_IN_POST
-A AS0_U_USERLOCA_IN -d 192.168.1.0/24 -j ACCEPT
-A AS0_U_USERLOCA_IN -j AS0_IN_POST
-A AS0_WEBACCEPT -j ACCEPT
-A fail2ban-apache -j RETURN
-A fail2ban-apache-404 -j RETURN
-A fail2ban-apache-noscript -j RETURN
-A fail2ban-apache-overflows -j RETURN
-A fail2ban-apache-postflood -j RETURN
-A fail2ban-ip-blocklist -j RETURN
-A fail2ban-repeatoffender -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh-ddos -j RETURN
COMMIT
# Completed on Fri May 9 10:33:46 2014
# Generated by iptables-save v1.4.12 on Fri May 9 10:33:46 2014
*nat
:PREROUTING ACCEPT [906:84714]
:INPUT ACCEPT [860:81590]
:OUTPUT ACCEPT [233:50740]
:POSTROUTING ACCEPT [233:50740]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A POSTROUTING -d 192.168.2.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
-A AS0_NAT -o eth1 -j SNAT --to-source 192.168.1.110
-A AS0_NAT -o ham0 -j SNAT --to-source 25.218.251.132
-A AS0_NAT -o tun0 -j SNAT --to-source 10.8.0.1
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -d 10.0.8.0/24 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Fri May 9 10:33:46 2014
ip xfrm 策略
src 10.8.0.1/32 dst 0.0.0.0/0 proto udp dport 1701
dir fwd priority 1920
tmpl src 166.147.118.120 dst 192.168.1.110
proto esp reqid 3 mode tunnel
src 10.8.0.1/32 dst 0.0.0.0/0 proto udp dport 1701
dir in priority 1920
tmpl src 166.147.118.120 dst 192.168.1.110
proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 10.8.0.1/32 proto udp sport 1701
dir out priority 1920
tmpl src 192.168.1.110 dst 166.147.118.120
proto esp reqid 3 mode tunnel
有些事情对我来说看起来有点奇怪(当建立连接时,不应该启动 ipsec0 吗?),但是我现在很困惑,真的很需要一些帮助。
编辑:注释掉protoport 行并关闭tun0接口。
答案1
你需要:
>$ iptables -t nat -A POSTROUTING -o eth0 ! -p esp -j SNAT --to-source "your VPN host IP"
>$ service iptables save
>$ service iptables restart
>$ service ipsec restart
答案2
您启用了 ipv4 转发吗?
$sudo sysctl -w net.ipv4.ip_forward=1
您是否添加了 MASQUERADE POSTROUTING 规则?
$sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE