Post updated: 26.06 11:22
I am trying to use a Raspberry Pi running Arch Linux as a strongSwan IKEv2 server for my Windows Phone 8.1 smartphone. I want to authenticate with client certificates. My current result: the connection is established. I see packets leaving the tunnel, but no response packets entering the tunnel. Can anyone help? For testing purposes the smartphone is connected to the local WiFi (later I want to use a GSM connection).
Local network: 192.168.178.0/24, tunnel IPs: 192.168.250.0/24
ipsec.conf:
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
    strictcrlpolicy=no
    # uniqueids = no

# Add connections here.

# Connection from window phone 8.1 with client certificate
conn eap-tls
    keyexchange=ikev2
    left=%any
    leftsubnet=0.0.0.0/0
    [email protected]
    leftcert=vpnHostCert.pem
    leftauth=pubkey
    leftfirewall=yes
    right=%any
    rightauth=eap-tls
    # rightsourceip=%dhcp
    rightsourceip=192.168.250.0/24
    eap_identity=%any
    forceencaps = yes
    auto=start
    # rightsendcert=never
    # compress=yes
    # rightcert=FranzCert.pem
    # esp=aes256-sha1_160-ecp512bp!

# Sample VPN connections

#conn sample-self-signed
#    leftsubnet=10.1.0.0/16
#    leftcert=selfCert.der
#    leftsendcert=never
#    right=192.168.0.2
#    rightsubnet=10.2.0.0/16
#    rightcert=peerCert.der
#    auto=start

#conn sample-with-ca-cert
#    leftsubnet=10.1.0.0/16
#    leftcert=myCert.pem
#    right=192.168.0.2
#    rightsubnet=10.2.0.0/16
#    rightid="C=CH, O=Linux strongSwan CN=peer name"
#    auto=start
iptables-save:
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:10:48 2015
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.250.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jun 26 09:10:48 2015
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:10:48 2015
*filter
:INPUT ACCEPT [33:2276]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [26:2872]
COMMIT
# Completed on Fri Jun 26 09:10:48 2015
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:10:48 2015
*raw
:PREROUTING ACCEPT [34:2328]
:OUTPUT ACCEPT [28:3264]
-A PREROUTING -s 192.168.250.0/24 -j LOG
-A PREROUTING -d 192.168.250.0/24 -j LOG
COMMIT
# Completed on Fri Jun 26 09:10:48 2015
Still no further ideas?
After starting strongSwan, iptables-save shows additional rules:
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:14:12 2015
*nat
:PREROUTING ACCEPT [4:2319]
:INPUT ACCEPT [4:2319]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.250.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.250.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jun 26 09:14:12 2015
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:14:12 2015
*filter
:INPUT ACCEPT [17:1708]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [14:1960]
-A FORWARD -s 192.168.250.1/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A FORWARD -d 192.168.250.1/32 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
# Completed on Fri Jun 26 09:14:12 2015
# Generated by iptables-save v1.4.21 on Fri Jun 26 09:14:12 2015
*raw
:PREROUTING ACCEPT [271:22907]
:OUTPUT ACCEPT [191:25761]
-A PREROUTING -s 192.168.250.0/24 -j LOG
-A PREROUTING -d 192.168.250.0/24 -j LOG
COMMIT
# Completed on Fri Jun 26 09:14:12 2015
A test: I started strongSwan, connected the phone, and entered 192.168.178.1 (the Fritzbox router) in the URL bar. journalctl shows the following lines:
Jun 26 09:17:27 alarmpi ipsec_starter[858]: Starting strongSwan 5.3.2 IPsec [starter]...
Jun 26 09:17:27 alarmpi ipsec_starter[867]: charon (868) started after 480 ms
Jun 26 09:17:34 alarmpi vpn[893]: + 192.168.178.23 192.168.250.1/32 == 87.154.185.133 -- 192.168.178.25 == 0.0.0.0/0
Jun 26 09:17:37 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:01:48:44:91:00:00:80:11:3a:6a SRC=192.168.250.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=17553 PROTO=UDP SPT=68 DPT=67 LEN=308
Jun 26 09:17:38 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:01:48:44:92:00:00:80:11:3a:69 SRC=192.168.250.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=17554 PROTO=UDP SPT=68 DPT=67 LEN=308
Jun 26 09:17:40 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:00:34:1e:d7:40:00:80:06:ae:98 SRC=192.168.250.1 DST=192.168.178.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=7895 DF PROTO=TCP SPT=50925 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 26 09:17:41 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:00:34:1e:d8:40:00:80:06:ae:97 SRC=192.168.250.1 DST=192.168.178.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=7896 DF PROTO=TCP SPT=50925 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Jun 26 09:17:43 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:01:48:44:93:00:00:80:11:3a:68 SRC=192.168.250.1 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=128 ID=17555 PROTO=UDP SPT=68 DPT=67 LEN=308
Jun 26 09:17:43 alarmpi kernel: IN=eth0 OUT= MAC=b8:27:eb:72:f0:a6:24:65:11:67:c0:e2:08:00:45:00:00:30:1e:d9:40:00:80:06:ae:9a SRC=192.168.250.1 DST=192.168.178.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=7897 DF PROTO=TCP SPT=50925 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Unfortunately, there seem to be no packets from 192.168.178.1 to 192.168.250.0. Everything is going wrong. I'm not sure about the strongSwan configuration, but the tunnel is established...
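As an added diagnostic example (not from the poster), here is a small Python parser that groups netfilter LOG lines of the kind shown above into 5-tuples and reports flows that never see a mirrored reply; the sample lines are constructed from the post's format, with the MAC/TOS/ID fields dropped. One caveat when reading such logs: the raw table runs before reverse NAT is applied, so a reply to a connection rewritten by the MASQUERADE rule would reach the raw PREROUTING LOG rules with DST set to the Pi's eth0 address rather than 192.168.250.1, which the posted `-d 192.168.250.0/24` rule does not match; a LOG rule in the filter FORWARD chain sees the de-NATted address instead.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the kernel LOG lines in the post:
# 192.168.250.1 is the phone's tunnel address, 192.168.178.1 the router.
SAMPLE_LOG = """\
Jun 26 09:17:37 alarmpi kernel: IN=eth0 OUT= SRC=192.168.250.1 DST=255.255.255.255 LEN=328 PROTO=UDP SPT=68 DPT=67 LEN=308
Jun 26 09:17:40 alarmpi kernel: IN=eth0 OUT= SRC=192.168.250.1 DST=192.168.178.1 LEN=52 PROTO=TCP SPT=50925 DPT=80 SYN URGP=0
Jun 26 09:17:41 alarmpi kernel: IN=eth0 OUT= SRC=192.168.250.1 DST=192.168.178.1 LEN=52 PROTO=TCP SPT=50925 DPT=80 SYN URGP=0
Jun 26 09:17:43 alarmpi kernel: IN=eth0 OUT= SRC=192.168.250.1 DST=192.168.178.1 LEN=48 PROTO=TCP SPT=50925 DPT=80 SYN URGP=0
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT)=(\S+)")
BROADCAST = "255.255.255.255"


def parse_flows(log_text):
    """Count packets per 5-tuple (src, dst, proto, sport, dport) in LOG output."""
    flows = defaultdict(int)
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if "SRC" not in fields or "DST" not in fields:
            continue  # not a netfilter LOG line
        key = (fields["SRC"], fields["DST"], fields.get("PROTO"),
               fields.get("SPT"), fields.get("DPT"))
        flows[key] += 1
    return dict(flows)


def one_way_flows(flows):
    """Return [(5-tuple, packet_count)] for flows whose mirrored 5-tuple never appears.

    Broadcasts (the phone's DHCP requests, UDP 68 -> 67) are skipped: they never
    produce a mirrored unicast reply, so they are no evidence of a broken return path.
    """
    missing = []
    for (src, dst, proto, sport, dport), count in flows.items():
        if dst == BROADCAST:
            continue
        if (dst, src, proto, dport, sport) not in flows:
            missing.append(((src, dst, proto, sport, dport), count))
    return missing


if __name__ == "__main__":
    # On the sample this reports the three SYN retransmissions to the router.
    for (src, dst, proto, sport, dport), count in one_way_flows(parse_flows(SAMPLE_LOG)):
        print(f"no reply: {src}:{sport} -> {dst}:{dport} {proto} ({count} packets)")
```

Repeated SYNs on the same source port with no mirrored flow, as here, point at the return path (forwarding, NAT or routing on the server side) rather than at the IKE negotiation itself.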