TCP SYN/ACK lost before entering the IPsec VPN tunnel

I have configured a site-to-site VPN, and it works as far as traffic going through the tunnel is concerned. I can ping and Telnet to hosts on the other network, and they can ping me back.

The problem I am running into is this: when a host on the other network sends an HTTP request to an application on my web server (it is actually an application that sends USSD menus back to mobile users; the other hosts are servers belonging to a mobile network provider), I receive the request and the handshake starts from the other host with a SYN. My server replies with SYN, ACK, but to everyone's surprise these responses never reach the other end. I am using a Cisco 820 as router and VPN server. As far as I can tell, checking the router configuration shows nothing unusual. I have not enabled any firewall; I use access lists for routing and access control.

I suspect these packets are being dropped by the router before they are encrypted and sent through the IPsec tunnel. What could be causing these packets to be dropped?

Since the three-way handshake fails, no further communication is possible.

Here is the packet trace:

    25.690224 200.32.15.154 -> 192.168.0.2   TCP 74 45367 > http [SYN]      Seq=0 Win=5840 Len=0 MSS=1452 SACK_PERM=1 TSval=610983874 TSecr=0 WS=128
    25.690267 192.168.0.2   -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=763845089 TSecr=610983874 WS=128
    26.687067 192.168.0.2   -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=763845339 TSecr=610983874 WS=128
    28.687066 192.168.0.2   -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=763845839 TSecr=610983874 WS=128
    31.688116 200.32.15.154 -> 192.168.0.2   TCP 74 45367 > http [SYN]      Seq=0 Win=5840 Len=0 MSS=1452 SACK_PERM=1 TSval=610989874 TSecr=0 WS=128
    31.688147 192.168.0.2   -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=763846589 TSecr=610983874 WS=128
    32.687068 192.168.0.2   -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=763846839 TSecr=610983874 WS=128
    40.687059 192.168.0.2   -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=763848839 TSecr=610983874 WS=128
    43.689503 200.32.15.154 -> 192.168.0.2   TCP 74 45367 > http [SYN]      Seq=0 Win=5840 Len=0 MSS=1452 SACK_PERM=1 TSval=611001874 TSecr=0 WS=128
    43.689531 192.168.0.2   -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=763849589 TSecr=610983874 WS=128
    56.887060 192.168.0.2   -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=763852889 TSecr=610983874 WS=128

Here is iptables on my server:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere             multiport dports pop3,pop3s,imap2,imaps
    fail2ban-pureftpd  tcp  --  anywhere             anywhere             multiport dports ftp
    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
    fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere             multiport dports pop3,pop3s,imap2,imaps
    fail2ban-pureftpd  tcp  --  anywhere             anywhere             multiport dports ftp
    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain fail2ban-dovecot-pop3imap (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-pureftpd (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-ssh (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

Here is the access list facing the Internet and how I programmed these addresses:

    150 deny ip 192.168.0.0 0.0.0.255 host 200.32.15.152 log (306 matches)
    160 deny ip 192.168.0.0 0.0.0.255 host 200.32.15.153 log (101 matches)
    170 deny ip 192.168.0.0 0.0.0.255 host 200.32.15.154 log (141 matches)
    180 deny ip 192.168.0.0 0.0.0.255 host 200.32.15.155 log (74 matches)

Here is the access list for the VPN:

    60 permit ip host 192.168.0.2 host 200.32.15.152 (132 matches)
    70 permit ip host 192.168.0.2 host 200.32.15.153 (74 matches)
    80 permit ip host 192.168.0.2 host 200.32.15.154 (146 matches)
    90 permit ip host 192.168.0.2 host 200.32.15.155 (72 matches)

These are the SAs for these addresses:

    local  ident (addr/mask/prot/port): (192.168.0.2/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (200.32.15.154/255.255.255.255/0/0)
    current_peer 41.72.111.122 port 500
      PERMIT, flags={origin_is_acl,}
     #pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
     #pkts decaps: 68, #pkts decrypt: 68, #pkts verify: 68
     #pkts compressed: 0, #pkts decompressed: 0
     #pkts not compressed: 0, #pkts compr. failed: 0
     #pkts not decompressed: 0, #pkts decompress failed: 0
     #send errors 0, #recv errors 0

     local crypto endpt.: 41.222.240.23, remote crypto endpt.: 41.72.111.122
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4.1
     current outbound spi: 0x8FD440DA(2413052122)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD6FEA63C(3607012924)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 19, flow_id: Onboard VPN:19, sibling_flags 80000040, crypto map: sshlink-to-savannah
        sa timing: remaining key lifetime (k/sec): (4263446/2717)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x8FD440DA(2413052122)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 20, flow_id: Onboard VPN:20, sibling_flags 80000040, crypto map: sshlink-to-savannah
        sa timing: remaining key lifetime (k/sec): (4263446/2717)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

Can somebody please help!!!

Answer 1

Finally found the solution: I had to add my public peer IP to the ACL. Because of network address translation, the return half of the handshake is sent using the public peer IP, so once the public peer IP was added to the ACL everything fell into place! Everything works.
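Added example, not part of the question or the answer: a small Python model of the Cisco IOS inside-to-outside order of operations, in which NAT rewrites the source address before the crypto map's ACL is consulted. It runs the server's SYN/ACK from the capture (192.168.0.2 -> 200.32.15.154) through three configurations: crypto ACL line 80 exactly as posted, the same ACL with an entry for the router's public address added (the answer's fix), and, going beyond the answer, a NAT-exemption entry that keeps the private source address so the original crypto ACL matches. The PAT rule (192.168.0.0/24 overloaded onto 41.222.240.23, the local crypto endpoint from the SA output) is an assumption; the post does not show the NAT configuration.

```python
import ipaddress
from dataclasses import dataclass, replace as dc_replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    """One extended-ACL entry: action plus source/destination written the IOS way
    ('host A', 'A wildcard' or 'any'). Ports are ignored, as in the posted 'ip' ACLs."""
    action: str  # "permit" or "deny"
    src: str
    dst: str


def _addr_matches(addr: str, spec: str) -> bool:
    """IOS address matching: 'any', 'host X', or 'network wildcard'.
    In a wildcard mask a 0 bit must match and a 1 bit is don't-care."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wildcard = parts
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def acl_lookup(acl: list, pkt: Packet) -> str:
    """First-match evaluation with the implicit 'deny' IOS appends to every ACL."""
    for ace in acl:
        if _addr_matches(pkt.src, ace.src) and _addr_matches(pkt.dst, ace.dst):
            return ace.action
    return "deny"


# Router's outside address; it is the local crypto endpoint in the posted SA output.
# That it is also the PAT address is an assumption, not something the post states.
OUTSIDE_ADDR = "41.222.240.23"


def nat_inside_to_outside(pkt: Packet, nat_acl: list):
    """Models 'ip nat inside source list <acl> interface <outside> overload':
    a permit in the NAT ACL translates the source, a deny exempts the packet."""
    if acl_lookup(nat_acl, pkt) == "permit":
        return dc_replace(pkt, src=OUTSIDE_ADDR), True
    return pkt, False


def forward_inside_to_outside(pkt: Packet, nat_acl: list, crypto_acl: list) -> dict:
    """Cisco's documented inside-to-outside order: NAT first, then the crypto map
    decides whether the (already translated) packet is selected for encryption."""
    translated, natted = nat_inside_to_outside(pkt, nat_acl)
    encrypted = acl_lookup(crypto_acl, translated) == "permit"
    return {"src_on_wire": translated.src, "natted": natted, "encrypted": encrypted}


# Assumed NAT ACL: everything from the LAN is PATed to the outside address.
NAT_ACL = [Ace("permit", "192.168.0.0 0.0.0.255", "any")]
# Crypto ACL line 80 from the post.
CRYPTO_ACL_ORIGINAL = [Ace("permit", "host 192.168.0.2", "host 200.32.15.154")]
# The answer's fix: also select the translated (public) source for encryption.
CRYPTO_ACL_FIXED = CRYPTO_ACL_ORIGINAL + [Ace("permit", f"host {OUTSIDE_ADDR}", "host 200.32.15.154")]
# Alternative fix: exempt VPN traffic from NAT so the original crypto ACL keeps matching.
NAT_ACL_EXEMPT = [Ace("deny", "host 192.168.0.2", "host 200.32.15.154")] + NAT_ACL

# The retransmitted SYN/ACK from the capture (constructed from the trace's addresses and ports).
SYN_ACK = Packet("192.168.0.2", "200.32.15.154", "tcp", 80, 45367)


def diagnose() -> dict:
    """Run the SYN/ACK through the posted configuration and both fixes."""
    return {
        "original": forward_inside_to_outside(SYN_ACK, NAT_ACL, CRYPTO_ACL_ORIGINAL),
        "crypto_acl_fix": forward_inside_to_outside(SYN_ACK, NAT_ACL, CRYPTO_ACL_FIXED),
        "nat_exempt_fix": forward_inside_to_outside(SYN_ACK, NAT_ACL_EXEMPT, CRYPTO_ACL_ORIGINAL),
    }


if __name__ == "__main__":
    for name, result in diagnose().items():
        print(f"{name:15s} src={result['src_on_wire']:15s} natted={result['natted']!s:5s} encrypted={result['encrypted']}")
```

In the "original" case the SYN/ACK leaves with source 41.222.240.23 and is never selected by the crypto map, so it is not encapsulated; that is consistent with the posted SA counters, where #pkts decaps is 68 but #pkts encaps is only 28. Either fix makes the crypto map match: the answer's entry for the public address accepts the translated packet, while a deny in the NAT ACL keeps the private source so the original entry matches. Watching the encaps counter in `show crypto ipsec sa` while the remote host retries the connection is the quickest check of which path a packet actually took.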
