I have set up an IPsec server and after a while I was able to connect to it from my Android device. But the client has no internet connection. I also added NAT rules to forward traffic from the virtual IPs, but the problem persists. How can I find and solve the problem? :(
Server: /etc/ipsec.conf
conn android
    keyexchange=ikev2
    ike=aes256-sha1-modp1024,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024!
    esp=aes256-sha1,aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes256-sha256-modp2048,aes256-sha1-modp2048,aes128-sha256-modp1024,aes128-sha1-modp1024,aes256-sha384-modp1536,aes256-sha256-modp1536,aes256-sha1-modp1536,aes256-sha384-modp1024,aes256-sha256-modp1024,aes256-sha1-modp1024,aes128gcm16,aes256gcm16,aes128-sha256,aes128-sha1,aes256-sha384,aes256-sha256!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=example.com
    leftfirewall=yes
    leftauth=pubkey
    leftsubnet=0.0.0.0/0
    leftcert=example.com.crt
    lefthostaccess=yes
    right=%any
    rightfirewall=yes
    rightauth=eap-mschapv2
    rightsendcert=never
    rightsubnet=192.168.31.0/24
    rightsourceip=192.168.31.0/24
    rightdns=8.8.8.8
    eap_identity=%any
    type=tunnel
    auto=add
ip xfrm policy
src 192.168.31.0/24 dst 0.0.0.0/0
    dir fwd priority 1955
    tmpl src x.x.x.x dst y.y.y.y
        proto esp reqid 2 mode tunnel
src 192.168.31.0/24 dst 0.0.0.0/0
    dir in priority 1955
    tmpl src x.x.x.x dst y.y.y.y
        proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 192.168.31.0/24
    dir out priority 1955
    tmpl src y.y.y.y dst x.x.x.x
        proto esp reqid 2 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0
src ::/0 dst ::/0
    socket in priority 0
src ::/0 dst ::/0
    socket out priority 0
src ::/0 dst ::/0
    socket in priority 0
src ::/0 dst ::/0
    socket out priority 0
Client: strongSwan VPN client for Android
Answer 1
In the end I found the problem. Adding forward rules to iptables solved my problem.
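The forward and NAT rules the answer refers to, as an added example that is not part of the original thread. It assumes the virtual IP pool 192.168.31.0/24 from the rightsourceip line above and an upstream interface named eth0 (a placeholder to replace with the server's real WAN interface); the `-m policy --pol ipsec` match keeps the FORWARD accept limited to packets that really came out of, or are about to enter, an IPsec SA, so a plaintext packet arriving on the WAN with a forged pool source address is not forwarded.

```shell
#!/bin/sh
# Added example (not from the original thread): FORWARD and NAT rules that
# give strongSwan road-warrior clients internet access through the server.
# Assumptions: pool 192.168.31.0/24 (rightsourceip), WAN interface eth0
# (placeholder). Override with POOL=... WAN_IF=... in the environment.

# Emit the rules as text so they can be reviewed (and tested) before being
# applied. Rules are appended (-A); if the chains already end in a catch-all
# DROP/REJECT rule, insert them with -I instead so they take effect.
ipsec_forward_rules() {
    pool="$1"
    wan="$2"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -A FORWARD -s $pool -m policy --dir in --pol ipsec --proto esp -j ACCEPT
iptables -A FORWARD -d $pool -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat -A POSTROUTING -s $pool -o $wan -m policy --dir out --pol ipsec --proto esp -j ACCEPT
iptables -t nat -A POSTROUTING -s $pool -o $wan -j MASQUERADE
EOF
}
# Line 2/3: forward decrypted client traffic out and replies back in, but only
#           for packets matched by an IPsec policy, not arbitrary plaintext
#           with a pool address as source.
# Line 4:   traffic that is itself about to enter a tunnel (for example to
#           another connected client) must not be masqueraded, so it is
#           accepted in POSTROUTING before the MASQUERADE rule.
# Line 5:   everything else from the pool leaving via the WAN gets NATed.

# Apply the rules only when running as root on a host that has iptables.
apply_ipsec_forward_rules() {
    if [ "$(id -u)" -ne 0 ] || ! command -v iptables >/dev/null 2>&1; then
        echo "apply_ipsec_forward_rules: run as root on a host with iptables" >&2
        return 1
    fi
    ipsec_forward_rules "$1" "$2" | sh -e
}

if [ "${1:-}" = "--apply" ]; then
    apply_ipsec_forward_rules "${POOL:-192.168.31.0/24}" "${WAN_IF:-eth0}"
fi
```

Run the script without arguments to review the generated rules, and with `--apply` as root to install them; check afterwards with `iptables -L FORWARD -v` and `iptables -t nat -L POSTROUTING -v` that the counters increase while a client browses.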