Strongswan - iOS Roadwarrior cannot reach hosts on the internet

I've run into a rather strange problem: the Strongswan IPSec VPN cannot reach hosts on the internet. I can connect to the VPN without trouble, and I can reach hosts on the local network. I've also set up the IP forwarding rules described on the Strongswan wiki. Any ideas why it isn't working? Thanks.

System information

OS: OpenWRT CHAOS CALMER (15.05-rc3, r46163)

Strongswan version: Linux strongSwan U5.3.2/K3.18.17

Network interfaces

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
   valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 532
link/ether 94:10:3e:9c:bb:c3 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 532
link/ether 96:10:3e:9c:bb:c3 brd ff:ff:ff:ff:ff:ff
inet [my ip address] brd [my ip address] scope global eth1
   valid_lft forever preferred_lft forever
inet6 [my ipv6 address] scope link
   valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 94:10:3e:9c:bb:c3 brd ff:ff:ff:ff:ff:ff
inet 192.168.200.1/24 brd 192.168.200.255 scope global br-lan
   valid_lft forever preferred_lft forever
inet6 fd1f:2465:879c::1/60 scope global noprefixroute
   valid_lft forever preferred_lft forever
inet6 fe80::9610:3eff:fe9c:bbc3/64 scope link
   valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
link/ether 00:25:9c:13:94:8f brd ff:ff:ff:ff:ff:ff
inet6 fe80::225:9cff:fe13:948f/64 scope link
   valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
link/ether 00:25:9c:13:94:90 brd ff:ff:ff:ff:ff:ff
inet6 fe80::225:9cff:fe13:9490/64 scope link
   valid_lft forever preferred_lft forever

ipsec.conf

config setup
    charondebug="cfg 2, dmn 2, ike 2, net 4"

conn %default
    keyexchange=ikev2
    ike=aes256-sha1-modp2048!
    esp=aes256-sha1!
    dpdaction=clear
    dpddelay=300s
    dpdtimeout=5s
    rekey=no

conn ios
    left=%any
    leftsubnet=0.0.0.0/0,::/0
    leftauth=pubkey
    leftcert=serverCert.pem
    leftid=[my dns]
    leftsendcert=always
    leftfirewall=yes
    right=%any
    compress=no
    rightsourceip=10.0.0.0/24
    rightsubnet=10.0.0.0/24
    rightdns=8.8.8.8,8.8.4.4
    rightauth=eap-mschapv2
    rightsendcert=never
    eap_identity=%any
    forceencaps=yes
    auto=add

strongswan.conf

  charon {
          dns1 = 192.168.200.1

          threads = 16

          plugins {

                  dhcp {
                          server = 192.168.200.1
                          load = yes
                          identity_lease = yes
                  }
          }

  }

  libstrongswan {

          #  set to no, the DH exponent size is optimized
          #  dh_exponent_ansi_x9_42 = no
 }

iptables -t nat -L

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
delegate_prerouting  all  --  anywhere             anywhere

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.0/24          anywhere             policy match dir out pol ipsec
MASQUERADE  all  --  10.0.0.0/24          anywhere
SNAT      !esp  --  anywhere             anywhere                 to:[my ip address]
SNAT      !esp  --  anywhere             anywhere                 to:[my ip address]
delegate_postrouting  all  --  anywhere             anywhere

Chain delegate_postrouting (1 references)
target     prot opt source               destination
postrouting_rule  all  --  anywhere             anywhere                 /* user chain for postrouting */
zone_lan_postrouting  all  --  anywhere             anywhere
zone_wan_postrouting  all  --  anywhere             anywhere

Chain delegate_prerouting (1 references)
target     prot opt source               destination
prerouting_rule  all  --  anywhere             anywhere                 /* user chain for prerouting */
zone_lan_prerouting  all  --  anywhere             anywhere
zone_wan_prerouting  all  --  anywhere             anywhere

Chain postrouting_lan_rule (1 references)
target     prot opt source               destination

Chain postrouting_rule (1 references)
target     prot opt source               destination

Chain postrouting_wan_rule (1 references)
target     prot opt source               destination

Chain prerouting_lan_rule (1 references)
target     prot opt source               destination

Chain prerouting_rule (1 references)
target     prot opt source               destination

Chain prerouting_wan_rule (1 references)
target     prot opt source               destination

Chain zone_lan_postrouting (1 references)
target     prot opt source               destination
postrouting_lan_rule  all  --  anywhere             anywhere                 /* user chain for postrouting */
SNAT       tcp  --  192.168.200.0/24     DYLAN-PC.lan         tcp         dpt:20545 /* PA (reflection) */ to:192.168.200.1
SNAT       udp  --  192.168.200.0/24     DYLAN-PC.lan         udp     dpt:20545 /* PA (reflection) */ to:192.168.200.1

Chain zone_lan_prerouting (1 references)
target     prot opt source               destination
prerouting_lan_rule  all  --  anywhere             anywhere                 /* user chain for prerouting */

Chain zone_wan_postrouting (1 references)
target     prot opt source               destination
postrouting_wan_rule  all  --  anywhere             anywhere                 /* user chain for postrouting */
MASQUERADE  all  --  anywhere             anywhere

Chain zone_wan_prerouting (1 references)
target     prot opt source               destination
prerouting_wan_rule  all  --  anywhere             anywhere                 /* user chain for prerouting */

ipsec statusall

Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.18.17, armv7l):
  uptime: 38 minutes, since Oct 25 15:41:56 2015
  malloc: sbrk 249856, mmap 0, used 235568, free 14288
  worker threads: 5 of 16 idle, 7/0/4/0 working, job queue: 0/0/0/0, scheduled: 1
  loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck uci addrblock unity
Virtual IP pools (size/online/offline):
  10.0.0.0/24: 254/1/0
Listening IP addresses:
  [my ip]
  192.168.200.1
  fd1f:2465:879c::1
Connections:
         ios:  %any...%any  IKEv2, dpddelay=300s
         ios:   local:  [my dns] uses public key authentication
         ios:    cert:  "C=[private], O=[private], CN=[private]"
         ios:   remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
         ios:   child:  0.0.0.0/0 ::/0 === 10.0.0.0/24 TUNNEL,     dpdaction=clear
Security Associations (1 up, 0 connecting):
         ios[1]: ESTABLISHED 38 minutes ago, [my ip][my dns]...192.168.200.82[192.168.200.82]
         ios[1]: Remote EAP identity: Root
         ios[1]: IKEv2 SPIs: b37f832ebfca2f94_i 880899839db79676_r*, rekeying disabled
         ios[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
         ios{3}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 84263131_i 0e3cbe75_o
         ios{3}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
         ios{3}:   0.0.0.0/0 ::..ff:ff:ff:ff:ff:ff:ff:ff === 10.0.0.0/24

tcpdump while connecting to a host on the local network (works)

16:33:22.704782 IP (tos 0x0, ttl 64, id 9350, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.200.82.57850 > 192.168.200.1.8080: Flags [S], cksum 0x7799 (correct), seq 3750784734, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 966927395 ecr 0,sackOK,eol], length 0
16:33:22.704961 IP (tos 0x0, ttl 64, id 58779, offset 0, flags [none], proto UDP (17), length 144)
    192.168.200.82.4500 > 74.83.103.140.4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x59), length 116
16:33:22.705029 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.200.1.8080 > 192.168.200.82.57850: Flags [S.], cksum 0x11d4 (incorrect -> 0x5b64), seq 2721465844, ack 3750784735, win 28960, options [mss 1460,sackOK,TS val 131648516 ecr 966927395,nop,wscale 5], length 0
16:33:22.708762 IP (tos 0x0, ttl 64, id 43704, offset 0, flags [DF], proto UDP (17), length 112)
    74.83.103.140.4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0xef58!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x59), length 84
16:33:22.711473 IP (tos 0x0, ttl 64, id 9046, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.82.57850 > 192.168.200.1.8080: Flags [.], cksum 0xdaf0 (correct), seq 1, ack 1, win 8235, options [nop,nop,TS val 966927446 ecr 131648516], length 0
16:33:22.722786 IP (tos 0x0, ttl 64, id 59126, offset 0, flags [DF], proto TCP (6), length 414)
    192.168.200.82.57850 > 192.168.200.1.8080: Flags [P.], cksum 0x24b0 (correct), seq 1:363, ack 1, win 8235, options [nop,nop,TS val 966927458 ecr 131648516], length 362
16:33:22.722948 IP (tos 0x0, ttl 64, id 35312, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.1.8080 > 192.168.200.82.57850: Flags [.], cksum 0x11cc (incorrect -> 0xf5f8), seq 1, ack 363, win 939, options [nop,nop,TS val 131648518 ecr 966927458], length 0
16:33:22.723414 IP (tos 0x0, ttl 64, id 35313, offset 0, flags [DF], proto TCP (6), length 88)
    192.168.200.1.8080 > 192.168.200.82.57850: Flags [P.], cksum 0x11f0 (incorrect -> 0x0f90), seq 1:37, ack 363, win 939, options [nop,nop,TS val 131648518 ecr 966927458], length 36
16:33:22.724154 IP (tos 0x0, ttl 64, id 35314, offset 0, flags [DF], proto TCP (6), length 628)
    192.168.200.1.8080 > 192.168.200.82.57850: Flags [FP.], cksum 0x140c (incorrect -> 0x64be), seq 37:613, ack 363, win 939, options [nop,nop,TS val 131648518 ecr 966927458], length 576
16:33:22.729373 IP (tos 0x0, ttl 64, id 55781, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.82.57850 > 192.168.200.1.8080: Flags [.], cksum 0xd950 (correct), seq 363, ack 37, win 8233, options [nop,nop,TS val 966927464 ecr 131648518], length 0
16:33:22.730312 IP (tos 0x0, ttl 64, id 38684, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.82.57850 > 192.168.200.1.8080: Flags [.], cksum 0xd732 (correct), seq 363, ack 614, win 8197, options [nop,nop,TS val 966927465 ecr 131648518], length 0
16:33:22.740388 IP (tos 0x0, ttl 64, id 63789, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.82.57850 > 192.168.200.1.8080: Flags [F.], cksum 0xd729 (correct), seq 363, ack 614, win 8197, options [nop,nop,TS val 966927473 ecr 131648518], length 0
16:33:22.740557 IP (tos 0x0, ttl 64, id 61626, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.1.8080 > 192.168.200.82.57850: Flags [.], cksum 0xf381 (correct), seq 614, ack 364, win 939, options [nop,nop,TS val 131648520 ecr 966927473], length 0
16:33:22.986586 IP (tos 0x0, ttl 64, id 31291, offset 0, flags [DF], proto TCP (6), length 64)
    192.168.200.82.57851 > 192.168.200.1.8080: Flags [S], cksum 0x7412 (correct), seq 2027804630, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 966927716 ecr 0,sackOK,eol], length 0
16:33:22.986790 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.200.1.8080 > 192.168.200.82.57851: Flags [S.], cksum 0x11d4 (incorrect -> 0x1b05), seq 2123277911, ack 2027804631, win 28960, options [mss 1460,sackOK,TS val 131648545 ecr 966927716,nop,wscale 5], length 0
16:33:22.990076 IP (tos 0x0, ttl 64, id 34081, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.82.57851 > 192.168.200.1.8080: Flags [.], cksum 0x9ac1 (correct), seq 1, ack 1, win 8235, options [nop,nop,TS val 966927719 ecr 131648545], length 0
16:33:22.999404 IP (tos 0x0, ttl 64, id 17707, offset 0, flags [DF], proto TCP (6), length 437)
    192.168.200.82.57851 > 192.168.200.1.8080: Flags [P.], cksum 0xb033 (correct), seq 1:386, ack 1, win 8235, options [nop,nop,TS val 966927726 ecr 131648545], length 385
16:33:22.999569 IP (tos 0x0, ttl 64, id 27257, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.1.8080 > 192.168.200.82.57851: Flags [.], cksum 0x11cc (incorrect -> 0xb5b8), seq 1, ack 386, win 939, options [nop,nop,TS val 131648546 ecr 966927726], length 0
16:33:23.124190 IP (tos 0x0, ttl 64, id 27258, offset 0, flags [DF], proto TCP (6), length 123)
    192.168.200.1.8080 > 192.168.200.82.57851: Flags [P.], cksum 0x1213 (incorrect -> 0x08f6), seq 1:72, ack 386, win 939, options [nop,nop,TS val 131648558 ecr 966927726], length 71
16:33:23.124731 IP (tos 0x0, ttl 64, id 27259, offset 0, flags [DF], proto TCP (6), length 1500)
    192.168.200.1.8080 > 192.168.200.82.57851: Flags [.], cksum 0x1774 (incorrect -> 0xf158), seq 72:1520, ack 386, win 939, options [nop,nop,TS val 131648558 ecr 966927726], length 1448
16:33:23.131681 IP (tos 0x0, ttl 64, id 27260, offset 0, flags [DF], proto TCP (6), length 785)
    192.168.200.1.8080 > 192.168.200.82.57851: Flags [FP.], cksum 0x14a9 (incorrect -> 0x1c75), seq 1520:2253, ack 386, win 939, options [nop,nop,TS val 131648559 ecr 966927726], length 733
16:33:23.136792 IP (tos 0x0, ttl 64, id 27261, offset 0, flags [DF], proto TCP (6), length 785)
    192.168.200.1.8080 > 192.168.200.82.57851: Flags [FP.], cksum 0x14a9 (incorrect -> 0x1c74), seq 1520:2253, ack 386, win 939, options [nop,nop,TS val 131648560 ecr 966927726], length 733
16:33:23.212452 IP (tos 0x0, ttl 64, id 34568, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.82.57851 > 192.168.200.1.8080: Flags [.], cksum 0x9814 (correct), seq 386, ack 72, win 8231, options [nop,nop,TS val 966927939 ecr 131648558], length 0
16:33:23.213419 IP (tos 0x0, ttl 64, id 20648, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.82.57851 > 192.168.200.1.8080: Flags [.], cksum 0x9017 (correct), seq 386, ack 2254, win 8094, options [nop,nop,TS val 966927939 ecr 131648558], length 0
16:33:23.213541 IP (tos 0x0, ttl 64, id 48495, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.82.57851 > 192.168.200.1.8080: Flags [.], cksum 0x9017 (correct), seq 386, ack 2254, win 8094, options [nop,nop,TS val 966927939 ecr 131648558], length 0
16:33:23.216709 IP (tos 0x0, ttl 64, id 63818, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.82.57851 > 192.168.200.1.8080: Flags [F.], cksum 0x8fb1 (correct), seq 386, ack 2254, win 8192, options [nop,nop,TS val 966927942 ecr 131648558], length 0
16:33:23.216874 IP (tos 0x0, ttl 64, id 61632, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.1.8080 > 192.168.200.82.57851: Flags [.], cksum 0xabfc (correct), seq 2254, ack 387, win 939, options [nop,nop,TS val 131648568 ecr 966927942], length 0
16:33:27.787312 IP (tos 0x0, ttl 64, id 42412, offset 0, flags [DF], proto TCP (6), length 158)
    192.168.200.82.55840 > 17.143.161.82.443: Flags [P.], cksum 0xebb8 (correct), seq 3594655287:3594655393, ack 269384561, win 8192, options [nop,nop,TS val 966932505 ecr 2381341221], length 106
16:33:27.875048 IP (tos 0x0, ttl 53, id 10846, offset 0, flags [DF], proto TCP (6), length 126)
    17.143.161.82.443 > 192.168.200.82.55840: Flags [P.], cksum 0x76fe (correct), seq 1:75, ack 106, win 243, options [nop,nop,TS val 2381441728 ecr 966932505], length 74
16:33:27.880223 IP (tos 0x0, ttl 64, id 61435, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.200.82.55840 > 17.143.161.82.443: Flags [.], cksum 0xdb8d (correct), seq 106, ack 75, win 8187, options [nop,nop,TS val 966932602 ecr 2381441728], length 0

tcpdump while connecting to a host on the internet (does not work)

16:32:41.024822 IP (tos 0x0, ttl 64, id 65271, offset 0, flags [none], proto UDP (17), length 60)
    192.168.200.82.63600 > 192.168.200.1.53: [udp sum ok] 54389+ A? www.google.com. (32)
16:32:41.043780 IP (tos 0x0, ttl 64, id 39217, offset 0, flags [DF], proto UDP (17), length 316)
    192.168.200.1.53 > 192.168.200.82.63600: [bad udp cksum 0x12df -> 0xe3ba!] 54389 q: A? www.google.com. 16/0/0 www.google.com. A 216.68.10.91, www.google.com. A 216.68.10.102, www.google.com. A 216.68.10.80, www.google.com. A 216.68.10.113, www.google.com. A 216.68.10.95, www.google.com. A 216.68.10.84, www.google.com. A 216.68.10.88, www.google.com. A 216.68.10.101, www.google.com. A 216.68.10.117, www.google.com. A 216.68.10.123, www.google.com. A 216.68.10.121, www.google.com. A 216.68.10.112, www.google.com. A 216.68.10.106, www.google.com. A 216.68.10.90, www.google.com. A 216.68.10.99, www.google.com. A 216.68.10.110 (288)
16:32:41.057546 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.200.1 tell 192.168.200.82, length 28
16:32:41.057624 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.200.1 is-at 94:10:3e:9c:bb:c3, length 28
16:32:41.062178 IP (tos 0x0, ttl 64, id 53004, offset 0, flags [none], proto UDP (17), length 144)
    192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x15), length 116
16:32:41.065188 IP (tos 0x0, ttl 64, id 40726, offset 0, flags [DF], proto UDP (17), length 112)
    [personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0xdf58!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x15), length 84
16:32:41.074054 IP (tos 0x0, ttl 64, id 48563, offset 0, flags [none], proto UDP (17), length 144)
    192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x16), length 116
16:32:41.078424 IP (tos 0x0, ttl 64, id 40727, offset 0, flags [DF], proto UDP (17), length 112)
    [personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x28bf!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x16), length 84
16:32:41.088822 IP (tos 0x0, ttl 64, id 42083, offset 0, flags [none], proto UDP (17), length 144)
    192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x17), length 116
16:32:41.093839 IP (tos 0x0, ttl 64, id 40728, offset 0, flags [DF], proto UDP (17), length 112)
    [personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0xfa2c!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x17), length 84
16:32:41.102155 IP (tos 0x0, ttl 64, id 32839, offset 0, flags [none], proto UDP (17), length 144)
    192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x18), length 116
16:32:41.107066 IP (tos 0x0, ttl 64, id 40730, offset 0, flags [DF], proto UDP (17), length 112)
    [personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x4d81!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x18), length 84
16:32:41.111799 IP (tos 0x0, ttl 64, id 37483, offset 0, flags [none], proto UDP (17), length 144)
    192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x19), length 116
16:32:41.117356 IP (tos 0x0, ttl 64, id 40731, offset 0, flags [DF], proto UDP (17), length 112)
    [personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0xec74!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x19), length 84
16:32:41.124423 IP (tos 0x0, ttl 64, id 52967, offset 0, flags [none], proto UDP (17), length 144)
    192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x1a), length 116
16:32:41.129381 IP (tos 0x0, ttl 64, id 40732, offset 0, flags [DF], proto UDP (17), length 112)
    [personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0xddb3!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x1a), length 84
16:32:41.135395 IP (tos 0x0, ttl 64, id 11173, offset 0, flags [none], proto UDP (17), length 144)
    192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x1b), length 116
16:32:41.140413 IP (tos 0x0, ttl 64, id 40733, offset 0, flags [DF], proto UDP (17), length 112)
    [personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x5e3a!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x1b), length 84
16:32:41.148676 IP (tos 0x0, ttl 64, id 21386, offset 0, flags [none], proto UDP (17), length 144)
    192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x1c), length 116
16:32:41.153463 IP (tos 0x0, ttl 64, id 40734, offset 0, flags [DF], proto UDP (17), length 112)
    [personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x3ad8!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x1c), length 84
16:32:41.160587 IP (tos 0x0, ttl 64, id 2472, offset 0, flags [none], proto UDP (17), length 144)
    192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x1d), length 116
16:32:41.165318 IP (tos 0x0, ttl 64, id 40735, offset 0, flags [DF], proto UDP (17), length 112)
    [personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x4e4f!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x1d), length 84
16:32:41.174659 IP (tos 0x0, ttl 64, id 861, offset 0, flags [none], proto UDP (17), length 144)
    192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x1e), length 116
16:32:41.180427 IP (tos 0x0, ttl 64, id 40737, offset 0, flags [DF], proto UDP (17), length 112)
    [personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x7622!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x1e), length 84
16:32:41.186044 IP (tos 0x0, ttl 64, id 63379, offset 0, flags [none], proto UDP (17), length 144)
    192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x1f), length 116
16:32:41.191767 IP (tos 0x0, ttl 64, id 40738, offset 0, flags [DF], proto UDP (17), length 112)
    [personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x35e1!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x1f), length 84
16:32:41.198961 IP (tos 0x0, ttl 64, id 51861, offset 0, flags [none], proto UDP (17), length 144)
    192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x20), length 116
16:32:41.204298 IP (tos 0x0, ttl 64, id 40739, offset 0, flags [DF], proto UDP (17), length 112)
    [personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x8037!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x20), length 84
16:32:41.214102 IP (tos 0x0, ttl 64, id 41375, offset 0, flags [none], proto UDP (17), length 144)
    192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x21), length 116
16:32:41.218514 IP (tos 0x0, ttl 64, id 40740, offset 0, flags [DF], proto UDP (17), length 112)
    [personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0xcde4!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x21), length 84
16:32:41.225920 IP (tos 0x0, ttl 64, id 30968, offset 0, flags [none], proto UDP (17), length 144)
    192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x22), length 116
16:32:41.229989 IP (tos 0x0, ttl 64, id 40741, offset 0, flags [DF], proto UDP (17), length 112)
    [personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x752f!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x22), length 84
16:32:41.236197 IP (tos 0x0, ttl 64, id 11505, offset 0, flags [none], proto UDP (17), length 144)
    192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x23), length 116
16:32:41.241163 IP (tos 0x0, ttl 64, id 40742, offset 0, flags [DF], proto UDP (17), length 112)
    [personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0xe347!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x23), length 84
16:32:41.249454 IP (tos 0x0, ttl 64, id 61849, offset 0, flags [none], proto UDP (17), length 144)
    192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x24), length 116
16:32:41.254248 IP (tos 0x0, ttl 64, id 40743, offset 0, flags [DF], proto UDP (17), length 112)
    [personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x5732!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x24), length 84

Answer 1

This is an iptables nat rule ordering problem.

Add these using the -I flag instead of -A:

iptables -I FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
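To make the ordering concrete, here is an added example (not code from the original question or answer) that reads `iptables -S` style output and reports when the three rules above are missing or sit behind OpenWrt's own firewall chains, which is what appending with -A produces. The `delegate_forward` chain name and both sample dumps are assumptions modelled on the `delegate_*` chains in the nat listing above.

```python
"""Check rule order for a strongSwan road-warrior NAT setup from `iptables -S` output."""
import re
from typing import Dict, List

POOL = "10.0.0.0/24"  # rightsourceip pool from the ipsec.conf on this page


def parse_rules(dump: str) -> Dict[str, List[str]]:
    """Group the '-A CHAIN rule' lines of an `iptables -S` dump by chain, keeping order."""
    chains: Dict[str, List[str]] = {}
    for line in dump.splitlines():
        line = line.strip()
        m = re.match(r"-A (\S+) (.+)", line)
        if m:
            chains.setdefault(m.group(1), []).append(m.group(2))
        elif line.startswith(("-P ", "-N ")):
            chains.setdefault(line.split()[1], [])
    return chains


def first_index(rules: List[str], *needles: str) -> int:
    """Position of the first rule containing every needle, or -1 if absent."""
    for i, rule in enumerate(rules):
        if all(n in rule for n in needles):
            return i
    return -1


def check_rule_order(dump: str, pool: str = POOL) -> List[str]:
    """Return problems found; an empty list means the rules match the answer's layout."""
    chains = parse_rules(dump)
    problems: List[str] = []
    # filter/FORWARD: the pool must be accepted before OpenWrt's own chain (assumed
    # name 'delegate_forward'), which ends in the zone reject rules.
    fwd = chains.get("FORWARD", [])
    accept = first_index(fwd, f"-s {pool}", "-j ACCEPT")
    handoff = first_index(fwd, "-j delegate_forward")
    if accept < 0:
        problems.append("FORWARD: no ACCEPT for the VPN pool")
    elif 0 <= handoff < accept:
        problems.append("FORWARD: pool ACCEPT sits after the delegate_forward handoff")
    # nat/POSTROUTING: the policy-match ACCEPT must come first (replies going back
    # into the tunnel must keep their address), then the pool MASQUERADE, and both
    # must precede delegate_postrouting, whose wan zone masquerades everything
    # leaving eth1, including tunnel traffic that has not been encapsulated yet.
    post = chains.get("POSTROUTING", [])
    no_nat = first_index(post, f"-s {pool}", "--pol ipsec", "-j ACCEPT")
    masq = first_index(post, f"-s {pool}", "-j MASQUERADE")
    handoff = first_index(post, "-j delegate_postrouting")
    if no_nat < 0:
        problems.append("POSTROUTING: no policy-match ACCEPT for traffic entering the tunnel")
    if masq < 0:
        problems.append("POSTROUTING: no MASQUERADE for the VPN pool")
    if 0 <= masq < no_nat:
        problems.append("POSTROUTING: MASQUERADE precedes the policy-match ACCEPT")
    if handoff >= 0 and max(no_nat, masq) > handoff:
        problems.append("POSTROUTING: VPN rules sit after the delegate_postrouting handoff")
    return problems


# Constructed samples joining `iptables -S FORWARD` and `iptables -t nat -S POSTROUTING`.
# APPENDED is what -A leaves behind once OpenWrt's firewall has loaded; INSERTED is
# the result of running the answer's three -I commands in the order given.
APPENDED = """\
-P FORWARD DROP
-A FORWARD -j delegate_forward
-A FORWARD -s 10.0.0.0/24 -j ACCEPT
-A POSTROUTING -j delegate_postrouting
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
"""
INSERTED = """\
-P FORWARD DROP
-A FORWARD -s 10.0.0.0/24 -j ACCEPT
-A FORWARD -j delegate_forward
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
-A POSTROUTING -j delegate_postrouting
"""

if __name__ == "__main__":
    for name, dump in (("appended", APPENDED), ("inserted", INSERTED)):
        print(name, check_rule_order(dump) or "ok")
```

On a live router, feed it the concatenation of `iptables -S FORWARD` and `iptables -t nat -S POSTROUTING` instead of the constructed samples.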
