I have run into a rather odd problem: hosts on the Internet cannot be reached through my strongSwan IPsec VPN. I can connect to the VPN fine and reach hosts on the local network. I have also set up the IP forwarding rules described on the strongSwan wiki. Any ideas why this isn't working? Thanks.
System information
OS: OpenWRT CHAOS CALMER (15.05-rc3, r46163)
strongSwan version: Linux strongSwan U5.3.2/K3.18.17
Network interfaces
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 532
link/ether 94:10:3e:9c:bb:c3 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 532
link/ether 96:10:3e:9c:bb:c3 brd ff:ff:ff:ff:ff:ff
inet [my ip address] brd [my ip address] scope global eth1
valid_lft forever preferred_lft forever
inet6 [my ipv6 address] scope link
valid_lft forever preferred_lft forever
6: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 94:10:3e:9c:bb:c3 brd ff:ff:ff:ff:ff:ff
inet 192.168.200.1/24 brd 192.168.200.255 scope global br-lan
valid_lft forever preferred_lft forever
inet6 fd1f:2465:879c::1/60 scope global noprefixroute
valid_lft forever preferred_lft forever
inet6 fe80::9610:3eff:fe9c:bbc3/64 scope link
valid_lft forever preferred_lft forever
7: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
link/ether 00:25:9c:13:94:8f brd ff:ff:ff:ff:ff:ff
inet6 fe80::225:9cff:fe13:948f/64 scope link
valid_lft forever preferred_lft forever
8: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br-lan state UP group default qlen 1000
link/ether 00:25:9c:13:94:90 brd ff:ff:ff:ff:ff:ff
inet6 fe80::225:9cff:fe13:9490/64 scope link
valid_lft forever preferred_lft forever
ipsec config file
config setup
charondebug="cfg 2, dmn 2, ike 2, net 4"
conn %default
keyexchange=ikev2
ike=aes256-sha1-modp2048!
esp=aes256-sha1!
dpdaction=clear
dpddelay=300s
dpdtimeout = 5s
rekey=no
conn ios
left=%any
leftsubnet=0.0.0.0/0,::/0
leftauth=pubkey
leftcert=serverCert.pem
leftid=[my dns]
leftsendcert=always
leftfirewall=yes
right=%any
compress=no
rightsourceip=10.0.0.0/24
rightsubnet=10.0.0.0/24
rightdns=8.8.8.8,8.8.4.4
rightauth=eap-mschapv2
rightsendcert=never
eap_identity=%any
forceencaps=yes
auto=add
strongswan.conf
charon {
dns1 = 192.168.200.1
threads = 16
plugins {
dhcp {
server = 192.168.200.1
load = yes
identity_lease = yes
}
}
}
libstrongswan {
# set to no, the DH exponent size is optimized
# dh_exponent_ansi_x9_42 = no
}
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
delegate_prerouting all -- anywhere anywhere
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 10.0.0.0/24 anywhere policy match dir out pol ipsec
MASQUERADE all -- 10.0.0.0/24 anywhere
SNAT !esp -- anywhere anywhere to:[my ip address]
SNAT !esp -- anywhere anywhere to:[my ip address]
delegate_postrouting all -- anywhere anywhere
Chain delegate_postrouting (1 references)
target prot opt source destination
postrouting_rule all -- anywhere anywhere /* user chain for postrouting */
zone_lan_postrouting all -- anywhere anywhere
zone_wan_postrouting all -- anywhere anywhere
Chain delegate_prerouting (1 references)
target prot opt source destination
prerouting_rule all -- anywhere anywhere /* user chain for prerouting */
zone_lan_prerouting all -- anywhere anywhere
zone_wan_prerouting all -- anywhere anywhere
Chain postrouting_lan_rule (1 references)
target prot opt source destination
Chain postrouting_rule (1 references)
target prot opt source destination
Chain postrouting_wan_rule (1 references)
target prot opt source destination
Chain prerouting_lan_rule (1 references)
target prot opt source destination
Chain prerouting_rule (1 references)
target prot opt source destination
Chain prerouting_wan_rule (1 references)
target prot opt source destination
Chain zone_lan_postrouting (1 references)
target prot opt source destination
postrouting_lan_rule all -- anywhere anywhere /* user chain for postrouting */
SNAT tcp -- 192.168.200.0/24 DYLAN-PC.lan tcp dpt:20545 /* PA (reflection) */ to:192.168.200.1
SNAT udp -- 192.168.200.0/24 DYLAN-PC.lan udp dpt:20545 /* PA (reflection) */ to:192.168.200.1
Chain zone_lan_prerouting (1 references)
target prot opt source destination
prerouting_lan_rule all -- anywhere anywhere /* user chain for prerouting */
Chain zone_wan_postrouting (1 references)
target prot opt source destination
postrouting_wan_rule all -- anywhere anywhere /* user chain for postrouting */
MASQUERADE all -- anywhere anywhere
Chain zone_wan_prerouting (1 references)
target prot opt source destination
prerouting_wan_rule all -- anywhere anywhere /* user chain for prerouting */
ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.2, Linux 3.18.17, armv7l):
uptime: 38 minutes, since Oct 25 15:41:56 2015
malloc: sbrk 249856, mmap 0, used 235568, free 14288
worker threads: 5 of 16 idle, 7/0/4/0 working, job queue: 0/0/0/0, scheduled: 1
loaded plugins: charon test-vectors ldap pkcs11 aes des blowfish sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pgp dnskey pem openssl gcrypt af-alg fips-prf gmp agent xcbc cmac hmac ctr ccm gcm curl mysql sqlite attr kernel-libipsec kernel-netlink resolve socket-default farp stroke smp updown eap-identity eap-md5 eap-mschapv2 eap-radius xauth-generic xauth-eap dhcp whitelist led duplicheck uci addrblock unity
Virtual IP pools (size/online/offline):
10.0.0.0/24: 254/1/0
Listening IP addresses:
[my ip]
192.168.200.1
fd1f:2465:879c::1
Connections:
ios: %any...%any IKEv2, dpddelay=300s
ios: local: [my dns] uses public key authentication
ios: cert: "C=[private], O=[private], CN=[private]"
ios: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ios: child: 0.0.0.0/0 ::/0 === 10.0.0.0/24 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
ios[1]: ESTABLISHED 38 minutes ago, [my ip][my dns]...192.168.200.82[192.168.200.82]
ios[1]: Remote EAP identity: Root
ios[1]: IKEv2 SPIs: b37f832ebfca2f94_i 880899839db79676_r*, rekeying disabled
ios[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
ios{3}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: 84263131_i 0e3cbe75_o
ios{3}: AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying disabled
ios{3}: 0.0.0.0/0 ::..ff:ff:ff:ff:ff:ff:ff:ff === 10.0.0.0/24
tcpdump while connecting to a host on the local network (works)
16:33:22.704782 IP (tos 0x0, ttl 64, id 9350, offset 0, flags [DF], proto TCP (6), length 64)
192.168.200.82.57850 > 192.168.200.1.8080: Flags [S], cksum 0x7799 (correct), seq 3750784734, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 966927395 ecr 0,sackOK,eol], length 0
16:33:22.704961 IP (tos 0x0, ttl 64, id 58779, offset 0, flags [none], proto UDP (17), length 144)
192.168.200.82.4500 > 74.83.103.140.4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x59), length 116
16:33:22.705029 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.200.1.8080 > 192.168.200.82.57850: Flags [S.], cksum 0x11d4 (incorrect -> 0x5b64), seq 2721465844, ack 3750784735, win 28960, options [mss 1460,sackOK,TS val 131648516 ecr 966927395,nop,wscale 5], length 0
16:33:22.708762 IP (tos 0x0, ttl 64, id 43704, offset 0, flags [DF], proto UDP (17), length 112)
74.83.103.140.4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0xef58!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x59), length 84
16:33:22.711473 IP (tos 0x0, ttl 64, id 9046, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.82.57850 > 192.168.200.1.8080: Flags [.], cksum 0xdaf0 (correct), seq 1, ack 1, win 8235, options [nop,nop,TS val 966927446 ecr 131648516], length 0
16:33:22.722786 IP (tos 0x0, ttl 64, id 59126, offset 0, flags [DF], proto TCP (6), length 414)
192.168.200.82.57850 > 192.168.200.1.8080: Flags [P.], cksum 0x24b0 (correct), seq 1:363, ack 1, win 8235, options [nop,nop,TS val 966927458 ecr 131648516], length 362
16:33:22.722948 IP (tos 0x0, ttl 64, id 35312, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.1.8080 > 192.168.200.82.57850: Flags [.], cksum 0x11cc (incorrect -> 0xf5f8), seq 1, ack 363, win 939, options [nop,nop,TS val 131648518 ecr 966927458], length 0
16:33:22.723414 IP (tos 0x0, ttl 64, id 35313, offset 0, flags [DF], proto TCP (6), length 88)
192.168.200.1.8080 > 192.168.200.82.57850: Flags [P.], cksum 0x11f0 (incorrect -> 0x0f90), seq 1:37, ack 363, win 939, options [nop,nop,TS val 131648518 ecr 966927458], length 36
16:33:22.724154 IP (tos 0x0, ttl 64, id 35314, offset 0, flags [DF], proto TCP (6), length 628)
192.168.200.1.8080 > 192.168.200.82.57850: Flags [FP.], cksum 0x140c (incorrect -> 0x64be), seq 37:613, ack 363, win 939, options [nop,nop,TS val 131648518 ecr 966927458], length 576
16:33:22.729373 IP (tos 0x0, ttl 64, id 55781, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.82.57850 > 192.168.200.1.8080: Flags [.], cksum 0xd950 (correct), seq 363, ack 37, win 8233, options [nop,nop,TS val 966927464 ecr 131648518], length 0
16:33:22.730312 IP (tos 0x0, ttl 64, id 38684, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.82.57850 > 192.168.200.1.8080: Flags [.], cksum 0xd732 (correct), seq 363, ack 614, win 8197, options [nop,nop,TS val 966927465 ecr 131648518], length 0
16:33:22.740388 IP (tos 0x0, ttl 64, id 63789, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.82.57850 > 192.168.200.1.8080: Flags [F.], cksum 0xd729 (correct), seq 363, ack 614, win 8197, options [nop,nop,TS val 966927473 ecr 131648518], length 0
16:33:22.740557 IP (tos 0x0, ttl 64, id 61626, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.1.8080 > 192.168.200.82.57850: Flags [.], cksum 0xf381 (correct), seq 614, ack 364, win 939, options [nop,nop,TS val 131648520 ecr 966927473], length 0
16:33:22.986586 IP (tos 0x0, ttl 64, id 31291, offset 0, flags [DF], proto TCP (6), length 64)
192.168.200.82.57851 > 192.168.200.1.8080: Flags [S], cksum 0x7412 (correct), seq 2027804630, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 966927716 ecr 0,sackOK,eol], length 0
16:33:22.986790 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
192.168.200.1.8080 > 192.168.200.82.57851: Flags [S.], cksum 0x11d4 (incorrect -> 0x1b05), seq 2123277911, ack 2027804631, win 28960, options [mss 1460,sackOK,TS val 131648545 ecr 966927716,nop,wscale 5], length 0
16:33:22.990076 IP (tos 0x0, ttl 64, id 34081, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.82.57851 > 192.168.200.1.8080: Flags [.], cksum 0x9ac1 (correct), seq 1, ack 1, win 8235, options [nop,nop,TS val 966927719 ecr 131648545], length 0
16:33:22.999404 IP (tos 0x0, ttl 64, id 17707, offset 0, flags [DF], proto TCP (6), length 437)
192.168.200.82.57851 > 192.168.200.1.8080: Flags [P.], cksum 0xb033 (correct), seq 1:386, ack 1, win 8235, options [nop,nop,TS val 966927726 ecr 131648545], length 385
16:33:22.999569 IP (tos 0x0, ttl 64, id 27257, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.1.8080 > 192.168.200.82.57851: Flags [.], cksum 0x11cc (incorrect -> 0xb5b8), seq 1, ack 386, win 939, options [nop,nop,TS val 131648546 ecr 966927726], length 0
16:33:23.124190 IP (tos 0x0, ttl 64, id 27258, offset 0, flags [DF], proto TCP (6), length 123)
192.168.200.1.8080 > 192.168.200.82.57851: Flags [P.], cksum 0x1213 (incorrect -> 0x08f6), seq 1:72, ack 386, win 939, options [nop,nop,TS val 131648558 ecr 966927726], length 71
16:33:23.124731 IP (tos 0x0, ttl 64, id 27259, offset 0, flags [DF], proto TCP (6), length 1500)
192.168.200.1.8080 > 192.168.200.82.57851: Flags [.], cksum 0x1774 (incorrect -> 0xf158), seq 72:1520, ack 386, win 939, options [nop,nop,TS val 131648558 ecr 966927726], length 1448
16:33:23.131681 IP (tos 0x0, ttl 64, id 27260, offset 0, flags [DF], proto TCP (6), length 785)
192.168.200.1.8080 > 192.168.200.82.57851: Flags [FP.], cksum 0x14a9 (incorrect -> 0x1c75), seq 1520:2253, ack 386, win 939, options [nop,nop,TS val 131648559 ecr 966927726], length 733
16:33:23.136792 IP (tos 0x0, ttl 64, id 27261, offset 0, flags [DF], proto TCP (6), length 785)
192.168.200.1.8080 > 192.168.200.82.57851: Flags [FP.], cksum 0x14a9 (incorrect -> 0x1c74), seq 1520:2253, ack 386, win 939, options [nop,nop,TS val 131648560 ecr 966927726], length 733
16:33:23.212452 IP (tos 0x0, ttl 64, id 34568, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.82.57851 > 192.168.200.1.8080: Flags [.], cksum 0x9814 (correct), seq 386, ack 72, win 8231, options [nop,nop,TS val 966927939 ecr 131648558], length 0
16:33:23.213419 IP (tos 0x0, ttl 64, id 20648, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.82.57851 > 192.168.200.1.8080: Flags [.], cksum 0x9017 (correct), seq 386, ack 2254, win 8094, options [nop,nop,TS val 966927939 ecr 131648558], length 0
16:33:23.213541 IP (tos 0x0, ttl 64, id 48495, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.82.57851 > 192.168.200.1.8080: Flags [.], cksum 0x9017 (correct), seq 386, ack 2254, win 8094, options [nop,nop,TS val 966927939 ecr 131648558], length 0
16:33:23.216709 IP (tos 0x0, ttl 64, id 63818, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.82.57851 > 192.168.200.1.8080: Flags [F.], cksum 0x8fb1 (correct), seq 386, ack 2254, win 8192, options [nop,nop,TS val 966927942 ecr 131648558], length 0
16:33:23.216874 IP (tos 0x0, ttl 64, id 61632, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.1.8080 > 192.168.200.82.57851: Flags [.], cksum 0xabfc (correct), seq 2254, ack 387, win 939, options [nop,nop,TS val 131648568 ecr 966927942], length 0
16:33:27.787312 IP (tos 0x0, ttl 64, id 42412, offset 0, flags [DF], proto TCP (6), length 158)
192.168.200.82.55840 > 17.143.161.82.443: Flags [P.], cksum 0xebb8 (correct), seq 3594655287:3594655393, ack 269384561, win 8192, options [nop,nop,TS val 966932505 ecr 2381341221], length 106
16:33:27.875048 IP (tos 0x0, ttl 53, id 10846, offset 0, flags [DF], proto TCP (6), length 126)
17.143.161.82.443 > 192.168.200.82.55840: Flags [P.], cksum 0x76fe (correct), seq 1:75, ack 106, win 243, options [nop,nop,TS val 2381441728 ecr 966932505], length 74
16:33:27.880223 IP (tos 0x0, ttl 64, id 61435, offset 0, flags [DF], proto TCP (6), length 52)
192.168.200.82.55840 > 17.143.161.82.443: Flags [.], cksum 0xdb8d (correct), seq 106, ack 75, win 8187, options [nop,nop,TS val 966932602 ecr 2381441728], length 0
tcpdump while connecting to a host on the Internet (does not work)
16:32:41.024822 IP (tos 0x0, ttl 64, id 65271, offset 0, flags [none], proto UDP (17), length 60)
192.168.200.82.63600 > 192.168.200.1.53: [udp sum ok] 54389+ A? www.google.com. (32)
16:32:41.043780 IP (tos 0x0, ttl 64, id 39217, offset 0, flags [DF], proto UDP (17), length 316)
192.168.200.1.53 > 192.168.200.82.63600: [bad udp cksum 0x12df -> 0xe3ba!] 54389 q: A? www.google.com. 16/0/0 www.google.com. A 216.68.10.91, www.google.com. A 216.68.10.102, www.google.com. A 216.68.10.80, www.google.com. A 216.68.10.113, www.google.com. A 216.68.10.95, www.google.com. A 216.68.10.84, www.google.com. A 216.68.10.88, www.google.com. A 216.68.10.101, www.google.com. A 216.68.10.117, www.google.com. A 216.68.10.123, www.google.com. A 216.68.10.121, www.google.com. A 216.68.10.112, www.google.com. A 216.68.10.106, www.google.com. A 216.68.10.90, www.google.com. A 216.68.10.99, www.google.com. A 216.68.10.110 (288)
16:32:41.057546 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.200.1 tell 192.168.200.82, length 28
16:32:41.057624 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.200.1 is-at 94:10:3e:9c:bb:c3, length 28
16:32:41.062178 IP (tos 0x0, ttl 64, id 53004, offset 0, flags [none], proto UDP (17), length 144)
192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x15), length 116
16:32:41.065188 IP (tos 0x0, ttl 64, id 40726, offset 0, flags [DF], proto UDP (17), length 112)
[personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0xdf58!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x15), length 84
16:32:41.074054 IP (tos 0x0, ttl 64, id 48563, offset 0, flags [none], proto UDP (17), length 144)
192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x16), length 116
16:32:41.078424 IP (tos 0x0, ttl 64, id 40727, offset 0, flags [DF], proto UDP (17), length 112)
[personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x28bf!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x16), length 84
16:32:41.088822 IP (tos 0x0, ttl 64, id 42083, offset 0, flags [none], proto UDP (17), length 144)
192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x17), length 116
16:32:41.093839 IP (tos 0x0, ttl 64, id 40728, offset 0, flags [DF], proto UDP (17), length 112)
[personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0xfa2c!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x17), length 84
16:32:41.102155 IP (tos 0x0, ttl 64, id 32839, offset 0, flags [none], proto UDP (17), length 144)
192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x18), length 116
16:32:41.107066 IP (tos 0x0, ttl 64, id 40730, offset 0, flags [DF], proto UDP (17), length 112)
[personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x4d81!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x18), length 84
16:32:41.111799 IP (tos 0x0, ttl 64, id 37483, offset 0, flags [none], proto UDP (17), length 144)
192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x19), length 116
16:32:41.117356 IP (tos 0x0, ttl 64, id 40731, offset 0, flags [DF], proto UDP (17), length 112)
[personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0xec74!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x19), length 84
16:32:41.124423 IP (tos 0x0, ttl 64, id 52967, offset 0, flags [none], proto UDP (17), length 144)
192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x1a), length 116
16:32:41.129381 IP (tos 0x0, ttl 64, id 40732, offset 0, flags [DF], proto UDP (17), length 112)
[personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0xddb3!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x1a), length 84
16:32:41.135395 IP (tos 0x0, ttl 64, id 11173, offset 0, flags [none], proto UDP (17), length 144)
192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x1b), length 116
16:32:41.140413 IP (tos 0x0, ttl 64, id 40733, offset 0, flags [DF], proto UDP (17), length 112)
[personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x5e3a!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x1b), length 84
16:32:41.148676 IP (tos 0x0, ttl 64, id 21386, offset 0, flags [none], proto UDP (17), length 144)
192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x1c), length 116
16:32:41.153463 IP (tos 0x0, ttl 64, id 40734, offset 0, flags [DF], proto UDP (17), length 112)
[personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x3ad8!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x1c), length 84
16:32:41.160587 IP (tos 0x0, ttl 64, id 2472, offset 0, flags [none], proto UDP (17), length 144)
192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x1d), length 116
16:32:41.165318 IP (tos 0x0, ttl 64, id 40735, offset 0, flags [DF], proto UDP (17), length 112)
[personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x4e4f!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x1d), length 84
16:32:41.174659 IP (tos 0x0, ttl 64, id 861, offset 0, flags [none], proto UDP (17), length 144)
192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x1e), length 116
16:32:41.180427 IP (tos 0x0, ttl 64, id 40737, offset 0, flags [DF], proto UDP (17), length 112)
[personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x7622!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x1e), length 84
16:32:41.186044 IP (tos 0x0, ttl 64, id 63379, offset 0, flags [none], proto UDP (17), length 144)
192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x1f), length 116
16:32:41.191767 IP (tos 0x0, ttl 64, id 40738, offset 0, flags [DF], proto UDP (17), length 112)
[personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x35e1!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x1f), length 84
16:32:41.198961 IP (tos 0x0, ttl 64, id 51861, offset 0, flags [none], proto UDP (17), length 144)
192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x20), length 116
16:32:41.204298 IP (tos 0x0, ttl 64, id 40739, offset 0, flags [DF], proto UDP (17), length 112)
[personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x8037!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x20), length 84
16:32:41.214102 IP (tos 0x0, ttl 64, id 41375, offset 0, flags [none], proto UDP (17), length 144)
192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x21), length 116
16:32:41.218514 IP (tos 0x0, ttl 64, id 40740, offset 0, flags [DF], proto UDP (17), length 112)
[personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0xcde4!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x21), length 84
16:32:41.225920 IP (tos 0x0, ttl 64, id 30968, offset 0, flags [none], proto UDP (17), length 144)
192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x22), length 116
16:32:41.229989 IP (tos 0x0, ttl 64, id 40741, offset 0, flags [DF], proto UDP (17), length 112)
[personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x752f!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x22), length 84
16:32:41.236197 IP (tos 0x0, ttl 64, id 11505, offset 0, flags [none], proto UDP (17), length 144)
192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x23), length 116
16:32:41.241163 IP (tos 0x0, ttl 64, id 40742, offset 0, flags [DF], proto UDP (17), length 112)
[personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0xe347!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x23), length 84
16:32:41.249454 IP (tos 0x0, ttl 64, id 61849, offset 0, flags [none], proto UDP (17), length 144)
192.168.200.82.4500 > [personal ip address].4500: [no cksum] UDP-encap: ESP(spi=0xbe4c77e6,seq=0x24), length 116
16:32:41.254248 IP (tos 0x0, ttl 64, id 40743, offset 0, flags [DF], proto UDP (17), length 112)
[personal ip address].4500 > 192.168.200.82.4500: [bad udp cksum 0x3b48 -> 0x5732!] UDP-encap: ESP(spi=0x06ecfd03,seq=0x24), length 84
Answer 1
This is an iptables NAT rule ordering problem.
Add these with the -I flag instead of -A:
iptables -I FORWARD -s 10.0.0.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
iptables -t nat -I POSTROUTING -s 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
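An added example, not part of the question or of the answer above: a POSIX shell check for the ordering the answer relies on. It reads iptables-save text and verifies that the FORWARD ACCEPT and the two nat POSTROUTING rules sit ahead of the fw3 delegate_forward / delegate_postrouting jumps that OpenWrt's firewall installs (which is where -I places them), and that the IPsec policy-match ACCEPT comes before the MASQUERADE, as in the strongSwan wiki rules the question refers to. The pool 10.0.0.0/24 and WAN interface eth1 are taken from the page; the two iptables-save excerpts are constructed for the demo, not captured from the router.

```sh
#!/bin/sh
# Added example, not code from the question or the answer. It checks that the
# three strongSwan rules sit where "iptables -I" puts them: ahead of OpenWrt's
# fw3 "delegate_*" chains, with the IPsec policy-match ACCEPT ahead of the
# MASQUERADE. Input is "iptables-save" text. POOL and WAN are assumed from the
# page (rightsourceip=10.0.0.0/24, WAN interface eth1).

POOL="10.0.0.0/24"
WAN="eth1"

# rule_pos TABLE CHAIN PATTERN: 1-based position of the first rule in CHAIN of
# TABLE whose text contains PATTERN, 0 if absent. Reads iptables-save on stdin.
rule_pos() {
    awk -v t="*$1" -v c="-A $2 " -v p="$3" '
        $0 == t                   { in_t = 1; next }   # enter the wanted table
        /^\*/                     { in_t = 0 }         # any other table
        in_t && index($0, c) == 1 { n++; if (!found && index($0, p)) found = n }
        END                       { print found + 0 }'
}

# check_order RULES: returns 0 if the ordering is right, 1 (with reasons) if not.
check_order() {
    rules="$1"
    acc=$(printf '%s\n' "$rules"   | rule_pos nat POSTROUTING "-s $POOL -o $WAN -m policy --dir out --pol ipsec -j ACCEPT")
    masq=$(printf '%s\n' "$rules"  | rule_pos nat POSTROUTING "-s $POOL -o $WAN -j MASQUERADE")
    dpost=$(printf '%s\n' "$rules" | rule_pos nat POSTROUTING "-j delegate_postrouting")
    fwd=$(printf '%s\n' "$rules"   | rule_pos filter FORWARD "-s $POOL -j ACCEPT")
    dfwd=$(printf '%s\n' "$rules"  | rule_pos filter FORWARD "-j delegate_forward")
    # No fw3 chain in that table means there is nothing to get ahead of.
    [ "$dpost" -eq 0 ] && dpost=99999
    [ "$dfwd" -eq 0 ] && dfwd=99999
    status=0
    if [ "$fwd" -eq 0 ] || [ "$fwd" -gt "$dfwd" ]; then
        echo "FORWARD: ACCEPT for $POOL is missing or sits behind delegate_forward"
        status=1
    fi
    if [ "$acc" -eq 0 ] || [ "$masq" -eq 0 ]; then
        echo "nat POSTROUTING: policy ACCEPT or MASQUERADE for $POOL is missing"
        status=1
    elif [ "$acc" -gt "$masq" ]; then
        echo "nat POSTROUTING: MASQUERADE precedes the ipsec policy ACCEPT, so tunnel-bound traffic is source-NATed before encapsulation"
        status=1
    elif [ "$masq" -gt "$dpost" ]; then
        echo "nat POSTROUTING: VPN rules sit behind delegate_postrouting"
        status=1
    fi
    return $status
}

# Constructed iptables-save excerpts (not captured from the page's router).
# GOOD is what the answer's three "-I" commands leave behind: the last rule
# inserted ends up on top, fw3's delegate chains below. BAD is the same three
# commands run with "-A": they land after the delegate chains, reversed.
GOOD='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 10.0.0.0/24 -j ACCEPT
-A FORWARD -j delegate_forward
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
-A POSTROUTING -j delegate_postrouting
COMMIT'
BAD='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -j delegate_forward
-A FORWARD -s 10.0.0.0/24 -j ACCEPT
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -j delegate_postrouting
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
COMMIT'

# Live use on the router after sourcing this file:  check_order "$(iptables-save)"
# Here the two constructed samples are checked instead.
check_order "$GOOD" && echo "GOOD sample: ordering correct"
check_order "$BAD"  || echo "BAD sample: ordering wrong (see reasons above)"
```

Two things worth keeping in mind when applying the answer. First, because each -I pushes its rule to the top, the commands must be typed in the order the answer gives them so that the policy-match ACCEPT ends up above the MASQUERADE; the check above flags the reversed order. Second, rules typed at the shell disappear on the next firewall reload; on OpenWrt they belong in /etc/firewall.user, which fw3 runs after it has built its own chains, so -I there lands the rules in the same place.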