过去几天,我一直尝试在 CentOS 机器上设置 libreswan VPN 客户端以连接到 libreswan VPN 服务器(也是 CentOS),但没有成功。
问题如下: - VPN 服务器已启动并正在运行,我可以从 Windows 计算机连接到它,一切正常 - Libreswan VPN 客户端与服务器进行身份验证,但之后什么都没有。客户端和服务器都没有正在运行的 VPN 接口,日志在 IPSEC 之后没有显示任何一方的活动。
我的最终目标是连接到一个配置过时、我无法控制的 VPN,所以我能做的就是配置一个 libreswan 客户端。我现在尝试连接的 VPN 服务器是我为测试客户端而设置的。
服务器和客户端都是CentOS 7 KVM,共享同一物理主机。
因为我怀疑问题出在客户端,所以我只会发布客户端的配置而不是服务器的配置,但如果需要的话我会发布所有内容。
客户端 ipsec.conf:
config setup
conn vpnpsk
authby=secret
pfs=no
auto=add
keyingtries=3
dpddelay=30
dpdtimeout=120
dpdaction=clear
rekey=yes
ikelifetime=8h
keylife=1h
type=transport
left=%defaultroute
leftprotoport=17/1701
right=<ServerIP>
rightprotoport=17/1701
rightid=<ServerIP>
客户端ipsec.secrets:
[root@localhost ~]# vim /etc/ipsec.secrets
%any <ServerIP> : PSK "SECRET"
客户端xl2tpd.conf:
[lac vpn-connection]
lns = <ServerIP>
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
/etc/ppp/options.l2tpd.client:
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
connect-delay 5000
name <user>
password <password>
当启动连接时这是输出:
[root@localhost ~]# ipsec auto --up vpnpsk
002 "vpnpsk" #1: initiating Main Mode
104 "vpnpsk" #1: STATE_MAIN_I1: initiate
003 "vpnpsk" #1: received Vendor ID payload [Dead Peer Detection]
003 "vpnpsk" #1: received Vendor ID payload [FRAGMENTATION]
003 "vpnpsk" #1: received Vendor ID payload [RFC 3947]
002 "vpnpsk" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "vpnpsk" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "vpnpsk" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "vpnpsk" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
002 "vpnpsk" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "vpnpsk" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "vpnpsk" #1: Main mode peer ID is ID_IPV4_ADDR: '<ServerIP>'
002 "vpnpsk" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
004 "vpnpsk" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
002 "vpnpsk" #1: Dead Peer Detection (RFC 3706): enabled
002 "vpnpsk" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:6305f4b0 proposal=defaults pfsgroup=no-pfs}
117 "vpnpsk" #2: STATE_QUICK_I1: initiate
002 "vpnpsk" #2: Dead Peer Detection (RFC 3706): enabled
002 "vpnpsk" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "vpnpsk" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP=>0xad2a86a6 <0xcf8adbd0 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=active}
此后没有更多输出。ip addr:
[root@localhost ~]# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens18: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether a6:6a:06:d0:03:80 brd ff:ff:ff:ff:ff:ff
inet <ClientIP>/24 brd <broadcast> scope global ens18
valid_lft forever preferred_lft forever
inet6 fe80::eb5b:83d6:e0aa:940e/64 scope link
valid_lft forever preferred_lft forever
3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN qlen 1
link/ipip 0.0.0.0 brd 0.0.0.0
在服务器端:
Mar 22 17:17:28 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: received and ignored empty informational notification payload
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: received Vendor ID payload [Dead Peer Detection]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: received Vendor ID payload [FRAGMENTATION]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: received Vendor ID payload [RFC 3947]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: packet from <ClientIP>:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: responding to Main Mode from unknown peer <ClientIP>
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: STATE_MAIN_R1: sent MR1, expecting MI2
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: no NAT detected
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: STATE_MAIN_R2: sent MR2, expecting MI3
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: Main mode peer ID is ID_IPV4_ADDR: '<ClientIP>'
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: Dead Peer Detection (RFC 3706): enabled
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #134: the peer proposed: <ServerIP>/32:17/1701 -> <ClientIP>/32:17/0
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: responding to Quick Mode proposal {msgid:6305f4b0}
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: us: <ServerIP><<ServerIP>>:17/1701
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: them: <ClientIP>:17/1701
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP=>0xcf8adbd0 <0xad2a86a6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=active}
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: Dead Peer Detection (RFC 3706): enabled
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Mar 22 17:17:32 localhost.localdomain pluto[9126]: "L2TP-PSK-noNAT"[22] <ClientIP> #135: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xcf8adbd0 <0xad2a86a6 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=active}
并且不再记录。
客户端iptables -L:
[root@localhost ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
ACCEPT tcp -- <ServerIP> anywhere
ACCEPT udp -- <ServerIP> anywhere
ACCEPT tcp -- 10.0.0.0/24 anywhere
ACCEPT udp -- 10.0.0.0/24 anywhere
ACCEPT tcp -- <other_peer> anywhere
ACCEPT udp -- <other_peer> anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
DROP all -- anywhere anywhere ctstate INVALID
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere <ServerIP>
ACCEPT udp -- anywhere <ServerIP>
ACCEPT tcp -- anywhere 10.0.0.0/24
ACCEPT udp -- anywhere 10.0.0.0/24
ACCEPT tcp -- anywhere <other_peer>
ACCEPT udp -- anywhere <other_peer>
10.0.0.0/24 是 VPN 网络。
感谢您阅读所有这些内容。
答案1
您可能在客户端的输入链中遗漏了 ESP 接受规则。另外,请将 L2TP 端口添加到规则列表中。
iptables -A INPUT -i eth0 -p esp -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m multiport --dports 1701,500,4500 -j ACCEPT
而且,如果我读得正确的话,您的 INPUT 链中在 ACCEPT 规则之前有一个 REJECT 规则 - 请删除它!