Strongswan 有连接但没有隧道


我正在使用 strongswan 作为 road warriors 的 vpn 服务器。我有两台机器运行该软件,一台在 raspbian 上,另一台在 CentOS 7 上。raspbian 机器运行良好,但 CentOS 机器运行不良。

CentOS 的问题似乎在于数据包没有通过隧道传输。

这是来自 tshark 的输出。

  88 6.655929830  67.22.27.75 → 10.202.121.120 ESP 146 ESP (SPI=0xc542d5c5)
   89 6.655929830  192.168.3.1 → 8.8.4.4      DNS 71 Standard query 0x26a6 A dealsea.com

67.22.27.75 是 road warrior 的 ip,192.168.3.1 是 strongswan 分配的虚拟 ip。

在 raspbian 的工作实例上,tshark 输出如下所示:

45 3.318470851 104.38.166.37 → 10.111.58.102 ESP 146 ESP (SPI=0xc7ca8886)
   46 3.318470851 10.202.122.1 → 8.8.4.4      DNS 67 Standard query 0x10af A psu.edu
   47 3.318656688 10.111.58.102 → 8.8.4.4      DNS 67 Standard query 0x10af A psu.edu

这里 104.38.166.37 是 road warrior 的 ip,10.202.122.1 是虚拟 ip,10.111.58.102 是 strongswan 服务器在其本地网络中的 ip。

两台机器使用相同的配置文件:

ipsec.conf 配置文件:

# ipsec.conf as posted for both servers (the question says the two hosts
# share this file). Comment lines below are review notes, not settings.
config setup
    # Maximum verbosity for every charon subsystem; fine while debugging
    # the tunnel problem, but noisy - reduce once the cause is found.
    charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2,  mgr 2"
    # Do not replace an existing IKE_SA when the same identity connects again.
    uniqueids=no
conn ikev2-vpn
     # Loaded at startup but only answers incoming requests; the server never initiates.
     auto=add
     compress=no
     type=tunnel
     keyexchange=ikev2
     fragmentation=yes
     # Always UDP-encapsulate ESP (udp/4500) even when no NAT is detected,
     # so udp/4500 is what carries the data traffic and must be open on INPUT.
     forceencaps=yes
     # The trailing '!' makes the proposal strict: peers offering other algorithms are refused.
     ike=aes256-sha256-modp2048!
     esp=aes256-sha256!
     # Dead peer detection every 300s; a dead client's SAs are simply closed.
     dpdaction=clear
     dpddelay=300s
     rekey=no
     left=%any
     leftid=@MYHOSTNAME
     # NOTE(review): /etc/strongswan/ipsec.d is the CentOS/RHEL packaging layout;
     # Debian-based raspbian normally uses /etc/ipsec.d, so the file is probably
     # not byte-identical on both hosts - worth confirming which file CentOS loads.
     leftcert=/etc/strongswan/ipsec.d/certs/vpn-server-cert.pem
     leftsendcert=always
     # Full tunnel: clients route everything here, so the server must forward
     # and NAT their traffic (FORWARD and POSTROUTING rules on the host).
     leftsubnet=0.0.0.0/0
     right=%any
     rightid=%any
     rightauth=eap-mschapv2
     # Virtual-IP pool for clients. NOTE(review): the raspbian capture shows a
     # client at 10.202.122.1 (inside this pool), but the CentOS capture shows
     # 192.168.3.1, which is not in 10.202.122.1/24 - so the CentOS daemon may be
     # running a different config or pool than the one posted here.
     rightsourceip=10.202.122.1/24
     rightdns=8.8.8.8,8.8.4.4
     rightsendcert=never
     eap_identity=%identity

strongswan.conf

# strongswan.conf: only the skeleton shipped by the package; the actual
# daemon settings come from the included strongswan.d/ fragments.
charon {
    # Plugin loading is driven by the per-plugin *.conf files below rather
    # than a fixed list, so a plugin disabled there silently changes behaviour.
    load_modular = yes
    plugins {
        include strongswan.d/charon/*.conf
    }
}

# Remaining global sections are pulled in from the fragment directory.
# NOTE(review): relative include paths resolve against this file's own
# directory, which is expected to differ between the two distributions.
include strongswan.d/*.conf

服务器上的 iptables-save 输出:

# Server-side ruleset (firewalld-generated chains). Review notes are the
# comment lines; iptables-restore ignores them.
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:09:50 2017
*nat
:PREROUTING ACCEPT [6817:1235375]
:INPUT ACCEPT [18:2342]
:OUTPUT ACCEPT [37384:3449660]
:POSTROUTING ACCEPT [1:42]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_drop - [0:0]
:POST_drop_allow - [0:0]
:POST_drop_deny - [0:0]
:POST_drop_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_drop - [0:0]
:PRE_drop_allow - [0:0]
:PRE_drop_deny - [0:0]
:PRE_drop_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o enp0s25 -j POST_drop
-A POSTROUTING_ZONES -j POST_drop
-A POST_drop -j POST_drop_log
-A POST_drop -j POST_drop_deny
-A POST_drop -j POST_drop_allow
# Masquerading is in place: forwarded client packets leaving enp0s25 should
# be rewritten to the server's own address. The raspbian capture shows that
# rewrite (third line, source 10.111.58.102); the CentOS capture has no such
# line, so packets are not reaching POSTROUTING at all (see the filter table).
-A POST_drop_allow ! -o lo -j MASQUERADE
-A PREROUTING_ZONES -i enp0s25 -j PRE_drop
-A PREROUTING_ZONES -j PRE_drop
-A PRE_drop -j PRE_drop_log
-A PRE_drop -j PRE_drop_deny
-A PRE_drop -j PRE_drop_allow
COMMIT
# Completed on Fri Oct  6 09:09:50 2017
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:09:50 2017
*mangle
:PREROUTING ACCEPT [119158:81622108]
:INPUT ACCEPT [119106:81612125]
# 51 packets did enter the forwarding path (mangle is traversed before filter).
:FORWARD ACCEPT [51:9630]
:OUTPUT ACCEPT [182387:35412441]
:POSTROUTING ACCEPT [188177:36690351]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_drop - [0:0]
:PRE_drop_allow - [0:0]
:PRE_drop_deny - [0:0]
:PRE_drop_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i enp0s25 -j PRE_drop
-A PREROUTING_ZONES -j PRE_drop
-A PRE_drop -j PRE_drop_log
-A PRE_drop -j PRE_drop_deny
-A PRE_drop -j PRE_drop_allow
COMMIT
# Completed on Fri Oct  6 09:09:50 2017
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:09:50 2017
*security
:INPUT ACCEPT [106545:79110205]
# The security table is traversed after filter: 0 forwarded packets here
# versus 51 in mangle FORWARD is consistent with filter dropping all of them.
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [182387:35412441]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Fri Oct  6 09:09:50 2017
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:09:50 2017
*raw
:PREROUTING ACCEPT [119158:81622108]
:OUTPUT ACCEPT [182387:35412441]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_drop - [0:0]
:PRE_drop_allow - [0:0]
:PRE_drop_deny - [0:0]
:PRE_drop_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i enp0s25 -j PRE_drop
-A PREROUTING_ZONES -j PRE_drop
-A PRE_drop -j PRE_drop_log
-A PRE_drop -j PRE_drop_deny
-A PRE_drop -j PRE_drop_allow
COMMIT
# Completed on Fri Oct  6 09:09:50 2017
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:09:50 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [182387:35412441]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_drop - [0:0]
:FWDI_drop_allow - [0:0]
:FWDI_drop_deny - [0:0]
:FWDI_drop_log - [0:0]
:FWDO_drop - [0:0]
:FWDO_drop_allow - [0:0]
:FWDO_drop_deny - [0:0]
:FWDO_drop_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_drop - [0:0]
:IN_drop_allow - [0:0]
:IN_drop_deny - [0:0]
:IN_drop_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
# Return traffic for already-forwarded flows is accepted here; only the first
# (NEW) packet of each client flow has to pass the zone chains below.
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
# Forwarded packets arriving on enp0s25 go to FWDI_drop. The decrypted tunnel
# packets presumably re-enter on enp0s25 as well, since no separate xfrm/VTI
# interface appears anywhere in this ruleset - worth confirming on the host.
-A FORWARD_IN_ZONES -i enp0s25 -j FWDI_drop
-A FORWARD_IN_ZONES -j FWDI_drop
-A FORWARD_OUT_ZONES -o enp0s25 -j FWDO_drop
-A FORWARD_OUT_ZONES -j FWDO_drop
-A FWDI_drop -j FWDI_drop_log
-A FWDI_drop -j FWDI_drop_deny
-A FWDI_drop -j FWDI_drop_allow
# FWDI_drop_allow has no rules, so every NEW forwarded packet from a client
# ends here. This is the likely reason the DNS query from 192.168.3.1 in the
# CentOS capture is never forwarded. Since firewalld owns these chains, the
# fix belongs in firewalld (for example a direct rule in FORWARD_direct
# accepting traffic from the client pool actually in use, <virtual-ip-pool>),
# not in a hand-edited copy of this dump.
-A FWDI_drop -j DROP
-A FWDO_drop -j FWDO_drop_log
-A FWDO_drop -j FWDO_drop_deny
-A FWDO_drop -j FWDO_drop_allow
-A FWDO_drop -j DROP
# Outbound side of forwarding is already permitted; only the inbound side is missing.
-A FWDO_drop_allow -m conntrack --ctstate NEW -j ACCEPT
-A INPUT_ZONES -i enp0s25 -j IN_drop
-A INPUT_ZONES -j IN_drop
-A IN_drop -j IN_drop_log
-A IN_drop -j IN_drop_deny
-A IN_drop -j IN_drop_allow
-A IN_drop -j DROP
# INPUT side: IKE (udp/500), NAT-T / UDP-encapsulated ESP (udp/4500, which
# forceencaps=yes makes the data path) and raw ESP/AH are all accepted, so
# negotiation and inbound ESP get through - consistent with the capture
# showing the ESP packet and its decrypted payload.
-A IN_drop_allow -p esp -m conntrack --ctstate NEW -j ACCEPT
-A IN_drop_allow -p ah -m conntrack --ctstate NEW -j ACCEPT
-A IN_drop_allow -p udp -m udp --dport 500 -m conntrack --ctstate NEW -j ACCEPT
-A IN_drop_allow -p udp -m udp --dport 4500 -m conntrack --ctstate NEW -j ACCEPT
# Exact duplicates of the two rules above; harmless.
-A IN_drop_allow -p udp -m udp --dport 500 -m conntrack --ctstate NEW -j ACCEPT
-A IN_drop_allow -p udp -m udp --dport 4500 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Fri Oct  6 09:09:50 2017

客户端上的 iptables-save 输出:

# Client-side ruleset (firewalld-generated chains). The client only initiates
# connections, so the empty IN_drop_allow is fine: replies to its IKE/ESP
# traffic match the RELATED,ESTABLISHED rule in INPUT. The FORWARD counters
# are all zero, so nothing here bears on the server-side forwarding problem.
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:15:58 2017
*nat
:PREROUTING ACCEPT [5730:255228]
:INPUT ACCEPT [166:9920]
:OUTPUT ACCEPT [134648:14023445]
:POSTROUTING ACCEPT [134648:14023445]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_drop - [0:0]
:POST_drop_allow - [0:0]
:POST_drop_deny - [0:0]
:POST_drop_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_drop - [0:0]
:PRE_drop_allow - [0:0]
:PRE_drop_deny - [0:0]
:PRE_drop_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -o wlp3s0 -j POST_drop
-A POSTROUTING_ZONES -j POST_drop
-A POST_drop -j POST_drop_log
-A POST_drop -j POST_drop_deny
-A POST_drop -j POST_drop_allow
-A PREROUTING_ZONES -i wlp3s0 -j PRE_drop
-A PREROUTING_ZONES -j PRE_drop
-A PRE_drop -j PRE_drop_log
-A PRE_drop -j PRE_drop_deny
-A PRE_drop -j PRE_drop_allow
COMMIT
# Completed on Fri Oct  6 09:15:58 2017
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:15:58 2017
*mangle
:PREROUTING ACCEPT [4053472:653310426]
:INPUT ACCEPT [4050417:653148889]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3972204:10494033871]
:POSTROUTING ACCEPT [3992350:10498514887]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_drop - [0:0]
:PRE_drop_allow - [0:0]
:PRE_drop_deny - [0:0]
:PRE_drop_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -i wlp3s0 -j PRE_drop
-A PREROUTING_ZONES -j PRE_drop
-A PRE_drop -j PRE_drop_log
-A PRE_drop -j PRE_drop_deny
-A PRE_drop -j PRE_drop_allow
COMMIT
# Completed on Fri Oct  6 09:15:58 2017
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:15:58 2017
*security
:INPUT ACCEPT [4027162:648560078]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3972204:10494033871]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Fri Oct  6 09:15:58 2017
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:15:58 2017
*raw
:PREROUTING ACCEPT [4053472:653310426]
:OUTPUT ACCEPT [3972204:10494033871]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_drop - [0:0]
:PRE_drop_allow - [0:0]
:PRE_drop_deny - [0:0]
:PRE_drop_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -i wlp3s0 -j PRE_drop
-A PREROUTING_ZONES -j PRE_drop
-A PRE_drop -j PRE_drop_log
-A PRE_drop -j PRE_drop_deny
-A PRE_drop -j PRE_drop_allow
COMMIT
# Completed on Fri Oct  6 09:15:58 2017
# Generated by iptables-save v1.4.21 on Fri Oct  6 09:15:58 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3972204:10494033871]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_drop - [0:0]
:FWDI_drop_allow - [0:0]
:FWDI_drop_deny - [0:0]
:FWDI_drop_log - [0:0]
:FWDO_drop - [0:0]
:FWDO_drop_allow - [0:0]
:FWDO_drop_deny - [0:0]
:FWDO_drop_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_drop - [0:0]
:IN_drop_allow - [0:0]
:IN_drop_deny - [0:0]
:IN_drop_log - [0:0]
:OUTPUT_direct - [0:0]
# Responses to the client's own outbound IKE/ESP packets are accepted here.
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -i wlp3s0 -j FWDI_drop
-A FORWARD_IN_ZONES -j FWDI_drop
-A FORWARD_OUT_ZONES -o wlp3s0 -j FWDO_drop
-A FORWARD_OUT_ZONES -j FWDO_drop
-A FWDI_drop -j FWDI_drop_log
-A FWDI_drop -j FWDI_drop_deny
-A FWDI_drop -j FWDI_drop_allow
-A FWDI_drop -j DROP
-A FWDO_drop -j FWDO_drop_log
-A FWDO_drop -j FWDO_drop_deny
-A FWDO_drop -j FWDO_drop_allow
-A FWDO_drop -j DROP
-A INPUT_ZONES -i wlp3s0 -j IN_drop
-A INPUT_ZONES -j IN_drop
-A IN_drop -j IN_drop_log
-A IN_drop -j IN_drop_deny
-A IN_drop -j IN_drop_allow
# No inbound services are opened on the client (IN_drop_allow is empty), which
# is the expected posture for a road-warrior endpoint.
-A IN_drop -j DROP
COMMIT
# Completed on Fri Oct  6 09:15:58 2017

我怎样才能使 CentOS 实例工作?
