Strongswan site-to-site VPN is up but no traffic passes

I have seen this kind of problem several times before, but so far none of the solutions has fixed my problem.

I am trying to set up an IKEv2 VPN with Strongswan on a VM in GCP. The connection appears to be set up correctly, but no packets are routed and I cannot ping the IP address of the VPN client.

My server's internal network is 10.164.0.0/20

ipsec statusall

root@vpn-gateway-vodafone:/home/alxtbk# ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-8-amd64, x86_64):
  uptime: 4 minutes, since Mar 22 14:22:20 2019
  malloc: sbrk 1478656, mmap 0, used 418352, free 1060304
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
  10.164.0.17
Connections:
      myconn:  %any...85.205.30.142  IKEv2, dpddelay=30s
      myconn:   local:  [35.204.88.19] uses pre-shared key authentication
      myconn:   remote: [85.205.30.142] uses pre-shared key authentication
      myconn:   child:  10.164.0.0/20 === 10.2.0.0/20 TUNNEL, dpdaction=hold
Routed Connections:
      myconn{1}:  ROUTED, TUNNEL, reqid 1
      myconn{1}:   10.164.0.0/20 === 10.2.0.0/20
Security Associations (1 up, 0 connecting):
      myconn[1]: ESTABLISHED 4 minutes ago, 10.164.0.17[35.204.88.19]...85.205.30.142[85.205.30.142]
      myconn[1]: IKEv2 SPIs: 9bbb1dde62c00c0c_i* 8fb78440b271f60b_r, pre-shared key reauthentication in 2 hours
      myconn[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
      myconn{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2c9e607_i 5650382b_o
      myconn{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 252 bytes_o (3 pkts, 239s ago), rekeying in 44 minutes
      myconn{2}:   10.164.0.0/20 === 10.2.0.0/20

/var/log/syslog

Mar 22 13:59:52 vpn-gateway-vodafone ipsec[527]: charon stopped after 200 ms
Mar 22 13:59:52 vpn-gateway-vodafone ipsec[527]: ipsec starter stopped
Mar 22 13:59:54 vpn-gateway-vodafone charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.1, Linux 4.9.0-8-amd64, x86_64)
Mar 22 13:59:54 vpn-gateway-vodafone charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 22 13:59:54 vpn-gateway-vodafone charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 22 13:59:54 vpn-gateway-vodafone charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 22 13:59:54 vpn-gateway-vodafone charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 22 13:59:54 vpn-gateway-vodafone charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 22 13:59:54 vpn-gateway-vodafone charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 22 13:59:54 vpn-gateway-vodafone charon: 00[CFG]   loaded IKE secret for %any
Mar 22 13:59:54 vpn-gateway-vodafone charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Mar 22 13:59:54 vpn-gateway-vodafone charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 22 13:59:54 vpn-gateway-vodafone charon: 00[JOB] spawning 16 worker threads
Mar 22 13:59:54 vpn-gateway-vodafone charon: 05[CFG] received stroke: add connection 'myconn'
Mar 22 13:59:54 vpn-gateway-vodafone charon: 05[CFG] added configuration 'myconn'
Mar 22 13:59:54 vpn-gateway-vodafone charon: 07[CFG] received stroke: route 'myconn'
Mar 22 14:00:47 vpn-gateway-vodafone charon: 11[CFG] received stroke: initiate 'myconn'
Mar 22 14:00:47 vpn-gateway-vodafone charon: 13[IKE] initiating IKE_SA myconn[1] to 85.205.30.142
Mar 22 14:00:47 vpn-gateway-vodafone charon: 13[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 22 14:00:47 vpn-gateway-vodafone charon: 13[NET] sending packet: from 10.164.0.17[500] to 85.205.30.142[500] (464 bytes)
Mar 22 14:00:47 vpn-gateway-vodafone charon: 12[NET] received packet: from 85.205.30.142[500] to 10.164.0.17[500] (376 bytes)
Mar 22 14:00:47 vpn-gateway-vodafone charon: 12[ENC] parsed IKE_SA_INIT response 0 [ SA KE No ]
Mar 22 14:00:47 vpn-gateway-vodafone charon: 12[IKE] authentication of '35.204.88.19' (myself) with pre-shared key
Mar 22 14:00:47 vpn-gateway-vodafone charon: 12[IKE] establishing CHILD_SA myconn
Mar 22 14:00:47 vpn-gateway-vodafone charon: 12[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
Mar 22 14:00:47 vpn-gateway-vodafone charon: 12[NET] sending packet: from 10.164.0.17[500] to 85.205.30.142[500] (252 bytes)
Mar 22 14:00:47 vpn-gateway-vodafone charon: 15[NET] received packet: from 85.205.30.142[500] to 10.164.0.17[500] (204 bytes)
Mar 22 14:00:47 vpn-gateway-vodafone charon: 15[ENC] parsed IKE_AUTH response 1 [ IDr AUTH SA TSi TSr ]
Mar 22 14:00:47 vpn-gateway-vodafone charon: 15[IKE] authentication of '85.205.30.142' with pre-shared key successful
Mar 22 14:00:47 vpn-gateway-vodafone charon: 15[IKE] IKE_SA myconn[1] established between 10.164.0.17[35.204.88.19]...85.205.30.142[85.205.30.142]
Mar 22 14:00:47 vpn-gateway-vodafone charon: 15[IKE] scheduling reauthentication in 9908s
Mar 22 14:00:47 vpn-gateway-vodafone charon: 15[IKE] maximum IKE_SA lifetime 10448s
Mar 22 14:00:47 vpn-gateway-vodafone charon: 15[IKE] CHILD_SA myconn{2} established with SPIs c9533bb0_i 398968fc_o and TS 10.164.0.0/20 === 10.2.0.0/20
Mar 22 14:00:51 vpn-gateway-vodafone google-accounts: INFO Removing user alxtbk.
Mar 22 14:00:51 vpn-gateway-vodafone google-accounts: INFO Removing user alxtbk from the Google sudoers group.
Mar 22 14:00:51 vpn-gateway-vodafone google_accounts_daemon[690]: Removing user alxtbk from group google-sudoers
Mar 22 14:01:17 vpn-gateway-vodafone charon: 08[IKE] sending DPD request
Mar 22 14:01:17 vpn-gateway-vodafone charon: 08[ENC] generating INFORMATIONAL request 2 [ ]
Mar 22 14:01:17 vpn-gateway-vodafone charon: 08[NET] sending packet: from 10.164.0.17[500] to 85.205.30.142[500] (76 bytes)
Mar 22 14:01:17 vpn-gateway-vodafone charon: 07[NET] received packet: from 85.205.30.142[500] to 10.164.0.17[500] (76 bytes)
Mar 22 14:01:17 vpn-gateway-vodafone charon: 07[ENC] parsed INFORMATIONAL response 2 [ ]
Mar 22 14:01:47 vpn-gateway-vodafone charon: 10[IKE] sending DPD request
Mar 22 14:01:47 vpn-gateway-vodafone charon: 10[ENC] generating INFORMATIONAL request 3 [ ]
Mar 22 14:01:47 vpn-gateway-vodafone charon: 10[NET] sending packet: from 10.164.0.17[500] to 85.205.30.142[500] (76 bytes)
Mar 22 14:01:47 vpn-gateway-vodafone charon: 13[NET] received packet: from 85.205.30.142[500] to 10.164.0.17[500] (76 bytes)
Mar 22 14:01:47 vpn-gateway-vodafone charon: 13[ENC] parsed INFORMATIONAL response 3 [ ]

iptables

root@vpn-gateway-vodafone:/home/alxtbk# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination        

ip xfrm policy

root@vpn-gateway-vodafone:/home/alxtbk# ip xfrm policy
src 10.2.0.0/20 dst 10.164.0.0/20 
        dir fwd priority 189760 ptype main 
        tmpl src 85.205.30.142 dst 10.164.0.17
                proto esp reqid 1 mode tunnel
src 10.2.0.0/20 dst 10.164.0.0/20 
        dir in priority 189760 ptype main 
        tmpl src 85.205.30.142 dst 10.164.0.17
                proto esp reqid 1 mode tunnel
src 10.164.0.0/20 dst 10.2.0.0/20 
        dir out priority 189760 ptype main 
        tmpl src 10.164.0.17 dst 85.205.30.142
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket in priority 0 ptype main 
src 0.0.0.0/0 dst 0.0.0.0/0 
        socket out priority 0 ptype main 
src ::/0 dst ::/0 
        socket in priority 0 ptype main 
src ::/0 dst ::/0 
        socket out priority 0 ptype main 
src ::/0 dst ::/0 
        socket in priority 0 ptype main 
src ::/0 dst ::/0 
        socket out priority 0 ptype main 

What am I doing wrong?
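An added triage helper (not from the question or from strongSwan) that parses the two outputs above: it checks that each CHILD_SA's traffic selectors have matching out/in/fwd kernel policies and flags the asymmetric counters seen here (252 bytes_o, 0 bytes_i), which show this gateway encrypting and sending while nothing comes back. The sample texts are constructed from the values in the post; the xfrm sample omits the tmpl lines, which the parser does not use.

```python
import re

# Constructed samples in the format of `ipsec statusall` and `ip xfrm policy`,
# with the values from the question above.
STATUSALL = """\
      myconn{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2c9e607_i 5650382b_o
      myconn{2}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 252 bytes_o (3 pkts, 239s ago), rekeying in 44 minutes
      myconn{2}:   10.164.0.0/20 === 10.2.0.0/20
"""
XFRM_POLICY = """\
src 10.2.0.0/20 dst 10.164.0.0/20
        dir fwd priority 189760 ptype main
src 10.2.0.0/20 dst 10.164.0.0/20
        dir in priority 189760 ptype main
src 10.164.0.0/20 dst 10.2.0.0/20
        dir out priority 189760 ptype main
"""

def parse_child_sas(text):
    # One dict per CHILD_SA name ("myconn{2}"); byte counters and the
    # traffic selectors (local === remote) come from separate statusall lines.
    sas = {}
    for name, rest in re.findall(r'^\s*(\S+\{\d+\}):\s+(.*)$', text, re.M):
        sa = sas.setdefault(name, {})
        b = re.search(r'(\d+) bytes_i, (\d+) bytes_o', rest)
        if b:
            sa['bytes_i'], sa['bytes_o'] = int(b[1]), int(b[2])
        ts = re.fullmatch(r'(\S+) === (\S+)', rest.strip())
        if ts:
            sa['local_ts'], sa['remote_ts'] = ts.groups()
    return sas

def parse_xfrm_policies(text):
    # Set of (src, dst, dir) tuples; "socket" policies have no dir line and are skipped.
    return set(re.findall(r'^src (\S+) dst (\S+)\s*\n\s+dir (\w+)', text, re.M))

def diagnose(status_text, policy_text):
    # Findings: a selector pair with no kernel policy in some direction, or
    # counters showing traffic leaving the tunnel with nothing coming back.
    findings, pols = [], parse_xfrm_policies(policy_text)
    for name, sa in parse_child_sas(status_text).items():
        if 'local_ts' not in sa:
            continue
        loc, rem = sa['local_ts'], sa['remote_ts']
        for d, src, dst in (('out', loc, rem), ('in', rem, loc), ('fwd', rem, loc)):
            if (src, dst, d) not in pols:
                findings.append(f"{name}: no '{d}' xfrm policy for {src} -> {dst}")
        if sa.get('bytes_o', 0) > 0 and sa.get('bytes_i', 0) == 0:
            findings.append(f"{name}: one-way traffic, {sa['bytes_o']} bytes out and 0 in; "
                            "the peer is not replying or its ESP never reaches this host")
    return findings
```

Run diagnose() on the live outputs of both commands; for the post's data it reports only the one-way counters, so the kernel policies on this side are complete and the gap lies in the return path.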
