Clients can't connect to the StrongSwan IKEv2 VPN server when using a modem

I have a StrongSwan server running on an Ubuntu 18 machine. It works as long as the clients use their mobile data. But when they try to connect through a modem (over cable or wifi), they end up with a connection error.
Client log:

00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
00[DMN] Starting IKE service (strongSwan 5.8.2dr1, Android 9 - FIG-LA1 9.1.0.171(C185E6R1P5)/2020-01-01, FIG-LA1 - HUAWEI/FIG-LA1/HUAWEI, Linux 4.9.148, aarch64)
00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
00[JOB] spawning 16 worker threads
08[IKE] initiating IKE_SA android[5] to x.x.x.x
08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08[NET] sending packet: from 192.168.2.2[38856] to x.x.x.x[500] (716 bytes)
10[NET] received packet: from x.x.x.x[500] to 192.168.2.2[38856] (270 bytes)
10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
10[IKE] local host is behind NAT, sending keep alives
10[IKE] remote host is behind NAT
10[IKE] establishing CHILD_SA android{5}
10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
10[NET] sending packet: from 192.168.2.2[55032] to x.x.x.x[4500] (432 bytes)
12[IKE] retransmit 1 of request with message ID 1
12[NET] sending packet: from 192.168.2.2[55032] to x.x.x.x[4500] (432 bytes)
13[IKE] retransmit 2 of request with message ID 1
13[NET] sending packet: from 192.168.2.2[55032] to x.x.x.x[4500] (432 bytes)
14[IKE] retransmit 3 of request with message ID 1
14[NET] sending packet: from 192.168.2.2[55032] to x.x.x.x[4500] (432 bytes)
01[IKE] giving up after 3 retransmits
01[IKE] establishing IKE_SA failed, peer not responding
08[IKE] unable to terminate IKE_SA: ID 5 not found

And the server log:

11[NET] received packet: from y.y.y.y[56945] to x.x.x.x[500] (716 bytes)
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
11[IKE] y.y.y.y is initiating an IKE_SA
11[IKE] remote host is behind NAT
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
11[NET] sending packet: from x.x.x.x[500] to y.y.y.y[56945] (270 bytes)

where x.x.x.x is my server's public IP and y.y.y.y is my client's modem IP.
As you can see, the client cannot receive the response. I noticed that the client port (38856 or 55032 in this case) differs from the port the server responds to (56945). (Is this a NAT problem? Is it a problem at all?)
Another thing is that the client thinks the server is behind NAT, which is not the case; I connect to the server using its public IP. However, the successful clients (connecting over mobile data) also think the server is behind NAT.

I don't want answers that require changes on the client side, because my clients are ordinary people who are not familiar with advanced workarounds (such as port forwarding). (Reading such answers would still be helpful, though.)

Update:
Client log of a successful connection:

Feb 19 13:21:59 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Feb 19 13:21:59 00[DMN] Starting IKE service (strongSwan 5.8.2dr1, Android 9 - FIG-LA1 9.1.0.171(C185E6R1P5)/2020-01-01, FIG-LA1 - HUAWEI/FIG-LA1/HUAWEI, Linux 4.9.148, aarch64)
Feb 19 13:21:59 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Feb 19 13:21:59 00[JOB] spawning 16 worker threads
Feb 19 13:21:59 07[IKE] initiating IKE_SA android[1] to x.x.x.x
Feb 19 13:21:59 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 13:21:59 07[NET] sending packet: from z.z.z.z[44087] to x.x.x.x[500] (716 bytes)
Feb 19 13:22:00 09[NET] received packet: from x.x.x.x[500] to z.z.z.z[44087] (270 bytes)
Feb 19 13:22:00 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 19 13:22:00 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
Feb 19 13:22:00 09[IKE] local host is behind NAT, sending keep alives
Feb 19 13:22:00 09[IKE] remote host is behind NAT
Feb 19 13:22:00 09[IKE] establishing CHILD_SA android{1}
Feb 19 13:22:00 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 13:22:00 09[NET] sending packet: from z.z.z.z[46299] to x.x.x.x[4500] (432 bytes)
Feb 19 13:22:00 15[NET] received packet: from x.x.x.x[4500] to z.z.z.z[46299] (1236 bytes)
Feb 19 13:22:00 15[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Feb 19 13:22:00 15[ENC] received fragment #1 of 2, waiting for complete IKE message
Feb 19 13:22:00 12[NET] received packet: from x.x.x.x[4500] to z.z.z.z[46299] (788 bytes)
Feb 19 13:22:00 12[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Feb 19 13:22:00 12[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1952 bytes)
Feb 19 13:22:00 12[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Feb 19 13:22:00 12[IKE] received end entity cert "CN=x.x.x.x"
Feb 19 13:22:00 12[CFG] no issuer certificate found for "CN=x.x.x.x"
Feb 19 13:22:00 12[CFG]   issuer is "CN=VPN root CA"
Feb 19 13:22:00 12[CFG]   using trusted certificate "CN=x.x.x.x"
Feb 19 13:22:00 12[IKE] authentication of 'x.x.x.x' with RSA_EMSA_PKCS1_SHA2_384 successful
Feb 19 13:22:00 12[IKE] server requested EAP_MSCHAPV2 authentication (id 0xB1)
Feb 19 13:22:00 12[ENC] generating IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Feb 19 13:22:00 12[NET] sending packet: from z.z.z.z[46299] to x.x.x.x[4500] (144 bytes)
Feb 19 13:22:00 16[NET] received packet: from x.x.x.x[4500] to z.z.z.z[46299] (144 bytes)
Feb 19 13:22:00 16[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Feb 19 13:22:00 16[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
Feb 19 13:22:00 16[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Feb 19 13:22:00 16[NET] sending packet: from z.z.z.z[46299] to x.x.x.x[4500] (80 bytes)
Feb 19 13:22:01 13[NET] received packet: from x.x.x.x[4500] to z.z.z.z[46299] (80 bytes)
Feb 19 13:22:01 13[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
Feb 19 13:22:01 13[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Feb 19 13:22:01 13[IKE] authentication of 'username' (myself) with EAP
Feb 19 13:22:01 13[ENC] generating IKE_AUTH request 4 [ AUTH ]
Feb 19 13:22:01 13[NET] sending packet: from z.z.z.z[46299] to x.x.x.x[4500] (96 bytes)
Feb 19 13:22:01 14[NET] received packet: from x.x.x.x[4500] to z.z.z.z[46299] (288 bytes)
Feb 19 13:22:01 14[ENC] parsed IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb 19 13:22:01 14[IKE] authentication of 'x.x.x.x' with EAP successful
Feb 19 13:22:01 14[IKE] IKE_SA android[1] established between z.z.z.z[username]...x.x.x.x[x.x.x.x]
Feb 19 13:22:01 14[IKE] scheduling rekeying in 35953s
Feb 19 13:22:01 14[IKE] maximum IKE_SA lifetime 36553s
Feb 19 13:22:01 14[IKE] installing DNS server 8.8.8.8
Feb 19 13:22:01 14[IKE] installing new virtual IP 10.10.10.2
Feb 19 13:22:01 14[IKE] CHILD_SA android{1} established with SPIs 8fdeb5a5_i c034c489_o and TS 10.10.10.2/32 === 0.0.0.0/0
Feb 19 13:22:01 14[DMN] setting up TUN device for CHILD_SA android{1}
Feb 19 13:22:01 14[DMN] successfully created TUN device
Feb 19 13:22:01 14[IKE] peer supports MOBIKE

Server log of a successful connection:

Feb 19 09:51:19 fsra charon: 11[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (80 bytes)
Feb 19 09:51:19 fsra charon: 11[ENC] parsed INFORMATIONAL request 5 [ D ]
Feb 19 09:51:19 fsra charon: 11[IKE] received DELETE for IKE_SA ikev2-vpn[155]
Feb 19 09:51:19 fsra charon: 11[IKE] deleting IKE_SA ikev2-vpn[155] between x.x.x.x[x.x.x.x]...y.y.y.y[username]
Feb 19 09:51:19 fsra charon: 11[IKE] IKE_SA deleted
Feb 19 09:51:19 fsra charon: 11[ENC] generating INFORMATIONAL response 5 [ ]
Feb 19 09:51:19 fsra charon: 11[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (80 bytes)
Feb 19 09:51:40 fsra charon: 05[NET] received packet: from y.y.y.y[44087] to x.x.x.x[500] (716 bytes)
Feb 19 09:51:40 fsra charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 09:51:40 fsra charon: 05[IKE] y.y.y.y is initiating an IKE_SA
Feb 19 09:51:40 fsra charon: 05[IKE] remote host is behind NAT
Feb 19 09:51:40 fsra charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 19 09:51:40 fsra charon: 05[NET] sending packet: from x.x.x.x[500] to y.y.y.y[44087] (270 bytes)
Feb 19 09:51:40 fsra charon: 13[NET] received packet: from y.y.y.y[46299] to x.x.x.x[4500] (432 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 09:51:40 fsra ipsec[9456]: 15[IKE] received retransmit of request with ID 0, retransmitting response
Feb 19 09:51:40 fsra ipsec[9456]: 15[NET] sending packet: from x.x.x.x[500] to y.y.y.y[59365] (270 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 12[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (432 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] EAP-Identity request configured, but not supported
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] initiating EAP_MSCHAPV2 method (id 0xA1)
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] peer supports MOBIKE
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] authentication of 'x.x.x.x' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] sending end entity cert "CN=x.x.x.x"
Feb 19 09:51:40 fsra ipsec[9456]: 12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Feb 19 09:51:40 fsra ipsec[9456]: 12[ENC] splitting IKE message with length of 1952 bytes into 2 fragments
Feb 19 09:51:40 fsra ipsec[9456]: 12[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Feb 19 09:51:40 fsra ipsec[9456]: 12[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Feb 19 09:51:40 fsra ipsec[9456]: 12[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (1236 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 12[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (788 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 08[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (144 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 08[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Feb 19 09:51:40 fsra ipsec[9456]: 08[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Feb 19 09:51:40 fsra ipsec[9456]: 08[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (144 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 16[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (80 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 16[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Feb 19 09:51:40 fsra ipsec[9456]: 16[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Feb 19 09:51:40 fsra ipsec[9456]: 16[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Feb 19 09:51:40 fsra ipsec[9456]: 16[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (80 bytes)
Feb 19 09:51:40 fsra charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 09:51:40 fsra ipsec[9456]: 10[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (96 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 10[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] authentication of 'username' with EAP successful
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] authentication of 'x.x.x.x' (myself) with EAP
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] IKE_SA ikev2-vpn[155] established between x.x.x.x[x.x.x.x]...y.y.y.y[username]
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] peer requested virtual IP %any
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] assigning virtual IP 10.10.10.2 to peer 'username'
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] peer requested virtual IP %any6
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] no virtual IP found for %any6 requested by 'username'
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] CHILD_SA ikev2-vpn{49} established with SPIs c79b0579_i daec5f8d_o and TS 0.0.0.0/0 === 10.10.10.2/32
Feb 19 09:51:40 fsra ipsec[9456]: 10[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb 19 09:51:40 fsra ipsec[9456]: 10[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (288 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 11[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (80 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 11[ENC] parsed INFORMATIONAL request 5 [ D ]
Feb 19 09:51:40 fsra ipsec[9456]: 11[IKE] received DELETE for IKE_SA ikev2-vpn[155]
Feb 19 09:51:40 fsra ipsec[9456]: 11[IKE] deleting IKE_SA ikev2-vpn[155] between x.x.x.x[x.x.x.x]...y.y.y.y[username]
Feb 19 09:51:40 fsra ipsec[9456]: 11[IKE] IKE_SA deleted
Feb 19 09:51:40 fsra ipsec[9456]: 11[ENC] generating INFORMATIONAL response 5 [ ]
Feb 19 09:51:40 fsra ipsec[9456]: 11[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (80 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 05[NET] received packet: from y.y.y.y[44087] to x.x.x.x[500] (716 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 09:51:40 fsra ipsec[9456]: 05[IKE] y.y.y.y is initiating an IKE_SA
Feb 19 09:51:40 fsra ipsec[9456]: 05[IKE] remote host is behind NAT
Feb 19 09:51:40 fsra ipsec[9456]: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 19 09:51:40 fsra ipsec[9456]: 05[NET] sending packet: from x.x.x.x[500] to y.y.y.y[44087] (270 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 13[NET] received packet: from y.y.y.y[46299] to x.x.x.x[4500] (432 bytes)
Feb 19 09:51:40 fsra charon: 13[IKE] EAP-Identity request configured, but not supported
Feb 19 09:51:40 fsra ipsec[9456]: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 09:51:40 fsra ipsec[9456]: 13[IKE] EAP-Identity request configured, but not supported
Feb 19 09:51:40 fsra ipsec[9456]: 13[IKE] initiating EAP_MSCHAPV2 method (id 0xB1)
Feb 19 09:51:40 fsra charon: 13[IKE] initiating EAP_MSCHAPV2 method (id 0xB1)
Feb 19 09:51:40 fsra charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Feb 19 09:51:40 fsra charon: 13[IKE] peer supports MOBIKE
Feb 19 09:51:40 fsra charon: 13[IKE] authentication of 'x.x.x.x' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Feb 19 09:51:40 fsra charon: 13[IKE] sending end entity cert "CN=x.x.x.x"
Feb 19 09:51:40 fsra charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Feb 19 09:51:40 fsra charon: 13[ENC] splitting IKE message with length of 1952 bytes into 2 fragments
Feb 19 09:51:40 fsra charon: 13[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Feb 19 09:51:40 fsra charon: 13[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Feb 19 09:51:40 fsra charon: 13[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[46299] (1236 bytes)
Feb 19 09:51:40 fsra charon: 13[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[46299] (788 bytes)
Feb 19 09:51:41 fsra charon: 09[NET] received packet: from y.y.y.y[46299] to x.x.x.x[4500] (144 bytes)
Feb 19 09:51:41 fsra charon: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Feb 19 09:51:41 fsra charon: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Feb 19 09:51:41 fsra charon: 09[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[46299] (144 bytes)
Feb 19 09:51:41 fsra charon: 03[NET] received packet: from y.y.y.y[46299] to x.x.x.x[4500] (80 bytes)
Feb 19 09:51:41 fsra charon: 03[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Feb 19 09:51:41 fsra charon: 03[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Feb 19 09:51:41 fsra charon: 03[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Feb 19 09:51:41 fsra charon: 03[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[46299] (80 bytes)
Feb 19 09:51:41 fsra charon: 15[NET] received packet: from y.y.y.y[46299] to x.x.x.x[4500] (96 bytes)
Feb 19 09:51:41 fsra charon: 15[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Feb 19 09:51:41 fsra charon: 15[IKE] authentication of 'username' with EAP successful
Feb 19 09:51:41 fsra charon: 15[IKE] authentication of 'x.x.x.x' (myself) with EAP
Feb 19 09:51:41 fsra charon: 15[IKE] IKE_SA ikev2-vpn[156] established between x.x.x.x[x.x.x.x]...y.y.y.y[username]
Feb 19 09:51:41 fsra charon: 15[IKE] peer requested virtual IP %any
Feb 19 09:51:41 fsra charon: 15[IKE] assigning virtual IP 10.10.10.2 to peer 'username'
Feb 19 09:51:41 fsra charon: 15[IKE] peer requested virtual IP %any6
Feb 19 09:51:41 fsra charon: 15[IKE] no virtual IP found for %any6 requested by 'username'
Feb 19 09:51:41 fsra charon: 15[IKE] CHILD_SA ikev2-vpn{50} established with SPIs c034c489_i 8fdeb5a5_o and TS 0.0.0.0/0 === 10.10.10.2/32
Feb 19 09:51:41 fsra charon: 15[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb 19 09:51:41 fsra charon: 15[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[46299] (288 bytes)

where x.x.x.x is my server's public IP, y.y.y.y is my client's mobile data IP, and z.z.z.z is some IP from Sudan (a country in Africa); I don't know why it is there. (The phone introduces itself as z.z.z.z in its log (some IP from a faraway place), but the actual IP is
But the server seems to have no problem reaching the client, and as mentioned above, both sides think the other is behind NAT. (My client and server are in two different time zones, which is why the logged times don't match.)
Another notable thing in the logs: ports 46299 and 44087 are logged on both sides. (It seems they are opened on the client device, bound to z.z.z.z, and the server is talking to those ports on the y.y.y.y IP.) (Given my limited knowledge of how StrongSwan works, I may be focusing on these details wrongly.)
You may also find it useful to know that if I connect through a mobile hotspot from a client that can connect to the VPN, I can still connect to the VPN from the new client device.

Update:
So I set charon.fragment_size in the config file to zero (as suggested in the docs) and to 1360, together with these settings:

iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

(Also tested with 1400.) But everything stays the same: mobile data clients can connect, but modem users can't.
I also tried changing the mtu and mss values through the plugin section in strongswan.conf:

kernel-netlink
{
    mss = 1140; #I tried the numbers above too
    mtu = 1280; #I tried the numbers above too
}
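As an added example (not from the question's author or from the strongSwan project), here is a small Python correlator that parses the charon "[NET] sending/received packet" lines from a client log and a server log and reports, per server UDP port, whether the client's packets arrived at all and which source port the NAT presented. The embedded sample lines are constructed, condensed from the failing-case logs above; in that case it flags that nothing ever reached UDP/4500, which is where the IKE_AUTH retransmits go.

```python
import re
from collections import defaultdict

# Matches charon "[NET] sending/received packet" lines, with or without a syslog prefix.
PKT = re.compile(r"\[NET\] (sending|received) packet: from (\S+)\[(\d+)\] "
                 r"to (\S+)\[(\d+)\] \((\d+) bytes\)")

def parse_packets(log):
    """Yield (direction, src, sport, dst, dport, nbytes) for every [NET] line."""
    for line in log.splitlines():
        m = PKT.search(line)
        if m:
            d, src, sp, dst, dp, n = m.groups()
            yield d, src, int(sp), dst, int(dp), int(n)

def correlate(client_log, server_log):
    """Per server UDP port: packets the client sent vs. what the server logged."""
    stats = defaultdict(lambda: {"sent": 0, "received": 0,
                                 "client_ports": set(), "nat_ports": set()})
    for d, _, sp, _, dp, _ in parse_packets(client_log):
        if d == "sending":            # client -> server, as the client saw it
            stats[dp]["sent"] += 1
            stats[dp]["client_ports"].add(sp)
    for d, _, sp, _, dp, _ in parse_packets(server_log):
        if d == "received":           # the same traffic, as it arrived through NAT
            stats[dp]["received"] += 1
            stats[dp]["nat_ports"].add(sp)
    return dict(stats)

def diagnose(stats):
    """Turn the per-port counters into findings a VPN admin can act on."""
    findings = []
    for port, s in sorted(stats.items()):
        if s["received"] == 0:
            findings.append(f"no client packets reached server UDP/{port} "
                            f"({s['sent']} sent): check NAT/firewall for this port")
        elif s["nat_ports"] != s["client_ports"]:
            findings.append(f"UDP/{port}: NAT rewrote client source port "
                            f"{sorted(s['client_ports'])} -> {sorted(s['nat_ports'])}")
    return findings

# Constructed samples, condensed from the failing-case logs in the question.
CLIENT_FAIL = """\
08[NET] sending packet: from 192.168.2.2[38856] to x.x.x.x[500] (716 bytes)
10[NET] sending packet: from 192.168.2.2[55032] to x.x.x.x[4500] (432 bytes)
12[NET] sending packet: from 192.168.2.2[55032] to x.x.x.x[4500] (432 bytes)
"""
SERVER_FAIL = """\
11[NET] received packet: from y.y.y.y[56945] to x.x.x.x[500] (716 bytes)
11[NET] sending packet: from x.x.x.x[500] to y.y.y.y[56945] (270 bytes)
"""
if __name__ == "__main__":
    for finding in diagnose(correlate(CLIENT_FAIL, SERVER_FAIL)):
        print(finding)
```

Run it against the successful-connection logs and no finding is produced, since both sides log the same ports 44087 and 46299 and traffic on UDP/4500 arrives.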