Connected to a StrongSwan VPN running on Ubuntu, but cannot reach the internet

Although I have established a connection to an IKEv2 VPN running on an Ubuntu VM on GCP, I have trouble reaching the internet through it. I connect to the VPN from a MacBook. I followed this tutorial to install the VPN on the Ubuntu VM. The only difference from the tutorial is that I replaced the domain name used in the tutorial with the IP address of the GCP VM.

Here is the /etc/ipsec.conf configuration:

config setup
  charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
  strictcrlpolicy=no
  uniqueids=yes
  cachecrls=no

conn ipsec-ikev2-vpn
  auto=add
  compress=no
  type=tunnel
  keyexchange=ikev2
  fragmentation=yes
  forceencaps=yes
  dpdaction=clear
  dpddelay=300s
  rekey=no
  left=%any
  leftid=xx.xxx.xxx.219
  leftcert=server.cert.pem
  leftsendcert=always
  leftsubnet=0.0.0.0/0
  right=%any
  rightid=%any
  rightauth=eap-mschapv2
  rightsourceip=192.168.0.0/24
  rightdns=8.8.8.8 # DNS to be assigned to clients
  rightsendcert=never
  eap_identity=%identity

Here is the iptables state:

$ iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 751 packets, 119K bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain INPUT (policy ACCEPT 7 packets, 3808 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain OUTPUT (policy ACCEPT 35 packets, 2840 bytes)
 pkts bytes target     prot opt in     out     source               destination         
Chain POSTROUTING (policy ACCEPT 767 packets, 116K bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0

/etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

If I ssh into the Ubuntu server, I can curl any public website. That leads me to believe the problem is in the strongSwan configuration. I have some screenshots of the network configuration used for the VM on GCP if they are needed.

Which configuration do I need to change to be able to reach the internet through the IKEv2 VPN?

Edit: here are some log lines from syslog:

Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[500] to 10.152.0.2[500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 09[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 0000000000000000_r
Jul 18 07:09:41 vpn-instance charon: 09[MGR] created IKE_SA (unnamed)[5]
Jul 18 07:09:41 vpn-instance charon: 09[NET] received packet: from xxx.xxx.xxx.112[500] to 10.152.0.2[500] (604 bytes)
Jul 18 07:09:41 vpn-instance charon: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jul 18 07:09:41 vpn-instance charon: 09[CFG] looking for an IKEv2 config for 10.152.0.2...xxx.xxx.xxx.112
Jul 18 07:09:41 vpn-instance charon: 09[CFG]   candidate: %any...%any, prio 28
Jul 18 07:09:41 vpn-instance charon: 09[CFG] found matching ike config: %any...%any with prio 28
Jul 18 07:09:41 vpn-instance charon: 09[IKE] xxx.xxx.xxx.112 is initiating an IKE_SA
Jul 18 07:09:41 vpn-instance charon: 09[IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
Jul 18 07:09:41 vpn-instance charon: 09[CFG] selecting proposal:
Jul 18 07:09:41 vpn-instance charon: 09[CFG]   proposal matches
Jul 18 07:09:41 vpn-instance charon: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 18 07:09:41 vpn-instance charon: 09[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Jul 18 07:09:41 vpn-instance charon: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 18 07:09:41 vpn-instance charon: 09[IKE] local host is behind NAT, sending keep alives
Jul 18 07:09:41 vpn-instance charon: 09[IKE] remote host is behind NAT
Jul 18 07:09:41 vpn-instance charon: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jul 18 07:09:41 vpn-instance charon: 09[NET] sending packet: from 10.152.0.2[500] to xxx.xxx.xxx.112[500] (456 bytes)
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[500] to xxx.xxx.xxx.112[500]
Jul 18 07:09:41 vpn-instance charon: 09[MGR] checkin IKE_SA (unnamed)[5]
Jul 18 07:09:41 vpn-instance charon: 09[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 10[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8858e_r
Jul 18 07:09:41 vpn-instance charon: 10[MGR] IKE_SA (unnamed)[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleting policy 0.0.0.0/0 === 192.168.0.1/32 out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] getting iface index for ens4
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleting policy 192.168.0.1/32 === 0.0.0.0/0 in
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleting policy 192.168.0.1/32 === 0.0.0.0/0 fwd
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleting SAD entry with SPI cf6c6551
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleted SAD entry with SPI cf6c6551
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleting SAD entry with SPI 08f90a8f
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[KNL] deleted SAD entry with SPI 08f90a8f
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[CFG] lease 192.168.0.1 by 'users-name' went offline
Jul 18 07:09:41 vpn-instance ipsec[8264]: 05[MGR] checkin and destroy of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 07[MGR] checkout IKEv2 SA with SPIs 0bb3c1942e27aa5a_i 154ee3eb7c30364c_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 07[MGR] IKE_SA checkout not successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[500] to 10.152.0.2[500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 0000000000000000_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[MGR] created IKE_SA (unnamed)[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[NET] received packet: from xxx.xxx.xxx.112[500] to 10.152.0.2[500] (604 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] looking for an IKEv2 config for 10.152.0.2...xxx.xxx.xxx.112
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG]   candidate: %any...%any, prio 28
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] found matching ike config: %any...%any with prio 28
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[IKE] xxx.xxx.xxx.112 is initiating an IKE_SA
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[IKE] IKE_SA (unnamed)[5] state change: CREATED => CONNECTING
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] selecting proposal:
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG]   proposal matches
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] received proposals: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 18 07:09:41 vpn-instance charon: 10[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (496 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] configured proposals: IKE:AES_CBC_128/AES_CBC_192/AES_CBC_256/AES_CTR_128/AES_CTR_192/AES_CTR_256/CAMELLIA_CBC_128/CAMELLIA_CBC_192/CAMELLIA_CBC_256/3DES_CBC/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/AES_XCBC_96/AES_CMAC_96/HMAC_SHA1_96/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048, IKE:AES_CCM_16_128/AES_CCM_16_192/AES_CCM_16_256/AES_GCM_16_128/AES_GCM_16_192/AES_GCM_16_256/CHACHA20_POLY1305/AES_CCM_8_128/AES_CCM_8_192/AES_CCM_8_256/AES_CCM_12_128/AES_CCM_12_192/AES_CCM_12_256/AES_GCM_8_128/AES_GCM_8_192/AES_GCM_8_256/AES_GCM_12_128/AES_GCM_12_192/AES_GCM_12_256/PRF_AES128_XCBC/PRF_AES128_CMAC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_HMAC_SHA1/ECP_256/ECP_384/ECP_521/ECP_256_BP/ECP_384_BP/ECP_512_BP/CURVE_25519/CURVE_448/MODP_3072/MODP_4096/MODP_6144/MODP_8192/MODP_2048
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[IKE] local host is behind NAT, sending keep alives
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[IKE] remote host is behind NAT
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(CHDLESS_SUP) N(MULT_AUTH) ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[NET] sending packet: from 10.152.0.2[500] to xxx.xxx.xxx.112[500] (456 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[500] to xxx.xxx.xxx.112[500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[MGR] checkin IKE_SA (unnamed)[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 09[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[MGR] IKE_SA (unnamed)[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (496 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
Jul 18 07:09:41 vpn-instance charon: 10[ENC] unknown attribute type INTERNAL_DNS_DOMAIN
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[CFG] looking for peer configs matching 10.152.0.2[xxx.xxx.xxx.219]...125.168.239.112[192.168.1.2]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[CFG]   candidate "ipsec-ikev2-vpn", match: 20/1/28 (me/other/ike)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[CFG] selected peer config 'ipsec-ikev2-vpn'
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] initiating EAP_IDENTITY method (id 0x00)
Jul 18 07:09:41 vpn-instance charon: 10[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr CPRQ(ADDR MASK DHCP DNS ADDR6 DHCP6 DNS6 DOMAIN) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr N(MOBIKE_SUP) ]
Jul 18 07:09:41 vpn-instance charon: 10[CFG] looking for peer configs matching 10.152.0.2[xxx.xxx.xxx.219]...125.168.239.112[192.168.1.2]
Jul 18 07:09:41 vpn-instance charon: 10[CFG]   candidate "ipsec-ikev2-vpn", match: 20/1/28 (me/other/ike)
Jul 18 07:09:41 vpn-instance charon: 10[CFG] selected peer config 'ipsec-ikev2-vpn'
Jul 18 07:09:41 vpn-instance charon: 10[IKE] initiating EAP_IDENTITY method (id 0x00)
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP4_NETMASK attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP4_DHCP attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP4_DNS attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP6_DHCP attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_IP6_DNS attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] processing INTERNAL_DNS_DOMAIN attribute
Jul 18 07:09:41 vpn-instance charon: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 18 07:09:41 vpn-instance charon: 10[IKE] peer supports MOBIKE
Jul 18 07:09:41 vpn-instance charon: 10[IKE] authentication of 'xxx.xxx.xxx.219' (myself) with RSA signature successful
Jul 18 07:09:41 vpn-instance charon: 10[IKE] sending end entity cert "CN=xxx.xxx.xxx.219"
Jul 18 07:09:41 vpn-instance charon: 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul 18 07:09:41 vpn-instance charon: 10[ENC] splitting IKE message (1904 bytes) into 2 fragments
Jul 18 07:09:41 vpn-instance charon: 10[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jul 18 07:09:41 vpn-instance charon: 10[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jul 18 07:09:41 vpn-instance charon: 10[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (1236 bytes)
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 10[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (740 bytes)
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 10[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance charon: 10[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 01[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8858e_r
Jul 18 07:09:41 vpn-instance charon: 01[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance charon: 01[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (80 bytes)
Jul 18 07:09:41 vpn-instance charon: 01[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jul 18 07:09:41 vpn-instance charon: 01[IKE] received EAP identity 'users-name'
Jul 18 07:09:41 vpn-instance charon: 01[IKE] initiating EAP_MSCHAPV2 method (id 0x4D)
Jul 18 07:09:41 vpn-instance charon: 01[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance charon: 01[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (112 bytes)
Jul 18 07:09:41 vpn-instance charon: 01[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance charon: 01[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 11[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8858e_r
Jul 18 07:09:41 vpn-instance charon: 11[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance charon: 11[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (144 bytes)
Jul 18 07:09:41 vpn-instance charon: 11[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance charon: 11[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance charon: 11[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (144 bytes)
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 11[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance charon: 11[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 13[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8858e_r
Jul 18 07:09:41 vpn-instance charon: 13[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance charon: 13[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (80 bytes)
Jul 18 07:09:41 vpn-instance charon: 13[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance charon: 13[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jul 18 07:09:41 vpn-instance charon: 13[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Jul 18 07:09:41 vpn-instance charon: 13[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (80 bytes)
Jul 18 07:09:41 vpn-instance charon: 13[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance charon: 13[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance charon: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance charon: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance charon: 12[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP4_ADDRESS attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP4_NETMASK attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP4_DHCP attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP4_DNS attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP6_ADDRESS attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP6_DHCP attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_IP6_DNS attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] processing INTERNAL_DNS_DOMAIN attribute
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] peer supports MOBIKE
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] authentication of 'xxx.xxx.xxx.219' (myself) with RSA signature successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[IKE] sending end entity cert "CN=xxx.xxx.xxx.219"
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] splitting IKE message (1904 bytes) into 2 fragments
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (1236 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (740 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 10[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (80 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[IKE] received EAP identity 'users-name'
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[IKE] initiating EAP_MSCHAPV2 method (id 0x4D)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (112 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 01[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance charon: 12[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (144 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (144 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 11[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (80 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500] (80 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 13[MGR] checkin of IKE_SA successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 04[NET] sending packet: from 10.152.0.2[4500] to xxx.xxx.xxx.112[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 03[NET] waiting for data on sockets
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[MGR] checkout IKEv2 SA by message with SPIs ba2940ca0c7e91b2_i 775c577350b8858e_r
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[MGR] IKE_SA ipsec-ikev2-vpn[5] successfully checked out
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (112 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[IKE] authentication of '192.168.1.2' with EAP successful
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[IKE] authentication of 'xxx.xxx.xxx.219' (myself) with EAP
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[IKE] IKE_SA ipsec-ikev2-vpn[5] established between 10.152.0.2[35.244.121.219]...xxx.xxx.xxx.112[192.168.1.2]
Jul 18 07:09:41 vpn-instance charon: 12[NET] received packet: from xxx.xxx.xxx.112[4500] to 10.152.0.2[4500] (112 bytes)
Jul 18 07:09:41 vpn-instance ipsec[8264]: 12[IKE] IKE_SA ipsec-ikev2-vpn[5] state change: CONNECTING => ESTABLISHED
Jul 18 07:09:41 vpn-instance charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Jul 18 07:09:41 vpn-instance charon: 12[IKE] authentication of '192.168.1.2' with EAP successful
Jul 18 07:09:41 vpn-instance charon: 12[IKE] authentication of 'xxx.xxx.xxx.219' (myself) with EAP
Jul 18 07:09:41 vpn-instance charon: 12[IKE] IKE_SA ipsec-ikev2-vpn[5] established between 10.152.0.2[xx.xxx.xxx.219]...xxx.xxx.xxx.112[192.168.1.2]
Jul 18 07:09:41 vpn-instance charon: 12[IKE] IKE_SA ipsec-ikev2-vpn[5] state change: CONNECTING => ESTABLISHED
Jul 18 07:09:41 vpn-instance charon: 12[IKE] peer requested virtual IP %any
Jul 18 07:09:41 vpn-instance charon: 12[CFG] reassigning offline lease to 'users-name'
Jul 18 07:09:41 vpn-instance charon: 12[IKE] assigning virtual IP 192.168.0.1 to peer 'users-name'
Jul 18 07:09:41 vpn-instance charon: 12[IKE] peer requested virtual IP %any6
Jul 18 07:09:41 vpn-instance charon: 12[IKE] no virtual IP found for %any6 requested by 'users-name'
Jul 18 07:09:41 vpn-instance charon: 12[IKE] building INTERNAL_IP4_DNS attribute
Jul 18 07:09:41 vpn-instance charon: 12[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Jul 18 07:09:41 vpn-instance charon: 12[CFG] proposing traffic selectors for us:
Jul 18 07:09:41 vpn-instance charon: 12[CFG]  0.0.0.0/0
Jul 18 07:09:41 vpn-instance charon: 12[CFG] proposing traffic selectors for other:
Jul 18 07:09:41 vpn-instance charon: 12[CFG]  192.168.0.1/32
Jul 18 07:09:41 vpn-instance charon: 12[CFG]   candidate "ipsec-ikev2-vpn" with prio 10+2
Jul 18 07:09:41 vpn-instance charon: 12[CFG] found matching child config "ipsec-ikev2-vpn" with prio 12
Jul 18 07:09:41 vpn-instance charon: 12[CFG] selecting proposal:
Jul 18 07:09:41 vpn-instance charon: 12[CFG]   proposal matches
Jul 18 07:09:41 vpn-instance charon: 12[CFG] received proposals: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:3DES_CBC/HMAC_SHA1_96/NO_EXT_SEQ
Jul 18 07:09:41 vpn-instance charon: 12[CFG] configured proposals: ESP:AES_CBC_128/AES_CBC_192/AES_CBC_256/HMAC_SHA2_256_128/HMAC_SHA2_384_192/HMAC_SHA2_512_256/HMAC_SHA1_96/AES_XCBC_96/NO_EXT_SEQ
Jul 18 07:09:41 vpn-instance charon: 12[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ
Jul 18 07:09:41 vpn-instance charon: 12[KNL] got SPI c37cf9e4
Jul 18 07:10:21 vpn-instance ipsec[8264]: 08[KNL] querying policy 0.0.0.0/0 === 192.168.0.1/32 out
Jul 18 07:10:21 vpn-instance ipsec[8264]: 08[KNL] querying SAD entry with SPI 079bf039
Jul 18 07:10:21 vpn-instance charon: 08[KNL] querying SAD entry with SPI 079bf039
Jul 18 07:10:21 vpn-instance ipsec[8264]: 08[IKE] sending keep alive to xxx.xxx.xxx.112[4500]
Jul 18 07:10:21 vpn-instance charon: 08[IKE] sending keep alive to xxx.xxx.xxx.112[4500]
Jul 18 07:10:21 vpn-instance charon: 08[MGR] checkin IKE_SA ipsec-ikev2-vpn[5]
Jul 18 07:10:21 vpn-instance charon: 08[MGR] checkin of IKE_SA successful
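The material in the question already contains one detail worth checking before touching the strongSwan configuration: the tunnel comes up cleanly (IKE_SA ESTABLISHED, virtual IP 192.168.0.1 assigned, child SA negotiated), the MASQUERADE rule in the nat table is bound to eth0 with a packet counter of 0, and charon's own log refers to the interface as ens4. If the uplink really is ens4, client traffic is forwarded but never source-NATed, which produces exactly "tunnel up, no internet". The script below is an added example, not code from the question or the answer: it parses `iptables -t nat -L -n -v` and `ip route` output and reports whether the MASQUERADE out-interface matches the default-route interface. The sample iptables text is taken from the question; the sample route lines (gateway 10.152.0.1 on ens4) and the corrected rule with a non-zero counter are constructed assumptions, and the FORWARD chain of the filter table is not covered because the question does not show it.

```shell
#!/bin/sh
# Added example (not from the question or the answer): check whether the
# MASQUERADE rule of a strongSwan road-warrior gateway sits on the interface
# that actually carries the default route. All parsing works on captured
# text, so the checks run offline; live_check() applies them to the host.

# Constructed sample, copied from the question's `iptables -t nat -L -n -v`:
# the MASQUERADE rule is bound to eth0 and has matched no packets.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 751 packets, 119K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 767 packets, 116K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0'

# Constructed sample: the same rule moved to ens4, the interface charon names
# in the question's log. The counter value is made up for illustration.
FIXED_NAT='Chain POSTROUTING (policy ACCEPT 767 packets, 116K bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9600 MASQUERADE  all  --  *      ens4    0.0.0.0/0            0.0.0.0/0'

# Constructed sample `ip route` output. Interface name (ens4) and host address
# (10.152.0.2) come from the log; the gateway address is an assumption.
SAMPLE_ROUTE='default via 10.152.0.1 dev ens4 proto dhcp src 10.152.0.2 metric 100
10.152.0.1 dev ens4 proto dhcp scope link src 10.152.0.2 metric 100'

# masq_ifaces NAT_OUTPUT: print the out-interface (7th column of -L -n -v
# output) of every MASQUERADE rule, one per line.
masq_ifaces() {
    printf '%s\n' "$1" | awk '$3 == "MASQUERADE" { print $7 }'
}

# masq_pkts NAT_OUTPUT: print the packet counter of the first MASQUERADE rule.
# A counter that stays at 0 while a client is connected and browsing means
# no client traffic is reaching the rule at all.
masq_pkts() {
    printf '%s\n' "$1" | awk '$3 == "MASQUERADE" { print $1; exit }'
}

# default_iface ROUTE_OUTPUT: print the device of the first default route.
default_iface() {
    printf '%s\n' "$1" | awk '$1 == "default" {
        for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit }
    }'
}

# check_nat NAT_OUTPUT ROUTE_OUTPUT: print one verdict
#   ok                a MASQUERADE rule exists on the default-route interface
#   missing           there is no MASQUERADE rule at all
#   mismatch:<iface>  MASQUERADE exists, but not on <iface>, the real uplink
check_nat() {
    want=$(default_iface "$2")
    got=$(masq_ifaces "$1")
    if [ -z "$got" ]; then
        echo "missing"
        return 0
    fi
    for iface in $got; do
        if [ "$iface" = "$want" ]; then
            echo "ok"
            return 0
        fi
    done
    echo "mismatch:$want"
}

# live_check: run the same comparison against the running system (needs root).
live_check() {
    check_nat "$(iptables -t nat -L -n -v 2>/dev/null)" "$(ip route show 2>/dev/null)"
}

# Offline demonstration on the constructed samples: the question's rule
# yields "mismatch:ens4", the corrected one yields "ok".
echo "question's rule: $(check_nat "$SAMPLE_NAT" "$SAMPLE_ROUTE") (pkts=$(masq_pkts "$SAMPLE_NAT"))"
echo "corrected rule:  $(check_nat "$FIXED_NAT" "$SAMPLE_ROUTE") (pkts=$(masq_pkts "$FIXED_NAT"))"
```

The verdict is printed rather than returned as an exit code so that the function composes with `set -e` in wrapper scripts; `live_check` is the only function that touches the host, and it needs the same privileges as `iptables` itself. A mismatch is fixed by re-adding the MASQUERADE rule with `-o` set to the interface the check reports, and a rule on the right interface whose counter still stays at 0 points at forwarding (the FORWARD chain or the `ip_forward` runtime value, which `/etc/sysctl.conf` only sets after `sysctl -p` or a reboot) rather than at NAT.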

Answer 1

From the GCP firewall side, your configuration looks fine. However, installing and configuring StrongSwan is not a simple process, and there are many steps that decide whether it succeeds.

You could try repeating the process on another VM (created from scratch) and going through the steps again, but...

If you can use another solution, I would suggest a Marketplace solution - they are much simpler to deploy, and you get a ready-made solution - for example OpenVPN. And it is certified by GCP.

You could also try SoftEther VPN, but there is currently no ready-to-deploy solution for it on the Marketplace, so that means installing it just like StrongSwan.