我使用 Ubuntu 22.04 和 strongSwan 5.9.5 在 Oracle 的 OCI 上设置了 VPN 服务器。当我尝试从不同的移动终端连接时,Android 运行良好,Win10 运行良好,甚至老款的 Blackberry10 也运行良好,但 Win7 和 Win8.1 笔记本电脑却不行:它们停留在第一阶段:
mytestcloud charon[968]: 05[NET] received packet: from <MYIP>[500] to 10.0.0.64[500] (616 bytes)
mytestcloud charon[968]: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
mytestcloud charon[968]: 05[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
mytestcloud charon[968]: 05[IKE] received MS-Negotiation Discovery Capable vendor ID
mytestcloud charon[968]: 05[IKE] received Vid-Initial-Contact vendor ID
mytestcloud charon[968]: 05[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
mytestcloud charon[968]: 05[IKE] <MYIP> is initiating an IKE_SA
mytestcloud charon[968]: 05[IKE] <MYIP> is initiating an IKE_SA
mytestcloud charon[968]: 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
mytestcloud charon[968]: 05[IKE] local host is behind NAT, sending keep alives
mytestcloud charon[968]: 05[IKE] remote host is behind NAT
mytestcloud charon[968]: 05[IKE] sending cert request for "C=<MYCOUNTRY>, O=<MYFIRM>, CN=<MYNAME>"
mytestcloud charon[968]: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(CHDLESS_SUP) N(MULT_AUTH) ]
mytestcloud charon[968]: 05[NET] sending packet: from 10.0.0.64[500] to <MYIP>[500] (345 bytes)
mytestcloud charon[968]: 08[IKE] sending keep alive to <MYIP>[500]
mytestcloud charon[968]: 09[JOB] deleting half open IKE_SA with <MYIP> after timeout
我的 ipsec.conf 是:
config setup
charondebug="ike 1, knl 1, cfg 1"
strictcrlpolicy=no
# uniqueids = no
conn %default
ikelifetime=24h
keylife=24h
keyexchange=ikev2
dpdaction=clear
dpdtimeout=3600s
dpddelay=3600s
compress=yes
leftfirewall=yes
left=%any
leftsubnet=0.0.0.0/0
right=%any
rightsourceip=192.168.2.100/28
# rightdns=8.8.8.8, 8.8.4.4
# leftsendcert=always
# fragmentation=yes
# rightsendcert=never
# forceencaps=yes
rekey=no
auto=add
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
conn roadwarrior
leftauth=pubkey
leftcert=VPNCert.pem
leftid=<SERVERIP>
rightauth=pubkey
状态为(Win10笔记本电脑已连接):
ubuntu@mytestcloud:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-1025-oracle, aarch64):
uptime: 36 minutes, since Dec 12 09:05:21 2022
malloc: sbrk 2605056, mmap 0, used 1670848, free 934208
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon pkcs11 aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac ccm gcm drbg curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-ttls eap-peap eap-tnc xauth-generic tnc-tnccs dhcp counters
Virtual IP pools (size/online/offline):
192.168.2.100/28: 11/1/0
Listening IP addresses:
10.0.0.64
Connections:
roadwarrior: %any...%any IKEv2, dpddelay=3600s
roadwarrior: local: [<SERVERIP>] uses public key authentication
roadwarrior: cert: "C=<MYCOUNTRY>, O=<MYFIRM>, CN=<SERVERIP>"
roadwarrior: remote: uses public key authentication
roadwarrior: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
roadwarrior[3]: ESTABLISHED 7 minutes ago, 10.0.0.64[150.136.154.215]...<MYIP>[C=<MYCOUNTRY>, O=<MYFIRM>, CN=Win10]
roadwarrior[3]: IKEv2 SPIs: 250f9e9db620a7e7_i 29b6ebbdb66a922a_r*, rekeying disabled
roadwarrior[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
roadwarrior{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c084f973_i 5daafdba_o
roadwarrior{1}: AES_CBC_256/HMAC_SHA1_96, 30958 bytes_i (122 pkts, 80s ago), 14517 bytes_o (50 pkts, 80s ago), rekeying disabled
roadwarrior{1}: 0.0.0.0/0 === 192.168.2.100/32
我怀疑这是某种碎片问题,因为在添加
fragmentation=no
在 ipsec.conf 中,Win10 设备也以同样的方式出现故障。我相信我添加了所有需要的内容;我的意思是
net/ipv4/ip_no_pmtu_disc=1
在 sysctl.conf 和
FORWARD -t mangle --match policy --pol ipsec --dir in -o enp0s3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
在 iptables 规则中。请记住,我可以在 AWS 上的 Ubuntu 16.04 / strongSwan 5.2.2 中使用几乎相同的配置,没有任何问题。细微的差别是默认密码套件和不同的服务器证书。那么,我可以强制以某种方式连接这些 Windows 野兽吗?
答案1
好吧,问题似乎是数据包碎片。一方面,我相信 Oracle 已将碎片硬编码到其公共接口中;另一方面,旧版 Windows 操作系统(Windows 7、Windows 8/8.1、Windows 10 1803 之前版本、Ubuntu 16)不支持碎片。因此,无法使用此类操作系统上的客户端连接在 Oracle OCI 上运行的 strongSwan。有 3 种解决方法可以克服这一限制:
- 摆脱旧式客户端(对于使用它们的人来说印象并不深刻)。
- 更换云提供商 - 我在 Amazon AWS 和 DigitalOcean 上测试了 strongSwan:一切运行顺利。
- 更改 VPN 类型 - 我个人最终选择了这个解决方案:WireGuard 在 Oracle OCI 上没有任何问题。而且,我还解决了 DNS 泄漏问题,这是一个很好的补充。