I set up my strongswan server on a virtual Ubuntu 22 behind NAT. For RCA with a login and password it works fine. But I need it to work with a PSK key only. I have tried many options, but I cannot connect from my Android. The current configuration is:
cat /etc/ipsec.secrets
: PSK 6VvBHiM3vZlaY4elIgiKhuD/6aAWo5c2
cat /etc/ipsec.conf
config setup
    charondebug="all"
    uniqueids=yes

conn ikev2-ipsec-psk
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    # authby=secret
    authby=psk
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    leftid=%any
    # [email protected]
    leftsubnet=0.0.0.0/0
    right=%any
    rightid=%any
    rightdns=1.1.1.1,1.0.0.1
    rightsourceip=10.101.0.0/16
cat rules.v4
# Generated by iptables-save v1.8.7 on Fri Jul 7 17:37:44 2023
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A FORWARD -s 10.101.0.0/16 -o ens33 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Fri Jul 7 17:37:44 2023
# Generated by iptables-save v1.8.7 on Fri Jul 7 17:37:44 2023
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [83911:86155655]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i ens33 -m state --state NEW -m recent --update --seconds 300 --hitcount 60 --name DEFAULT --mask 255.255.255.255 --rsource -j DROP
-A INPUT -i ens33 -m state --state NEW -m recent --set --name DEFAULT --mask 255.255.255.255 --rsource
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i ens33 -p esp -j ACCEPT
-A INPUT -i ens33 -p ah -j ACCEPT
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -s 10.101.0.0/16 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -d 10.101.0.0/16 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -j DROP
-A OUTPUT -o ens33 -p esp -j ACCEPT
-A OUTPUT -o ens33 -p ah -j ACCEPT
-A OUTPUT -o ens33 -p udp -m udp --sport 500 --dport 500 -j ACCEPT
-A OUTPUT -o ens33 -p udp -m udp --sport 4500 --dport 4500 -j ACCEPT
COMMIT
# Completed on Fri Jul 7 17:37:44 2023
# Generated by iptables-save v1.8.7 on Fri Jul 7 17:37:44 2023
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:DOCKER - [0:0]
-A POSTROUTING -s 10.101.0.0/16 -o ens33 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.101.0.0/16 -o ens33 -j MASQUERADE
COMMIT
# Completed on Fri Jul 7 17:37:44 2023
Ports forwarded on the NAT:
# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 401M packets, 47G bytes)
pkts bytes target prot opt in out source destination
...
84 23694 DNAT udp -- sfp2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:4500 to:10.5.23.88:4500
904 363K DNAT udp -- sfp2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:500 to:10.5.23.88:500
483 26400 DNAT tcp -- sfp2 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:88 to:10.5.23.88:80
16 1568 DNAT udp -- sfp2 * 0.0.0.0/0 0.0.0.0/0 udp dpt:1701 to:10.5.23.88:1701
Chain INPUT (policy ACCEPT 77M packets, 5830M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 34M packets, 3513M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 31M packets, 3036M bytes)
pkts bytes target prot opt in out source destination
1094M 182G SNAT all -- * * 10.0.0.0/8 0.0.0.0/0 to:x.y.z.b
On the Ubuntu server, when I try to connect, I get this in the log (178.168.214.112 is the user's IP, 10.5.23.88 is the server's LAN IP):
Jul 11 18:22:16 ubuntu22 charon: 01[NET] received packet: from 178.168.214.112[64102] to 10.5.23.88[500] (1072 bytes)
Jul 11 18:22:16 ubuntu22 charon: 01[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) ]
Jul 11 18:22:16 ubuntu22 charon: 01[IKE] 178.168.214.112 is initiating an IKE_SA
Jul 11 18:22:16 ubuntu22 charon: 01[CFG] received proposals: IKE:AES_CTR_256/AES_CBC_256/AES_CTR_192/AES_CBC_192/AES_CTR_128/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_4096/CURVE_25519/MODP_3072/MODP_2048, IKE:CHACHA20_POLY1305/AES_GCM_16_256/AES_GCM_12_256/AES_GCM_8_256/AES_GCM_16_192/AES_GCM_12_192/AES_GCM_8_192/AES_GCM_16_128/AES_GCM_12_128/AES_GCM_8_128/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_4096/CURVE_25519/MODP_3072/MODP_2048
Jul 11 18:22:16 ubuntu22 charon: 01[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Jul 11 18:22:16 ubuntu22 charon: 01[IKE] local host is behind NAT, sending keep alives
Jul 11 18:22:16 ubuntu22 charon: 01[IKE] remote host is behind NAT
Jul 11 18:22:16 ubuntu22 charon: 01[IKE] received proposals unacceptable
Jul 11 18:22:16 ubuntu22 charon: 01[ENC] generating IKE_SA_INIT response 0 [ N(NO_PROP) ]
Jul 11 18:22:16 ubuntu22 charon: 01[NET] sending packet: from 10.5.23.88[500] to 178.168.214.112[64102] (36 bytes)
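The `received proposals unacceptable` / `N(NO_PROP)` pair in the log above means charon found no IKE proposal that both sides offer. The script below is an added example (not code from the question or from the strongSwan project): it parses the two `[CFG] ... proposals:` lines that charon prints, classifies each transform by type, and reports for every configured/received pair which transform types have no algorithm in common. The log text is copied from the question; the second, "compatible" configured line and the algorithm-name classification rules are this example's own assumptions about how strongSwan names transforms.

```python
"""Diagnose a strongSwan IKE_SA_INIT 'received proposals unacceptable' by
comparing charon's 'received proposals' and 'configured proposals' log lines
transform type by transform type (ENCR, INTEG, PRF, DH)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: the two [CFG] lines copied from the question's log.
SAMPLE_LOG = """\
Jul 11 18:22:16 ubuntu22 charon: 01[CFG] received proposals: IKE:AES_CTR_256/AES_CBC_256/AES_CTR_192/AES_CBC_192/AES_CTR_128/AES_CBC_128/HMAC_SHA2_512_256/HMAC_SHA2_384_192/HMAC_SHA2_256_128/AES_XCBC_96/AES_CMAC_96/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_4096/CURVE_25519/MODP_3072/MODP_2048, IKE:CHACHA20_POLY1305/AES_GCM_16_256/AES_GCM_12_256/AES_GCM_8_256/AES_GCM_16_192/AES_GCM_12_192/AES_GCM_8_192/AES_GCM_16_128/AES_GCM_12_128/AES_GCM_8_128/PRF_HMAC_SHA1/PRF_AES128_XCBC/PRF_HMAC_SHA2_256/PRF_HMAC_SHA2_384/PRF_HMAC_SHA2_512/PRF_AES128_CMAC/MODP_4096/CURVE_25519/MODP_3072/MODP_2048
Jul 11 18:22:16 ubuntu22 charon: 01[CFG] configured proposals: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
"""

# Constructed counter-example (assumption, not from the question): the same
# client offer against a server proposal built only from algorithms the
# client actually listed.
COMPATIBLE_LOG = SAMPLE_LOG.splitlines()[0] + "\n" + (
    "Jul 11 18:22:16 ubuntu22 charon: 01[CFG] configured proposals: "
    "IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048\n"
)

PROPOSAL_RE = re.compile(r"\[CFG\] (received|configured) proposals: (.*)$")

# Assumed classification of charon's transform names by prefix.
def transform_type(alg: str) -> str:
    if alg.startswith("PRF_"):
        return "PRF"
    if alg.startswith(("MODP_", "CURVE_", "ECP_")):
        return "DH"
    if alg.startswith(("HMAC_", "AES_XCBC_", "AES_CMAC_")):
        return "INTEG"
    return "ENCR"  # AES_CBC/CTR/GCM, CHACHA20_POLY1305, 3DES, ...

Proposal = Tuple[str, Dict[str, Set[str]]]  # (protocol, {type: {algs}})

def parse_proposals(line: str):
    """Return ('received'|'configured', [proposals]) or None for other lines."""
    m = PROPOSAL_RE.search(line)
    if not m:
        return None
    proposals: List[Proposal] = []
    for prop in m.group(2).split(", "):
        proto, _, algs = prop.partition(":")
        by_type: Dict[str, Set[str]] = {}
        for alg in algs.split("/"):
            by_type.setdefault(transform_type(alg), set()).add(alg)
        proposals.append((proto, by_type))
    return m.group(1), proposals

def explain_mismatch(log_text: str) -> Dict[str, List[str]]:
    """For each configured/received pair, list transform types with no overlap.
    An empty list means that pair would have been accepted."""
    received: List[Proposal] = []
    configured: List[Proposal] = []
    for line in log_text.splitlines():
        parsed = parse_proposals(line)
        if parsed is None:
            continue
        kind, props = parsed
        (received if kind == "received" else configured).extend(props)
    report: Dict[str, List[str]] = {}
    for ci, (cproto, cset) in enumerate(configured):
        for ri, (rproto, rset) in enumerate(received):
            key = f"configured#{ci} vs received#{ri}"
            if cproto != rproto:
                report[key] = ["PROTO"]
                continue
            # A type present on one side only (e.g. AEAD without INTEG) also
            # counts as a mismatch, which is how the intersection is empty.
            report[key] = [t for t in sorted(set(cset) | set(rset))
                           if not (cset.get(t, set()) & rset.get(t, set()))]
    return report

def acceptable(log_text: str) -> bool:
    """True if at least one configured proposal matches a received one."""
    return any(not missing for missing in explain_mismatch(log_text).values())

if __name__ == "__main__":
    for name, log in (("question", SAMPLE_LOG), ("compatible", COMPATIBLE_LOG)):
        print(f"{name}: acceptable={acceptable(log)}")
        for pair, missing in explain_mismatch(log).items():
            print(f"  {pair}: missing {missing or 'nothing'}")
```

Run against the question's log it reports that the server's single proposal fails on INTEG (the client offers no HMAC_SHA1_96) and DH (no MODP_1024) against the client's first proposal, and additionally on ENCR against the AEAD proposal; the constructed compatible line matches the first client proposal on every type.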