VPN problem in Ubuntu


A few days ago I ran into a situation where one of our remote users had a strange problem when connecting over VPN to our second VPN server (a Cisco ASA). The ASA configuration is fine, because everything works for every other user from different locations. I even tried his profile from a different machine and everything worked. The problem is that he can establish the tunnel but cannot access local resources, even though he can ping the servers. Testing ports from his machine with telnet also succeeds. Whether I use the IP or the FQDN, web and SSH are unreachable. I don't know where to look now. The routing table looks fine. Give me some advice on how to investigate this. I noticed he has a garbage nameserver IP, 127.0.0.53, in /etc/resolve.conf, and after the VPN connection is established the internal DNS IP is not populated into resolve.conf. I need your help. Thanks!

Output:

ls -al
lrwxrwxrwx 1 root root 39 Mar 27 08:03 /etc/resolv.conf -> ../run/systemd/resolve/stub-resolv.conf

cat /etc/resolve.conf

nameserver 127.0.0.53
options edns0
search asatnet.net
$ sudo systemd-resolve --status
Global
          DNSSEC NTA: 10.in-addr.arpa
                      16.172.in-addr.arpa
                      168.192.in-addr.arpa
                      17.172.in-addr.arpa
                      18.172.in-addr.arpa
                      19.172.in-addr.arpa
                      20.172.in-addr.arpa
                      21.172.in-addr.arpa
                      22.172.in-addr.arpa
                      23.172.in-addr.arpa
                      24.172.in-addr.arpa
                      25.172.in-addr.arpa
                      26.172.in-addr.arpa
                      27.172.in-addr.arpa
                      28.172.in-addr.arpa
                      29.172.in-addr.arpa
                      30.172.in-addr.arpa
                      31.172.in-addr.arpa
                      corp
                      d.f.ip6.arpa
                      home
                      internal
                      intranet
                      lan
                      local
                      private
                      test

Link 19 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.xx.xx
                      192.168.xx.xx
          DNS Domain: <domain>

Link 5 (ppp0)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Link 3 (wlp2s0)
      Current Scopes: none
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no

Link 2 (eno1)
      Current Scopes: DNS
       LLMNR setting: yes
MulticastDNS setting: no
      DNSSEC setting: no
    DNSSEC supported: no
         DNS Servers: 192.168.0.1

I also tested ports 443 and 22 on our local server with tcpdump/telnet; it appears to be listening and the remote port is reachable:

 $ telnet xxx.domain.xxx 443
Trying 192.168.yy.yyy...
Connected to xxx.domain.xxx
Escape character is '^]'.



^]
telnet> close
Connection closed.
$ sudo tcpdump -nnn -i tun0 dst port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
17:58:08.124308 IP 192.168.xx.xxx.37600 > 192.168.yy.yyy.443: Flags [P.], seq 1839497978:1839497980, ack 4013729976, win 215, options [nop,nop,TS val 2566817412 ecr 3737518068], length 2
17:58:12.448693 IP 192.168.xx.xxx.37600 > 192.168.yy.yyy.443: Flags [P.], seq 2:4, ack 1, win 215, options [nop,nop,TS val 2566821736 ecr 3737533137], length 2
17:58:13.742958 IP 192.168.xx.xxx.37600 > 192.168.yy.yyy.443: Flags [P.], seq 4:6, ack 1, win 215, options [nop,nop,TS val 2566823031 ecr 3737537467], length 2
17:58:22.070210 IP 192.168.xx.xxx.37600 > 192.168.yy.yyy.443: Flags [F.], seq 6, ack 1, win 215, options [nop,nop,TS val 2566831358 ecr 3737538757], length 0
17:58:22.205701 IP 192.168.xx.xxx.37600 > 192.168.yy.yyy.443: Flags [.], ack 2, win 215, options [nop,nop,TS val 2566831493 ecr 3737547086], length 0
^C
5 packets captured
5 packets received by filter
0 packets dropped by kernel
$ telnet 192.168.yy.yyy 22
Trying 192.168.yy.yyy...
Connected to 192.168.yy.yyy.
Escape character is '^]'.
SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.4

Protocol mismatch.
Connection closed by foreign host.

~$ sudo tcpdump -nnn -i tun0 dst port 22
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tun0, link-type RAW (Raw IP), capture size 262144 bytes
17:59:03.479558 IP 192.168.xx.xxx.47946 > 192.168.yy.yyy.22: Flags [S], seq 655161819, win 27440, options [mss 1372,sackOK,TS val 2566872767 ecr 0,nop,wscale 7], length 0
17:59:03.612253 IP 192.168.xx.xxx.47946 > 192.168.yy.yyy.22: Flags [.], ack 3463176096, win 215, options [nop,nop,TS val 2566872900 ecr 4260145591], length 0
17:59:03.759173 IP 192.168.xx.xxx.47946 > 192.168.yy.yyy.22: Flags [.], ack 42, win 215, options [nop,nop,TS val 2566873047 ecr 4260145734], length 0
17:59:06.453527 IP 192.168.xx.xxx.47946 > 192.168.yy.yyy.22: Flags [P.], seq 0:2, ack 42, win 215, options [nop,nop,TS val 2566875741 ecr 4260145734], length 2
17:59:06.586761 IP 192.168.xx.xxx.47946 > 192.168.yy.yyy.22: Flags [.], ack 61, win 215, options [nop,nop,TS val 2566875875 ecr 4260148565], length 0
17:59:06.587035 IP 192.168.xx.xxx.47946 > 192.168.yy.yyy.22: Flags [F.], seq 2, ack 62, win 215, options [nop,nop,TS val 2566875875 ecr 4260148565], length 0

Access to external domains works without any problem.
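Added example, not part of the original question: on a systemd-resolved host, /etc/resolv.conf is a symlink to the stub file and only ever lists 127.0.0.53, so the VPN's DNS servers must be read from the per-link view that `systemd-resolve --status` prints. This script parses that output (a constructed sample modelled on the one above, with made-up addresses) and reports, per link, whether DNS servers and a search domain were actually pushed; run it with `LIVE=1` to query the real daemon.

```sh
#!/bin/sh
# Constructed sample (addresses invented) in the layout systemd-resolve --status uses.
STATUS_SAMPLE='Global
          DNSSEC NTA: 10.in-addr.arpa
                      corp

Link 19 (tun0)
      Current Scopes: DNS
       LLMNR setting: yes
         DNS Servers: 192.168.10.1
                      192.168.10.2
          DNS Domain: corp.example

Link 5 (ppp0)
      Current Scopes: none

Link 2 (eno1)
      Current Scopes: DNS
         DNS Servers: 192.168.0.1
'

# Source of the status text: the live daemon when LIVE=1, else the sample above.
status_text() {
    if [ "${LIVE:-0}" = "1" ]; then systemd-resolve --status; else printf '%s\n' "$STATUS_SAMPLE"; fi
}

# Print every value of FIELD ("DNS Servers" or "DNS Domain") for LINK, one per line,
# following the indented continuation lines the tool prints for multi-valued fields.
link_field() {
    link=$1; field=$2
    status_text | awk -v link="$link" -v field="$field" '
        /^Link [0-9]+ \(/ { n=$0; sub(/^Link [0-9]+ \(/, "", n); sub(/\).*$/, "", n)
                            inlink=(n==link); infield=0; next }
        !inlink { next }
        index($0, field ":") { infield=1; v=$0; sub(/^[^:]*:[ \t]*/, "", v); if (v!="") print v; next }
        /:/ { infield=0; next }           # a different "Key: value" line ends the field
        infield && NF { print $1 }        # continuation line carrying another value
    '
}

# Number of DNS servers bound to LINK (0 when the link has no DNS scope).
link_dns_count() { link_field "$1" "DNS Servers" | wc -l | tr -d ' '; }

# One-line verdict per link: the VPN link should show servers AND a domain,
# otherwise internal names will be sent to the LAN resolver on eno1 instead.
report_link() {
    printf '%s: %s server(s), domain=%s\n' "$1" "$(link_dns_count "$1")" \
        "$(link_field "$1" "DNS Domain" | head -n1)"
}

for l in tun0 ppp0 eno1; do report_link "$l"; done
```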
