已建立的 IKEv2 StrongSWAN 隧道没有流量

I have a problem that I have not been able to solve for the last few days. I have installed StrongSWAN on a Raspberry Pi running Raspbian (Debian GNU/Linux 7.11 (wheezy) / Linux 4.1.19-v7+ armv7l). OpenVPN is also running on this Pi. The subnets are separated by VLANs (with IEEE 802.1q tagging).

Network diagram

The purpose is to connect my iPad to my LAN from any location, as I already do with my laptop via OpenVPN. The tunnel comes up and everything looks fine, but there is no traffic. Once the tunnel is up I cannot reach any IP any more. (I do not want to use split tunneling at this point.) The iPad routing table looks fine:

Dest IP/Prefix       Gateway                      IFace
0.0.0.0/0            link#8                       ipsec0
0.0.0.0/0            192.168.99.1 (local Gw)      en0
10.2.200.254         link#8                       ipsec0

The router itself has no drop chains in IPTables and no manual rules. When I ping from the iPad, I do not see any traffic from the public source IP on the firewall. Only keepalives (UDP/500 and UDP/4500). So to me it looks as if the iPad is not sending the payload properly.

200.0.0.1 is the dynamic public IP of the remote client.

/etc/ipsec.conf

config setup
  charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
  keyexchange=ikev2
  ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes2$
  esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha$
  dpdaction=clear
  dpddelay=300s
  left=%any
  leftsubnet=0.0.0.0/0
  leftcert=vpnHostCert.pem
  leftid="vpn.site2.example.com"
  leftsendcert=always
  lefthostaccess=yes
  right=%any
  rightdns=10.2.200.254
  rightid="*@site02.example.com"
  rightsourceip=10.102.1.0/24
  righthostaccess=yes

conn IPSec-IKEv2
  auto=add

/var/log/syslog

Oct 13 13:18:02 RTR-200-254 charon: 02[NET] received packet: from 200.0.0.1[1011] to 10.2.250.2[500]
Oct 13 13:18:02 RTR-200-254 charon: 02[NET] waiting for data on sockets
Oct 13 13:18:02 RTR-200-254 charon: 06[NET] received packet: from 200.0.0.1[1011] to 10.2.250.2[500] (432 bytes)
Oct 13 13:18:02 RTR-200-254 charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] looking for an ike config for 10.2.250.2...200.0.0.1
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG]   candidate: %any...%any, prio 28
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] found matching ike config: %any...%any with prio 28
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] 200.0.0.1 is initiating an IKE_SA
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG]   no acceptable PSEUDO_RANDOM_FUNCTION found
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG]   proposal matches
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] local host is behind NAT, sending keep alives
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] remote host is behind NAT
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] sending cert request for "C=DE, O=Example, CN=Example IPSec CA"
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] sending cert request for "CN=ca.vpn.site02.example.com, ST=NDS, L=Somewhere, OU=IT, O=Example, C=DE, [email protected]"
Oct 13 13:18:02 RTR-200-254 charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 13 13:18:02 RTR-200-254 charon: 06[NET] sending packet: from 10.2.250.2[500] to 200.0.0.1[1011] (485 bytes)
Oct 13 13:18:02 RTR-200-254 charon: 03[NET] sending packet: from 10.2.250.2[500] to 200.0.0.1[1011]
Oct 13 13:18:02 RTR-200-254 charon: 02[NET] received packet: from 200.0.0.1[64916] to 10.2.250.2[4500]
Oct 13 13:18:02 RTR-200-254 charon: 02[NET] waiting for data on sockets
Oct 13 13:18:02 RTR-200-254 charon: 05[NET] received packet: from 200.0.0.1[64916] to 10.2.250.2[4500] (1804 bytes)
Oct 13 13:18:02 RTR-200-254 charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] received end entity cert "C=DE, O=Example, [email protected]"
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] looking for peer configs matching 10.2.250.2[vpn.site02.example.com]...200.0.0.1[[email protected]]
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   candidate "IPSec-IKEv2", match: 20/19/28 (me/other/ike)
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selected peer config 'IPSec-IKEv2'
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   using certificate "C=DE, O=Example, [email protected]"
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   certificate "C=DE, O=Example, [email protected]" key: 2048 bit RSA
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   using trusted ca certificate "C=DE, O=Example, CN=Example IPSec CA"
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] checking certificate status of "C=DE, O=Example, [email protected]"
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] ocsp check skipped, no ocsp found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] certificate status is not available
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   certificate "C=DE, O=Example, CN=Example IPSec CA" key: 4096 bit RSA
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   reached self-signed root ca with a path length of 0
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] authentication of '[email protected]' with RSA signature successful
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP4_ADDRESS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP4_DHCP attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP4_DNS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP4_NETMASK attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP6_ADDRESS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP6_DHCP attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP6_DNS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] peer supports MOBIKE
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] authentication of 'vpn.site02.example.com' (myself) with RSA signature successful
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] IKE_SA IPSec-IKEv2[2] established between 10.2.250.2[vpn.site02.example.com]...200.0.0.1[[email protected]]
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] IKE_SA IPSec-IKEv2[2] state change: CONNECTING => ESTABLISHED
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] scheduling reauthentication in 9849s
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] maximum IKE_SA lifetime 10389s
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] sending end entity cert "C=DE, O=Example, CN=vpn.site02.example.com"
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] peer requested virtual IP %any
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] reassigning offline lease to '[email protected]'
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] assigning virtual IP 10.102.1.1 to peer '[email protected]'
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] peer requested virtual IP %any6
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] no virtual IP found for %any6 requested by '[email protected]'
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] building INTERNAL_IP4_DNS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] proposing traffic selectors for us:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]  0.0.0.0/0
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] proposing traffic selectors for other:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]  10.102.1.1/32
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   candidate "IPSec-IKEv2" with prio 10+2
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] found matching child config "IPSec-IKEv2" with prio 12
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   no acceptable INTEGRITY_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   no acceptable ENCRYPTION_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   no acceptable INTEGRITY_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]   proposal matches
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] configured proposals: ESP:AES_GCM_16_128/ECP_256/NO_EXT_SEQ, ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/ECP_384/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting traffic selectors for us:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]  config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]  config: 0.0.0.0/0, received: ::/0 => no match
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting traffic selectors for other:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]  config: 10.102.1.1/32, received: 0.0.0.0/0 => match: 10.102.1.1/32
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG]  config: 10.102.1.1/32, received: ::/0 => no match
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] CHILD_SA IPSec-IKEv2{2} established with SPIs cfc7c697_i 09e87caf_o and TS 0.0.0.0/0 === 10.102.1.1/32
Oct 13 13:18:02 RTR-200-254 charon: 05[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Oct 13 13:18:02 RTR-200-254 charon: 05[NET] sending packet: from 10.2.250.2[4500] to 200.0.0.1[64916] (1772 bytes)
Oct 13 13:18:02 RTR-200-254 charon: 03[NET] sending packet: from 10.2.250.2[4500] to 200.0.0.1[64916]

iptables-save

# Generated by iptables-save v1.4.14 on Thu Oct 13 13:25:44 2016
*nat
:PREROUTING ACCEPT [333:25621]
:INPUT ACCEPT [104:10720]
:OUTPUT ACCEPT [1264:104724]
:POSTROUTING ACCEPT [1493:119625]
COMMIT
# Completed on Thu Oct 13 13:25:44 2016
# Generated by iptables-save v1.4.14 on Thu Oct 13 13:25:44 2016
*filter
:INPUT ACCEPT [22151:4547969]
:FORWARD ACCEPT [7303:2080414]
:OUTPUT ACCEPT [22707:4537290]
COMMIT
# Completed on Thu Oct 13 13:25:44 2016

ifconfig

eth0      Link encap:Ethernet  HWaddr 11:22:33:44:55:66
          inet addr:10.2.0.254  Bcast:10.2.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:507930 errors:0 dropped:0 overruns:0 frame:0
          TX packets:510583 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:436916075 (416.6 MiB)  TX bytes:448900377 (428.1 MiB)

eth0.10   Link encap:Ethernet  HWaddr 11:22:33:44:55:66
          inet addr:10.2.10.254  Bcast:10.2.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1818 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:497281 (485.6 KiB)

eth0.11   Link encap:Ethernet  HWaddr 11:22:33:44:55:66
          inet addr:10.2.11.254  Bcast:10.2.11.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5857 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4833 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1402095 (1.3 MiB)  TX bytes:760454 (742.6 KiB)

eth0.20   Link encap:Ethernet  HWaddr 11:22:33:44:55:66
          inet addr:10.2.20.254  Bcast:10.2.20.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1236 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:472837 (461.7 KiB)

eth0.51   Link encap:Ethernet  HWaddr 11:22:33:44:55:66
          inet addr:10.2.51.254  Bcast:10.2.51.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:472 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:36720 (35.8 KiB)

eth0.100  Link encap:Ethernet  HWaddr 11:22:33:44:55:66
          inet addr:10.2.100.254  Bcast:10.2.100.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:180916 errors:0 dropped:0 overruns:0 frame:0
          TX packets:277135 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:52955753 (50.5 MiB)  TX bytes:368243511 (351.1 MiB)

eth0.110  Link encap:Ethernet  HWaddr 11:22:33:44:55:66
          inet addr:10.2.110.254  Bcast:10.2.110.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:507 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1713 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:92936 (90.7 KiB)  TX bytes:526225 (513.8 KiB)

eth0.150  Link encap:Ethernet  HWaddr 11:22:33:44:55:66
          inet addr:10.2.150.254  Bcast:10.2.150.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0.200  Link encap:Ethernet  HWaddr 11:22:33:44:55:66
          inet addr:10.2.200.254  Bcast:10.2.200.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4945 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6059 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:596764 (582.7 KiB)  TX bytes:2019159 (1.9 MiB)

eth0.2500 Link encap:Ethernet  HWaddr 11:22:33:44:55:66
          inet addr:10.2.250.2  Bcast:10.2.250.3  Mask:255.255.255.252
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:313144 errors:0 dropped:0 overruns:0 frame:0
          TX packets:217317 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:379718967 (362.1 MiB)  TX bytes:70217194 (66.9 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:27589 errors:0 dropped:0 overruns:0 frame:0
          TX packets:27589 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3368330 (3.2 MiB)  TX bytes:3368330 (3.2 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.100.12.2  P-t-P:10.100.12.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:19147 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19569 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:3915884 (3.7 MiB)  TX bytes:2446854 (2.3 MiB)

tun1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.102.0.1  P-t-P:10.102.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:11134 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11398 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:2738720 (2.6 MiB)  TX bytes:7083263 (6.7 MiB)

Any ideas?

Edit 2016-10-14 10:37 CEST:

Relevant part of iPMC.mobileconfig

<dict>
    <key>PayloadDescription</key>
        <string>VPN-Setup for site2.example.com_IPSec</string>
    <key>PayloadDisplayName</key>
        <string>VPN-Config site2.example.com_IPSec</string>
    <key>PayloadIdentifier</key>
        <string>com.example.admin.JohnDoe.vpn.2.config</string>
    <key>PayloadType</key>
        <string>com.apple.vpn.managed</string>
    <key>PayloadUUID</key>
        <string>87c9ece2-3e6b-56a4-8bed-2f4cba277d93</string>
    <key>PayloadVersion</key>
        <real>1</real>
    <key>UserDefinedName</key>
        <string>site2.example.com_IPSec</string>
    <key>VPNType</key>
        <string>IKEv2</string>
    <key>IKEv2</key>
        <dict>
    <key>AuthenticationMethod</key>
    <string>Certificate</string>
    <key>PayloadCertificateUUID</key>
    <string>7d35ed5d-5f97-55c8-b668-254fe57e26d4</string>
    <key>RemoteAddress</key>
    <string>vpn.site2.example.com</string>
    <key>RemoteIdentifier</key>
    <string>vpn.site2.example.com</string>
    <key>LocalIdentifier</key>
    <string>[email protected]</string>
    <key>AuthenticationMethod</key>
    <string>Certificate</string>
    <key>ExtendedAuthEnabled</key>
    <integer>0</integer>
    <key>PayloadCertificateUUID</key>
    <string>7d35ed5d-5f97-55c8-b668-254fe57e26d4</string>
    <key>OnDemandEnabled</key>
    <integer>0</integer>
    <key>IKESecurityAssociationParameters</key>
        <dict>
            <key>EncryptionAlgorithm</key>
            <string>AES-128</string>
            <key>IntegrityAlgorithm</key>
            <string>SHA1-96</string>
            <key>DiffieHellmanGroup</key>
            <integer>14</integer>
        </dict>
    <key>ChildSecurityAssociationParameters</key>
        <dict>
            <key>EncryptionAlgorithm</key>
            <string>AES-128</string>
            <key>IntegrityAlgorithm</key>
            <string>SHA1-96</string>
            <key>DiffieHellmanGroup</key>
            <integer>14</integer>
        </dict>
        </dict>
    <key>IPv4</key>
        <dict>
    <key>OverridePrimary</key>
    <integer>1</integer>
        </dict>
</dict>
<dict>
    <key>PayloadDisplayName</key>
        <string>VPN-CA-Certificate</string>
    <key>PayloadDescription</key>
        <string>Setup of a VPN-CA-Certificate</string>
    <key>PayloadIdentifier</key>
        <string>com.example.admin.JohnDoe.vpn.2.cacertificate</string>
    <key>PayloadType</key>
        <string>com.apple.security.root</string>
    <key>PayloadUUID</key>
        <string>0b541041-c649-5563-adf9-2d56ed801ad3</string>
    <key>PayloadVersion</key>
        <integer>1</integer>
    <key>PayloadCertificateFileName</key>
        <string>vpn_2_ca.crt</string>
    <key>PayloadContent</key>
        <data>
    XX0xXX0XXXxXXxXXXXXXXXXXX0XXXX0xXX0xXx0XXXXXXXXXXXx0
    X0X0XXXXX0xXXxxXx0XxXX0XX0X0XXXXXxxxXxxxxxXXXXXXXxXX
    XXxXXXXXXXXxX0XxXXXXXxxXX0XXXXxXxxXXXxxXXxXXx0XXx0xx
                    [... cut away ...]
    x0xXXXx0xXXXxXxXxXxXXXxXXxx0xXXxXx0XXxXXXXXxXxxXxXXx
    XXXXXXx0X0X0xXx0x0XXXxXXXxX0XXXxXxxxXXxxxXxXXxx0XX0X
    XxXxXxxxxX0XXXXXXXXXx0xXXXX0X0XxXxX0Xx0xXX0xXX0XXXXX
    XxXXXxxXXXXXXX0xXX0X
        </data>
</dict>
<dict>
    <key>PayloadDisplayName</key>
        <string>VPN-Client-Certificate</string>
    <key>PayloadDescription</key>
        <string>Setup of a Client-Certificate</string>
    <key>PayloadIdentifier</key>
        <string>com.example.admin.JohnDoe.vpn.2.certificate</string>
    <key>PayloadType</key>
        <string>com.apple.security.pkcs12</string>
    <key>PayloadUUID</key>
        <string>7d35ed5d-5f97-55c8-b668-254fe57e26d4</string>
    <key>PayloadVersion</key>
        <integer>1</integer>
    <key>PayloadCertificateFileName</key>
        <string>vpn_2.p12</string>
    <key>Password</key>
        <string>veryverylongandcomplexpassword;-)</string>
    <key>PayloadContent</key>
        <data>
    YYYYyYYYYyYYYYYYYYyYYYy8YYYYYyYYYYYYyyY/YYYYyyYYYyyY
    YYyYYYy8YYYYYyYYYyyyyyyyYyYYYYYY8YYYYyYYyyyYYYyYYYyY
    YyyYYYy8YYYYYYYyYyYYyyyYYYYYYyYYYyyYyYYYyYYYYy+8yYy8
                    [... cut away ...]
    YYyy8YYyyYyY8yYYYyyyYYy8yyY8YYyYYYyYYYy8YYYYYYYyYyyY
    YyYyYY8YYyYyYYYYYyYYYY8YYYYYYYYYyyY8YYyYYyYyYYYYYYY8
    YYYyYYYyYYyYYYyYYyYyYYYYYYyyYYy//Yy8yYYY8/8Y8y88yYY/
    YYy8y8YyyYY8yYYYYYY=
        </data>
</dict>
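One thing worth separating out of the observation in the post that "only keepalives (UDP/500 and UDP/4500)" are visible: charon logged that both ends are behind NAT, so every ESP packet the iPad sends is UDP-encapsulated on port 4500 (RFC 3948) and will never show up as ICMP from 200.0.0.1 on the outer interface. On the wire an encrypted ping and a NAT keepalive differ only in their UDP payload. The following added example, which is not code from the original post, demultiplexes UDP/4500 payloads the way the receiver does (a single 0xFF byte is a keepalive, four zero bytes precede IKE, anything else starts with a non-zero ESP SPI) and carries the matching tcpdump filter. The sample datagrams are constructed; the SPI 0xcfc7c697 is the router's inbound SPI from the charon log in the post, the other values are invented.

```python
"""Classify what a UDP/4500 (IPsec NAT-T, RFC 3948) datagram actually carries.

Added example, not code from the original post. The sample datagrams at the bottom
are constructed; the ESP SPI 0xcfc7c697 is the router's inbound SPI from the charon
log in the post, everything else is made up.
"""
import struct
from collections import Counter

KEEPALIVE = b"\xff"                    # RFC 3948 2.3: a NAT-keepalive is a single 0xFF byte
NON_ESP_MARKER = b"\x00" * 4           # RFC 3948 2.2: IKE on port 4500 is prefixed by four zero bytes
ESP_HDR = struct.Struct("!II")         # RFC 4303: SPI (never 0 on the wire), sequence number
IKE_HDR = struct.Struct("!QQBBBBII")   # RFC 7296 3.1: SPIi, SPIr, next payload, version, exchange,
                                       #               flags, message id, length (28 bytes)
IKE_EXCHANGE = {34: "IKE_SA_INIT", 35: "IKE_AUTH", 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}

# tcpdump filter that keeps only ESP-in-UDP: a UDP length of 9 is the one-byte keepalive,
# and the first payload word (udp[8:4]; the UDP header is 8 bytes) is zero only for IKE.
TCPDUMP_ESP_IN_UDP = "udp port 4500 and udp[4:2] > 9 and udp[8:4] != 0"


def classify_natt_payload(payload: bytes) -> dict:
    """Return {'kind': 'keepalive'|'ike'|'esp'|'unknown', ...} for one UDP/4500 payload."""
    if payload == KEEPALIVE:
        return {"kind": "keepalive"}
    if payload.startswith(NON_ESP_MARKER) and len(payload) >= 4 + IKE_HDR.size:
        _spi_i, _spi_r, _next, version, xchg, flags, msg_id, length = IKE_HDR.unpack_from(payload, 4)
        return {"kind": "ike", "major": version >> 4, "exchange": IKE_EXCHANGE.get(xchg, str(xchg)),
                "msg_id": msg_id, "length": length, "response": bool(flags & 0x20)}
    if len(payload) >= ESP_HDR.size:
        spi, seq = ESP_HDR.unpack_from(payload)
        if spi:                        # SPI 0 is reserved, so a zero word can only be the IKE marker
            return {"kind": "esp", "spi": spi, "seq": seq, "length": len(payload)}
    return {"kind": "unknown", "length": len(payload)}


def summarize(payloads) -> dict:
    """Count datagrams per kind; a tunnel that carries user traffic must show 'esp' here."""
    return dict(Counter(classify_natt_payload(p)["kind"] for p in payloads))


# --- constructed sample capture (not real traffic) ---------------------------------
def esp_datagram(spi: int, seq: int, body: bytes) -> bytes:
    return ESP_HDR.pack(spi, seq) + body                      # body stands in for IV+ciphertext+ICV


def ike_datagram(exchange: int, msg_id: int, flags: int, body: bytes) -> bytes:
    hdr = IKE_HDR.pack(0x1122334455667788, 0x99AABBCCDDEEFF00, 46, 0x20, exchange, flags, msg_id,
                       IKE_HDR.size + len(body))              # next payload 46 = SK, version 2.0
    return NON_ESP_MARKER + hdr + body


SAMPLE_CAPTURE = [
    KEEPALIVE,
    ike_datagram(37, 3, 0x08, bytes(60)),                     # DPD: INFORMATIONAL request, initiator flag
    esp_datagram(0xCFC7C697, 1, bytes(range(96))),            # what the iPad's ping looks like on the wire
    esp_datagram(0xCFC7C697, 2, bytes(range(96))),
    KEEPALIVE,
]

if __name__ == "__main__":
    for p in SAMPLE_CAPTURE:
        print(classify_natt_payload(p))
    print(summarize(SAMPLE_CAPTURE))
```

To apply this on the Pi, run `tcpdump -ni eth0.2500 'udp port 4500 and udp[4:2] > 9 and udp[8:4] != 0'` while pinging from the iPad. If ESP datagrams arrive, the iPad is sending the payload and the problem is after decryption: `ip -s xfrm state` shows per-SA packet counters, `ip xfrm policy` the selectors installed for 10.102.1.1/32, and `sysctl net.ipv4.ip_forward` whether the Pi forwards at all. If nothing but one-byte keepalives shows up, the problem is on the client side.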
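Since both the profile and the log are in the post, the client-side parameters can be checked against what charon actually negotiated. The following added example (not the poster's code) parses a reduced copy of the profile, walking the XML itself rather than using plistlib so that the AuthenticationMethod and PayloadCertificateUUID keys that appear twice in the IKEv2 dict are reported instead of silently collapsed, maps Apple's algorithm names to the tokens charon prints (an assumed mapping; check it against Apple's configuration-profile reference), and compares them with the `selected proposal` and `configured proposals` lines. It also flags the cleartext PKCS#12 password in the profile and the MODP_1024 groups the server still offers. The embedded profile text and log lines are constructed, reduced copies of those in the post.

```python
"""Lint an iOS IKEv2 .mobileconfig and cross-check it against charon's proposal log lines.
Added example, not code from the original post. PROFILE_XML and CHARON_LOG are constructed,
reduced copies of what the post shows; ENC/INTEG/DH are my assumed Apple-to-charon name tables.
"""
import re
import xml.etree.ElementTree as ET

PROFILE_XML = """<plist version="1.0"><array>
<dict>
  <key>PayloadType</key><string>com.apple.vpn.managed</string>
  <key>IKEv2</key><dict>
    <key>AuthenticationMethod</key><string>Certificate</string>
    <key>PayloadCertificateUUID</key><string>7d35ed5d-5f97-55c8-b668-254fe57e26d4</string>
    <key>RemoteAddress</key><string>vpn.site2.example.com</string>
    <key>AuthenticationMethod</key><string>Certificate</string>
    <key>PayloadCertificateUUID</key><string>7d35ed5d-5f97-55c8-b668-254fe57e26d4</string>
    <key>IKESecurityAssociationParameters</key><dict>
      <key>EncryptionAlgorithm</key><string>AES-128</string> <key>IntegrityAlgorithm</key><string>SHA1-96</string>
      <key>DiffieHellmanGroup</key><integer>14</integer></dict>
    <key>ChildSecurityAssociationParameters</key><dict>
      <key>EncryptionAlgorithm</key><string>AES-128</string> <key>IntegrityAlgorithm</key><string>SHA1-96</string>
      <key>DiffieHellmanGroup</key><integer>14</integer></dict>
  </dict>
</dict>
<dict>
  <key>PayloadType</key><string>com.apple.security.pkcs12</string>
  <key>PayloadCertificateFileName</key><string>vpn_2.p12</string>
  <key>Password</key><string>veryverylongandcomplexpassword;-)</string>
</dict>
</array></plist>"""
CHARON_LOG = """\
charon: 06[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
charon: 06[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
charon: 05[CFG] configured proposals: ESP:AES_GCM_16_128/ECP_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ
charon: 05[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
"""
# Apple profile values -> tokens charon prints in its proposal lines (assumed mapping).
ENC = {"AES-128": "AES_CBC_128", "AES-256": "AES_CBC_256", "AES-128-GCM": "AES_GCM_16_128",
       "AES-256-GCM": "AES_GCM_16_256", "3DES": "3DES_CBC"}
INTEG = {"SHA1-96": "HMAC_SHA1_96", "SHA2-256": "HMAC_SHA2_256_128",
         "SHA2-384": "HMAC_SHA2_384_192", "SHA2-512": "HMAC_SHA2_512_256"}
DH = {2: "MODP_1024", 5: "MODP_1536", 14: "MODP_2048", 15: "MODP_3072", 16: "MODP_4096",
      19: "ECP_256", 20: "ECP_384", 21: "ECP_521"}
DEPRECATED = {"MODP_1024", "MODP_1536", "3DES_CBC", "HMAC_SHA1_96"}   # being phased out (RFC 8247)
PROPOSAL_RE = re.compile(r"(received|configured|selected) proposals?: (.*)$")


def plist_value(node, dups, path="/"):
    """plist XML -> Python. Unlike plistlib, a repeated <key> in one <dict> is recorded in dups."""
    if node.tag == "dict":
        out, kids = {}, list(node)
        for i in range(0, len(kids), 2):
            key = kids[i].text
            if key in out:
                dups.append(path + key)
            out[key] = plist_value(kids[i + 1], dups, f"{path}{key}/")
        return out
    if node.tag == "array":
        return [plist_value(c, dups, f"{path}[{i}]/") for i, c in enumerate(node)]
    return int(node.text) if node.tag == "integer" else (node.text or "").strip()


def parse_charon(lines):
    """-> {("selected"|"received"|"configured", "IKE"|"ESP"): [set(tokens), ...]}"""
    found = {}
    for line in lines:
        m = PROPOSAL_RE.search(line)
        if m:
            for prop in m.group(2).split(", "):
                proto, algs = prop.split(":", 1)
                found.setdefault((m.group(1), proto), []).append(set(algs.split("/")))
    return found


def lint(profile_xml, log_lines):
    dups, findings = [], []
    payloads = plist_value(ET.fromstring(profile_xml).find("array"), dups)
    findings += [f"duplicate key {d} in profile" for d in dups]
    for p in payloads:
        if p.get("PayloadType") == "com.apple.security.pkcs12" and "Password" in p:
            findings.append(f"PKCS#12 {p['PayloadCertificateFileName']}: password is cleartext in the profile "
                            "beside the key it protects; deliver the profile signed and encrypted, or omit "
                            "Password so the device prompts for it on install")
    ikev2 = next(p for p in payloads if p.get("PayloadType") == "com.apple.vpn.managed")["IKEv2"]
    neg = parse_charon(log_lines)
    for proto, section in (("IKE", "IKESecurityAssociationParameters"),
                           ("ESP", "ChildSecurityAssociationParameters")):
        sa, group = ikev2[section], DH[ikev2[section]["DiffieHellmanGroup"]]
        want = {ENC[sa["EncryptionAlgorithm"]], INTEG[sa["IntegrityAlgorithm"]], group}
        selected = neg.get(("selected", proto), [set()])[0]
        missing = want - selected
        if proto == "ESP" and missing == {group}:
            findings.append(f"ESP: {group} is not in the selected child proposal, which is expected: the "
                            "child SA set up inside IKE_AUTH has no KE payload, so the group (PFS) only "
                            "applies at CREATE_CHILD_SA rekeys")
        elif missing:
            findings.append(f"{proto}: profile wants {sorted(want)}, charon selected {sorted(selected)}")
        for alg in sorted(want & DEPRECATED):
            findings.append(f"{proto}: client profile pins deprecated {alg}")
    offered = set().union(*neg.get(("configured", "IKE"), []), *neg.get(("configured", "ESP"), []))
    if offered & DEPRECATED:
        findings.append(f"server ike=/esp= lists still offer {sorted(offered & DEPRECATED)}")
    return findings


def lint_page_sample():
    return lint(PROFILE_XML, CHARON_LOG.splitlines())
```

Two of the findings are worth reading together with the log in the post: the iPad only ever proposes the single transform set the profile pins, so the long `ike=`/`esp=` lists on the server matter only as a lower bound, and the entries ending in modp1024 can be dropped without affecting this client. The missing group in the ESP proposal is not a misconfiguration: the CHILD_SA created inside IKE_AUTH is keyed from the IKE SA, and the ChildSecurityAssociationParameters group is first used at rekey.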
