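I have a problem that I have not been able to solve for the last few days. I have installed StrongSWAN on a Raspberry Pi with Raspbian (Debian GNU/Linux 7.11 (wheezy) / Linux 4.1.19-v7+ armv7l). openVPN is also running on this Pi. The subnets are separated by VLANs (with IEEE 802.1q tagging).
The goal is to connect my iPad to my LAN from anywhere, as I already do with my laptop via openVPN. The tunnel comes up and everything looks fine, but traffic does not work. Once the tunnel is up, I can no longer reach any IP. (I do not want to use split tunneling at this point.) The iPad routing table looks fine: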
Dest IP/Prefix Gateway IFace
0.0.0.0/0 link#8 ipsec0
0.0.0.0/0 192.168.99.1 (local Gw) en0
10.2.200.254 link#8 ipsec0
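The router itself has no DROP chains in iptables and no manual rules. When I ping from the iPad, I see no traffic from the public source IP on the firewall. Only keepalives (UDP/500 and UDP/4500). So to me it looks as if the iPad is not sending the payload properly.
200.0.0.1 is the dynamic public IP of the remote client.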
/etc/ipsec.conf
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"

conn %default
    keyexchange=ikev2
    ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha1-modp1536,aes256-sha384-modp2048,aes2$
    esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp4096,aes256-sha256-modp4096,aes256-sha1-modp4096,aes128-sha256-modp1536,aes128-sha$
    dpdaction=clear
    dpddelay=300s
    left=%any
    leftsubnet=0.0.0.0/0
    leftcert=vpnHostCert.pem
    leftid="vpn.site2.example.com"
    leftsendcert=always
    lefthostaccess=yes
    right=%any
    rightdns=10.2.200.254
    rightid="*@site02.example.com"
    rightsourceip=10.102.1.0/24
    righthostaccess=yes

conn IPSec-IKEv2
    auto=add
/var/log/syslog
Oct 13 13:18:02 RTR-200-254 charon: 02[NET] received packet: from 200.0.0.1[1011] to 10.2.250.2[500]
Oct 13 13:18:02 RTR-200-254 charon: 02[NET] waiting for data on sockets
Oct 13 13:18:02 RTR-200-254 charon: 06[NET] received packet: from 200.0.0.1[1011] to 10.2.250.2[500] (432 bytes)
Oct 13 13:18:02 RTR-200-254 charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(REDIR_SUP) N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) ]
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] looking for an ike config for 10.2.250.2...200.0.0.1
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] candidate: %any...%any, prio 28
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] found matching ike config: %any...%any with prio 28
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] 200.0.0.1 is initiating an IKE_SA
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] no acceptable PSEUDO_RANDOM_FUNCTION found
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] proposal matches
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] configured proposals: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/ECP_384, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_4096, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_4096, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048, IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1536, IKE:AES_CBC_256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_1024, IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1024, IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Oct 13 13:18:02 RTR-200-254 charon: 06[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] local host is behind NAT, sending keep alives
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] remote host is behind NAT
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] sending cert request for "C=DE, O=Example, CN=Example IPSec CA"
Oct 13 13:18:02 RTR-200-254 charon: 06[IKE] sending cert request for "CN=ca.vpn.site02.example.com, ST=NDS, L=Somewhere, OU=IT, O=Example, C=DE, [email protected]"
Oct 13 13:18:02 RTR-200-254 charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
Oct 13 13:18:02 RTR-200-254 charon: 06[NET] sending packet: from 10.2.250.2[500] to 200.0.0.1[1011] (485 bytes)
Oct 13 13:18:02 RTR-200-254 charon: 03[NET] sending packet: from 10.2.250.2[500] to 200.0.0.1[1011]
Oct 13 13:18:02 RTR-200-254 charon: 02[NET] received packet: from 200.0.0.1[64916] to 10.2.250.2[4500]
Oct 13 13:18:02 RTR-200-254 charon: 02[NET] waiting for data on sockets
Oct 13 13:18:02 RTR-200-254 charon: 05[NET] received packet: from 200.0.0.1[64916] to 10.2.250.2[4500] (1804 bytes)
Oct 13 13:18:02 RTR-200-254 charon: 05[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) N(MOBIKE_SUP) IDr AUTH CERT CPRQ(ADDR DHCP DNS MASK ADDR6 DHCP6 DNS6) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) SA TSi TSr ]
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] received end entity cert "C=DE, O=Example, [email protected]"
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] looking for peer configs matching 10.2.250.2[vpn.site02.example.com]...200.0.0.1[[email protected]]
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] candidate "IPSec-IKEv2", match: 20/19/28 (me/other/ike)
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selected peer config 'IPSec-IKEv2'
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] using certificate "C=DE, O=Example, [email protected]"
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] certificate "C=DE, O=Example, [email protected]" key: 2048 bit RSA
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] using trusted ca certificate "C=DE, O=Example, CN=Example IPSec CA"
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] checking certificate status of "C=DE, O=Example, [email protected]"
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] ocsp check skipped, no ocsp found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] certificate status is not available
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] certificate "C=DE, O=Example, CN=Example IPSec CA" key: 4096 bit RSA
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] reached self-signed root ca with a path length of 0
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] authentication of '[email protected]' with RSA signature successful
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP4_ADDRESS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP4_DHCP attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP4_DNS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP4_NETMASK attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP6_ADDRESS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP6_DHCP attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] processing INTERNAL_IP6_DNS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] peer supports MOBIKE
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] authentication of 'vpn.site02.example.com' (myself) with RSA signature successful
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] IKE_SA IPSec-IKEv2[2] established between 10.2.250.2[vpn.site02.example.com]...200.0.0.1[[email protected]]
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] IKE_SA IPSec-IKEv2[2] state change: CONNECTING => ESTABLISHED
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] scheduling reauthentication in 9849s
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] maximum IKE_SA lifetime 10389s
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] sending end entity cert "C=DE, O=Example, CN=vpn.site02.example.com"
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] peer requested virtual IP %any
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] reassigning offline lease to '[email protected]'
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] assigning virtual IP 10.102.1.1 to peer '[email protected]'
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] peer requested virtual IP %any6
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] no virtual IP found for %any6 requested by '[email protected]'
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] building INTERNAL_IP4_DNS attribute
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] looking for a child config for 0.0.0.0/0 ::/0 === 0.0.0.0/0 ::/0
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] proposing traffic selectors for us:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] 0.0.0.0/0
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] proposing traffic selectors for other:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] 10.102.1.1/32
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] candidate "IPSec-IKEv2" with prio 10+2
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] found matching child config "IPSec-IKEv2" with prio 12
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] no acceptable INTEGRITY_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] no acceptable ENCRYPTION_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] no acceptable INTEGRITY_ALGORITHM found
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting proposal:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] proposal matches
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] received proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] configured proposals: ESP:AES_GCM_16_128/ECP_256/NO_EXT_SEQ, ESP:AES_GCM_16_256/ECP_384/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/ECP_256/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/ECP_384/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_4096/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_2048/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1536/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/MODP_1024/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/MODP_1024/NO_EXT_SEQ, ESP:AES_GCM_16_128/NO_EXT_SEQ, ESP:AES_GCM_16_256/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_384_192/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA2_256_128/NO_EXT_SEQ, ESP:AES_CBC_256/HMAC_SHA1_96/NO_EXT_SEQ
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting traffic selectors for us:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] config: 0.0.0.0/0, received: 0.0.0.0/0 => match: 0.0.0.0/0
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] config: 0.0.0.0/0, received: ::/0 => no match
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] selecting traffic selectors for other:
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] config: 10.102.1.1/32, received: 0.0.0.0/0 => match: 10.102.1.1/32
Oct 13 13:18:02 RTR-200-254 charon: 05[CFG] config: 10.102.1.1/32, received: ::/0 => no match
Oct 13 13:18:02 RTR-200-254 charon: 05[IKE] CHILD_SA IPSec-IKEv2{2} established with SPIs cfc7c697_i 09e87caf_o and TS 0.0.0.0/0 === 10.102.1.1/32
Oct 13 13:18:02 RTR-200-254 charon: 05[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH CPRP(ADDR DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Oct 13 13:18:02 RTR-200-254 charon: 05[NET] sending packet: from 10.2.250.2[4500] to 200.0.0.1[64916] (1772 bytes)
Oct 13 13:18:02 RTR-200-254 charon: 03[NET] sending packet: from 10.2.250.2[4500] to 200.0.0.1[64916]
iptables-save
# Generated by iptables-save v1.4.14 on Thu Oct 13 13:25:44 2016
*nat
:PREROUTING ACCEPT [333:25621]
:INPUT ACCEPT [104:10720]
:OUTPUT ACCEPT [1264:104724]
:POSTROUTING ACCEPT [1493:119625]
COMMIT
# Completed on Thu Oct 13 13:25:44 2016
# Generated by iptables-save v1.4.14 on Thu Oct 13 13:25:44 2016
*filter
:INPUT ACCEPT [22151:4547969]
:FORWARD ACCEPT [7303:2080414]
:OUTPUT ACCEPT [22707:4537290]
COMMIT
# Completed on Thu Oct 13 13:25:44 2016
iptables
eth0 Link encap:Ethernet Hardware Adresse 11:22:33:44:55:66
inet Adresse:10.2.0.254 Bcast:10.2.0.255 Maske:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:507930 errors:0 dropped:0 overruns:0 frame:0
TX packets:510583 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:1000
RX bytes:436916075 (416.6 MiB) TX bytes:448900377 (428.1 MiB)
eth0.10 Link encap:Ethernet Hardware Adresse 11:22:33:44:55:66
inet Adresse:10.2.10.254 Bcast:10.2.10.255 Maske:255.255.255.0
UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metrik:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:1818 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:0 (0.0 B) TX bytes:497281 (485.6 KiB)
eth0.11 Link encap:Ethernet Hardware Adresse 11:22:33:44:55:66
inet Adresse:10.2.11.254 Bcast:10.2.11.255 Maske:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:5857 errors:0 dropped:0 overruns:0 frame:0
TX packets:4833 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:1402095 (1.3 MiB) TX bytes:760454 (742.6 KiB)
eth0.20 Link encap:Ethernet Hardware Adresse 11:22:33:44:55:66
inet Adresse:10.2.20.254 Bcast:10.2.20.255 Maske:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:1236 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:0 (0.0 B) TX bytes:472837 (461.7 KiB)
eth0.51 Link encap:Ethernet Hardware Adresse 11:22:33:44:55:66
inet Adresse:10.2.51.254 Bcast:10.2.51.255 Maske:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:472 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:0 (0.0 B) TX bytes:36720 (35.8 KiB)
eth0.100 Link encap:Ethernet Hardware Adresse 11:22:33:44:55:66
inet Adresse:10.2.100.254 Bcast:10.2.100.255 Maske:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:180916 errors:0 dropped:0 overruns:0 frame:0
TX packets:277135 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:52955753 (50.5 MiB) TX bytes:368243511 (351.1 MiB)
eth0.110 Link encap:Ethernet Hardware Adresse 11:22:33:44:55:66
inet Adresse:10.2.110.254 Bcast:10.2.110.255 Maske:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:507 errors:0 dropped:0 overruns:0 frame:0
TX packets:1713 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:92936 (90.7 KiB) TX bytes:526225 (513.8 KiB)
eth0.150 Link encap:Ethernet Hardware Adresse 11:22:33:44:55:66
inet Adresse:10.2.150.254 Bcast:10.2.150.255 Maske:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
eth0.200 Link encap:Ethernet Hardware Adresse 11:22:33:44:55:66
inet Adresse:10.2.200.254 Bcast:10.2.200.255 Maske:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:4945 errors:0 dropped:0 overruns:0 frame:0
TX packets:6059 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:596764 (582.7 KiB) TX bytes:2019159 (1.9 MiB)
eth0.2500 Link encap:Ethernet Hardware Adresse 11:22:33:44:55:66
inet Adresse:10.2.250.2 Bcast:10.2.250.3 Maske:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metrik:1
RX packets:313144 errors:0 dropped:0 overruns:0 frame:0
TX packets:217317 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:379718967 (362.1 MiB) TX bytes:70217194 (66.9 MiB)
lo Link encap:Lokale Schleife
inet Adresse:127.0.0.1 Maske:255.0.0.0
UP LOOPBACK RUNNING MTU:65536 Metrik:1
RX packets:27589 errors:0 dropped:0 overruns:0 frame:0
TX packets:27589 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:0
RX bytes:3368330 (3.2 MiB) TX bytes:3368330 (3.2 MiB)
tun0 Link encap:UNSPEC Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet Adresse:10.100.12.2 P-z-P:10.100.12.1 Maske:255.255.255.255
UP PUNKTZUPUNKT RUNNING NOARP MULTICAST MTU:1500 Metrik:1
RX packets:19147 errors:0 dropped:0 overruns:0 frame:0
TX packets:19569 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:100
RX bytes:3915884 (3.7 MiB) TX bytes:2446854 (2.3 MiB)
tun1 Link encap:UNSPEC Hardware Adresse 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet Adresse:10.102.0.1 P-z-P:10.102.0.2 Maske:255.255.255.255
UP PUNKTZUPUNKT RUNNING NOARP MULTICAST MTU:1500 Metrik:1
RX packets:11134 errors:0 dropped:0 overruns:0 frame:0
TX packets:11398 errors:0 dropped:0 overruns:0 carrier:0
Kollisionen:0 Sendewarteschlangenlänge:100
RX bytes:2738720 (2.6 MiB) TX bytes:7083263 (6.7 MiB)
Any ideas?
Edit 2016-10-14 10:37 CEST:
Relevant part of iPMC.mobileconfig
<dict>
<key>PayloadDescription</key>
<string>VPN-Setup for site2.example.com_IPSec</string>
<key>PayloadDisplayName</key>
<string>VPN-Config site2.example.com_IPSec</string>
<key>PayloadIdentifier</key>
<string>com.example.admin.JohnDoe.vpn.2.config</string>
<key>PayloadType</key>
<string>com.apple.vpn.managed</string>
<key>PayloadUUID</key>
<string>87c9ece2-3e6b-56a4-8bed-2f4cba277d93</string>
<key>PayloadVersion</key>
<real>1</real>
<key>UserDefinedName</key>
<string>site2.example.com_IPSec</string>
<key>VPNType</key>
<string>IKEv2</string>
<key>IKEv2</key>
<dict>
<key>AuthenticationMethod</key>
<string>Certificate</string>
<key>PayloadCertificateUUID</key>
<string>7d35ed5d-5f97-55c8-b668-254fe57e26d4</string>
<key>RemoteAddress</key>
<string>vpn.site2.example.com</string>
<key>RemoteIdentifier</key>
<string>vpn.site2.example.com</string>
<key>LocalIdentifier</key>
<string>[email protected]</string>
<key>AuthenticationMethod</key>
<string>Certificate</string>
<key>ExtendedAuthEnabled</key>
<integer>0</integer>
<key>PayloadCertificateUUID</key>
<string>7d35ed5d-5f97-55c8-b668-254fe57e26d4</string>
<key>OnDemandEnabled</key>
<integer>0</integer>
<key>IKESecurityAssociationParameters</key>
<dict>
<key>EncryptionAlgorithm</key>
<string>AES-128</string>
<key>IntegrityAlgorithm</key>
<string>SHA1-96</string>
<key>DiffieHellmanGroup</key>
<integer>14</integer>
</dict>
<key>ChildSecurityAssociationParameters</key>
<dict>
<key>EncryptionAlgorithm</key>
<string>AES-128</string>
<key>IntegrityAlgorithm</key>
<string>SHA1-96</string>
<key>DiffieHellmanGroup</key>
<integer>14</integer>
</dict>
</dict>
<key>IPv4</key>
<dict>
<key>OverridePrimary</key>
<integer>1</integer>
</dict>
</dict>
<dict>
<key>PayloadDisplayName</key>
<string>VPN-CA-Certificate</string>
<key>PayloadDescription</key>
<string>Setup of a VPN-CA-Certificate</string>
<key>PayloadIdentifier</key>
<string>com.example.admin.JohnDoe.vpn.2.cacertificate</string>
<key>PayloadType</key>
<string>com.apple.security.root</string>
<key>PayloadUUID</key>
<string>0b541041-c649-5563-adf9-2d56ed801ad3</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadCertificateFileName</key>
<string>vpn_2_ca.crt</string>
<key>PayloadContent</key>
<data>
XX0xXX0XXXxXXxXXXXXXXXXXX0XXXX0xXX0xXx0XXXXXXXXXXXx0
X0X0XXXXX0xXXxxXx0XxXX0XX0X0XXXXXxxxXxxxxxXXXXXXXxXX
XXxXXXXXXXXxX0XxXXXXXxxXX0XXXXxXxxXXXxxXXxXXx0XXx0xx
[... cut away ...]
x0xXXXx0xXXXxXxXxXxXXXxXXxx0xXXxXx0XXxXXXXXxXxxXxXXx
XXXXXXx0X0X0xXx0x0XXXxXXXxX0XXXxXxxxXXxxxXxXXxx0XX0X
XxXxXxxxxX0XXXXXXXXXx0xXXXX0X0XxXxX0Xx0xXX0xXX0XXXXX
XxXXXxxXXXXXXX0xXX0X
</data>
</dict>
<dict>
<key>PayloadDisplayName</key>
<string>VPN-Client-Certificate</string>
<key>PayloadDescription</key>
<string>Setup of a Client-Certificate</string>
<key>PayloadIdentifier</key>
<string>com.example.admin.JohnDoe.vpn.2.certificate</string>
<key>PayloadType</key>
<string>com.apple.security.pkcs12</string>
<key>PayloadUUID</key>
<string>7d35ed5d-5f97-55c8-b668-254fe57e26d4</string>
<key>PayloadVersion</key>
<integer>1</integer>
<key>PayloadCertificateFileName</key>
<string>vpn_2.p12</string>
<key>Password</key>
<string>veryverylongandcomplexpassword;-)</string>
<key>PayloadContent</key>
<data>
YYYYyYYYYyYYYYYYYYyYYYy8YYYYYyYYYYYYyyY/YYYYyyYYYyyY
YYyYYYy8YYYYYyYYYyyyyyyyYyYYYYYY8YYYYyYYyyyYYYyYYYyY
YyyYYYy8YYYYYYYyYyYYyyyYYYYYYyYYYyyYyYYYyYYYYy+8yYy8
[... cut away ...]
YYyy8YYyyYyY8yYYYyyyYYy8yyY8YYyYYYyYYYy8YYYYYYYyYyyY
YyYyYY8YYyYyYYYYYyYYYY8YYYYYYYYYyyY8YYyYYyYyYYYYYYY8
YYYyYYYyYYyYYYyYYyYyYYYYYYyyYYy//Yy8yYYY8/8Y8y88yYY/
YYy8y8YyyYY8yYYYYYY=
</data>
</dict>
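
An added diagnostic sketch, not part of the original post: the log shows both peers behind NAT and IKE moving to port 4500, so ESP is UDP-encapsulated on the same port as the NAT keepalives (RFC 3948), and a port filter alone cannot tell them apart. The Python below classifies UDP/4500 payloads into keepalive, IKE and ESP; the capture, the helper names and the dummy IKE SPIs are constructed for illustration.

```python
import struct
from collections import Counter

# IKEv2 exchange types, RFC 7296 section 3.1
IKE_EXCHANGES = {34: "IKE_SA_INIT", 35: "IKE_AUTH",
                 36: "CREATE_CHILD_SA", 37: "INFORMATIONAL"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948 section 2.2
IKE_HEADER_LEN = 28


def classify(payload):
    """Classify one UDP/4500 payload as (kind, detail) per RFC 3948."""
    if payload == b"\xff":                        # one-octet NAT keepalive
        return ("nat-keepalive", None)
    if payload[:4] == NON_ESP_MARKER:             # IKE message follows the marker
        if len(payload) < 4 + IKE_HEADER_LEN:
            return ("malformed", None)
        exchange = payload[4 + 18]                # exchange type octet of IKE header
        return ("ike", IKE_EXCHANGES.get(exchange, "exchange %d" % exchange))
    if len(payload) < 8:
        return ("malformed", None)
    spi, seq = struct.unpack("!II", payload[:8])  # ESP header: SPI, sequence number
    return ("esp", (spi, seq))


def summarize(packets, inbound_spi):
    """Count payload kinds per source and ESP packets carrying inbound_spi.

    packets: iterable of (source_ip, udp_payload_bytes).
    """
    kinds = Counter()
    esp_for_spi = 0
    for src, payload in packets:
        kind, detail = classify(payload)
        kinds[(src, kind)] += 1
        if kind == "esp" and detail[0] == inbound_spi:
            esp_for_spi += 1
    return {"kinds": dict(kinds), "esp_for_inbound_spi": esp_for_spi}


def ike_message(exchange):
    """Build a constructed, header-only IKEv2 message behind the non-ESP marker."""
    header = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x22" * 8,
                         46, 0x20, exchange, 0x08, 2, IKE_HEADER_LEN)
    return NON_ESP_MARKER + header


# "cfc7c697_i" in the CHILD_SA log line: the SPI on ESP packets the gateway receives
GATEWAY_INBOUND_SPI = 0xCFC7C697
CLIENT, GATEWAY = "200.0.0.1", "10.2.250.2"

# Constructed capture: keepalives and one IKE message, no ESP from the client
SAMPLE = [
    (CLIENT, b"\xff"),
    (CLIENT, ike_message(37)),
    (GATEWAY, b"\xff"),
    (CLIENT, b"\xff"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE, GATEWAY_INBOUND_SPI))
```

A count of zero for the inbound SPI means no encapsulated ESP from the client reached the capture point; a non-zero count means payload is arriving and the investigation moves to the gateway side.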