I pay for a VPS from a Xen VPS host and the load on it is fairly light, so I want to run a VPN from it. The configuration I'm shooting for is "roadwarrior" style, because I want to use it to secure my iPhone's and Mac's connections when I'm away from home. Keep in mind that I'm a programmer, not a sysadmin, so all of this is fairly foreign to me.
After failing to get a StrongSWAN / PPP / xL2TP setup working, I came across racoon, which seemed like a very simple option. I'm trying to avoid using certificates, because getting certificates onto an iOS device is probably annoying (just a guess). So I configured racoon on the VPS such that I can connect to it successfully and authenticate via XAUTH backed by the system user database. All of that seems to be working; it's the NAT / networking stuff that doesn't work, and I'm completely out of my element there.
My VPS is running Ubuntu 10.10. I get the following output from ifconfig (I'm guessing it might be relevant):
```
eth0      Link encap:Ethernet  HWaddr 00:16:3e:4a:7f:29
          inet addr:69.172.231.11  Bcast:69.172.231.63  Mask:255.255.255.192
          inet6 addr: fe80::216:3eff:fe4a:7f29/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5234214 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2417090 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:553246281 (553.2 MB)  TX bytes:5237753987 (5.2 GB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1577698 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1577698 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
```
Here is my racoon config file:
```
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

timer {
    natt_keepalive 10sec;
}

remote anonymous {
    exchange_mode main,aggressive,base;
    doi ipsec_doi;
    situation identity_only;
    nat_traversal on;
    script "/etc/racoon/phase1-up.sh" phase1_up;
    script "/etc/racoon/phase1-down.sh" phase1_down;
    generate_policy on;
    ike_frag on;
    passive on;
    my_identifier address 69.172.231.11;
    peers_identifier fqdn "zcr.me";
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method xauth_psk_server;
        dh_group 2;
    }
    proposal_check claim;
}

sainfo anonymous {
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

mode_cfg {
    auth_source system;
    save_passwd on;
    network4 10.1.0.0;
    pool_size 100;
}
```
This config has been pieced together from various tutorials around the web, so it may be... strange. When I connect to the VPN, I get the following output on the client:
```
4/12/11 2:21:43 PM racoon[191] Connecting.
4/12/11 2:21:43 PM racoon[191] IKE Packet: transmit success. (Initiator,Aggressive-Mode message 1).
4/12/11 2:21:43 PM racoon[191] IKEv1 Phase1 AUTH: success. (Initiator,Aggressive-Mode Message 2).
4/12/11 2:21:43 PM racoon[191] IKE Packet: receive success. (Initiator,Aggressive-Mode message 2).
4/12/11 2:21:43 PM racoon[191] IKEv1 Phase1 Initiator: success. (Initiator,Aggressive-Mode).
4/12/11 2:21:43 PM racoon[191] IKE Packet: transmit success. (Initiator,Aggressive-Mode message 3).
4/12/11 2:21:46 PM racoon[191] IKE Packet: transmit success. (Mode-Config message).
4/12/11 2:21:46 PM racoon[191] IKEv1 XAUTH: success. (XAUTH Status is OK).
4/12/11 2:21:46 PM racoon[191] IKE Packet: transmit success. (Mode-Config message).
4/12/11 2:21:46 PM racoon[191] IKEv1 Config: retransmited. (Mode-Config retransmit).
4/12/11 2:21:46 PM racoon[191] IKE Packet: receive success. (MODE-Config).
4/12/11 2:21:46 PM racoon[191] IKE Packet: transmit success. (Initiator,Quick-Mode message 1).
4/12/11 2:21:46 PM racoon[191] IKE Packet: receive success. (Initiator,Quick-Mode message 2).
4/12/11 2:21:46 PM racoon[191] IKE Packet: transmit success. (Initiator,Quick-Mode message 3).
4/12/11 2:21:46 PM racoon[191] IKEv1 Phase2 Initiator: success. (Initiator,Quick-Mode).
4/12/11 2:22:03 PM racoon[191] IKE Packet: transmit success. (Information message).
4/12/11 2:22:03 PM racoon[191] IKEv1 Information-Notice: transmit success. (R-U-THERE?).
4/12/11 2:22:03 PM racoon[191] IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
4/12/11 2:22:04 PM racoon[191] IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
4/12/11 2:22:04 PM racoon[191] IKE Packet: receive success. (Information message).
4/12/11 2:22:04 PM racoon[191] IKE Packet: transmit success. (Information message).
4/12/11 2:22:04 PM racoon[191] IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
4/12/11 2:22:04 PM racoon[191] IKE Packet: transmit success. (Information message).
4/12/11 2:22:04 PM racoon[191] IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).
```
```
Apr 12 13:20:20 Zaccaro racoon: INFO: respond new phase 1 negotiation: SERVER.IP.ADDRESS[500]<=>CLIENT.IP.ADDRESS[500]
Apr 12 13:20:20 Zaccaro racoon: INFO: begin Aggressive mode.
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: RFC 3947
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: CISCO-UNITY
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: DPD
Apr 12 13:20:20 Zaccaro racoon: WARNING: No ID match.
Apr 12 13:20:20 Zaccaro racoon: INFO: Selected NAT-T version: RFC 3947
Apr 12 13:20:20 Zaccaro racoon: INFO: Adding remote and local NAT-D payloads.
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing CLIENT.IP.ADDRESS[500] with algo #2
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing SERVER.IP.ADDRESS[500] with algo #2
Apr 12 13:20:20 Zaccaro racoon: INFO: Adding xauth VID payload.
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-T: ports changed to: SERVER.IP.ADDRESS[32768]<->CLIENT.IP.ADDRESS[4500]
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing SERVER.IP.ADDRESS[4500] with algo #2
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-D payload #0 verified
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing CLIENT.IP.ADDRESS[32768] with algo #2
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-D payload #1 doesn't match
Apr 12 13:20:20 Zaccaro racoon: WARNING: ignore INITIAL-CONTACT notification,because it is only accepted after phase1.
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT detected: PEER
Apr 12 13:20:20 Zaccaro racoon: INFO: Sending Xauth request
Apr 12 13:20:20 Zaccaro racoon: INFO: ISAKMP-SA established SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
Apr 12 13:20:23 Zaccaro racoon: INFO: Using port 0
Apr 12 13:20:23 Zaccaro racoon: INFO: login succeeded for user "username"
Apr 12 13:20:23 Zaccaro racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Apr 12 13:20:23 Zaccaro racoon: WARNING: Ignored attribute 28683
Apr 12 13:20:23 Zaccaro racoon: INFO: unsupported PF_KEY message REGISTER
Apr 12 13:20:23 Zaccaro racoon: INFO: respond new phase 2 negotiation: SERVER.IP.ADDRESS[4500]<=>CLIENT.IP.ADDRESS[32768]
Apr 12 13:20:23 Zaccaro racoon: INFO: no policy found,try to generate the policy : 10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 12 13:20:23 Zaccaro racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Apr 12 13:20:23 Zaccaro racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Apr 12 13:20:23 Zaccaro racoon: INFO: IPsec-SA established: ESP/Tunnel CLIENT.IP.ADDRESS[32768]->SERVER.IP.ADDRESS[4500] spi=141535132(0x86fa79c)
Apr 12 13:20:23 Zaccaro racoon: INFO: IPsec-SA established: ESP/Tunnel SERVER.IP.ADDRESS[4500]->CLIENT.IP.ADDRESS[32768] spi=48270910(0x2e08e3e)
Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=in"
Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=fwd"
Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 10.1.0.0/32[0] proto=any dir=out"
Apr 12 13:20:40 Zaccaro racoon: INFO: generated policy,deleting it.
Apr 12 13:20:40 Zaccaro racoon: INFO: purged IPsec-SA proto_id=ESP spi=48270910.
Apr 12 13:20:40 Zaccaro racoon: INFO: ISAKMP-SA expired SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
Apr 12 13:20:41 Zaccaro racoon: INFO: ISAKMP-SA deleted SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
Apr 12 13:20:41 Zaccaro racoon: INFO: Released port 0
Apr 12 13:20:41 Zaccaro racoon: INFO: unsupported PF_KEY message REGISTER
Apr 12 13:21:02 Zaccaro sm-msp-queue[23481]: unable to qualify my own domain name (Zaccaro) -- using short name
```
I think part of the problem may stem from the phase1-up and phase1-down scripts.
phase1-up.sh:
```bash
#!/bin/bash
# Run by racoon on phase1_up. racoon exports LOCAL_ADDR (this server),
# REMOTE_ADDR (the client's public address) and INTERNAL_ADDR4 (the address
# mode_cfg handed to the client) into the script's environment.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

# Install SPD entries for traffic between 192.168.1.0/24 and the client's
# tunnel address, tunnelled between the NAT-T ports (4500) of both peers.
echo "
spdadd 192.168.1.0/24 ${INTERNAL_ADDR4}/32 any -P out ipsec esp/tunnel/${LOCAL_ADDR}[4500]-${REMOTE_ADDR}[4500]/require;
spdadd ${INTERNAL_ADDR4}/32 192.168.1.0/24 any -P in ipsec esp/tunnel/${REMOTE_ADDR}[4500]-${LOCAL_ADDR}[4500]/require;
" | setkey -c
```
phase1-down.sh:
```bash
#!/bin/bash
# Run by racoon on phase1_down: flush the ESP SAs for this peer and remove
# the SPD entries installed by phase1-up.sh. Note that the spdadd lines in
# phase1-up.sh carry [4500] on the tunnel endpoints; these spddelete lines do not.
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

echo "
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
spddelete 192.168.1.0/24[any] ${INTERNAL_ADDR4}[any] any -P out ipsec esp/tunnel/${LOCAL_ADDR}-${REMOTE_ADDR}/require;
spddelete ${INTERNAL_ADDR4}[any] 192.168.1.0/24[any] any -P in ipsec esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require;
" | setkey -c
```
All of that happens, and the client says it has connected successfully with IP address 10.1.0.0. At that point, any attempt to connect to the internet fails immediately. That is the problem.
EDIT: here is some more diagnostic information.
When I'm connected to the VPN, pinging the VPS's public IP address succeeds. However, pinging 8.8.8.8 (the DNS server the VPN is set up to use by default) times out. As a result, hostnames can't be resolved at all.
Second EDIT:
```
» route -nv
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
69.172.231.0    0.0.0.0         255.255.255.192 U     0      0        0 eth0
0.0.0.0         69.172.231.1    0.0.0.0         UG    0      0        0 eth0
» iptables -L -nv
Chain INPUT (policy ACCEPT 49270 packets, 6376K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 42570 packets, 8573K bytes)
 pkts bytes target     prot opt in     out     source               destination
```
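As an added illustration, not from the original post or from the racoon project: this Python script runs over a constructed excerpt of the server-side log above and relates it to the mode_cfg values and the phase1-up.sh selector from the post. It assumes that racoon's mode_cfg pool starts at network4 and counts upward, and keeps the SERVER.IP.ADDRESS / CLIENT.IP.ADDRESS placeholders as posted.

```python
import ipaddress
import re

# Constructed excerpt of the server-side racoon syslog from the post; the
# SERVER.IP.ADDRESS / CLIENT.IP.ADDRESS placeholders are kept as posted.
SAMPLE_LOG = """\
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT detected: PEER
Apr 12 13:20:23 Zaccaro racoon: INFO: login succeeded for user "username"
Apr 12 13:20:23 Zaccaro racoon: INFO: no policy found,try to generate the policy : 10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 12 13:20:23 Zaccaro racoon: INFO: IPsec-SA established: ESP/Tunnel CLIENT.IP.ADDRESS[32768]->SERVER.IP.ADDRESS[4500] spi=141535132(0x86fa79c)
Apr 12 13:20:23 Zaccaro racoon: INFO: IPsec-SA established: ESP/Tunnel SERVER.IP.ADDRESS[4500]->CLIENT.IP.ADDRESS[32768] spi=48270910(0x2e08e3e)
Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=in"
"""
# In the generated dir=in policy, src is the client's tunnel address, dst its traffic selector.
POLICY_RE = re.compile(r"generate the policy : (\S+)\[\d+\] (\S+)\[\d+\] proto=\S+ dir=in")
XAUTH_RE = re.compile(r'login succeeded for user "([^"]+)"')


def parse_racoon_log(log):
    """Extract the facts that decide road-warrior connectivity from racoon's syslog."""
    facts = {"nat_peer": False, "xauth_user": None, "client": None,
             "remote_selector": None, "ipsec_sa": 0, "policy_errors": 0}
    for line in log.splitlines():
        facts["nat_peer"] |= "NAT detected: PEER" in line
        facts["ipsec_sa"] += int("IPsec-SA established" in line)
        facts["policy_errors"] += int("such policy does not already exist" in line)
        if m := XAUTH_RE.search(line):
            facts["xauth_user"] = m.group(1)
        if m := POLICY_RE.search(line):
            facts["client"] = ipaddress.ip_network(m.group(1)).network_address
            facts["remote_selector"] = ipaddress.ip_network(m.group(2))
    return facts


def findings(facts, network4, pool_size, script_selector):
    """Relate the parsed log to the mode_cfg pool and the phase1-up.sh selector."""
    out = []
    # Assumption: mode_cfg hands out network4, network4+1, ..., network4+pool_size-1.
    pool = [ipaddress.ip_address(network4) + i for i in range(pool_size)]
    if facts["client"] == pool[0]:
        out.append(f"client got {facts['client']}, the first pool address (network4 itself), "
                   "which reads as a network address rather than a host address")
    if facts["remote_selector"] == ipaddress.ip_network("0.0.0.0/0"):
        out.append("client tunnels ALL traffic (selector 0.0.0.0/0): the server must forward it "
                   "and NAT the pool out of eth0 (ip_forward + MASQUERADE); neither is shown above")
        if not ipaddress.ip_network(script_selector).supernet_of(facts["remote_selector"]):
            out.append(f"phase1-up.sh only installs SPD entries for {script_selector}, "
                       "which does not cover that selector")
    if facts["policy_errors"]:
        out.append(f"{facts['policy_errors']} 'such policy does not already exist' error(s) logged")
    return out
```

Calling `findings(parse_racoon_log(SAMPLE_LOG), "10.1.0.0", 100, "192.168.1.0/24")` returns the four observations for the configuration in the post.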