Ubuntu上的iOS / Mac兼容IPSec VPN服务器

前端之家收集整理的这篇文章主要介绍了Ubuntu上的iOS / Mac兼容IPSec VPN服务器前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
我从Xen VPS主机支付VPS并且其上的负载相当轻,所以我想从它运行VPN.我正在拍摄的配置是“roadwarrior”风格,因为当我不在家时,我想用它来保护我和iPhone和Mac的连接.请记住,我是程序员,而不是系统管理员,所以这对我来说都是相当陌生的.

在未能使StrongSWAN / PPP / xL2TP设置工作之后,我遇到了racoon,这似乎是一个非常简单的选择.我试图避免使用证书,因为将证书放到iOS设备上的过程可能很烦人(只是一个猜测).因此,我在VPS上配置了racoon,以便我可以成功连接到它并通过系统用户数据库支持的XAUTH进行身份验证.这一切似乎都在起作用,这是NAT /网络的东西,它不起作用,而且我完全不符合我的要素.

我的VPS正在运行Ubuntu 10.10.我从ifconfig得到以下输出(我猜它可能是相关的):

eth0      Link encap:Ethernet  HWaddr 00:16:3e:4a:7f:29  
          inet addr:69.172.231.11  Bcast:69.172.231.63  Mask:255.255.255.192
          inet6 addr: fe80::216:3eff:fe4a:7f29/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5234214 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2417090 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:553246281 (553.2 MB)  TX bytes:5237753987 (5.2 GB)
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1577698 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1577698 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

这是我的racoon配置文件

path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";

timer {
        natt_keepalive 10sec;
}

remote anonymous {
        exchange_mode main,aggressive,base;
        doi ipsec_doi;
        situation identity_only;
        nat_traversal on;
        script "/etc/racoon/phase1-up.sh" phase1_up;
        script "/etc/racoon/phase1-down.sh" phase1_down;
        generate_policy on;
        ike_frag on;
        passive on;
        my_identifier address 69.172.231.11;
        peers_identifier fqdn "zcr.me";
        proposal {
                encryption_algorithm aes;
                hash_algorithm sha1;
                authentication_method xauth_psk_server;
                dh_group 2;
        }
        proposal_check claim;
}


sainfo anonymous {
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
}

mode_cfg {
        auth_source system;
        save_passwd on;
        network4 10.1.0.0;
        pool_size 100;
}

这个配置已经从围绕’网络的各种教程拼凑而成,所以它可能……很奇怪.当我连接到VPN时,在客户端收到以下输出

4/12/11 2:21:43 PM  racoon[191] Connecting.
4/12/11 2:21:43 PM  racoon[191] IKE Packet: transmit success. (Initiator,Aggressive-Mode message 1).
4/12/11 2:21:43 PM  racoon[191] IKEv1 Phase1 AUTH: success. (Initiator,Aggressive-Mode Message 2).
4/12/11 2:21:43 PM  racoon[191] IKE Packet: receive success. (Initiator,Aggressive-Mode message 2).
4/12/11 2:21:43 PM  racoon[191] IKEv1 Phase1 Initiator: success. (Initiator,Aggressive-Mode).
4/12/11 2:21:43 PM  racoon[191] IKE Packet: transmit success. (Initiator,Aggressive-Mode message 3).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: transmit success. (Mode-Config message).
4/12/11 2:21:46 PM  racoon[191] IKEv1 XAUTH: success. (XAUTH Status is OK).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: transmit success. (Mode-Config message).
4/12/11 2:21:46 PM  racoon[191] IKEv1 Config: retransmited. (Mode-Config retransmit).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: receive success. (MODE-Config).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: transmit success. (Initiator,Quick-Mode message 1).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: receive success. (Initiator,Quick-Mode message 2).
4/12/11 2:21:46 PM  racoon[191] IKE Packet: transmit success. (Initiator,Quick-Mode message 3).
4/12/11 2:21:46 PM  racoon[191] IKEv1 Phase2 Initiator: success. (Initiator,Quick-Mode).
4/12/11 2:22:03 PM  racoon[191] IKE Packet: transmit success. (Information message).
4/12/11 2:22:03 PM  racoon[191] IKEv1 Information-Notice: transmit success. (R-U-THERE?).
4/12/11 2:22:03 PM  racoon[191] IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
4/12/11 2:22:04 PM  racoon[191] IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
4/12/11 2:22:04 PM  racoon[191] IKE Packet: receive success. (Information message).
4/12/11 2:22:04 PM  racoon[191] IKE Packet: transmit success. (Information message).
4/12/11 2:22:04 PM  racoon[191] IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
4/12/11 2:22:04 PM  racoon[191] IKE Packet: transmit success. (Information message).
4/12/11 2:22:04 PM  racoon[191] IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).

相同的连接在服务器端生成以下输出

Apr 12 13:20:20 Zaccaro racoon: INFO: respond new phase 1 negotiation: SERVER.IP.ADDRESS[500]<=>CLIENT.IP.ADDRESS[500]
Apr 12 13:20:20 Zaccaro racoon: INFO: begin Aggressive mode.
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: RFC 3947
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: CISCO-UNITY
Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: DPD
Apr 12 13:20:20 Zaccaro racoon: WARNING: No ID match.
Apr 12 13:20:20 Zaccaro racoon: INFO: Selected NAT-T version: RFC 3947
Apr 12 13:20:20 Zaccaro racoon: INFO: Adding remote and local NAT-D payloads.
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing CLIENT.IP.ADDRESS[500] with algo #2 
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing SERVER.IP.ADDRESS[500] with algo #2 
Apr 12 13:20:20 Zaccaro racoon: INFO: Adding xauth VID payload.
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-T: ports changed to: SERVER.IP.ADDRESS[32768]<->CLIENT.IP.ADDRESS[4500]
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing SERVER.IP.ADDRESS[4500] with algo #2 
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-D payload #0 verified
Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing CLIENT.IP.ADDRESS[32768] with algo #2 
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-D payload #1 doesn't match
Apr 12 13:20:20 Zaccaro racoon: WARNING: ignore INITIAL-CONTACT notification,because it is only accepted after phase1.
Apr 12 13:20:20 Zaccaro racoon: INFO: NAT detected: PEER
Apr 12 13:20:20 Zaccaro racoon: INFO: Sending Xauth request
Apr 12 13:20:20 Zaccaro racoon: INFO: ISAKMP-SA established SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
Apr 12 13:20:23 Zaccaro racoon: INFO: Using port 0
Apr 12 13:20:23 Zaccaro racoon: INFO: login succeeded for user "username"
Apr 12 13:20:23 Zaccaro racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
Apr 12 13:20:23 Zaccaro racoon: WARNING: Ignored attribute 28683
Apr 12 13:20:23 Zaccaro racoon: INFO: unsupported PF_KEY message REGISTER
Apr 12 13:20:23 Zaccaro racoon: INFO: respond new phase 2 negotiation: SERVER.IP.ADDRESS[4500]<=>CLIENT.IP.ADDRESS[32768]
Apr 12 13:20:23 Zaccaro racoon: INFO: no policy found,try to generate the policy : 10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=in
Apr 12 13:20:23 Zaccaro racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
Apr 12 13:20:23 Zaccaro racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
Apr 12 13:20:23 Zaccaro racoon: INFO: IPsec-SA established: ESP/Tunnel CLIENT.IP.ADDRESS[32768]->SERVER.IP.ADDRESS[4500] spi=141535132(0x86fa79c)
Apr 12 13:20:23 Zaccaro racoon: INFO: IPsec-SA established: ESP/Tunnel SERVER.IP.ADDRESS[4500]->CLIENT.IP.ADDRESS[32768] spi=48270910(0x2e08e3e)
Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=in"
Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=fwd"
Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 10.1.0.0/32[0] proto=any dir=out"
Apr 12 13:20:40 Zaccaro racoon: INFO: generated policy,deleting it.
Apr 12 13:20:40 Zaccaro racoon: INFO: purged IPsec-SA proto_id=ESP spi=48270910.
Apr 12 13:20:40 Zaccaro racoon: INFO: ISAKMP-SA expired SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
Apr 12 13:20:41 Zaccaro racoon: INFO: ISAKMP-SA deleted SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
Apr 12 13:20:41 Zaccaro racoon: INFO: Released port 0
Apr 12 13:20:41 Zaccaro racoon: INFO: unsupported PF_KEY message REGISTER
Apr 12 13:21:02 Zaccaro sm-msp-queue[23481]: unable to qualify my own domain name (Zaccaro) -- using short name

我认为部分问题可能源于phase1up和phase1down脚本.

phase1-up.sh:

#!/bin/bash

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

echo "
spdadd 192.168.1.0/24 ${INTERNAL_ADDR4}/32 any
        -P out ipsec esp/tunnel/${LOCAL_ADDR}[4500]-${REMOTE_ADDR}[4500]/require;
spdadd ${INTERNAL_ADDR4}/32 192.168.1.0/24 any
        -P in ipsec esp/tunnel/${REMOTE_ADDR}[4500]-${LOCAL_ADDR}[4500]/require;
" | setkey -c

phase1-down.sh:

#!/bin/bash

PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

echo "
deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;

spddelete 192.168.1.0/24[any] ${INTERNAL_ADDR4}[any] any
        -P out ipsec esp/tunnel/${LOCAL_ADDR}-${REMOTE_ADDR}/require;
spddelete  ${INTERNAL_ADDR4}[any] 192.168.1.0/24 [any] any
        -P in ipsec esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require;
" | setkey -c

所有这一切都发生了,客户端说它已成功连接IP地址10.1.0.0.此时,任何连接到互联网的尝试都会立即失败.这就是问题所在.

编辑:这里有更多的诊断信息.

当我连接到VPN时,ping到VPS的公共IP地址成功.但是,ping到8.8.8.8(VPN默认设置为使用的DNS服务器)会给出超时.因此,根本不能解析主机名.

第二次编辑:

» route -nv      
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
69.172.231.0    0.0.0.0         255.255.255.192 U     0      0        0 eth0
0.0.0.0         69.172.231.1    0.0.0.0         UG    0      0        0 eth0

» iptables -L -nv
Chain INPUT (policy ACCEPT 49270 packets,6376K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets,0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 42570 packets,8573K bytes)
 pkts bytes target     prot opt in     out     source               destination
你从哪里得到phase1-up.sh和phase1-down.sh脚本?在racoon发布中应该有一些例子,在… / racoon / samples / roadwarrior / client /下.尝试使用那些.作为一个快速实验,您可以用10.1.0.0/24替换这些脚本中192.168.1.0/24的所有出现,但我不知道您是如何在Ubuntu VPS上设置网络的.如果这些步骤都不起作用,请发布命令的输出
route -nv
iptables -L -nv

在你的Ubuntu VPS上.

猜你在找的Ubuntu相关文章