ubuntu – Strongswan (IKEv2) connection established, but no traffic is routed

I have seen questions like this a few times before, but so far none of them has solved my problem.

I am trying to set up an IKEv2 VPN on my Ubuntu server, using Strongswan, for use with a Windows Phone. The connection appears to be set up correctly, but no packets are routed and I cannot ping the VPN client's IP address.

My server's internal network is 192.168.1.0/24, my server's IP is 192.168.1.110, and it is behind NAT.

From /var/log/syslog:

  May 8 09:50:01 seanco-server charon: 16[NET] received packet: from 166.147.118.120[13919] to 192.168.1.110[500]
  May 8 09:50:01 seanco-server charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
  May 8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
  May 8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
  May 8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
  May 8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
  May 8 09:50:01 seanco-server charon: 16[IKE] 166.147.118.120 is initiating an IKE_SA
  May 8 09:50:01 seanco-server charon: 16[IKE] local host is behind NAT, sending keep alives
  May 8 09:50:01 seanco-server charon: 16[IKE] remote host is behind NAT
  May 8 09:50:01 seanco-server charon: 16[IKE] sending cert request for "C=xx,ST=xx,L=xxx,O=xxx,CN=xxx,E=xxx"
  May 8 09:50:01 seanco-server charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
  May 8 09:50:01 seanco-server charon: 16[NET] sending packet: from 192.168.1.110[500] to 166.147.118.120[13919]
  May 8 09:50:01 seanco-server charon: 08[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
  May 8 09:50:01 seanco-server charon: 08[ENC] unknown attribute type INTERNAL_IP4_SERVER
  May 8 09:50:01 seanco-server charon: 08[ENC] unknown attribute type INTERNAL_IP6_SERVER
  May 8 09:50:01 seanco-server charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
  May 8 09:50:01 seanco-server charon: 08[IKE] received cert request for "C=xx,E=xxx"
  May 8 09:50:01 seanco-server charon: 08[IKE] received 31 cert requests for an unknown ca
  May 8 09:50:01 seanco-server charon: 08[CFG] looking for peer configs matching 192.168.1.110[%any]...166.147.118.120[10.212.235.245]
  May 8 09:50:01 seanco-server charon: 08[CFG] selected peer config 'windows-phone-vpn'
  May 8 09:50:01 seanco-server charon: 08[IKE] initiating EAP-Identity request
  May 8 09:50:01 seanco-server charon: 08[IKE] peer supports MOBIKE
  May 8 09:50:01 seanco-server charon: 08[IKE] authentication of 'steakscorp.org' (myself) with RSA signature successful
  May 8 09:50:01 seanco-server charon: 08[IKE] sending end entity cert "D=xxx,C=xx,E=xxx"
  May 8 09:50:01 seanco-server charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
  May 8 09:50:01 seanco-server charon: 08[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
  May 8 09:50:02 seanco-server charon: 10[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
  May 8 09:50:02 seanco-server charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
  May 8 09:50:02 seanco-server charon: 10[IKE] received EAP identity 'Windows Phone\jinhai'
  May 8 09:50:02 seanco-server charon: 10[IKE] initiating EAP_MSCHAPV2 method (id 0xA5)
  May 8 09:50:02 seanco-server charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
  May 8 09:50:02 seanco-server charon: 10[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
  May 8 09:50:02 seanco-server charon: 09[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
  May 8 09:50:02 seanco-server charon: 09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
  May 8 09:50:02 seanco-server charon: 09[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
  May 8 09:50:02 seanco-server charon: 09[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
  May 8 09:50:02 seanco-server charon: 11[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
  May 8 09:50:02 seanco-server charon: 11[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
  May 8 09:50:02 seanco-server charon: 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
  May 8 09:50:02 seanco-server charon: 11[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
  May 8 09:50:02 seanco-server charon: 11[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
  May 8 09:50:02 seanco-server charon: 12[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
  May 8 09:50:02 seanco-server charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
  May 8 09:50:02 seanco-server charon: 12[IKE] authentication of '10.212.235.245' with EAP successful
  May 8 09:50:02 seanco-server charon: 12[IKE] authentication of 'steakscorp.org' (myself) with EAP
  May 8 09:50:02 seanco-server charon: 12[IKE] IKE_SA windows-phone-vpn[2] established between 192.168.1.110[steakscorp.org]...166.147.118.120[10.212.235.245]
  May 8 09:50:02 seanco-server charon: 12[IKE] scheduling reauthentication in 10200s
  May 8 09:50:02 seanco-server charon: 12[IKE] maximum IKE_SA lifetime 10740s
  May 8 09:50:02 seanco-server charon: 12[IKE] peer requested virtual IP %any6
  May 8 09:50:02 seanco-server charon: 12[CFG] reassigning offline lease to 'Windows Phone\jinhai'
  May 8 09:50:02 seanco-server charon: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'Windows Phone\jinhai'
  May 8 09:50:02 seanco-server charon: 12[IKE] CHILD_SA windows-phone-vpn{2} established with SPIs c214680b_i a1cbebd2_o and TS 0.0.0.0/0[udp/l2f] === 10.8.0.1/32[udp]
  May 8 09:50:02 seanco-server vpn: + 10.212.235.245 10.8.0.1/32 == 166.147.118.120 -- 192.168.1.110 == 0.0.0.0/0
  May 8 09:50:02 seanco-server charon: 12[ENC] generating IKE_AUTH response 5 [ AUTH CP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
  May 8 09:50:02 seanco-server charon: 12[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
  May 8 09:50:22 seanco-server charon: 16[IKE] sending keep alive
  May 8 09:50:22 seanco-server charon: 16[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
  May 8 09:50:32 seanco-server charon: 10[IKE] sending DPD request
  May 8 09:50:32 seanco-server charon: 10[ENC] generating INFORMATIONAL request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]

/etc/ipsec.conf

  config setup
      strictcrlpolicy = no
      charonstart = yes
      plutostart = no

  conn windows-phone-vpn
      auto = route
      compress = no
      dpdaction = clear
      pfs = no
      keyexchange = ikev2
      type = tunnel
      left = %any
      leftfirewall = yes
      leftauth = pubkey
      leftid = steakscorp.org
      leftcert = /etc/apache2/ssl/start-ssl.crt
      leftca = /etc/apache2/ssl/start-ssl-ca.pem
      leftsendcert = always
      leftsubnet = 0.0.0.0/0
      right = %any
      rightauth = eap-mschapv2
      eap_identity = %any
      rightca = /etc/ipsec.d/cacerts/vpnca.pem
      rightsendcert = ifasked
      rightsourceip = 10.8.0.0/24
      #leftprotoport = 17/1701
      #rightprotoport = 17/%any

ifconfig:

  eth1      Link encap:Ethernet  HWaddr aa:00:04:00:0a:04
            inet addr:192.168.1.110  Bcast:192.168.1.255  Mask:255.255.255.0
            inet6 addr: fe80::21e:4fff:feaa:1577/64 Scope:Link
            UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
            RX packets:157187 errors:0 dropped:0 overruns:0 frame:0
            TX packets:162827 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:1000
            RX bytes:121434663 (121.4 MB)  TX bytes:129069773 (129.0 MB)
            Interrupt:21 Memory:fe9e0000-fea00000

  ham0      Link encap:Ethernet  HWaddr 7a:79:19:da:fb:84
            inet addr:25.218.251.132  Bcast:25.255.255.255  Mask:255.0.0.0
            inet6 addr: fe80::7879:19ff:feda:fb84/64 Scope:Link
            inet6 addr: 2620:9b::19da:fb84/96 Scope:Global
            UP BROADCAST RUNNING MULTICAST  MTU:1404  Metric:1
            RX packets:1622 errors:0 dropped:0 overruns:0 frame:0
            TX packets:3115 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:500
            RX bytes:384780 (384.7 KB)  TX bytes:1249410 (1.2 MB)

  lo        Link encap:Local Loopback
            inet addr:127.0.0.1  Mask:255.0.0.0
            inet6 addr: ::1/128 Scope:Host
            UP LOOPBACK RUNNING  MTU:16436  Metric:1
            RX packets:6554 errors:0 dropped:0 overruns:0 frame:0
            TX packets:6554 errors:0 dropped:0 overruns:0 carrier:0
            collisions:0 txqueuelen:0
            RX bytes:2036987 (2.0 MB)  TX bytes:2036987 (2.0 MB)

iptables (iptables-save):

  # Generated by iptables-save v1.4.12 on Fri May 9 10:33:46 2014
  *mangle
  :PREROUTING ACCEPT [604388:58921019]
  :INPUT ACCEPT [4937028:2589137657]
  :FORWARD ACCEPT [22:1366]
  :OUTPUT ACCEPT [3919078:5188868578]
  :POSTROUTING ACCEPT [4008714:5195778648]
  :AS0_MANGLE_PRE_REL_EST - [0:0]
  :AS0_MANGLE_TUN - [0:0]
  -A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
  -A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
  -A AS0_MANGLE_PRE_REL_EST -j ACCEPT
  -A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
  -A AS0_MANGLE_TUN -j ACCEPT
  COMMIT
  # Completed on Fri May 9 10:33:46 2014
  # Generated by iptables-save v1.4.12 on Fri May 9 10:33:46 2014
  *filter
  :INPUT ACCEPT [1737:217459]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [16831:20344894]
  :AS0_ACCEPT - [0:0]
  :AS0_IN - [0:0]
  :AS0_IN_POST - [0:0]
  :AS0_IN_PRE - [0:0]
  :AS0_OUT - [0:0]
  :AS0_OUT_LOCAL - [0:0]
  :AS0_OUT_S2C - [0:0]
  :AS0_U_ADMIN_IN - [0:0]
  :AS0_U_USERLOCA_IN - [0:0]
  :AS0_WEBACCEPT - [0:0]
  :fail2ban-apache - [0:0]
  :fail2ban-apache-404 - [0:0]
  :fail2ban-apache-noscript - [0:0]
  :fail2ban-apache-overflows - [0:0]
  :fail2ban-apache-postflood - [0:0]
  :fail2ban-ip-blocklist - [0:0]
  :fail2ban-repeatoffender - [0:0]
  :fail2ban-ssh - [0:0]
  :fail2ban-ssh-ddos - [0:0]
  -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-404
  -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-noscript
  -A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
  -A INPUT -i lo -j AS0_ACCEPT
  -A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
  -A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT
  -A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
  -A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
  -A INPUT -p tcp -j fail2ban-ip-blocklist
  -A INPUT -p tcp -j fail2ban-repeatoffender
  -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
  -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-postflood
  -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows
  -A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
  -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
  -A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
  -A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
  -A FORWARD -o as0t+ -j AS0_OUT_S2C
  -A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
  -A AS0_ACCEPT -j ACCEPT
  -A AS0_IN -d 10.0.8.1/32 -j ACCEPT
  -A AS0_IN -j AS0_IN_POST
  -A AS0_IN_POST -o as0t+ -j AS0_OUT
  -A AS0_IN_POST -j DROP
  -A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
  -A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
  -A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
  -A AS0_IN_PRE -j ACCEPT
  -A AS0_OUT -j DROP
  -A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
  -A AS0_OUT_LOCAL -j ACCEPT
  -A AS0_OUT_S2C -j AS0_OUT
  -A AS0_U_ADMIN_IN -d 192.168.1.0/24 -j ACCEPT
  -A AS0_U_ADMIN_IN -j AS0_IN_POST
  -A AS0_U_USERLOCA_IN -d 192.168.1.0/24 -j ACCEPT
  -A AS0_U_USERLOCA_IN -j AS0_IN_POST
  -A AS0_WEBACCEPT -j ACCEPT
  -A fail2ban-apache -j RETURN
  -A fail2ban-apache-404 -j RETURN
  -A fail2ban-apache-noscript -j RETURN
  -A fail2ban-apache-overflows -j RETURN
  -A fail2ban-apache-postflood -j RETURN
  -A fail2ban-ip-blocklist -j RETURN
  -A fail2ban-repeatoffender -j RETURN
  -A fail2ban-ssh -j RETURN
  -A fail2ban-ssh-ddos -j RETURN
  COMMIT
  # Completed on Fri May 9 10:33:46 2014
  # Generated by iptables-save v1.4.12 on Fri May 9 10:33:46 2014
  *nat
  :PREROUTING ACCEPT [906:84714]
  :INPUT ACCEPT [860:81590]
  :OUTPUT ACCEPT [233:50740]
  :POSTROUTING ACCEPT [233:50740]
  :AS0_NAT - [0:0]
  :AS0_NAT_POST_REL_EST - [0:0]
  :AS0_NAT_PRE - [0:0]
  :AS0_NAT_PRE_REL_EST - [0:0]
  :AS0_NAT_TEST - [0:0]
  -A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
  -A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
  -A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
  -A POSTROUTING -d 192.168.2.0/24 -o ppp0 -j MASQUERADE
  -A POSTROUTING -s 10.8.0.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
  -A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
  -A AS0_NAT -o eth1 -j SNAT --to-source 192.168.1.110
  -A AS0_NAT -o ham0 -j SNAT --to-source 25.218.251.132
  -A AS0_NAT -o tun0 -j SNAT --to-source 10.8.0.1
  -A AS0_NAT -j ACCEPT
  -A AS0_NAT_POST_REL_EST -j ACCEPT
  -A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
  -A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
  -A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
  -A AS0_NAT_PRE -j AS0_NAT
  -A AS0_NAT_PRE_REL_EST -j ACCEPT
  -A AS0_NAT_TEST -o as0t+ -j ACCEPT
  -A AS0_NAT_TEST -d 10.0.8.0/24 -j ACCEPT
  -A AS0_NAT_TEST -j AS0_NAT
  COMMIT
  # Completed on Fri May 9 10:33:46 2014

ip xfrm policy:

  src 10.8.0.1/32 dst 0.0.0.0/0 proto udp dport 1701
          dir fwd priority 1920
          tmpl src 166.147.118.120 dst 192.168.1.110
                  proto esp reqid 3 mode tunnel
  src 10.8.0.1/32 dst 0.0.0.0/0 proto udp dport 1701
          dir in priority 1920
          tmpl src 166.147.118.120 dst 192.168.1.110
                  proto esp reqid 3 mode tunnel
  src 0.0.0.0/0 dst 10.8.0.1/32 proto udp sport 1701
          dir out priority 1920
          tmpl src 192.168.1.110 dst 166.147.118.120
                  proto esp reqid 3 mode tunnel

Some things seem a bit odd to me (shouldn't an ipsec0 interface or something come up when the connection is established?), but I am stuck on this and would greatly appreciate some help.

Edit: commented out the protoport lines and removed the tun0 interface.
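A detail worth checking in the output quoted above before touching routing or firewall rules: the CHILD_SA line reports the negotiated traffic selectors as `TS 0.0.0.0/0[udp/l2f] === 10.8.0.1/32[udp]`, and `ip xfrm policy` shows the same restriction as `proto udp dport 1701` / `sport 1701` (`l2f` is the /etc/services name for port 1701, L2TP). With selectors like that the SA is "established" but only UDP/1701 traffic is ever protected by it; pings and everything else never match the policy, which is what an L2TP-style `leftprotoport = 17/1701` / `rightprotoport = 17/%any` pair produces, and what the question's edit addresses. The following Python script is an added example, not code from the post or from strongSwan: it parses a charon CHILD_SA line and `ip xfrm policy` text and flags selectors that are narrowed to a protocol or port. The first sample line and the xfrm text are the ones quoted in the question; the second CHILD_SA line is constructed to show what a full tunnel looks like.

```python
"""Spot "SA established but nothing is routed" from strongSwan's own output.

Added example for this thread, not code from the post or from strongSwan.
Flags traffic selectors (TS) restricted to one protocol/port: only matching
packets enter the tunnel, everything else is routed in the clear or dropped.
"""
import re
import socket

# Sample 1: the CHILD_SA line quoted in the post above (verbatim).
CHILD_SA_NARROWED = (
    "May 8 09:50:02 seanco-server charon: 12[IKE] CHILD_SA windows-phone-vpn{2} "
    "established with SPIs c214680b_i a1cbebd2_o and TS 0.0.0.0/0[udp/l2f] === 10.8.0.1/32[udp]"
)
# Sample 2 (constructed): the same line for a full road-warrior tunnel.
CHILD_SA_FULL = (
    "May 8 10:00:00 seanco-server charon: 12[IKE] CHILD_SA windows-phone-vpn{3} "
    "established with SPIs 0badc0de_i deadbeef_o and TS 0.0.0.0/0 === 10.8.0.1/32"
)
# Sample 3: the `ip xfrm policy` output quoted in the post (verbatim).
XFRM_POLICY_TEXT = """\
src 10.8.0.1/32 dst 0.0.0.0/0 proto udp dport 1701
        dir fwd priority 1920
        tmpl src 166.147.118.120 dst 192.168.1.110
                proto esp reqid 3 mode tunnel
src 10.8.0.1/32 dst 0.0.0.0/0 proto udp dport 1701
        dir in priority 1920
        tmpl src 166.147.118.120 dst 192.168.1.110
                proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 10.8.0.1/32 proto udp sport 1701
        dir out priority 1920
        tmpl src 192.168.1.110 dst 166.147.118.120
                proto esp reqid 3 mode tunnel
"""

CHILD_SA_RE = re.compile(
    r"CHILD_SA (?P<name>\S+)\{(?P<id>\d+)\} established with SPIs "
    r"(?P<spi_in>[0-9a-f]+)_i (?P<spi_out>[0-9a-f]+)_o and TS (?P<local>.+?) === (?P<remote>.+)$"
)
# One selector: 0.0.0.0/0, 10.8.0.1/32[udp] or 0.0.0.0/0[udp/l2f]
TS_RE = re.compile(r"^(?P<net>[0-9a-fA-F.:/]+)(?:\[(?P<proto>[a-z0-9]+)(?:/(?P<port>[^\]]+))?\])?$")
# charon prints ports by /etc/services name (1701/udp is "l2f"); small fallback
# table for hosts without a services file.
KNOWN_SERVICES = {"l2f": 1701, "l2tp": 1701, "isakmp": 500, "ipsec-nat-t": 4500}
XFRM_HEAD_RE = re.compile(
    r"^src (?P<src>\S+) dst (?P<dst>\S+)(?: proto (?P<proto>\S+))?"
    r"(?: sport (?P<sport>\d+))?(?: dport (?P<dport>\d+))?"
)


def service_to_port(name, proto):
    if name.isdigit():
        return int(name)
    try:
        return socket.getservbyname(name, proto)
    except OSError:
        return KNOWN_SERVICES.get(name)


def parse_ts(token):
    m = TS_RE.match(token)
    if not m:
        raise ValueError("unrecognised traffic selector: %r" % token)
    proto = m["proto"]
    port = service_to_port(m["port"], proto or "udp") if m["port"] else None
    return {"raw": token, "net": m["net"], "proto": proto, "port": port}


def diagnose_child_sa(line):
    """None if `line` is not a CHILD_SA line; otherwise a report with findings."""
    m = CHILD_SA_RE.search(line)
    if not m:
        return None
    local = [parse_ts(t) for t in m["local"].split()]
    remote = [parse_ts(t) for t in m["remote"].split()]
    findings = []
    for side, sels in (("local", local), ("remote", remote)):
        for ts in sels:
            if ts["proto"] or ts["port"] is not None:
                what = ts["proto"] or "any"
                if ts["port"] is not None:
                    what += "/%d" % ts["port"]
                findings.append("%s TS %s restricted to %s: other traffic bypasses the tunnel"
                                % (side, ts["net"], what))
    full_tunnel = any(ts["net"] in ("0.0.0.0/0", "::/0") and not ts["proto"] and ts["port"] is None
                      for ts in local)
    return {"name": m["name"], "local": local, "remote": remote,
            "full_tunnel": full_tunnel, "findings": findings}


def parse_xfrm_policies(text):
    """Parse `ip xfrm policy` output into dicts with src/dst/proto/sport/dport/dir."""
    policies, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = XFRM_HEAD_RE.match(line)
        if m:
            cur = {k: (int(v) if k in ("sport", "dport") and v else v) for k, v in m.groupdict().items()}
            policies.append(cur)
        elif cur is not None and line.startswith("dir "):
            cur["dir"] = line.split()[1]
    return policies


def narrowed_policies(policies):
    """Policies that protect a single protocol/port instead of whole subnets."""
    return [p for p in policies if p["proto"] or p["sport"] or p["dport"]]


if __name__ == "__main__":
    for line in (CHILD_SA_NARROWED, CHILD_SA_FULL):
        rep = diagnose_child_sa(line)
        print("%s full tunnel: %s" % (rep["name"], rep["full_tunnel"]))
        for f in rep["findings"]:
            print("  !", f)
    for p in narrowed_policies(parse_xfrm_policies(XFRM_POLICY_TEXT)):
        print("xfrm %-3s %s -> %s only proto=%s sport=%s dport=%s"
              % (p["dir"], p["src"], p["dst"], p["proto"], p["sport"], p["dport"]))
```

Run it against a live box with `grep CHILD_SA /var/log/syslog` and `ip xfrm policy` piped in; a full tunnel for a virtual-IP client should show `0.0.0.0/0 === <virtual IP>/32` with no bracketed protocol, and xfrm policies with no `proto`/`dport`/`sport` qualifiers.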

You need:

  $ iptables -t nat -A POSTROUTING -o eth0 ! -p esp -j SNAT --to-source "your VPN host IP"
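Whichever rule shape is used, the NAT side of a road-warrior gateway has two things that can be checked mechanically from `iptables-save` output: the VPN pool must be source-NATed on the egress interface, and any `-m policy --dir out --pol ipsec -j ACCEPT` exemption must come before the SNAT/MASQUERADE rule, otherwise it never matches. The question's nat table has both rules in the right order for `10.8.0.0/24` on `eth1` (it also shows an OpenVPN `AS0_NAT` rule for `tun0` with the address 10.8.0.1, the same address strongSwan handed out as the virtual IP, which the question's edit removed). The script below is an added example, not code from the post, the answer or strongSwan: it audits a nat table for a given pool and egress interface. The first sample is an excerpt of the question's own nat table; the misordered variant and the answer-style `! -p esp` variant (with the interface changed to this server's `eth1`) are constructed for comparison.

```python
"""Audit the POSTROUTING NAT rules a strongSwan road-warrior gateway needs.

Added example for this thread, not code from the post, the answer or strongSwan.
Input is iptables-save text; the pool and egress interface are the ones from the
question (10.8.0.0/24 via eth1).
"""
import shlex

# Excerpt of the nat table quoted in the post (rule text verbatim).
NAT_FROM_POST = """\
*nat
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A POSTROUTING -d 192.168.2.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
COMMIT
"""
# Constructed counter-example: exemption placed after MASQUERADE, so it never matches.
NAT_MISORDERED = """\
*nat
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
COMMIT
"""
# Constructed: the rule shape from the answer (SNAT everything except ESP), on eth1.
NAT_ANSWER_STYLE = """\
*nat
-A POSTROUTING -o eth1 ! -p esp -j SNAT --to-source 192.168.1.110
COMMIT
"""


def table_rules(save_text, table):
    """Yield the -A lines of one table from iptables-save output."""
    inside = False
    for line in save_text.splitlines():
        if line.startswith("*"):
            inside = line[1:].strip() == table
        elif line.strip() == "COMMIT":
            inside = False
        elif inside and line.startswith("-A "):
            yield line


def parse_rule(line):
    """Tokenise one -A rule into {chain, opts, matches, negated}."""
    toks = shlex.split(line)
    rule = {"chain": None, "opts": {}, "matches": [], "negated": set()}
    i, negate = 0, False
    while i < len(toks):
        t = toks[i]
        if t == "!":
            negate, i = True, i + 1
            continue
        if t == "-A":
            rule["chain"], i = toks[i + 1], i + 2
            continue
        has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-") and toks[i + 1] != "!"
        val = toks[i + 1] if has_val else True
        if t == "-m":
            rule["matches"].append(val)   # a rule may carry several -m matches
        else:
            rule["opts"][t] = val
        if negate:
            rule["negated"].add(t)
            negate = False
        i += 2 if has_val else 1
    return rule


def audit_pool_nat(save_text, pool="10.8.0.0/24", egress="eth1"):
    """Check SNAT presence and ipsec-policy exemption ordering for the VPN pool."""
    post = [r for r in (parse_rule(l) for l in table_rules(save_text, "nat"))
            if r["chain"] == "POSTROUTING"]
    snat_idx = exempt_idx = None
    esp_excluded = False
    for idx, r in enumerate(post):
        o = r["opts"]
        # Only rules on the egress interface that cover the pool (or all sources).
        if o.get("-o") != egress or o.get("-s") not in (None, pool):
            continue
        if (o.get("-j") == "ACCEPT" and "policy" in r["matches"]
                and o.get("--pol") == "ipsec" and o.get("--dir") == "out"):
            if exempt_idx is None:
                exempt_idx = idx
        elif o.get("-j") in ("MASQUERADE", "SNAT") and snat_idx is None:
            snat_idx = idx
            esp_excluded = o.get("-p") == "esp" and "-p" in r["negated"]
    errors, warnings = [], []
    if snat_idx is None:
        errors.append("no SNAT/MASQUERADE for %s out %s: client traffic to the outside cannot return"
                      % (pool, egress))
    if exempt_idx is None:
        warnings.append("no '-m policy --dir out --pol ipsec -j ACCEPT' before SNAT: packets that "
                        "still have to be ESP-encapsulated (e.g. client-to-client) are NATed first")
    elif snat_idx is not None and exempt_idx > snat_idx:
        errors.append("ipsec policy exemption at position %d comes after SNAT at %d, so it never matches"
                      % (exempt_idx, snat_idx))
    return {"snat_index": snat_idx, "exempt_index": exempt_idx, "esp_excluded": esp_excluded,
            "errors": errors, "warnings": warnings, "ok": not errors}


if __name__ == "__main__":
    for label, text in (("post", NAT_FROM_POST), ("misordered", NAT_MISORDERED),
                        ("answer-style", NAT_ANSWER_STYLE)):
        rep = audit_pool_nat(text)
        print("%-12s ok=%s esp_excluded=%s" % (label, rep["ok"], rep["esp_excluded"]))
        for msg in rep["errors"] + rep["warnings"]:
            print("  -", msg)
```

Feed it the live table with `iptables-save -t nat` and adjust `pool`/`egress` to your `rightsourceip` and outside interface. The audit covers NAT only; forwarding also requires `net.ipv4.ip_forward = 1` and a FORWARD chain that accepts the pool (the question's FORWARD policy is ACCEPT, so that part is already satisfied there).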
