Tôi đã thấy loại câu hỏi này được đăng một vài lần trước đây, nhưng cho đến nay, không ai trong số họ đã giải quyết vấn đề của tôi.
Tôi đang cố gắng thiết lập VPN IKEv2 trên Máy chủ Ubuntu của mình để sử dụng với Windows Phone bằng Strongswan. Kết nối dường như được thiết lập chính xác, nhưng không có gói nào được định tuyến và tôi không thể ping địa chỉ IP của máy khách VPN.
Mạng nội bộ của máy chủ của tôi là 192.168.1.0/24 và IP của máy chủ của tôi là 192.168.1.110 và sau NAT.
/ var / log / syslog
May 8 09:50:01 seanco-server charon: 16[NET] received packet: from 166.147.118.120[13919] to 192.168.1.110[500]
May 8 09:50:01 seanco-server charon: 16[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
May 8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 1e:2b:51:69:05:99:1c:7d:7c:96:fc:bf:b5:87:e4:61:00:00:00:09
May 8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: fb:1d:e3:cd:f3:41:b7:ea:16:b7:e5:be:08:55:f1:20
May 8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 26:24:4d:38:ed:db:61:b3:17:2a:36:e3:d0:cf:b8:19
May 8 09:50:01 seanco-server charon: 16[ENC] received unknown vendor id: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
May 8 09:50:01 seanco-server charon: 16[IKE] 166.147.118.120 is initiating an IKE_SA
May 8 09:50:01 seanco-server charon: 16[IKE] local host is behind NAT, sending keep alives
May 8 09:50:01 seanco-server charon: 16[IKE] remote host is behind NAT
May 8 09:50:01 seanco-server charon: 16[IKE] sending cert request for "C=xx, ST=xx, L=xxx, O=xxx, CN=xxx, E=xxx"
May 8 09:50:01 seanco-server charon: 16[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(MULT_AUTH) ]
May 8 09:50:01 seanco-server charon: 16[NET] sending packet: from 192.168.1.110[500] to 166.147.118.120[13919]
May 8 09:50:01 seanco-server charon: 08[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May 8 09:50:01 seanco-server charon: 08[ENC] unknown attribute type INTERNAL_IP4_SERVER
May 8 09:50:01 seanco-server charon: 08[ENC] unknown attribute type INTERNAL_IP6_SERVER
May 8 09:50:01 seanco-server charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CP(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
May 8 09:50:01 seanco-server charon: 08[IKE] received cert request for "C=xx, ST=xx, L=xxx, O=xxx, CN=xxx, E=xxx"
May 8 09:50:01 seanco-server charon: 08[IKE] received 31 cert requests for an unknown ca
May 8 09:50:01 seanco-server charon: 08[CFG] looking for peer configs matching 192.168.1.110[%any]...166.147.118.120[10.212.235.245]
May 8 09:50:01 seanco-server charon: 08[CFG] selected peer config 'windows-phone-vpn'
May 8 09:50:01 seanco-server charon: 08[IKE] initiating EAP-Identity request
May 8 09:50:01 seanco-server charon: 08[IKE] peer supports MOBIKE
May 8 09:50:01 seanco-server charon: 08[IKE] authentication of 'steakscorp.org' (myself) with RSA signature successful
May 8 09:50:01 seanco-server charon: 08[IKE] sending end entity cert "D=xxx, C=xx, CN=xxx, E=xxx"
May 8 09:50:01 seanco-server charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
May 8 09:50:01 seanco-server charon: 08[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May 8 09:50:02 seanco-server charon: 10[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May 8 09:50:02 seanco-server charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
May 8 09:50:02 seanco-server charon: 10[IKE] received EAP identity 'Windows Phone\jinhai'
May 8 09:50:02 seanco-server charon: 10[IKE] initiating EAP_MSCHAPV2 method (id 0xA5)
May 8 09:50:02 seanco-server charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
May 8 09:50:02 seanco-server charon: 10[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May 8 09:50:02 seanco-server charon: 09[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May 8 09:50:02 seanco-server charon: 09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
May 8 09:50:02 seanco-server charon: 09[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
May 8 09:50:02 seanco-server charon: 09[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May 8 09:50:02 seanco-server charon: 11[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May 8 09:50:02 seanco-server charon: 11[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
May 8 09:50:02 seanco-server charon: 11[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
May 8 09:50:02 seanco-server charon: 11[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
May 8 09:50:02 seanco-server charon: 11[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May 8 09:50:02 seanco-server charon: 12[NET] received packet: from 166.147.118.120[1282] to 192.168.1.110[4500]
May 8 09:50:02 seanco-server charon: 12[ENC] parsed IKE_AUTH request 5 [ AUTH ]
May 8 09:50:02 seanco-server charon: 12[IKE] authentication of '10.212.235.245' with EAP successful
May 8 09:50:02 seanco-server charon: 12[IKE] authentication of 'steakscorp.org' (myself) with EAP
May 8 09:50:02 seanco-server charon: 12[IKE] IKE_SA windows-phone-vpn[2] established between 192.168.1.110[steakscorp.org]...166.147.118.120[10.212.235.245]
May 8 09:50:02 seanco-server charon: 12[IKE] scheduling reauthentication in 10200s
May 8 09:50:02 seanco-server charon: 12[IKE] maximum IKE_SA lifetime 10740s
May 8 09:50:02 seanco-server charon: 12[IKE] peer requested virtual IP %any6
May 8 09:50:02 seanco-server charon: 12[CFG] reassigning offline lease to 'Windows Phone\jinhai'
May 8 09:50:02 seanco-server charon: 12[IKE] assigning virtual IP 10.8.0.1 to peer 'Windows Phone\jinhai'
May 8 09:50:02 seanco-server charon: 12[IKE] CHILD_SA windows-phone-vpn{2} established with SPIs c214680b_i a1cbebd2_o and TS 0.0.0.0/0[udp/l2f] === 10.8.0.1/32[udp]
May 8 09:50:02 seanco-server vpn: + 10.212.235.245 10.8.0.1/32 == 166.147.118.120 -- 192.168.1.110 == 0.0.0.0/0
May 8 09:50:02 seanco-server charon: 12[ENC] generating IKE_AUTH response 5 [ AUTH CP(ADDR DNS DNS) SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_6_ADDR) ]
May 8 09:50:02 seanco-server charon: 12[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May 8 09:50:22 seanco-server charon: 16[IKE] sending keep alive
May 8 09:50:22 seanco-server charon: 16[NET] sending packet: from 192.168.1.110[4500] to 166.147.118.120[1282]
May 8 09:50:32 seanco-server charon: 10[IKE] sending DPD request
May 8 09:50:32 seanco-server charon: 10[ENC] generating INFORMATIONAL request 0 [ N(NATD_S_IP) N(NATD_D_IP) ]
/etc/ipsec.conf
config setup
strictcrlpolicy = no
charonstart = yes
plutostart = no
conn windows-phone-vpn
auto = route
compress = no
dpdaction = clear
pfs = no
keyexchange = ikev2
type = tunnel
left = %any
leftfirewall = yes
leftauth = pubkey
leftid = steakscorp.org
leftcert = /etc/apache2/ssl/start-ssl.crt
leftca = /etc/apache2/ssl/start-ssl-ca.pem
leftsendcert = always
leftsubnet = 0.0.0.0/0
right = %any
rightauth = eap-mschapv2
eap_identity = %any
rightca = /etc/ipsec.d/cacerts/vpnca.pem
rightsendcert = ifasked
rightsourceip = 10.8.0.0/24
#leftprotoport = 17/1701
#rightprotoport = 17/%any
ifconfig
eth1 Link encap:Ethernet HWaddr aa:00:04:00:0a:04
inet addr:192.168.1.110 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::21e:4fff:feaa:1577/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:157187 errors:0 dropped:0 overruns:0 frame:0
TX packets:162827 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:121434663 (121.4 MB) TX bytes:129069773 (129.0 MB)
Interrupt:21 Memory:fe9e0000-fea00000
ham0 Link encap:Ethernet HWaddr 7a:79:19:da:fb:84
inet addr:25.218.251.132 Bcast:25.255.255.255 Mask:255.0.0.0
inet6 addr: fe80::7879:19ff:feda:fb84/64 Scope:Link
inet6 addr: 2620:9b::19da:fb84/96 Scope:Global
UP BROADCAST RUNNING MULTICAST MTU:1404 Metric:1
RX packets:1622 errors:0 dropped:0 overruns:0 frame:0
TX packets:3115 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:384780 (384.7 KB) TX bytes:1249410 (1.2 MB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:6554 errors:0 dropped:0 overruns:0 frame:0
TX packets:6554 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:2036987 (2.0 MB) TX bytes:2036987 (2.0 MB)
iptables
# Generated by iptables-save v1.4.12 on Fri May 9 10:33:46 2014
*mangle
:PREROUTING ACCEPT [604388:58921019]
:INPUT ACCEPT [4937028:2589137657]
:FORWARD ACCEPT [22:1366]
:OUTPUT ACCEPT [3919078:5188868578]
:POSTROUTING ACCEPT [4008714:5195778648]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Fri May 9 10:33:46 2014
# Generated by iptables-save v1.4.12 on Fri May 9 10:33:46 2014
*filter
:INPUT ACCEPT [1737:217459]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [16831:20344894]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_U_ADMIN_IN - [0:0]
:AS0_U_USERLOCA_IN - [0:0]
:AS0_WEBACCEPT - [0:0]
:fail2ban-apache - [0:0]
:fail2ban-apache-404 - [0:0]
:fail2ban-apache-noscript - [0:0]
:fail2ban-apache-overflows - [0:0]
:fail2ban-apache-postflood - [0:0]
:fail2ban-ip-blocklist - [0:0]
:fail2ban-repeatoffender - [0:0]
:fail2ban-ssh - [0:0]
:fail2ban-ssh-ddos - [0:0]
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-404
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-noscript
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
-A INPUT -p tcp -j fail2ban-ip-blocklist
-A INPUT -p tcp -j fail2ban-repeatoffender
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh-ddos
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-postflood
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache-overflows
-A INPUT -p tcp -m multiport --dports 80,443 -j fail2ban-apache
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN -d 10.0.8.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j ACCEPT
-A AS0_OUT -j DROP
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_U_ADMIN_IN -d 192.168.1.0/24 -j ACCEPT
-A AS0_U_ADMIN_IN -j AS0_IN_POST
-A AS0_U_USERLOCA_IN -d 192.168.1.0/24 -j ACCEPT
-A AS0_U_USERLOCA_IN -j AS0_IN_POST
-A AS0_WEBACCEPT -j ACCEPT
-A fail2ban-apache -j RETURN
-A fail2ban-apache-404 -j RETURN
-A fail2ban-apache-noscript -j RETURN
-A fail2ban-apache-overflows -j RETURN
-A fail2ban-apache-postflood -j RETURN
-A fail2ban-ip-blocklist -j RETURN
-A fail2ban-repeatoffender -j RETURN
-A fail2ban-ssh -j RETURN
-A fail2ban-ssh-ddos -j RETURN
COMMIT
# Completed on Fri May 9 10:33:46 2014
# Generated by iptables-save v1.4.12 on Fri May 9 10:33:46 2014
*nat
:PREROUTING ACCEPT [906:84714]
:INPUT ACCEPT [860:81590]
:OUTPUT ACCEPT [233:50740]
:POSTROUTING ACCEPT [233:50740]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A POSTROUTING -d 192.168.2.0/24 -o ppp0 -j MASQUERADE
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE
-A AS0_NAT -o eth1 -j SNAT --to-source 192.168.1.110
-A AS0_NAT -o ham0 -j SNAT --to-source 25.218.251.132
-A AS0_NAT -o tun0 -j SNAT --to-source 10.8.0.1
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -d 10.0.8.0/24 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Fri May 9 10:33:46 2014
chính sách ip xfrm
src 10.8.0.1/32 dst 0.0.0.0/0 proto udp dport 1701
dir fwd priority 1920
tmpl src 166.147.118.120 dst 192.168.1.110
proto esp reqid 3 mode tunnel
src 10.8.0.1/32 dst 0.0.0.0/0 proto udp dport 1701
dir in priority 1920
tmpl src 166.147.118.120 dst 192.168.1.110
proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 10.8.0.1/32 proto udp sport 1701
dir out priority 1920
tmpl src 192.168.1.110 dst 166.147.118.120
proto esp reqid 3 mode tunnel
Một vài điều có vẻ hơi lạ đối với tôi (không nên đưa ipsec0 lên hoặc một cái gì đó khi kết nối được thiết lập?), Nhưng tôi đã bối rối vào thời điểm này và thực sự sẽ đánh giá cao sự giúp đỡ nào đó.
Chỉnh sửa : Nhận xét các dòng protoport và gỡ xuống giao diện tun0.
left|rightprotoport
tùy chọn. Với những giá trị đó, chúng được sử dụng khi sử dụng IKEv1 / L2TP / IPsec mà bạn không sử dụng, bạn đang sử dụng IKEv2 với IPsec đơn giản. Tại sao có một thiết bị TUN có địa chỉ IP của máy khách được gán? Đọc Chuyển tiếp và phân chia đường hầm trên wiki mạnhSwan cũng có thể giúp ích.