Cannot ping remote host through NAT on ipsec enc0 (mtu = 0)

I connected an IPsec VPN to a remote host. Since the remote host accepts only one IP, I NAT the local network on enc0. Ping from the IPsec host is fine:

 PING 172.20.162.150 (172.20.162.150): 56 data bytes
 64 bytes from 172.20.162.150: icmp_seq=0 ttl=252 time=2.597 ms

But ping from the local network fails:

 PING 172.20.162.150 (172.20.162.150) 56(84) bytes of data.
 From 192.168.1.5 icmp_seq=1 Frag needed and DF set (mtu = 0)

The MTU of enc0 is 0, and I can't change it:

 netstat -i
 Name  Mtu  Network       Address       Ipkts Ierrs Opkts Oerrs Colls
 enc0  0    <Link>                      29    0     29    0     0
 enc0  0    172.25.41.1   172.25.41.10  29    0     29    0     0

I tried using scrub in pf.conf, but it didn't help:

 match in on enc0 scrub (no-df max-mss 1452) 

or

 match in all scrub (no-df max-mss 1452)

sudo ifconfig enc0 mtu 1452 returns:

 SIOCSIFMTU: Inappropriate ioctl for device 

Unfortunately, there are no solution options (((

Other settings that may help in understanding the problem:

 172.20.162.150 - remote host
 172.25.41.10 - local ip for enc0 (only this ip accepted by 172.20.162.150)
 192.168.1.0/24 local net and 192.168.1.5 ip of my host for local net

 /etc/hostname.enc0
 inet 172.25.41.10 255.255.255.255
 up
 !/sbin/route add -host 172.20.162.150 172.25.41.10

 /etc/ipsec.conf
 ike esp from 172.25.41.10/32 to 172.20.162.150/32 peer 80.*.*.132 \
     main auth hmac-sha1 enc aes-256 group modp1024 lifetime 86400 \
     quick auth hmac-sha1 enc aes-256 group modp1024 lifetime 3600 \
     psk ***********

 /etc/pf.conf
 pass from 172.20.162.150 to any
 pass out quick on enc0 from <localnet> to 172.20.162.150 nat-to enc0 keep state (if-bound)

 tcpdump for ping from local net for internal net if
 192.168.1.13 > 172.20.162.150: icmp: echo request (id:777a seq:5) [icmp cksum ok] (DF) (ttl 64, id 30758, len 84)
 192.168.1.5 > 192.168.1.13: icmp: 172.20.162.150 unreachable - need to frag [icmp cksum ok] (ttl 255, id 44410, len 56, bad ip cksum 0! -> 8ae7)

 tcpdump for enc0 is empty.

 Statistic for nat from pfctl:
 sudo pfctl -s state | grep 172.20.162.150
 all  icmp 172.20.162.150:8 <- 192.168.1.13:30586   0:0
 enc0 icmp 172.25.41.10:61751 (192.168.1.13:30586) -> 172.20.162.150:8   0:0

Maybe someone has faced a similar problem and can solve it quickly.