Strongswan has a connection but no tunnel

I am using strongswan as a road-warrior VPN server. I have two machines running this software, one on Raspbian and the other on CentOS 7. The Raspbian machine works fine, but the CentOS one does not.

The problem on CentOS seems to be that packets are not being tunnelled.

This is the output from tshark.

    88 6.655929830 67.22.27.75 → 10.202.121.120 ESP 146 ESP (SPI=0xc542d5c5)
    89 6.655929830 192.168.3.1 → 8.8.4.4 DNS 71 Standard query 0x26a6 A dealsea.com

67.22.27.75 is the road warrior's IP and 192.168.3.1 is the virtual IP assigned by strongswan.

On the working Raspbian instance, the tshark output looks like this:

    45 3.318470851 104.38.166.37 → 10.111.58.102 ESP 146 ESP (SPI=0xc7ca8886)
    46 3.318470851 10.202.122.1 → 8.8.4.4 DNS 67 Standard query 0x10af A psu.edu
    47 3.318656688 10.111.58.102 → 8.8.4.4 DNS 67 Standard query 0x10af A psu.edu

Here 104.38.166.37 is the router's IP, 10.202.122.1 is the virtual IP, and 10.111.58.102 is the IP address of the strongswan server on the local network.

Both machines use the same configuration files:

ipsec.conf

    config setup
        charondebug="ike 2, knl 2, cfg 2, net 2, esp 2, dmn 2, mgr 2"
        uniqueids=no

    conn ikev2-vpn
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256!
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftid=@MYHOSTNAME
        leftcert=/etc/strongswan/ipsec.d/certs/vpn-server-cert.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightsourceip=10.202.122.1/24
        rightdns=8.8.8.8,8.8.4.4
        rightsendcert=never
        eap_identity=%identity

strongswan.conf

    charon {
        load_modular = yes
        plugins {
            include strongswan.d/charon/*.conf
        }
    }
    include strongswan.d/*.conf

iptables-save output on the server:

    # Generated by iptables-save v1.4.21 on Fri Oct 6 09:09:50 2017
    *nat
    :PREROUTING ACCEPT [6817:1235375]
    :INPUT ACCEPT [18:2342]
    :OUTPUT ACCEPT [37384:3449660]
    :POSTROUTING ACCEPT [1:42]
    :OUTPUT_direct - [0:0]
    :POSTROUTING_ZONES - [0:0]
    :POSTROUTING_ZONES_SOURCE - [0:0]
    :POSTROUTING_direct - [0:0]
    :POST_drop - [0:0]
    :POST_drop_allow - [0:0]
    :POST_drop_deny - [0:0]
    :POST_drop_log - [0:0]
    :PREROUTING_ZONES - [0:0]
    :PREROUTING_ZONES_SOURCE - [0:0]
    :PREROUTING_direct - [0:0]
    :PRE_drop - [0:0]
    :PRE_drop_allow - [0:0]
    :PRE_drop_deny - [0:0]
    :PRE_drop_log - [0:0]
    -A PREROUTING -j PREROUTING_direct
    -A PREROUTING -j PREROUTING_ZONES_SOURCE
    -A PREROUTING -j PREROUTING_ZONES
    -A OUTPUT -j OUTPUT_direct
    -A POSTROUTING -j POSTROUTING_direct
    -A POSTROUTING -j POSTROUTING_ZONES_SOURCE
    -A POSTROUTING -j POSTROUTING_ZONES
    -A POSTROUTING_ZONES -o enp0s25 -j POST_drop
    -A POSTROUTING_ZONES -j POST_drop
    -A POST_drop -j POST_drop_log
    -A POST_drop -j POST_drop_deny
    -A POST_drop -j POST_drop_allow
    -A POST_drop_allow ! -o lo -j MASQUERADE
    -A PREROUTING_ZONES -i enp0s25 -j PRE_drop
    -A PREROUTING_ZONES -j PRE_drop
    -A PRE_drop -j PRE_drop_log
    -A PRE_drop -j PRE_drop_deny
    -A PRE_drop -j PRE_drop_allow
    COMMIT
    # Completed on Fri Oct 6 09:09:50 2017
    # Generated by iptables-save v1.4.21 on Fri Oct 6 09:09:50 2017
    *mangle
    :PREROUTING ACCEPT [119158:81622108]
    :INPUT ACCEPT [119106:81612125]
    :FORWARD ACCEPT [51:9630]
    :OUTPUT ACCEPT [182387:35412441]
    :POSTROUTING ACCEPT [188177:36690351]
    :FORWARD_direct - [0:0]
    :INPUT_direct - [0:0]
    :OUTPUT_direct - [0:0]
    :POSTROUTING_direct - [0:0]
    :PREROUTING_ZONES - [0:0]
    :PREROUTING_ZONES_SOURCE - [0:0]
    :PREROUTING_direct - [0:0]
    :PRE_drop - [0:0]
    :PRE_drop_allow - [0:0]
    :PRE_drop_deny - [0:0]
    :PRE_drop_log - [0:0]
    -A PREROUTING -j PREROUTING_direct
    -A PREROUTING -j PREROUTING_ZONES_SOURCE
    -A PREROUTING -j PREROUTING_ZONES
    -A INPUT -j INPUT_direct
    -A FORWARD -j FORWARD_direct
    -A OUTPUT -j OUTPUT_direct
    -A POSTROUTING -j POSTROUTING_direct
    -A PREROUTING_ZONES -i enp0s25 -j PRE_drop
    -A PREROUTING_ZONES -j PRE_drop
    -A PRE_drop -j PRE_drop_log
    -A PRE_drop -j PRE_drop_deny
    -A PRE_drop -j PRE_drop_allow
    COMMIT
    # Completed on Fri Oct 6 09:09:50 2017
    # Generated by iptables-save v1.4.21 on Fri Oct 6 09:09:50 2017
    *security
    :INPUT ACCEPT [106545:79110205]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [182387:35412441]
    :FORWARD_direct - [0:0]
    :INPUT_direct - [0:0]
    :OUTPUT_direct - [0:0]
    -A INPUT -j INPUT_direct
    -A FORWARD -j FORWARD_direct
    -A OUTPUT -j OUTPUT_direct
    COMMIT
    # Completed on Fri Oct 6 09:09:50 2017
    # Generated by iptables-save v1.4.21 on Fri Oct 6 09:09:50 2017
    *raw
    :PREROUTING ACCEPT [119158:81622108]
    :OUTPUT ACCEPT [182387:35412441]
    :OUTPUT_direct - [0:0]
    :PREROUTING_ZONES - [0:0]
    :PREROUTING_ZONES_SOURCE - [0:0]
    :PREROUTING_direct - [0:0]
    :PRE_drop - [0:0]
    :PRE_drop_allow - [0:0]
    :PRE_drop_deny - [0:0]
    :PRE_drop_log - [0:0]
    -A PREROUTING -j PREROUTING_direct
    -A PREROUTING -j PREROUTING_ZONES_SOURCE
    -A PREROUTING -j PREROUTING_ZONES
    -A OUTPUT -j OUTPUT_direct
    -A PREROUTING_ZONES -i enp0s25 -j PRE_drop
    -A PREROUTING_ZONES -j PRE_drop
    -A PRE_drop -j PRE_drop_log
    -A PRE_drop -j PRE_drop_deny
    -A PRE_drop -j PRE_drop_allow
    COMMIT
    # Completed on Fri Oct 6 09:09:50 2017
    # Generated by iptables-save v1.4.21 on Fri Oct 6 09:09:50 2017
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [182387:35412441]
    :FORWARD_IN_ZONES - [0:0]
    :FORWARD_IN_ZONES_SOURCE - [0:0]
    :FORWARD_OUT_ZONES - [0:0]
    :FORWARD_OUT_ZONES_SOURCE - [0:0]
    :FORWARD_direct - [0:0]
    :FWDI_drop - [0:0]
    :FWDI_drop_allow - [0:0]
    :FWDI_drop_deny - [0:0]
    :FWDI_drop_log - [0:0]
    :FWDO_drop - [0:0]
    :FWDO_drop_allow - [0:0]
    :FWDO_drop_deny - [0:0]
    :FWDO_drop_log - [0:0]
    :INPUT_ZONES - [0:0]
    :INPUT_ZONES_SOURCE - [0:0]
    :INPUT_direct - [0:0]
    :IN_drop - [0:0]
    :IN_drop_allow - [0:0]
    :IN_drop_deny - [0:0]
    :IN_drop_log - [0:0]
    :OUTPUT_direct - [0:0]
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -j INPUT_direct
    -A INPUT -j INPUT_ZONES_SOURCE
    -A INPUT -j INPUT_ZONES
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i lo -j ACCEPT
    -A FORWARD -j FORWARD_direct
    -A FORWARD -j FORWARD_IN_ZONES_SOURCE
    -A FORWARD -j FORWARD_IN_ZONES
    -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
    -A FORWARD -j FORWARD_OUT_ZONES
    -A FORWARD -m conntrack --ctstate INVALID -j DROP
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    -A OUTPUT -j OUTPUT_direct
    -A FORWARD_IN_ZONES -i enp0s25 -j FWDI_drop
    -A FORWARD_IN_ZONES -j FWDI_drop
    -A FORWARD_OUT_ZONES -o enp0s25 -j FWDO_drop
    -A FORWARD_OUT_ZONES -j FWDO_drop
    -A FWDI_drop -j FWDI_drop_log
    -A FWDI_drop -j FWDI_drop_deny
    -A FWDI_drop -j FWDI_drop_allow
    -A FWDI_drop -j DROP
    -A FWDO_drop -j FWDO_drop_log
    -A FWDO_drop -j FWDO_drop_deny
    -A FWDO_drop -j FWDO_drop_allow
    -A FWDO_drop -j DROP
    -A FWDO_drop_allow -m conntrack --ctstate NEW -j ACCEPT
    -A INPUT_ZONES -i enp0s25 -j IN_drop
    -A INPUT_ZONES -j IN_drop
    -A IN_drop -j IN_drop_log
    -A IN_drop -j IN_drop_deny
    -A IN_drop -j IN_drop_allow
    -A IN_drop -j DROP
    -A IN_drop_allow -p esp -m conntrack --ctstate NEW -j ACCEPT
    -A IN_drop_allow -p ah -m conntrack --ctstate NEW -j ACCEPT
    -A IN_drop_allow -p udp -m udp --dport 500 -m conntrack --ctstate NEW -j ACCEPT
    -A IN_drop_allow -p udp -m udp --dport 4500 -m conntrack --ctstate NEW -j ACCEPT
    -A IN_drop_allow -p udp -m udp --dport 500 -m conntrack --ctstate NEW -j ACCEPT
    -A IN_drop_allow -p udp -m udp --dport 4500 -m conntrack --ctstate NEW -j ACCEPT
    COMMIT
    # Completed on Fri Oct 6 09:09:50 2017

iptables-save output on the client:

    # Generated by iptables-save v1.4.21 on Fri Oct 6 09:15:58 2017
    *nat
    :PREROUTING ACCEPT [5730:255228]
    :INPUT ACCEPT [166:9920]
    :OUTPUT ACCEPT [134648:14023445]
    :POSTROUTING ACCEPT [134648:14023445]
    :OUTPUT_direct - [0:0]
    :POSTROUTING_ZONES - [0:0]
    :POSTROUTING_ZONES_SOURCE - [0:0]
    :POSTROUTING_direct - [0:0]
    :POST_drop - [0:0]
    :POST_drop_allow - [0:0]
    :POST_drop_deny - [0:0]
    :POST_drop_log - [0:0]
    :PREROUTING_ZONES - [0:0]
    :PREROUTING_ZONES_SOURCE - [0:0]
    :PREROUTING_direct - [0:0]
    :PRE_drop - [0:0]
    :PRE_drop_allow - [0:0]
    :PRE_drop_deny - [0:0]
    :PRE_drop_log - [0:0]
    -A PREROUTING -j PREROUTING_direct
    -A PREROUTING -j PREROUTING_ZONES_SOURCE
    -A PREROUTING -j PREROUTING_ZONES
    -A OUTPUT -j OUTPUT_direct
    -A POSTROUTING -j POSTROUTING_direct
    -A POSTROUTING -j POSTROUTING_ZONES_SOURCE
    -A POSTROUTING -j POSTROUTING_ZONES
    -A POSTROUTING_ZONES -o wlp3s0 -j POST_drop
    -A POSTROUTING_ZONES -j POST_drop
    -A POST_drop -j POST_drop_log
    -A POST_drop -j POST_drop_deny
    -A POST_drop -j POST_drop_allow
    -A PREROUTING_ZONES -i wlp3s0 -j PRE_drop
    -A PREROUTING_ZONES -j PRE_drop
    -A PRE_drop -j PRE_drop_log
    -A PRE_drop -j PRE_drop_deny
    -A PRE_drop -j PRE_drop_allow
    COMMIT
    # Completed on Fri Oct 6 09:15:58 2017
    # Generated by iptables-save v1.4.21 on Fri Oct 6 09:15:58 2017
    *mangle
    :PREROUTING ACCEPT [4053472:653310426]
    :INPUT ACCEPT [4050417:653148889]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [3972204:10494033871]
    :POSTROUTING ACCEPT [3992350:10498514887]
    :FORWARD_direct - [0:0]
    :INPUT_direct - [0:0]
    :OUTPUT_direct - [0:0]
    :POSTROUTING_direct - [0:0]
    :PREROUTING_ZONES - [0:0]
    :PREROUTING_ZONES_SOURCE - [0:0]
    :PREROUTING_direct - [0:0]
    :PRE_drop - [0:0]
    :PRE_drop_allow - [0:0]
    :PRE_drop_deny - [0:0]
    :PRE_drop_log - [0:0]
    -A PREROUTING -j PREROUTING_direct
    -A PREROUTING -j PREROUTING_ZONES_SOURCE
    -A PREROUTING -j PREROUTING_ZONES
    -A INPUT -j INPUT_direct
    -A FORWARD -j FORWARD_direct
    -A OUTPUT -j OUTPUT_direct
    -A POSTROUTING -j POSTROUTING_direct
    -A PREROUTING_ZONES -i wlp3s0 -j PRE_drop
    -A PREROUTING_ZONES -j PRE_drop
    -A PRE_drop -j PRE_drop_log
    -A PRE_drop -j PRE_drop_deny
    -A PRE_drop -j PRE_drop_allow
    COMMIT
    # Completed on Fri Oct 6 09:15:58 2017
    # Generated by iptables-save v1.4.21 on Fri Oct 6 09:15:58 2017
    *security
    :INPUT ACCEPT [4027162:648560078]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [3972204:10494033871]
    :FORWARD_direct - [0:0]
    :INPUT_direct - [0:0]
    :OUTPUT_direct - [0:0]
    -A INPUT -j INPUT_direct
    -A FORWARD -j FORWARD_direct
    -A OUTPUT -j OUTPUT_direct
    COMMIT
    # Completed on Fri Oct 6 09:15:58 2017
    # Generated by iptables-save v1.4.21 on Fri Oct 6 09:15:58 2017
    *raw
    :PREROUTING ACCEPT [4053472:653310426]
    :OUTPUT ACCEPT [3972204:10494033871]
    :OUTPUT_direct - [0:0]
    :PREROUTING_ZONES - [0:0]
    :PREROUTING_ZONES_SOURCE - [0:0]
    :PREROUTING_direct - [0:0]
    :PRE_drop - [0:0]
    :PRE_drop_allow - [0:0]
    :PRE_drop_deny - [0:0]
    :PRE_drop_log - [0:0]
    -A PREROUTING -j PREROUTING_direct
    -A PREROUTING -j PREROUTING_ZONES_SOURCE
    -A PREROUTING -j PREROUTING_ZONES
    -A OUTPUT -j OUTPUT_direct
    -A PREROUTING_ZONES -i wlp3s0 -j PRE_drop
    -A PREROUTING_ZONES -j PRE_drop
    -A PRE_drop -j PRE_drop_log
    -A PRE_drop -j PRE_drop_deny
    -A PRE_drop -j PRE_drop_allow
    COMMIT
    # Completed on Fri Oct 6 09:15:58 2017
    # Generated by iptables-save v1.4.21 on Fri Oct 6 09:15:58 2017
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [3972204:10494033871]
    :FORWARD_IN_ZONES - [0:0]
    :FORWARD_IN_ZONES_SOURCE - [0:0]
    :FORWARD_OUT_ZONES - [0:0]
    :FORWARD_OUT_ZONES_SOURCE - [0:0]
    :FORWARD_direct - [0:0]
    :FWDI_drop - [0:0]
    :FWDI_drop_allow - [0:0]
    :FWDI_drop_deny - [0:0]
    :FWDI_drop_log - [0:0]
    :FWDO_drop - [0:0]
    :FWDO_drop_allow - [0:0]
    :FWDO_drop_deny - [0:0]
    :FWDO_drop_log - [0:0]
    :INPUT_ZONES - [0:0]
    :INPUT_ZONES_SOURCE - [0:0]
    :INPUT_direct - [0:0]
    :IN_drop - [0:0]
    :IN_drop_allow - [0:0]
    :IN_drop_deny - [0:0]
    :IN_drop_log - [0:0]
    :OUTPUT_direct - [0:0]
    -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -j INPUT_direct
    -A INPUT -j INPUT_ZONES_SOURCE
    -A INPUT -j INPUT_ZONES
    -A INPUT -m conntrack --ctstate INVALID -j DROP
    -A INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i lo -j ACCEPT
    -A FORWARD -j FORWARD_direct
    -A FORWARD -j FORWARD_IN_ZONES_SOURCE
    -A FORWARD -j FORWARD_IN_ZONES
    -A FORWARD -j FORWARD_OUT_ZONES_SOURCE
    -A FORWARD -j FORWARD_OUT_ZONES
    -A FORWARD -m conntrack --ctstate INVALID -j DROP
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    -A OUTPUT -j OUTPUT_direct
    -A FORWARD_IN_ZONES -i wlp3s0 -j FWDI_drop
    -A FORWARD_IN_ZONES -j FWDI_drop
    -A FORWARD_OUT_ZONES -o wlp3s0 -j FWDO_drop
    -A FORWARD_OUT_ZONES -j FWDO_drop
    -A FWDI_drop -j FWDI_drop_log
    -A FWDI_drop -j FWDI_drop_deny
    -A FWDI_drop -j FWDI_drop_allow
    -A FWDI_drop -j DROP
    -A FWDO_drop -j FWDO_drop_log
    -A FWDO_drop -j FWDO_drop_deny
    -A FWDO_drop -j FWDO_drop_allow
    -A FWDO_drop -j DROP
    -A INPUT_ZONES -i wlp3s0 -j IN_drop
    -A INPUT_ZONES -j IN_drop
    -A IN_drop -j IN_drop_log
    -A IN_drop -j IN_drop_deny
    -A IN_drop -j IN_drop_allow
    -A IN_drop -j DROP
    COMMIT
    # Completed on Fri Oct 6 09:15:58 2017

How can I get the CentOS instance working?
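An added example, not part of the question or of strongswan: a small simulator that walks the server's filter-table FORWARD chain the way iptables would for a packet that has just been decrypted from the tunnel, reporting which rule terminates it. It assumes the packet enters and leaves on enp0s25 (the only interface in the dump) with conntrack state NEW, and models only the -i/-o/--ctstate matches that occur in those chains; the embedded dump is a trimmed copy of the server filter table quoted above, with jumps to empty chains and the INVALID rule left out.

```python
"""Added example (not from the question): walk the server's FORWARD chain as iptables
does for a freshly decrypted tunnel packet. The dump is a trimmed copy of the one above."""
import shlex

SERVER_FILTER = """
:FORWARD ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD_IN_ZONES -i enp0s25 -j FWDI_drop
-A FORWARD_OUT_ZONES -o enp0s25 -j FWDO_drop
-A FWDI_drop -j FWDI_drop_allow
-A FWDI_drop -j DROP
-A FWDO_drop -j FWDO_drop_allow
-A FWDO_drop -j DROP
-A FWDO_drop_allow -m conntrack --ctstate NEW -j ACCEPT
"""

def parse(dump):
    """Chain name -> ordered rules; only the -i/-o/--ctstate/-j fields used below are kept."""
    chains, keys = {}, {"-i": "in", "-o": "out", "--ctstate": "ct", "-j": "target"}
    for line in dump.splitlines():
        tok = shlex.split(line)
        if tok[:1] != ["-A"]:  # skips the ":FORWARD ..." policy line and blanks
            continue
        rule = {keys[t]: tok[i + 1] for i, t in enumerate(tok) if t in keys}
        chains.setdefault(tok[1], []).append(rule)
    return chains

def walk(chains, chain, pkt):
    """First terminating verdict as (verdict, chain), or None if the chain falls through."""
    for r in chains.get(chain, []):
        if r.get("in", pkt["in"]) != pkt["in"] or r.get("out", pkt["out"]) != pkt["out"]:
            continue
        if pkt["ct"] not in r.get("ct", pkt["ct"]).split(","):
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"], chain
        hit = walk(chains, r["target"], pkt)  # user-defined chain; an empty one falls through
        if hit:
            return hit
    return None

def forward_verdict(dump, pkt):
    return walk(parse(dump), "FORWARD", pkt) or ("policy", "FORWARD")

# Constructed packet: a decrypted DNS query, first of a NEW flow, in and out on enp0s25.
TUNNEL_PKT = {"in": "enp0s25", "out": "enp0s25", "ct": "NEW"}
```

For the dump above the NEW packet reaches FWDI_drop, whose allow chain is empty, before the FWDO_drop_allow ACCEPT is ever consulted; the same walk with ct set to ESTABLISHED is accepted by the first FORWARD rule.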