Strongswan site-to-site VPN connected/established, but cannot ping servers on the remote subnet

I have been trying to troubleshoot a site-to-site VPN problem for a few days. I am connecting to a company's VPN whose setup I do not control or have access to. I am running a DigitalOcean VPS (not sure whether DO's specific infrastructure plays a role here) running Ubuntu 16.04 and using Strongswan 5.3.5.

I have gotten as far as having the network engineer on their side confirm that the VPN connection comes up successfully. They cannot see any of my traffic, and I cannot get ping replies from the servers on their subnet.

Please help. I am not a network expert, so explain-like-I'm-5 is welcome (and encouraged). I do not have any additional servers behind the VPS that Strongswan is installed on. I need to communicate with the corporate servers from that same VPS.

    ME (VPS)      <<<>>> internet <<<>>> CORPORATE VPN <<<>>> CORP SERVERS
    138.xx.xx.xx    <>   internet   <>    41.yy.yy.yy    <>    172.zz.zz.zz

All of the information below was captured while the VPN tunnel was up.

ipsec status

    $: ipsec statusall
    Status of IKE charon daemon (strongSwan 5.3.5, Linux 4.4.0-96-generic, x86_64):
      uptime: 20 minutes, since Sep 28 10:30:07 2017
      malloc: sbrk 1634304, mmap 0, used 582896, free 1051408
      worker threads: 7 of 16 idle, 5/0/4/0 working, job queue: 0/0/0/0, scheduled: 6
      loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac ccm gcm attr kernel-libipsec kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp lookip error-notify certexpire led addrblock unity
    Listening IP addresses:
      138.xx.xx.xx
      10.16.0.5
    Connections:
         my-conn:  138.xx.xx.xx...41.yy.yy.yy  IKEv2
         my-conn:   local:  [138.xx.xx.xx] uses pre-shared key authentication
         my-conn:   remote: [41.yy.yy.yy] uses pre-shared key authentication
         my-conn:   child:  138.xx.xx.xx/32 === 172.zz.zz.zz/24 TUNNEL
    Security Associations (1 up, 0 connecting):
         my-conn[1]: ESTABLISHED 20 minutes ago, 138.xx.xx.xx[138.xx.xx.xx]...41.yy.yy.yy[41.yy.yy.yy]
         my-conn[1]: IKEv2 SPIs: 981bda0c250576ed_i 890fb1ffd688230e_r*, pre-shared key reauthentication in 7 hours
         my-conn[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
         my-conn{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: dbb4f9b1_i 0d49761f_o
         my-conn{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 252 bytes_o (3 pkts, 1197s ago), rekeying in 23 hours
         my-conn{1}:   138.xx.xx.xx/32 === 172.ww.ww.ww/32
         my-conn{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: 6e95fb25_i 09e475d6_o
         my-conn{2}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
         my-conn{2}:   138.xx.xx.xx/32 === 172.ww.ww.zz/32

Contents of ipsec.conf

    # ipsec.conf - strongSwan IPsec configuration file

    config setup
        cachecrls=yes
        uniqueids=yes
        nat_traversal=yes

    conn %default
        ikelifetime=28800s
        lifetime=1440m
        margintime=3m
        keyingtries=2
        authby=secret
        keyexchange=ikev2

    conn my-conn
        type=tunnel
        left=138.xx.xx.xx
        leftsubnet=138.xx.xx.xx
        #leftfirewall=yes
        right=41.yy.yy.yy
        rightsubnet=172.zz.zz.zz/24
        ike=aes256-sha256-modp1536
        esp=aes256-sha256-modp1536
        auto=add
        #rightsourceip=172.ww.ww.yy,172.ww.ww.zz

Contents of iptables-save

    # Generated by iptables-save v1.6.0 on Wed Sep 27 14:36:20 2017
    *mangle
    :PREROUTING ACCEPT [11416:1336562]
    :INPUT ACCEPT [11416:1336562]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [12308:1948095]
    :POSTROUTING ACCEPT [12308:1948095]
    COMMIT
    # Completed on Wed Sep 27 14:36:20 2017
    # Generated by iptables-save v1.6.0 on Wed Sep 27 14:36:20 2017
    *nat
    :PREROUTING ACCEPT [4:200]
    :INPUT ACCEPT [2:120]
    :OUTPUT ACCEPT [4:266]
    :POSTROUTING ACCEPT [4:266]
    -A POSTROUTING -s 10.16.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
    -A POSTROUTING -s 10.16.0.0/24 -o eth0 -j MASQUERADE
    COMMIT
    # Completed on Wed Sep 27 14:36:20 2017
    # Generated by iptables-save v1.6.0 on Wed Sep 27 14:36:20 2017
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [11109:1768005]
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p udp -m udp --dport 500 -j ACCEPT
    -A INPUT -p udp -m udp --dport 4500 -j ACCEPT
    -A INPUT -j DROP
    -A INPUT -p esp -j ACCEPT
    COMMIT

ip route show

    $: ip route show
    default via 138.xx.xx.xx dev eth0 onlink
    10.16.0.0/16 dev eth0  proto kernel  scope link  src 10.16.0.5
    138.xx.xx.xx/20 dev eth0  proto kernel  scope link  src 138.xx.xx.xx

ifconfig

    $: ifconfig
    eth0      Link encap:Ethernet  HWaddr XX:XX:XX:XX:XX:XX
              inet addr:138.xx.xx.xx  Bcast:138.xx.xx.255  Mask:255.255.xx.0
              inet6 addr: fe80::78ab:64ff:fee9:a6a5/64 Scope:Link
              inet6 addr: XXXX::XXXX:XXXX:XXXX:XXXX/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:91775 errors:0 dropped:0 overruns:0 frame:0
              TX packets:100307 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:14598431 (14.5 MB)  TX bytes:23615037 (23.6 MB)

    ipsec0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
              UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:500
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:65536  Metric:1
              RX packets:12670 errors:0 dropped:0 overruns:0 frame:0
              TX packets:12670 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1
              RX bytes:722578 (722.5 KB)  TX bytes:722578 (722.5 KB)

ip route show table 220

    $: ip route show table 220
    172.zz.zz.yy dev ipsec0  proto static  src 138.xx.xx.xx

From what I can see you appear to be connected, but with either the wrong encryption or a misconfigured key. Share more of your ipsec.secrets file.

For now, try this in your ipsec.conf;

    conn my-conn
        aggressive=no
        authby=secret
        auto=start
        esp=3des-sha1-modp1024
        ike=3des-sha1-modp1024
        ikelifetime=28800s
        keyexchange=ike
        rightid=41.yy.yy.yy
        leftid=46.101.81.172
        left=138.xx.xx.xx
        right=41.yy.yy.yy
        rightsubnet=72.zz.zz.0/24

The left subnet does not matter.. check the encryption. I suggest

    esp=3des-sha1-modp1024
    ike=3des-sha1-modp1024

instead of;

    ike=aes256-sha256-modp1536
    esp=aes256-sha256-modp1536

This suggestion is based on the private information you sent me.

Cheers!
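Both the `ipsec statusall` listing in the question and the proposal change suggested in the answer above hinge on what strongSwan actually reports for the established SAs: the IKE and ESP proposals the peer accepted, the traffic selectors that were installed (which a peer may narrow from the configured rightsubnet to individual hosts), and the per-SA byte counters. The following Python script is an added diagnostic, not code from the question or from either answer. It assumes the strongSwan 5.x `ipsec statusall` line format shown in the question; the sample output is constructed with RFC 5737 and RFC 1918 test addresses and the conn name `my-conn`, with the SPIs copied from the listing above.

```python
"""Parse `ipsec statusall` and explain, from the SA view alone, why a ping
to an address on the remote subnet can get no reply.  Added diagnostic,
not from the original question or answers.  SAMPLE_STATUSALL is constructed
to mirror the anonymised listing in the question (strongSwan 5.x format)."""
import ipaddress
import re
import sys

SAMPLE_STATUSALL = """\
Connections:
     my-conn:  198.51.100.10...203.0.113.20  IKEv2
     my-conn:   local:  [198.51.100.10] uses pre-shared key authentication
     my-conn:   remote: [203.0.113.20] uses pre-shared key authentication
     my-conn:   child:  198.51.100.10/32 === 172.16.5.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
     my-conn[1]: ESTABLISHED 20 minutes ago, 198.51.100.10[198.51.100.10]...203.0.113.20[203.0.113.20]
     my-conn[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
     my-conn{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: dbb4f9b1_i 0d49761f_o
     my-conn{1}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 252 bytes_o (3 pkts, 1197s ago), rekeying in 23 hours
     my-conn{1}:   198.51.100.10/32 === 172.16.5.10/32
     my-conn{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: 6e95fb25_i 09e475d6_o
     my-conn{2}:  AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 23 hours
     my-conn{2}:   198.51.100.10/32 === 172.16.5.11/32
"""

# Line shapes as printed by the strongSwan 5.x stroke status plugin.
CONFIG_CHILD_RE = re.compile(r"^\s*(\S+):\s+child:\s+(\S+) === (\S+) ")
IKE_PROPOSAL_RE = re.compile(r"^\s*(\S+)\[\d+\]:\s+IKE proposal:\s+(\S+)")
CHILD_SA_RE = re.compile(r"^\s*(\S+)\{(\d+)\}:\s+(.*)$")
COUNTERS_RE = re.compile(r"^(\S+), (\d+) bytes_i, (\d+) bytes_o")
SELECTOR_RE = re.compile(r"^(\S+) === (\S+)$")


def parse_statusall(text):
    """Return {'config': {conn: configured remote subnet},
               'ike':    {conn: accepted IKE proposal},
               'child':  {(conn, n): {state, esp, bytes_in, bytes_out, remote_ts}}}."""
    status = {"config": {}, "ike": {}, "child": {}}
    for line in text.splitlines():
        m = CONFIG_CHILD_RE.match(line)
        if m:
            status["config"][m.group(1)] = ipaddress.ip_network(m.group(3), strict=False)
            continue
        m = IKE_PROPOSAL_RE.match(line)
        if m:
            status["ike"][m.group(1)] = m.group(2)
            continue
        m = CHILD_SA_RE.match(line)
        if not m:
            continue
        sa = status["child"].setdefault((m.group(1), int(m.group(2))), {})
        rest = m.group(3).strip()
        if rest.startswith("INSTALLED"):
            sa["state"] = "INSTALLED"
        c = COUNTERS_RE.match(rest)
        if c:  # "<esp algs>, N bytes_i, M bytes_o ..."
            sa["esp"], sa["bytes_in"], sa["bytes_out"] = c.group(1), int(c.group(2)), int(c.group(3))
        s = SELECTOR_RE.match(rest)
        if s:  # "<local ts> === <remote ts>": the selectors actually installed
            sa["remote_ts"] = ipaddress.ip_network(s.group(2), strict=False)
    return status


def negotiated(status, conn):
    """(accepted IKE proposal, sorted list of ESP algorithm strings in use)."""
    esp = sorted({sa["esp"] for (c, _), sa in status["child"].items() if c == conn and "esp" in sa})
    return status["ike"].get(conn), esp


def narrowed_selectors(status, conn):
    """Installed remote selectors strictly smaller than the configured rightsubnet,
    i.e. the peer narrowed the traffic selector when the CHILD_SA was created."""
    configured = status["config"][conn]
    return [sa["remote_ts"] for (c, _), sa in sorted(status["child"].items())
            if c == conn and "remote_ts" in sa
            and sa["remote_ts"] != configured and sa["remote_ts"].subnet_of(configured)]


def covering_sas(status, conn, dst):
    """Keys of INSTALLED CHILD_SAs of `conn` whose remote selector contains `dst`."""
    addr = ipaddress.ip_address(dst)
    return [key for key, sa in sorted(status["child"].items())
            if key[0] == conn and sa.get("state") == "INSTALLED"
            and "remote_ts" in sa and addr in sa["remote_ts"]]


def diagnose(status, conn, dst):
    """'no-policy'  : no installed selector covers dst, so the kernel routes it
                      normally instead of through ESP (nothing reaches the tunnel)
       'no-traffic' : a selector covers dst but the SA has carried nothing yet
       'no-reply'   : packets left encrypted (bytes_o > 0) but none came back
                      (bytes_i == 0): look at the far side's routing/firewall
       'ok'         : traffic flows both ways"""
    hits = covering_sas(status, conn, dst)
    if not hits:
        return "no-policy"
    sa = status["child"][hits[0]]
    if sa.get("bytes_out", 0) == 0:
        return "no-traffic"
    if sa.get("bytes_in", 0) == 0:
        return "no-reply"
    return "ok"


if __name__ == "__main__":
    # Pipe real output in (`ipsec statusall | python3 sa_check.py`), else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_STATUSALL
    st = parse_statusall(text)
    print("negotiated (IKE, ESP):", negotiated(st, "my-conn"))
    print("peer narrowed rightsubnet to:", [str(n) for n in narrowed_selectors(st, "my-conn")])
    for target in ("172.16.5.10", "172.16.5.11", "172.16.5.50"):
        print(target, "->", diagnose(st, "my-conn", target))
```

On the constructed sample the script reports the accepted proposals, shows that the /24 configured as rightsubnet has been narrowed to two /32 selectors, and classifies a ping to a host outside those /32s as "no-policy": such a packet never enters the tunnel, whatever cipher suite is configured. A host inside a selector with bytes_o > 0 and bytes_i == 0 is "no-reply", which points at the far side rather than at the local configuration.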

I suspect you are missing net.ipv4.ip_forward=1 in /etc/sysctl.conf.

This can be set permanently in /etc/sysctl.conf; then run sysctl -p to update the running value.

Or set it temporarily by running sysctl -w net.ipv4.ip_forward=1