I have configured a site-to-site VPN and traffic is passing through the tunnel correctly. I can ping and telnet to hosts on the other network, and they are able to ping me.
The problem I have is that when hosts on the other network send HTTP requests to an application on the web server (it is actually an application that delivers USSD menus to mobile users; the other hosts are servers belonging to the mobile network provider), I can see the request, and the handshake starts with a SYN from the other host! My server replies with a SYN,ACK, but for every one of them, the reply never reaches the other side. I am using a Cisco 820 as the router and VPN server. As far as I can tell, checking the router configuration does not show anything unusual. I do not have any firewall enabled; I use access lists for routing and access control.
I suspect the router is dropping these packets before they can be encrypted and sent through the IPsec tunnel. Could someone please suggest what might be dropping these packets?
Because the three-way handshake fails, there is no further communication.
This is the packet trace:
    25.690224 200.32.15.154 -> 192.168.0.2 TCP 74 45367 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1452 SACK_PERM=1 TSval=610983874 TSecr=0 WS=128
    25.690267 192.168.0.2 -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=763845089 TSecr=610983874 WS=128
    26.687067 192.168.0.2 -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=763845339 TSecr=610983874 WS=128
    28.687066 192.168.0.2 -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=763845839 TSecr=610983874 WS=128
    31.688116 200.32.15.154 -> 192.168.0.2 TCP 74 45367 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1452 SACK_PERM=1 TSval=610989874 TSecr=0 WS=128
    31.688147 192.168.0.2 -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=763846589 TSecr=610983874 WS=128
    32.687068 192.168.0.2 -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=763846839 TSecr=610983874 WS=128
    40.687059 192.168.0.2 -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=763848839 TSecr=610983874 WS=128
    43.689503 200.32.15.154 -> 192.168.0.2 TCP 74 45367 > http [SYN] Seq=0 Win=5840 Len=0 MSS=1452 SACK_PERM=1 TSval=611001874 TSecr=0 WS=128
    43.689531 192.168.0.2 -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=763849589 TSecr=610983874 WS=128
    56.887060 192.168.0.2 -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=763852889 TSecr=610983874 WS=128
These are the iptables rules on my server:
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere             multiport dports pop3,pop3s,imap2,imaps
    fail2ban-pureftpd  tcp  --  anywhere             anywhere             multiport dports ftp
    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
    fail2ban-dovecot-pop3imap  tcp  --  anywhere             anywhere             multiport dports pop3,pop3s,imap2,imaps
    fail2ban-pureftpd  tcp  --  anywhere             anywhere             multiport dports ftp
    fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain fail2ban-dovecot-pop3imap (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-pureftpd (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere

    Chain fail2ban-ssh (2 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere
This is the access list facing the Internet, showing how I have programmed these addresses:
    150 deny ip 192.168.0.0 0.0.0.255 host 200.32.15.152 log (306 matches)
    160 deny ip 192.168.0.0 0.0.0.255 host 200.32.15.153 log (101 matches)
    170 deny ip 192.168.0.0 0.0.0.255 host 200.32.15.154 log (141 matches)
    180 deny ip 192.168.0.0 0.0.0.255 host 200.32.15.155 log (74 matches)
This is the access list for the VPN:
    60 permit ip host 192.168.0.2 host 200.32.15.152 (132 matches)
    70 permit ip host 192.168.0.2 host 200.32.15.153 (74 matches)
    80 permit ip host 192.168.0.2 host 200.32.15.154 (146 matches)
    90 permit ip host 192.168.0.2 host 200.32.15.155 (72 matches)
These are the SAs for these addresses:
       local  ident (addr/mask/prot/port): (192.168.0.2/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (200.32.15.154/255.255.255.255/0/0)
       current_peer 41.72.111.122 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 28, #pkts encrypt: 28, #pkts digest: 28
        #pkts decaps: 68, #pkts decrypt: 68, #pkts verify: 68
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 41.222.240.23, remote crypto endpt.: 41.72.111.122
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4.1
         current outbound spi: 0x8FD440DA(2413052122)
         PFS (Y/N): N, DH group: none

         inbound esp sas:
          spi: 0xD6FEA63C(3607012924)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 19, flow_id: Onboard VPN:19, sibling_flags 80000040, crypto map: sshlink-to-savannah
            sa timing: remaining key lifetime (k/sec): (4263446/2717)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)

         inbound ah sas:

         inbound pcp sas:

         outbound esp sas:
          spi: 0x8FD440DA(2413052122)
            transform: esp-3des esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 20, flow_id: Onboard VPN:20, sibling_flags 80000040, crypto map: sshlink-to-savannah
            sa timing: remaining key lifetime (k/sec): (4263446/2717)
            IV size: 8 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)

         outbound ah sas:

         outbound pcp sas:
Could someone please help!
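An added example, not part of the original post, that automates the check the trace above was read by hand for: it parses lines in the same tshark text format, groups packets per flow, and reports handshakes where the server keeps retransmitting SYN,ACK without the client's ACK ever appearing. The sample trace is constructed (the stalled flow copies the question's addresses; the 10.0.0.5 flow is made up as a healthy control).

```python
import re
from collections import defaultdict

# Constructed sample in tshark's one-line text format: a stalled handshake taken
# from the question plus one made-up healthy flow that completes normally.
SAMPLE_TRACE = """\
25.690224 200.32.15.154 -> 192.168.0.2 TCP 74 45367 > http [SYN] Seq=0 Win=5840 Len=0
25.690267 192.168.0.2 -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0
26.687067 192.168.0.2 -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0
28.687066 192.168.0.2 -> 200.32.15.154 TCP 74 http > 45367 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0
30.100000 10.0.0.5 -> 192.168.0.2 TCP 74 51000 > http [SYN] Seq=0 Win=5840 Len=0
30.100050 192.168.0.2 -> 10.0.0.5 TCP 74 http > 51000 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0
30.100900 10.0.0.5 -> 192.168.0.2 TCP 66 51000 > http [ACK] Seq=1 Ack=1 Win=5888 Len=0
"""

# timestamp, src -> dst, TCP, length, sport > dport, [flags]
LINE_RE = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+TCP\s+\d+\s+"
    r"(?P<sport>\S+)\s+>\s+(?P<dport>\S+)\s+\[(?P<flags>[^\]]+)\]"
)

def parse_trace(text):
    """Yield (ts, src, sport, dst, dport, flags) for every TCP line in the trace."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flags = {f.strip() for f in m["flags"].split(",")}
            yield float(m["ts"]), m["src"], m["sport"], m["dst"], m["dport"], flags

def stalled_handshakes(text, min_synack=2):
    """Return {(client, cport, server, sport): synack_count} for flows where the
    server sent SYN,ACK at least min_synack times and no ACK from the client was
    ever seen. Keys are oriented client -> server so both directions collapse."""
    synacks = defaultdict(int)
    completed = set()
    for _ts, src, sport, dst, dport, flags in parse_trace(text):
        if flags == {"SYN", "ACK"}:
            synacks[(dst, dport, src, sport)] += 1  # server -> client, re-keyed
        elif "ACK" in flags and "SYN" not in flags:
            completed.add((src, sport, dst, dport))  # third step (or later data)
    return {k: n for k, n in synacks.items() if n >= min_synack and k not in completed}

if __name__ == "__main__":
    for (client, cport, server, sport), n in stalled_handshakes(SAMPLE_TRACE).items():
        print(f"{client}:{cport} -> {server}:{sport}: {n} SYN,ACK sent, no ACK seen")
```

A flow reported here means the SYN,ACK left the server but never reached the client, so the next place to look is the path back (NAT, crypto ACL, routing) rather than the server's own firewall.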
Finally found the solution: I had to include my public peer IP in the ACL. Because of NAT, the handshake return traffic is sent using the public peer IP, so after adding the public peer IP to the ACL, PRESTO!!! Everything works.