iOS / Mac compatible IPSec VPN server on Ubuntu

I bought a VPS from a Xen VPS host; it is very lightly loaded, so I want to run a VPN on it. The configuration I'm shooting for is the "roadwarrior" style, since I want to use it to secure my iPhone's and Mac's connections when I'm not at home. Keep in mind that I'm a programmer, not a sysadmin, so this is fairly foreign territory for me.

After failing to get a StrongSWAN / PPP / xL2TP setup working, I ran into racoon, which seemed like a much simpler option. I'm trying to avoid using certificates, because the process of getting a certificate onto an iOS device could be annoying (just a guess). So I've configured racoon on the VPS such that I can successfully connect to it and authenticate via XAUTH backed by the system user database. All of that seems to work; it's the NAT / networking side that doesn't work, and there I'm completely out of my element.

My VPS is running Ubuntu 10.10. I get the following output from ifconfig (I'm guessing it may be relevant):

    eth0      Link encap:Ethernet  HWaddr 00:16:3e:4a:7f:29
              inet addr:69.172.231.11  Bcast:69.172.231.63  Mask:255.255.255.192
              inet6 addr: fe80::216:3eff:fe4a:7f29/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:5234214 errors:0 dropped:0 overruns:0 frame:0
              TX packets:2417090 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:553246281 (553.2 MB)  TX bytes:5237753987 (5.2 GB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:1577698 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1577698 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0

Here is my racoon configuration file:

    path pre_shared_key "/etc/racoon/psk.txt";
    path certificate "/etc/racoon/certs";

    timer {
        natt_keepalive 10sec;
    }

    remote anonymous {
        exchange_mode main, aggressive, base;
        doi ipsec_doi;
        situation identity_only;
        nat_traversal on;
        script "/etc/racoon/phase1-up.sh" phase1_up;
        script "/etc/racoon/phase1-down.sh" phase1_down;
        generate_policy on;
        ike_frag on;
        passive on;
        my_identifier address 69.172.231.11;
        peers_identifier fqdn "zcr.me";
        proposal {
            encryption_algorithm aes;
            hash_algorithm sha1;
            authentication_method xauth_psk_server;
            dh_group 2;
        }
        proposal_check claim;
    }

    sainfo anonymous {
        encryption_algorithm aes;
        authentication_algorithm hmac_sha1;
        compression_algorithm deflate;
    }

    mode_cfg {
        auth_source system;
        save_passwd on;
        network4 10.1.0.0;
        pool_size 100;
    }

This configuration has been pieced together from various tutorials around the 'net, so it may be... odd. When I connect to the VPN, I get the following output on the client side:

    4/12/11 2:21:43 PM racoon[191] Connecting.
    4/12/11 2:21:43 PM racoon[191] IKE Packet: transmit success. (Initiator, Aggressive-Mode message 1).
    4/12/11 2:21:43 PM racoon[191] IKEv1 Phase1 AUTH: success. (Initiator, Aggressive-Mode Message 2).
    4/12/11 2:21:43 PM racoon[191] IKE Packet: receive success. (Initiator, Aggressive-Mode message 2).
    4/12/11 2:21:43 PM racoon[191] IKEv1 Phase1 Initiator: success. (Initiator, Aggressive-Mode).
    4/12/11 2:21:43 PM racoon[191] IKE Packet: transmit success. (Initiator, Aggressive-Mode message 3).
    4/12/11 2:21:46 PM racoon[191] IKE Packet: transmit success. (Mode-Config message).
    4/12/11 2:21:46 PM racoon[191] IKEv1 XAUTH: success. (XAUTH Status is OK).
    4/12/11 2:21:46 PM racoon[191] IKE Packet: transmit success. (Mode-Config message).
    4/12/11 2:21:46 PM racoon[191] IKEv1 Config: retransmited. (Mode-Config retransmit).
    4/12/11 2:21:46 PM racoon[191] IKE Packet: receive success. (MODE-Config).
    4/12/11 2:21:46 PM racoon[191] IKE Packet: transmit success. (Initiator, Quick-Mode message 1).
    4/12/11 2:21:46 PM racoon[191] IKE Packet: receive success. (Initiator, Quick-Mode message 2).
    4/12/11 2:21:46 PM racoon[191] IKE Packet: transmit success. (Initiator, Quick-Mode message 3).
    4/12/11 2:21:46 PM racoon[191] IKEv1 Phase2 Initiator: success. (Initiator, Quick-Mode).
    4/12/11 2:22:03 PM racoon[191] IKE Packet: transmit success. (Information message).
    4/12/11 2:22:03 PM racoon[191] IKEv1 Information-Notice: transmit success. (RU-THERE?).
    4/12/11 2:22:03 PM racoon[191] IKEv1 Dead-Peer-Detection: request transmitted. (Initiator DPD Request).
    4/12/11 2:22:04 PM racoon[191] IKEv1 Dead-Peer-Detection: response received. (Initiator DPD Response).
    4/12/11 2:22:04 PM racoon[191] IKE Packet: receive success. (Information message).
    4/12/11 2:22:04 PM racoon[191] IKE Packet: transmit success. (Information message).
    4/12/11 2:22:04 PM racoon[191] IKEv1 Information-Notice: transmit success. (Delete IPSEC-SA).
    4/12/11 2:22:04 PM racoon[191] IKE Packet: transmit success. (Information message).
    4/12/11 2:22:04 PM racoon[191] IKEv1 Information-Notice: transmit success. (Delete ISAKMP-SA).

The same connection produces the following output on the server side:

    Apr 12 13:20:20 Zaccaro racoon: INFO: respond new phase 1 negotiation: SERVER.IP.ADDRESS[500]<=>CLIENT.IP.ADDRESS[500]
    Apr 12 13:20:20 Zaccaro racoon: INFO: begin Aggressive mode.
    Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: RFC 3947
    Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-08
    Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-07
    Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-06
    Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-05
    Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-04
    Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-03
    Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02
    Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsec-nat-t-ike-02#012
    Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: draft-ietf-ipsra-isakmp-xauth-06.txt
    Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: CISCO-UNITY
    Apr 12 13:20:20 Zaccaro racoon: INFO: received Vendor ID: DPD
    Apr 12 13:20:20 Zaccaro racoon: WARNING: No ID match.
    Apr 12 13:20:20 Zaccaro racoon: INFO: Selected NAT-T version: RFC 3947
    Apr 12 13:20:20 Zaccaro racoon: INFO: Adding remote and local NAT-D payloads.
    Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing CLIENT.IP.ADDRESS[500] with algo #2
    Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing SERVER.IP.ADDRESS[500] with algo #2
    Apr 12 13:20:20 Zaccaro racoon: INFO: Adding xauth VID payload.
    Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-T: ports changed to: SERVER.IP.ADDRESS[32768]<->CLIENT.IP.ADDRESS[4500]
    Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing SERVER.IP.ADDRESS[4500] with algo #2
    Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-D payload #0 verified
    Apr 12 13:20:20 Zaccaro racoon: INFO: Hashing CLIENT.IP.ADDRESS[32768] with algo #2
    Apr 12 13:20:20 Zaccaro racoon: INFO: NAT-D payload #1 doesn't match
    Apr 12 13:20:20 Zaccaro racoon: WARNING: ignore INITIAL-CONTACT notification, because it is only accepted after phase1.
    Apr 12 13:20:20 Zaccaro racoon: INFO: NAT detected: PEER
    Apr 12 13:20:20 Zaccaro racoon: INFO: Sending Xauth request
    Apr 12 13:20:20 Zaccaro racoon: INFO: ISAKMP-SA established SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
    Apr 12 13:20:23 Zaccaro racoon: INFO: Using port 0
    Apr 12 13:20:23 Zaccaro racoon: INFO: login succeeded for user "username"
    Apr 12 13:20:23 Zaccaro racoon: WARNING: Ignored attribute INTERNAL_ADDRESS_EXPIRY
    Apr 12 13:20:23 Zaccaro racoon: WARNING: Ignored attribute 28683
    Apr 12 13:20:23 Zaccaro racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 12 13:20:23 Zaccaro racoon: INFO: respond new phase 2 negotiation: SERVER.IP.ADDRESS[4500]<=>CLIENT.IP.ADDRESS[32768]
    Apr 12 13:20:23 Zaccaro racoon: INFO: no policy found, try to generate the policy : 10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=in
    Apr 12 13:20:23 Zaccaro racoon: INFO: Adjusting my encmode UDP-Tunnel->Tunnel
    Apr 12 13:20:23 Zaccaro racoon: INFO: Adjusting peer's encmode UDP-Tunnel(3)->Tunnel(1)
    Apr 12 13:20:23 Zaccaro racoon: INFO: IPsec-SA established: ESP/Tunnel CLIENT.IP.ADDRESS[32768]->SERVER.IP.ADDRESS[4500] spi=141535132(0x86fa79c)
    Apr 12 13:20:23 Zaccaro racoon: INFO: IPsec-SA established: ESP/Tunnel SERVER.IP.ADDRESS[4500]->CLIENT.IP.ADDRESS[32768] spi=48270910(0x2e08e3e)
    Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=in"
    Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "10.1.0.0/32[0] 0.0.0.0/0[0] proto=any dir=fwd"
    Apr 12 13:20:23 Zaccaro racoon: ERROR: such policy does not already exist: "0.0.0.0/0[0] 10.1.0.0/32[0] proto=any dir=out"
    Apr 12 13:20:40 Zaccaro racoon: INFO: generated policy, deleting it.
    Apr 12 13:20:40 Zaccaro racoon: INFO: purged IPsec-SA proto_id=ESP spi=48270910.
    Apr 12 13:20:40 Zaccaro racoon: INFO: ISAKMP-SA expired SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
    Apr 12 13:20:41 Zaccaro racoon: INFO: ISAKMP-SA deleted SERVER.IP.ADDRESS[4500]-CLIENT.IP.ADDRESS[32768] spi:651d506ebbf13d5b:98e862615eac09da
    Apr 12 13:20:41 Zaccaro racoon: INFO: Released port 0
    Apr 12 13:20:41 Zaccaro racoon: INFO: unsupported PF_KEY message REGISTER
    Apr 12 13:21:02 Zaccaro sm-msp-queue[23481]: unable to qualify my own domain name (Zaccaro) -- using short name

I think part of the problem may come from the phase1-up and phase1-down scripts.

phase1-up.sh:

    #!/bin/bash
    PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

    echo "
    spdadd 192.168.1.0/24 ${INTERNAL_ADDR4}/32 any -P out ipsec esp/tunnel/${LOCAL_ADDR}[4500]-${REMOTE_ADDR}[4500]/require;
    spdadd ${INTERNAL_ADDR4}/32 192.168.1.0/24 any -P in ipsec esp/tunnel/${REMOTE_ADDR}[4500]-${LOCAL_ADDR}[4500]/require;
    " | setkey -c

phase1-down.sh:

    #!/bin/bash
    PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin

    echo "
    deleteall ${REMOTE_ADDR} ${LOCAL_ADDR} esp;
    deleteall ${LOCAL_ADDR} ${REMOTE_ADDR} esp;
    spddelete 192.168.1.0/24[any] ${INTERNAL_ADDR4}[any] any -P out ipsec esp/tunnel/${LOCAL_ADDR}-${REMOTE_ADDR}/require;
    spddelete ${INTERNAL_ADDR4}[any] 192.168.1.0/24[any] any -P in ipsec esp/tunnel/${REMOTE_ADDR}-${LOCAL_ADDR}/require;
    " | setkey -c

All of this happens, and the client says it connected successfully with IP address 10.1.0.0. At that point, any attempt to reach the internet fails immediately. That is the problem.

Edit: here is some more diagnostic information.

While connected to the VPN, pings to the VPS's public IP address succeed. However, pings to 8.8.8.8 (the DNS server the VPN is set to use by default) time out. As a result, hostnames can't be resolved at all.

Second edit:

    » route -nv
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    69.172.231.0    0.0.0.0         255.255.255.192 U     0      0        0 eth0
    0.0.0.0         69.172.231.1    0.0.0.0         UG    0      0        0 eth0

    » iptables -L -nv
    Chain INPUT (policy ACCEPT 49270 packets, 6376K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 42570 packets, 8573K bytes)
     pkts bytes target     prot opt in     out     source               destination

Where did you get the phase1-up.sh and phase1-down.sh scripts? There should be some examples in the racoon distribution, under .../racoon/samples/roadwarrior/client/. Try using those. As a quick experiment, you could replace every 192.168.1.0/24 in those scripts with 10.1.0.0/24, but I don't know how you have networking set up on your Ubuntu VPS. If neither of these steps works, please post the output of the commands

    route -nv
    iptables -L -nv

on your Ubuntu VPS.

It looks like your problem has nothing to do with IPSEC. Out of the box, Ubuntu doesn't route any packets, so a connection like this will only let you reach your server, not the internet.

What you need to do is follow a tutorial like this one: https://help.ubuntu.com/community/Internet/ConnectionSharing

It will help you set up Ubuntu as a router/firewall with NAT and routing enabled.

You can skip the section on DHCP, since you already get an IP via IPSEC.
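The forwarding and NAT setup that answer points at, as an added example (not code from the original post, from racoon, or from the linked tutorial): it assumes the VPN pool is 10.1.0.0/24 and the public interface is eth0, as in the question, and restricts forwarding to that pool instead of leaving the FORWARD chain wide open.

```shell
#!/bin/bash
# Added example, not from the original post or racoon: make the VPS forward
# and NAT traffic from the racoon mode_cfg pool (10.1.0.0/24) out of eth0.
# Assumed: the pool and interface names below; iptables "-m state" syntax.
set -eu

VPN_POOL="${VPN_POOL:-10.1.0.0/24}"   # mode_cfg network4 10.1.0.0, pool_size 100
WAN_IF="${WAN_IF:-eth0}"              # interface holding the public address

# Emit the commands as text so the plan can be reviewed before it is applied.
# Only the VPN pool may be forwarded; everything else hitting FORWARD is dropped.
nat_commands() {
    local pool="$1" wan="$2"
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i ${wan} -d ${pool} -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s ${pool} -o ${wan} -j ACCEPT
iptables -t nat -A POSTROUTING -s ${pool} -o ${wan} -j MASQUERADE
EOF
}

# Post-apply checks: kernel forwarding is on and a MASQUERADE rule for the pool exists.
forwarding_enabled() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}
masquerade_present() {
    iptables -t nat -L POSTROUTING -n 2>/dev/null | grep -q "MASQUERADE.*$1"
}

if [ "${1:-plan}" = "apply" ]; then
    # Run as root on the VPS; to persist ip_forward across reboots, also set
    # net.ipv4.ip_forward=1 in /etc/sysctl.conf (not done here).
    nat_commands "$VPN_POOL" "$WAN_IF" | sh -e
    if forwarding_enabled && masquerade_present "$VPN_POOL"; then
        echo "NAT for $VPN_POOL via $WAN_IF is active"
    else
        echo "NAT setup did not take effect; check sysctl and iptables" >&2
        exit 1
    fi
else
    nat_commands "$VPN_POOL" "$WAN_IF"    # default: print the plan only
fi
```

Run it without arguments to see the commands, and with `apply` as root to execute them and verify the result.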