Networking
Strongswan only routes the last person to connect through the tunnel
I have a site2site VPN tunnel using StrongSwan. Everything seems to work fine, except that only the last person to connect has access. I.e. I connect from PC1 and can ping the server on the other side; I connect from PC2, and now PC1 times out while PC2 can ping; when I disconnect PC2, PC1 can ping again.
With ipsec statusall I can see that both connections are receiving packets, but only one of them is returning them. All packets going through the tunnel are answered, which leads me to think this is a routing problem (the server only routes the last person connecting through the tunnel). I am a complete newbie at all this, so I am most likely overlooking something very basic.
# ipsec.conf on serverB (server I am connecting to/going through)
config setup
    charondebug="ike 2, knl -1, cfg 0"

conn tunnel
    authby=secret
    left=10.25.1.0/24
    leftid=serverB
    leftsubnet=10.25.2.0/24
    right=serverA
    rightsubnet=192.168.10.0/24
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    ike=aes256-sha1-modp1024,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    dpdaction=clear
    dpddelay=300s

conn incoming
    left=10.25.1.0/24
    leftid=serverB
    leftsubnet=192.168.10.0/24
    leftauth=pubkey
    leftcert=/etc/ipsec.d/certs/cert.pem
    right=%any
    rightid=%any
    rightsourceip=10.25.2.0/24
    rightsubnet=0.0.0.0/0
    rightdns=8.8.8.8,8.8.4.4
    keyexchange=ikev2
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add
    ike=aes256-sha1-modp1024,3des-sha1-modp1024
    esp=aes256-sha1,3des-sha1
    rekey=no
# iptables-save
# Generated by iptables-save v1.6.1 on Fri Mar 6 10:47:28 2020
*filter
:INPUT ACCEPT [18415:7233797]
:FORWARD ACCEPT [10367:4483972]
:OUTPUT ACCEPT [18804:7027092]
:sshguard - [0:0]
-A INPUT -j sshguard
COMMIT
# Completed on Fri Mar 6 10:47:28 2020
# ip rule
0:      from all lookup local
220:    from all lookup 220
32766:  from all lookup main
32767:  from all lookup default
# ip route show table all
default via 10.25.1.1 dev ens4 proto dhcp src 10.25.1.2 metric 100
10.25.1.1 dev ens4 proto dhcp scope link src 10.25.1.2 metric 100
local 10.25.1.2 dev ens4 table local proto kernel scope host src 10.25.1.2
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev ens4 proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::4001:aff:fe19:102 dev ens4 table local proto kernel metric 0 pref medium
ff00::/8 dev ens4 table local metric 256 pref medium
# ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1460 qdisc fq_codel state UP group default qlen 1000
    link/ether 42:01:0a:19:01:02 brd ff:ff:ff:ff:ff:ff
    inet 10.25.1.2/32 scope global dynamic ens4
       valid_lft 73441sec preferred_lft 73441sec
    inet6 fe80::4001:aff:fe19:102/64 scope link
       valid_lft forever preferred_lft forever
# logs from connection, irrelevant cert requests omitted
# xx.xx.188.25 - external ip of both clients i am using for testing
# xx.xx.120.2 - serverA (other side of the tunnel)
# xx.xx.14.15 - serverB (server I am connecting to from clients)
Mar 6 14:32:34 vpn-endpoint-euw2-prod charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.2, Linux 5.0.0-1021-gcp, x86_64)
Mar 6 14:32:35 vpn-endpoint-euw2-prod charon: 00[LIB] plugin 'load-tester': failed to load - load_tester_plugin_create returned NULL
Mar 6 14:32:35 vpn-endpoint-euw2-prod charon: 00[LIB] loaded plugins: charon test-vectors unbound ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md4 md5 mgf1 rdrand random nonce x509 revocation constraints acert pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey dnscert ipseckey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru bliss curl soup mysql sqlite attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-sim eap-sim-pcsc eap-aka eap-aka-3gpp2 eap-simaka-pseudonym eap-simaka-reauth eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam xauth-noauth tnc-tnccs tnccs-20 tnccs-11 tnccs-dynamic dhcp whitelist lookip error-notify certexpire led radattr addrblock unity counters
Mar 6 14:32:35 vpn-endpoint-euw2-prod charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 6 14:32:35 vpn-endpoint-euw2-prod charon: 00[JOB] spawning 16 worker threads
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 14[NET] received packet: from xx.xx.120.2[500] to 10.25.1.2[500] (376 bytes)
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 14[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 14[IKE] xx.xx.120.2 is initiating an IKE_SA
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 14[IKE] IKE_SA (unnamed)[1] state change: CREATED => CONNECTING
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 14[IKE] local host is behind NAT, sending keep alives
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 14[IKE] remote host is behind NAT
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 14[IKE] sending cert request for "C=US, O=VPN Server, CN=VPN Server Root CA"
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 14[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 14[NET] sending packet: from 10.25.1.2[500] to xx.xx.120.2[500] (361 bytes)
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 13[NET] received packet: from xx.xx.120.2[4500] to 10.25.1.2[4500] (300 bytes)
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] authentication of 'xx.xx.120.2' with pre-shared key successful
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] peer supports MOBIKE
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] authentication of 'xx.xx.14.15' (myself) with pre-shared key
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] successfully created shared key MAC
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] IKE_SA bf_tunel2[1] established between 10.25.1.2[xx.xx.14.15]...xx.xx.120.2[xx.xx.120.2]
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] IKE_SA bf_tunel2[1] state change: CONNECTING => ESTABLISHED
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] scheduling reauthentication in 9998s
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] maximum IKE_SA lifetime 10538s
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 13[IKE] CHILD_SA bf_tunel2{1} established with SPIs c086077e_i c1b1cbeb_o and TS 10.25.2.0/24 === 192.168.10.0/24
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Mar 6 14:32:48 vpn-endpoint-euw2-prod charon: 13[NET] sending packet: from 10.25.1.2[4500] to xx.xx.120.2[4500] (236 bytes)
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 05[NET] received packet: from xx.xx.188.25[500] to 10.25.1.2[500] (1104 bytes)
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 05[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 05[IKE] received MS-Negotiation Discovery Capable vendor ID
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 05[IKE] received Vid-Initial-Contact vendor ID
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 05[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 05[IKE] xx.xx.188.25 is initiating an IKE_SA
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 05[IKE] IKE_SA (unnamed)[2] state change: CREATED => CONNECTING
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 05[IKE] local host is behind NAT, sending keep alives
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 05[IKE] remote host is behind NAT
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 05[IKE] sending cert request for "C=US, O=VPN Server, CN=VPN Server Root CA"
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 05[NET] sending packet: from 10.25.1.2[500] to xx.xx.188.25[500] (345 bytes)
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 08[NET] received packet: from xx.xx.188.25[4500] to 10.25.1.2[4500] (576 bytes)
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(1/3) ]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 08[ENC] received fragment #1 of 3, waiting for complete IKE message
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 07[NET] received packet: from xx.xx.188.25[4500] to 10.25.1.2[4500] (576 bytes)
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 07[ENC] parsed IKE_AUTH request 1 [ EF(2/3) ]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 07[ENC] received fragment #2 of 3, waiting for complete IKE message
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[NET] received packet: from xx.xx.188.25[4500] to 10.25.1.2[4500] (336 bytes)
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[ENC] received fragment #3 of 3, reassembling fragmented IKE message
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] received cert request for "C=US, O=VPN Server, CN=VPN Server Root CA"
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] received 43 cert requests for an unknown ca
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] processing INTERNAL_IP4_ADDRESS attribute
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] processing INTERNAL_IP4_DNS attribute
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] processing INTERNAL_IP4_NBNS attribute
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] processing INTERNAL_IP4_SERVER attribute
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] processing INTERNAL_IP6_ADDRESS attribute
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] processing INTERNAL_IP6_DNS attribute
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] processing INTERNAL_IP6_SERVER attribute
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] peer supports MOBIKE
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] authentication of 'xx.xx.14.15' (myself) with RSA signature successful
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[IKE] sending end entity cert "C=UK, O=VPN Server, CN=xx.xx.14.15"
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[ENC] splitting IKE message with length of 1980 bytes into 2 fragments
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[4500] (1248 bytes)
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 09[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[4500] (800 bytes)
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 10[NET] received packet: from xx.xx.188.25[4500] to 10.25.1.2[4500] (92 bytes)
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 10[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 10[IKE] received EAP identity 'user2'
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 10[IKE] initiating EAP_MSCHAPV2 method (id 0x2D)
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 10[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 10[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[4500] (108 bytes)
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 11[NET] received packet: from xx.xx.188.25[4500] to 10.25.1.2[4500] (140 bytes)
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 11[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 11[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 11[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[4500] (140 bytes)
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 12[NET] received packet: from xx.xx.188.25[4500] to 10.25.1.2[4500] (76 bytes)
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 12[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 12[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 12[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 12[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[4500] (76 bytes)
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 14[NET] received packet: from xx.xx.188.25[4500] to 10.25.1.2[4500] (92 bytes)
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 14[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] authentication of '192.168.1.10' with EAP successful
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] authentication of 'xx.xx.14.15' (myself) with EAP
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] IKE_SA bf_in[2] established between 10.25.1.2[xx.xx.14.15]...xx.xx.188.25[192.168.1.10]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] IKE_SA bf_in[2] state change: CONNECTING => ESTABLISHED
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] peer requested virtual IP %any
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] assigning virtual IP 10.25.2.1 to peer 'user2'
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] peer requested virtual IP %any6
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] no virtual IP found for %any6 requested by 'user2'
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] building INTERNAL_IP4_DNS attribute
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] building INTERNAL_IP4_DNS attribute
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 14[IKE] CHILD_SA bf_in{2} established with SPIs c8553926_i 088be440_o and TS 192.168.10.0/24 === 0.0.0.0/0
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 14[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Mar 6 14:33:00 vpn-endpoint-euw2-prod charon: 14[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[4500] (236 bytes)
Mar 6 14:33:08 vpn-endpoint-euw2-prod charon: 13[IKE] sending keep alive to xx.xx.120.2[4500]
Mar 6 14:33:10 vpn-endpoint-euw2-prod charon: 16[NET] received packet: from xx.xx.188.25[4500] to 10.25.1.2[4500] (76 bytes)
Mar 6 14:33:10 vpn-endpoint-euw2-prod charon: 16[ENC] parsed INFORMATIONAL request 6 [ ]
Mar 6 14:33:10 vpn-endpoint-euw2-prod charon: 16[ENC] generating INFORMATIONAL response 6 [ ]
Mar 6 14:33:10 vpn-endpoint-euw2-prod charon: 16[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[4500] (76 bytes)
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 06[NET] received packet: from xx.xx.188.25[500] to 10.25.1.2[500] (632 bytes)
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 06[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(FRAG_SUP) N(NATD_S_IP) N(NATD_D_IP) V V V V ]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 06[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 06[IKE] received MS-Negotiation Discovery Capable vendor ID
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 06[IKE] received Vid-Initial-Contact vendor ID
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 06[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 06[IKE] xx.xx.188.25 is initiating an IKE_SA
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 06[IKE] IKE_SA (unnamed)[3] state change: CREATED => CONNECTING
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 06[IKE] local host is behind NAT, sending keep alives
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 06[IKE] remote host is behind NAT
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 06[IKE] sending cert request for "C=US, O=VPN Server, CN=VPN Server Root CA"
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 06[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(MULT_AUTH) ]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 06[NET] sending packet: from 10.25.1.2[500] to xx.xx.188.25[500] (473 bytes)
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 15[NET] received packet: from xx.xx.188.25[1024] to 10.25.1.2[4500] (576 bytes)
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 15[ENC] parsed IKE_AUTH request 1 [ EF(1/3) ]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 15[ENC] received fragment #1 of 3, waiting for complete IKE message
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 05[NET] received packet: from xx.xx.188.25[1024] to 10.25.1.2[4500] (576 bytes)
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 05[ENC] parsed IKE_AUTH request 1 [ EF(2/3) ]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 05[ENC] received fragment #2 of 3, waiting for complete IKE message
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[NET] received packet: from xx.xx.188.25[1024] to 10.25.1.2[4500] (384 bytes)
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[ENC] parsed IKE_AUTH request 1 [ EF(3/3) ]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[ENC] received fragment #3 of 3, reassembling fragmented IKE message
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ N(MOBIKE_SUP) CPRQ(ADDR DNS NBNS SRV ADDR6 DNS6 SRV6) SA TSi TSr ]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] received cert request for "C=US, O=VPN Server, CN=VPN Server Root CA"
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] received 45 cert requests for an unknown ca
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] processing INTERNAL_IP4_ADDRESS attribute
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] processing INTERNAL_IP4_DNS attribute
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] processing INTERNAL_IP4_NBNS attribute
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] processing INTERNAL_IP4_SERVER attribute
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] processing INTERNAL_IP6_ADDRESS attribute
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] processing INTERNAL_IP6_DNS attribute
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] processing INTERNAL_IP6_SERVER attribute
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] peer supports MOBIKE
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] authentication of 'xx.xx.14.15' (myself) with RSA signature successful
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[IKE] sending end entity cert "C=UK, O=VPN Server, CN=xx.xx.14.15"
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/ID ]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[ENC] splitting IKE message with length of 1980 bytes into 2 fragments
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[1024] (1248 bytes)
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 08[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[1024] (800 bytes)
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 07[NET] received packet: from xx.xx.188.25[1024] to 10.25.1.2[4500] (76 bytes)
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 07[ENC] parsed IKE_AUTH request 2 [ EAP/RES/ID ]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 07[IKE] received EAP identity 'user'
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 07[IKE] initiating EAP_MSCHAPV2 method (id 0x01)
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 07[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 07[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[1024] (108 bytes)
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 09[NET] received packet: from xx.xx.188.25[1024] to 10.25.1.2[4500] (140 bytes)
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 09[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 09[ENC] generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 09[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[1024] (140 bytes)
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 10[NET] received packet: from xx.xx.188.25[1024] to 10.25.1.2[4500] (76 bytes)
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 10[ENC] parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 10[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 10[ENC] generating IKE_AUTH response 4 [ EAP/SUCC ]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 10[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[1024] (76 bytes)
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 11[NET] received packet: from xx.xx.188.25[1024] to 10.25.1.2[4500] (92 bytes)
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 11[ENC] parsed IKE_AUTH request 5 [ AUTH ]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] authentication of '192.168.5.3' with EAP successful
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] authentication of 'xx.xx.14.15' (myself) with EAP
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] IKE_SA bf_in[3] established between 10.25.1.2[xx.xx.14.15]...xx.xx.188.25[192.168.5.3]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] IKE_SA bf_in[3] state change: CONNECTING => ESTABLISHED
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] peer requested virtual IP %any
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] assigning virtual IP 10.25.2.2 to peer 'user'
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] peer requested virtual IP %any6
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] no virtual IP found for %any6 requested by 'user'
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] building INTERNAL_IP4_DNS attribute
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] building INTERNAL_IP4_DNS attribute
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 11[IKE] CHILD_SA bf_in{3} established with SPIs c447c376_i bdd4e08c_o and TS 192.168.10.0/24 === 0.0.0.0/0
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 11[ENC] generating IKE_AUTH response 5 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
Mar 6 14:33:12 vpn-endpoint-euw2-prod charon: 11[NET] sending packet: from 10.25.1.2[4500] to xx.xx.188.25[1024] (236 bytes)
Mar 6 14:33:16 vpn-endpoint-euw2-prod charon: 12[NET] received packet: from xx.xx.188.25[1024] to 10.25.1.2[4500] (76 bytes)
Mar 6 14:33:16 vpn-endpoint-euw2-prod charon: 12[ENC] parsed INFORMATIONAL request 6 [ D ]
Mar 6 14:33:16 vpn-endpoint-euw2-prod charon: 12[IKE] received DELETE for ESP CHILD_SA with SPI bdd4e08c
Mar 6 14:33:16 vpn-endpoint-euw2-prod charon: 12[IKE] closing CHILD_SA bf_in{3} with SPIs c447c376_i (0 bytes) bdd4e08c_o (0 bytes) and TS 192.168.10.0/24 === 0.0.0.0/0
Mar 6 14:33:16 vpn-endpoint-euw2-prod charon: 12[IKE] sending DELETE for ESP CHILD_SA with SPI c447c376
Mar 6 14:33:16 vpn-endpoint-euw2-prod charon: 12[IKE] CHILD_SA closed
Just remove rightsubnet=0.0.0.0/0 from conn incoming. Otherwise you tunnel everything to the last connected client. When assigning virtual IPs to clients, the remote traffic selector (rightsubnet in ipsec.conf, remote_ts in swanctl.conf) should not be configured, as described in the documentation.
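Worked example, added here and not part of the answer above or of the original post. The posted log shows why the answer works: both client CHILD_SAs (bf_in{2} for user2 with virtual IP 10.25.2.1, bf_in{3} for user with 10.25.2.2) come up with the identical selector TS 192.168.10.0/24 === 0.0.0.0/0, so both try to install the same outbound IPsec policy on serverB (source 192.168.10.0/24, any destination) and the most recently installed one takes effect. Replies coming back from 192.168.10.0/24 over the site2site tunnel are therefore tunnelled to whichever client connected last, which is exactly the symptom described. With rightsubnet left unset and rightsourceip present, strongSwan narrows each client's remote traffic selector to the virtual IP it was assigned, so every client gets its own distinct policy. The block below is the poster's conn incoming from the config above with only that one line removed; everything else, including the cipher proposals, is kept as posted.

```ini
# /etc/ipsec.conf on serverB, conn incoming with the fix applied.
# Added example derived from the config posted above, not the poster's file.
conn incoming
    left=10.25.1.0/24
    leftid=serverB
    leftsubnet=192.168.10.0/24
    leftauth=pubkey
    leftcert=/etc/ipsec.d/certs/cert.pem
    right=%any
    rightid=%any
    rightsourceip=10.25.2.0/24
    # rightsubnet=0.0.0.0/0  removed: with rightsourceip set, strongSwan narrows
    # the remote traffic selector to the client's assigned virtual IP (/32),
    # so each client gets its own kernel policy instead of all sharing one.
    rightdns=8.8.8.8,8.8.4.4
    keyexchange=ikev2
    rightauth=eap-mschapv2
    eap_identity=%any
    auto=add
    # Proposals kept exactly as posted so existing clients still connect;
    # MODP1024, SHA-1 and 3DES are legacy and worth revisiting separately
    # once the routing problem is solved.
    ike=aes256-sha1-modp1024,3des-sha1-modp1024
    esp=aes256-sha1,3des-sha1
    rekey=no
```

After ipsec reload, disconnect and reconnect both clients. In ipsec statusall each client's CHILD_SA should now show its own virtual IP as the remote selector, for example 192.168.10.0/24 === 10.25.2.1/32 for user2 and 192.168.10.0/24 === 10.25.2.2/32 for user, instead of the shared 0.0.0.0/0 seen in the log, and both clients can ping 192.168.10.0/24 at the same time.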