DTLS握手在ocserv和openconnect中失败。

Question

我在我的Ubuntu服务器上配置了/etc/ocserv/ocserv.conf文件中的ocserv：

auth = "plain[passwd=/etc/ocserv/ocpasswd]"
tcp-port = 443
udp-port = 443
run-as-user = nobody
run-as-group = daemon
socket-file = /run/ocserv.socket
server-cert = /etc/ocserv/ssl/server-cert.pem
server-key = /etc/ocserv/ssl/server-key.pem
ca-cert = /etc/ocserv/ssl/ca-cert.pem
isolate-workers = true
#banner = Welcome
max-clients = 128
max-same-clients = 2
server-stats-reset-time = 604800
keepalive = 300
dpd = 60
mobile-dpd = 300
switch-to-tcp-timeout = 25
try-mtu-discovery = false
cert-user-oid = 0.9.2342.19200300.100.1.1
compression = true
no-compress-limit = 256
tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-RSA:-VERS-SSL3.0:-ARCFOUR-128"
auth-timeout = 240
idle-timeout = 1200
mobile-idle-timeout = 1800
min-reauth-time = 300
max-ban-score = 80
ban-reset-time = 300
cookie-timeout = 300
deny-roaming = false
rekey-time = 172800
rekey-method = ssl
use-occtl = true
pid-file = /run/ocserv.pid
device = vpns
predictable-ips = true
default-domain = SERVER_IP
ipv4-network = 10.11.12.0
ipv4-netmask = 255.255.255.0
tunnel-all-dns = true
dns = 8.8.8.8
dns = 8.8.4.4
ping-leases = false
cisco-client-compat = true
dtls-legacy = true

然后，当我想使用OpenConnect用Ubuntu机器连接到服务器时，连接将建立起来，但我正在接收以下消息：

DTLS handshake failed: Resource temporarily unavailable, try again.
Configured as 10.11.12.127, with SSL + LZ4 connected and DTLS + LZ4 in progress

然后第一行每分钟重复一遍。

有什么办法解决这个问题吗？我的配置文件有问题吗？

Answer 1

对于此来源，问题是防火墙允许列表中的问题。

我只允许ufw中的端口/tcp，然后当我允许端口/udp时，问题已经解决了。

ufw allow 443/tcp
ufw allow 443/udp