
Client traffic is not routed through the VPN

Server Fault user
Asked on 2020-11-03 14:40:49
1 answer, 513 views, 0 followers, 0 votes

I am trying to set up a simple strongSwan connection between a server and an Android phone, using the strongSwan Android app.

My Android phone: Android 8.0.0 with Samsung Experience 9.0; it is a Galaxy A5 (2017).

I tried over both 4G and Wi-Fi; my strongSwan app is version 2.3.0, updated in June 2020.

My server: an up-to-date Ubuntu 18.04 VPS.

My strongSwan server setup is as follows: I downloaded strongSwan 5.9.0 manually, then built it with

./configure --prefix=/custompath/strongroot --disable-stroke --with-piddir=/custompath/strongroot/var/run --enable-eap-dynamic --enable-eap-mschapv2 --enable-eap-aka --enable-eap-identity --enable-md4
make
make install

My strongswan.conf looks like this

charon {
        load_modular = yes

        plugins {

                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

My server-side swanctl.conf is

connections {
    server {
        pools = primary-pool-ipv4, primary-pool-ipv6
        local {
            auth = pubkey
            certs = <server_crt>
            id = <server_id>
        }
        remote {
            auth = eap-dynamic
            id = %any
        }
        children {
            client {
            }
        }
    }
}

secrets {
    eap-test {
        id = <user_id>
        secret = <user_password>
    }
}

pools {
    primary-pool-ipv4 {
        addrs = 10.0.0.0/24
        dns = 8.8.8.8
    }
    primary-pool-ipv6 {
        addrs = 2620:0:2d0:200::7/97
    }
}

The server is started as root with the following commands, with these results

/custompath/strongroot/libexec/ipsec/charon &
/custompath/strongroot/sbin/swanctl -q


loaded certificate from '/custompath/strongroot/etc/swanctl/x509/<server_crt>'
loaded certificate from '/custompath/strongroot/etc/swanctl/x509ca/<CA_crt>'
loaded rsa key from '/custompath/strongroot/etc/swanctl/private/<server_key>'
loaded eap secret 'eap-test'
no authorities found, 0 unloaded
loaded pool 'primary-pool-ipv4'
loaded pool 'primary-pool-ipv6'
successfully loaded 2 pools, 0 unloaded
loaded connection 'server'
successfully loaded 1 connections, 0 unloaded

And these logs

[CFG] loaded certificate 'C=FR, O=Test, CN=<server_id>'
[CFG] loaded certificate 'C=FR, O=Test, CN=Test CA'
[CFG] loaded RSA private key
[CFG] loaded EAP shared key with id 'eap-test' for: '<user_id>'
[CFG] added vici pool primary-pool-ipv4: 10.0.0.0, 254 entries
[CFG] added vici pool primary-pool-ipv6: 2620:0:2d0:200::7, 2147483640 entries
[CFG] added vici connection: server

On my Android phone I used the following settings in the strongSwan app

Server : <server ipv4>
VPN Type : IKEv2 EAP (Username/Password)
Username : <user_id>
Password : <user_password>

CA certificate : <CA_crt>

Server identity : <server_id>
Client identity : <user_id>

When I connect the client to the server, I get the following logs on the server:

[NET] <3> received packet: from  <client_ip>[33980] to   <server_ip>[500] (716 bytes)
[ENC] <3> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[IKE] <3>  <client_ip> is initiating an IKE_SA
[CFG] <3> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
[IKE] <3> remote host is behind NAT
[IKE] <3> DH group ECP_256 unacceptable, requesting CURVE_25519
[ENC] <3> generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
[NET] <3> sending packet: from   <server_ip>[500] to  <client_ip>[33980] (38 bytes)
[NET] <4> received packet: from  <client_ip>[33980] to   <server_ip>[500] (684 bytes)
[ENC] <4> parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[IKE] <4>  <client_ip> is initiating an IKE_SA
[CFG] <4> selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
[IKE] <4> remote host is behind NAT
[IKE] <4> sending cert request for "C=FR, O=Test, CN=Test CA"
[ENC] <4> generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[NET] <4> sending packet: from   <server_ip>[500] to  <client_ip>[33980] (273 bytes)
[NET] <4> received packet: from  <client_ip>[51380] to   <server_ip>[4500] (480 bytes)
[ENC] <4> parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[IKE] <4> received cert request for "C=FR, O=Test, CN=Test CA"
[CFG] <4> looking for peer configs matching   <server_ip>[<server_id>]... <client_ip>[<client_id>]
[CFG] <server|4> selected peer config 'server'
[IKE] <server|4> EAP_AKA method selected
[IKE] <server|4> initiating EAP_AKA method (id 0x11)
[IKE] <server|4> received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
[IKE] <server|4> peer supports MOBIKE
[IKE] <server|4> authentication of '<server_id>' (myself) with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] <server|4> sending end entity cert "C=FR, O=Test, CN=<server_id>"
[ENC] <server|4> generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/AKA ]
[NET] <server|4> sending packet: from   <server_ip>[4500] to  <client_ip>[51380] (1184 bytes)
[NET] <server|4> received packet: from  <client_ip>[51380] to   <server_ip>[4500] (80 bytes)
[ENC] <server|4> parsed IKE_AUTH request 2 [ EAP/RES/NAK ]
[IKE] <server|4> received EAP_NAK, selecting a different EAP method
[IKE] <server|4> EAP_MSCHAPV2 method selected
[ENC] <server|4> generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
[NET] <server|4> sending packet: from   <server_ip>[4500] to  <client_ip>[51380] (112 bytes)
[NET] <server|4> received packet: from  <client_ip>[51380] to   <server_ip>[4500] (144 bytes)
[ENC] <server|4> parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
[ENC] <server|4> generating IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
[NET] <server|4> sending packet: from   <server_ip>[4500] to  <client_ip>[51380] (144 bytes)
[NET] <server|4> received packet: from  <client_ip>[51380] to   <server_ip>[4500] (80 bytes)
[ENC] <server|4> parsed IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
[IKE] <server|4> EAP method EAP_MSCHAPV2 succeeded, MSK established
[ENC] <server|4> generating IKE_AUTH response 4 [ EAP/SUCC ]
[NET] <server|4> sending packet: from   <server_ip>[4500] to  <client_ip>[51380] (80 bytes)
[NET] <server|4> received packet: from  <client_ip>[51380] to   <server_ip>[4500] (96 bytes)
[ENC] <server|4> parsed IKE_AUTH request 5 [ AUTH ]
[IKE] <server|4> authentication of '<client_id>' with EAP successful
[IKE] <server|4> authentication of '<server_id>' (myself) with EAP
[IKE] <server|4> IKE_SA server[4] established between   <server_ip>[<server_id>]... <client_ip>[<client_id>]
[IKE] <server|4> scheduling rekeying in 13701s
[IKE] <server|4> maximum IKE_SA lifetime 15141s
[IKE] <server|4> peer requested virtual IP %any
[CFG] <server|4> reassigning offline lease to '<client_id>'
[IKE] <server|4> assigning virtual IP 10.0.0.1 to peer '<client_id>'
[IKE] <server|4> peer requested virtual IP %any6
[CFG] <server|4> reassigning offline lease to '<client_id>'
[IKE] <server|4> assigning virtual IP 2620:0:2d0:200::7 to peer '<client_id>'
[CFG] <server|4> selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
[JOB] watched FD 15 ready to read
[JOB] watcher going to poll() 3 fds
[JOB] watcher got notification, rebuilding
[JOB] watcher going to poll() 4 fds
[IKE] <server|4> CHILD_SA client{2} established with SPIs ce546f2f_i 58d283b4_o and TS   <server_ip>/32 === 10.0.0.1/32 2620:0:2d0:200::7/128
[ENC] <server|4> generating IKE_AUTH response 5 [ AUTH CPRP(ADDR ADDR6 DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
[NET] <server|4> sending packet: from   <server_ip>[4500] to  <client_ip>[51380] (288 bytes)

The client's logs

[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
[DMN] Starting IKE service (strongSwan 5.8.4, Android 8.0.0 - R16NW.A520FXXSFCTG8/2020-08-01, SM-A520F - samsung/a5y17ltexx/samsung, Linux 3.18.14-13712092-QB33307948, aarch64)
[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
[JOB] spawning 16 worker threads
[IKE] initiating IKE_SA android[2] to <server_ip>
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from <client_internal_ip>[33980] to <server_ip>[500] (716 bytes)
[NET] received packet: from <server_ip>[500] to <client_internal_ip>[33980] (38 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
[IKE] peer didn't accept DH group ECP_256, it requested CURVE_25519
[IKE] initiating IKE_SA android[2] to <server_ip>
[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
[NET] sending packet: from <client_internal_ip>[33980] to <server_ip>[500] (684 bytes)
[NET] received packet: from <server_ip>[500] to <client_internal_ip>[33980] (273 bytes)
[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) N(HASH_ALG) N(CHDLESS_SUP) N(MULT_AUTH) ]
[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/CURVE_25519
[IKE] local host is behind NAT, sending keep alives
[IKE] received cert request for "C=FR, O=Test, CN=Test CA"
[IKE] sending cert request for "C=FR, O=Test, CN=Test CA"
[IKE] establishing CHILD_SA android{2}
[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CERTREQ IDr CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
[NET] sending packet: from <client_internal_ip>[51380] to <server_ip>[4500] (480 bytes)
[NET] received packet: from <server_ip>[4500] to <client_internal_ip>[51380] (1184 bytes)
[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/AKA ]
[IKE] received end entity cert "C=FR, O=Test, CN=<server_id>"
[CFG]   using certificate "C=FR, O=Test, CN=<server_id>"
[CFG]   using trusted ca certificate "C=FR, O=Test, CN=Test CA"
[CFG] checking certificate status of "C=FR, O=Test, CN=<server_id>"
[CFG] certificate status is not available
[CFG]   reached self-signed root ca with a path length of 0
[IKE] authentication of '<server_id>' with RSA_EMSA_PKCS1_SHA2_256 successful
[IKE] server requested EAP_AKA authentication (id 0x11)
[IKE] EAP method not supported, sending EAP_NAK
[ENC] generating IKE_AUTH request 2 [ EAP/RES/NAK ]
[NET] sending packet: from <client_internal_ip>[51380] to <server_ip>[4500] (80 bytes)
[NET] received packet: from <server_ip>[4500] to <client_internal_ip>[51380] (112 bytes)
[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
[IKE] server requested EAP_MSCHAPV2 authentication (id 0x0F)
[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
[NET] sending packet: from <client_internal_ip>[51380] to <server_ip>[4500] (144 bytes)
[NET] received packet: from <server_ip>[4500] to <client_internal_ip>[51380] (144 bytes)
[ENC] parsed IKE_AUTH response 3 [ EAP/REQ/MSCHAPV2 ]
[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
[ENC] generating IKE_AUTH request 4 [ EAP/RES/MSCHAPV2 ]
[NET] sending packet: from <client_internal_ip>[51380] to <server_ip>[4500] (80 bytes)
[NET] received packet: from <server_ip>[4500] to <client_internal_ip>[51380] (80 bytes)
[ENC] parsed IKE_AUTH response 4 [ EAP/SUCC ]
[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
[IKE] authentication of '<client_id>' (myself) with EAP
[ENC] generating IKE_AUTH request 5 [ AUTH ]
[NET] sending packet: from <client_internal_ip>[51380] to <server_ip>[4500] (96 bytes)
[NET] received packet: from <server_ip>[4500] to <client_internal_ip>[51380] (288 bytes)
[ENC] parsed IKE_AUTH response 5 [ AUTH CPRP(ADDR ADDR6 DNS) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) ]
[IKE] authentication of '<server_id>' with EAP successful
[IKE] IKE_SA android[2] established between <client_internal_ip>[<client_id>]...<server_ip>[<server_id>]
[IKE] scheduling rekeying in 35866s
[IKE] maximum IKE_SA lifetime 37666s
[IKE] installing DNS server 8.8.8.8
[IKE] installing new virtual IP 10.0.0.1
[IKE] installing new virtual IP 2620:0:2d0:200::7
[CFG] selected proposal: ESP:AES_CBC_128/HMAC_SHA2_256_128/NO_EXT_SEQ
[IKE] CHILD_SA android{2} established with SPIs 58d283b4_i ce546f2f_o and TS 10.0.0.1/32 2620:0:2d0:200::7/128 === <server_ip>/32
[DMN] setting up TUN device for CHILD_SA android{2}
[DMN] successfully created TUN device
[IKE] peer supports MOBIKE

I get the notification that the tunnel is closed.

I added some iptables rules for forwarding, using the following commands based on this link: https://wiki.strongswan.org/projects/strongswan/wiki/ForwardingAndSplitTunneling. I have only one network interface on the server (not counting loopback), which I will refer to as <server_int>

iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o <server_int> -m policy --dir out --pol ipsec -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -o <server_int> -j MASQUERADE
iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT

I also enabled IP forwarding for IPv4 (and for IPv6, if that is the right way to do it) by uncommenting the following lines in /etc/sysctl.conf

net.ipv4.ip_forward=1
net.ipv6.conf.all.forwarding=1

and then reloaded the configuration with sysctl -p /etc/sysctl.conf.

However, when I check my IP online, I still get the client's public IP, not the server's. What makes me believe that nothing is routed over the VPN is that when I enable the option to block all traffic outside the VPN, I lose every connection to the internet (even though the VPN is still up). But I have not touched split tunneling, which by default should redirect everything through the VPN tunnel.

Which part am I missing here?

1 Answer

Server Fault user

Accepted answer

Posted on 2020-11-03 18:17:36

If you want to reach more than just the server through the VPN tunnel, you have to specify that in the traffic selectors. That is, change the child config as follows:

client {
    local_ts = 0.0.0.0/0,::/0
}

The default is dynamic, which defaults to the IP address (or the virtual IP in the client's case), which you can see in the log (e.g. as 10.0.0.1/32 2620:0:2d0:200::7/128 === <server_ip>/32 on the client).

Votes: 1
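The answer points at the traffic-selector pair in the "CHILD_SA ... established" log line as the place where the split-tunnel mistake shows up. The following is an added example, not code from the original post or from strongSwan: it parses that line format, with the sides labelled as charon prints them, and classifies the tunnel as host-only (only the server's own address is reachable, as in the question), partial (a default route for one address family only) or full (0.0.0.0/0 and ::/0, as the accepted answer configures). The sample log lines are constructed for this example; 203.0.113.10 is a documentation address standing in for <server_ip>. Note the orientation: in the server's log the left-hand TS is the server side (what the client may reach), while the client's log prints the same pair swapped, so pass log_from="client" for lines taken from the Android app.

```python
import ipaddress
import re

# Constructed sample lines in charon's format (not taken from the original post).
HOST_ONLY_LINE = (
    "[IKE] <server|4> CHILD_SA client{2} established with SPIs ce546f2f_i 58d283b4_o "
    "and TS   203.0.113.10/32 === 10.0.0.1/32 2620:0:2d0:200::7/128"
)
FULL_TUNNEL_LINE = (
    "[IKE] <server|5> CHILD_SA client{3} established with SPIs 0a1b2c3d_i 4e5f6071_o "
    "and TS 0.0.0.0/0 ::/0 === 10.0.0.1/32 2620:0:2d0:200::7/128"
)
CLIENT_SIDE_LINE = (
    "[IKE] CHILD_SA android{2} established with SPIs 58d283b4_i ce546f2f_o "
    "and TS 10.0.0.1/32 2620:0:2d0:200::7/128 === 203.0.113.10/32"
)

# "CHILD_SA <name> established with SPIs <in> <out> and TS <local...> === <remote...>"
TS_RE = re.compile(
    r"CHILD_SA (?P<name>\S+) established with SPIs \S+ \S+ and TS\s+"
    r"(?P<left>.+?)\s+===\s+(?P<right>.+?)\s*$"
)


def _to_networks(token):
    """Turn one traffic-selector token into a list of ip_network objects.

    Handles CIDR (10.0.0.0/24), single hosts (10.0.0.1/32), address ranges
    (10.0.0.1-10.0.0.254) and strips an optional [proto/port] qualifier.
    """
    token = token.split("[", 1)[0]
    if "-" in token:
        lo, hi = token.split("-", 1)
        return list(ipaddress.summarize_address_range(
            ipaddress.ip_address(lo), ipaddress.ip_address(hi)))
    return [ipaddress.ip_network(token, strict=False)]


def parse_child_sa(line):
    """Return {'name', 'left_ts', 'right_ts'} for a CHILD_SA established line, or None."""
    m = TS_RE.search(line)
    if not m:
        return None
    left = [n for tok in m.group("left").split() for n in _to_networks(tok)]
    right = [n for tok in m.group("right").split() for n in _to_networks(tok)]
    return {"name": m.group("name"), "left_ts": left, "right_ts": right}


def reachable_networks(line, log_from="server"):
    """Networks the client can send into the tunnel, whichever side logged the line."""
    sa = parse_child_sa(line)
    if sa is None:
        raise ValueError("not a 'CHILD_SA ... established' line")
    # Server log: left side is the server's local_ts. Client log: it is on the right.
    return sa["left_ts"] if log_from == "server" else sa["right_ts"]


def covers_all(networks, version):
    """True if the selectors contain a default route (prefix length 0) for this family."""
    return any(n.version == version and n.prefixlen == 0 for n in networks)


def tunnel_mode(line, log_from="server"):
    """Classify the negotiated CHILD_SA: 'full', 'partial' or 'host-only'."""
    nets = reachable_networks(line, log_from)
    v4, v6 = covers_all(nets, 4), covers_all(nets, 6)
    if v4 and v6:
        return "full"
    if v4 or v6:
        return "partial"
    return "host-only"


if __name__ == "__main__":
    for label, line, side in (("question (server log)", HOST_ONLY_LINE, "server"),
                              ("question (client log)", CLIENT_SIDE_LINE, "client"),
                              ("with local_ts = 0.0.0.0/0,::/0", FULL_TUNNEL_LINE, "server")):
        nets = ", ".join(str(n) for n in reachable_networks(line, side))
        print(f"{label}: {tunnel_mode(line, side)} (reachable: {nets})")
```

Run against a live server this is what `swanctl --list-sas` or `grep 'CHILD_SA .* established' /var/log/syslog | python3 -c ...` would feed in; a result other than "full" while the client still believes it has a default route through the tunnel is exactly the symptom in the question, since the IPsec policy only covers the server's own address and everything else leaves the phone in the clear.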
Original content provided by Server Fault.
Original link: https://serverfault.com/questions/1041122