Windows 7和8.1无法连接到Ubuntu22上的strongSwan 5.9VPN服务器
Windows 7和8.1无法连接到Ubuntu22上的strongSwan 5.9VPN服务器
提问于 2022-12-12 11:04:45
我使用Ubuntu22.04和strongSwan 5.9.5在Oracle的OCI上设置了VPN服务器。当我尝试从不同的公路战士连接时,安卓运行良好,Win10工作良好,甚至古老的Blackberry10运行良好,但对于Win7和Win8.1笔记本电脑则不然:它们停留在第一阶段:
mytestcloud charon[968]: 05[NET] received packet: from <MYIP>[500] to 10.0.0.64[500] (616 bytes)
mytestcloud charon[968]: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V V ]
mytestcloud charon[968]: 05[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
mytestcloud charon[968]: 05[IKE] received MS-Negotiation Discovery Capable vendor ID
mytestcloud charon[968]: 05[IKE] received Vid-Initial-Contact vendor ID
mytestcloud charon[968]: 05[ENC] received unknown vendor ID: 01:52:8b:bb:c0:06:96:12:18:49:ab:9a:1c:5b:2a:51:00:00:00:02
mytestcloud charon[968]: 05[IKE] <MYIP> is initiating an IKE_SA
mytestcloud charon[968]: 05[IKE] <MYIP> is initiating an IKE_SA
mytestcloud charon[968]: 05[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
mytestcloud charon[968]: 05[IKE] local host is behind NAT, sending keep alives
mytestcloud charon[968]: 05[IKE] remote host is behind NAT
mytestcloud charon[968]: 05[IKE] sending cert request for "C=<MYCOUNTRY>, O=<MYFIRM>, CN=<MYNAME>"
mytestcloud charon[968]: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(CHDLESS_SUP) N(MULT_AUTH) ]
mytestcloud charon[968]: 05[NET] sending packet: from 10.0.0.64[500] to <MYIP>[500] (345 bytes)
mytestcloud charon[968]: 08[IKE] sending keep alive to <MYIP>[500]
mytestcloud charon[968]: 09[JOB] deleting half open IKE_SA with <MYIP> after timeout我的ipsec.conf是:
config setup
charondebug="ike 1, knl 1, cfg 1"
strictcrlpolicy=no
# uniqueids = no
conn %default
ikelifetime=24h
keylife=24h
keyexchange=ikev2
dpdaction=clear
dpdtimeout=3600s
dpddelay=3600s
compress=yes
leftfirewall=yes
left=%any
leftsubnet=0.0.0.0/0
right=%any
rightsourceip=192.168.2.100/28
# rightdns=8.8.8.8, 8.8.4.4
# leftsendcert=always
# fragmentation=yes
# rightsendcert=never
# forceencaps=yes
rekey=no
auto=add
ike=aes256-sha1-modp1024,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
conn roadwarrior
leftauth=pubkey
leftcert=VPNCert.pem
leftid=<SERVERIP>
rightauth=pubkey状态是(Win10膝上型计算机连接):
ubuntu@mytestcloud:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-1025-oracle, aarch64):
uptime: 36 minutes, since Dec 12 09:05:21 2022
malloc: sbrk 2605056, mmap 0, used 1670848, free 934208
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon pkcs11 aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp curve25519 xcbc cmac hmac ccm gcm drbg curl attr kernel-netlink resolve socket-default farp stroke vici updown eap-identity eap-aka eap-aka-3gpp2 eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-tls eap-ttls eap-peap eap-tnc xauth-generic tnc-tnccs dhcp counters
Virtual IP pools (size/online/offline):
192.168.2.100/28: 11/1/0
Listening IP addresses:
10.0.0.64
Connections:
roadwarrior: %any...%any IKEv2, dpddelay=3600s
roadwarrior: local: [<SERVERIP>] uses public key authentication
roadwarrior: cert: "C=<MYCOUNTRY>, O=<MYFIRM>, CN=<SERVERIP>"
roadwarrior: remote: uses public key authentication
roadwarrior: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
roadwarrior[3]: ESTABLISHED 7 minutes ago, 10.0.0.64[150.136.154.215]...<MYIP>[C=<MYCOUNTRY>, O=<MYFIRM>, CN=Win10]
roadwarrior[3]: IKEv2 SPIs: 250f9e9db620a7e7_i 29b6ebbdb66a922a_r*, rekeying disabled
roadwarrior[3]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
roadwarrior{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c084f973_i 5daafdba_o
roadwarrior{1}: AES_CBC_256/HMAC_SHA1_96, 30958 bytes_i (122 pkts, 80s ago), 14517 bytes_o (50 pkts, 80s ago), rekeying disabled
roadwarrior{1}: 0.0.0.0/0 === 192.168.2.100/32我怀疑,这是某种碎裂问题,因为在添加
fragmentation=no在ipsec.conf中,Win10设备以非常相同的方式下降。我补充说,一切都是必需的,我的意思是
net/ipv4/ip_no_pmtu_disc=1在sysctl.conf和
FORWARD -t mangle --match policy --pol ipsec --dir in -o enp0s3 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360在iptable的规则中。请记住,我可以使用几乎相同的配置在Ubuntu16.04/ strongSwan 5.2.2上的AWS没有任何问题。不同的是默认密码套件和不同的服务器证书。那么,我能用某种方式将那些Windows野兽连接起来吗?
回答 1
Server Fault用户
发布于 2022-12-30 10:16:34
嗯,问题似乎是数据包碎片。一方面,我认为甲骨文已经将碎片硬编码到它的公共接口中;另一方面,遗留的Windows OSes (Windows7、Windows8/8.1、Windows10Pre1803、Ubuntu 16)不支持碎片化。因此,没有任何方法可以使用这种OSes上的客户端连接运行在Oracle上的strongSwan。有三种解决办法可以克服这一限制:
- 远离遗留客户端(对于使用这些客户端的人来说不是很令人印象深刻)。
- 变更云提供商--我在Amazon和DigitalOcean上测试了DigitalOcean:一切都完美无缺。
- 改变VPN类型-就我个人而言,我以这个解决方案结束: WireGuard在Oracle上没有任何问题。我解决了DNS泄漏的问题,作为一个很好的补充。
页面原文内容由Server Fault提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://serverfault.com/questions/1117826
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号