I am trying to connect to my strongSwan VPN server, compiled from 5.9.14.
I installed it on the server and the client tries to connect, but the server never picks up the phone. I have checked the firewall, and it is set to allow ports 500 and 4500. I also tried to get it to log more verbosely, but it does not do so, or at least nothing shows up in syslog.
Overall I am confused, and I would be grateful for any help. I tried troubleshooting with UFW, but nothing had any effect.
The server is Ubuntu 24.04.01 LTS.
Compile command:
./configure --prefix=/usr --sysconfdir=/etc --disable-defaults --enable-silent-rules --enable-charon --enable-systemd --enable-ikev2 --enable-vici --enable-swanctl --enable-nonce --enable-random --enable-drbg --enable-openssl --enable-curl --enable-pem --enable-x509 --enable-constraints --enable-revocation --enable-pki --enable-pubkey --enable-socket-default --enable-kernel-netlink --enable-resolve --enable-eap-identity --enable-eap-md5 --enable-eap-dynamic --enable-eap-tls --enable-updown --enable-tss-tss2 --enable-tpm
root@huginn:~/strongswan-5.9.14# service strongswan status
● strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
Loaded: loaded (/usr/lib/systemd/system/strongswan.service; enabled; preset: enabled)
Active: active (running) since Mon 2024-09-02 21:06:16 EDT; 10min ago
Process: 220846 ExecStartPost=/usr/sbin/swanctl --load-all --noprompt (code=exited, status=0/SUCCESS)
Main PID: 220827 (charon-systemd)
Status: "charon-systemd running, strongSwan 5.9.14, Linux 6.8.0-41-generic, x86_64"
Tasks: 17 (limit: 9445)
Memory: 3.5M (peak: 6.1M)
CPU: 44ms
CGroup: /system.slice/strongswan.service
└─220827 /usr/sbin/charon-systemd
Sep 02 21:06:16 huginn swanctl[220846]: loaded certificate from '/etc/swanctl/x509ca/ca-chain.cert.pem'
Sep 02 21:06:16 huginn swanctl[220846]: loaded private key from '/etc/swanctl/private/vpn.server.org.key.pem'
Sep 02 21:06:16 huginn swanctl[220846]: loaded eap secret 'eap-user'
Sep 02 21:06:16 huginn swanctl[220846]: loaded authority 'Strongswan'
Sep 02 21:06:16 huginn swanctl[220846]: successfully loaded 1 authorities, 0 unloaded
Sep 02 21:06:16 huginn swanctl[220846]: loaded pool 'remote_pool'
Sep 02 21:06:16 huginn swanctl[220846]: successfully loaded 1 pools, 0 unloaded
Sep 02 21:06:16 huginn swanctl[220846]: loaded connection 'roadwarrior'
Sep 02 21:06:16 huginn swanctl[220846]: successfully loaded 1 connections, 0 unloaded
Sep 02 21:06:16 huginn systemd[1]: Started strongswan.service - strongSwan IPsec IKEv1/IKEv2 daemon using swanctl.
Logging configuration file
charon-systemd {
    journal {
        default = 4
        ike = 4
        knl = 4
        # ...
    }
}
charon {
    # two defined file loggers
    filelog {
        charon {
            # path to the log file, specify this as section name in versions prior to 5.7.0
            path = /var/log/charon.log
            # add a timestamp prefix
            time_format = %b %e %T
            # prepend connection name, simplifies grepping
            ike_name = yes
            # append to the existing file instead of overwriting it
            append = yes
            # increase default loglevel for all daemon subsystems
            default = 2
            # flush each line to disk
            flush_line = yes
        }
        stderr {
            # more detailed loglevel for a specific subsystem, overriding the
            # default loglevel.
            ike = 2
            knl = 3
        }
    }
    # and two loggers using syslog
    syslog {
        # prefix for each log message
        identifier = charon-custom
        # use default settings to log to the LOG_DAEMON facility
        daemon {
        }
        # very minimalistic IKE auditing logs to LOG_AUTHPRIV
        auth {
            default = -1
            ike = 0
        }
    }
    # ...
}
Connection configuration file
# roadwarrior configuration
authorities {
    Strongswan {
        cacert = ca-chain.cert.pem
    }
}
journal {
    default = 4
    ike = 4
    knl = 4
    # ...
}
connections {
    roadwarrior {
        pools = rw_pool
        local {
            auth = pubkey
            certs = vpn.server.org.cert.pem
            id = vpn.server.org
        }
        remote {
            auth = pubkey
        }
        children {
            roadwarrior {
                # local_ts = 10.1.0.0/16
                # local_ts = 0.0.0.0/0
                local_ts = 0.0.0.0/0, ::/0
                rekey_time = 0
            }
        }
    }
}
Client log (Ubuntu Desktop 24.04)
2024-09-02T19:32:04.323589-06:00 fafnir charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
2024-09-02T19:32:04.323634-06:00 fafnir charon-nm: 05[NET] sending packet: from 192.168.30.50[46858] to 167.71.166.210[500] (972 bytes)
2024-09-02T19:32:08.324281-06:00 fafnir charon-nm: 12[IKE] retransmit 1 of request with message ID 0
2024-09-02T19:32:08.324342-06:00 fafnir charon-nm: 12[NET] sending packet: from 192.168.30.50[46858] to <server ip>[500] (972 bytes)
2024-09-02T19:32:15.524583-06:00 fafnir charon-nm: 14[IKE] retransmit 2 of request with message ID 0
2024-09-02T19:32:15.524692-06:00 fafnir charon-nm: 14[NET] sending packet: from 192.168.30.50[46858] to <server ip>[500] (972 bytes)
2024-09-02T19:32:28.485020-06:00 fafnir charon-nm: 09[IKE] retransmit 3 of request with message ID 0
2024-09-02T19:32:28.485079-06:00 fafnir charon-nm: 09[NET] sending packet: from 192.168.30.50[46858] to <server ip>[500] (972 bytes)
2024-09-02T19:32:51.813298-06:00 fafnir charon-nm: 15[IKE] retransmit 4 of request with message ID 0
2024-09-02T19:32:51.813448-06:00 fafnir charon-nm: 15[NET] sending packet: from 192.168.30.50[46858] to <server ip>[500] (972 bytes)
2024-09-02T19:33:04.247159-06:00 fafnir charon-nm[70214]: Connect timer expired, disconnecting.
2024-09-02T19:33:04.247220-06:00 fafnir charon-nm: 08[IKE] destroying IKE_SA in state CONNECTING without notification
2024-09-02T19:33:04.247899-06:00 fafnir charon-nm: 07[KNL] interface nm-xfrm-2751540 deactivated
2024-09-02T19:33:04.248785-06:00 fafnir charon-nm: 13[KNL] fe80::bddd:f33c:78f:5cd9 disappeared from nm-xfrm-2751540
Update, September 4.
My client connects through Starlink, which as far as I know has IPv4 issues, so I reconfigured it for IPv6 following the strongSwan test lab configuration for an IPv6 roadwarrior. I then ran tcpdump on the server while trying to connect and got the following:
02:42:11.805109 IP6 (flowlabel 0x064f8, hlim 53, next-header UDP (17) payload length: 248) client-ipv6-address.55059 > server-ipv6-address.500: [udp sum ok] isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0080))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=#31 )))
(v2ke: len=32 group=#31)
(nonce: len=32 data=(37b6ff2309f8d07e5532...0000402f00020003000400050000000800004016))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431(status))
(n: prot_id=#0 type=16406(status))
02:42:15.803606 IP6 (flowlabel 0x064f8, hlim 53, next-header UDP (17) payload length: 248) client-ipv6-address.55059 > server-ipv6-address.500: [udp sum ok] isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0080))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=#31 )))
(v2ke: len=32 group=#31)
(nonce: len=32 data=(37b6ff2309f8d07e5532...0000402f00020003000400050000000800004016))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431(status))
(n: prot_id=#0 type=16406(status))
02:42:23.008293 IP6 (flowlabel 0x064f8, hlim 53, next-header UDP (17) payload length: 248) client-ipv6-address.55059 > server-ipv6-address.500: [udp sum ok] isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0080))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=#31 )))
(v2ke: len=32 group=#31)
(nonce: len=32 data=(37b6ff2309f8d07e5532...0000402f00020003000400050000000800004016))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431(status))
(n: prot_id=#0 type=16406(status))
02:42:35.966303 IP6 (flowlabel 0x064f8, hlim 53, next-header UDP (17) payload length: 248) client-ipv6-address.55059 > server-ipv6-address.500: [udp sum ok] isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0080))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=#31 )))
(v2ke: len=32 group=#31)
(nonce: len=32 data=(37b6ff2309f8d07e5532...0000402f00020003000400050000000800004016))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431(status))
(n: prot_id=#0 type=16406(status))
02:42:59.299393 IP6 (flowlabel 0x064f8, hlim 53, next-header UDP (17) payload length: 248) client-ipv6-address.55059 > server-ipv6-address.500: [udp sum ok] isakmp 2.0 msgid 00000000: parent_sa ikev2_init[I]:
(sa: len=44
(p: #1 protoid=isakmp transform=4 len=44
(t: #1 type=encr id=aes (type=keylen value=0080))
(t: #2 type=integ id=#12 )
(t: #3 type=prf id=#5 )
(t: #4 type=dh id=#31 )))
(v2ke: len=32 group=#31)
(nonce: len=32 data=(37b6ff2309f8d07e5532...0000402f00020003000400050000000800004016))
(n: prot_id=#0 type=16388(nat_detection_source_ip))
(n: prot_id=#0 type=16389(nat_detection_destination_ip))
(n: prot_id=#0 type=16430(status))
(n: prot_id=#0 type=16431
I get nothing in syslog about the client IP or the IKEv2 connection.
Update, September 4 - ps -ef output
UID PID PPID C STIME TTY TIME CMD
root 1020 1 0 03:03 ? 00:00:00 /usr/sbin/charon-systemd
So the problem is that Ubuntu 24.04 uses a netfilter / nft firewall. A separate table, inet, is created that applies to both IPv4 and IPv6, but it is not modified by UFW or iptables commands.
List the rules with their position numbers.
Apply the following rule at a position at least above the final (drop) rule.
Adding the above rule above the final drop rule fixed the dropped packets, regardless of whether the UFW and iptables rules accepted port 500.
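As an added example (not part of the original post), the following shell helper does the two steps described above on a captured copy of `nft -a list ruleset` output: it finds the handle of the final drop rule in the input chain and prints the `nft insert rule` command that would accept IKE (UDP 500) and NAT-T (UDP 4500) directly above it. The table name `filter`, the chain name `input` and the sample ruleset are assumptions; the script only prints the command and never touches the live firewall.

```shell
#!/bin/sh
# Added example: derive the nft insert command for IKE/NAT-T from a ruleset listing.
# Nothing here modifies the firewall; the command is only printed for review.

# Constructed sample of `nft -a list ruleset` output (table "filter" and
# chain "input" are assumptions, as are the rule handles).
SAMPLE_RULESET='table inet filter {
    chain input {
        type filter hook input priority filter; policy accept;
        ct state established,related accept # handle 3
        iif "lo" accept # handle 4
        tcp dport 22 accept # handle 5
        counter drop # handle 6
    }
}'

# Print the handle of the last rule containing "drop" inside the named chain.
# Prints nothing if the chain or such a rule does not exist.
last_drop_handle() {
    # $1 = ruleset text, $2 = chain name
    printf '%s\n' "$1" | awk -v chain="$2" '
        $1 == "chain" && $2 == chain { inchain = 1; next }
        inchain && $1 == "}"        { inchain = 0 }
        inchain && /drop/ && /# handle [0-9]+/ {
            for (i = 1; i <= NF; i++) if ($i == "handle") h = $(i + 1)
        }
        END { if (h != "") print h }'
}

# Build the command that inserts an accept rule for UDP 500/4500 before the
# final drop rule; "insert ... position <handle>" places a rule before that handle.
ike_accept_command() {
    # $1 = ruleset text, $2 = table name, $3 = chain name
    handle=$(last_drop_handle "$1" "$3")
    [ -n "$handle" ] || return 1
    printf 'nft insert rule inet %s %s position %s udp dport { 500, 4500 } accept\n' \
        "$2" "$3" "$handle"
}

ike_accept_command "$SAMPLE_RULESET" filter input
```

On a real host, replace the sample with `nft -a list ruleset` output and review the printed command before running it as root.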