
Questions [zyxel] (server)

user4838962
Asked: 2021-03-24 08:39:40 +0800 CST

How to debug: ssh_exchange_identification: Connection closed by remote host

  • 0

SSH via the private IP works fine

I can SSH to the server using its private IP address:

C:\Users\m3>ssh -vvvvA uconn@192.168.1.11
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug3: Failed to open file:C:/Users/m3/.ssh/config error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolve_canonicalize: hostname 192.168.1.11 is address
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 192.168.1.11 [192.168.1.11] port 22.
debug1: Connection established.
debug3: Failed to open file:C:/Users/m3/.ssh/id_rsa error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_rsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_rsa type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_rsa-cert error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_rsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_rsa-cert type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_dsa error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_dsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_dsa type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_dsa-cert error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_dsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_dsa-cert type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_ecdsa error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_ecdsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_ecdsa type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_ecdsa-cert error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_ecdsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_ecdsa-cert type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_ed25519 error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_ed25519.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_ed25519 type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_ed25519-cert error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_ed25519-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_ed25519-cert type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_xmss error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_xmss.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_xmss type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_xmss-cert error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_xmss-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
debug1: match: OpenSSH_7.2p2 Ubuntu-4ubuntu2.10 pat OpenSSH* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 192.168.1.11:22 as 'uconn'
debug3: hostkeys_foreach: reading file "C:\\Users\\m3/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file C:\\Users\\m3/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 192.168.1.11
debug3: Failed to open file:C:/Users/m3/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com
debug2: compression stoc: none,zlib@openssh.com
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:eyPiBvKLgJOk1xJc0k6cx9UnwIXbUUaXu9pPHTKt5Rg
debug3: hostkeys_foreach: reading file "C:\\Users\\m3/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file C:\\Users\\m3/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys from 192.168.1.11
debug3: Failed to open file:C:/Users/m3/.ssh/known_hosts2 error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_known_hosts2 error:2
debug1: Host '192.168.1.11' is known and matches the ECDSA host key.
debug1: Found key in C:\\Users\\m3/.ssh/known_hosts:1
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug3: unable to connect to pipe \\\\.\\pipe\\openssh-ssh-agent, error: 2
debug1: pubkey_prepare: ssh_get_authentication_socket: No such file or directory
debug2: key: C:\\Users\\m3/.ssh/id_rsa (0000000000000000)
debug2: key: C:\\Users\\m3/.ssh/id_dsa (0000000000000000)
debug2: key: C:\\Users\\m3/.ssh/id_ecdsa (0000000000000000)
debug2: key: C:\\Users\\m3/.ssh/id_ed25519 (0000000000000000)
debug2: key: C:\\Users\\m3/.ssh/id_xmss (0000000000000000)
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,password
debug3: start over, passed a different list publickey,password
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Trying private key: C:\\Users\\m3/.ssh/id_rsa
debug3: no such identity: C:\\Users\\m3/.ssh/id_rsa: No such file or directory
debug1: Trying private key: C:\\Users\\m3/.ssh/id_dsa
debug3: no such identity: C:\\Users\\m3/.ssh/id_dsa: No such file or directory
debug1: Trying private key: C:\\Users\\m3/.ssh/id_ecdsa
debug3: no such identity: C:\\Users\\m3/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: C:\\Users\\m3/.ssh/id_ed25519
debug3: no such identity: C:\\Users\\m3/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: C:\\Users\\m3/.ssh/id_xmss
debug3: no such identity: C:\\Users\\m3/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
debug3: failed to open file:C:/dev/tty error:3
debug1: read_passphrase: can't open /dev/tty: No such file or directory
uconn@192.168.1.11's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 52
debug1: Authentication succeeded (password).
Authenticated to 192.168.1.11 ([192.168.1.11]:22).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug3: send packet: type 90
debug1: Requesting no-more-sessions@openssh.com
debug3: send packet: type 80
debug1: Entering interactive session.
debug1: pledge: network
debug1: console supports the ansi parsing
debug3: Successfully set console output code page from:437 to 65001
debug3: Successfully set console input code page from:437 to 65001
debug3: receive packet: type 80
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug3: receive packet: type 91
debug2: channel_input_open_confirmation: channel 0: callback start
debug3: unable to connect to pipe \\\\.\\pipe\\openssh-ssh-agent, error: 2
debug1: ssh_get_authentication_socket: No such file or directory
debug2: fd 3 setting TCP_NODELAY
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug3: send packet: type 98
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-206-generic i686)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 of these updates are security updates.

New release '18.04.5 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


Last login: Tue Mar 23 14:22:05 2021 from 192.168.1.52

SSH via the public IP fails

But when I use its public IP address, I get an error:

ssh_exchange_identification: Connection closed by remote host

C:\Users\m3>ssh -vvvvA uconn@11.111.11.111
OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5
debug3: Failed to open file:C:/Users/m3/.ssh/config error:2
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolve_canonicalize: hostname 11.111.11.111 is address
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 11.111.11.111 [11.111.11.111] port 22.
debug1: Connection established.
debug3: Failed to open file:C:/Users/m3/.ssh/id_rsa error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_rsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_rsa type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_rsa-cert error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_rsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_rsa-cert type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_dsa error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_dsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_dsa type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_dsa-cert error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_dsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_dsa-cert type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_ecdsa error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_ecdsa.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_ecdsa type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_ecdsa-cert error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_ecdsa-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_ecdsa-cert type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_ed25519 error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_ed25519.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_ed25519 type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_ed25519-cert error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_ed25519-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_ed25519-cert type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_xmss error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_xmss.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_xmss type -1
debug3: Failed to open file:C:/Users/m3/.ssh/id_xmss-cert error:2
debug3: Failed to open file:C:/Users/m3/.ssh/id_xmss-cert.pub error:2
debug1: key_load_public: No such file or directory
debug1: identity file C:\\Users\\m3/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_for_Windows_7.7
ssh_exchange_identification: Connection closed by remote host

How to debug

What could be the cause? How do I debug the problem?

Router port forwarding

The server has a private IP address, but there is a router with a public IP address that forwards SSH port 22 to the private IP address.

(Screenshot: router port forwarding)

sshd log

As suggested here, I used this command on the server to log the sshd output:

$ tail -f -n 500 /var/log/auth.log | grep 'sshd'

When I run ssh uconn@192.168.1.11 on the client, I get the following log:

Mar 23 17:26:10 server-homeshine sshd[1355]: Accepted password for uconn from 192.168.1.52 port 53107 ssh2
Mar 23 17:26:10 server-homeshine sshd[1355]: pam_unix(sshd:session): session opened for user uconn by (uid=0)

But when I run ssh uconn@11.111.11.111 on the client, no log appears at all. I think this hints that the router does not forward port 22 when the public IP address is used; I don't know why.

sshd configuration

The sshd configuration on the server is:

uconn@server-homeshine:/etc/ssh$ cat sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
ListenAddress ::
ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin prohibit-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

iptables

Here are the iptables rules on the server:

$ sudo iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
$ sudo ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

Routing table

Server routing table:

$ sudo route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 enp9s0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 enp9s0

Wireshark/Tshark

Installing tshark on the server and inspecting the network packets shows that when I run ssh uconn@192.168.1.11 (private IP) on the client, the SSH packets are received by the server.

But when I run ssh uconn@11.111.11.111 (public IP) on the client, the server receives no SSH packets at all.

The conclusion is that the ADSL router is not forwarding the SSH packets to the server.

Zyxel inquiry

I contacted Zyxel about this issue and received this reply:

When doing port forwarding, you need to make sure the internal server has a gateway address pointing to the gateway, so that it is able to respond to external requests.

Also check that the gateway itself is not using port 22.

Server default gateway

My server's default gateway is 192.168.1.1, as it should be:

$ ip r
default via 192.168.1.1 dev enp9s0 onlink
192.168.1.0/24 dev enp9s0  proto kernel  scope link  src 192.168.1.11
router routing ssh zyxel
  • 1 answer
  • 1306 Views
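The question's two traces differ at one point: both reach "Connection established", but on the public IP the peer hangs up before sending its own "SSH-2.0-..." line. The probe below, an added diagnostic that is not code from the question, makes that distinction explicit from a client machine, separating "nothing accepted the TCP connection" from "something accepted it but is not an SSH server" (a router answering on port 22 itself, as Zyxel's reply hints) from "a real sshd answered, here is its version string". The host and port are assumed arguments; the banner rules follow RFC 4253 section 4.2.

```python
"""Banner probe for "ssh_exchange_identification: Connection closed by remote host".

Outcomes reported by probe_ssh():
  refused / unreachable   nothing accepted the TCP SYN (forward missing or filtered)
  closed-before-banner    TCP was accepted but the peer hung up before an "SSH-" line
                          (the symptom in the question: the accepting endpoint is not
                          sshd, or sshd dropped us before sending its identification)
  banner                  a real SSH server answered; its version string is returned
"""
import socket

ID_LINE_MAX = 255      # RFC 4253 4.2: identification string incl. CR LF
PREBANNER_MAX = 8192   # our own safety valve for an unterminated line (assumption)


def parse_identification(data: bytes):
    """Classify bytes received from a server before key exchange.

    RFC 4253 lets a server send extra text lines before its identification
    string; lines not starting with "SSH-" are skipped. Returns one of
      ("banner", "SSH-2.0-...")  a complete identification line was seen,
      ("incomplete", None)       no terminated "SSH-" line has arrived yet,
      ("garbage", None)          an over-long line: this is not an SSH server.
    """
    lines = data.split(b"\n")
    for line in lines[:-1]:                 # only LF-terminated lines are complete
        line = line.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            if len(line) + 2 > ID_LINE_MAX:
                return ("garbage", None)
            return ("banner", line.decode("ascii", "replace"))
    if len(lines[-1]) > PREBANNER_MAX:      # unterminated tail growing without bound
        return ("garbage", None)
    return ("incomplete", None)


def probe_ssh(host: str, port: int = 22, timeout: float = 5.0):
    """Connect, send our own identification line, and report what the peer does."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"SSH-2.0-banner_probe\r\n")   # a client must send its ID too
            buf = b""
            while True:
                try:
                    chunk = sock.recv(1024)
                except socket.timeout:
                    return ("silent-after-connect", None)
                if not chunk:                            # peer closed the connection
                    status, version = parse_identification(buf)
                    if status == "banner":
                        return ("banner", version)
                    return ("closed-before-banner", None)
                buf += chunk
                status, version = parse_identification(buf)
                if status == "banner":
                    return ("banner", version)
                if status == "garbage":
                    return ("not-ssh", None)
    except ConnectionRefusedError:
        return ("refused", None)
    except OSError as exc:                    # connect timeout, no route, etc.
        return ("unreachable", str(exc))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.11"
    print(target, probe_ssh(target))
```

Run it once against the private IP and once against the public IP: a "banner" result on the first and "closed-before-banner" on the second confirms that the device accepting port 22 on the public address is not the server's sshd.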
Baptiste Vadé
Asked: 2020-11-11 02:43:20 +0800 CST

Site-to-site IPsec between StrongSwan and a Zyxel NSG200

  • 1

I'm trying to bring up a site-to-site IPsec connection between a Debian 10 server running StrongSwan and a Nebula NSG200.

Let's assume:

  • Debian server:
    • Public IP: 50.50.50.45
    • Private network: 10.1.0.0/16
  • Nebula NSG200:
    • Public IP: 100.100.100.123
    • Private network: 10.40.0.0/24

But authentication fails every time. I get the following messages in the Debian logs.

I don't understand why authentication fails!

...
charon: 13[NET] received packet: from 100.100.100.123[500] to 50.50.50.45[500] (480 bytes)
charon: 13[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V V ]
charon: 13[ENC] received unknown vendor ID: xx:xx:xx:xx:xx:...
charon: 13[ENC] received unknown vendor ID: yy:yy:yy:yy:yy:...
charon: 13[ENC] received unknown vendor ID: zz:zz:zz:zz:zz:...
charon: 13[IKE] 100.100.100.123 is initiating an IKE_SA
charon: 13[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1024
charon: 13[IKE] remote host is behind NAT
charon: 13[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
charon: 13[NET] sending packet: from 50.50.50.45[500] to 100.100.100.123[500] (312 bytes)
charon: 14[NET] received packet: from 100.100.100.123[4500] to 50.50.50.45[4500] (320 bytes)
charon: 14[ENC] parsed IKE_AUTH request 1 [ IDi CERTREQ AUTH SA TSi TSr N(HTTP_CERT_LOOK) N(INIT_CONTACT) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
charon: 14[IKE] received 1 cert requests for an unknown ca
charon: 14[CFG] looking for peer configs matching 50.50.50.45[%any]...100.100.100.123[10.0.1.250]
charon: 14[CFG] no matching peer config found
charon: 14[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
charon: 14[ENC] generating IKE_AUTH response 1 [ N(AUTH_FAILED) ]
charon: 14[NET] sending packet: from 50.50.50.45[4500] to 100.100.100.123[4500] (96 bytes)
...

StrongSwan side

/etc/ipsec.conf:

config setup
        charondebug="all"
        uniqueids=yes
conn deb-to-neb
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=100.100.100.123
        leftsubnet=10.40.0.1/24
        right=50.50.50.45
        rightsubnet=10.1.0.1/16
        ike=aes256-sha512-modp1024!
        esp=aes256-sha512!
        aggressive=yes
        keyingtries=%forever
        ikelifetime=86400s
        lifetime=3600s
        dpdaction=restart

/etc/ipsec.secrets:

100.100.100.123 50.50.50.45 : PSK "MySuperSecret"
50.50.50.45 100.100.100.123 : PSK "MySuperSecret"

Nebula side

(Screenshot: Nebula configuration)

  • Phase 1
    • IKE version: IKEv2
    • Encryption: AES256
    • Authentication: SHA512
    • Diffie-Hellman group: DH2
    • Lifetime (seconds): 86400
  • Phase 2 (group 1)
    • Encryption: AES256
    • Authentication: SHA512
    • PFS group: DH2
    • Lifetime (seconds): 3600
vpn site-to-site-vpn ipsec strongswan zyxel
  • 2 answers
  • 859 Views
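The charon log above fails before authentication even starts: "looking for peer configs matching 50.50.50.45[%any]...100.100.100.123[10.0.1.250]" followed by "no matching peer config found" means the NSG200 identified itself as 10.0.1.250, while the posted ipsec.conf names no explicit identity for the peer. The script below is an added diagnostic, not part of the question or of strongSwan: it parses that log line and the conn section and reports where the configured and received identities disagree. It assumes strongSwan's documented default that an unset leftid/rightid falls back to the left/right address, and that the side whose address matches the local socket address in the log is the local one (the question's config lists the Nebula as `left`, so the peer's identity key in that layout is `leftid`).

```python
"""Compare the IKE identity a peer sent with the identity ipsec.conf expects.

charon logs the candidate lookup as
  looking for peer configs matching <me>[<my-id>]...<peer>[<peer-id>]
"""
import re

PEER_CFG_RE = re.compile(
    r"looking for peer configs matching "
    r"(?P<me>\S+?)\[(?P<my_id>[^\]]*)\]\.\.\.(?P<peer>\S+?)\[(?P<peer_id>[^\]]*)\]"
)


def parse_ipsec_conf(text: str) -> dict:
    """Return {conn_name: {key: value}} for every conn section, comments stripped."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("conn "):
            current = line.split(None, 1)[1].strip()
            conns[current] = {}
        elif line.startswith("config "):
            current = None                      # 'config setup' is not a conn
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            conns[current][key.strip()] = value.strip()
    return conns


def expected_peer_id(conn: dict, my_addr: str) -> str:
    """Identity this conn expects from the remote side.

    Assumption (strongSwan default): leftid/rightid fall back to left/right.
    The side whose address equals our own socket address is local; the other
    side is the peer.
    """
    if conn.get("right") == my_addr:            # sections written the other way round
        return conn.get("leftid", conn.get("left", ""))
    return conn.get("rightid", conn.get("right", ""))


def diagnose(log_lines, ipsec_conf: str):
    """Return [(conn, expected_peer_id, received_peer_id)] for every mismatch."""
    findings = []
    conns = parse_ipsec_conf(ipsec_conf)
    for line in log_lines:
        m = PEER_CFG_RE.search(line)
        if not m:
            continue
        for name, conn in conns.items():
            want = expected_peer_id(conn, m["me"])
            if want == "%any" or want == m["peer_id"]:
                continue                        # wildcard or exact match: no finding
            findings.append((name, want, m["peer_id"]))
    return findings


# Sample input: the conn section and the log line as posted in the question.
SAMPLE_CONF = """\
config setup
        charondebug="all"
        uniqueids=yes
conn deb-to-neb
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=100.100.100.123
        leftsubnet=10.40.0.1/24
        right=50.50.50.45
        rightsubnet=10.1.0.1/16
"""
SAMPLE_LOG = [
    "charon: 14[CFG] looking for peer configs matching "
    "50.50.50.45[%any]...100.100.100.123[10.0.1.250]",
    "charon: 14[CFG] no matching peer config found",
]

if __name__ == "__main__":
    for name, want, got in diagnose(SAMPLE_LOG, SAMPLE_CONF):
        print(f"conn {name}: expects peer id {want!r} but the peer sent {got!r}; "
              f"set the peer side's id (leftid/rightid) to {got!r} or to %any")
```

The PSK lookup in ipsec.secrets is keyed by the same identities, so whichever id the conn ends up expecting should also appear on the matching secrets line.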
Lucio Crusca
Asked: 2020-10-27 14:43:41 +0800 CST

WireGuard does not complete the handshake

  • 8

I have two Debian GNU/Linux systems (bullseye/sid), both running WireGuard on port 23456, both behind NAT. Both run kernel versions > 5.6 (WireGuard mainlined).

System A is the server; it dynamically updates a dedicated A record for its Internet domain on the authoritative name server with the correct public IP address assigned to its Internet-facing router A (a ZyWALL USG 100 firewall). It does this every minute, but the public IP address actually only changes when the router/firewall reboots, which basically never happens.

System B is behind VDSL router B and acts as the WireGuard client, pointing at the dynamically updated A record and port 33456. Router B is a consumer-grade VDSL router that allows everything in the outbound direction and only replies inbound.

Router/firewall A (ZyWALL USG 100) is configured to let UDP packets on port 23456 through and forward them to server A. Here are the relevant configuration screens:

(Screenshots: ZyWALL USG 100 WireGuard-behind-NAT configuration)

Here is the server A WireGuard configuration file (the keys in this snippet, although valid, are not the real ones):

[Interface]
Address = 10.31.33.100/24, fc00:31:33::1/64
ListenPort = 23456
PrivateKey = iJE/5Qy4uO55uUQg8nnDKQ/dFT1MEq+tDfFXrGNj3GY=
# PreUp = iptables -t nat -A POSTROUTING -s 10.31.33.0/24  -o enp1s0 -j MASQUERADE; ip6tables -t nat -A POSTROUTING -s fc00:31:33::/64 -o enp1s0 -j MASQUERADE
# PostDown = iptables -t nat -D POSTROUTING -s 10.31.33.0/24  -o enp1s0 -j MASQUERADE; ip6tables -t nat -D POSTROUTING -s fc00:31:33::/64 -o enp1s0 -j MASQUERADE

# Simon
[Peer]
PublicKey = QnkTJ+Qd9G5EybA2lAx2rPNRkxiQl1W6hHeEFWgJ0zc=
AllowedIPs = 10.31.33.211/32, fc00:31:33::3/128

Here is client B's WireGuard configuration (again, keys and domain are not real):

[Interface]
PrivateKey = YA9cRlF4DgfUojqz6pK89poB71UFoHPM6pdMQabWf1I=
Address = 10.31.33.211/32

[Peer]
PublicKey = p62kU3HoXLJACI4G+9jg0PyTeKAOFIIcY5eeNy31cVs=
AllowedIPs = 10.31.33.0/24, 172.31.33.0/24
Endpoint = wgsrv.example.com:33456
PersistentKeepalive = 25

Here is a rough diagram describing the situation:

Client B -> LAN B -> VDSL Router B (NAT) -> the internet -> ZyWALL (NAT) -> LAN A -> Server A

Starting WireGuard on both systems does not establish the VPN connection. After enabling debug messages on the client and adding a LOG rule to iptables that logs OUTPUT packets, I get lots of these:

[414414.454367] IN= OUT=wlp4s0 SRC=10.150.44.32 DST=1.2.3.4 LEN=176 TOS=0x08 PREC=0x80 TTL=64 ID=2797 PROTO=UDP SPT=36883 DPT=33456 LEN=156 
[414419.821744] wireguard: wg0-simon: Handshake for peer 3 (1.2.3.4:33456) did not complete after 5 seconds, retrying (try 2)
[414419.821786] wireguard: wg0-simon: Sending handshake initiation to peer 3 (1.2.3.4:33456)

I added a LOG iptables rule on the server in order to diagnose router configuration problems.

root@wgserver ~ # iptables -t nat -I INPUT 1 -p udp --dport 23456 -j LOG

It logs the WireGuard packets received from the client (but I don't know whether they are invalid or incomplete):

[ 1412.380826] IN=enp1s0 OUT= MAC=6c:62:6d:a6:5a:8e:d4:60:e3:e0:23:30:08:00 SRC=37.161.119.20 DST=10.150.44.188 LEN=176 TOS=0x08 PREC=0x00 TTL=48 ID=60479 PROTO=UDP SPT=8567 DPT=23456 LEN=156 
[ 1417.509702] IN=enp1s0 OUT= MAC=6c:62:6d:a6:5a:8e:d4:60:e3:e0:23:30:08:00 SRC=37.161.119.20 DST=10.150.44.188 LEN=176 TOS=0x08 PREC=0x00 TTL=48 ID=61002 PROTO=UDP SPT=8567 DPT=23456 LEN=156 

So I tend to assume that router A (ZyWALL USG 100) is correctly configured to let the packets into the server's local network. To confirm this assumption I even tried replacing the ZyWALL with another consumer-grade router and moving the server to a different Internet connection, but the problem persisted, so I'm sure the problem is neither the firewall nor that specific network connection.

Here is the server network configuration, just in case:

auto lo
iface lo inet loopback

auto enp1s0
iface enp1s0 inet static
    address 10.150.44.188/24
    gateway 10.150.44.1

On top of that, using the same client, the same VDSL router (client side), the same Internet connection, a similar server configuration (obviously different keys and domain), and a similar firewall configuration (server side, different firewall model).

firewall nat wireguard zyxel
  • 2 answers
  • 48582 Views
Jakub
Asked: 2016-04-15 02:03:34 +0800 CST

ZyXEL NSA310S - latest ownCloud version that can run on it

  • 2

I own a small home NAS/server, a Zyxel NSA310S. Unfortunately, only version 5.0.8 is available in the official package repository. Last year I managed to install a 7.x version using the following method:

    (Connect to the NSA as root using telnet - you first need to enable 
    in the administrator's webpanel. Then you can run the commands.)
cd /usr/local/zy-pkgs/gui
wget http://download.owncloud.org/community/owncloud-latest.tar.bz2
tar xjvf owncloud-latest.tar.bz2
cp ownCloud/config/config.php owncloud/config/config.php
vi owncloud/config/config.php
    (To set 'version' to the correct value for the downloaded one.)
cd /usr/local/zy-pkgs/gui/owncloud/lib/private
chmod 660 config.php
cd /usr/local/zy-pkgs/gui
mv ownCloud oldCloud
    (Just to be safe, keeping the old original version at hand for now.)
mv owncloud ownCloud
    (Putting the new version in place of the old one. Now only thing needed 
    is to log in as the admin to the web interface and follow the instruction
    shown on screen - voila, new version installed and working.)

Unfortunately, this method doesn't work at all with the current version of ownCloud. I don't know what change broke this upgrade method, nor which version was the last one that worked.

Has anyone tried this on a Zyxel NSA? Or does anyone know which version of ownCloud works with this device?

I'm using the latest firmware version, 4.75.

network-attached-storage zyxel owncloud
  • 2 answers
  • 2113 Views
Thijs van Dien
Asked: 2012-05-20 03:17:21 +0800 CST

Is my VLAN 1 a security risk?

  • 1

First of all, I'm fairly new to VLANs. I have a ZyXEL GS-1524 switch and two networks that I want to keep separate, but they need to use the same router. The router is on port 22, ports 17 and 18 belong to the first network, and all other ports belong to the second network.

The problem is that my switch requires all ports to be on VLAN 1. Creating just VLAN 2 for the first network didn't seem enough, because the same ports belong to VLAN 1, and anything connected to a port that belongs to VLAN 1 would be able to reach it.

So I created two new VLANs: VLAN 2 for the first network and VLAN 3 for the second. I also changed the PVIDs so that anything untagged arriving on 17 or 18 is tagged as VLAN 2 and the rest as VLAN 3. That way, untagged traffic is forced to stay in the VLAN assigned via the PVID.

(Screenshot: VLAN ports)

Now, what if a connected device tags its packets? Tagged packets are not retagged. If a device that should be on VLAN 2 tags its packets as VLAN 3, I suppose there is no problem, because its port is not in VLAN 3. However, all ports are in VLAN 1; the switch gives me no choice. Does that mean all devices can reach each other as soon as one or both sides (not sure which) tag their packets as VLAN 1? That would be a security breach!

vlan switch zyxel
  • 2 answers
  • 1409 Views
Tuan Anh Hoang-Vu
Asked: 2010-04-18 01:12:31 +0800 CST

Zyxel P-320W: how to connect to my web server using the public IP

  • 1

My company's router is a Zyxel P-320W and I have a public static IP.
I registered several domain names and pointed them at this IP address.
I have set up virtual hosts and configured port forwarding to my internal server, and it works well. I can connect to all the domains from outside.

The problem is that I cannot connect to my domains from inside. One workaround is to modify the hosts file to add the internal IP for these domains, but my company has many computers and I don't want to set up all the PCs manually.

router domain-name-system port-forwarding zyxel
  • 2 answers
  • 1518 Views
