我已根据本教程在新的 debian 12 (VMWare ESXI 8.0U2) 上安装了 IKEv2 和 StrongSwan。
我没有:使用ufw配置防火墙(第6步),但我已经激活了内核转发
net/ipv4/ip_forward=1
我能够成功连接到机器,并且可以访问特定机器为我提供的、我正在连接的所有资源(例如 smb 共享、http 服务等)。
但是,我无法访问它之外的任何其他资源,也无法使用它通过 VPN 浏览互联网。
工作示例:
ifconfig
ens192: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.28 netmask 255.255.252.0 broadcast 192.168.3.255
inet6 fe80::250:56ff:fe00:6 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:00:00:06 txqueuelen 1000 (Ethernet)
RX packets 21493 bytes 3501400 (3.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 978 bytes 200862 (196.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Lokale Schleife)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
ipsec 状态全部
ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.8, Linux 6.1.0-17-amd64, x86_64):
uptime: 6 hours, since Feb 05 07:05:48 2024
malloc: sbrk 2437120, mmap 0, used 1700880, free 736240
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark forecast farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Virtual IP pools (size/online/offline):
10.10.10.0/22: 511/0/1
2a03:b0c0:2:d0::4b4:9001/64: 2068541438/0/1
Listening IP addresses:
192.168.1.28
Connections:
ikev2-vpn: %any...%any IKEv2, dpddelay=300s
ikev2-vpn: local: [my.fancy.domain.com] uses public key authentication
ikev2-vpn: cert: "CN=my.fancy.domain.com"
ikev2-vpn: remote: uses EAP_MSCHAPV2 authentication with EAP identity '%any'
ikev2-vpn: child: 0.0.0.0/0 === dynamic TUNNEL, dpdaction=none
Security Associations (0 up, 0 connecting):
none
ipsec.conf
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn ikev2-vpn
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
# server side (localhost)
left=%any
[email protected]
leftcert=server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
# client side (clients)
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.10.0/22,2a03:b0c0:2:d0::4b4:9001/64
rightdns=8.8.8.8,8.8.4.4
rightsendcert=never
eap_identity=%identity
ike=chacha20poly1305-sha512-curve25519-prfsha512,aes256gcm16-sha384-prfsha384-ecp384,aes256-sha1-modp1024,aes128-sha1-modp1024,3des-sha1-modp1024!
esp=chacha20poly1305-sha512,aes256gcm16-ecp384,aes256-sha256,aes256-sha1,3des-sha1!
我还需要做什么才能实现以下目标:
谢谢! :)
我用以下方法解决了这个问题:
iptables -t nat -A POSTROUTING -s 10.10.10.0/22 -o ens192 -j MASQUERADE
我目前无法检查我的 Windows 主机,但通过 StrongSwan 应用程序,我现在可以连接到互联网和内部资源。然而,它从手机提供商获取 IP,而不是从 VPN 主机获取 IP。