
Clients cannot connect to a StrongSwan IKEv2 VPN server when using modems

I have a StrongSwan VPN server running on an Ubuntu 18 machine. Everything is fine as long as clients connect using their mobile data. But when they try to connect through a modem (by cable or Wi-Fi), they end up getting connection errors.
Client log:

00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
00[DMN] Starting IKE service (strongSwan 5.8.2dr1, Android 9 - FIG-LA1 9.1.0.171(C185E6R1P5)/2020-01-01, FIG-LA1 - HUAWEI/FIG-LA1/HUAWEI, Linux 4.9.148, aarch64)
00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
00[JOB] spawning 16 worker threads
08[IKE] initiating IKE_SA android[5] to x.x.x.x
08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
08[NET] sending packet: from 192.168.2.2[38856] to x.x.x.x[500] (716 bytes)
10[NET] received packet: from x.x.x.x[500] to 192.168.2.2[38856] (270 bytes)
10[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
10[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
10[IKE] local host is behind NAT, sending keep alives
10[IKE] remote host is behind NAT
10[IKE] establishing CHILD_SA android{5}
10[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
10[NET] sending packet: from 192.168.2.2[55032] to x.x.x.x[4500] (432 bytes)
12[IKE] retransmit 1 of request with message ID 1
12[NET] sending packet: from 192.168.2.2[55032] to x.x.x.x[4500] (432 bytes)
13[IKE] retransmit 2 of request with message ID 1
13[NET] sending packet: from 192.168.2.2[55032] to x.x.x.x[4500] (432 bytes)
14[IKE] retransmit 3 of request with message ID 1
14[NET] sending packet: from 192.168.2.2[55032] to x.x.x.x[4500] (432 bytes)
01[IKE] giving up after 3 retransmits
01[IKE] establishing IKE_SA failed, peer not responding
08[IKE] unable to terminate IKE_SA: ID 5 not found

And the server log:

11[NET] received packet: from y.y.y.y[56945] to x.x.x.x[500] (716 bytes)
11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
11[IKE] y.y.y.y is initiating an IKE_SA
11[IKE] remote host is behind NAT
11[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
11[NET] sending packet: from x.x.x.x[500] to y.y.y.y[56945] (270 bytes)

where x.x.x.x is my server's public IP address and y.y.y.y is my client's modem IP.
As you can see, the client cannot get a response. I noticed that the client port (38856 or 55032 in this case) differs from the port the server responds to (56945). (Is this a NAT problem? Is it a problem at all?)
Another thing is that the client thinks the server is behind NAT, which it is not; I use a public IP address to connect to the server. However, the successful clients (those that connect using their mobile data) also think the server is behind NAT.

I don't want an answer that requires modifications on the client side, because my clients are normal people who are not familiar with advanced workarounds (such as port forwarding). (Nevertheless, it would be useful to read such answers.)

Update:
Log of a successful client connection:

Feb 19 13:21:59 00[DMN] +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Feb 19 13:21:59 00[DMN] Starting IKE service (strongSwan 5.8.2dr1, Android 9 - FIG-LA1 9.1.0.171(C185E6R1P5)/2020-01-01, FIG-LA1 - HUAWEI/FIG-LA1/HUAWEI, Linux 4.9.148, aarch64)
Feb 19 13:21:59 00[LIB] loaded plugins: androidbridge charon android-log openssl fips-prf random nonce pubkey chapoly curve25519 pkcs1 pkcs8 pem xcbc hmac socket-default revocation eap-identity eap-mschapv2 eap-md5 eap-gtc eap-tls x509
Feb 19 13:21:59 00[JOB] spawning 16 worker threads
Feb 19 13:21:59 07[IKE] initiating IKE_SA android[1] to x.x.x.x
Feb 19 13:21:59 07[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 13:21:59 07[NET] sending packet: from z.z.z.z[44087] to x.x.x.x[500] (716 bytes)
Feb 19 13:22:00 09[NET] received packet: from x.x.x.x[500] to z.z.z.z[44087] (270 bytes)
Feb 19 13:22:00 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 19 13:22:00 09[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA2_256_128/PRF_AES128_XCBC/ECP_256
Feb 19 13:22:00 09[IKE] local host is behind NAT, sending keep alives
Feb 19 13:22:00 09[IKE] remote host is behind NAT
Feb 19 13:22:00 09[IKE] establishing CHILD_SA android{1}
Feb 19 13:22:00 09[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 13:22:00 09[NET] sending packet: from z.z.z.z[46299] to x.x.x.x[4500] (432 bytes)
Feb 19 13:22:00 15[NET] received packet: from x.x.x.x[4500] to z.z.z.z[46299] (1236 bytes)
Feb 19 13:22:00 15[ENC] parsed IKE_AUTH response 1 [ EF(1/2) ]
Feb 19 13:22:00 15[ENC] received fragment #1 of 2, waiting for complete IKE message
Feb 19 13:22:00 12[NET] received packet: from x.x.x.x[4500] to z.z.z.z[46299] (788 bytes)
Feb 19 13:22:00 12[ENC] parsed IKE_AUTH response 1 [ EF(2/2) ]
Feb 19 13:22:00 12[ENC] received fragment #2 of 2, reassembled fragmented IKE message (1952 bytes)
Feb 19 13:22:00 12[ENC] parsed IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Feb 19 13:22:00 12[IKE] received end entity cert "CN=x.x.x.x"
Feb 19 13:22:00 12[CFG] no issuer certificate found for "CN=x.x.x.x"
Feb 19 13:22:00 12[CFG]   issuer is "CN=VPN root CA"
Feb 19 13:22:00 12[CFG]   using trusted certificate "CN=x.x.x.x"
Feb 19 13:22:00 12[IKE] authentication of 'x.x.x.x' with RSA_EMSA_PKCS1_SHA2_384 successful
Feb 19 13:22:00 12[IKE] server requested EAP_MSCHAPV2 authentication (id 0xB1)
Feb 19 13:22:00 12[ENC] generating IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Feb 19 13:22:00 12[NET] sending packet: from z.z.z.z[46299] to x.x.x.x[4500] (144 bytes)
Feb 19 13:22:00 16[NET] received packet: from x.x.x.x[4500] to z.z.z.z[46299] (144 bytes)
Feb 19 13:22:00 16[ENC] parsed IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Feb 19 13:22:00 16[IKE] EAP-MS-CHAPv2 succeeded: 'Welcome2strongSwan'
Feb 19 13:22:00 16[ENC] generating IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Feb 19 13:22:00 16[NET] sending packet: from z.z.z.z[46299] to x.x.x.x[4500] (80 bytes)
Feb 19 13:22:01 13[NET] received packet: from x.x.x.x[4500] to z.z.z.z[46299] (80 bytes)
Feb 19 13:22:01 13[ENC] parsed IKE_AUTH response 3 [ EAP/SUCC ]
Feb 19 13:22:01 13[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Feb 19 13:22:01 13[IKE] authentication of 'username' (myself) with EAP
Feb 19 13:22:01 13[ENC] generating IKE_AUTH request 4 [ AUTH ]
Feb 19 13:22:01 13[NET] sending packet: from z.z.z.z[46299] to x.x.x.x[4500] (96 bytes)
Feb 19 13:22:01 14[NET] received packet: from x.x.x.x[4500] to z.z.z.z[46299] (288 bytes)
Feb 19 13:22:01 14[ENC] parsed IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb 19 13:22:01 14[IKE] authentication of 'x.x.x.x' with EAP successful
Feb 19 13:22:01 14[IKE] IKE_SA android[1] established between z.z.z.z[username]...x.x.x.x[x.x.x.x]
Feb 19 13:22:01 14[IKE] scheduling rekeying in 35953s
Feb 19 13:22:01 14[IKE] maximum IKE_SA lifetime 36553s
Feb 19 13:22:01 14[IKE] installing DNS server 8.8.8.8
Feb 19 13:22:01 14[IKE] installing new virtual IP 10.10.10.2
Feb 19 13:22:01 14[IKE] CHILD_SA android{1} established with SPIs 8fdeb5a5_i c034c489_o and TS 10.10.10.2/32 === 0.0.0.0/0
Feb 19 13:22:01 14[DMN] setting up TUN device for CHILD_SA android{1}
Feb 19 13:22:01 14[DMN] successfully created TUN device
Feb 19 13:22:01 14[IKE] peer supports MOBIKE

Server log of the successful connection:

Feb 19 09:51:19 fsra charon: 11[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (80 bytes)
Feb 19 09:51:19 fsra charon: 11[ENC] parsed INFORMATIONAL request 5 [ D ]
Feb 19 09:51:19 fsra charon: 11[IKE] received DELETE for IKE_SA ikev2-vpn[155]
Feb 19 09:51:19 fsra charon: 11[IKE] deleting IKE_SA ikev2-vpn[155] between x.x.x.x[x.x.x.x]...y.y.y.y[username]
Feb 19 09:51:19 fsra charon: 11[IKE] IKE_SA deleted
Feb 19 09:51:19 fsra charon: 11[ENC] generating INFORMATIONAL response 5 [ ]
Feb 19 09:51:19 fsra charon: 11[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (80 bytes)
Feb 19 09:51:40 fsra charon: 05[NET] received packet: from y.y.y.y[44087] to x.x.x.x[500] (716 bytes)
Feb 19 09:51:40 fsra charon: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 09:51:40 fsra charon: 05[IKE] y.y.y.y is initiating an IKE_SA
Feb 19 09:51:40 fsra charon: 05[IKE] remote host is behind NAT
Feb 19 09:51:40 fsra charon: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 19 09:51:40 fsra charon: 05[NET] sending packet: from x.x.x.x[500] to y.y.y.y[44087] (270 bytes)
Feb 19 09:51:40 fsra charon: 13[NET] received packet: from y.y.y.y[46299] to x.x.x.x[4500] (432 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 15[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 09:51:40 fsra ipsec[9456]: 15[IKE] received retransmit of request with ID 0, retransmitting response
Feb 19 09:51:40 fsra ipsec[9456]: 15[NET] sending packet: from x.x.x.x[500] to y.y.y.y[59365] (270 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 12[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (432 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 12[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] EAP-Identity request configured, but not supported
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] initiating EAP_MSCHAPV2 method (id 0xA1)
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] peer supports MOBIKE
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] authentication of 'x.x.x.x' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Feb 19 09:51:40 fsra ipsec[9456]: 12[IKE] sending end entity cert "CN=x.x.x.x"
Feb 19 09:51:40 fsra ipsec[9456]: 12[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Feb 19 09:51:40 fsra ipsec[9456]: 12[ENC] splitting IKE message with length of 1952 bytes into 2 fragments
Feb 19 09:51:40 fsra ipsec[9456]: 12[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Feb 19 09:51:40 fsra ipsec[9456]: 12[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Feb 19 09:51:40 fsra ipsec[9456]: 12[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (1236 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 12[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (788 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 08[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (144 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 08[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Feb 19 09:51:40 fsra ipsec[9456]: 08[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Feb 19 09:51:40 fsra ipsec[9456]: 08[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (144 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 16[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (80 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 16[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Feb 19 09:51:40 fsra ipsec[9456]: 16[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Feb 19 09:51:40 fsra ipsec[9456]: 16[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Feb 19 09:51:40 fsra ipsec[9456]: 16[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (80 bytes)
Feb 19 09:51:40 fsra charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 09:51:40 fsra ipsec[9456]: 10[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (96 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 10[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] authentication of 'username' with EAP successful
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] authentication of 'x.x.x.x' (myself) with EAP
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] IKE_SA ikev2-vpn[155] established between x.x.x.x[x.x.x.x]...y.y.y.y[username]
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] peer requested virtual IP %any
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] assigning virtual IP 10.10.10.2 to peer 'username'
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] peer requested virtual IP %any6
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] no virtual IP found for %any6 requested by 'username'
Feb 19 09:51:40 fsra ipsec[9456]: 10[IKE] CHILD_SA ikev2-vpn{49} established with SPIs c79b0579_i daec5f8d_o and TS 0.0.0.0/0 === 10.10.10.2/32
Feb 19 09:51:40 fsra ipsec[9456]: 10[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb 19 09:51:40 fsra ipsec[9456]: 10[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (288 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 11[NET] received packet: from y.y.y.y[58609] to x.x.x.x[4500] (80 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 11[ENC] parsed INFORMATIONAL request 5 [ D ]
Feb 19 09:51:40 fsra ipsec[9456]: 11[IKE] received DELETE for IKE_SA ikev2-vpn[155]
Feb 19 09:51:40 fsra ipsec[9456]: 11[IKE] deleting IKE_SA ikev2-vpn[155] between x.x.x.x[x.x.x.x]...y.y.y.y[username]
Feb 19 09:51:40 fsra ipsec[9456]: 11[IKE] IKE_SA deleted
Feb 19 09:51:40 fsra ipsec[9456]: 11[ENC] generating INFORMATIONAL response 5 [ ]
Feb 19 09:51:40 fsra ipsec[9456]: 11[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[58609] (80 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 05[NET] received packet: from y.y.y.y[44087] to x.x.x.x[500] (716 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 05[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Feb 19 09:51:40 fsra ipsec[9456]: 05[IKE] y.y.y.y is initiating an IKE_SA
Feb 19 09:51:40 fsra ipsec[9456]: 05[IKE] remote host is behind NAT
Feb 19 09:51:40 fsra ipsec[9456]: 05[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(MULT_AUTH) ]
Feb 19 09:51:40 fsra ipsec[9456]: 05[NET] sending packet: from x.x.x.x[500] to y.y.y.y[44087] (270 bytes)
Feb 19 09:51:40 fsra ipsec[9456]: 13[NET] received packet: from y.y.y.y[46299] to x.x.x.x[4500] (432 bytes)
Feb 19 09:51:40 fsra charon: 13[IKE] EAP-Identity request configured, but not supported
Feb 19 09:51:40 fsra ipsec[9456]: 13[ENC] parsed IKE_AUTH request 1 [ IDi N(INIT_CONTACT) CPRQ(ADDR ADDR6 DNS DNS6) N(ESP_TFC_PAD_N) SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(MULT_AUTH) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Feb 19 09:51:40 fsra ipsec[9456]: 13[IKE] EAP-Identity request configured, but not supported
Feb 19 09:51:40 fsra ipsec[9456]: 13[IKE] initiating EAP_MSCHAPV2 method (id 0xB1)
Feb 19 09:51:40 fsra charon: 13[IKE] initiating EAP_MSCHAPV2 method (id 0xB1)
Feb 19 09:51:40 fsra charon: 13[IKE] received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
Feb 19 09:51:40 fsra charon: 13[IKE] peer supports MOBIKE
Feb 19 09:51:40 fsra charon: 13[IKE] authentication of 'x.x.x.x' (myself) with RSA_EMSA_PKCS1_SHA2_384 successful
Feb 19 09:51:40 fsra charon: 13[IKE] sending end entity cert "CN=x.x.x.x"
Feb 19 09:51:40 fsra charon: 13[ENC] generating IKE_AUTH response 1 [ IDr CERT AUTH EAP/REQ/MSCHAPV2 ]
Feb 19 09:51:40 fsra charon: 13[ENC] splitting IKE message with length of 1952 bytes into 2 fragments
Feb 19 09:51:40 fsra charon: 13[ENC] generating IKE_AUTH response 1 [ EF(1/2) ]
Feb 19 09:51:40 fsra charon: 13[ENC] generating IKE_AUTH response 1 [ EF(2/2) ]
Feb 19 09:51:40 fsra charon: 13[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[46299] (1236 bytes)
Feb 19 09:51:40 fsra charon: 13[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[46299] (788 bytes)
Feb 19 09:51:41 fsra charon: 09[NET] received packet: from y.y.y.y[46299] to x.x.x.x[4500] (144 bytes)
Feb 19 09:51:41 fsra charon: 09[ENC] parsed IKE_AUTH request 2 [ EAP/RES/MSCHAPV2 ]
Feb 19 09:51:41 fsra charon: 09[ENC] generating IKE_AUTH response 2 [ EAP/REQ/MSCHAPV2 ]
Feb 19 09:51:41 fsra charon: 09[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[46299] (144 bytes)
Feb 19 09:51:41 fsra charon: 03[NET] received packet: from y.y.y.y[46299] to x.x.x.x[4500] (80 bytes)
Feb 19 09:51:41 fsra charon: 03[ENC] parsed IKE_AUTH request 3 [ EAP/RES/MSCHAPV2 ]
Feb 19 09:51:41 fsra charon: 03[IKE] EAP method EAP_MSCHAPV2 succeeded, MSK established
Feb 19 09:51:41 fsra charon: 03[ENC] generating IKE_AUTH response 3 [ EAP/SUCC ]
Feb 19 09:51:41 fsra charon: 03[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[46299] (80 bytes)
Feb 19 09:51:41 fsra charon: 15[NET] received packet: from y.y.y.y[46299] to x.x.x.x[4500] (96 bytes)
Feb 19 09:51:41 fsra charon: 15[ENC] parsed IKE_AUTH request 4 [ AUTH ]
Feb 19 09:51:41 fsra charon: 15[IKE] authentication of 'username' with EAP successful
Feb 19 09:51:41 fsra charon: 15[IKE] authentication of 'x.x.x.x' (myself) with EAP
Feb 19 09:51:41 fsra charon: 15[IKE] IKE_SA ikev2-vpn[156] established between x.x.x.x[x.x.x.x]...y.y.y.y[username]
Feb 19 09:51:41 fsra charon: 15[IKE] peer requested virtual IP %any
Feb 19 09:51:41 fsra charon: 15[IKE] assigning virtual IP 10.10.10.2 to peer 'username'
Feb 19 09:51:41 fsra charon: 15[IKE] peer requested virtual IP %any6
Feb 19 09:51:41 fsra charon: 15[IKE] no virtual IP found for %any6 requested by 'username'
Feb 19 09:51:41 fsra charon: 15[IKE] CHILD_SA ikev2-vpn{50} established with SPIs c034c489_i 8fdeb5a5_o and TS 0.0.0.0/0 === 10.10.10.2/32
Feb 19 09:51:41 fsra charon: 15[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) N(ADD_4_ADDR) ]
Feb 19 09:51:41 fsra charon: 15[NET] sending packet: from x.x.x.x[4500] to y.y.y.y[46299] (288 bytes)

where x.x.x.x is my server's public IP address, y.y.y.y is my client's mobile IP address, and z.z.z.z is some IP from Sudan (a country in Africa); I don't know why it is there. (The phone shows up as z.z.z.z in its own log (some far-away IP), but the actual IP is y.y.y.y.)
However, it seems the server has no problem connecting to the client, and, as mentioned above, both sides think the other side is behind NAT. (I have two different time zones for my client and server, so the log times don't match.)
Another notable thing in the logs: ports 46299 and 44087 appear on both sides. (It seems they were opened on the client device bound to z.z.z.z, and the server exchanges data with those ports on the y.y.y.y IP.) (I may be wrong to pay attention to these details, because of my lack of knowledge of how the StrongSwan system works.)
It may be useful for you to know that if I use a mobile hotspot to connect to a client that can connect to the VPN, I can still connect to the VPN on my new client device.

Update:
So I set charon.fragment_size in strongswan.conf to zero (as recommended in the documentation) and to 1360 together with this setting:

iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

(I also tested 1400, according to this), but it is all the same: mobile data clients can connect, and modem users cannot.
I also tried changing the mtu and mss values using the plugins section in strongswan.conf:

kernel-netlink
{
    mss = 1140; #I tried the numbers above too
    mtu = 1280; #I tried the numbers above too
}
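Added example, not code from the question or from strongSwan: a small Python script that parses the charon "[NET]" lines of either log above and reports, per IKE port, whether the IKE_SA_INIT exchange on UDP/500 was answered and whether any IKE_AUTH traffic on the NAT-T port UDP/4500 ever got a reply, which is exactly what separates the failing logs from the successful ones. The sample lines are constructed (abbreviated) from the failing logs in the question; the function names are my own.

```python
import re
from collections import Counter

# One charon "[NET]" line; works for the bare Android log and for the
# syslog-prefixed server log ("Feb 19 09:51:40 fsra charon: 11[NET] ...").
NET_RE = re.compile(
    r"\[NET\] (?P<dir>sending|received) packet: "
    r"from [^\s\[]+\[(?P<sport>\d+)\] to [^\s\[]+\[(?P<dport>\d+)\]"
)
# Initiator-side retransmit lines ("retransmit 1 of request with message ID 1");
# the responder's "received retransmit of request" line is deliberately not counted.
RETRANSMIT_RE = re.compile(r"\[IKE\] retransmit \d+ of request")
IKE_PORTS = (500, 4500)


def summarise(lines):
    """Count packets sent/received per IKE port (500 or 4500) plus retransmits.

    The port is taken from whichever end of the line is 500 or 4500, so the same
    function works for an initiator (client) log, where that is the remote port,
    and for a responder (server) log, where it is the local port.
    """
    sent, recv = Counter(), Counter()
    retransmits = 0
    for line in lines:
        if RETRANSMIT_RE.search(line):
            retransmits += 1
            continue
        m = NET_RE.search(line)
        if not m:
            continue
        ports = (int(m["sport"]), int(m["dport"]))
        ike_port = next((p for p in ports if p in IKE_PORTS), None)
        if ike_port is None:
            continue  # not IKE traffic
        (sent if m["dir"] == "sending" else recv)[ike_port] += 1
    return {"sent": dict(sent), "recv": dict(recv), "retransmits": retransmits}


def diagnose(summary):
    """Classify a summary into the NAT-T failure patterns visible in these logs."""
    s, r = summary["sent"], summary["recv"]
    if s.get(500, 0) and not r.get(500, 0):
        return "udp500_no_reply"      # IKE_SA_INIT itself is unanswered
    if s.get(4500, 0) and not r.get(4500, 0):
        return "udp4500_no_reply"     # INIT worked, IKE_AUTH on the NAT-T port is lost
    if not s.get(4500, 0) and not r.get(4500, 0):
        return "udp4500_never_seen"   # this side never saw any UDP/4500 traffic
    return "ok"


# Constructed sample, abbreviated from the failing client log in the question.
FAILING_CLIENT_LOG = """\
08[NET] sending packet: from 192.168.2.2[38856] to x.x.x.x[500] (716 bytes)
10[NET] received packet: from x.x.x.x[500] to 192.168.2.2[38856] (270 bytes)
10[NET] sending packet: from 192.168.2.2[55032] to x.x.x.x[4500] (432 bytes)
12[IKE] retransmit 1 of request with message ID 1
12[NET] sending packet: from 192.168.2.2[55032] to x.x.x.x[4500] (432 bytes)
01[IKE] giving up after 3 retransmits
""".splitlines()

# Constructed sample, abbreviated from the failing server log in the question.
FAILING_SERVER_LOG = """\
11[NET] received packet: from y.y.y.y[56945] to x.x.x.x[500] (716 bytes)
11[NET] sending packet: from x.x.x.x[500] to y.y.y.y[56945] (270 bytes)
""".splitlines()
```

Run `diagnose(summarise(lines))` on each side's log: the client side reports udp4500_no_reply while the server side reports udp4500_never_seen, which says the IKE_AUTH request is lost before it reaches the server rather than the server's response being dropped on the way back.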