
Comments (23)

bigbigking commented on May 21, 2024 (18)

I've solved this problem; it really was an iptables error.
[The IP addresses below are for reference only]
An AWS VPS normally has two network interfaces, lo and eth0: lo is the loopback interface 127.0.0.1, and eth0 has the private address 172.16.8.3.
AWS also has Elastic IPs. Suppose the Elastic IP I was allocated is 52.195.41.80. Binding the Elastic IP to the VPS is really NAT done on the edge device; that address is not configured on the VPS itself. So at this step:

是否使用SNAT规则(可选).使用前请确保服务器具有不变的静态公网ip,可提升防火墙对数据包的处理速度.默认为不使用.
[roughly: "Use SNAT rules? (optional). Make sure the server has a fixed static public IP before enabling; it speeds up the firewall's packet handling. Default: no."]

because I have a fixed IP I chose yes, and the default was then the public IP rather than the 172 private address, so what got written into iptables became:
-A POSTROUTING -s 10.31.1.0/24 -o eth0 -j SNAT --to-source 52.195.41.80
Here --to-source 52.195.41.80 is wrong (no error is reported, of course), because traffic cannot be translated to that address.
The fix is to change that address to the VPS's eth0 address, like this:
-A POSTROUTING -s 10.31.1.0/24 -o eth0 -j SNAT --to-source 172.16.8.3

from one-key-ikev2-vpn.

cwhstcnn commented on May 21, 2024 (4)

It works fine over the mobile network; my home Wi-Fi is on China Telecom, so I guess the ISP is blocking IPsec.

quericy commented on May 21, 2024 (1)

The script has been updated and passes testing on Amazon EC2. When enabling SNAT during installation, just follow @KinonC's approach.

quericy commented on May 21, 2024

Please provide more detailed information, thanks (e.g. client and server type, version, etc.)

cwhstcnn commented on May 21, 2024

Client: iOS 9.3 and macOS 10.11 both have the same problem
Server: BandwagonHost OpenVZ CentOS 6

cwhstcnn commented on May 21, 2024

Which VPS provider does the OP use?

jiayx commented on May 21, 2024

I hit the same problem.
Neither connection type works (IKEv2, IPsec): iOS 9.3.2 cannot access the internet over either Wi-Fi or the mobile network.
I'm using an Alibaba Cloud US host, KVM.

TongxiJi commented on May 21, 2024

Same here, and in my case it's odd: a directly connected machine works, but after relaying through NAT this situation appears.

kehao95 commented on May 21, 2024

Same problem: it works on DigitalOcean but not on Amazon EC2. All ports are open and IP forwarding is enabled.
It shouldn't be an ISP issue; I tested from the US.

bigbigking commented on May 21, 2024

I ran into this problem too.
Server: AWS EC2 host, Debian 8.3
Clients: iOS 9.3.2, Mac OS X 10.11.5, Android 5.1.1
None of them work: all can connect to the VPN but cannot access the network, whether Google or Baidu.
I suspect it's a NAT or iptables problem.

Also, how do I view the IPsec connection logs?

quericy commented on May 21, 2024

@KinonC Thanks for the reply~~
When adding SNAT I indeed didn't think it through and didn't anticipate this AWS situation.
I will change the script so that the default IP becomes a configurable IP option, with a corresponding prompt.

Also: for security reasons I'd suggest not exposing your server's full IP here.

bigbigking commented on May 21, 2024

@quericy My IP is already hidden; the one above is modified, it isn't mine. Writing it this way is easier to understand, heh.

chongjizuan commented on May 21, 2024

Hello OP, after installing with your one-click script on BandwagonHost, I can connect normally but cannot access the internet.
Client: iOS 9.3
Server: BandwagonHost OpenVZ CentOS 6devel
Currently I cannot access the internet over Wi-Fi, but if I switch to mobile data it works normally.
So I don't know whether it's a Wi-Fi problem, an ISP problem, or a configuration problem somewhere.

hxchen commented on May 21, 2024

@KinonC I'm also using EC2, but on Ubuntu 14. After setting it up, the phone can connect to the VPN over cellular, but not over Wi-Fi. Did you not hit this problem?

hxchen commented on May 21, 2024

@chongjizuan Has your problem been solved? Same problem here, +1

qwm commented on May 21, 2024

@quericy I have the same problem; please help take a look
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT esp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT tcp -- anywhere anywhere tcp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
ACCEPT udp -- anywhere anywhere udp dpt:l2tp
ACCEPT tcp -- anywhere anywhere tcp dpt:pptp
ACCEPT esp -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT tcp -- anywhere anywhere tcp dpt:isakmp
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
ACCEPT udp -- anywhere anywhere udp dpt:l2tp
ACCEPT tcp -- anywhere anywhere tcp dpt:pptp

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.31.0.0/24 anywhere
ACCEPT all -- 10.31.1.0/24 anywhere
ACCEPT all -- 10.31.2.0/24 anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 10.31.0.0/24 anywhere
ACCEPT all -- 10.31.1.0/24 anywhere
ACCEPT all -- 10.31.2.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target prot opt source destination


ipsec0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1400 Metric:1
RX packets:56 errors:0 dropped:0 overruns:0 frame:0
TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:500
RX bytes:5293 (5.1 KiB) TX bytes:5783 (5.6 KiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
inet6 addr: 2602:ff62:104:5aa::/128 Scope:Global
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:1425 errors:0 dropped:0 overruns:0 frame:0
TX packets:607 errors:0 dropped:2 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:172845 (168.7 KiB) TX bytes:90478 (88.3 KiB)

venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:161.215.102.66 P-t-P:161.215.102.66 Bcast:161.215.102.66 Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1

hellowords commented on May 21, 2024

It's a network-interface selection issue.
If you don't know the interface, check with the ifconfig command, see whether the first one is eth0 or something else, and enter the matching one during installation.

bberhao commented on May 21, 2024

Set it up successfully on Google Cloud

fa11ing1eaf commented on May 21, 2024

I want to set up an IKEv2 VPN on my company's internal network and route out through the company's NAT router; is that possible? I tried it and found the root certificate import failed; the generated certificates are all wrong.

coyzhu commented on May 21, 2024

@fa11ing1eaf No problem. Amazon EC2 machines all have internal addresses; binding a public address means they are NAT'd out. So install the way you would for Amazon EC2, enable SNAT, and point it at your internal address.
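An added example (not from the one-key-ikev2-vpn script) illustrating the point in bigbigking's first comment and coyzhu's reply: before writing the SNAT rule, check that the --to-source address is actually configured on the outbound interface, because an AWS Elastic IP is NAT'd at the edge and never appears on eth0. The interface addresses are a constructed sample of `ip -4 -o addr show` output using the thread's placeholder addresses; the function names are mine.

```shell
#!/bin/sh
# Validate a proposed SNAT source address against the addresses actually
# assigned to the outbound interface, then emit the POSTROUTING rule.
# An Elastic IP (52.195.41.80 here) is rejected; the eth0 private address
# (172.16.8.3) is accepted.

# Constructed sample of `ip -4 -o addr show` on an EC2-style host.
# On a real host replace it with: SAMPLE_ADDRS=$(ip -4 -o addr show)
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 172.16.8.3/20 brd 172.16.15.255 scope global eth0\       valid_lft forever preferred_lft forever'

# addr_on_iface IFACE ADDR ADDR_LIST
# Exit 0 if ADDR is one of the IPv4 addresses configured on IFACE.
addr_on_iface() {
    iface=$1; addr=$2; list=$3
    printf '%s\n' "$list" | awk -v i="$iface" -v a="$addr" '
        # fields: "2:" "eth0" "inet" "172.16.8.3/20" ...
        $2 == i && $3 == "inet" { split($4, p, "/"); if (p[1] == a) found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# snat_rule VPN_SUBNET IFACE ADDR ADDR_LIST
# Print the iptables nat rule, or fail if ADDR is not local to IFACE
# (the AWS Elastic IP case: the rule loads without error but cannot work).
snat_rule() {
    subnet=$1; iface=$2; addr=$3; list=$4
    if ! addr_on_iface "$iface" "$addr" "$list"; then
        echo "refusing: $addr is not configured on $iface (Elastic IP? use the interface's private address)" >&2
        return 1
    fi
    printf '%s\n' "-A POSTROUTING -s $subnet -o $iface -j SNAT --to-source $addr"
}
```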

HelloWorldWinning commented on May 21, 2024

I'm on ** Telecom, and ** Telecom outright blocks IPsec. Using ** Telecom's 4G mobile network works.

ChrisChirs commented on May 21, 2024

I ran into this problem too.
Server: AWS EC2 host, Debian 8.3
Clients: iOS 9.3.2, Mac OS X 10.11.5, Android 5.1.1
None of them work: all can connect to the VPN but cannot access the network, whether Google or Baidu.
I suspect it's a NAT or iptables problem.

Also, how do I view the IPsec connection logs?

Your problem is strange; my IPsec can access the internet, but after connecting over IKEv2 it cannot.

lijc210 commented on May 21, 2024

To summarize my case: CentOS 6, at step 5 I chose not to use SNAT rules, and at step 6 I chose no; this configures iptables, and then access works normally.
