I have this topology:
I want to establish a VPN connection from a client in the 192.xxx subnet to my OpenVPN server, but I keep getting messages like this:
Mon Mar 10 16:24:00 2014 Initialization Sequence Completed
Mon Mar 10 16:26:00 2014 [OpenVPNServerTEST] Inactivity timeout (--ping-restart), restarting
Mon Mar 10 16:26:00 2014 TCP/UDP: Closing socket
Mon Mar 10 16:26:00 2014 SIGUSR1[soft,ping-restart] received, process restarting
Mon Mar 10 16:26:00 2014 Restart pause, 2 second(s)
Mon Mar 10 16:26:02 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Mar 10 16:26:02 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Mar 10 16:26:02 2014 Re-using SSL/TLS context
Mon Mar 10 16:26:02 2014 LZO compression initialized
Mon Mar 10 16:26:02 2014 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Mar 10 16:26:02 2014 Socket Buffers: R=[229376->131072] S=[229376->131072]
Mon Mar 10 16:26:02 2014 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Mar 10 16:26:02 2014 Local Options hash (VER=V4): '9e7066d2'
Mon Mar 10 16:26:02 2014 Expected Remote Options hash (VER=V4): '162b04de'
Mon Mar 10 16:26:02 2014 UDPv4 link local: [undef]
Mon Mar 10 16:26:02 2014 UDPv4 link remote: [AF_INET]172.16.1.111:1194
Mon Mar 10 16:27:02 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Mon Mar 10 16:27:02 2014 TLS Error: TLS handshake failed
Mon Mar 10 16:27:02 2014 TCP/UDP: Closing socket
Mon Mar 10 16:27:02 2014 SIGUSR1[soft,tls-error] received, process restarting
Mon Mar 10 16:27:02 2014 Restart pause, 2 second(s)
Mon Mar 10 16:27:04 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Mon Mar 10 16:27:04 2014 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Mon Mar 10 16:27:04 2014 Re-using SSL/TLS context
Mon Mar 10 16:27:04 2014 LZO compression initialized
Mon Mar 10 16:27:04 2014 Control Channel MTU parms [ L:1558 D:166 EF:66 EB:0 ET:0 EL:0 ]
Mon Mar 10 16:27:04 2014 Socket Buffers: R=[229376->131072] S=[229376->131072]
Mon Mar 10 16:27:04 2014 Data Channel MTU parms [ L:1558 D:1450 EF:58 EB:135 ET:0 EL:0 AF:3/1 ]
Mon Mar 10 16:27:04 2014 Local Options hash (VER=V4): '9e7066d2'
Mon Mar 10 16:27:04 2014 Expected Remote Options hash (VER=V4): '162b04de'
Mon Mar 10 16:27:04 2014 UDPv4 link local: [undef]
Mon Mar 10 16:27:04 2014 UDPv4 link remote: [AF_INET]172.16.1.111:1194
^C (CTRL+C)
Mon Mar 10 16:27:20 2014 event_wait : Interrupted system call (code=4)
Mon Mar 10 16:27:20 2014 TCP/UDP: Closing socket
Mon Mar 10 16:27:20 2014 /sbin/route del -net 10.8.0.1 netmask 255.255.255.255
Mon Mar 10 16:27:20 2014 /sbin/route del -net 172.16.1.0 netmask 255.255.255.0
Mon Mar 10 16:27:20 2014 /sbin/route del -net 172.16.254.0 netmask 255.255.255.0
Mon Mar 10 16:27:20 2014 Closing TUN/TAP interface
Mon Mar 10 16:27:20 2014 /sbin/ifconfig tun0 0.0.0.0
My clients (all of them) are Xubuntu 13.10 with these iptables rules:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere state NEW udp dpt:openvpn
ACCEPT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
- My client from subnet 192.xxx is client3 - it cannot connect to the VPN server.
- The clients from subnet 172.xxx are client1 and client2 - they connect to the OpenVPN server without any problems.
- My router is a JSRX 210 H with an out-of-the-box configuration - without the VPN, client3 (192.xxx) can ping client1, client2 and the server in subnet 172.xxx (everyone can ping everyone without the VPN = full connectivity).
My client3 (192.xxx) configuration file:
client
dev tun0
proto udp
remote 172.16.1.111 1194
resolv-retry infinite
nobind
# Downgrade privileges after initialization (non-Windows only)
;user nobody
;group nobody
persist-key
persist-tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/client3test.crt
key /etc/openvpn/client3test.key
tls-auth /etc/openvpn/ta.key 1
cipher AES-256-CBC
keepalive 10 120
comp-lzo
verb 3
The configuration files of client1 and client2 are the same (except for the tun device: client1 uses tun0, client2 uses tun1), and each of my clients uses its own key and certificate.
My server configuration file:
port 1194
proto udp
dev tun0
ca ca.crt
cert OpenVPNServerTEST.crt
key OpenVPNServerTEST.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 172.16.254.0 255.255.255.0"
push "route 172.16.1.0 255.255.255.0"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC # AES
comp-lzo
;user nobody
;group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
log-append openvpn.log
verb 3
JSRX configuration file: http://pastie.org/private/gcnclsztzwnbglzvcalhla
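As an added triage helper (not part of the original question, and not OpenVPN's own tooling), the script below reads client log lines of the kind shown above and the client config, and reports the two findings that matter here: the "TLS key negotiation failed" restart loop, which means no handshake reply ever reached client3 and points at routing or filtering between the subnets rather than at the certificates, and the WARNING line, which reflects that the client config has no `remote-cert-tls server` directive. The regexes assume the OpenVPN 2.x log wording shown on the page; the sample log is constructed from the question's lines.

```python
import re
from collections import Counter

# Patterns for the log lines seen in the question (assumed OpenVPN 2.x wording).
TLS_TIMEOUT = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")
RESTART = re.compile(r"SIGUSR1\[soft,([a-z-]+)\] received")
REMOTE = re.compile(r"UDPv4 link remote: \[AF_INET\](\S+)")
NO_VERIFY = "No server certificate verification method has been enabled"

def triage_client_log(lines):
    """Summarise an OpenVPN client log into a dict of findings."""
    restarts, remotes, tls_timeouts, no_verify = Counter(), set(), 0, 0
    for line in lines:
        if TLS_TIMEOUT.search(line):
            tls_timeouts += 1
        if m := RESTART.search(line):
            restarts[m.group(1)] += 1
        if m := REMOTE.search(line):
            remotes.add(m.group(1))
        if NO_VERIFY in line:
            no_verify += 1
    return {
        "tls_timeouts": tls_timeouts,
        "restarts": dict(restarts),
        "remotes": sorted(remotes),
        # tls-error restart after a negotiation timeout: no handshake reply came
        # back, so check routing/firewalling to the server before the certs.
        "handshake_never_reached": tls_timeouts > 0 and "tls-error" in restarts,
        # WARNING line: client does not pin the peer's server role, so any
        # certificate issued by the same CA could impersonate the server.
        "server_cert_unverified": no_verify > 0,
    }

def check_client_config(config_text):
    """True if the client config enables server certificate role checking."""
    for line in config_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("#", ";")):  # OpenVPN comment lines
            continue
        if stripped in ("remote-cert-tls server", "ns-cert-type server"):
            return True
    return False

# Constructed sample: lines abridged from the client log in the question.
SAMPLE_LOG = [
    "Mon Mar 10 16:26:00 2014 SIGUSR1[soft,ping-restart] received, process restarting",
    "Mon Mar 10 16:26:02 2014 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.",
    "Mon Mar 10 16:26:02 2014 UDPv4 link remote: [AF_INET]172.16.1.111:1194",
    "Mon Mar 10 16:27:02 2014 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
    "Mon Mar 10 16:27:02 2014 SIGUSR1[soft,tls-error] received, process restarting",
]
```

Run `triage_client_log(SAMPLE_LOG)` against a full client log to see which loop the client is in; the config check is what the WARNING asks you to add.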