openwrt的gre穿透

参考:http://www.openwrt.org.cn/bbs/forum.php?mod=viewthread&tid=1456

最近在另外一台机器上开了一个pptp的VPN,于是重操旧业,折腾起pptp来。
但是有个很蛋疼得问题是,电脑不知为何连不上。同时,iPod使用同一个路由,但是iPod却能连上。

于是研究了半天,后来才知道这个。

后来是用tcpdump在路由上抓包,才发现了这个问题。
顺便贴上以下记录

从wan抓到的包

11:04:10.898392 IP 10.1.12.41.1723 > 10.1.145.203.50116: Flags [S.], seq 450513921, ack 3307070933, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
11:04:10.900618 IP 10.1.12.41.1723 > 10.1.145.203.50116: Flags [.], ack 157, win 3456, length 0
11:04:10.907780 IP 10.1.12.41.1723 > 10.1.145.203.50116: Flags [P.], seq 1:157, ack 157, win 3456, length 156: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP() BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) HOSTNAME(local) VENDOR(linux)
11:04:10.911337 IP 10.1.12.41.1723 > 10.1.145.203.50116: Flags [P.], seq 157:189, ack 325, win 3992, length 32: pptp CTRL_MSGTYPE=OCRP CALL_ID(6016) PEER_CALL_ID(52009) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(100000000) RECV_WIN(64) PROC_DELAY(0) PHY_CHAN_ID(0)
11:04:10.936723 IP 10.1.12.41 > 10.1.145.203: GREv1, call 52009, seq 0, length 37: LCP, Conf-Request (0x01), id 1, length 23
11:04:10.955328 IP 10.1.12.41.1723 > 10.1.145.203.50116: Flags [.], ack 349, win 3992, length 0
11:04:13.956479 IP 10.1.12.41 > 10.1.145.203: GREv1, call 52009, seq 1, length 37: LCP, Conf-Request (0x01), id 1, length 23
11:04:16.963507 IP 10.1.12.41 > 10.1.145.203: GREv1, call 52009, seq 2, length 37: LCP, Conf-Request (0x01), id 1, length 23
11:04:19.972620 IP 10.1.12.41 > 10.1.145.203: GREv1, call 52009, seq 3, length 37: LCP, Conf-Request (0x01), id 1, length 23
11:04:22.982073 IP 10.1.12.41 > 10.1.145.203: GREv1, call 52009, seq 4, length 37: LCP, Conf-Request (0x01), id 1, length 23
11:04:25.990972 IP 10.1.12.41 > 10.1.145.203: GREv1, call 52009, seq 5, length 37: LCP, Conf-Request (0x01), id 1, length 23
11:04:27.115016 IP 10.1.12.41.1723 > 10.1.145.203.50116: Flags [.], ack 373, win 3992, length 0
11:04:28.999748 IP 10.1.12.41 > 10.1.145.203: GREv1, call 52009, seq 6, length 37: LCP, Conf-Request (0x01), id 1, length 23
11:04:32.009025 IP 10.1.12.41 > 10.1.145.203: GREv1, call 52009, seq 7, length 37: LCP, Conf-Request (0x01), id 1, length 23
11:04:34.947339 IP 10.1.12.41.1723 > 10.1.145.203.50116: Flags [.], ack 389, win 3992, length 0
11:04:34.947441 IP 10.1.12.41.1723 > 10.1.145.203.50116: Flags [F.], seq 189, ack 389, win 3992, length 0
11:04:35.950801 IP 10.1.12.41.1723 > 10.1.145.203.50116: Flags [.], ack 390, win 3992, length 0

从lan抓到的包

11:08:17.425044 IP 10.1.14.156.1723 > 192.168.11.9.50131: Flags [S.], seq 1960838183, ack 194080576, win 5840, options [mss 1460,nop,nop,sackOK,nop,wscale 1], length 0
11:08:17.426306 IP 10.1.14.156.1723 > 192.168.11.9.50131: Flags [.], ack 157, win 2920, length 0
11:08:17.437070 IP 10.1.14.156.1723 > 192.168.11.9.50131: Flags [P.], seq 1:157, ack 157, win 2920, length 156: pptp CTRL_MSGTYPE=SCCRP PROTO_VER(1.0) RESULT_CODE(1) ERR_CODE(0) FRAME_CAP() BEARER_CAP() MAX_CHAN(1) FIRM_REV(1) HOSTNAME(local) VENDOR(linux)
11:08:17.444973 IP 10.1.14.156.1723 > 192.168.11.9.50131: Flags [P.], seq 157:189, ack 325, win 3456, length 32: pptp CTRL_MSGTYPE=OCRP CALL_ID(1408)PEER_CALL_ID(22594) RESULT_CODE(1) ERR_CODE(0) CAUSE_CODE(0) CONN_SPEED(100000000) RECV_WIN(64) PROC_DELAY(0) PHY_CHAN_ID(0)
11:08:17.488828 IP 10.1.14.156.1723 > 192.168.11.9.50131: Flags [.], ack 349, win 3456, length 0
11:08:17.494178 IP 10.1.14.156.1723 > 192.168.11.9.50131: Flags [.], ack 373, win 3456, length 0
11:08:41.767662 IP 10.1.14.156.1723 > 192.168.11.9.50131: Flags [.], ack 397, win 3456, length 0
11:08:41.880301 IP 10.1.14.156.1723 > 192.168.11.9.50131: Flags [.], ack 413, win 3456, length 0
11:08:41.882110 IP 10.1.14.156.1723 > 192.168.11.9.50131: Flags [F.], seq 189, ack 413, win 3456, length 0
11:08:42.871931 IP 10.1.14.156.1723 > 192.168.11.9.50131: Flags [.], ack 414, win 3456, length 0

发现有gre的包到了路由那里就没有转发过来了。于是上网查了一下:

解决办法是安装 kmod-gre kmod-ipt-conntrack-extra kmod-ipt-nat-extra iptables-mod-conntrack-extra
然后在防火墙中启用gre的转发

在iptables中打开gre的转发

在iptables中打开gre的转发

之后就能连上了。

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注