V2EX = way to explore
V2EX 是一个关于分享和探索的地方
现在注册
已注册用户请  登录
V2EX 提问指南
tyhunter
V2EX  ›  问与答

Cisco Anyconnect 连接后只能打开 Google,其他网站都打不开

  •  
  •   tyhunter · 2016-03-12 15:39:52 +08:00 · 7499 次点击
    这是一个创建于 3208 天前的主题,其中的信息可能已经有所发展或是发生改变。
    服务端默认 DNS 设置是 8.8.8.8 和 8.8.4.4
    但是只能打开 GOOGLE ,其他网站都打不开,我试着 ping 了下发现无法解析,是 DNS 的问题
    我把地址改成中华电信的 168.95.1.1 ,依旧是只能打开 GOOGLE
    求教下 V 友,这是什么情况?
    11 条回复    2020-10-10 15:51:42 +08:00
    Vicer
        1
    Vicer  
       2016-03-12 17:38:30 +08:00 via iPhone   ❤️ 1
    改 DNS ,主 DNS 改成 opendns 就可以了。。。
    webdev
        2
    webdev  
       2016-03-13 17:15:38 +08:00 via iPhone   ❤️ 1
    DNS 的问题 换个
    tyhunter
        3
    tyhunter  
    OP
       2016-03-13 17:42:03 +08:00
    @Vicer
    @webdev
    改成了 OPENDNS 还是不行
    # Network settings
    #

    # The name to use for the tun device
    device = vpns

    # Whether the generated IPs will be predictable, i.e., IP stays the
    # same for the same user when possible.
    predictable-ips = true

    # The default domain to be advertised
    default-domain = 163.44.150.201

    # The pool of addresses that leases will be given from. If the leases
    # are given via Radius, or via the explicit-ip? per-user config option then
    # these network values should contain a network with at least a single
    # address that will remain under the full control of ocserv (that is
    # to be able to assign the local part of the tun device address).
    ipv4-network = 192.168.1.0
    ipv4-netmask = 255.255.255.0

    # An alternative way of specifying the network:
    #ipv4-network = 192.168.1.0/24

    # The IPv6 subnet that leases will be given from.
    #ipv6-network = fda9:4efe:7e3b:03ea::/64

    # Specify the size of the network to provide to clients. It is
    # generally recommended to provide clients with a /64 network in
    # IPv6, but any subnet may be specified. To provide clients only
    # with a single IP use the prefix 128.
    #ipv6-subnet-prefix = 128
    #ipv6-subnet-prefix = 64

    # Whether to tunnel all DNS queries via the VPN. This is the default
    # when a default route is set.
    tunnel-all-dns = true

    # The advertized DNS server. Use multiple lines for
    # multiple servers.
    # dns = fc00::4be0
    dns = 208.67.222.222

    # The NBNS server (if any)
    #nbns = 192.168.1.3

    # The domains over which the provided DNS should be used. Use
    # multiple lines for multiple domains.
    #split-dns = example.com

    # Prior to leasing any IP from the pool ping it to verify that
    # it is not in use by another (unrelated to this server) host.
    # Only set to true, if there can be occupied addresses in the
    # IP range for leases.
    ping-leases = false

    # Use this option to enforce an MTU value to the incoming
    # connections. Unset to use the default MTU of the TUN device.
    #mtu = 1420

    # Unset to enable bandwidth restrictions (in bytes/sec). The
    # setting here is global, but can also be set per user or per group.
    #rx-data-per-sec = 40000
    #tx-data-per-sec = 40000

    # The number of packets (of MTU size) that are available in
    # the output buffer. The default is low to improve latency.
    # Setting it higher will improve throughput.
    #output-buffer = 23000

    # Routes to be forwarded to the client. If you need the
    # client to forward routes to the server, you may use the
    # config-per-user/group or even connect and disconnect scripts.
    #
    # To set the server as the default gateway for the client just
    # comment out all routes from the server, or use the special keyword
    # 'default'.

    #route = 10.10.10.0/255.255.255.0
    #route = 192.168.1.0/255.255.0.0
    #route = fef4:db8:1000:1001::/64
    #route = default

    # Subsets of the routes above that will not be routed by
    # the server.

    #no-route = 192.168.5.0/255.255.255.0

    # Note the that following two firewalling options currently are available
    # in Linux systems with iptables software.

    # If set, the script /usr/bin/ocserv-fw will be called to restrict
    # the user to its allowed routes and prevent him from accessing
    # any other routes. In case of defaultroute, the no-routes are restricted.
    # All the routes applied by ocserv can be reverted using /usr/bin/ocserv-fw
    # --removeall. This option can be set globally or in the per-user configuration.
    #restrict-user-to-routes = true

    # This option implies restrict-user-to-routes set to true. If set, the
    # script /usr/bin/ocserv-fw will be called to restrict the user to
    # access specific ports in the network. This option can be set globally
    # or in the per-user configuration.
    #restrict-user-to-ports = "tcp(443), tcp(80), udp(443), sctp(99), tcp(583), icmp(), icmpv6()"

    # You could also use negation, i.e., block the user from accessing these ports only.
    #restrict-user-to-ports = "!(tcp(443), tcp(80))"

    # When set to true, all client's iroutes are made visible to all
    # connecting clients except for the ones offering them. This option
    # only makes sense if config-per-user is set.
    #expose-iroutes = true

    # Groups that a client is allowed to select from.
    # A client may belong in multiple groups, and in certain use-cases
    # it is needed to switch between them. For these cases the client can
    # select prior to authentication. Add multiple entries for multiple groups.
    # The group may be followed by a user-friendly name in brackets.
    #select-group = group1
    #select-group = group2[My special group]

    # The name of the (virtual) group that if selected it would assign the user
    # to its default group.
    #default-select-group = DEFAULT

    # Instead of specifying manually all the allowed groups, you may instruct
    # ocserv to scan all available groups and include the full list.
    #auto-select-group = true

    # Configuration files that will be applied per user connection or
    # per group. Each file name on these directories must match the username
    # or the groupname.
    # The options allowed in the configuration files are dns, nbns,
    # ipv?-network, ipv4-netmask, rx/tx-per-sec, iroute, route, no-route,
    # explicit-ipv4, explicit-ipv6, net-priority, deny-roaming, no-udp,
    # keepalive, dpd, mobile-dpd, max-same-clients, tunnel-all-dns,
    # restrict-user-to-routes, user-profile, cgroup, stats-report-time,
    # mtu, idle-timeout, mobile-idle-timeout, restrict-user-to-ports,
    # and session-timeout.
    #
    # Note that the 'iroute' option allows to add routes on the server
    # based on a user or group. The syntax depends on the input accepted
    # by the commands route-add-cmd and route-del-cmd (see below). The no-udp
    # is a boolean option (e.g., no-udp = true), and will prevent a UDP session
    # for that specific user or group. Note also, that, any DNS or NBNS servers
    # present will overwrite the global ones, while any routes or no-routes set
    # will be appended to the default set.

    #config-per-user = /etc/ocserv/config-per-user/
    #config-per-group = /etc/ocserv/config-per-group/

    # When config-per-xxx is specified and there is no group or user that
    # matches, then utilize the following configuration.
    #default-user-config = /etc/ocserv/defaults/user.conf
    #default-group-config = /etc/ocserv/defaults/group.conf

    # The system command to use to setup a route. %{R} will be replaced with the
    # route/mask and %{D} with the (tun) device.
    #
    # The following example is from linux systems. %R should be something
    # like 192.168.2.0/24 (the argument of iroute).

    route-add-cmd = "ip route add 192.168.1.0 dev tun0"
    route-del-cmd = "ip route delete 192.168.1.0 dev tun0"

    # This option allows to forward a proxy. The special keywords '%{U}'
    # and '%{G}', if present will be replaced by the username and group name.
    #proxy-url = http://example.com/
    #proxy-url = http://example.com/%{U}/

    # This option allows you to specify a URL location where a client can
    # post using MS-KKDCP, and the message will be forwarded to the provided
    # KDC server. That is a translation URL between HTTP and Kerberos.
    # In MIT kerberos you'll need to add in realms:
    # EXAMPLE.COM = {
    # kdc = https://ocserv.example.com/kerberos
    # http_anchors = FILE:/etc/ocserv-ca.pem
    # }
    # This option is available if ocserv is compiled with GSSAPI support.

    #kkdcp = SERVER-PATH KERBEROS-REALM PROTOCOL@SERVER:PORT
    #kkdcp = /kerberos EXAMPLE.COM [email protected]:88
    #kkdcp = /kerberos-tcp EXAMPLE.COM [email protected]:88

    #
    # The following options are for (experimental) AnyConnect client
    # compatibility.

    # This option must be set to true to support legacy CISCO clients.
    # A side effect of this option is that it will no longer be required
    # for clients to present their certificate on every connection.
    # That is they may resume a cookie without presenting a certificate
    # (when certificate authentication is used).
    cisco-client-compat = true

    # Client profile xml. A sample file exists in doc/profile.xml.
    # It is required by some of the CISCO clients.
    # This file must be accessible from inside the worker's chroot.
    #user-profile = /etc/ocserv/profile.xml

    # Binary files that may be downloaded by the CISCO client. Must
    # be within any chroot environment. Normally you don't need
    # to use this option.
    #binary-files = /path/to/binaries

    #Advanced options

    # Option to allow sending arbitrary custom headers to the client after
    # authentication and prior to VPN tunnel establishment. You shouldn't
    # need to use this option normally; if you do and you think that
    # this may help others, please send your settings and reason to
    # the openconnect mailing list. The special keywords '%{U}'
    # and '%{G}', if present will be replaced by the username and group name.
    #custom-header = "X-My-Header: hi there"
    Vicer
        4
    Vicer  
       2016-03-13 18:03:18 +08:00   ❤️ 1
    试试我的配置,两处$serverip 换成自己的 IP.


    # The default domain to be advertised
    default-domain = $serverip

    #auth = "plain[passwd=/etc/ocserv/ocpasswd]"
    auth = "certificate"

    # TCP and UDP port number
    tcp-port = 8888
    udp-port = 8888

    server-cert = /etc/ocserv/server-cert.pem
    server-key = /etc/ocserv/server-key.pem
    ca-cert = /etc/ocserv/ca-cert.pem

    run-as-user = nobody
    run-as-group = daemon
    cert-user-oid = 2.5.4.3
    socket-file = /var/run/ocserv-socket
    isolate-workers = false
    max-clients = 512
    max-same-clients = 256
    keepalive = 32400
    dpd = 120
    mobile-dpd = 1200
    try-mtu-discovery = true
    compression = true
    #no-compress-limit = 256
    tls-priorities = "NORMAL:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0"
    auth-timeout = 40
    idle-timeout = 1200
    mobile-idle-timeout = 2400
    cookie-timeout = 3600
    deny-roaming = false
    rekey-time = 172800
    rekey-method = ssl
    use-utmp = true
    use-occtl = true
    pid-file = /var/run/ocserv.pid
    device = vpnssl
    predictable-ips = true
    ipv4-network = 192.168.8.0
    ipv4-netmask = 255.255.255.0
    dns = 208.67.220.222
    dns = 119.29.29.29
    ping-leases = false
    cisco-client-compat = true

    # no-route list
    no-route = $serverip/255.255.255.255
    no-route = 192.168.0.0/255.255.0.0
    lhbc
        5
    lhbc  
       2016-03-23 13:40:20 +08:00   ❤️ 1
    192.168.1.0/24 是不是和你局域网的网络冲突了?
    你加了这条
    route-add-cmd = "ip route add 192.168.1.0 dev tun0"
    如果你的局域网也是 192.168.1.0/24 ,路由就成死循环了
    tyhunter
        6
    tyhunter  
    OP
       2016-03-23 13:56:39 +08:00
    @lhbc 我试过删了这条或是把 192.168.1.0 改成 192.168.2.0 ,还是只能打开*.google.com ,其他都打不开
    tyhunter
        7
    tyhunter  
    OP
       2016-03-23 13:57:20 +08:00
    @Vicer 套用你的配置并修改成我的服务器地址后,启动服务提示:
    [....] Restarting ocserv: ocservBad argument `/255.255.255.0'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `/255.255.255.0'
    Try `iptables -h' or 'iptables --help' for more information.
    Bad argument `/255.255.255.0'
    Try `iptables -h' or 'iptables --help' for more information.
    Setting 'certificate' as primary authentication method
    Unknown user: nobody
    failed!
    lhbc
        8
    lhbc  
       2016-03-23 14:27:34 +08:00
    @tyhunter ipv4-network = 192.168.1.0
    这个也要改
    如果确实能 ping 通 google.com , 在终端上做路由跟踪才能找到原因
    推荐手机上很好用的网络检测工具 HE.NET Network Tools

    顺便把防火墙配置贴上来吧
    tyhunter
        9
    tyhunter  
    OP
       2016-03-23 15:08:31 +08:00
    @lhbc 能 ping 通任何网站,但在浏览器里只能打开 google ,并且 QQ 也无法登陆,在本机 TraceRoute 结果如下:
    traceroute to www.qq.com (182.254.18.159[广东省深圳市 深圳腾讯计算机系统有限公司 BGP 节点]), 64 hops max, 52 byte packets
    1 192.168.5.1[局域网 对方和您在同一内部网] (192.168.5.1[局域网 对方和您在同一内部网]) 141.705 ms 139.087 ms 142.274 ms
    2 v163-44-150-2.a00b.g.sin1.static.cnode.io (163.44.150.2[新加坡 GMO 互联网数据中心]) 139.782 ms 150.003 ms 146.593 ms
    3 b-061001-1-be-3.interq.or.jp (103.234.168.37[新加坡 GMO 互联网公司国际互联节点]) 148.244 ms 136.318 ms 136.504 ms
    4 b-061001-2-po-1.interq.or.jp (103.234.168.58[新加坡 GMO 互联网公司国际互联节点]) 133.067 ms 129.743 ms 129.881 ms
    5 * * *
    6 * * *
    7 * * *
    8 * * *
    9 202.97.33.101[上海市 电信骨干网] (202.97.33.101[上海市 电信骨干网]) 209.424 ms * *
    10 202.97.33.33[上海市 电信骨干网] (202.97.33.33[上海市 电信骨干网]) 233.036 ms *
    202.97.35.157[中国 电信骨干网] (202.97.35.157[中国 电信骨干网]) 239.826 ms
    11 202.97.34.210[中国 电信骨干网] (202.97.34.210[中国 电信骨干网]) 278.189 ms 283.512 ms 294.887 ms
    12 219.150.52.138[天津市 电信] (219.150.52.138[天津市 电信]) 291.658 ms
    219.150.52.122[天津市 电信] (219.150.52.122[天津市 电信]) 285.605 ms 281.141 ms
    13 219.150.51.150[天津市 电信] (219.150.51.150[天津市 电信]) 282.806 ms * 306.816 ms
    14 180.213.12.22[天津市 电信] (180.213.12.22[天津市 电信]) 262.793 ms 292.657 ms 307.876 ms
    15 * * *
    16 * * *
    17 * * *
    18 * * *
    19 * * *
    20 * * *
    21 * * *
    22 * * *
    23 * * *
    24 * * *
    25 * * *
    26 * * *
    Vicer
        10
    Vicer  
       2016-03-23 16:07:08 +08:00 via Android
    @tyhunter 好吧,有几项配置要改,开始没仔细看
    liuzhiqing618
        11
    liuzhiqing618  
       2020-10-10 15:51:42 +08:00
    哥~ 我遇到了相同的问题,能 ping 通所有域名,浏览器只能打开 google 国内网站都打不开,但是都能 ping 通!!
    帮帮我!!!!
    关于   ·   帮助文档   ·   博客   ·   API   ·   FAQ   ·   实用小工具   ·   1155 人在线   最高记录 6679   ·     Select Language
    创意工作者们的社区
    World is powered by solitude
    VERSION: 3.9.8.5 · 23ms · UTC 18:33 · PVG 02:33 · LAX 10:33 · JFK 13:33
    Developed with CodeLauncher
    ♥ Do have faith in what you're doing.