centos 7，更新4.12内核，安装bbr之后vpn无法使用

[funway]

请问，原来是3.10.0-514.26.2.el7.x86_64的内核，l2tp, cisco ipsec以及shadowsocks均正常使用。
今天给系统升级了4.12.8-1.el7.elrepo.x86_64内核，安装了google bbr后，shadowsocks正常工作，
但是两个vpn协议均变成了连接正常，但是无法上网的情况，像是无法收发数据了。
即使我现在把内核切换回3.10，也依然是连接但无法上网。请问这会是什么原因呀？

下面是/var/log/secure的日志:

Aug 19 14:42:30 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #3: Unsupported modecfg long attribute MODECFG_BANNER received.
Aug 19 14:42:30 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #3: Unsupported modecfg long attribute MODECFG_DOMAIN received.
Aug 19 14:42:30 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #3: Unsupported modecfg long attribute CISCO_SPLIT_DNS received.
Aug 19 14:42:30 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #3: Unsupported modecfg long attribute CISCO_SPLIT_INC received.
Aug 19 14:42:30 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #3: Unsupported modecfg long attribute CISCO_SPLIT_EXCLUDE received.
Aug 19 14:42:30 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #3: Unsupported modecfg long attribute CISCO_DO_PFS received.
Aug 19 14:42:30 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #3: Unsupported modecfg long attribute CISCO_SAVE_PW received.
Aug 19 14:42:30 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #3: Unsupported modecfg long attribute CISCO_FW_TYPE received.
Aug 19 14:42:30 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #3: Unsupported modecfg long attribute CISCO_BACKUP_SERVER received.
Aug 19 14:42:30 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #3: Unsupported modecfg long attribute CISCO_UNKNOWN_SEEN_ON_IPHONE received.
Aug 19 14:42:30 vultr pluto[2747]: | We are not sending a domain
Aug 19 14:42:30 vultr pluto[2747]: | We are not sending a banner
Aug 19 14:42:30 vultr pluto[2747]: | We are 0.0.0.0/0 so not sending CISCO_SPLIT_INC
Aug 19 14:42:30 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #3: modecfg_inR0(STF_OK)
Aug 19 14:42:30 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #3: transition from state STATE_MODE_CFG_R0 to state STATE_MODE_CFG_R1
Aug 19 14:42:30 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #3: STATE_MODE_CFG_R1: ModeCfg Set sent, expecting Ack {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP2048}
Aug 19 14:42:31 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #3: the peer proposed: 0.0.0.0/0:0/0 -> 192.168.43.10/32:0/0
Aug 19 14:42:31 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #4: responding to Quick Mode proposal {msgid:a07e2f2a}
Aug 19 14:42:31 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #4: us: 0.0.0.0/0===45.32.65.159[MS+XS+S=C]
Aug 19 14:42:31 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #4: them: 14.24.214.135[100.72.67.227,+MC+XC+S=C]===192.168.43.10/32
Aug 19 14:42:31 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Aug 19 14:42:31 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 tunnel mode {ESP/NAT=>0x01ed776e <0x69490669 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=14.24.214.135:47640 DPD=active username=funway}
Aug 19 14:42:31 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Aug 19 14:42:31 vultr pluto[2747]: "xauth-psk"[4] 14.24.214.135 #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x01ed776e <0x69490669 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=14.24.214.135:47640 DPD=active username=funway}

[funway]

额，我发现好像跟iptables有关。
我之前因为vps服务商有自带的防火墙安全组设置，所以我更喜欢用vps服务商提供的防火墙，所以把iptables给关闭了，但先前也用的好好的。
刚刚我尝试重新用您的安装脚本重装了一遍后就又恢复正常了，然后我查了一下，发现iptables被打开了，然后我再次把iptables给关闭后，发现又是vpn可以连接，但无法收发数据的情况。。。 =。=#
请问，这到底是什么原因呀，理论上我把iptables给关闭了，那不是应该全部转发吧，连接都可以建立，偏偏数据不转发。。。

[hwdsl2]

@funway 你好，IPTables 中的 NAT 规则 是 VPN 正常工作所必需的 （使用 iptables -nvL -t nat 查看）。这些规则用于 从/到 因特网转发 VPN 客户端的数据。 如你所述，如果关闭 IPTables，就会出现无法上网的问题。你必须保证 IPTables 打开并且规则存在。如需要可以再次运行 VPN 脚本。