我拥有的所有 L2TP/IPsec 实现似乎都没有任何可用于密钥交换的配置。我的路由器允许对原始 IpSec 进行加密和哈希选择。我使用的 Windows 版本允许在“防火墙”处进行加密和哈希选择。但在所有可以选择算法的情况下,它似乎对本机 L2TP/IPsec 客户端没有影响。
这只是历史的偶然,还是 L2TP/IPsec 意味着密钥交换的哈希和加密算法的标准选择?
我可以使用 strongswan 公钥身份验证禁用特定用户的访问权限吗?
所以我有公钥认证工作。SAN 是电子邮件,是 id。有没有办法拒绝对特定用户 ID (rightid) 的身份验证?我希望能够轻松地关闭和打开用户访问权限,我意识到我可以通过删除机密文件中的条目来使用 psk auth。我希望有一种方法可以处理证书。我会以“保留”为由撤销证书,但 strongswan 的 pki 不支持不可撤销的能力。我还尝试设置一个陷阱来拒绝身份验证,但没有成功。必须能够指定允许哪些 clientids 连接
conn main
leftauth=pubkey
leftcert=servercert.pem
rightauth=pubkey
leftid=mydomain.com
type=tunnel
left=%any
leftsubnet=0.0.0.0/0
right=%any
rightsubnet=192.168.137.0/24
esp=aes128gcm16-sha256-modp3072
ike=aes128gcm16-sha256-modp3072
keyexchange=ikev2
ikelifetime=28800s #Time before re authentication of keys
auto=add
conn close
also=main
[email protected]
rightauth=never
auto=route
我使用 strongswan ipsec 作为移动设备 (Android) 的 VPN 网关。在 StrongSwan 配置中,我为 2 个不同的用户组设置了 2 个连接(两个不同的子网 10.10.10.0/24、10.10.20.0/24 具有不同的路由策略)。
而且我不明白(并且在手册和论坛中找不到)如何将用户与连接联系起来。在哪里以及如何设置严格的用户>连接关系?
谢谢!
我的 ipsec 配置:
cat /etc/ipsec.conf
config setup
charondebug="ike 1, knl 1, cfg 0"
uniqueids=no
conn any2ex
auto=add
compress=yes
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftid=*.*.233.132 #I've masked server IP for this post. Certificate was issued for the ip address.
left=*.*.233.132
leftcert=server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.10.0/24
rightdns=8.8.8.8,8.8.4.4
rightsendcert=never
eap_identity=%identity
conn ex2loc
auto=add
compress=yes
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
left=*.*.233.132
leftid=*.*.233.132
leftcert=server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.10.20.0/24
rightdns=8.8.8.8,8.8.4.4
rightsendcert=never
eap_identity=%identity
我用这个配置Android客户端
https://docs.strongswan.org/strongswan-docs/5.9/os/androidVpnClientProfiles.html#_example
我正在尝试设置一个 StrongSwan VPN 服务器,它应该托管多个(Windows 10 - 内部 vpn 客户端)roadwarrior 连接,但不同的子网,具体取决于客户端证书。
root@VPN:/# ipsec version
Linux strongSwan U5.8.2/K5.4.0-26-generic
我的设置有 2 对公钥和私钥,使用不同的 CN,比如说vpn-dev.mycom.com和vpn-liv.mycom.com. 使用的ipsec.conf看起来像这样:
conn vpn-dev
auto=add
compress=no
type=tunnel
keyexchange=ikev2
fragmentation=yes
forceencaps=yes
dpdaction=clear
dpddelay=300s
rekey=no
ikelifetime=25200s
leftid=vpn-dev.mycom.com
leftcert=server-cert.pem
leftsendcert=always
leftsubnet=0.0.0.0/0
right=%any
rightid=%any
rightauth=eap-mschapv2
rightsourceip=10.100.0.0/16-10.100.254.254/16
rightdns=8.8.8.8,8.8.4.4
rightsendcert=never
rightcert=ca-cert.pem
eap_identity=%identity
ike=aes128-sha1-modp1024
conn vpn-liv
also=vpn-dev
leftid=vpn-liv.mycom.com
leftcert=liv-server-cert.pem
rightsourceip=10.200.0.0/16-10.200.254.254/16
rightcert=liv-ca-cert.pem
两个证书密钥也存储在ipsec.secrets
vpn-dev.mycom.com : RSA "server-key.pem"
vpn-liv.mycom.com : RSA "liv-server-key.pem"
someuser : EAP "somepassword"
但是,一旦我尝试连接到 strongswan 实例,vpn-dev就会使用连接并且 strongswan 不会切换到 connvpn-liv
这是尝试期间的日志:
Mar 30 08:47:48 VPN charon: 16[NET] received packet: from X.X.X.X[64558] to X.X.X.X[500] (1084 bytes)
Mar 30 08:47:48 VPN charon: 16[IKE] received MS NT5 ISAKMPOAKLEY v9 vendor ID
Mar 30 08:47:48 VPN charon: 16[IKE] received MS-Negotiation Discovery Capable vendor ID
Mar 30 08:47:48 VPN charon: 16[IKE] X.X.X.X is initiating an IKE_SA
Mar 30 08:47:48 VPN charon: 16[CFG] selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Mar 30 08:47:48 VPN charon: 16[IKE] local host is behind NAT, sending keep alives
Mar 30 08:47:48 VPN charon: 16[IKE] remote host is behind NAT
Mar 30 08:47:48 VPN charon: 16[NET] sending packet: from X.X.X.X[500] to X.X.X.X[64558] (328 bytes)
Mar 30 08:47:48 VPN charon: 06[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
Mar 30 08:47:48 VPN charon: 10[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
Mar 30 08:47:48 VPN charon: 05[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (576 bytes)
Mar 30 08:47:48 VPN charon: 14[NET] received packet: from X.X.X.X[64596] to X.X.X.X[4500] (368 bytes)
Mar 30 08:47:48 VPN charon: 14[IKE] received cert request for "CN=PRIV VPN LIV CA"
Mar 30 08:47:48 VPN charon: 14[IKE] received 69 cert requests for an unknown ca
Mar 30 08:47:48 VPN charon: 14[CFG] looking for peer configs matching X.X.X.X[%any]...X.X.X.X[192.168.0.117]
Mar 30 08:47:48 VPN charon: 14[CFG] selected peer config 'vpn-dev' # << here it has not selected vpn-live, even if the earlier provided private key is only matching vpn-live
Mar 30 08:47:48 VPN charon: 14[IKE] initiating EAP_IDENTITY method (id 0x00)
Mar 30 08:47:48 VPN charon: 14[IKE] peer supports MOBIKE
Mar 30 08:47:48 VPN charon: 14[IKE] authentication of 'vpn-dev.mycom.com' (myself) with RSA signature successful
Mar 30 08:47:48 VPN charon: 14[IKE] sending end entity cert "CN=vpn-dev.mycom.com"
Mar 30 08:47:49 VPN charon: 14[IKE] sending cert request for "CN=PRIV VPN DEV CA"
Mar 30 08:47:49 VPN charon: 14[IKE] sending cert request for "CN=PRIV VPN LIV CA"
Mar 30 08:47:49 VPN charon: 14[NET] sending packet: from X.X.X.X[500] to X.X.X.X[64548] (364 bytes)
Mar 30 08:47:49 VPN charon: 06[NET] received packet: from X.X.X.X[64618] to X.X.X.X[4500] (92 bytes)
Mar 30 08:47:49 VPN charon: 06[IKE] received (28) error notify
目标基本上是在一台机器上托管 2 个 vpn 端点,但根据登录/使用的证书提供不同的 IP 范围。
本地配置是用(powershell)完成的
Import-Certificate -FilePath liv-ca-cert.pem -CertStoreLocation 'Cert:\LocalMachine\Root'
Add-VpnConnection -Name 'LIV VPN' -ServerAddress 'vpn-live.mycom.com' -AuthenticationMethod Eap -IdleDisconnectSeconds 43200
我错过了什么吗?我的设置是否配置错误?或者这对于strongswan和Windows 10内部vpn客户端根本不可能?
请协助。我正在尝试在我的 VPS 上使用 strongswan 设置站点到站点 IPSec 隧道,但遗憾的是我的提供商无法为我启用以下内核模块:
ah4 ah6 esp4 esp6 xfrm4_tunnel xfrm6_tunnel xfrm_user ip_tunnel 隧道 tunnel6 xfrm4_mode_tunnel xfrm6_mode_tunnel
在我转移到我的启动负担不起的专用服务器之前,有没有办法以不依赖于在典型 VPS 配置上启用额外内核模块的替代方式配置 strongswan 或任何其他平台?
考虑到strongswan wiki,这似乎是一个标准问题,但我无法让它正常工作。
网络布局
本地站点 ( clientand gateway) 在我的控制之下,远程站点 ( remote gatewayand remote server) 不在。IPSec 隧道是一个拆分隧道,因此只有对10.10.0.0/16子网的请求通过 IPSec 隧道发送。
目标
我希望与client进行通信remote server,例如创建一个ssh或一个smb连接。
我已经做过的
gateway我已经在和之间建立了 IPSec 隧道remote gateway。我已在以下位置启用 ip 转发
gateway:sysctl net.ipv4.ip_forward=1我在以下位置创建了一个 NAT
gateway:iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT iptables -t nat -A POSTROUTING -j MASQUERADE在
client我已经通过以下方式路由流量gateway:ip route del default ip route add default via 192.168.144.4 # 192.168.144.4 is the gateway
有什么作用
- IPSec隧道已建立且稳定。
- 登录后,我
gateway可以成功。我也可以。我可以。pingremote gatewayremote serverpingclientping google.com - 登录后
client,我可以,ping google.com我可以。随着on the我看到from the正在通过.pinggatewaytcpdump icmpgatewayping google.comclientgateway
什么不起作用,但
我不能ping从它remote server的clientIP 中获取。
client$ ping -c 1 10.10.12.7
PING 10.10.12.7 (10.10.12.7): 56 data bytes
--- 10.10.12.7 ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss
从tcpdump开始gateway,看起来ping是发送的,但不是通过隧道转发的:
gateway$ tcpdump icmp
13:19:18.122999 IP 192.168.144.7 > 10.10.12.7: ICMP echo request, id 15, seq 0, length 64
13:19:18.123038 IP gateway > 10.10.12.7: ICMP echo request, id 15, seq 0, length 64
13:19:18.127534 IP ac5.nue3.m-online.net > gateway: ICMP net 10.10.12.7 unreachable, length 36
13:19:18.127556 IP ac5.nue3.m-online.net > 192.168.144.7: ICMP net 10.10.12.7 unreachable, length 36
与ac5.nue3.m-online.net本地站点的互联网服务提供商一样,我认为数据包不是通过 IPSec 隧道路由的,而是gateway通过remote server. (如果我将 IPSec 隧道设为完整隧道而不是拆分隧道,我会得到相同的结果。)
任何帮助或见解将不胜感激!
编辑:ipsec statusall在gateway
gateway > ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.4.0-88-generic, x86_64):
uptime: 7 minutes, since Oct 08 08:18:24 2021
malloc: sbrk 3112960, mmap 0, used 1081456, free 2031504
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark farp stroke updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
192.168.144.4
Connections:
example-ipsec: %any...vpn1.example.com IKEv2, dpddelay=300s
example-ipsec: local: [[email protected]] uses pre-shared key authentication
example-ipsec: remote: [[email protected]] uses pre-shared key authentication
example-ipsec: child: dynamic === 0.0.0.0/0 TUNNEL, dpdaction=clear
Security Associations (1 up, 0 connecting):
example-ipsec[1]: ESTABLISHED 7 minutes ago, 192.168.144.4[[email protected]]...<public-ip-of-the-remote-gateway>[[email protected]]
example-ipsec[1]: I: 9d7c74f670bbda86_i* c12b3b4a236b7018_r, pre-shared key reauthentication in 2 hours
example-ipsec[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
example-ipsec{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: cf66ad72_i af3c9348_o
example-ipsec{1}: AES_CBC_256/HMAC_SHA2_256_128, 442 bytes_i (4 pkts, 434s ago), 485 bytes_o (6 pkts, 433s ago), rekeying in 38 minutes
example-ipsec{1}: 10.10.102.235/32 === 0.0.0.0/0
这是在ipsec statusall将fromgateway发送到. from不会更改输出中的“字节” 。输出中的“字节”对应于我从 发送到.pingclientremote serverpinggatewaypinggatewayremote server
编辑:/etc/ipsec.conf在gateway:
# /etc/ipsec.conf
conn example-ipsec
left = %defaultroute
leftsourceip = %config
leftid = "[email protected]"
right = vpn1.example.com
rightid = "[email protected]"
rightsubnet = 0.0.0.0/0
leftfirewall = yes
installpolicy = yes
keyexchange = ikev2
type = tunnel
auto = start
leftauth = psk
rightauth = psk
dpdaction = clear
dpddelay = 300s
我想使用strongswan. 我strongswan在 docker 容器中运行。
为此,我希望我的内部服务器192.168.0.12监听其 25 端口并将流量转发到同一端口上的隧道服务器10.0.0.10:25。
到目前为止,我尝试使用 iptables,但没有成功。
net.ipv4.ip_forward在主机和 docker 容器上都启用了!
我iptables-save在192.168.0.12strongswan 连接到隧道后打开:(是的,我可以从 192.168.0.12 ping 10.0.0.10)
# Generated by iptables-save v1.8.4 on Fri Jul 23 09:55:05 2021
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.0.0/16 -d 192.168.0.10/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A OUTPUT -s 192.168.0.10/32 -d 10.0.0.0/16 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
# Completed on Fri Jul 23 09:55:05 2021
# Generated by iptables-save v1.8.4 on Fri Jul 23 09:55:05 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [2:1600]
:POSTROUTING ACCEPT [2:1600]
:DOCKER_OUTPUT - [0:0]
:DOCKER_POSTROUTING - [0:0]
-A OUTPUT -d 127.0.0.11/32 -j DOCKER_OUTPUT
-A POSTROUTING -d 127.0.0.11/32 -j DOCKER_POSTROUTING
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.11:45165
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.11:53306
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p tcp -m tcp --sport 45165 -j SNAT --to-source :53
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p udp -m udp --sport 53306 -j SNAT --to-source :53
COMMIT
命令ip r输出:
default via 192.168.16.1 dev eth0
192.168.16.0/20 dev eth0 proto kernel scope link src 192.168.16.10 # this is a docker internal network for my services
192.168.0.10/30 dev eth1 proto kernel scope link src 192.168.0.12
我尝试了以下各种命令:
iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to-destination 10.0.0.10:25
iptables -t nat -A POSTROUTING -p tcp -d 10.0.0.10 --dport 25 -j SNAT --to-source 192.168.0.12
但没有成功。
我无法提供有关ip r主机或iptables-save.
我究竟做错了什么?
我已经在 docker 容器中成功设置了一个 vpn 隧道,strongswan并希望使用该隧道连接将特定端口(如 SMTP)转发到隧道另一侧的主机,在我的情况下host 10.0.0.10。
目标是能够通过strongswan-container像这样连接到中间的服务直接在我的应用程序中使用 SMTP
(smtp-host)-[IPSec-tunnel]-(strongswan-container [exposes port 25 and forwards everything to tunneled smtp-host])-[some-docker-network]-(my-mail-sending-app-container [calls strongswan-container:25 for smtp])
在阅读了一些关于此的文档后,我尝试了这些iptables命令strongswan-container但没有成功:
iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to-destination 10.0.0.10:25
iptables -t nat -A POSTROUTING -p tcp -d 10.0.0.10 --dport 25 -j MASQUERADE
在my-mail-sending-app-container我尝试运行
telnet strongswan-container 25
但它只会等待响应直到超时。
我的iptables命令有什么问题?
iptables-savestrongswan 连接隧道后的输出:
root@14d43f1e2f55:/# iptables-save
# Generated by iptables-save v1.8.4 on Thu Jul 22 16:25:04 2021
*filter
:INPUT ACCEPT [1:112]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1:112]
-A INPUT -s 10.0.0.0/16 -d 192.168.112.2/32 -i eth0 -m policy --dir in --pol ipsec --reqid 1 --proto esp -j ACCEPT
-A OUTPUT -s 192.168.112.2/32 -d 10.0.0.0/16 -o eth0 -m policy --dir out --pol ipsec --reqid 1 --proto esp -j ACCEPT
COMMIT
# Completed on Thu Jul 22 16:25:04 2021
# Generated by iptables-save v1.8.4 on Thu Jul 22 16:25:04 2021
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [2:1600]
:POSTROUTING ACCEPT [2:1600]
:DOCKER_OUTPUT - [0:0]
:DOCKER_POSTROUTING - [0:0]
-A OUTPUT -d 127.0.0.11/32 -j DOCKER_OUTPUT
-A POSTROUTING -d 127.0.0.11/32 -j DOCKER_POSTROUTING
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 127.0.0.11:46701
-A DOCKER_OUTPUT -d 127.0.0.11/32 -p udp -m udp --dport 53 -j DNAT --to-destination 127.0.0.11:58024
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p tcp -m tcp --sport 46701 -j SNAT --to-source :53
-A DOCKER_POSTROUTING -s 127.0.0.11/32 -p udp -m udp --sport 58024 -j SNAT --to-source :53
COMMIT
# Completed on Thu Jul 22 16:25:04 2021
我的ipsec.conf:
config setup
strictcrlpolicy=no
uniqueids=no
# left is local by default, left and right otherwise dynamically detected
conn %default
conn "ezvpn"
keyexchange=ikev2
aggressive=yes
ike=(some-ciphers) # Phase1 parameters
esp=(some-ciphers) # Phase2 parameters
left=192.168.112.2 # local IP used to connect to IOS
leftid=12.123.123.1 # IKEID (group name) used for IOS
leftfirewall=yes
leftauth=psk
rightauth=psk
fragmentation=yes
right=12.123.123.2 #gateway (IOS) IP
rightsubnet=10.0.0.0/16
rightfirewall=yes
auto=route
type=tunnel
ikelifetime=180m
keylife=60m
我需要一点帮助/解释为什么以下网络设置不起作用:
PC1 (192.168.66.1) <-- PLAIN --> (192.168.66.2)PC-GW(192.168.88.2) <-- ESP --> (192.168.88.1) PC2
我可以将数据包从 PC1 192.168.66.1 发送到 PC2 192.168.88.1,PC-GW 封装 esp,PC2 接收 esp 数据包,它工作正常。
但是,如果我将 esp 数据包从 PC2 192.168.88.1 发送到 PC1 192.168.66.1,PC-GW 转发了 esp 数据包而没有解封装/解密,PC1 得到一个 esp 数据包。
如果两个系统都使用 ESP,它可以正常工作:
PC1 (192.168.66.1) <-- ESP--> (192.168.88.1) PC2
我尝试了几种不同的配置,这是我使用的命令:
ip xfrm state add src 192.168.66.1/32 dst 192.168.88.1/32 proto esp spi 0x01000000 reqid 0x01000000 mode transport aead 'rfc4106(gcm(aes))' 0x000000000000000000000000000000000000000000000000000000000000000000000000 128 sel src 192.168.66.1/32 dst 192.168.88.1/32
ip xfrm state add src 192.168.88.1/32 dst 192.168.66.1/32 proto esp spi 0x01000000 reqid 0x02000000 mode transport aead 'rfc4106(gcm(aes))' 0x000000000000000000000000000000000000000000000000000000000000000000000000 128 sel src 192.168.88.1/32 dst 192.168.66.1/32
ip xfrm policy add src 192.168.66.1/32 dst 192.168.88.1/32 dir out tmpl src 192.168.66.1/32 dst 192.168.88.1/32 proto esp reqid 0x01000000 mode transport
ip xfrm policy add src 192.168.88.1/32 dst 192.168.66.1/32 dir in tmpl src 192.168.88.1/32 dst 192.168.66.1/32 proto esp reqid 0x02000000 mode transport
在 tcpdump 的帮助下,我捕获了所有接口。
我不使用openswap,这个测试设置不是真正的使用场景。这只是为了尝试,我想了解它是如何工作的。
我正在尝试将 OpenVPN 访问服务器配置为通过在 OpenVPN 服务器上建立的 IPSec 隧道路由某些流量。这些是寻址细节:
- OpenVPN 客户端 IP 范围:
10.0.1.0/24 - OpenVPN 服务器 IP(客户端连接到的地方):
x.x.x.x - IPSec 隧道对等体:
y.y.y.y - IPSec 隧道子网:
(x.x.x.x) 10.0.1.0/24 <--> 172.30.239.0/25 (y.y.y.y)
从 OpenVPN 客户端来看,预期的行为是这样的:
curl 172.30.239.75-> 流量将从客户端流向 OpenVPN 服务器,通过 IPSec 隧道路由,最终进入172.30.239.0/25网络curl google.com-> 流量将通过其默认网关从客户端到 OpenVPN 服务器和公共互联网(根本不使用 IPSec 隧道)
我认为这种配置会“正常工作”,因为 OpenVPN 客户端的 IP 地址是从与 IPSec 隧道相同的子网分配的,但遗憾的是事实并非如此。
我可以直接从 OpenVPN 服务器访问远程 IPSec 子网,例如curl 172.30.239.75,因此隧道和一些路由正在工作。但是从 OpenVPN 客户端运行相同的请求只是超时(tcpdump表明请求到达 OpenVPN 服务器但它在那里结束)。
我完全不知道接下来应该尝试什么。你能帮帮我吗?我对此很陌生,因此非常感谢您提供详细的答案!这个问题与我之前提出的这个问题有关,但没有足够的细节来实际实现。
下面我尝试收集相关配置,但如果还有其他重要的内容,请告诉我。
我没有添加任何自定义接口、路由或 iptables 规则。我尝试过的所有这些要么没有任何效果,要么搞砸了,所以下面的输出是 OpenVPN 和 IPSec 配置的。
接口
$ ifconfig (truncated)
as0t0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.0.1.1 netmask 255.255.255.128 destination 10.0.1.1
as0t1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 10.0.1.129 netmask 255.255.255.128 destination 10.0.1.129
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet x.x.x.x netmask 255.255.252.0 broadcast x.x.x.x
eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.1.7.177 netmask 255.255.252.0 broadcast 10.1.7.255
路由
下面[gw.gw.gw.gw]是eth0 iface默认网关的IP地址
$ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 0 0 0 eth0
10.0.0.0 10.1.4.1 255.0.0.0 UG 0 0 0 eth1
10.0.1.0 0.0.0.0 255.255.255.128 U 0 0 0 as0t0
10.0.1.128 0.0.0.0 255.255.255.128 U 0 0 0 as0t1
10.1.4.0 0.0.0.0 255.255.252.0 U 0 0 0 eth1
169.254.169.254 10.1.4.1 255.255.255.255 UGH 0 0 0 eth1
x.x.x.0 0.0.0.0 255.255.252.0 U 0 0 0 eth0
$ ip route list table all
172.30.239.0/25 via [gw.gw.gw.gw] dev eth0 table 220 proto static src 10.0.1.1
default via [gw.gw.gw.gw] dev eth0
10.0.1.0/25 dev as0t0 proto kernel scope link src 10.0.1.1
10.0.1.128/25 dev as0t1 proto kernel scope link src 10.0.1.129
x.x.x.0/22 dev eth0 proto kernel scope link src x.x.x.x
broadcast 10.0.1.0 dev as0t0 table local proto kernel scope link src 10.0.1.1
local 10.0.1.1 dev as0t0 table local proto kernel scope host src 10.0.1.1
broadcast 10.0.1.127 dev as0t0 table local proto kernel scope link src 10.0.1.1
broadcast 10.0.1.128 dev as0t1 table local proto kernel scope link src 10.0.1.129
local 10.0.1.129 dev as0t1 table local proto kernel scope host src 10.0.1.129
broadcast 10.0.1.255 dev as0t1 table local proto kernel scope link src 10.0.1.129
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast x.x.x.0 dev eth0 table local proto kernel scope link src x.x.x.x
local x.x.x.x dev eth0 table local proto kernel scope host src x.x.x.x
broadcast 185.26.51.255 dev eth0 table local proto kernel scope link src x.x.x.x
iptables
iptables-save
# Generated by iptables-save v1.8.4 on Thu May 27 23:20:08 2021
*nat
:PREROUTING ACCEPT [655:63952]
:INPUT ACCEPT [82:5300]
:OUTPUT ACCEPT [72:5613]
:POSTROUTING ACCEPT [72:5613]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A AS0_NAT -o eth0 -j SNAT --to-source x.x.x.x
-A AS0_NAT -o eth1 -j SNAT --to-source 10.1.7.177
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT
-A AS0_NAT_PRE -d 169.254.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
-A AS0_NAT_TEST -d 10.0.1.0/24 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Thu May 27 23:20:08 2021
# Generated by iptables-save v1.8.4 on Thu May 27 23:20:08 2021
*mangle
:PREROUTING ACCEPT [48:3312]
:INPUT ACCEPT [19672:4609821]
:FORWARD ACCEPT [32480:9628950]
:OUTPUT ACCEPT [18602:11259270]
:POSTROUTING ACCEPT [51071:20887532]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Thu May 27 23:20:08 2021
# Generated by iptables-save v1.8.4 on Thu May 27 23:20:08 2021
*filter
:INPUT ACCEPT [12:660]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [18526:11256230]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_WEBACCEPT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -p udp -m state --state NEW -m udp --dport 1194 -j AS0_ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN -d 10.0.1.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000
-A AS0_IN_NAT -j ACCEPT
-A AS0_IN_POST -d 10.0.1.0/24 -j ACCEPT
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -d 169.254.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j ACCEPT
-A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000
-A AS0_IN_ROUTE -j ACCEPT
-A AS0_OUT -j AS0_OUT_POST
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_POST -j DROP
-A AS0_OUT_S2C -s 10.0.1.0/24 -j ACCEPT
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_WEBACCEPT -j ACCEPT
COMMIT
# Completed on Thu May 27 23:20:08 2021
我还尝试不让 OpenVPN 客户端 IP 子网和 IPSec 隧道子网重叠,但在这种情况下我也找不到设置路由的方法。不过,这种设置绝对是一种选择,如果那样的话会更好。