关于【routes】的问题- 第1页

nick2k3

Asked: 2021-06-14 01:08:37 +0800 CST

带有 docker 的 site2site 线卫：路由问题

2

免责声明：从stackoverflow转发：https ://stackoverflow.com/questions/67917278/site2site-wireguard-with-docker-routing-problems

我试图让两个容器在两个 RPI 上运行，充当网络 1 和网络 2 之间的站点到站点 VPN。

通过下面的设置，我可以从容器内相互ping通：

从 docker 容器 1 我可以 ping 一个地址 192.168.1.1
从 docker 容器 2 我可以 ping 地址 192.168.10.1

但是，如果我尝试从 System1 主机 (192.168.10.100) ping 192.168.1.1，则会出现错误（请参见下图以可视化我正在尝试执行的操作）。

我知道我必须在 system1 主机 (192.168.10.100) 上添加一个静态路由，以通过 wireguard 容器 (172.17.0.5) 引导 192.168.1.0/24 的流量，因此我运行：

$i p route add 192.168.1.0/24 via 172.17.0.5
$ ip route
default via 192.168.10.1 dev eth0 proto dhcp src 192.168.10.100 metric 100 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 
172.18.0.0/16 dev br-e19a4f1b7646 proto kernel scope link src 172.18.0.1 linkdown 
172.19.0.0/16 dev br-19684dacea29 proto kernel scope link src 172.19.0.1 
172.20.0.0/16 dev br-446863cf7cef proto kernel scope link src 172.20.0.1 
172.21.0.0/16 dev br-6800ed9b4dd6 proto kernel scope link src 172.21.0.1 linkdown 
172.22.0.0/16 dev br-8f8f439a7a28 proto kernel scope link src 172.22.0.1 linkdown 
192.168.1.0/24 via 172.17.0.5 dev docker0 
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.100 
192.168.10.1 dev eth0 proto dhcp scope link src 192.168.10.100 metric 100

但是对 192.168.1.1 的 ping 仍然失败。

通过在容器 2 上运行 tcpdump，我看到一些数据包确实到达了容器：

root@936de7c0d7eb:/# tcpdump -n -i any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
10:11:19.885845 IP [publicIPsystem1].56200 > 172.17.0.6.56100: UDP, length 128
10:11:30.440764 IP 172.17.0.6.56100 > [publicIPsystem1].56200: UDP, length 32
10:11:35.480625 ARP, Request who-has 172.17.0.1 tell 172.17.0.6, length 28
10:11:35.480755 ARP, Reply 172.17.0.1 is-at 02:42:24:e5:ac:38, length 28

所以我想这不是系统 1 上的路由问题。

谁能告诉我如何进一步诊断？

编辑1：
我做了以下测试：

在容器 2 上运行“tcpdump -ni any”
从系统 1（从主机系统）发送 ping 'ping -c 1 192.168.1.1。
在容器 2 上，tcpdump 记录以下内容：

    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
    15:04:47.495066 IP [publicIPsystem1].56200 > 172.17.0.3.56100: UDP, length 128
    15:04:58.120761 IP 172.17.0.3.56100 > [publicIPsystem1].56200: UDP, length 32

从容器（在容器内）发送 ping 'ping -c 1 192.168.1.1 。
在容器 2 上，tcpdump 记录以下内容：

# tcpdump -ni any
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
15:05:48.120717 IP [publicIPsystem1].56200 > 172.17.0.3.56100: UDP, length 128
15:05:48.120871 IP 10.13.18.2 > 192.168.1.1: ICMP echo request, id 747, seq 1, length 64
15:05:48.120963 IP 172.17.0.3 > 192.168.1.1: ICMP echo request, id 747, seq 1, length 64
15:05:48.121955 IP 192.168.1.1 > 172.17.0.3: ICMP echo reply, id 747, seq 1, length 64
15:05:48.122054 IP 192.168.1.1 > 10.13.18.2: ICMP echo reply, id 747, seq 1, length 64
15:05:48.122246 IP 172.17.0.3.56100 > [publicIPsystem1].56200: UDP, length 128
15:05:53.160617 ARP, Request who-has 172.17.0.1 tell 172.17.0.3, length 28
15:05:53.160636 ARP, Request who-has 172.17.0.3 tell 172.17.0.1, length 28
15:05:53.160745 ARP, Reply 172.17.0.3 is-at 02:42:ac:11:00:03, length 28
15:05:53.160738 ARP, Reply 172.17.0.1 is-at 02:42:24:e5:ac:38, length 28
15:05:58.672032 IP [publicIPsystem1].56200 > 172.17.0.3.56100: UDP, length 32

所以，似乎数据包的处理方式与容器 2 不同，具体取决于我目前缺少的东西。这可能是 iptables 问题吗？

	站点 1	站点 2
网络 1 IP 范围	192.168.10.0/24	192.168.1.0/24
主机系统地址	192.168.10.100	192.168.1.100
桥 docker0 范围	172.17.0.0/16	172.17.0.0/16
容器地址	172.17.0.5	172.17.0.6

系统 1 - wg0.conf

[Interface]
Address = 10.13.18.2
PrivateKey = *privatekey*
ListenPort = 56200
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = *publickey*
Endpoint = *system2address*:56100
AllowedIPs = 10.13.18.1/32 , 192.168.1.0/24

系统 2 - wg0.conf

[Interface]
Address = 10.13.18.1
ListenPort = 56100
PrivateKey = *privatekey*
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
# peer_casaleuven
PublicKey = *publickey*
AllowedIPs = 10.13.18.2/32 , 192.168.10.0/24
Endpoint = *system1address*:56200

Justin C

Asked: 2020-06-06 00:40:31 +0800 CST

Rsync 无法在 OpenVPN 上运行

0

离散问题：我的网络配置或 rsync 配置是否存在问题，无法通过 OpenVPN 在两台服务器之间进行备份？

我有一个可以在 10.8.0.1 上 ping 通的可用 openvpn 隧道。但是当我使用下面的命令时，它会超时（110）。它应该打印出可用的备份目录...：

rsync rsync://10.8.0.1

我的 openvpn 配置文件：服务器

;local a.b.c.d
port 1194
proto udp
dev tun0
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log-append  /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1
;dev-node MyTap
;topology subnet
;server-bridge 10.8.0.4 255.255.255.0 10.8.0.50 10.8.0.100
;server-bridge
;push "route 192.168.10.0 255.255.255.0"
;push "route 192.168.20.0 255.255.255.0"
;client-config-dir ccd
;route 192.168.40.128 255.255.255.248
;client-config-dir ccd
;route 10.9.0.0 255.255.255.252
;learn-address ./script
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;client-to-client
;duplicate-cn
;log         /var/log/openvpn/openvpn.log
;mute 20
;compress lz4-v2
;push "compress lz4-v2"
;comp-lzo
;max-clients 100

客户：

client
dev tun0
proto udp
remote server.ip.address 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/backupclient.crt
key /etc/openvpn/keys/backupclient.key
remote-cert-tls server
tls-auth /etc/openvpn/keys/ta.key 1
cipher AES-256-CBC
verb 3
;dev-node MyTap
;proto tcp
;http-proxy-retry
;http-proxy [proxy server] [proxy port #]
;mute-replay-warnings
;remote my-server-2 1194
;remote-random
;mute 20

我无法与 rsync 连接以向我显示可用的备份文件，因此我通过运行命令添加了以下内容：

root@user:/# iptables --table nat --append POSTROUTING --out-interface eth0 --source 10.8.0.0/24 --jump MASQUERADE

root@user:/# iptables --table nat --append POSTROUTING --out-interface tun0 --source 10.8.0.0/24 --jump MASQUERADE

然后我对UFW进行了更改：

ufw allow 1194/udp

编辑 /etc/default/ufw，查找 DEFAULT_FORWARD_POLICY=”DROP” 并更改：

DEFAULT_FORWARD_POLICY="ACCEPT"

编辑 1：我已经重新加载了 ufw、openvpn 和 rsync 以及所有更改。即使只是尝试重新启动服务。我注意到我的接口设备随着测试从 tun 到 tun0 到 tun 2 发生了变化，所以我删除了所有 tun 并重新启动了 open vpn

还是没有骰子。在重新映像服务器之前，我已经完成了这项工作，然后又努力重新安装了 openvpn。几乎想知道我是否搞砸了接口或路由......

dovla110010101

Asked: 2016-10-19 03:51:17 +0800 CST

Cisco Anyconnect 客户端连接到 VPN，但无法从客户端计算机访问任何其他网络/子网

1

我有一个关于 VPN 的大问题，我无法解决或连接问题（可能会导致问题）

我们的一位客户希望用更好的东西替换旧的 snapgear，因此他们选择了 ASA。

我已经在 ASA 中创建了所有配置，并在我们的测试网络中进行了测试。我能够将客户端机器从外部连接到 ASA VPN 并 ping 网络内的任何机器。一切都很完美。之后，我为客户站点设置了相同的防火墙/配置，一旦我将 ASA 连接到他们的网络并尝试使用 Any connect 从外部连接，我就无法 ping 他们网络内的任何机器。所有网络、子网都无法访问/没有回复。

起初我设置了 ASA 接口的静态路由和静态 IP，但没有运气。然后我设置接口以从 DHCP 服务器获取 IP 地址，并从正在执行所有路由的“L3 核心交换机”获取所有路由，再次没有任何运气。

ASA 的配置（动态）

: Saved

:
: Serial Number: xxxxxxxx
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(2)
!
hostname xxxxxxxx
enable password xxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxx encrypted
names
ip local pool VPN_xxxxxx 10.13.3.2-10.13.3.200 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description WAN Connection
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.88 255.255.255.224
!
interface GigabitEthernet1/2
 description LAN address
 nameif inside
 security-level 100
 ip address dhcp setroute
!
interface GigabitEthernet1/3
 description Test Connection Outside
 nameif testConn
 security-level 0
 ip address xxx.xxx.xxx.218 255.255.255.248
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 nameif mgmtbck
 security-level 100
 ip address 192.168.96.1 255.255.255.0
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network TestConnection
 subnet 192.168.10.0 255.255.254.0
 description TestConnection
object network WANAddress
 host xxx.xxx.xxx.217
object network WAN_Connection
 subnet 192.168.10.0 255.255.254.0
 description InternetConnection
object network WANConnectionxxxxxx
 host xxx.xxx.xxx.65
object network WANConn
 subnet 192.168.10.0 255.255.254.0
object network NETWORK_OBJ_10.13.3.0_24
 subnet 10.13.3.0 255.255.255.0
object network Network_A
 subnet 192.168.0.0 255.255.254.0
 description Network 192.168.0.0/23
object network Network_B
 subnet 172.17.110.0 255.255.255.0
 description Network 172.17.110.0
object network Network_C
 subnet 172.17.101.0 255.255.255.0
 description Network 172.17.101.0/24
object network Network_D
 subnet 172.17.137.0 255.255.255.0
 description Network 172.17.137.0/24
object network Gateway_Inside
 host 192.168.10.1
 description inside gateway address
object network OutsideNAT
 subnet 192.168.10.0 255.255.254.0
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list 101 extended permit icmp any any echo-reply
access-list 101 extended permit icmp any any source-quench
access-list 101 extended permit icmp any any unreachable
access-list 101 extended permit icmp any any time-exceeded
access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu testConn 1500
mtu mgmtbck 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-762.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,testConn) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
!
object network WANConn
 nat (inside,testConn) dynamic interface dns
object network OutsideNAT
 nat (inside,outside) dynamic interface dns
access-group 101 in interface outside
access-group inside_access_in in interface inside
access-group 101 in interface testConn
route testConn 0.0.0.0 0.0.0.0 xxx.xxx.xxx.217 1
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.65 2
route inside 172.17.101.0 255.255.255.0 192.168.10.1 1
route inside 172.17.110.0 255.255.255.0 192.168.10.1 1
route inside 172.17.137.0 255.255.255.0 192.168.10.1 1
route inside 192.168.0.0 255.255.254.0 192.168.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server NPS protocol radius
aaa-server NPS (inside) host 192.168.0.186
 key *****
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.254.0 inside
http 192.168.96.0 255.255.255.0 mgmtbck
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map testConn_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map testConn_map interface testConn
crypto ca trustpoint xxxxxxxx
 enrollment self
 fqdn xxxxxx.local
 subject-name CN=xxxxxxxx
 serial-number
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain xxxxxxxx
 certificate cffdf657
    3082036f 30820257 a0030201 020204cf fdf65730 0d06092a 864886f7 0d010105
    05003047 31133011 06035504 03130a41 646d6972 616c4153 41313030 12060355
    0405130b 4a414432 30323330 34435430 1a06092a 864886f7 0d010902 160d6164
    6d697261 6c2e6c6f 63616c30 1e170d31 36313030 37303234 3431335a 170d3236
    31303035 30323434 31335a30 47311330 11060355 0403130a 41646d69 72616c41
    121616e7 7014f20f dbf9733a bca6055a 15f68e68 8fa67ea5 0c63d7ed 712e5517
    a392775d 2f4bdd5a df207e10 0413c878 fba699
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable testConn client-services port 443
crypto ikev2 remote-access trustpoint xxxxxxxx
crypto ikev1 enable outside
crypto ikev1 enable testConn
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.10.0 255.255.254.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcp-client client-id interface inside
dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxx.xxx.xxx.44 source testConn prefer
ssl trust-point xxxxxxxx outside
ssl trust-point xxxxxxxx inside
ssl trust-point xxxxxxxx testConn
ssl trust-point xxxxxxxx mgmtbck
webvpn
 enable outside
 enable testConn
 anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
 anyconnect profiles xxxxxxMain_client_profile disk0:/xxxxxxMain_client_profile.xml
 anyconnect profiles xxxxxx_client_profile disk0:/xxxxxx_client_profile.xml
 anyconnect profiles TestVPN_client_profile disk0:/TestVPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_TestVPN internal
group-policy GroupPolicy_TestVPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value TestVPN_client_profile type user
group-policy GroupPolicy_xxxxxxMain internal
group-policy GroupPolicy_xxxxxxMain attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value xxxxxxMain_client_profile type user
group-policy GroupPolicy_VPN internal
group-policy GroupPolicy_VPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ssl-client
 default-domain none
group-policy Policy_xxxxxx internal
group-policy Policy_xxxxxx attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list none
dynamic-access-policy-record DfltAccessPolicy
username admin password xxxxxxxx encrypted privilege 15
tunnel-group VPN type remote-access
tunnel-group VPN general-attributes
 address-pool VPN_xxxxxx
 default-group-policy GroupPolicy_VPN
tunnel-group VPN webvpn-attributes
 group-alias VPN enable
tunnel-group TestVPN type remote-access
tunnel-group TestVPN general-attributes
 address-pool VPN_xxxxxx
 default-group-policy GroupPolicy_TestVPN
tunnel-group TestVPN webvpn-attributes
 group-alias TestVPN enable
tunnel-group xxxxxxMain type remote-access
tunnel-group xxxxxxMain general-attributes
 address-pool VPN_xxxxxx
 authentication-server-group NPS
 default-group-policy GroupPolicy_xxxxxxMain
tunnel-group xxxxxxMain webvpn-attributes
 group-alias xxxxxxMain enable
tunnel-group VPN_SSL type remote-access
tunnel-group VPN_SSL general-attributes
 default-group-policy Policy_xxxxxx
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
: end

配置 - 静态

: Saved

: 
: Serial Number: xxxxxxxx
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
: Written by xxxxx at 08:27:30.065 GMT Wed Oct 12 2016
!
ASA Version 9.5(2) 
!
hostname xxxxxxxxASA
enable password xxxxxxxxxxxxxxxxxxxxxxxx encrypted
passwd xxxxxxxxxxxxxxxxxxxxxxxx encrypted
names
ip local pool VPN_xxxxxxxx 10.13.3.2-10.13.3.254 mask 255.255.255.0
!
interface GigabitEthernet1/1
 description WAN Connection
 nameif outside
 security-level 0
 ip address xxx.xxx.xxx.88 255.255.255.224 
!
interface GigabitEthernet1/2
 description LAN address
 nameif inside
 security-level 100
 ip address 192.168.10.3 255.255.254.0 
!
interface GigabitEthernet1/3
 description Test Connection Outside
 nameif testConn
 security-level 0
 ip address xxx.xxx.xxx.218 255.255.255.248 
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management1/1
 management-only
 no nameif
 no security-level
 no ip address
!
ftp mode passive
clock timezone GMT 0
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network obj_any
 subnet 0.0.0.0 0.0.0.0
object network TestConnection
 subnet 192.168.10.0 255.255.254.0
 description TestConnection
object network WANAddress
 host xxx.xxx.xxx.217
object network WAN_Connection
 subnet 192.168.10.0 255.255.254.0
 description InternetConnection
object network WANConnectionxxxxxxxx
 host xxx.xxx.xxx.65
object network WANConn
 subnet 192.168.10.0 255.255.254.0
object network NETWORK_OBJ_10.13.3.0_24
 subnet 10.13.3.0 255.255.255.0
object network Network_A
 subnet 192.168.0.0 255.255.254.0
 description Network 192.168.0.0/23
object network Network_B
 subnet 172.17.110.0 255.255.255.0
 description Network 172.17.110.0
object network Network_C
 subnet 172.17.101.0 255.255.255.0
 description Network 172.17.101.0/24
object network Network_D
 subnet 172.17.137.0 255.255.255.0
 description Network 172.17.137.0/24
object network Gateway_Inside
 host 192.168.10.1
 description inside gateway address
object network OutsideNAT
 subnet 192.168.10.0 255.255.254.0
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object echo
 icmp-object echo-reply
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit icmp any any object-group DM_INLINE_ICMP_1 
access-list 101 extended permit icmp any any echo-reply 
access-list 101 extended permit icmp any any source-quench 
access-list 101 extended permit icmp any any unreachable 
access-list 101 extended permit icmp any any time-exceeded 
access-list Split-Tunnel standard permit 192.168.10.0 255.255.254.0 
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu testConn 1500
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
asdm image disk0:/asdm-762.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,testConn) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.13.3.0_24 NETWORK_OBJ_10.13.3.0_24 no-proxy-arp route-lookup
!
object network WANConn
 nat (inside,testConn) dynamic interface dns
object network OutsideNAT
 nat (inside,outside) dynamic interface dns
access-group 101 in interface outside
access-group inside_access_in in interface inside
access-group 101 in interface testConn
route outside 0.0.0.0 0.0.0.0 xxx.xxx.xxx.65 1
route testConn 0.0.0.0 0.0.0.0 xxx.xxx.xxx.217 3
route inside 172.17.101.0 255.255.255.0 192.168.10.1 1
route inside 172.17.110.0 255.255.255.0 192.168.10.1 1
route inside 172.17.137.0 255.255.255.0 192.168.10.1 1
route inside 192.168.0.0 255.255.254.0 192.168.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
aaa-server NPS protocol radius
aaa-server NPS (inside) host 192.168.0.186
 key xxxxxxx
user-identity default-domain LOCAL
aaa authentication http console LOCAL 
aaa authentication ssh console LOCAL 
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.254.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec ikev2 ipsec-proposal AES256
 protocol esp encryption aes-256
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
 protocol esp encryption aes-192
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
 protocol esp encryption aes
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
 protocol esp encryption 3des
 protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal DES
 protocol esp encryption des
 protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map outside_map interface outside
crypto map testConn_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map testConn_map interface testConn
crypto ca trustpoint xxxxxxxxCert
 enrollment self
 fqdn xxxxxxxx.local
 subject-name CN=xxxxxxxxASA
 serial-number
 proxy-ldc-issuer
 crl configure
crypto ca trustpool policy
crypto ca certificate chain xxxxxxxxCert
 certificate cffdf657
    3082036f 30820257 a0030201 020204cf fdf65730 0d06092a 864886f7 0d010105 
    05003047 31133011 06035504 03130a41 646d6972 616c4153 41313030 12060355 
    0405130b 4a414432 30323330 34435430 1a06092a 864886f7 0d010902 160d6164 
    6d697261 6c2e6c6f 63616c30 1e170d31 36313030 37303234 3431335a 170d3236 
    31303035 30323434 31335a30 47311330 11060355 0403130a 41646d69 72616c41 
    89dcd2ca 48d03495 655c1b39 35d26809 40d73e65 8bebfe10 c3c07753 75d6ba67 
    e7fd3326 5ee135c4 bf96971a 99e5ed5c 72c22c56 bda3e047 97f5e667 57504628 
    5b64c134 279b5205 2ebf37fe 81174d03 e2c9a30f acdf2893 f3136e20 4221bca0 
    121616e7 7014f20f dbf9733a bca6055a 15f68e68 8fa67ea5 0c63d7ed 712e5517 
    a392775d 2f4bdd5a df207e10 0413c878 fba699
  quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption aes-192
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 20
 encryption aes
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 30
 encryption 3des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 policy 40
 encryption des
 integrity sha
 group 5 2
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable testConn client-services port 443
crypto ikev2 remote-access trustpoint xxxxxxxxCert
crypto ikev1 enable outside
crypto ikev1 enable testConn
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
telnet timeout 5
no ssh stricthostkeycheck
ssh 192.168.10.0 255.255.254.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0

dhcpd auto_config outside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server xxx.xxx.xxx.44 source testConn prefer
ssl trust-point xxxxxxxxCert outside
ssl trust-point xxxxxxxxCert inside
ssl trust-point xxxxxxxxCert testConn
webvpn
 enable outside
 enable testConn
 anyconnect image disk0:/anyconnect-win-4.3.01095-k9.pkg 1
 anyconnect profiles xxxxxxxxVPNMain_client_profile disk0:/xxxxxxxxVPNMain_client_profile.xml
 anyconnect profiles xxxxxxxxVPN_client_profile disk0:/xxxxxxxxVPN_client_profile.xml
 anyconnect profiles TestVPN_client_profile disk0:/TestVPN_client_profile.xml
 anyconnect enable
 tunnel-group-list enable
 cache
  disable
 error-recovery disable
group-policy GroupPolicy_xxxxxxxxVPN internal
group-policy GroupPolicy_xxxxxxxxVPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value xxxxxxxxVPN_client_profile type user
group-policy GroupPolicy_TestVPN internal
group-policy GroupPolicy_TestVPN attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value TestVPN_client_profile type user
group-policy GroupPolicy_xxxxxxxxVPNMain internal
group-policy GroupPolicy_xxxxxxxxVPNMain attributes
 wins-server none
 dns-server value 8.8.8.8
 vpn-tunnel-protocol ikev2 ssl-client 
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value Split-Tunnel
 default-domain none
 webvpn
  anyconnect profiles value xxxxxxxxVPNMain_client_profile type user
dynamic-access-policy-record DfltAccessPolicy
username xxxxx password xxxxxxxxxxx encrypted privilege 15
tunnel-group xxxxxxxxVPN type remote-access
tunnel-group xxxxxxxxVPN general-attributes
 address-pool VPN_xxxxxxxx
 default-group-policy GroupPolicy_xxxxxxxxVPN
tunnel-group xxxxxxxxVPN webvpn-attributes
 group-alias xxxxxxxxVPN enable
tunnel-group TestVPN type remote-access
tunnel-group TestVPN general-attributes
 address-pool VPN_xxxxxxxx
 default-group-policy GroupPolicy_TestVPN
tunnel-group TestVPN webvpn-attributes
 group-alias TestVPN enable
tunnel-group xxxxxxxxVPNMain type remote-access
tunnel-group xxxxxxxxVPNMain general-attributes
 address-pool VPN_xxxxxxxx
 authentication-server-group NPS
 default-group-policy GroupPolicy_xxxxxxxxVPNMain
tunnel-group xxxxxxxxVPNMain webvpn-attributes
 group-alias xxxxxxxxVPNMain enable
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
no call-home reporting anonymous
Cryptochecksum:x
: end

与 ASA 直接连接并执行所有路由的交换机配置。

有效的 Snapgear VPN 的路由

工作路线

ASA VPN 路由（不工作）

连接到 ASA 时的路由

另外我需要通知您，当我将 ASA 连接到客户网络时，我可以从 ASA ping 任何子网/网络的任何接口，这意味着路由设置正确，但是一旦我使用 VPN 并尝试从外部通过 ping内部设备/服务器/接口的隧道，我无法到达它们中的任何一个......

What could possibly causing the issue?

Thank you in advance and have yourself a great day.

geeko

Asked: 2010-03-16 10:46:19 +0800 CST

为什么这个静态路由不起作用？

1

我正在尝试开发像 Microsoft NAP 这样的 DHCP 强制扩展。我阻止动态 IP 请求机器（不符合某些策略）的技巧是剥离 IP 租约中规定的默认网关（无默认网关）并将租约子网掩码设置为 255.255.255.255。

现在我需要被阻止的机器能够到达网络上的某些特定位置（IP）。为此，我在租约中包含了一些静态路由。例如，我通过路由器 10.10.10.254 包括 10.10.10.11（需要访问 10.10.10.11 的受阻机器连接到该路由器）。

不幸的是，一旦我将默认网关设置为空，被阻止的机器就无法访问任何添加的静态路由。我还尝试了无类静态路由。

有任何想法吗？任何人都知道MS NAP实际上是如何做到的吗？

Dragos

Asked: 2010-02-02 04:45:49 +0800 CST

ip 静态路由，在重新启动时使更改永久/持久

7

在 CentOS 5 上，我手动添加了一条静态路由，以使所有到一个特定 IP 地址的数据包都使用第二个网络接口：

ip route add 123.456.7.89/32 via 192.168.10.101 dev eth1

有没有办法让这个改变在重新启动时保持不变而不将它添加到启动脚本中/etc/rc.d/rc.local？

带有 docker 的 site2site 线卫：路由问题

Rsync 无法在 OpenVPN 上运行

Cisco Anyconnect 客户端连接到 VPN，但无法从客户端计算机访问任何其他网络/子网

为什么这个静态路由不起作用？

ip 静态路由，在重新启动时使更改永久/持久

新安装后 postgres 的默认超级用户用户名/密码是什么？

SFTP 使用什么端口？

命令行列出 Windows Active Directory 组中的用户？

什么是 Pem 文件，它与其他 OpenSSL 生成的密钥文件格式有何不同？

如何确定bash变量是否为空？

问题[routes](server)