IPsec/IKEv2 StrongSwan applies only the first route from split-include, the remaining routes are ignored


I have an IPsec/IKEv2 VPN server (on a MikroTik router) that I am trying to connect to from my Ubuntu 20.04.1 LTS system. The server authenticates with x509 certificates and private/public key pairs. I can connect to the server, but not all of the routes pushed by the server are applied on the client.

The question is: why doesn't it apply all of the routes? How can I fix this?

Details follow.

The remote (VPN server) side has:

  • Private (office) LAN: 192.168.13.0/24
  • Pool reserved for VPN clients: 10.0.88.0/24
  • FQDN *.my.server.hu (real name replaced)
  • Public WAN address 1.2.3.5 (real IP replaced)
  • It is also connected to other internal networks (this is why I need to push multiple routes from the VPN server)

The local (VPN client) side has:

  • Private (home) LAN: 192.168.14.0/24
  • VPN client IP (provided by the VPN server): 10.0.88.100
  • Public WAN address 1.2.3.4 (real IP replaced)

After connecting to the VPN server I see the following in the routing table:

root@laci-ryzen:~# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.14.1    0.0.0.0         UG        0 0          0 enp5s0
1.2.3.4         192.168.14.1    255.255.255.255 UGH       0 0          0 enp5s0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 enp5s0
192.168.14.0    0.0.0.0         255.255.255.0   U         0 0          0 enp5s0
192.168.14.1    0.0.0.0         255.255.255.255 UH        0 0          0 enp5s0
root@laci-ryzen:~# 

As you can see, there is:

  • the default gateway 192.168.14.1
  • a route to the public WAN address (replaced with 1.2.3.4)
  • the link-local default 169.254.0.0
  • a route to the private (home) LAN 192.168.14.0/24
  • a direct route to the local (home) router 192.168.14.1.

There are no routes to 10.0.88.0/24 and 192.168.13.0/24.

The first route given in split-include is added as an IP transform (xfrm):

root@laci-ryzen:~# ip xfrm state
src 192.168.14.2 dst 1.2.3.5
    proto esp spi 0x0c51282e reqid 4 mode tunnel
    replay-window 0 flag af-unspec
    auth-trunc hmac(sha512) 0xfa80fddcd4db0019e7e8f2cc1b3ad3487cff50f27267376b2dc189d790488abb1aa08f6473146e7cde697c696dbbf64f62e1e6e928b72cbb8d8fd7b22b164a58 256
    enc cbc(aes) 0x09d94b3501a7e95ec20c7378c6493d591f291b8819a4a9c69de25f1a8918afb3
    encap type espinudp sport 54067 dport 4500 addr 0.0.0.0
    anti-replay context: seq 0x0, oseq 0xb, bitmap 0x00000000
src 1.2.3.5 dst 192.168.14.2
    proto esp spi 0xcf16ebb2 reqid 4 mode tunnel
    replay-window 32 flag af-unspec
    auth-trunc hmac(sha512) 0xc38ba5586eb6c06d34b92a606ca3a1e6aec988adad87c3f6def719ba3c9a371aafabfd52f240e320d23c39a0bcd06f718a69830d2098757ca6121cee3d50deaf 256
    enc cbc(aes) 0x89807b8796ecfd5975f143dae279af70aa7e52ab9b4d123fa84901743d90db10
    encap type espinudp sport 4500 dport 54067 addr 0.0.0.0
    anti-replay context: seq 0x7, oseq 0x0, bitmap 0x0000007f


root@laci-ryzen:~# ip xfrm policy  | head -20
src 192.168.14.1/32 dst 192.168.14.1/32 
    dir fwd priority 167231 
src 192.168.14.1/32 dst 192.168.14.1/32 
    dir in priority 167231 
src 192.168.14.1/32 dst 192.168.14.1/32 
    dir out priority 167231 
src 10.0.88.100/32 dst 192.168.13.0/24 
    dir out priority 371327 
    tmpl src 192.168.14.2 dst 1.2.3.5
        proto esp spi 0x0c51282e reqid 4 mode tunnel
src 192.168.13.0/24 dst 10.0.88.100/32 
    dir fwd priority 371327 
    tmpl src 1.2.3.5 dst 192.168.14.2
        proto esp reqid 4 mode tunnel
src 192.168.13.0/24 dst 10.0.88.100/32 
    dir in priority 371327 
    tmpl src 1.2.3.5 dst 192.168.14.2
        proto esp reqid 4 mode tunnel
src fe80::/64 dst fe80::/64 
    dir fwd priority 134463 

It looks like packets destined for 192.168.13.0/24 are correctly transformed and routed to the VPN server. But packets destined for 10.0.88.0/100 are not.

These routes should be added automatically, because they are present in the split-include on the VPN server:

/ip ipsec mode-config
add address-pool=vpn.my.server.hu address-prefix-length=32 name="modeconf vpn.my.server.hu" split-include=192.168.13.0/24,10.0.88.0/24 static-dns=10.0.88.1 system-dns=no

The problem is not with the VPN server, because when I connect to it from Windows 10 the routes are applied correctly. On Windows 10, routes for 192.168.13.0/24 and 10.0.88.0/24 are added and I can ping the remote addresses 10.0.88.1 and 192.168.13.254 (these are the addresses of the VPN server on the different networks).

Update

Whatever routes I put in split-include on the server, strongswan on the client applies the first route correctly. The rest are not applied.

For example, if I change the server configuration to this:

/ip ipsec mode-config
add address-pool=vpn.my.server.hu address-prefix-length=32 name="modeconf vpn.my.server.hu" split-include=172.111.0.0/16,192.168.13.0/24,10.0.88.0/24 static-dns=10.0.88.1 system-dns=no

then 172.111.0.0/16 is correctly added by strongswan, but 192.168.13.0/24 and 10.0.88.0/24 are not.

I really do need multiple routes added; one is not enough.

Here is my syslog (IP addresses and hostnames replaced):

Dec 22 14:10:55 laci-ryzen NetworkManager[1186]: <info>  [1608642655.8085] audit: op="connection-activate" uuid="e430f863-b8b7-4f23-8b49-0fd2a8036d13" name="[email protected]" pid=2578 uid=1001 result="success"
Dec 22 14:10:55 laci-ryzen gnome-shell[1662]: JS ERROR: TypeError: item is undefined#012setActiveConnections/<@resource:///org/gnome/shell/ui/status/network.js:1523:17#012setActiveConnections@resource:///org/gnome/shell/ui/status/network.js:1520:24#012_syncVpnConnections@resource:///org/gnome/shell/ui/status/network.js:1867:26
Dec 22 14:10:55 laci-ryzen NetworkManager[1186]: <info>  [1608642655.8095] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"[email protected]",0]: Saw the service appear; activating connection
Dec 22 14:10:55 laci-ryzen NetworkManager[1186]: <info>  [1608642655.8265] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"[email protected]",0]: VPN connection: (ConnectInteractive) reply received
Dec 22 14:10:55 laci-ryzen charon-nm: 05[CFG] received initiate for NetworkManager connection [email protected]
Dec 22 14:10:55 laci-ryzen charon-nm: 05[CFG] using CA certificate, gateway identity 'vpn.my.server.hu'
Dec 22 14:10:57 laci-ryzen charon-nm: 05[IKE] initiating IKE_SA [email protected][2] to 1.2.3.5
Dec 22 14:10:57 laci-ryzen charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 22 14:10:57 laci-ryzen charon-nm: 05[NET] sending packet: from 192.168.14.2[37786] to 1.2.3.5[500] (1128 bytes)
Dec 22 14:10:57 laci-ryzen NetworkManager[1186]: <info>  [1608642657.4221] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"[email protected]",0]: VPN plugin: state changed: starting (3)
Dec 22 14:10:57 laci-ryzen charon-nm: 08[NET] received packet: from 1.2.3.5[500] to 192.168.14.2[37786] (38 bytes)
Dec 22 14:10:57 laci-ryzen charon-nm: 08[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Dec 22 14:10:57 laci-ryzen charon-nm: 08[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Dec 22 14:10:57 laci-ryzen charon-nm: 08[IKE] initiating IKE_SA [email protected][2] to 1.2.3.5
Dec 22 14:10:57 laci-ryzen charon-nm: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 22 14:10:57 laci-ryzen charon-nm: 08[NET] sending packet: from 192.168.14.2[37786] to 1.2.3.5[500] (1320 bytes)
Dec 22 14:10:58 laci-ryzen charon-nm: 09[NET] received packet: from 1.2.3.5[500] to 192.168.14.2[37786] (429 bytes)
Dec 22 14:10:58 laci-ryzen charon-nm: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Dec 22 14:10:58 laci-ryzen charon-nm: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Dec 22 14:10:58 laci-ryzen charon-nm: 09[IKE] local host is behind NAT, sending keep alives
Dec 22 14:10:58 laci-ryzen charon-nm: 09[IKE] sending cert request for "C=HU, ST=Heves, L=Eger, O=my.server.hu, CN=my.server.hu"
Dec 22 14:10:58 laci-ryzen charon-nm: 09[IKE] authentication of 'C=HU, ST=Heves, L=Eger, O=my.server.hu, [email protected]' (myself) with RSA signature successful
Dec 22 14:10:58 laci-ryzen charon-nm: 09[IKE] sending end entity cert "C=HU, ST=Heves, L=Eger, O=my.server.hu, [email protected]"
Dec 22 14:10:58 laci-ryzen charon-nm: 09[IKE] establishing CHILD_SA [email protected]{2}
Dec 22 14:10:58 laci-ryzen charon-nm: 09[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS NBNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Dec 22 14:10:58 laci-ryzen charon-nm: 09[NET] sending packet: from 192.168.14.2[44719] to 1.2.3.5[4500] (2560 bytes)
Dec 22 14:10:59 laci-ryzen charon-nm: 06[NET] received packet: from 1.2.3.5[4500] to 192.168.14.2[44719] (2304 bytes)
Dec 22 14:10:59 laci-ryzen charon-nm: 06[ENC] parsed IKE_AUTH response 1 [ CERT IDr AUTH CPRP(ADDR MASK SUBNET SUBNET DNS) TSi TSr SA N(ADD_TS_POSS) ]
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] received end entity cert "C=HU, ST=Heves, L=Eger, O=my.server.hu, CN=vpn.my.server.hu"
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG]   using certificate "C=HU, ST=Heves, L=Eger, O=my.server.hu, CN=vpn.my.server.hu"
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG]   using trusted ca certificate "C=HU, ST=Heves, L=Eger, O=my.server.hu, CN=my.server.hu"
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] checking certificate status of "C=HU, ST=Heves, L=Eger, O=my.server.hu, CN=vpn.my.server.hu"
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] certificate status is not available
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG]   reached self-signed root ca with a path length of 0
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] authentication of 'vpn.my.server.hu' with RSA signature successful
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] IKE_SA [email protected][2] established between 192.168.14.2[C=HU, ST=Heves, L=Eger, O=my.server.hu, [email protected]]...1.2.3.5[vpn.my.server.hu]
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] scheduling rekeying in 35488s
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] maximum IKE_SA lifetime 36088s
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] handling INTERNAL_IP4_NETMASK attribute failed
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] handling INTERNAL_IP4_SUBNET attribute failed
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] handling INTERNAL_IP4_SUBNET attribute failed
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] installing new virtual IP 10.0.88.100
Dec 22 14:10:59 laci-ryzen avahi-daemon[1177]: Registering new address record for 10.0.88.100 on enp5s0.IPv4.
Dec 22 14:10:59 laci-ryzen charon: 05[KNL] 10.0.88.100 appeared on enp5s0
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info>  [1608642659.1946] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"[email protected]",0]: VPN connection: (IP Config Get) reply received.
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] CHILD_SA [email protected]{2} established with SPIs c7ea1582_i 0d47fc2e_o and TS 10.0.88.100/32 === 192.168.13.0/24
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info>  [1608642659.1947] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"[email protected]",0]: VPN plugin: state changed: started (4)
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info>  [1608642659.1948] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"[email protected]",0]: VPN connection: (IP4 Config Get) reply received
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info>  [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"[email protected]",0]: Data: VPN Gateway: 1.2.3.5
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info>  [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"[email protected]",0]: Data: Tunnel Device: (null)
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info>  [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"[email protected]",0]: Data: IPv4 configuration:
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info>  [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"[email protected]",0]: Data:   Internal Address: 10.0.88.100
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info>  [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"[email protected]",0]: Data:   Internal Prefix: 32
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info>  [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"[email protected]",0]: Data:   Internal Point-to-Point Address: 10.0.88.100
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info>  [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"[email protected]",0]: Data:   Internal DNS: 10.0.88.1
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info>  [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"[email protected]",0]: Data:   DNS Domain: '(none)'
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info>  [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"[email protected]",0]: Data: No IPv6 configuration
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info>  [1608642659.1954] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"[email protected]",0]: VPN connection: (IP Config Get) complete
Dec 22 14:10:59 laci-ryzen dbus-daemon[1185]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.10' (uid=0 pid=1186 comm="/usr/sbin/NetworkManager --no-daemon " label="unconfined")
Dec 22 14:10:59 laci-ryzen systemd[1]: Starting Network Manager Script Dispatcher Service...
Dec 22 14:10:59 laci-ryzen dbus-daemon[1185]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Dec 22 14:10:59 laci-ryzen systemd[1]: Started Network Manager Script Dispatcher Service.
Dec 22 14:10:59 laci-ryzen dunst[3085]: WARNING: No icon found in path: 'gnome-lockscreen'
Dec 22 14:10:59 laci-ryzen charon-nm: 09[IKE] installed bypass policy for 192.168.14.1/32

I think the interesting part is this:

VPN plugin: state changed: started (4)
VPN connection: (IP4 Config Get) reply received
Data: VPN Gateway: 1.2.3.5
Data: Tunnel Device: (null)
Data: IPv4 configuration:
Data:   Internal Address: 10.0.88.100
Data:   Internal Prefix: 32
Data:   Internal Point-to-Point Address: 10.0.88.100
Data:   Internal DNS: 10.0.88.1
Data:   DNS Domain: '(none)'
Data: No IPv6 configuration
VPN connection: (IP Config Get) complete

This is how I set up the strongswan client:

(screenshot of the NetworkManager strongSwan connection settings, not available in this copy)

For completeness, here are some fragments of my VPN server configuration (RouterOS):

/ip ipsec mode-config
add address-pool=vpn.my.server.hu address-prefix-length=32 name="modeconf vpn.my.server.hu" split-include=192.168.13.0/24,10.0.88.0/24 static-dns=10.0.88.1 system-dns=no
/ip ipsec policy group
add name="group vpn.my.server.hu"
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name="profile vpn.my.server.hu"
/ip ipsec peer
add exchange-mode=ike2 local-address=1.2.3.5 name="peer 1.2.3.5" passive=yes profile="profile vpn.my.server.hu"
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=modp2048
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name="proposal vpn.my.server.hu" pfs-group=\
    modp2048
/ip ipsec identity
add auth-method=digital-signature certificate=vpn.my.server.hu generate-policy=port-strict match-by=certificate mode-config="modeconf vpn.my.server.hu" peer="peer 1.2.3.5" policy-template-group=\
    "group vpn.my.server.hu" [email protected] remote-id=user-fqdn:laci.vpn.my.server.hu
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=10.0.88.0/24 group="group vpn.my.server.hu" proposal="proposal vpn.my.server.hu" src-address=0.0.0.0/0 template=yes

For comparison, this is what I see in the routing table on Windows 10, using the same VPN server with the same credentials.

(screenshot of the Windows 10 routing table, not available in this copy)
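A quick way to see which of the split-include subnets actually reached the kernel SPD, as opposed to reading `ip xfrm policy` by eye: the script below (an added example, not part of the question) parses `ip xfrm policy` output and reports every expected subnet that has no outbound ESP tunnel policy from the virtual IP. The embedded sample is the policy dump pasted in the question, trimmed to the relevant entries; the split-include list and virtual IP default to the values from the question and can be overridden on the command line.

```python
#!/usr/bin/env python3
"""Compare the gateway's split-include list with the outbound ESP tunnel
policies present in the kernel SPD (`ip xfrm policy`).

Added example; not part of the original question. Run as
    ip xfrm policy | python3 check_split_include.py 192.168.13.0/24 10.0.88.0/24
or without stdin to use the embedded sample from the question.
"""
import ipaddress
import re
import sys

# Constructed sample: the `ip xfrm policy` output quoted in the question,
# reduced to one bypass policy and the one tunnelled subnet.
SAMPLE_XFRM_POLICY = """\
src 192.168.14.1/32 dst 192.168.14.1/32
    dir out priority 167231
src 10.0.88.100/32 dst 192.168.13.0/24
    dir out priority 371327
    tmpl src 192.168.14.2 dst 1.2.3.5
        proto esp spi 0x0c51282e reqid 4 mode tunnel
src 192.168.13.0/24 dst 10.0.88.100/32
    dir in priority 371327
    tmpl src 1.2.3.5 dst 192.168.14.2
        proto esp reqid 4 mode tunnel
"""

_HEAD = re.compile(r"^src (\S+) dst (\S+)")


def parse_xfrm_policy(text):
    """Return one dict {src, dst, dir, tunnel} per SPD entry.

    An unindented 'src ... dst ...' line starts an entry; the indented
    'dir' line gives its direction and an indented 'proto esp ... mode tunnel'
    template line marks it as ESP-tunnelled (bypass policies have none).
    """
    entries = []
    cur = None
    for line in text.splitlines():
        m = _HEAD.match(line)
        if m:
            cur = {
                "src": ipaddress.ip_network(m.group(1), strict=False),
                "dst": ipaddress.ip_network(m.group(2), strict=False),
                "dir": None,
                "tunnel": False,
            }
            entries.append(cur)
            continue
        if cur is None:
            continue
        s = line.strip()
        if s.startswith("dir "):
            cur["dir"] = s.split()[1]
        elif s.startswith("proto esp") and "mode tunnel" in s:
            cur["tunnel"] = True
    return entries


def missing_split_subnets(text, split_include, virtual_ip):
    """Return the split-include subnets with no outbound ESP tunnel policy
    that covers traffic from virtual_ip to that subnet."""
    vip = ipaddress.ip_address(virtual_ip)
    out_tunnels = [e for e in parse_xfrm_policy(text)
                   if e["dir"] == "out" and e["tunnel"]]
    missing = []
    for subnet in split_include:
        net = ipaddress.ip_network(subnet, strict=False)
        covered = any(
            e["src"].version == net.version
            and vip in e["src"]
            and net.subnet_of(e["dst"])      # a wider dst (e.g. 0.0.0.0/0) also counts
            for e in out_tunnels
        )
        if not covered:
            missing.append(subnet)
    return missing


if __name__ == "__main__":
    subnets = sys.argv[1:] or ["192.168.13.0/24", "10.0.88.0/24"]
    spd = SAMPLE_XFRM_POLICY if sys.stdin.isatty() else sys.stdin.read()
    for net in missing_split_subnets(spd, subnets, "10.0.88.100"):
        print(f"no outbound ESP tunnel policy for {net}")
```

Run against the question's own dump it reports only 10.0.88.0/24, which matches what the routing table shows: the SPD has exactly one tunnelled destination, the first split-include subnet, and nothing for the second.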

Answer 1

I ran into exactly the same problem - MikroTik as the VPN server - Windows 10 accepts the offered subnets (after disabling the default gateway on the remote network), and another MikroTik as the client accepts the offered subnets. But strongswan only accepts the first subnet defined in the split-tunnel subnet list configured on the VPN server. The behaviour is the same on Linux, FreeBSD and Android.

On Android there is an option to add the split-tunnel subnets manually. On Linux and FreeBSD the only way around this is to configure one connection per subnet (or one "subnet" in the new swanctl configuration syntax).
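What the per-subnet workaround looks like in swanctl syntax, as an added example (this is not the answerer's or the question author's configuration): one IKE_SA with the gateway and one child per subnet, so each CHILD_SA carries its own traffic selector instead of relying on the split-include attributes the client ignores. The certificate file name, the local identity and the proposals are assumptions; the local id must be whatever the MikroTik identity is set to match (the question's identity uses remote-id=user-fqdn:laci.vpn.my.server.hu), and the ESP proposal mirrors the one the log shows being selected.

```conf
# /etc/swanctl/swanctl.conf  (added example; names and paths are assumed)
connections {
    office {
        remote_addrs = vpn.my.server.hu
        vips = 0.0.0.0                 # request a virtual IP from the mode-config pool
        local {
            auth = pubkey
            certs = laci.pem           # assumed: client cert under /etc/swanctl/x509/
            id = laci.vpn.my.server.hu # assumed: the ID the gateway's remote-id expects
        }
        remote {
            auth = pubkey
            id = vpn.my.server.hu      # gateway identity seen in the log
        }
        children {
            # one child per subnet: each gets its own CHILD_SA and SPD entry,
            # independent of what the gateway puts in split-include
            office-lan {
                remote_ts = 192.168.13.0/24
                esp_proposals = aes256-sha512
                start_action = start
            }
            vpn-pool {
                remote_ts = 10.0.88.0/24
                esp_proposals = aes256-sha512
                start_action = start
            }
        }
    }
}
```

Alternatively, a single child can list both subnets in one selector set (`remote_ts = 192.168.13.0/24, 10.0.88.0/24`); strongSwan proposes both, but whether the responder keeps them in one CHILD_SA or narrows to the first depends on the peer, which is why separate children are the safer fallback. After `swanctl --load-all` and `swanctl --initiate --child office-lan`, `swanctl --list-sas` should show one CHILD_SA per subnet with the expected traffic selectors, and `ip xfrm policy` should contain an outbound tunnel policy for each.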