strongswan roadwarrior 无法正确路由

I want a Linux client to connect to a Linux gateway so that it can reach the hosts on that network (a typical road warrior setup).

I have this configuration on the server side:

conn vpnserver-ikev2
        auto=add
        compress=no
        type=tunnel
        keyexchange=ikev2
        fragmentation=yes
        forceencaps=yes
        ike=aes256-sha512-modp4096
        esp=aes256-sha512
        dpdaction=clear
        dpddelay=300s
        inactivity=5s
        rekey=no
        left=%any
        leftid=vpn-test.nimblex.com
        leftcert=/etc/ipsec.d/certs/vpn-server-cert-new.pem
        leftsendcert=always
        leftsubnet=172.31.0.0/16
        right=%any
        rightid=%any
        rightauth=eap-radius
        rightsourceip=10.10.0.1/16
        rightdns=8.8.8.8
        rightsendcert=never
        eap_identity=%identity

The client side looks like this:

conn ikev2-rw
    right=vpn-test.nimblex.com
    rightid=%vpn-test.nimblex.com
    rightsubnet=172.31.0.0/16
    rightauth=pubkey
    leftsourceip=%config
    leftauth=eap
    eap_identity=123456789
    auto=route

Authentication seems to go through fine, but when I try to ping, it doesn't work.

When I ping, the log on the server side looks like this:

04[IKE] peer requested virtual IP %any
04[CFG] assigning new lease to '123456789'
04[IKE] assigning virtual IP 10.10.0.1 to peer '123456789'
04[IKE] CHILD_SA vpnserver-ikev2{1} established with SPIs c7b0a75b_i c5fed014_o and TS 172.31.0.0/16 === 10.10.0.1/32
04[CFG] sending RADIUS Accounting-Request to server '172.31.12.234'
04[CFG] received RADIUS Accounting-Response from server '172.31.12.234'
04[ENC] generating IKE_AUTH response 4 [ AUTH CPRP(ADDR DNS) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) ]
04[NET] sending packet: from 172.31.9.29[4500] to 82.76.67.8[4500] (304 bytes)
03[JOB] deleting CHILD_SA after 5 seconds of inactivity
03[IKE] closing CHILD_SA vpnserver-ikev2{1} with SPIs c7b0a75b_i (0 bytes) c5fed014_o (0 bytes) and TS 172.31.0.0/16 === 10.10.0.1/32
03[IKE] sending DELETE for ESP CHILD_SA with SPI c7b0a75b
03[ENC] generating INFORMATIONAL request 0 [ D ]
03[NET] sending packet: from 172.31.9.29[4500] to 82.76.67.8[4500] (96 bytes)
02[NET] received packet: from 82.76.67.8[4500] to 172.31.9.29[4500] (96 bytes)
02[ENC] parsed INFORMATIONAL response 0 [ D ]
02[IKE] received DELETE for ESP CHILD_SA with SPI c5fed014
02[IKE] CHILD_SA closed

... and on the client it looks like this:

09[IKE] installing DNS server 8.8.8.8 via resolvconf
09[IKE] installing new virtual IP 10.10.0.1
09[IKE] CHILD_SA ikev2-rw{2} established with SPIs c5fed014_i c7b0a75b_o and TS 10.10.0.1/32 === 172.31.0.0/16
09[IKE] peer supports MOBIKE
07[NET] received packet: from 54.89.185.13[4500] to 192.168.1.4[4500] (96 bytes)
07[ENC] parsed INFORMATIONAL request 0 [ D ]
07[IKE] received DELETE for ESP CHILD_SA with SPI c7b0a75b
07[IKE] closing CHILD_SA ikev2-rw{2} with SPIs c5fed014_i (0 bytes) c7b0a75b_o (0 bytes) and TS 10.10.0.1/32 === 172.31.0.0/16
07[IKE] sending DELETE for ESP CHILD_SA with SPI c5fed014
07[IKE] CHILD_SA closed
07[ENC] generating INFORMATIONAL response 0 [ D ]
07[NET] sending packet: from 192.168.1.4[4500] to 54.89.185.13[4500] (96 bytes)

Routing table 220 looks like this: 172.31.0.0/16 via 192.168.1.1 dev wlp4s0 proto static src 192.168.1.4

iptables is flushed and ip_forward is 1.

When connecting from an iPhone, I can ping the VPN gateway but not the other hosts in the network. When connecting from the Linux host, I can't even ping the VPN gateway.

When tcpdump on the VPN gateway receives a ping from the iPhone, it looks like this:

19:54:17.865831 IP (tos 0x0, ttl 1, id 51961, offset 0, flags [none], proto ICMP (1), length 84)
    ip-10-10-0-1.ec2.internal > vpn-test: ICMP echo request, id 37673, seq 0, length 64

... and when I ping another server in the network from the iPhone:

19:55:04.220726 IP (tos 0x0, ttl 1, id 54334, offset 0, flags [none], proto ICMP (1), length 84)
    ip-10-10-0-1.ec2.internal > ip-172-31-15-66.ec2.internal: ICMP echo request, id 7727, seq 0, length 64

... and when I ping from the Linux host, no ICMP traffic arrives at the VPN server at all.

On my Linux client, tcpdump shows this:

23:01:21.492340 IP (tos 0x0, ttl 64, id 62233, offset 0, flags [DF], proto ICMP (1), length 84)
    10.10.0.2 > 172.31.15.66: ICMP echo request, id 21102, seq 1, length 64

What am I missing?

Answer 1

As ecdsa suggested, using auto=route is not correct if leftsourceip=%config.

It should be auto=start.
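As an added illustration (not part of the original question or answer), here is the client conn from the question shown beside the corrected form the answer calls for. Connection name, hostname and EAP identity are the ones posted above; in a real ipsec.conf only one of the two conn blocks would be present, since they share a name.

```ini
# Client ipsec.conf as posted in the question. With auto=route the trap
# policy is installed at startup, before any virtual IP has been assigned
# by the gateway, which is the combination the answer says is incorrect.
conn ikev2-rw
    right=vpn-test.nimblex.com
    rightid=%vpn-test.nimblex.com
    rightsubnet=172.31.0.0/16
    rightauth=pubkey
    leftsourceip=%config
    leftauth=eap
    eap_identity=123456789
    # wrong together with leftsourceip=%config
    auto=route

# Corrected form per the accepted answer: the tunnel is brought up
# explicitly, so the virtual IP is requested from the gateway and
# installed before any traffic is sent through the tunnel.
conn ikev2-rw
    right=vpn-test.nimblex.com
    rightid=%vpn-test.nimblex.com
    rightsubnet=172.31.0.0/16
    rightauth=pubkey
    leftsourceip=%config
    leftauth=eap
    eap_identity=123456789
    auto=start
```

After reloading the configuration and running `ipsec up ikev2-rw`, `ip route show table 220` on the client should list the 172.31.0.0/16 route with `src` set to the assigned virtual IP rather than the physical address 192.168.1.4 shown in the question. Separately from the answer's fix, note that the posted server log reports "deleting CHILD_SA after 5 seconds of inactivity", which matches the `inactivity=5s` line in the server conn: with that setting an idle tunnel is torn down almost immediately, so it is worth revisiting once routing works.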
