Strongswan on vServer not routing correctly

I am trying to replicate, on a vServer running strongswan 5.5.1-4+deb9u4, the strongswan setup I use on my openWRT router at home. The client is an iPad.

uname -a

Linux t 2.6.32-042stab127.2 #1 SMP Thu Jan 4 16:41:44 MSK 2018 x86_64 GNU/Linux

cat /etc/issue

Debian GNU/Linux 9 \n \l

The vServer has a single interface with a public IP address.

The tunnel is up, but there seems to be a routing problem (i.e. SNAT appears to work, but nothing can be pinged). I spent several days trying various suggested solutions and then tried to understand the underlying path the packets take using this diagram: https://commons.wikimedia.org/wiki/File:Netfilter-packet-flow.svg but I am not sure where in that diagram tcpdump and strongswan inject/retrieve packets.

Questions:
1. Why do I not see the reply to the PING request in tcpdump?
2. Is there something wrong with my setup? How do I find out what is wrong?

I captured the ICMP traffic with tcpdump, once from the server and once from the client. The ICMP echo request from the server gets a reply that I can see in tcpdump. The client's request does get a new source address and header checksum, but the client receives no reply, and I do not see one in tcpdump either.

Ping 8.8.4.4 from the server

02:04:14.049413 IP <server public IP> > 8.8.4.4: ICMP echo request, id 6323, seq 1, length 64
        0x0000:  4500 0054 0000 4000 4001 6043 dead beef  E..T..@.@.`C.R..
        0x0010:  0808 0404 0800 fbdc 18b3 0001 fe7d 435d  .............}C]
        0x0020:  0000 0000 e2c0 0000 0000 0000 1011 1213  ................
        0x0030:  1415 1617 1819 1a1b 1c1d 1e1f 2021 2223  .............!"#
        0x0040:  2425 2627 2829 2a2b 2c2d 2e2f 3031 3233  $%&'()*+,-./0123
        0x0050:  3435 3637                 

Ping 8.8.4.4 from the iPad

02:04:05.920606 IP 192.168.0.1 > 8.8.4.4: ICMP echo request, id 62833, seq 0, length 64
        0x0000:  4500 0054 64c1 0000 4001 4933 c0a8 0001  E..Td...@.I3....
        0x0010:  0808 0404 0800 c938 f571 0000 3031 3233  .......8.q..0123
        0x0020:  3435 3637 3839 4142 4344 4546 3031 3233  456789ABCDEF0123
        0x0030:  3435 3637 3839 4142 4344 4546 3031 3233  456789ABCDEF0123
        0x0040:  3435 3637 3839 4142 4344 4546 3031 3233  456789ABCDEF0123
        0x0050:  3435 3637                                4567
02:04:05.920674 IP <server public IP> > 8.8.4.4: ICMP echo request, id 62833, seq 0, length 64
        0x0000:  4500 0054 64c1 0000 4001 3b82 dead beef  E..Td...@.;..R..
        0x0010:  0808 0404 0800 c938 f571 0000 3031 3233  .......8.q..0123
        0x0020:  3435 3637 3839 4142 4344 4546 3031 3233  456789ABCDEF0123
        0x0030:  3435 3637 3839 4142 4344 4546 3031 3233  456789ABCDEF0123
        0x0040:  3435 3637 3839 4142 4344 4546 3031 3233  456789ABCDEF0123
        0x0050:  3435 3637                                4567

ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
        # strictcrlpolicy=yes
        # uniqueids = no

# Add connections here.


conn %default
 keyexchange=ikev2

conn ipad
 left=%any
 leftauth=pubkey
 leftcert=serverCert.pem
 leftsendcert=always
 leftid=server
 leftsubnet=0.0.0.0/0,::/0
 right=%any
 rightsourceip=192.168.0.1/32
 rightauth=pubkey
 rightcert=clientCert.pem
 rightid=ipad
 auto=add

Client IP

VPN IP address: 192.168.0.1
Subnet mask: 255.0.0.0

ifconfig

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 0  (Local Loopback)
        RX packets 15181  bytes 1013666 (989.9 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 15181  bytes 1013666 (989.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

venet0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP>  mtu 1500
        inet 127.0.0.2  netmask 255.255.255.255  broadcast 0.0.0.0  destination 127.0.0.2
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 0  (UNSPEC)
        RX packets 407010  bytes 38674278 (36.8 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 443332  bytes 57928033 (55.2 MiB)
        TX errors 0  dropped 26 overruns 0  carrier 0  collisions 0

venet0:0: flags=211<UP,BROADCAST,POINTOPOINT,RUNNING,NOARP>  mtu 1500
        inet <server public IP>  netmask 255.255.255.255  broadcast <server public IP>  destination <server public IP>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 0  (UNSPEC)

ip xfrm policy

src 192.168.0.1/32 dst 0.0.0.0/0
        dir fwd priority 191808 ptype main
        tmpl src <client public IP> dst <server public IP>
                proto esp reqid 19 mode tunnel
src 192.168.0.1/32 dst 0.0.0.0/0
        dir in priority 191808 ptype main
        tmpl src <client public IP> dst <server public IP>
                proto esp reqid 19 mode tunnel
src 0.0.0.0/0 dst 192.168.0.1/32
        dir out priority 191808 ptype main
        tmpl src <server public IP> dst <client public IP>
                proto esp reqid 19 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main
src ::/0 dst ::/0
        socket in priority 0 ptype main
src ::/0 dst ::/0
        socket out priority 0 ptype main

sysctl -a | grep net.ipv4.conf.all.f

net.ipv4.conf.all.forwarding = 1

A ping from the client to the server's public IP does not go through the VPN tunnel:

$tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
05:00:45.896798 IP <client public IP> > <server public IP>: ICMP echo request, id 10520, seq 0, length 64
05:00:45.896835 IP <server public IP> > <client public IP>: ICMP echo reply, id 10520, seq 0, length 64

Pinging the client's private IP from the server works:

$ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1) 56(84) bytes of data.
64 bytes from 192.168.0.1: icmp_seq=1 ttl=64 time=314 ms
64 bytes from 192.168.0.1: icmp_seq=2 ttl=64 time=314 ms
64 bytes from 192.168.0.1: icmp_seq=3 ttl=64 time=313 ms

Pinging the client's private IP from the client fails:

<no text>

Pinging Google's DNS from the client fails (but you can see that SNAT is working):

$tcpdump -v icmp
tcpdump: listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
05:17:47.675657 IP (tos 0x0, ttl 64, id 27303, offset 0, flags [none], proto ICMP (1), length 84)
    192.168.0.1 > dns.google: ICMP echo request, id 41930, seq 0, length 64
05:17:47.675731 IP (tos 0x0, ttl 64, id 27303, offset 0, flags [none], proto ICMP (1), length 84)
    <server public IP> > dns.google: ICMP echo request, id 41930, seq 0, length 64

iptables-save (server)

# Generated by iptables-save v1.6.0 on Thu Aug  8 05:23:13 2019
*nat
:PREROUTING ACCEPT [97478:5722453]
:POSTROUTING ACCEPT [2840:200695]
:OUTPUT ACCEPT [2840:200695]
-A POSTROUTING -s 192.168.0.1/32 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 192.168.0.1/32 -j SNAT --to-source <server public IP>
COMMIT
# Completed on Thu Aug  8 05:23:13 2019
# Generated by iptables-save v1.6.0 on Thu Aug  8 05:23:13 2019
*filter
:INPUT ACCEPT [341309:31951703]
:FORWARD ACCEPT [3578:244397]
:OUTPUT ACCEPT [369780:46338370]
COMMIT
# Completed on Thu Aug  8 05:23:13 2019
# Generated by iptables-save v1.6.0 on Thu Aug  8 05:23:13 2019
*mangle
:PREROUTING ACCEPT [344887:32196100]
:INPUT ACCEPT [341309:31951703]
:FORWARD ACCEPT [3578:244397]
:OUTPUT ACCEPT [369780:46338370]
:POSTROUTING ACCEPT [373358:46582767]
COMMIT
# Completed on Thu Aug  8 05:23:13 2019
# Generated by iptables-save v1.6.0 on Thu Aug  8 05:23:13 2019
*raw
:PREROUTING ACCEPT [344887:32196100]
:OUTPUT ACCEPT [369780:46338370]
COMMIT
# Completed on Thu Aug  8 05:23:13 2019
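An added worked example, not code from the original post: a small Python script that parses the two `tcpdump -x` dumps of the iPad's echo request quoted in the question (the decrypted copy with source 192.168.0.1 and the copy transmitted after SNAT), verifies the IPv4 and ICMP checksums, lists exactly which bytes the SNAT target rewrote, and reproduces that rewrite for an arbitrary public address so the checksum the kernel should emit can be predicted. The poster redacted the server's public address to the placeholder bytes `dead beef`, so the IPv4 checksum of the post-NAT copy is not expected to verify; the address 222.173.190.239 used at the end is simply `dead beef` read as dotted quad and is an assumption for illustration.

```python
"""Compare the pre- and post-SNAT copies of the iPad's ICMP echo request.

Added example for the question above; not code from the original post.
The two `tcpdump -x` dumps are copied from the iPad capture in the question.
In the second dump the poster redacted the server's public address to the
placeholder bytes `dead beef`, so that copy's IPv4 checksum cannot verify.
"""
import struct
from typing import Dict, List

# iPad -> 8.8.4.4, decrypted by XFRM and re-injected, captured before NAT.
PRE_NAT_DUMP = """\
0x0000:  4500 0054 64c1 0000 4001 4933 c0a8 0001  E..Td...@.I3....
0x0010:  0808 0404 0800 c938 f571 0000 3031 3233  .......8.q..0123
0x0020:  3435 3637 3839 4142 4344 4546 3031 3233  456789ABCDEF0123
0x0030:  3435 3637 3839 4142 4344 4546 3031 3233  456789ABCDEF0123
0x0040:  3435 3637 3839 4142 4344 4546 3031 3233  456789ABCDEF0123
0x0050:  3435 3637                                4567
"""
# The same packet as transmitted after the nat POSTROUTING SNAT rule.
POST_NAT_DUMP = """\
0x0000:  4500 0054 64c1 0000 4001 3b82 dead beef  E..Td...@.;..R..
0x0010:  0808 0404 0800 c938 f571 0000 3031 3233  .......8.q..0123
0x0020:  3435 3637 3839 4142 4344 4546 3031 3233  456789ABCDEF0123
0x0030:  3435 3637 3839 4142 4344 4546 3031 3233  456789ABCDEF0123
0x0040:  3435 3637 3839 4142 4344 4546 3031 3233  456789ABCDEF0123
0x0050:  3435 3637                                4567
"""


def parse_tcpdump_hex(dump: str) -> bytes:
    """Reassemble raw packet bytes from `tcpdump -x` output.

    Each line is "0xNNNN:  <up to eight hex groups>  <ASCII column>". Hex
    groups are separated by one space and the ASCII column follows two
    spaces, so splitting on a double space isolates the data even on the
    short final line, whose ASCII column ("4567") would otherwise pass as hex.
    """
    out = bytearray()
    for line in dump.splitlines():
        offset, _, rest = line.strip().partition(":")
        if not offset.startswith("0x"):
            continue
        hex_groups = rest.strip().split("  ")[0]
        out += bytes.fromhex(hex_groups.replace(" ", ""))
    return bytes(out)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by IPv4 and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_fields(pkt: bytes) -> Dict[str, object]:
    """Decode the IPv4 header and recompute its checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    _, _, total_len, ident, _, ttl, proto, csum = struct.unpack("!BBHHHBBH", pkt[:12])
    hdr = bytearray(pkt[:ihl])
    hdr[10:12] = b"\x00\x00"  # checksum field is zero while computing
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "total_len": total_len, "id": ident, "ttl": ttl, "proto": proto,
        "checksum": csum, "checksum_ok": csum == inet_checksum(bytes(hdr)),
    }


def icmp_fields(pkt: bytes) -> Dict[str, object]:
    """Decode the ICMP echo header; its checksum covers the whole ICMP message."""
    icmp = bytearray(pkt[(pkt[0] & 0x0F) * 4:])
    typ, code, csum, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    icmp[2:4] = b"\x00\x00"
    return {"type": typ, "code": code, "id": ident, "seq": seq,
            "checksum": csum, "checksum_ok": csum == inet_checksum(bytes(icmp))}


def changed_offsets(a: bytes, b: bytes) -> List[int]:
    """Byte offsets at which two equal-length packets differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def snat_rewrite(pkt: bytes, new_src: str) -> bytes:
    """What the SNAT target does to an ICMP echo: swap the source address and
    fix the IPv4 header checksum. The ICMP message, including the id that
    conntrack keys the reverse mapping on, is left untouched."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[12:16] = bytes(int(o) for o in new_src.split("."))
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", inet_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


PRE_NAT = parse_tcpdump_hex(PRE_NAT_DUMP)
POST_NAT = parse_tcpdump_hex(POST_NAT_DUMP)

if __name__ == "__main__":
    for name, pkt in (("pre-NAT", PRE_NAT), ("post-NAT", POST_NAT)):
        print(name, ipv4_fields(pkt), icmp_fields(pkt))
    print("bytes rewritten by SNAT:", changed_offsets(PRE_NAT, POST_NAT))
    # 222.173.190.239 is the placeholder de.ad.be.ef read as an address (an
    # assumption for illustration); its checksum differs from the captured
    # 0x3b82, which belongs to the real, redacted public IP.
    guess = snat_rewrite(PRE_NAT, "222.173.190.239")
    print("checksum for dead beef: 0x%04x" % ipv4_fields(guess)["checksum"])
```

Running it shows that the only bytes SNAT touched are offsets 10 to 15 (the IPv4 header checksum and the source address); the ICMP checksum 0xc938 and id 62833 are identical in both copies, as they must be for conntrack to map a reply back to 192.168.0.1. The two cleartext copies in the capture are consistent with where tcpdump's AF_PACKET taps sit in the Netfilter diagram: received frames are tapped before PREROUTING, and with kernel XFRM IPsec the decapsulated inner packet is re-injected through the receive path and so shows up a second time in cleartext on the same interface, while transmitted frames are tapped after POSTROUTING, which is why the second copy already carries the SNAT address. A reply from 8.8.4.4 to the public address would likewise be captured on arrival, before any reverse NAT, so its absence from an `icmp` capture on venet0 means it did not arrive on that interface.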
