Many thanks for any help with the following:
I cannot use the two certificate-based connections below (conn one and conn two) in parallel. Used individually (i.e. with one of them commented out) they work fine (so the locally installed ca-certs as well as the ca-certs on the server are OK).
Strongswan is running on a kubernetes cluster using the latest vimagick/strongswan image, but that shouldn't matter. By the way, the site-to-site connection also works well.
Any ideas?
apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: config-strongswan
  name: config-strongswan
data:
  ipsec.conf: |
    conn sts-base
        fragmentation=yes
        dpdaction=restart
        ike=aes256-sha384-modp2048,aes256-sha512-modp2048
        esp=aes256-sha384-modp2048,aes256-sha512-modp2048
        keyingtries=%forever
        leftauth=psk
        rightauth=psk

    conn site-2-site
        also=sts-base
        keyexchange=ikev2
        leftsubnet=12.15.207.0/24
        rightsubnet=192.168.4.0/28
        right=87.138.155.173
        auto=route

    conn one
        auto=add
        compress=no
        type=tunnel
        keyexchange=ike
        fragmentation=yes
        forceencaps=yes
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        [email protected]
        leftcert=servercert1.pem
        leftsendcert=always
        leftsubnet=0.0.0.0/0
        right=%any
        rightid=%any
        rightauth=eap-mschapv2
        rightsourceip=10.10.10.0/24
        rightdns=8.8.8.8,8.8.4.4
        rightsendcert=never
        eap_identity=one

    #conn two
    #    auto=add
    #    compress=no
    #    type=tunnel
    #    keyexchange=ike
    #    fragmentation=yes
    #    forceencaps=yes
    #    dpdaction=clear
    #    dpddelay=300s
    #    rekey=no
    #    left=%any
    #    [email protected]
    #    leftcert=servercert2.pem
    #    leftsendcert=always
    #    leftsubnet=0.0.0.0/0
    #    right=%any
    #    rightid=%any
    #    rightauth=eap-mschapv2
    #    rightsourceip=10.0.1.0/24
    #    rightdns=8.8.8.8,8.8.4.4
    #    rightsendcert=never
    #    eap_identity=two
  ipsec.secrets: |
    : PSK "xxxxx"
    : RSA "serverkey1.pem"
    : RSA "serverkey2.pem"
    one : EAP "one_password"
    two : EAP "two_password"
Here is the iptables configuration:
# Generated by iptables-save v1.8.6 on Wed Apr 28 15:15:46 2021
*mangle
:PREROUTING ACCEPT [1524:546941]
:INPUT ACCEPT [625:222172]
:FORWARD ACCEPT [814:310269]
:OUTPUT ACCEPT [386:140400]
:POSTROUTING ACCEPT [1200:450669]
-A FORWARD -s 10.10.10.0/24 -o eth0 -p tcp -m policy --dir in --pol ipsec -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT
# Completed on Wed Apr 28 15:15:46 2021
# Generated by iptables-save v1.8.6 on Wed Apr 28 15:15:46 2021
*filter
:INPUT ACCEPT [625:222172]
:FORWARD ACCEPT [814:310269]
:OUTPUT ACCEPT [386:140400]
COMMIT
# Completed on Wed Apr 28 15:15:46 2021
# Generated by iptables-save v1.8.6 on Wed Apr 28 15:15:46 2021
*nat
:PREROUTING ACCEPT [161:20962]
:INPUT ACCEPT [4:1692]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT
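An added consistency check, not part of the question above and not strongSwan's own code. The two roadwarrior conns in the post are identical in everything a responder can compare against a connecting peer (left=%any, right=%any, rightid=%any, rightauth=eap-mschapv2); they differ only in leftid and leftcert, and leftid is matched against the IDr the initiator optionally sends. The script below parses an ipsec.conf (resolving conn %default and also=) and reports groups of active conns that share a peer selector, together with the leftid each member would need the client to send. The sample config is constructed from the post with placeholder hostnames and certificate file names; the defaults used for omitted left, right, rightid and rightauth are assumptions taken from ipsec.conf(5).

```python
"""Find strongSwan conns that a responder cannot tell apart from what a
connecting peer sends (address, IDi, auth method). Added example, not the
poster's or strongSwan's code."""
import re

# Constructed sample input modelled on the conns in the question above.
# Host names and cert file names are placeholders, not the poster's values.
SAMPLE_IPSEC_CONF = """\
conn %default
    keyingtries=%forever

conn sts-base
    fragmentation=yes
    leftauth=psk
    rightauth=psk

conn site-2-site
    also=sts-base
    keyexchange=ikev2
    right=87.138.155.173
    auto=route

conn one
    auto=add
    keyexchange=ike
    left=%any
    leftid=one.example.test
    leftcert=servercert1.pem
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.10.10.0/24
    eap_identity=one

conn two
    auto=add
    keyexchange=ike
    left=%any
    leftid=two.example.test
    leftcert=servercert2.pem
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.0.1.0/24
    eap_identity=two
"""

SECTION_RE = re.compile(r"^(conn|ca|config)\s+(\S+)\s*$")


def parse_ipsec_conf(text):
    """Parse conn sections into {name: {key: value}} in file order.

    Expands `conn %default` and `also=` the way strongSwan does: a section's
    own settings override those it includes. `config setup` and `ca` sections
    are skipped because they play no part in conn selection.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        header = SECTION_RE.match(line)
        if header:
            kind, name = header.groups()
            current = name if kind == "conn" else None
            if current is not None:
                sections[current] = {"also": []}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.strip().partition("=")
        key, value = key.strip(), value.strip()
        if key == "also":
            sections[current]["also"].append(value)
        else:
            sections[current][key] = value

    default = sections.pop("%default", {"also": []})

    def resolve(name, chain=()):
        if name in chain:
            raise ValueError("also= cycle: %s" % " -> ".join(chain + (name,)))
        if name not in sections:
            raise ValueError("unknown also= target %s" % name)
        section = sections[name]
        merged = {}
        for base in section["also"]:
            merged.update(resolve(base, chain + (name,)))
        merged.update((k, v) for k, v in section.items() if k != "also")
        return merged

    conns = {}
    for name in sections:
        merged = {k: v for k, v in default.items() if k != "also"}
        merged.update(resolve(name))
        conns[name] = merged
    return conns


def peer_selector(conn):
    """What a responder can compare against an incoming peer for this conn.

    leftid is deliberately absent: it is only matched against an IDr the
    initiator chooses to send, so it cannot disambiguate on its own.
    Assumed defaults (from ipsec.conf(5)): left/right default to %any,
    rightid defaults to right, rightauth defaults to authby, i.e. pubkey.
    """
    left = conn.get("left", "%any")
    right = conn.get("right", "%any")
    rightid = conn.get("rightid", right)
    rightauth = conn.get("rightauth", conn.get("authby", "pubkey"))
    return (left, right, rightid, rightauth)


def ambiguous_conns(conns):
    """Return [(selector, {name: leftid})] for every set of two or more
    active conns (auto != ignore) sharing a peer selector. Within such a
    set only an IDr matching one member's leftid can steer the peer to
    that member; otherwise strongSwan has just config order to go by."""
    groups = {}
    for name, conn in conns.items():
        if conn.get("auto", "ignore") == "ignore":
            continue
        leftid = conn.get("leftid", conn.get("left", "%any"))
        groups.setdefault(peer_selector(conn), {})[name] = leftid
    return [(sel, members) for sel, members in groups.items() if len(members) > 1]


if __name__ == "__main__":
    parsed = parse_ipsec_conf(SAMPLE_IPSEC_CONF)
    for selector, members in ambiguous_conns(parsed):
        print("conns %s share peer selector %s" % (sorted(members), selector))
        for name, leftid in members.items():
            print("  %-6s is selected only if the client sends IDr=%s" % (name, leftid))
```

To run it against a real gateway, replace SAMPLE_IPSEC_CONF with the contents of /etc/ipsec.conf; `ipsec statusall` then shows which conn an established SA actually landed on, which tells you whether the client sent an IDr that matched. Separately, note that the mangle TCPMSS rule in the post only clamps 10.10.10.0/24, while the NAT rules cover both client pools.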