OpenBSD ipsec routing

I have an OpenBSD VM, and I want to connect it to my OpenBSD home router using ipsec. The goal is to set up a secure tunnel between my home network and the VM.

So I have the following ike conf on the router:

ip_mirror= "212.237.177.102"
ip_dina= "89.234.141.151"

ikev2 'mirror.22decembre.eu' passive esp \
        from 2a06:4001:c7:e2::/64 to 2a00:5881:8110:2100::/64 \
        from 2a06:4001:c7:e2::/64 to 2a00:5881:8110:2100::2 \
        local 2a06:4000:10::c7 peer 2a00:5881:8110:2100::2 \
        dstid dina.22decembre.eu \
        rsa

ikev2 'mirrorv4' passive esp \
        from 10.0.0.0/16 to 10.2.0.0/16 \
        from 10.0.0.0/16 to $ip_dina \
        local $ip_mirror peer $ip_dina \
        dstid dina.22decembre.eu \
        rsa

On the VM:

ip_dina= "89.234.141.151"
ip_mirror= "212.237.177.102"
ip6_dina="2a00:5881:8110:2100::2"
ip6_mirror="2a06:4000:10::c7"

ikev2 'dina.22decembre.eu' active esp \
        from 2a00:5881:8110:2100::/64 to 2a06:4001:c7:e2::/64 \
        from  $ip6_dina  to 2a06:4001:c7:e2::/64 \
        local $ip6_dina peer $ip6_mirror \
        dstid mirror.22decembre.eu \
        rsa

ikev2 'dinav4' active esp \
        from  10.2.0.0/16  to 10.0.0.0/16 \
        from $ip_dina to 10.0.0.0/16 \
        local $ip_dina peer $ip_mirror \
        dstid mirror.22decembre.eu \
        rsa

It creates the relevant flows (or so I think):

stephane@dina:/home/stephane doas ipsecctl -sa
FLOWS:
flow esp in from 10.0.0.0/16 to 10.2.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp in from 10.0.0.0/16 to 89.234.141.151 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp out from 10.2.0.0/16 to 10.0.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp out from 89.234.141.151 to 10.0.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp in from 2a06:4001:c7:e2::/64 to 2a00:5881:8110:2100::/64 peer 2a06:4000:10::c7 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp in from 2a06:4001:c7:e2::/64 to 2a00:5881:8110:2100::2 peer 2a06:4000:10::c7 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp out from 2a00:5881:8110:2100::/64 to 2a06:4001:c7:e2::/64 peer 2a06:4000:10::c7 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp out from 2a00:5881:8110:2100::2 to 2a06:4001:c7:e2::/64 peer 2a06:4000:10::c7 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require

SAD:
esp tunnel from 89.234.141.151 to 212.237.177.102 spi 0x4fb1aa68 auth hmac-sha2-256 enc aes-256
esp tunnel from 2a06:4000:10::c7 to 2a00:5881:8110:2100::2 spi 0x9589f762 auth hmac-sha2-256 enc aes-256
esp tunnel from 212.237.177.102 to 89.234.141.151 spi 0xb54032ea auth hmac-sha2-256 enc aes-256
esp tunnel from 2a00:5881:8110:2100::2 to 2a06:4000:10::c7 spi 0xce462a4c auth hmac-sha2-256 enc aes-256

I can even ping (or ssh to) the home server from the VM's private address:

stephane@dina:/home/stephane ping 10.0.0.2
PING 10.0.0.2 (10.0.0.2): 56 data bytes
64 bytes from 10.0.0.2: icmp_seq=0 ttl=254 time=27.239 ms
64 bytes from 10.0.0.2: icmp_seq=1 ttl=254 time=27.415 ms
64 bytes from 10.0.0.2: icmp_seq=2 ttl=254 time=27.270 ms
^C
--- 10.0.0.2 ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/std-dev = 27.239/27.308/27.415/0.077 ms

But other traffic doesn't pass through as easily (no syslog, for example).

I'd like to know what I'm doing wrong; I've looked at the OpenBSD FAQ several times, but I don't see my mistake.

Can you help me with this?
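A small check that matches a packet's (direction, source, destination) against the FLOWS output above, to see which traffic the kernel would actually send through the tunnel and which would go out in the clear. This is an added example, not code from the question; the flow lines are copied from the `ipsecctl -sa` output, and it assumes the kernel picks the most specific (longest-prefix) matching flow.

```python
import ipaddress
import re

# Flow lines copied from the `ipsecctl -sa` output in the question
# (the two IPv6 host-specific flows are left out to keep the sample short).
FLOWS = """\
flow esp in from 10.0.0.0/16 to 10.2.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp in from 10.0.0.0/16 to 89.234.141.151 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp out from 10.2.0.0/16 to 10.0.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp out from 89.234.141.151 to 10.0.0.0/16 peer 212.237.177.102 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp in from 2a06:4001:c7:e2::/64 to 2a00:5881:8110:2100::/64 peer 2a06:4000:10::c7 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
flow esp out from 2a00:5881:8110:2100::/64 to 2a06:4001:c7:e2::/64 peer 2a06:4000:10::c7 srcid FQDN/dina.22decembre.eu dstid FQDN/mirror.22decembre.eu type require
"""

FLOW_RE = re.compile(r"^flow esp (in|out) from (\S+) to (\S+) peer (\S+)")


def parse_flows(text):
    """Turn FLOWS lines into (direction, src_net, dst_net, peer) tuples."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            direction, src, dst, peer = m.groups()
            flows.append((direction, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), peer))
    return flows


def find_flow(flows, direction, src, dst):
    """Peer of the most specific flow covering (src, dst) in `direction`,
    or None: such a packet is sent in the clear, outside the tunnel.
    Assumption: the kernel picks the longest-prefix match, as this does."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    best, best_len = None, -1
    for fdir, fsrc, fdst, peer in flows:
        if fdir == direction and s in fsrc and d in fdst:
            if fsrc.prefixlen + fdst.prefixlen > best_len:
                best, best_len = peer, fsrc.prefixlen + fdst.prefixlen
    return best


def unprotected(flows, packets):
    """Subset of (direction, src, dst) packets that no flow covers."""
    return [p for p in packets if find_flow(flows, *p) is None]
```

Feeding it the source address a given daemon actually binds to (as shown by `netstat` or `tcpdump` on the VM) tells you whether that traffic falls inside any `from ... to ...` selector at all.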
