StrongSwan connected to Cisco ASA 5550, but no traffic


I am running a StrongSwan client on a system that doubles as a web server, and it connects to the Cisco ASA successfully. The problem is that I cannot ping anything on the other side.

I ran into the same problem when trying to talk to a Watchguard VPN. It was suggested that I read up on route-based VPNs and virtual IPs. I did, but I am still missing or not understanding something.

The customer told me: "You need to configure a 1:1 bidirectional NAT rule between the host's local IP and the assigned address." As a programmer my understanding of networking is rather narrow, but I read up on it and tried a few things based on what I understood.

Endpoints:

172.31.89.153 - Webserver / VPN StrongSwan Client internal IP
10.255.16.123 - Address allocated to the above by the Host
209.79.141.251 - The host's public address
209.79.141.30 - Remote client that should be reachable via the tunnel

ipsec.conf

conn DEST
     left=172.31.89.153
     leftid=172.31.89.153
     leftsubnet=10.255.16.123/32
     right=209.79.141.251
     rightid=209.79.141.251
     rightsubnet=209.79.141.30
     auto=add

What I have tried so far

I created a GRE tunnel

sudo ip tunnel add gre1 local 172.31.89.153 remote 209.79.141.251 mode gre

and added routes for the traffic

sudo ip route add 10.255.16.123 dev gre1
sudo ip route add 209.79.141.31/32 dev gre1

Verified that IP forwarding is enabled on my system.

Tried pinging devices on the host's network that should be reachable: fails. Tried pinging from the allocated IP:

ping -I 10.255.16.123 209.79.141.31
ping: bind: Cannot assign requested address

Tried strongswan.conf > install_routes=yes and no.

My routing table:

default via 172.31.80.1 dev ens5 proto dhcp src 172.31.89.153 metric 100
10.255.16.123 dev gre1 scope link
172.31.0.2 via 172.31.80.1 dev ens5 proto dhcp src 172.31.89.153 metric 100
172.31.80.0/20 dev ens5 proto kernel scope link src 172.31.89.153 metric 100
172.31.80.1 dev ens5 proto dhcp scope link src 172.31.89.153 metric 100
209.79.141.31 dev gre1 scope link

Interfaces:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
    link/ether 12:47:57:87:6e:97 brd ff:ff:ff:ff:ff:ff
    inet 172.31.89.153/20 metric 100 brd 172.31.95.255 scope global dynamic ens5
       valid_lft 2215sec preferred_lft 2215sec
15: gre0@NONE: <NOARP> mtu 1476 qdisc noop state DOWN group default qlen 1000
    link/gre 0.0.0.0 brd 0.0.0.0
16: gretap0@NONE: <BROADCAST,MULTICAST> mtu 1462 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
17: erspan0@NONE: <BROADCAST,MULTICAST> mtu 1450 qdisc noop state DOWN group default qlen 1000
    link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
22: gre1@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 8977 qdisc noqueue state UNKNOWN group default qlen 1000
    link/gre 172.31.89.153 peer 209.79.141.251
    inet6 fe80::ac1f:5999/64 scope link
       valid_lft forever preferred_lft forever
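
The 1:1 NAT the customer asked for, as an added example that is not part of the original post. Two things in the post work against the ipsec.conf shown: `ping -I 10.255.16.123` fails with "Cannot assign requested address" because the assigned address is not configured on any interface (a route via gre1 does not make it a local address), and the gre1 routes divert traffic for 10.255.16.123 and 209.79.141.31 into an unencrypted GRE tunnel before the IPsec policy ever sees it, which IPsec tunnel mode does not need. The approach below keeps the posted conn (leftsubnet=10.255.16.123/32, rightsubnet=209.79.141.30) and adds netfilter rules so the packets inside the tunnel carry the assigned address: outbound traffic from the host is SNATed to 10.255.16.123 in POSTROUTING (Linux re-runs the XFRM policy lookup after SNAT, so the rewritten packet matches the policy and is encrypted), and decapsulated inbound traffic for 10.255.16.123 is DNATed to the host (the kernel reverses the NAT when it checks the inbound policy, so it still matches). Addresses are the ones listed under "Endpoints" in the post; note that the routes and ping in the post use 209.79.141.31 while that list says 209.79.141.30, and this example follows the list. The rule generator and helper functions are this example's own, not strongSwan's or the ASA's configuration.

```shell
#!/bin/sh
# Added example (not from the original post): 1:1 NAT between the host's own
# address and the address the far end assigned to it, so that packets inside
# the IPsec tunnel match leftsubnet=10.255.16.123/32 from the posted ipsec.conf.
# Run as root. Review nat_rules before calling apply_nat_rules.

HOST_IP=172.31.89.153           # web server / strongSwan client (left=)
ASSIGNED_IP=10.255.16.123       # address allocated to this host by the far end
REMOTE_CLIENT=209.79.141.30/32  # rightsubnet (the "Endpoints" list in the post)

# Print, without applying, the two NAT rules.
#  - POSTROUTING SNAT: host -> remote client is rewritten to come from the
#    assigned address; the kernel redoes the XFRM policy lookup after SNAT, so
#    the packet now matches 10.255.16.123/32 <-> 209.79.141.30/32 and is ESP-encrypted.
#  - PREROUTING DNAT: decapsulated packets for the assigned address are handed
#    to the host's real address; the inbound policy check is done on the
#    pre-NAT addresses, so it still matches the policy.
nat_rules() {
    printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j SNAT --to-source %s\n' \
        "$HOST_IP" "$REMOTE_CLIENT" "$ASSIGNED_IP"
    printf 'iptables -t nat -A PREROUTING -s %s -d %s -j DNAT --to-destination %s\n' \
        "$REMOTE_CLIENT" "$ASSIGNED_IP" "$HOST_IP"
}

# Apply the rules printed above.
apply_nat_rules() {
    nat_rules | sh -e
}

# Undo the GRE tunnel and routes created in the post: IPsec tunnel mode carries
# the traffic itself, and the gre1 routes steal these destinations into an
# unencrypted GRE tunnel before the XFRM policy can match them.
teardown_gre() {
    ip route del 10.255.16.123 dev gre1 2>/dev/null || true
    ip route del 209.79.141.31/32 dev gre1 2>/dev/null || true
    ip link del gre1 2>/dev/null || true
}

# Verify from the host itself. No -I is needed: the SNAT rule supplies the
# assigned source address. Then confirm the policy exists and that the ESP
# state counters move while the ping runs.
test_tunnel() {
    ping -c 3 "${REMOTE_CLIENT%/*}"
    ip xfrm policy      # expect src 10.255.16.123/32 dst 209.79.141.30/32 dir out, mode tunnel
    ip -s xfrm state    # byte and packet counters on the ESP SAs should increase
}

# Usage, as root:
#   nat_rules                                # review the rules first
#   teardown_gre && apply_nat_rules
#   ipsec up DEST && test_tunnel             # conn DEST has auto=add in the post
```

If the ASA side only accepts traffic from 10.255.16.123 and nothing shows up in `ip -s xfrm state` while pinging, check `ip route get 209.79.141.30` first: it must leave via ens5 and the default route, not via gre1, or the SNAT and policy never see the packet.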
