Strongswan tunnel is up, but the two sides cannot ping each other

I am facing a strange problem. I have configured a site-to-site VPN tunnel on CentOS 8 on the same network, and it is connected, but the sides cannot ping each other. Below are my configuration and status.

Site A

    [root@site-B ~]# strongswan status
    Security Associations (1 up, 0 connecting):
    2gateway-to-gateway1[4]: ESTABLISHED 6 seconds ago, 100.100.100.6[100.100.100.6]...100.100.100.22[100.100.100.22]
    2gateway-to-gateway1{3}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: caeaf7b6_i c214a703_o
    2gateway-to-gateway1{3}:   10.20.1.0/24 === 10.10.1.0/24

ip route

    [root@site-A ~]# ip r show
    default via 100.100.100.1 dev enp0s3 proto dhcp metric 100
    10.20.1.0/24 via 100.100.100.22 dev enp0s3
    100.100.100.0/24 dev enp0s3 proto kernel scope link src 100.100.100.22 metric 100

    config setup
        charondebug="all"
        uniqueids=yes

    conn gateway1-to-gateway2
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=100.100.100.22
        leftsubnet=10.10.1.1/24
        right=100.100.100.6
        rightsubnet=10.20.1.1/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

    [root@site-A ~]# cat /etc/strongswan/ipsec.secrets
    100.100.100.22 100.100.100.6 : PSK "XXXXXXXXXXXX"

    [root@site-A ~]# cat /etc/sysctl.conf
    net.ipv4.ip_forward = 1
    net.ipv6.conf.all.forwarding = 1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0

Site B

    [root@site-B ~]# strongswan status
    Security Associations (1 up, 0 connecting):
    2gateway-to-gateway1[4]: ESTABLISHED 4 minutes ago, 100.100.100.6[100.100.100.6]...100.100.100.22[100.100.100.22]
    2gateway-to-gateway1{3}:  INSTALLED, TUNNEL, reqid 2, ESP SPIs: caeaf7b6_i c214a703_o
    2gateway-to-gateway1{3}:   10.20.1.0/24 === 10.10.1.0/24

ip route

    [root@site-B ~]# ip r show
    default via 100.100.100.1 dev enp0s3 proto dhcp metric 100
    10.20.1.0/24 via 100.100.100.6 dev enp0s3
    100.100.100.0/24 dev enp0s3 proto kernel scope link src 100.100.100.6 metric 100

    config setup
        charondebug="all"
        uniqueids=yes

    conn 2gateway-to-gateway1
        type=tunnel
        auto=start
        keyexchange=ikev2
        authby=secret
        left=100.100.100.6
        leftsubnet=10.20.1.1/24
        right=100.100.100.22
        rightsubnet=10.10.1.1/24
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        aggressive=no
        keyingtries=%forever
        ikelifetime=28800s
        lifetime=3600s
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart

    [root@site-B ~]# cat /etc/strongswan/ipsec.secrets
    100.100.100.6 100.100.100.22 : PSK "XXXXXXXXXXXXX"

    [root@site-B ~]# cat /etc/sysctl.conf
    net.ipv4.ip_forward = 1
    net.ipv6.conf.all.forwarding = 1
    net.ipv4.conf.all.accept_redirects = 0
    net.ipv4.conf.all.send_redirects = 0

Answer 1

Aoa, since your left and right subnets are on different networks, one solution is:

  1. Add a gateway route in both subnets; the subnets will start to ping each other, then check the encrypted packets between the gateway devices.

Command: route add xxx0/24 mask xxxx xxxx(gw)
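An added illustration, not part of the question or of the answer above: the script below runs offline consistency checks over the text pasted in the question (the two conn sections, the two `ip route` outputs and the sysctl line). It verifies that the two ends are mirror images of each other, flags routes for the tunnel subnets that point at the gateway's own address or that leave the local LAN without a connected route, and builds the per-host route the answer recommends. The gateway LAN address 10.10.1.1 passed to host_route_for is an assumption; the question only gives the subnets.

```python
"""Offline consistency checks for a strongSwan site-to-site setup.

Added example: works on pasted text (the conn sections, `ip route` output
and sysctl line from the question), not on the live system, so it runs
anywhere. It looks for the usual reasons a tunnel shows ESTABLISHED and
INSTALLED while the LANs behind the gateways still cannot reach each other.
"""
import ipaddress
import re

# Constructed input, transcribed from the two gateways in the question.
SITE_A_CONN = """
conn gateway1-to-gateway2
    left=100.100.100.22
    leftsubnet=10.10.1.1/24
    right=100.100.100.6
    rightsubnet=10.20.1.1/24
"""
SITE_A_ROUTES = """\
default via 100.100.100.1 dev enp0s3 proto dhcp metric 100
10.20.1.0/24 via 100.100.100.22 dev enp0s3
100.100.100.0/24 dev enp0s3 proto kernel scope link src 100.100.100.22 metric 100
"""
SITE_B_CONN = """
conn 2gateway-to-gateway1
    left=100.100.100.6
    leftsubnet=10.20.1.1/24
    right=100.100.100.22
    rightsubnet=10.10.1.1/24
"""
SITE_B_ROUTES = """\
default via 100.100.100.1 dev enp0s3 proto dhcp metric 100
10.20.1.0/24 via 100.100.100.6 dev enp0s3
100.100.100.0/24 dev enp0s3 proto kernel scope link src 100.100.100.6 metric 100
"""
SYSCTL = "net.ipv4.ip_forward = 1"  # identical on both gateways in the question


def parse_conn(text):
    """Return {key: value} for the key=value lines of one conn section."""
    return dict(re.findall(r"^\s*(\w+)\s*=\s*(\S+)", text, re.MULTILINE))


def parse_routes(text):
    """Return (destination network, next hop or None) for each `ip route` line."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        gw = fields[fields.index("via") + 1] if "via" in fields else None
        routes.append((ipaddress.ip_network(dst, strict=False), gw))
    return routes


def subnet(value):
    """strongSwan treats leftsubnet=10.10.1.1/24 as the network 10.10.1.0/24
    (the status output in the question shows the normalised form), so compare
    networks rather than the raw strings."""
    return ipaddress.ip_network(value, strict=False)


def check_pair(conn_a, conn_b):
    """Both ends must be mirror images: A's left is B's right, and so on."""
    findings = []
    if (conn_a["left"], conn_a["right"]) != (conn_b["right"], conn_b["left"]):
        findings.append("left/right gateway addresses are not mirrored")
    if (subnet(conn_a["leftsubnet"]), subnet(conn_a["rightsubnet"])) != \
       (subnet(conn_b["rightsubnet"]), subnet(conn_b["leftsubnet"])):
        findings.append("leftsubnet/rightsubnet are not mirrored; traffic selectors will not match")
    return findings


def check_site(conn, routes_text, sysctl_text):
    """Per-gateway checks; an empty list means nothing obvious is wrong."""
    findings = []
    local, remote = subnet(conn["leftsubnet"]), subnet(conn["rightsubnet"])
    me = conn["left"]
    routes = parse_routes(routes_text)
    if not re.search(r"net\.ipv4\.ip_forward\s*=\s*1", sysctl_text):
        findings.append("net.ipv4.ip_forward is not 1; the gateway will not relay LAN packets")
    for dst, gw in routes:
        if dst == remote and gw == me:
            findings.append(f"route for remote subnet {remote} has this gateway's own address {me} as next hop")
        if dst == local and gw is not None:
            findings.append(f"local subnet {local} is routed via {gw} rather than a directly attached interface")
    if not any(dst == local and gw is None for dst, gw in routes):
        findings.append(f"no connected route for local subnet {local}; LAN hosts cannot reach this gateway through it")
    return findings


def host_route_for(conn, gateway_lan_ip):
    """The route the answer recommends on each LAN host: send the remote subnet
    to the local VPN gateway. gateway_lan_ip is assumed; the page does not state it."""
    return f"ip route add {subnet(conn['rightsubnet'])} via {gateway_lan_ip}"


def run_all():
    a, b = parse_conn(SITE_A_CONN), parse_conn(SITE_B_CONN)
    return {"pair": check_pair(a, b),
            "site_a": check_site(a, SITE_A_ROUTES, SYSCTL),
            "site_b": check_site(b, SITE_B_ROUTES, SYSCTL)}


if __name__ == "__main__":
    for name, findings in run_all().items():
        print(name, findings or "ok")
    print(host_route_for(parse_conn(SITE_A_CONN), "10.10.1.1"))  # assumed gateway LAN IP
```

Run against the question's own outputs, the pair check passes (the two conn sections do mirror each other), while both gateways are flagged: neither has a connected route for its own LAN, site A's route for 10.20.1.0/24 points at 100.100.100.22 (itself), and site B routes its own LAN 10.20.1.0/24 via its own address. Those are the places to look before touching the IPsec configuration: a tunnel only carries packets that reach the gateway and match the traffic selectors, and `ip xfrm policy` / `ip xfrm state` on the live hosts will show whether the ESP counters move at all.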
