奇怪的 Ipsec 行为

tag-icon tag-icon networking ipsec strongswan
奇怪的 Ipsec 行为

我遇到了一些有趣的事情,我无法很好地解释。我打开了一个简单的 Ubuntu 20.04 盒子并尝试通过 IPSec 隧道保护所有流量。我没有使用 VTI 或 xfrm 接口,只是将 0.0.0.0 协商为两端的 TS。没有 Ipsec 隧道,一切正常。

现在,当我启动隧道时,隧道运行良好。现在,当我运行 iperf TCP 测试时,它工作正常。数据包流经隧道,返回并到达应用程序,我获得了预期的吞吐量。

当我运行 ping 测试时,它们也运行良好。

问题在于网络流量。当我执行 wget 或尝试使用浏览器时,我看到流量流动良好并返回到我的 Ubuntu 20 节点,但它从未到达应用程序。

所以 wget 永远不会看到回复,但是 TCP 连接按预期获得 ESTAB,并且在wireshark 中我确实看到了通过隧道和解密后的回复。但出于莫名其妙的原因,只有当我尝试使用网络流量时,我才注意到流量没有到达预期的应用程序。

任何线索。我的 Ipsec 配置没什么有趣的

vtewari@vtewari-ububtu:~$ sudo swanctl --list-sas
[sudo] password for vtewari: 
tenant-13543-1010: #9, ESTABLISHED, IKEv2, 43319062223514a3_i* 2927ffc3801b0fa2_r
  local  '[email protected]' @ 10.0.2.15[4500]
  remote 'vtewari-remote' @ vtewari-remote[4500]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 2622s ago, reauth in 24647s
  tenant-13543-1010: #13, reqid 11, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-256/HMAC_SHA1_96
    installed 2623s ago, rekeying in 68598s, expires in 69378s
    in  c6fce0ab,    600 bytes,     7 packets,   381s ago
    out c13ce846, 127082 bytes,    96 packets,   381s ago
    local  0.0.0.0/0
    remote 0.0.0.0/0

vtewari@vtewari-ububtu:~$ sudo swanctl --list-conns
tenant-13543-1010: IKEv2, reauthentication every 215460s, no rekeying
  local:  %any
  remote: vtewari-remote
  local pre-shared key authentication:
    id: [email protected]
  remote pre-shared key authentication:
  tenant-13543-1010: TUNNEL, rekeying every 71460s
    local:  0.0.0.0/0
    remote: 0.0.0.0/0

Ping/Iperf 通过隧道测试成功

vtewari@vtewari-ububtu:~$ iperf3 -c paris.testdebit.info -p 9237 -R
Connecting to host paris.testdebit.info, port 9237
Reverse mode, remote host paris.testdebit.info is sending
[  5] local 10.0.2.15 port 33296 connected to 89.84.1.194 port 9237
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-1.00   sec  37.1 KBytes   304 Kbits/sec                  
[  5]   1.00-2.00   sec   102 KBytes   830 Kbits/sec                  
^C[  5]   2.00-2.54   sec   131 KBytes  2.01 Mbits/sec                  
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate
[  5]   0.00-2.54   sec  0.00 Bytes  0.00 bits/sec                  sender
[  5]   0.00-2.54   sec   270 KBytes   871 Kbits/sec                  receiver
iperf3: interrupt - the client has terminated

然而,尽管 TCP 已连接,但 wget 从未看到响应

vtewari@vtewari-ububtu:~$ wget http://google.com --verbose -O index.html
--2022-06-05 15:10:00--  http://google.com/
Resolving google.com (google.com)... 142.250.77.46, 2404:6800:4009:81c::200e
Connecting to google.com (google.com)|142.250.77.46|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.google.com/ [following]
--2022-06-05 15:10:01--  http://www.google.com/
Resolving www.google.com (www.google.com)... 142.251.42.4, 2404:6800:4009:82f::2004
Connecting to www.google.com (www.google.com)|142.251.42.4|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html’

index.html                           [<=>                                                       ]       0  --.-KB/s

我在浏览器上也看到同样的情况。如果我禁用隧道,一切都很好。当我启用隧道时,浏览器无法到达服务器。

感谢您对此的见解。

相关内容