Packets not going through the VPN (net2net, same network on both sides)

I have followed the setup guide for the case where both sides use the same network (https://www.strongswan.org/testing/testresults/ikev2/net2net-same-nets/). Below is my configuration. I think something is wrong with my iptables or updown configuration (or I don't understand it), because packets are not going through the VPN.

Note: I tried to clean up the output.

vpn-to-server {
        ....
        remote_addrs = 16.16.16.65
        local_addrs = 16.9.4.35
        children {
                vpn-to-server {
                        ....
                        local_ts = 172.168.48.0/24
                        remote_ts = 16.16.65.0/24
                        dpd_action = restart
                        mark_in = 8
                        set_mark_in = %same
                        mark_out = 4
                        updown = /usr/lib/ipsec/_updown
                }
        }
}

The VPN tunnel is up:

root@vpn-server:/etc/iptables# swanctl -l
vpn-to-server: #31, ESTABLISHED, IKEv2, 9ff137d4cdd8f543_i* d24cbee7dd1a3ddb_r
  local  '16.9.4.35' @ 16.9.4.35[4500]
  remote '16.16.16.65' @ 16.16.16.65[4500]
  AES_CBC-256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
  established 2030s ago, rekeying in 25633s
  vpn-to-server: #13101, reqid 50, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_384_192
    installed 2157s ago, rekeying in 1443s, expires in 1443s
    in  c3dedc5f (0x00000008),      0 bytes,     0 packets
    out e7cfcfac (0x00000004),      0 bytes,     0 packets
    local  172.168.48.0/24
    remote 16.16.65.0/24

Packet trace of a ping (from bob to alice). See the second-to-last line, and the last line below: the packet leaves via the interface instead of going into IPsec.

root@vpn-server:/etc/iptables# dmesg -c
TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122  
TRACE: mangle:PREROUTING:rule:1 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122  
TRACE: mangle:PREROUTING:policy:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122  MARK=0x4 
TRACE: nat:PREROUTING:rule:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122  MARK=0x4 
TRACE: mangle:FORWARD:policy:1 IN=eth1 OUT=eth0 MAC=MAC SRC=10.108.0.3 DST=16.16.65.197 ID=23122  MARK=0x4 
TRACE: filter:FORWARD:rule:1 IN=eth1 OUT=eth0 MAC=MAC SRC=10.108.0.3 DST=16.16.65.197 ID=23122  MARK=0x4 
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=10.108.0.3 DST=16.16.65.197 ID=23122  MARK=0x4 
TRACE: nat:POSTROUTING:rule:2 IN= OUT=eth0 SRC=10.108.0.3 DST=16.16.65.197 ID=23122  MARK=0x4 

iptables output

root@vpn-server:/etc/iptables# iptables -L --line-numbers -t nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    NETMAP     all  --  anywhere             172.16.48.0/24       mark match 0x8 to:10.108.0.0/24
2    NETMAP     all  --  anywhere             172.16.51.0/24       mark match 0x4 to:16.16.65.0/24

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    NETMAP     all  --  16.16.65.0/24      anywhere             mark match 0x8 to:172.16.51.0/24
2    NETMAP     all  --  10.108.0.0/24        anywhere             mark match 0x4 to:172.16.48.0/24
3    ACCEPT     all  --  anywhere             anywhere             policy match dir out pol ipsec
4    MASQUERADE  all  --  10.108.0.0/20        anywhere            
5    MASQUERADE  tcp  --  10.108.0.0/20       !10.108.0.0/20        masq ports: 1024-65535
6    MASQUERADE  udp  --  10.108.0.0/20       !10.108.0.0/20        masq ports: 1024-65535


root@vpn-server:/etc/iptables# iptables -L --line-numbers -t filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere             mark match 0x4
2    ACCEPT     all  --  anywhere             anywhere             mark match 0x8
3    ACCEPT     all  --  xxxxxxxx            10.108.0.0/20        policy match dir out pol ipsec proto esp
4    ACCEPT     all  --  xxxxxxxxx           10.108.0.0/16        policy match dir out pol ipsec proto esp
5    ACCEPT     all  --  10.108.0.0/20        anywhere            
6    ACCEPT     all  --  anywhere             10.108.0.0/20        state RELATED,ESTABLISHED


Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

root@vpn-server:/etc/iptables# iptables -L --line-numbers -t mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    MARK       all  --  10.108.0.0/24        172.16.51.0/24       MARK set 0x4

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         


root@vpn-server:/etc/iptables# iptables -L --line-numbers -t raw
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    TRACE      icmp --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    TRACE      icmp --  anywhere             anywhere            
root@vpn-server:/etc/iptables# 

Statistics

root@vpn-server:/etc/iptables# iptables -L -v
Chain INPUT (policy ACCEPT 281 packets, 20288 bytes)
 pkts bytes target     prot opt in     out     source               destination         
80022   11M f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   17  1284 ACCEPT     all  --  any    eth0    anywhere             anywhere             mark match 0x4
    0     0 ACCEPT     all  --  eth0   any     anywhere             anywhere             mark match 0x8
    0     0 ACCEPT     all  --  any    eth0    xxxxxxx/23       10.108.0.0/20        policy match dir out pol ipsec proto esp
    0     0 ACCEPT     all  --  any    eth0    xxxxxxxxx        10.108.0.0/16        policy match dir out pol ipsec proto esp
 104K 8108K ACCEPT     all  --  eth1   any     10.108.0.0/20        anywhere            
49043 3738K ACCEPT     all  --  any    eth1    anywhere             10.108.0.0/20        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   any     10.108.0.0/20        xxxxxxxxx       policy match dir in pol ipsec proto esp
    0     0 ACCEPT     all  --  any    eth0    xxxxxxx        10.108.0.0/16        policy match dir out pol ipsec proto esp
    0     0 ACCEPT     all  --  any    eth0    192.168.22.0/24      10.108.0.0/16        policy match dir out pol ipsec proto esp

Chain OUTPUT (policy ACCEPT 306 packets, 26032 bytes)
 pkts bytes target     prot opt in     out     source               destination         

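Added example (editor's, not code from the original post or from strongSwan): a small Python replay of the mark and NETMAP rules quoted above for the traced packet, followed by the check the kernel makes when it decides whether a forwarded packet belongs to a CHILD_SA. It assumes Linux repeats the outbound xfrm policy lookup after nat POSTROUTING has rewritten addresses (the nf_xfrm_me_harder behaviour), so the selector comparison is done on the post-NETMAP source and destination, and it uses the values exactly as printed in the post, which its author says were cleaned. With those values the check reports that the source rewritten by the POSTROUTING NETMAP rule to 172.16.48.3 lies outside the CHILD_SA local_ts 172.168.48.0/24; the last call with a local_ts of 172.16.48.0/24 is a hypothetical what-if, not a claim about the original deployment.

```python
"""Replay marks, NETMAP rewrites and the CHILD_SA selector check for one
forwarded packet. All data below is constructed from the output quoted in
the post above; nothing here talks to a live kernel."""
import ipaddress
import re

ip_net = ipaddress.ip_network
ip_addr = ipaddress.ip_address

# CHILD_SA as shown by `swanctl -l` / the swanctl.conf excerpt above.
CHILD_SA = {
    "local_ts": ip_net("172.168.48.0/24"),
    "remote_ts": ip_net("16.16.65.0/24"),
    "mark_out": 0x4,
}

# mangle PREROUTING: (src match, dst match, mark to set)
MANGLE_MARKS = [("10.108.0.0/24", "172.16.51.0/24", 0x4)]

# nat table NETMAP rules in chain order: (chain, src match, dst match, mark, --to).
# PREROUTING rewrites the destination, POSTROUTING rewrites the source.
NAT_RULES = [
    ("PREROUTING",  None,            "172.16.48.0/24", 0x8, "10.108.0.0/24"),
    ("PREROUTING",  None,            "172.16.51.0/24", 0x4, "16.16.65.0/24"),
    ("POSTROUTING", "16.16.65.0/24", None,             0x8, "172.16.51.0/24"),
    ("POSTROUTING", "10.108.0.0/24", None,             0x4, "172.16.48.0/24"),
]

# First TRACE line from the dmesg output above (before any NAT was applied).
TRACE_LINE = ("TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=MAC "
              "SRC=10.108.0.3 DST=172.16.51.197 ID=23122")


def parse_trace(line):
    """Extract SRC/DST addresses from an iptables TRACE line."""
    m = re.search(r"SRC=(\S+) DST=(\S+)", line)
    if not m:
        raise ValueError("no SRC/DST in trace line")
    return ip_addr(m.group(1)), ip_addr(m.group(2))


def netmap(addr, to):
    """Apply NETMAP --to: network bits come from `to`, host bits are kept."""
    to = ip_net(to)
    host = int(addr) & int(to.hostmask)
    return ip_addr(int(to.network_address) | host)


def _matches(src, dst, s, d, mark, want_mark):
    return (mark == want_mark
            and (s is None or src in ip_net(s))
            and (d is None or dst in ip_net(d)))


def simulate(src, dst):
    """Walk mangle PREROUTING, nat PREROUTING and nat POSTROUTING for one
    forwarded packet and return the post-NAT (src, dst, mark)."""
    mark = 0
    for s, d, m in MANGLE_MARKS:
        if src in ip_net(s) and dst in ip_net(d):
            mark = m
    for chain in ("PREROUTING", "POSTROUTING"):
        for c, s, d, m, to in NAT_RULES:
            if c != chain or not _matches(src, dst, s, d, mark, m):
                continue
            if chain == "PREROUTING":
                dst = netmap(dst, to)
            else:
                src = netmap(src, to)
            break  # first matching rule in a nat chain wins
    return src, dst, mark


def tunnel_decision(src, dst, mark, sa=CHILD_SA):
    """Assumption: Linux redoes the outbound xfrm policy lookup after nat
    POSTROUTING (nf_xfrm_me_harder), so the post-NAT addresses and the mark
    are what must fall inside the CHILD_SA selectors. Returns (in_tunnel, reasons)."""
    reasons = []
    if mark != sa["mark_out"]:
        reasons.append(f"mark {mark:#x} != mark_out {sa['mark_out']:#x}")
    if src not in sa["local_ts"]:
        reasons.append(f"src {src} not in local_ts {sa['local_ts']}")
    if dst not in sa["remote_ts"]:
        reasons.append(f"dst {dst} not in remote_ts {sa['remote_ts']}")
    return (not reasons, reasons)


def check_trace(line=TRACE_LINE, sa=CHILD_SA):
    """Parse a TRACE line, replay the rules, and decide tunnel vs. clear."""
    src, dst = parse_trace(line)
    return tunnel_decision(*simulate(src, dst), sa=sa)


if __name__ == "__main__":
    ok, why = check_trace()
    print("encrypted" if ok else "sent in clear: " + "; ".join(why))
```

The replay stops at the nat POSTROUTING rule that the TRACE output itself reports as matched (rule 2); the kernel's TRACE does not print the address after that rewrite, which is why the selector comparison has to be reconstructed here rather than read off the log.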