I have followed the implementation guide for identical networks on both sides (https://www.strongswan.org/testing/testresults/ikev2/net2net-same-nets/). Below is my configuration. I think there is something wrong with my iptables or updown configuration (or I don't understand it), because packets are not going through the VPN.
Note: I have tried to clean up the output.
vpn-to-server {
    ....
    remote_addrs = 16.16.16.65
    local_addrs = 16.9.4.35
    children {
        vpn-to-server {
            ....
            local_ts = 172.168.48.0/24
            remote_ts = 16.16.65.0/24
            dpd_action = restart
            mark_in = 8
            set_mark_in = %same
            mark_out = 4
            updown = /usr/lib/ipsec/_updown
        }
    }
}
The VPN tunnel is up:
root@vpn-server:/etc/iptables# swanctl -l
vpn-to-server: #31, ESTABLISHED, IKEv2, 9ff137d4cdd8f543_i* d24cbee7dd1a3ddb_r
local '16.9.4.35' @ 16.9.4.35[4500]
remote '16.16.16.65' @ 16.16.16.65[4500]
AES_CBC-256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
established 2030s ago, rekeying in 25633s
vpn-to-server: #13101, reqid 50, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_384_192
installed 2157s ago, rekeying in 1443s, expires in 1443s
in c3dedc5f (0x00000008), 0 bytes, 0 packets
out e7cfcfac (0x00000004), 0 bytes, 0 packets
local 172.168.48.0/24
remote 16.16.65.0/24
Packet trace of a ping (from bob to alice) [the second-to-last line is also the last line below, because the packet goes out the interface instead of through ipsec]:
root@vpn-server:/etc/iptables# dmesg -c
TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122
TRACE: mangle:PREROUTING:rule:1 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122
TRACE: mangle:PREROUTING:policy:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122 MARK=0x4
TRACE: nat:PREROUTING:rule:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122 MARK=0x4
TRACE: mangle:FORWARD:policy:1 IN=eth1 OUT=eth0 MAC=MAC SRC=10.108.0.3 DST=16.16.65.197 ID=23122 MARK=0x4
TRACE: filter:FORWARD:rule:1 IN=eth1 OUT=eth0 MAC=MAC SRC=10.108.0.3 DST=16.16.65.197 ID=23122 MARK=0x4
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=10.108.0.3 DST=16.16.65.197 ID=23122 MARK=0x4
TRACE: nat:POSTROUTING:rule:2 IN= OUT=eth0 SRC=10.108.0.3 DST=16.16.65.197 ID=23122 MARK=0x4
iptables output:
root@vpn-server:/etc/iptables# iptables -L --line-numbers -t nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 NETMAP all -- anywhere 172.16.48.0/24 mark match 0x8 to:10.108.0.0/24
2 NETMAP all -- anywhere 172.16.51.0/24 mark match 0x4 to:16.16.65.0/24
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 NETMAP all -- 16.16.65.0/24 anywhere mark match 0x8 to:172.16.51.0/24
2 NETMAP all -- 10.108.0.0/24 anywhere mark match 0x4 to:172.16.48.0/24
3 ACCEPT all -- anywhere anywhere policy match dir out pol ipsec
4 MASQUERADE all -- 10.108.0.0/20 anywhere
5 MASQUERADE tcp -- 10.108.0.0/20 !10.108.0.0/20 masq ports: 1024-65535
6 MASQUERADE udp -- 10.108.0.0/20 !10.108.0.0/20 masq ports: 1024-65535
root@vpn-server:/etc/iptables# iptables -L --line-numbers -t filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 f2b-sshd tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere mark match 0x4
2 ACCEPT all -- anywhere anywhere mark match 0x8
3 ACCEPT all -- xxxxxxxx 10.108.0.0/20 policy match dir out pol ipsec proto esp
4 ACCEPT all -- xxxxxxxxx 10.108.0.0/16 policy match dir out pol ipsec proto esp
5 ACCEPT all -- 10.108.0.0/20 anywhere
6 ACCEPT all -- anywhere 10.108.0.0/20 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
root@vpn-server:/etc/iptables# iptables -L --line-numbers -t mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 MARK all -- 10.108.0.0/24 172.16.51.0/24 MARK set 0x4
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
root@vpn-server:/etc/iptables# iptables -L --line-numbers -t raw
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 TRACE icmp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 TRACE icmp -- anywhere anywhere
root@vpn-server:/etc/iptables#
Statistics:
root@vpn-server:/etc/iptables# iptables -L -v
Chain INPUT (policy ACCEPT 281 packets, 20288 bytes)
pkts bytes target prot opt in out source destination
80022 11M f2b-sshd tcp -- any any anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
17 1284 ACCEPT all -- any eth0 anywhere anywhere mark match 0x4
0 0 ACCEPT all -- eth0 any anywhere anywhere mark match 0x8
0 0 ACCEPT all -- any eth0 xxxxxxx/23 10.108.0.0/20 policy match dir out pol ipsec proto esp
0 0 ACCEPT all -- any eth0 xxxxxxxxx 10.108.0.0/16 policy match dir out pol ipsec proto esp
104K 8108K ACCEPT all -- eth1 any 10.108.0.0/20 anywhere
49043 3738K ACCEPT all -- any eth1 anywhere 10.108.0.0/20 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 any 10.108.0.0/20 xxxxxxxxx policy match dir in pol ipsec proto esp
0 0 ACCEPT all -- any eth0 xxxxxxx 10.108.0.0/16 policy match dir out pol ipsec proto esp
0 0 ACCEPT all -- any eth0 192.168.22.0/24 10.108.0.0/16 policy match dir out pol ipsec proto esp
Chain OUTPUT (policy ACCEPT 306 packets, 26032 bytes)
pkts bytes target prot opt in out source destination
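An added diagnostic helper (not part of the post or of strongSwan) that parses netfilter TRACE lines like the ones above and reports which hop rewrote the packet's address or mark, where it left, and whether the packet at the last visible hop lies inside the CHILD_SA traffic selectors. The sample lines are the post's trace with the MAC= and ID= fields dropped; the selector values are the post's local_ts and remote_ts.

```python
import ipaddress
import re
# Constructed sample: the TRACE lines quoted in the post, MAC= and ID= fields
# dropped for brevity. Not a live capture.
TRACE_LINES = [
    "TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= SRC=10.108.0.3 DST=172.16.51.197",
    "TRACE: mangle:PREROUTING:rule:1 IN=eth1 OUT= SRC=10.108.0.3 DST=172.16.51.197",
    "TRACE: mangle:PREROUTING:policy:2 IN=eth1 OUT= SRC=10.108.0.3 DST=172.16.51.197 MARK=0x4",
    "TRACE: nat:PREROUTING:rule:2 IN=eth1 OUT= SRC=10.108.0.3 DST=172.16.51.197 MARK=0x4",
    "TRACE: mangle:FORWARD:policy:1 IN=eth1 OUT=eth0 SRC=10.108.0.3 DST=16.16.65.197 MARK=0x4",
    "TRACE: filter:FORWARD:rule:1 IN=eth1 OUT=eth0 SRC=10.108.0.3 DST=16.16.65.197 MARK=0x4",
    "TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=10.108.0.3 DST=16.16.65.197 MARK=0x4",
    "TRACE: nat:POSTROUTING:rule:2 IN= OUT=eth0 SRC=10.108.0.3 DST=16.16.65.197 MARK=0x4",
]

# table:chain:rule|policy|return:number, as printed by the TRACE target
HOP_RE = re.compile(r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>rule|policy|return):(?P<num>\d+)")

def parse_trace(lines):
    """One dict per hop: table, chain, kind, num plus the packet's key=value fields."""
    hops = []
    for line in lines:
        m = HOP_RE.search(line)
        if not m:
            continue  # unrelated dmesg output
        fields = dict(kv.split("=", 1) for kv in line[m.end():].split() if "=" in kv)
        hops.append({**m.groupdict(), **fields})
    return hops

def rewrites(hops):
    """(hop, field, before, after) for each hop that changed SRC, DST or MARK."""
    # Hop i's rewrite only shows up in hop i+1, so the last hop's effect is never visible.
    changes = []
    for prev, cur in zip(hops, hops[1:]):
        for key in ("SRC", "DST", "MARK"):
            if prev.get(key) != cur.get(key):
                where = "{table}:{chain}:{kind}:{num}".format(**prev)
                changes.append((where, key, prev.get(key), cur.get(key)))
    return changes

def egress(hops):
    """(OUT, SRC, DST, MARK) of the packet at the last traced hop."""
    return tuple(hops[-1].get(k) for k in ("OUT", "SRC", "DST", "MARK"))

def selector_match(hops, local_ts, remote_ts):
    """Whether the packet at the last hop lies inside the CHILD_SA traffic selectors."""
    _, src, dst, _ = egress(hops)
    return {"SRC": ipaddress.ip_address(src) in ipaddress.ip_network(local_ts),
            "DST": ipaddress.ip_address(dst) in ipaddress.ip_network(remote_ts)}
```

On the post's trace this attributes the MARK to mangle:PREROUTING:rule:1 and the DST rewrite to nat:PREROUTING:rule:2, while the source rewrite done by nat:POSTROUTING:rule:2 is after the last traced hop and therefore not visible.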