Linux 2.6 IPSEC does not forward packets from LAN to VPN

I have a site-to-site VPN from 10.132.2.0/24 to 10.132.1.0/24. The problem I am facing is that packets from the VPN are forwarded to the LAN and I can see them on the LAN server, but packets from the LAN are not forwarded to 10.132.2.0/24; they are just eaten. I cannot see them with ip xfrm monitor, and tshark on the machine's egress shows no ESP or any other kind of packet being sent. However, I can ping the remote network from the internal gateway.

Topology: 10.132.2.0/24 (remote network) | Internet | 10.132.1.1/24 (internal gateway address) | 10.132.1.2/24 (LAN server)

So, any ideas what I am missing here?

~# setkey -DP
(per-socket policy)
        Policy:[Invalid direciton]
        created: Nov 11 10:40:08 2011  lastused: Nov 11 10:40:20 2011
        lifetime: 0(s) validtime: 0(s)
        spid=828 seq=1 pid=19622
        refcnt=1
(per-socket policy)
        Policy:[Invalid direciton]
        created: Nov 11 10:40:08 2011  lastused: Nov 11 10:40:20 2011
        lifetime: 0(s) validtime: 0(s)
        spid=819 seq=2 pid=19622
        refcnt=1
10.132.2.0/24[any] 10.132.3.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/192.194.49.60-178.251.144.164/require
        created: Nov 11 10:40:05 2011  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=810 seq=3 pid=19622
        refcnt=1
10.132.2.0/24[any] 10.132.3.0/24[any] any
        in prio def ipsec
        esp/tunnel/192.194.49.60-178.251.144.164/require
        created: Nov 11 10:40:05 2011  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=800 seq=4 pid=19622
        refcnt=1
10.132.3.0/24[any] 10.132.2.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/178.251.144.164-192.194.49.60/require
        created: Nov 11 10:40:05 2011  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=794 seq=5 pid=19622
        refcnt=1
10.132.3.0/24[any] 10.132.2.0/24[any] any
        out prio def ipsec
        esp/tunnel/178.251.144.164-192.194.49.60/require
        created: Nov 11 10:40:05 2011  lastused:
        lifetime: 0(s) validtime: 0(s)
        spid=785 seq=6 pid=19622
        refcnt=1
10.132.1.0/24[any] 10.132.2.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/178.251.144.164-192.194.49.60/require
        created: Nov 11 10:40:05 2011  lastused: Nov 11 10:46:56 2011
        lifetime: 0(s) validtime: 0(s)
        spid=778 seq=7 pid=19622
        refcnt=3
10.132.1.0/24[any] 10.132.2.0/24[any] any
        out prio def ipsec
        esp/tunnel/178.251.144.164-192.194.49.60/require
        created: Nov 11 10:40:05 2011  lastused: Nov 11 10:46:48 2011
        lifetime: 0(s) validtime: 0(s)
        spid=769 seq=8 pid=19622
        refcnt=15
10.132.2.0/24[any] 10.132.1.0/24[any] any
        fwd prio def ipsec
        esp/tunnel/192.194.49.60-178.251.144.164/require
        created: Nov 11 10:40:05 2011  lastused: Nov 11 10:46:56 2011
        lifetime: 0(s) validtime: 0(s)
        spid=762 seq=9 pid=19622
        refcnt=3
10.132.2.0/24[any] 10.132.1.0/24[any] any
        in prio def ipsec
        esp/tunnel/192.194.49.60-178.251.144.164/require
        created: Nov 11 10:40:05 2011  lastused: Nov 11 10:46:48 2011
        lifetime: 0(s) validtime: 0(s)
        spid=752 seq=0 pid=19622
        refcnt=15

Answer 1

...answering my own question for the benefit of others: the solution is to NOT set the fwd policy in setkey.conf (ipsec-tools.conf), or whatever the file is called. Setting it yourself only makes things go wrong.
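A minimal setkey.conf for the gateway side described in this thread, as an added example that is not part of the original question or answer: it shows the hand-set fwd policies from the dump above next to the corrected out/in-only form, with the gateway addresses and subnets taken from that dump and the SAs assumed to come from IKE (e.g. racoon). The reason the fwd entries hurt: Linux checks fwd policies against packets it forwards, and a fwd policy that requires ESP is only satisfied by a packet that arrived inside ESP, so cleartext LAN traffic bound for the remote subnet fails the check and is dropped before it ever reaches xfrm output (hence nothing in ip xfrm monitor and no ESP on the wire).

```conf
#!/usr/sbin/setkey -f
# Added example: policy-only setkey.conf for the gateway at
# 178.251.144.164 (LAN 10.132.1.0/24), peering with 192.194.49.60
# (remote 10.132.2.0/24). Keys/SAs are negotiated by IKE, not listed here.

flush;
spdflush;

# What the question's dump shows, and what to avoid: fwd policies written
# by hand for both directions. The LAN -> remote one is what eats the
# outbound traffic. Left commented out on purpose.
#   spdadd 10.132.1.0/24 10.132.2.0/24 any -P fwd ipsec
#       esp/tunnel/178.251.144.164-192.194.49.60/require;
#   spdadd 10.132.2.0/24 10.132.1.0/24 any -P fwd ipsec
#       esp/tunnel/192.194.49.60-178.251.144.164/require;

# Corrected: declare only the out and in policies and let the tools
# take care of the forward direction.
spdadd 10.132.1.0/24 10.132.2.0/24 any -P out ipsec
    esp/tunnel/178.251.144.164-192.194.49.60/require;

spdadd 10.132.2.0/24 10.132.1.0/24 any -P in ipsec
    esp/tunnel/192.194.49.60-178.251.144.164/require;
```

Load it with `setkey -f /etc/ipsec-tools.conf` and confirm with `setkey -DP` that no fwd entry for 10.132.1.0/24 -> 10.132.2.0/24 remains before retesting from the LAN server.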
