I have set up a tunnel between an UBUNTU SERVER Linux box and a CISCO ROUTER.
The topology is as follows:
host 1 ------ UBUNTU SERVER IPSEC <---> CISCO ROUTER ------ host 2
   |                  |                      |                 |
   |                  |                      |                 |
192.168.64.0/24    1.2.3.4                4.3.2.1        10.10.20.0/24
Here is my problem: the tunnel is installed and comes up correctly. From the CISCO router I can definitely ping any host on the 192.168.64.0/24 network. But from the 192.168.64.0/24 network I cannot ping any host on the 10.10.20.0/24 network.
Here is some information:
ipsec.conf:
conn my_vpn
auto=start
authby=secret
ike=aes256-md5
phase2=esp
phase2alg=aes256-md5
type=tunnel
left=1.2.3.4
leftsubnet=192.168.64.0/24
leftnexthop=%defaultroute
leftupdown="ipsec _updown --route yes"
keyingtries=3
keyexchange=ike
pfs=no
right=4.3.2.1
rightsubnet=10.10.20.0/24
Output of the ipsec look command:
XFRM state:
src 4.3.2.1 dst 1.2.3.4
proto esp spi 0x0f9898dd reqid 16385 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(md5) 0xSOMEVALUE
enc cbc(aes) 0xSOMEOHTERVALUE
src 1.2.3.4 dst 4.3.2.1
proto esp spi 0x667b62d8 reqid 16385 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(md5) 0xSOMEVALUE
enc cbc(aes) 0xSOMEOHTERVALUE
XFRM policy:
src 192.168.64.0/24 dst 10.10.20.0/24
dir out priority 2344
tmpl src 1.2.3.4 dst 4.3.2.1
proto esp reqid 16385 mode tunnel
src 10.10.20.0/24 dst 192.168.64.0/24
dir fwd priority 2344
tmpl src 4.3.2.1 dst 1.2.3.4
proto esp reqid 16385 mode tunnel
src 10.10.20.0/24 dst 192.168.64.0/24
dir in priority 2344
tmpl src 4.3.2.1 dst 1.2.3.4
proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
XFRM done
IPSEC mangle TABLES
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
NEW_IPSEC_CONN mangle TABLES
iptables: No chain/target/match by that name.
ip6tables: No chain/target/match by that name.
ROUTING TABLES
default dev ppp0 scope link
10.10.20.0/24 via 1.2.3.GW dev ppp0
1.2.3.GW dev ppp0 proto kernel scope link src 1.2.3.4
where 1.2.3.GW is the gateway for 1.2.3.4.
Output of the ipsec verify command:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.37/K3.2.0-38-generic-pae (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [FAILED]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
I should add that the UBUNTU box has a ppp0 connection carrying its public IP address, 1.2.3.4.
Static routing information:
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 ppp0
10.10.20.0 1.2.3.GW 255.255.255.0 UG 0 0 0 ppp0
Any ideas?
Answer 1
I have run into this before. If your tunnel comes up correctly and the Cisco side can ping the 192.168 network, then your tunnel is up and passing traffic.
If you cannot ping back to the Cisco or the 10.10 segment, the problem is not the tunnel.
The problem is most likely that you are using the Ubuntu box as the firewall through which 192.168 reaches the internet, so iptables is set up to masquerade the network's traffic.
The default setup is something like the following nat rule, assuming eth1 is the public interface:
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
The problem is that the ipsec traffic also leaves via eth1, so you are trying to masquerade it as well.
Insert a rule before the masquerade rule saying that ipsec traffic should not be masqueraded but simply accepted, and strongswan will do the rest:
iptables -t nat -I POSTROUTING 1 -d 10.10.20.0/24 -o eth1 -j ACCEPT
So running iptables -L -v -n -t nat
should give you the following:
Chain PREROUTING (policy ACCEPT 8875K packets, 566M bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 4898K packets, 325M bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1089K packets, 82M bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1412 packets, 119K bytes)
pkts bytes target prot opt in out source destination
4 336 ACCEPT all -- * eth1 0.0.0.0/0 10.10.20.0/24
101M 6481M MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0
Note that the ACCEPT line sits before the MASQUERADE line: it matches first and the packet is left unchanged.
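The ordering matters because nat POSTROUTING rewrites the packet before it is handed to the IPsec transform: once the source has been masqueraded to 1.2.3.4, the packet no longer matches the XFRM policy selector src 192.168.64.0/24 dst 10.10.20.0/24 shown in the ipsec look output, so it never enters the tunnel. The following is an added example, not code from the question or the answer above, that parses iptables -L -v -n -t nat output in the format shown in the answer and reports whether the exempting ACCEPT rule for the remote subnet precedes every MASQUERADE rule on the public interface. The sample table dumps embedded below are constructed from the answer's output; the interface name eth1 and the helper names are this example's own assumptions.

```python
"""Check that nat POSTROUTING exempts an IPsec remote subnet from MASQUERADE.

Parses the output format of `iptables -L -v -n -t nat` (as reproduced in the
answer) and verifies that an ACCEPT rule covering the remote subnet on the
public interface comes before any MASQUERADE rule on that interface.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    chain: str
    index: int        # 1-based position within its chain, as iptables numbers rules
    target: str
    out_iface: str
    source: str
    destination: str
    extra: str        # trailing match text, e.g. "policy match dir out pol ipsec"


def parse_nat_table(text):
    """Parse `iptables -L -v -n` style output into Rule objects."""
    rules, chain, index = [], None, 0
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Chain "):
            chain, index = line.split()[1], 0   # "Chain POSTROUTING (policy ...)"
            continue
        if line.startswith("pkts "):
            continue                            # column header row
        # pkts bytes target prot opt in out source destination [extra...]
        fields = line.split(None, 9)
        if chain is None or len(fields) < 9:
            raise ValueError(f"unparsable rule line: {line!r}")
        index += 1
        extra = fields[9] if len(fields) > 9 else ""
        rules.append(Rule(chain, index, fields[2], fields[6], fields[7], fields[8], extra))
    return rules


def _covers(rule_dst, subnet):
    """True if the rule's destination network contains the whole remote subnet."""
    a, b = ipaddress.ip_network(rule_dst), ipaddress.ip_network(subnet)
    return a.version == b.version and b.subnet_of(a)


def check_ipsec_exemption(nat_output, remote_subnet, public_iface):
    """Return (ok, reason) for the MASQUERADE/ACCEPT ordering in POSTROUTING."""
    post = [r for r in parse_nat_table(nat_output) if r.chain == "POSTROUTING"]
    on_iface = lambda r: r.out_iface in ("*", public_iface)
    masq = [r for r in post if r.target == "MASQUERADE" and on_iface(r)]
    if not masq:
        return True, f"no MASQUERADE rule on {public_iface}; nothing to exempt"
    accept = [r for r in post if r.target == "ACCEPT" and on_iface(r)
              and _covers(r.destination, remote_subnet)]
    if not accept:
        return False, (f"MASQUERADE (rule {masq[0].index}) also rewrites traffic to "
                       f"{remote_subnet}; no exempting ACCEPT rule found")
    if accept[0].index > masq[0].index:
        return False, (f"ACCEPT for {remote_subnet} is rule {accept[0].index} but MASQUERADE "
                       f"is rule {masq[0].index}; the ACCEPT must come first")
    return True, f"ACCEPT rule {accept[0].index} exempts {remote_subnet} before MASQUERADE rule {masq[0].index}"


# Constructed sample dumps (modelled on the answer's output, counters invented).
FIXED_TABLE = """\
Chain PREROUTING (policy ACCEPT 8875K packets, 566M bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain POSTROUTING (policy ACCEPT 1412 packets, 119K bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   336 ACCEPT     all  --  *      eth1    0.0.0.0/0            10.10.20.0/24
 101M 6481M MASQUERADE all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
"""

BROKEN_TABLE = """\
Chain POSTROUTING (policy ACCEPT 1412 packets, 119K bytes)
 pkts bytes target     prot opt in     out     source               destination
 101M 6481M MASQUERADE all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
"""

MISORDERED_TABLE = """\
Chain POSTROUTING (policy ACCEPT 1412 packets, 119K bytes)
 pkts bytes target     prot opt in     out     source               destination
 101M 6481M MASQUERADE all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    4   336 ACCEPT     all  --  *      eth1    0.0.0.0/0            10.10.20.0/24
"""

if __name__ == "__main__":
    for name, table in (("fixed", FIXED_TABLE), ("broken", BROKEN_TABLE),
                        ("misordered", MISORDERED_TABLE)):
        ok, reason = check_ipsec_exemption(table, "10.10.20.0/24", "eth1")
        print(f"{name:10s} {'OK ' if ok else 'BAD'} {reason}")
```

On the questioner's box the public interface is ppp0 rather than eth1, so the same check would be run with "ppp0". A more general exemption than a per-subnet ACCEPT is the policy match, e.g. iptables -t nat -I POSTROUTING 1 -m policy --dir out --pol ipsec -j ACCEPT, which exempts any packet that matches an installed IPsec policy; the parser above keeps that trailing match text in Rule.extra so such rules can be recognised too.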