I am using strongSwan to set up a VPN between a Linux instance running on Amazon EC2 and a remote network behind its Cisco concentrator. I need to route packets from the Linux instance itself to machines in the remote subnet.
The connection is established correctly, but no packets are routed.
I think I need to set up some specific routing rules; how do I do that?
Software
- Linux kernel 3.5.0-41,
- Ubuntu 12.10,
- strongSwan 5.1.1 (built from source),
- iptables: no rules.
Network
Local
- Amazon Elastic IP: 56.xxx
- Public-facing LAN IP: 172.xxx
- Local virtual subnet: 10.254.0.0/16
- Local virtual IP: 10.254.5.174
Remote
- Cisco concentrator public IP: 62.xxx
- Remote subnet: 10.192.0.0/12
Configuration
ipsec.conf
```
config setup

conn %default
    keyexchange = ikev1
    type = tunnel
    ikelifetime = 86400
    keylife = 28800
    keyingtries = %forever
    esp = 3des-sha
    ike = 3des-md5-modp1024
    forceencaps = yes
    leftauth = psk
    rightauth = psk

conn myconnection
    left = 172.x.x.x
    leftsubnet = 10.254.0.0/16
    leftsourceip = 10.254.5.174
    leftfirewall = yes
    right = 62.x.x.x
    rightsubnet = 10.192.0.0/12
    auto = route

include /var/lib/strongswan/ipsec.conf.inc
```
strongswan.conf
```
charon {
    cisco_unity = yes
    install_routes = yes
    install_virtual_ip = yes
    threads = 16
    plugins {
        sql {
            loglevel = -1
        }
    }
    filelog {
        /var/log/charon.log {
            time_format = %b %e %T
            default = 3
            flush_line = yes
        }
    }
}
pluto {
}
libstrongswan {
}
```
ipsec statusall
```
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.1, Linux 3.5.0-41-generic, x86_64):
  uptime: 4 days, since Jan 22 14:24:08 2014
  malloc: sbrk 270336, mmap 0, used 222672, free 47664
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3445
  loaded plugins: charon aes des rc2 sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc cmac hmac attr kernel-netlink resolve socket-default stroke updown xauth-generic
Listening IP addresses:
  172.x.x.x
  54.x.x.x
Connections:
    smsbrick:  172.x.x.x...62.x.x.x  IKEv1
    smsbrick:   local:  [172.x.x.x] uses pre-shared key authentication
    smsbrick:   remote: [62.x.x.x] uses pre-shared key authentication
    smsbrick:   child:  10.254.0.0/16 === 10.192.0.0/12 TUNNEL
Routed Connections:
 smsbrick{1}:  ROUTED, TUNNEL
 smsbrick{1}:   10.254.0.0/16 === 10.192.0.0/12
Security Associations (1 up, 0 connecting):
 smsbrick[8150]: ESTABLISHED 1 second ago, 172.x.x.x[172.x.x.x]...62.x.x.x[62.x.x.x]
 smsbrick[8150]: IKEv1 SPIs: xxxxxxxxxxxxxx_i* xxxxxxxxxxxxx_r, pre-shared key reauthentication in 23 hours
 smsbrick[8150]: IKE proposal: 3DES_CBC/HMAC_MD5_96/PRF_HMAC_MD5/MODP_1024
 smsbrick[8150]: Tasks queued: QUICK_MODE
 smsbrick[8150]: Tasks active: MODE_CONFIG
```
ip xfrm
```
# ip xfrm policy
src 10.192.0.0/12 dst 10.254.0.0/16
        dir fwd priority 3987
        tmpl src 62.x.x.x dst 172.x.x.x
                proto esp reqid 1 mode tunnel
src 10.192.0.0/12 dst 10.254.0.0/16
        dir in priority 3987
        tmpl src 62.x.x.x dst 172.x.x.x
                proto esp reqid 1 mode tunnel
src 10.254.0.0/16 dst 10.192.0.0/12
        dir out priority 3987
        tmpl src 172.x.x.x dst 62.x.x.x
                proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
src ::/0 dst ::/0
        socket in priority 0
src ::/0 dst ::/0
        socket out priority 0
```
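The xfrm policies in the dump above are selector-based: a packet the instance itself generates only enters the tunnel if the `dir out` selector covers both its source and its destination, so which local address the packet is sourced from decides whether it is encrypted or sent in the clear. The following is an added diagnostic, not code from the question or from strongSwan: it parses an `ip xfrm policy` dump (constructed here from the three tunnel policies shown, public endpoints left as the page's placeholders) and reports which source addresses the out policy would accept; `172.31.0.5` is a constructed stand-in for the instance's LAN address.

```python
import ipaddress
import re

# Constructed sample: the three tunnel policies from the `ip xfrm policy` dump above
# (public endpoints kept as the page's placeholders; socket catch-all policies omitted).
XFRM_POLICY_DUMP = """\
src 10.192.0.0/12 dst 10.254.0.0/16
        dir fwd priority 3987
        tmpl src 62.x.x.x dst 172.x.x.x
                proto esp reqid 1 mode tunnel
src 10.192.0.0/12 dst 10.254.0.0/16
        dir in priority 3987
        tmpl src 62.x.x.x dst 172.x.x.x
                proto esp reqid 1 mode tunnel
src 10.254.0.0/16 dst 10.192.0.0/12
        dir out priority 3987
        tmpl src 172.x.x.x dst 62.x.x.x
                proto esp reqid 1 mode tunnel
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)$")          # selector line of a policy
DIR_RE = re.compile(r"^\s*dir (\w+) priority (\d+)$")     # in / out / fwd line that follows it

def parse_xfrm_policies(dump):
    """Return (src_net, dst_net, direction, priority) for each policy that has a 'dir' line."""
    policies, selector = [], None
    for line in dump.splitlines():
        sel = SELECTOR_RE.match(line.strip())
        if sel:
            selector = (ipaddress.ip_network(sel.group(1)), ipaddress.ip_network(sel.group(2)))
            continue
        d = DIR_RE.match(line)
        if d and selector:
            policies.append((selector[0], selector[1], d.group(1), int(d.group(2))))
            selector = None  # tmpl/proto lines belong to this policy; ignore them
    return policies

def matching_out_policy(policies, src_ip, dst_ip):
    """Best 'out' policy (lowest priority number) whose selector covers a locally
    generated packet from src_ip to dst_ip; None means the packet bypasses IPsec."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    hits = [p for p in policies if p[2] == "out" and src in p[0] and dst in p[1]]
    return min(hits, key=lambda p: p[3]) if hits else None

if __name__ == "__main__":
    pols = parse_xfrm_policies(XFRM_POLICY_DUMP)
    for src in ("10.254.5.174", "172.31.0.5"):  # virtual IP vs. constructed LAN address
        hit = matching_out_policy(pols, src, "10.192.1.1")
        print(src, "-> 10.192.1.1:", "tunnelled" if hit else "no out policy, sent in the clear")
```

Run it against the live dump (`ip xfrm policy | python3 -`, after replacing the constant with `sys.stdin.read()`) to confirm which source address a local test packet must carry before blaming the routing table.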
Answer 1
Sorry, I can't make any comment on this topic, as there isn't much information about troubleshooting this particular configuration.
My configuration:
- AWS: Strongswan 5.1.3
- Corporate: Cisco ASA5520 8.4(4)1
Symptoms:
- Can always initiate the tunnel from the Cisco ASA private LAN and ping to the AWS private LAN.
- On tunnel timeout/restart, I cannot initiate or ping from AWS to the Cisco ASA unless/until traffic is generated from the Cisco ASA side.
IPSEC STATUSALL reveals: Tasks active: MODE_CONFIG Tasks queued: QUICK_MODE
I found that with modeconfig=push and leftsourceip= configured, it got stuck at:
Tasks active: MODE_CONFIG Tasks queued: QUICK_MODE
After removing modeconfig=push it got stuck at:
Tasks active: MODE_CONFIG
After removing leftsourceip= as well it worked: everything came back up and is stable.
I think the PIX needs these two, and perhaps some older versions of the ASA do too, but this one does not.