SSH 无法通过 IPSec 隧道工作(Strongswan)

SSH 无法通过 IPSec 隧道工作(Strongswan)

我在云虚拟机上配置了一个小型网络。此虚拟机有一个分配给 eth0 接口的静态 IP 地址,我将其称为 $EXTIP。mydomain.com 指向 $EXTIP。里面有一些 Linux 容器,它们通过子网 10.0.0.0/24 中的 DHCP 获取 IP(我称之为虚拟接口纳特)。它们运行一些可以通过 DNAT 访问的服务。然后我想通过 IPSec 隧道连接到这些容器,因此我配置了 StrongSwan。

ipsec.conf:

conn %default
        dpdaction=none
        rekey=no

conn remote
        keyexchange=ikev2
        ike=########
        left=[$EXTIP]
        leftsubnet=10.0.1.0/24,10.0.0.0/24
        leftauth=pubkey
        lefthostaccess=yes
        leftcert=########.pem
        leftfirewall=yes
        leftid="#########"
        right=%any
        rightsourceip=10.0.1.0/24
        rightauth=########
        rightid=%any
        rightsendcert=never
        eap_identity=%any
        auto=add
        type=tunnel

一切正常,IPSec 客户端获取 10.0.1.0/24 子网的 IP 并可以访问容器子网。我的问题是我无法通过隧道建立 SSH 连接。它根本不起作用,ssh 客户端不会产生任何输出。使用 tcpdump 嗅探得到:

tcpdump:

09:50:29.648206 ARP, Request who-has 10.0.0.1 tell mydomain.com, length 28
09:50:29.648246 ARP, Reply 10.0.0.1 is-at 00:ff:aa:00:00:01 (oui Unknown), length 28
09:50:29.648253 IP mydomain.com.54869 > 10.0.0.1.ssh: Flags [S], seq 4007849772, win 29200, options [mss 1460,sackOK,TS val 1151153 ecr 0,nop,wscale 7], length 0
09:50:29.648296 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [S.], seq 2809522632, ack 4007849773, win 14480, options [mss 1460,sackOK,TS val 11482992 ecr 1151153,nop,wscale 6], length 0
09:50:29.677225 IP mydomain.com.54869 > 10.0.0.1.ssh: Flags [.], ack 2809522633, win 229, options [nop,nop,TS val 1151162 ecr 11482992], length 0
09:50:29.679370 IP mydomain.com.54869 > 10.0.0.1.ssh: Flags [P.], seq 0:23, ack 1, win 229, options [nop,nop,TS val 1151162 ecr 11482992], length 23
09:50:29.679403 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [.], ack 24, win 227, options [nop,nop,TS val 11483002 ecr 1151162], length 0
09:50:29.684337 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [P.], seq 1:32, ack 24, win 227, options [nop,nop,TS val 11483003 ecr 1151162], length 31
09:50:29.685471 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [.], seq 32:1480, ack 24, win 227, options [nop,nop,TS val 11483003 ecr 1151162], length 1448
09:50:29.685519 IP mydomain.com > 10.0.0.1: ICMP mydomain.com unreachable - need to frag (mtu 1422), length 556
09:50:29.685567 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [.], seq 32:1402, ack 24, win 227, options [nop,nop,TS val 11483003 ecr 1151162], length 1370
09:50:29.685572 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [.], seq 1402:1480, ack 24, win 227, options [nop,nop,TS val 11483003 ecr 1151162], length 78
09:50:29.714601 IP mydomain.com.54869 > 10.0.0.1.ssh: Flags [.], ack 32, win 229, options [nop,nop,TS val 1151173 ecr 11483003], length 0
09:50:29.714642 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [P.], seq 1480:1600, ack 24, win 227, options [nop,nop,TS val 11483012 ecr 1151173], length 120
09:50:29.723649 IP mydomain.com.54869 > 10.0.0.1.ssh: Flags [P.], seq 1393:1959, ack 32, win 229, options [nop,nop,TS val 1151174 ecr 11483003], length 566
09:50:29.723677 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [.], ack 24, win 227, options [nop,nop,TS val 11483015 ecr 1151173,nop,nop,sack 1 {1394:1960}], length 0
09:50:29.725688 IP mydomain.com.54869 > 10.0.0.1.ssh: Flags [.], ack 1480, win 251, options [nop,nop,TS val 1151177 ecr 11483003], length 0
09:50:29.952394 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [P.], seq 1480:1600, ack 24, win 227, options [nop,nop,TS val 11483084 ecr 1151173,nop,nop,sack 1 {1394:1960}], length 120
09:50:29.981056 IP mydomain.com.54869 > 10.0.0.1.ssh: Flags [.], ack 1600, win 251, options [nop,nop,TS val 1151253 ecr 11483084,nop,nop,sack 1 {1480:1600}], length 0

如果您需要,这是我的 iptables 配置文件:

iptables:

*filter
:INPUT ACCEPT [144:9669]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [97:15649]
:interfacce-trusted - [0:0]
:porte-trusted - [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j interfacce-trusted
-A FORWARD -j porte-trusted
-A FORWARD -j REJECT --reject-with icmp-host-unreachable
-A FORWARD -d 10.0.0.1/32 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.0.1/32 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 10.0.0.3/32 -p tcp -m tcp --dport 1234 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A interfacce-trusted -i nat -j ACCEPT
-A porte-trusted -d 10.0.0.1/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A porte-trusted -d 10.0.0.1/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A porte-trusted -d 10.0.0.3/32 -p tcp -m tcp --dport 1234 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [10:600]
:INPUT ACCEPT [10:600]
:OUTPUT ACCEPT [4:268]
:POSTROUTING ACCEPT [18:1108]
-A PREROUTING -d [$EXTIP] -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.1:80
-A PREROUTING -d [$EXTIP] -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.1:443
-A PREROUTING -d [$EXTIP] -p tcp -m tcp --dport 8069 -j DNAT --to-destination 10.0.0.3:1234
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.1.0/24 -o nat -j MASQUERADE
-A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
COMMIT

也许我忽略了一些愚蠢的事情......提前感谢你的帮助:))

答案1

问题在于数据包碎片。使用 mangle 表中的一条简单规则来管理 MSS,我解决了我的问题 :)

iptables -t mangle -A FORWARD -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

答案2

就我而言,这也是一个碎片问题。很难找出原因。我的症状如下:

  • ping 在启动方向上工作
  • ssh 仅在从 host2 到 host1 的一个方向上有效

我找到了答案这里并且能够使用以下命令在启动主机上设置 tcpdump:

# configure filter log group:
sudo iptables -I INPUT -m addrtype --dst-type LOCAL -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
sudo iptables -I OUTPUT -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5

# verify configuration:
sudo iptables -L --line-numbers
...
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    NFLOG      all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL policy match dir in pol ipsec nflog-group 5
...
Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination
1    NFLOG      all  --  anywhere             anywhere             policy match dir out pol ipsec nflog-group 5

# observe the logs (use you own setting for the grep):
sudo tcpdump -s 0 --print -n -i nflog:5 -w ./ipsec_ssh.pcap \
  grep  "{ip_address_to_check}.{port}" | tee -a host1_ssh.log

# remove roles:
sudo iptables -D INPUT 1
sudo iptables -D OUTPUT 1

我对两台主机都进行了同样的操作,并比较了它们的输出。只有较小的包到达了主机 2。

此外,该图这里非常有帮助,并且有来自这里我试图猜测必须插入 mss 限制的位置。

就我的情况而言,host1 上的以下规则解决了该问题:

sudo iptables -t mangle -A PREROUTING -m policy --pol ipsec -p tcp -m tcp --dir in --tcp-flags SYN,RST SYN -m tcpmss --mss 1360:1535 -j TCPMSS --set-mss 1360

相关内容