这是我第一次尝试站点到站点 VPN。我选择使用 IPec,因为它似乎是我需要完成的最佳解决方案。过去一周,我遵循了几个不同的教程,但收效甚微。现在,当我 ping 对方子网时,我似乎无法成功 ping。我知道我错过了什么,但我不知道是什么。
我能说的是,我应该在路由表中看到一些东西。目前,发往其他子网的流量未经封装就发出,并被第一个拾取不可路由的私有 IP 目的地的路由器丢弃。
我尝试将 MASQUERADE 和 RELATED、ESTABLISHED 规则添加到 iptables,认为可能会有帮助。最后我放弃了这个想法。目前 iptables 的默认策略是接受两个 Ubuntu 机器上的所有链。当 IPsec 正常工作时,我会进行一些调整。
“service ipsec status” 的输出
IPsec running - pluto pid: 1059
pluto pid 1059
1 tunnels up
some eroutes exist
两个站点上的 /etc/ipsec.conf
version 2
config setup
dumpdir=/var/run/pluto/
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
protostack=netkey
force_keepalive=yes
keep_alive=60
conn site1-site2
leftsubnets=10.248.248.64/16
rightsubnet=10.131.250.194/16
auto=start
left=162.243.XXX.XXX
right=178.62.YYY.YYY
leftid=@site1
rightid=@site2
authby=secret
ike=aes128-sha1;modp1024
phase2=esp
phase2alg=aes128-sha1;modp1024
aggrmode=no
ikelifetime=8h
salifetime=1h
dpddelay=10
dpdtimeout=40
dpdaction=restart
type=tunnel
forceencaps=yes
两个站点的“ipsec verify”输出(/etc/sysctl.conf 中已启用 IP 转发)
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.13.0-24-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [OK]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
站点 1:/etc/ipsec.secrets
# this file is managed with debconf and will contain the automatically created RSA keys
include /var/lib/openswan/ipsec.secrets.inc
162.243.XXX.XXX 178.62.YYY.YYY : PSK “sameRandomString“
Site1:“ip xfrm policy”的输出
src 10.248.0.0/16 dst 10.131.0.0/16
dir out priority 2608
tmpl src 162.243.XXX.XXX dst 178.62.YYY.YYY
proto esp reqid 16385 mode tunnel
src 10.131.0.0/16 dst 10.248.0.0/16
dir fwd priority 2608
tmpl src 178.62.YYY.YYY dst 162.243.XXX.XXX
proto esp reqid 16385 mode tunnel
src 10.131.0.0/16 dst 10.248.0.0/16
dir in priority 2608
tmpl src 178.62.YYY.YYY dst 162.243.XXX.XXX
proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
Site1:“ip route”的输出
default via 162.243.XXX.1 dev eth0
10.128.128.0/24 dev eth1 proto kernel scope link src 10.128.128.64
162.243.XXX.0/24 dev eth0 proto kernel scope link src 162.243.XXX.XXX
站点2:/etc/ipsec.secrets
# this file is managed with debconf and will contain the automatically created RSA keys
include /var/lib/openswan/ipsec.secrets.inc
178.62.YYY.YYY 162.243.XXX.XXX : PSK “sameRandomString“
Site2:“ip xfrm policy”的输出
src 10.131.0.0/16 dst 10.248.0.0/16
dir out priority 2608
tmpl src 178.62.YYY.YYY dst 162.243.XXX.XXX
proto esp reqid 16385 mode tunnel
src 10.248.0.0/16 dst 10.131.0.0/16
dir fwd priority 2608
tmpl src 162.243.XXX.XXX dst 178.62.YYY.YYY
proto esp reqid 16385 mode tunnel
src 10.248.0.0/16 dst 10.131.0.0/16
dir in priority 2608
tmpl src 162.243.XXX.XXX dst 178.62.YYY.YYY
proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
Site2:“ip route”的输出
default via 178.62.YYY.1 dev eth0
10.131.0.0/16 dev eth1 proto kernel scope link src 10.131.250.194
178.62.YYY.0/18 dev eth0 proto kernel scope link src 178.62.YYY.YYY
site2 上的 /var/log/auth.log 片段
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [Dead Peer Detection]
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=115
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: responding to Main Mode
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: Main mode peer ID is ID_IPV4_ADDR: '162.243.XXX.XXX'
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: new NAT mapping for #3, was 162.243.XXX.XXX:500, now 162.243.XXX.XXX:4500
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: Dead Peer Detection (RFC 3706): enabled
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: the peer proposed: 10.131.0.0/16:0/0 -> 10.248.0.0/16:0/0
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: responding to Quick Mode proposal {msgid:9e504ac0}
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: us: 10.131.0.0/16===178.62.YYY.YYY<178.62.YYY.YYY>
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: them: 162.243.XXX.XXX<162.243.XXX.XXX>===10.248.0.0/16
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: keeping refhim=4294901761 during rekey
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: Dead Peer Detection (RFC 3706): enabled
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x5b14c281 <0xd731b1b1 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=162.243.XXX.XXX:4500 DPD=enabled
任何帮助是极大的赞赏。
答案1
在我看来,您似乎试图让站点到站点隧道网关通过其内部 IP 地址而不是公共 IP 地址进行通信。为了使用单个隧道执行此操作,您需要配置左侧和右侧内部源地址。见下文...
leftsourceip=10.248.248.64
rightsourceip=10.131.250.194
添加这些行并重新启动 ipsec,然后您就可以使用内部网关进行 ping 操作。