Strongswan 在两个 IPsec 隧道之间转发流量

Strongswan 在两个 IPsec 隧道之间转发流量

给定一个具有 StrongSwan IKEv2 设置和外部静态 IP 的远程(集中式)VPN 服务器:

  • 集中式服务器内部IP 192.168.1.65,网络192.168.1.64/27

两个网关为内部网络做 NAT:

  • 第一网关内部IP 192.168.1.33,网络:192.168.1.32/27;
  • 第二网关内部IP 192.168.1.1,网络:192.168.1.0/27;

网关也使用 StrongSwan 连接到集中式服务器。

从网关到服务器以及从服务器到网关的连接工作正常:ping 工作正常,可以访问服务器/网关上的服务。网关后面的设备也可以毫无问题地访问服务器。

当我尝试访问不同网关之间的计算机时,问题就开始了。

配置:

集中:

conn base
    keyexchange = ikev2
    keyingtries = %forever
    forceencaps = yes
    compress = no

    left = centralized
    leftid = @centralized
    leftauth = pubkey
    leftca = "..."
    leftcert = centralized.crt
    leftupdown = sudo -E ipsec _updown iptables
    leftsubnet = 192.168.1.65

    right = %any
    rightauth = pubkey
    rightauth2 = psk
    rightca = %same

conn gateway-first
    auto = add
    rightid = @gateway-first
    rightcert = gateway-first.crt
    rightsubnet = 192.168.1.32/27
    rightsourceip = 192.168.1.66
    also = base

conn gateway-second
    auto = add
    rightid = @gateway-second
    rightcert = gateway-second.crt
    rightsubnet = 192.168.1.0/27
    rightsourceip = 192.168.1.67
    also = base

网关优先:

conn gateway-first
    auto = route
    dpdaction = restart
    closeaction = restart
    keyexchange = ikev2
    keyingtries = %forever
    forceencaps = yes
    compress = no

    rightid = @centralized
    right = centralized
    rightauth = pubkey
    rightca = "..."
    rightcert = centralized.crt
    rightsubnet = 192.168.1.65,192.168.1.0/27

    leftid = @gateway-first
    left = %defaultroute
    leftauth = pubkey
    leftauth2 = psk
    leftca = %same
    leftcert = gateway-first.crt
    leftupdown = sudo -E ipsec _updown iptables
    leftsubnet = 192.168.1.32/27
    leftsourceip = %config4

第二个网关:

conn gateway-second
    auto = route
    dpdaction = restart
    closeaction = restart
    keyexchange = ikev2
    keyingtries = %forever
    forceencaps = yes
    compress = no

    rightid = @centralized
    right = centralized
    rightauth = pubkey
    rightca = "..."
    rightcert = centralized.crt
    rightsubnet = 192.168.1.65,192.168.1.32/27

    leftid = @gateway-second
    left = %defaultroute
    leftauth = pubkey
    leftauth2 = psk
    leftca = %same
    leftcert = gateway-second.crt
    leftupdown = sudo -E ipsec _updown iptables
    leftsubnet = 192.168.1.1/27
    leftsourceip = %config4

当尝试 ping 时第二网关从电脑后面网关优先(源计算机IP为192.168.1.40)并运行tcp转储集中服务器同时显示:

tcpdump -i eth0 host 192.168.1.1 -n
error : ret -1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:27:49.030650 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 35, length 64
21:27:50.026652 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 36, length 64
21:27:51.031805 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 37, length 64
21:27:52.041165 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 38, length 64
21:27:53.029530 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 39, length 64

因此,根据此日志,数据包到达集中服务器,但从未转发到192.168.1.1

在集中式服务器和两个网关上,我都启用了转发:

net.ipv4.ip_forward = 1

集中服务器上的路由表:

# ip route
default via yy.yy.yy.yy dev eth0  proto static 
zz.zz.zz.zz dev eth0  proto kernel  scope link  src xx.xx.xx.xx
192.168.1.64/27 via 192.168.1.65 dev eth1  proto static

还有路由表#220 (VPN):

# ip route show table 220
192.168.1.0/27 via 5.189.141.1 dev eth0  proto static  src 192.168.1.65 
192.168.1.32/27 via 5.189.141.1 dev eth0  proto static  src 192.168.1.65 

有什么想法如何在两个不同的隧道之间启用转发吗?

答案1

尝试将两个网关的子网添加到leftsubnet中央服务器上。即使rightsubnet每个网关上都包含相应的相反子网,流量选择器也会缩小到中央服务器上配置的范围leftsubnet(即192.168.1.65)。您应该在 的输出中看到这一点ipsec statusall。你也可以leftsubnet=0.0.0.0/0在中央服务器上配置,然后它会接受任何事物网关建议作为他们的rightsubnet.

相关内容