Given a remote (centralized) VPN server with a StrongSwan IKEv2 setup and an external static IP:
- centralized server internal IP 192.168.1.65, network 192.168.1.64/27
Two gateways doing NAT for their internal networks:
- first gateway internal IP 192.168.1.33, network 192.168.1.32/27;
- second gateway internal IP 192.168.1.1, network 192.168.1.0/27;
The gateways also use StrongSwan to connect to the centralized server.
Connections from the gateways to the server and from the server to the gateways work fine: ping works, and services on the server/gateways are reachable. Devices behind the gateways can also reach the server without any problem.
The problems start when I try to reach computers behind one gateway from behind the other gateway.
Configuration:
Centralized:
conn base
keyexchange = ikev2
keyingtries = %forever
forceencaps = yes
compress = no
left = centralized
leftid = @centralized
leftauth = pubkey
leftca = "..."
leftcert = centralized.crt
leftupdown = sudo -E ipsec _updown iptables
leftsubnet = 192.168.1.65
right = %any
rightauth = pubkey
rightauth2 = psk
rightca = %same
conn gateway-first
auto = add
rightid = @gateway-first
rightcert = gateway-first.crt
rightsubnet = 192.168.1.32/27
rightsourceip = 192.168.1.66
also = base
conn gateway-second
auto = add
rightid = @gateway-second
rightcert = gateway-second.crt
rightsubnet = 192.168.1.0/27
rightsourceip = 192.168.1.67
also = base
First gateway:
conn gateway-first
auto = route
dpdaction = restart
closeaction = restart
keyexchange = ikev2
keyingtries = %forever
forceencaps = yes
compress = no
rightid = @centralized
right = centralized
rightauth = pubkey
rightca = "..."
rightcert = centralized.crt
rightsubnet = 192.168.1.65,192.168.1.0/27
leftid = @gateway-first
left = %defaultroute
leftauth = pubkey
leftauth2 = psk
leftca = %same
leftcert = gateway-first.crt
leftupdown = sudo -E ipsec _updown iptables
leftsubnet = 192.168.1.32/27
leftsourceip = %config4
Second gateway:
conn gateway-second
auto = route
dpdaction = restart
closeaction = restart
keyexchange = ikev2
keyingtries = %forever
forceencaps = yes
compress = no
rightid = @centralized
right = centralized
rightauth = pubkey
rightca = "..."
rightcert = centralized.crt
rightsubnet = 192.168.1.65,192.168.1.32/27
leftid = @gateway-second
left = %defaultroute
leftauth = pubkey
leftauth2 = psk
leftca = %same
leftcert = gateway-second.crt
leftupdown = sudo -E ipsec _updown iptables
leftsubnet = 192.168.1.1/27
leftsourceip = %config4
When pinging the second gateway from a computer behind the first gateway (source computer IP 192.168.1.40) while running tcpdump on the centralized server at the same time, it shows:
tcpdump -i eth0 host 192.168.1.1 -n
error : ret -1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:27:49.030650 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 35, length 64
21:27:50.026652 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 36, length 64
21:27:51.031805 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 37, length 64
21:27:52.041165 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 38, length 64
21:27:53.029530 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 39, length 64
So according to this log, the packets reach the centralized server but are never forwarded to 192.168.1.1.
I have enabled forwarding on the centralized server and on both gateways:
net.ipv4.ip_forward = 1
Routing table on the centralized server:
# ip route
default via yy.yy.yy.yy dev eth0 proto static
zz.zz.zz.zz dev eth0 proto kernel scope link src xx.xx.xx.xx
192.168.1.64/27 via 192.168.1.65 dev eth1 proto static
And routing table #220 (VPN):
# ip route show table 220
192.168.1.0/27 via 5.189.141.1 dev eth0 proto static src 192.168.1.65
192.168.1.32/27 via 5.189.141.1 dev eth0 proto static src 192.168.1.65
Any ideas how to enable forwarding between the two different tunnels?
Answer 1
Try adding the subnets of both gateways to leftsubnet on the central server. Even though rightsubnet on each gateway includes the respective other subnet, the traffic selectors are narrowed to what is configured in leftsubnet on the central server (i.e. 192.168.1.65). You should see this in the output of ipsec statusall. You could also configure leftsubnet=0.0.0.0/0 on the central server; it will then accept whatever the gateways propose as their rightsubnet.
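Added here to illustrate the narrowing the answer describes (example code, not strongSwan's own code): a small Python model of IKEv2 traffic-selector narrowing, run over the subnets from the question. The proposed rightsubnet of gateway-first and the leftsubnet values are taken from the question; the narrowing rule (of two overlapping CIDR selectors, keep the more specific one) is an assumption that reflects how CIDR blocks intersect, not a call into strongSwan.

```python
import ipaddress
from typing import List


def parse_selectors(spec: str) -> List[ipaddress.IPv4Network]:
    """Parse a strongSwan-style comma-separated subnet list such as
    '192.168.1.65,192.168.1.0/27'. A bare address is treated as a /32."""
    return [ipaddress.ip_network(s.strip(), strict=False)
            for s in spec.split(",") if s.strip()]


def narrow(configured: str, proposed: str) -> List[ipaddress.IPv4Network]:
    """Model of IKEv2 traffic-selector narrowing (RFC 7296, section 2.9):
    the responder only accepts the part of the initiator's proposal that it
    is itself configured for. Two CIDR blocks either nest or are disjoint,
    so their overlap is simply the one with the longer prefix."""
    result: List[ipaddress.IPv4Network] = []
    for local in parse_selectors(configured):
        for remote in parse_selectors(proposed):
            if not local.overlaps(remote):
                continue
            narrowed = local if local.prefixlen >= remote.prefixlen else remote
            if narrowed not in result:
                result.append(narrowed)
    return result


def fmt(nets: List[ipaddress.IPv4Network]) -> str:
    """Render selectors the way ipsec statusall prints them (host as bare IP)."""
    return ",".join(str(n.network_address) if n.prefixlen == 32 else str(n)
                    for n in nets)


# Constructed from the question: gateway-first proposes its rightsubnet as TSr.
GATEWAY_FIRST_TSR = "192.168.1.65,192.168.1.0/27"

if __name__ == "__main__":
    # Central server as posted: leftsubnet = 192.168.1.65 -> the second
    # gateway's subnet is dropped from the selector, so nothing is forwarded.
    print("as posted   :", fmt(narrow("192.168.1.65", GATEWAY_FIRST_TSR)))
    # Central server with the other gateway's subnet added, as the answer suggests.
    print("with subnet :", fmt(narrow("192.168.1.65,192.168.1.0/27", GATEWAY_FIRST_TSR)))
    # leftsubnet = 0.0.0.0/0 accepts whatever the gateway proposes.
    print("0.0.0.0/0   :", fmt(narrow("0.0.0.0/0", GATEWAY_FIRST_TSR)))
```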