任务: 在连接到 VPN 服务器(在 Ubuntu 上)的远程客户端(192.168.79.0/24)和连接到 Cisco ASA 的公司网络(10.1.2.0/24)之间建立通信。
架构: 192.168.79.0/24 <-Strongswan RA-> Ubuntu srv <-Strongswan s2s-> ASA(10.1.2.0/24)
问题 1。客户端未从 VPN 服务器接收路由。但 Strongswan 发送了路由。“在远程网络上使用默认网关”未选中。
Mar 11 17:41:20 ubuntuSrv charon: 07[IKE] CHILD_SA ASA{1} established with SPIs ccdbd590_i 7cf6b605_o and TS 192.168.79.0/24 === 10.1.2.0/24
问题 2。流量从 192.168.79.10 流向 10.1.2.85,但反之则不然。“在远程网络上使用默认网关”被临时选中,客户端使用默认路由连接到 VPN。
Ubuntu srv Strongswan 配置
cat /etc/ipsec.conf
config setup
# uniqueids=never
charondebug="cfg 2, dmn 2, ike 2, net 2"
conn %default
keyexchange=ikev2
ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp409$
esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes1$
dpdaction=clear
dpddelay=300s
rekey=no
left=%any
leftcert=vpnHostCert.pem
right=%any
rightdns=8.8.8.8,8.8.4.4
conn win7
keyexchange=ikev2
auto=add
rightsourceip=192.168.79.10
rightid="C=CH, O=strongSwan, CN=win7"
leftsubnet=10.1.2.0/24
conn win8
keyexchange=ikev2
auto=add
rightsourceip=192.168.79.11
rightid="C=CH, O=strongSwan, CN=win8"
leftsubnet=10.1.2.0/24
conn ASA
authby=secret
keyexchange=ikev1
ikelifetime=1440m
keylife=60m
rekeymargin=3m
keyingtries=1
left=1.1.1.78
leftsubnet=192.168.79.0/24
leftid=1.1.1.78
leftfirewall=yes
right=1.1.1.72
rightsubnet=10.1.2.0/24
rightid=1.1.1.72
auto=start
ike=aes256-sha1-modp1024
esp=aes256-sha1-modp1024
Ubuntu ipsec 状态和路由打印
root@ubuntuSrv:/etc/ipsec.d# ipsec status
Security Associations (2 up, 0 connecting):
win7[2]: ESTABLISHED 7 minutes ago, 1.1.1.78[C=CH, O=strongSwan, CN=1.1.1.78]...2.2.2.238[C=CH, O=strongSwan, CN=win7]
win7{2}: INSTALLED, TUNNEL, ESP in UDP SPIs: c9696f69_i ce82f3bc_o
win7{2}: 10.1.2.0/24 === 192.168.79.10/32
ASA[1]: ESTABLISHED 7 minutes ago, 1.1.1.78[1.1.1.78]...1.1.1.72[1.1.1.72]
ASA{1}: INSTALLED, TUNNEL, ESP SPIs: ccdbd590_i 7cf6b605_o
ASA{1}: 192.168.79.0/24 === 10.1.2.0/24
root@ubuntuSrv:/etc/ipsec.d# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 1.1.1.1 0.0.0.0 UG 0 0 0 eth0
1.1.1.0 * 255.255.255.0 U 0 0 0 eth0
ASA 加密 ipsec sa
sh crypto ipsec sa peer 1.1.1.78
peer address: 1.1.1.78
Crypto map tag: outside4_map, seq num: 9, local addr: 1.1.1.72
access-list acl extended permit ip 10.1.2.0 255.255.255.0 192.168.79.0 255.255.255.0
local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (192.168.79.0/255.255.255.0/0/0)
current_peer: 1.1.1.78
#pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
#pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 16, #pkts comp failed: 0, #pkts decomp failed: 0
我从每一端发出了 8 个 icmp 请求。看来 Ubuntu 端的流量丢失了。
更新:ubuntu srv 接收数据包但不将其发回。
tcpdump -pni eth0
16:51:22.073543 IP 10.1.2.95 > 192.168.79.10: ICMP echo request, id 512, seq 3584, length 40
16:51:22.073633 IP 10.1.2.95 > 192.168.79.10: ICMP echo request, id 512, seq 3584, length 40
答案1
我怀疑你的问题不是出在 Strongswan 上,而是出在防火墙规则上。如果你的 Ubuntu 机器充当防火墙,并且客户端位于防火墙后面,nat 规则将尝试处理到你公司网络的流量。
通常情况下,以下 nat 规则将伪装互联网流量:
Chain POSTROUTING (policy ACCEPT 757K packets, 49M bytes)
pkts bytes target prot opt in out source destination
93M 6869M MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0
但这也会对 vpn 的流量进行伪装。在 ipsec 流量的伪装规则之前添加一条规则将解决此问题:
iptables -A POSTROUTING -o eth1 -m policy --dir out --pol ipsec -j ACCEPT
因此 iptables -t nat -L -v -n 应该如下所示:
Chain POSTROUTING (policy ACCEPT 757K packets, 49M bytes)
pkts bytes target prot opt in out source destination
343 16028 ACCEPT all -- * eth1 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
93M 6869M MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0