Unable to install source route - RTNETLINK answers: No such process (IPsec / strongSwan)

Basically, I am trying to connect a pfSense to an EdgeRouter with an IPsec site-to-site tunnel.
(The public IP networks are obfuscated with "1.2".)

             [pfsense] <-> [edgerouter]  
public: 1.2.156.229/30 <-> 1.2.112.249/30
tunnel: 10.5.44.100/24 <-> 10.20.30.100/24

IPsec settings on both sites:
Phase 1: IKEv2 PSK AES128 SHA1 DH2
Phase 2: ESP AES128 SHA1

The EdgeRouter reaches the internet through an OLSR mesh, so its gateway is usually not a local one, and the gateway changes whenever the mesh changes. That is how OLSR is meant to work, so a gateway that is not in the same subnet is not wrong in this setup.

The tunnel/connection comes up, but no traffic passes through it. After raising the strongSwan kernel log level and digging through charon.log on both sites, I found that setting up the route on the EdgeRouter fails:

charon.log on the edgerouter:

Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> getting a local address in traffic selector 10.20.30.0/24
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> using host 10.20.30.100
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> sending RTM_GETROUTE 207: => 52 bytes @ 0x711f80a8
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>    0: 34 00 00 00 1A 00 01 00 CF 00 00 00 6A 6B 00 00  4...........jk..
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   16: 02 00 00 00 00 00 00 00 00 00 00 00 08 00 10 00  ................
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   32: FF FF FF FF 08 00 07 00 4E 29 70 F9 08 00 01 00  ........N)p.....
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   48: C1 EE 9C E5                                      ....
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> received RTM_NEWROUTE 207: => 112 bytes @ 0x604f58
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>    0: 70 00 00 00 18 00 00 00 CF 00 00 00 6A 6B 00 00  p...........jk..
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   16: 02 20 00 00 FE 00 00 01 00 02 00 00 08 00 0F 00  . ..............
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   32: FE 00 00 00 08 00 01 00 C1 EE 9C E5 08 00 04 00  ................
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   48: 0A 00 00 00 08 00 07 00 4E 29 70 F9 08 00 05 00  ........N)p.....
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   64: 4E 29 76 75 08 00 10 00 FF FF FF FF 24 00 0C 00  N)vu........$...
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   80: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   96: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> using 1.2.118.117 as nexthop to reach 1.2.156.229/32
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> 1.2.112.249 is on interface br0
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> installing route: 10.5.44.0/24 via 1.2.118.117 src 10.20.30.100 dev br0
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> getting iface index for br0
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> sending RTM_NEWROUTE 208: => 60 bytes @ 0x711f8090
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>    0: 3C 00 00 00 18 00 05 06 D0 00 00 00 6A 6B 00 00  <...........jk..
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   16: 02 18 00 00 DC 04 00 01 00 00 00 00 08 00 01 00  ................
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   32: 0A 05 2C 00 08 00 07 00 0A 14 1E 64 08 00 05 00  ..,........d....
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   48: 4E 29 76 75 08 00 04 00 0A 00 00 00              N)vu........
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> received (2) 208: => 80 bytes @ 0x604fe8
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>    0: 50 00 00 00 02 00 00 00 D0 00 00 00 6A 6B 00 00  P...........jk..
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   16: FD FF FF FF 3C 00 00 00 18 00 05 06 D0 00 00 00  ....<...........
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   32: 6A 6B 00 00 02 18 00 00 DC 04 00 01 00 00 00 00  jk..............
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   48: 08 00 01 00 0A 05 2C 00 08 00 07 00 0A 14 1E 64  ......,........d
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   64: 08 00 05 00 4E 29 76 75 08 00 04 00 0A 00 00 00  ....N)vu........
Mar  4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> unable to install source route for 10.20.30.100
Mar  4 23:27:27 12[IKE] <peer-1.2.156.229-tunnel-1|1> CHILD_SA peer-1.2.156.229-tunnel-1{2} established with SPIs c042bc69_i c46929b0_o and TS 10.20.30.0/24 === 10.5.44.0/24
Mar  4 23:27:40 11[KNL] creating roam job due to route change
Mar  4 23:27:40 11[KNL] <peer-1.2.156.229-tunnel-1|1> sending RTM_GETROUTE 209: => 52 bytes @ 0x719f8888

I tried to reproduce the error to understand what the problem is.

# # reproduce error:
# ip route add 10.5.44.0/24 via 1.2.118.117 src 10.20.30.100 dev br1
RTNETLINK answers: No such process

# # check default route and local ip address:
# ip route show | grep 0.0.0.0
0.0.0.0/1 via 1.2.118.117 dev br0  metric 2 onlink
# ip -f inet address show br0
10: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    inet 1.2.112.249/30 brd 1.2.112.251 scope global br0
# ip -f inet address show br1
11: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1462 qdisc noqueue state UP group default
    inet 10.20.30.100/24 brd 10.20.30.255 scope global br1

# # try to narrow down the problem
# ip route add 10.5.44.0/24 via 1.2.118.117 src 10.20.30.100 dev br1
RTNETLINK answers: No such process
# ip route add 10.5.44.0/24 src 10.20.30.100 dev br1
# ip route change 10.5.44.0/24 via 1.2.118.117 src 10.20.30.100 dev br1
RTNETLINK answers: No such process

Now I do not understand what rtnetlink is missing, or what is wrong with the gateway?

Searching for the strongSwan or rtnetlink error does not give any particular answer, only general explanations I already understand. My next guess is that I missed something when setting up this tunnel? The EdgeRouter has a bridge interface (br0) with the public IP for internet access, and a second bridge interface (br1) with a local IP for the management network.

I also checked this article describing IPsec on the EdgeRouter; my configuration is almost identical, except that I use bridge interfaces and IKEv2 (instead of the IKEv1 it describes).

Digging deeper: what causes "RTNETLINK answers: No such process" when I add the route? Right now I have no idea what could be wrong.
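The charon.log excerpt above already contains the kernel's answer in raw form: the "received (2)" message is a netlink NLMSG_ERROR whose first four bytes are the negative errno. The following decoder is an added example, not part of the question or of strongSwan; it reassembles the two hex dumps for sequence 208, decodes the RTM_NEWROUTE request back into the equivalent ip route command, and maps the reply to its errno name. The dumps are copied from the log, with the public gateway octets replaced by the obfuscated 1.2.118.117 used in the question; the ifindex-to-name mapping (10 = br0, 11 = br1) is taken from the ip address show output in the question.

```python
"""Decode the RTM_NEWROUTE request and the kernel's reply from charon.log hex dumps."""
import errno
import os
import re
import socket
import struct
from ipaddress import IPv4Address

# Netlink / rtnetlink constants (linux/netlink.h, linux/rtnetlink.h).
NLMSG_ERROR = 2
RTM_NEWROUTE = 24
NLM_F_NAMES = {0x1: "REQUEST", 0x4: "ACK", 0x200: "EXCL", 0x400: "CREATE"}
RTA_DST, RTA_OIF, RTA_GATEWAY, RTA_PREFSRC = 1, 4, 5, 7
RTA_NAMES = {RTA_DST: "dst", RTA_OIF: "oif", RTA_GATEWAY: "gateway", RTA_PREFSRC: "prefsrc"}
# Interface indexes as shown by 'ip address show' in the question.
IFINDEX_NAMES = {10: "br0", 11: "br1"}

# Constructed sample: the two dumps charon printed for sequence 208, with the
# public gateway octets replaced by the obfuscated 1.2.118.117 (01 02 76 75).
SENT_DUMP = """\
   0: 3C 00 00 00 18 00 05 06 D0 00 00 00 6A 6B 00 00  <...........jk..
  16: 02 18 00 00 DC 04 00 01 00 00 00 00 08 00 01 00  ................
  32: 0A 05 2C 00 08 00 07 00 0A 14 1E 64 08 00 05 00  ..,........d....
  48: 01 02 76 75 08 00 04 00 0A 00 00 00              ..vu........
"""
RECEIVED_DUMP = """\
   0: 50 00 00 00 02 00 00 00 D0 00 00 00 6A 6B 00 00  P...........jk..
  16: FD FF FF FF 3C 00 00 00 18 00 05 06 D0 00 00 00  ....<...........
  32: 6A 6B 00 00 02 18 00 00 DC 04 00 01 00 00 00 00  jk..............
  48: 08 00 01 00 0A 05 2C 00 08 00 07 00 0A 14 1E 64  ......,........d
  64: 08 00 05 00 01 02 76 75 08 00 04 00 0A 00 00 00  ......vu........
"""


def parse_hexdump(text):
    """Reassemble message bytes from charon's '  off: XX XX ...  ascii' lines."""
    data = bytearray()
    for line in text.splitlines():
        # The hex column ends at the double space before the ASCII column.
        m = re.search(r"\s(\d+): ((?:[0-9A-F]{2} )*[0-9A-F]{2})", line)
        if m and int(m.group(1)) == len(data):
            data += bytes.fromhex(m.group(2))
    return bytes(data)


def decode_message(data):
    """Decode one netlink message: an RTM_NEWROUTE request or an NLMSG_ERROR reply."""
    # struct nlmsghdr; netlink uses host byte order, little-endian in this dump.
    nl_len, nl_type, nl_flags, nl_seq, _pid = struct.unpack("<IHHII", data[:16])
    msg = {"type": nl_type, "seq": nl_seq,
           "flags": [n for bit, n in NLM_F_NAMES.items() if nl_flags & bit]}
    if nl_type == NLMSG_ERROR:
        # struct nlmsgerr: negative errno, then the echoed request header.
        (neg_errno,) = struct.unpack("<i", data[16:20])
        _, req_type, _, req_seq, _ = struct.unpack("<IHHII", data[20:36])
        msg.update(errno=-neg_errno, errname=errno.errorcode.get(-neg_errno, "?"),
                   strerror=os.strerror(-neg_errno),
                   request={"type": req_type, "seq": req_seq})
        return msg
    if nl_type == RTM_NEWROUTE:
        # struct rtmsg: family, dst_len, src_len, tos, table, protocol, scope, type, flags.
        family, dst_len, _s, _t, table, _p, _sc, _ty, _f = struct.unpack("<8BI", data[16:28])
        attrs, off = {}, 28
        while off + 4 <= nl_len:
            a_len, a_type = struct.unpack("<HH", data[off:off + 4])
            payload = data[off + 4:off + a_len]
            name = RTA_NAMES.get(a_type, f"rta_{a_type}")
            if a_type in (RTA_DST, RTA_GATEWAY, RTA_PREFSRC) and family == socket.AF_INET:
                attrs[name] = str(IPv4Address(payload))
            elif a_type == RTA_OIF:
                attrs[name] = struct.unpack("<i", payload)[0]
            else:
                attrs[name] = payload.hex()
            off += (a_len + 3) & ~3  # attributes are padded to 4 bytes
        msg.update(family=family, dst_len=dst_len, table=table, attrs=attrs)
    return msg


def as_ip_route_command(msg):
    """Render a decoded RTM_NEWROUTE as the equivalent 'ip route add' command."""
    a = msg["attrs"]
    cmd = f"ip route add {a['dst']}/{msg['dst_len']}"
    if "gateway" in a:
        cmd += f" via {a['gateway']}"
    if "prefsrc" in a:
        cmd += f" src {a['prefsrc']}"
    if "oif" in a:
        cmd += f" dev {IFINDEX_NAMES.get(a['oif'], a['oif'])}"
    return cmd + f" table {msg['table']}"  # 220 is strongSwan's default routing table


if __name__ == "__main__":
    sent = decode_message(parse_hexdump(SENT_DUMP))
    reply = decode_message(parse_hexdump(RECEIVED_DUMP))
    print(as_ip_route_command(sent))
    print(f"kernel reply to seq {reply['request']['seq']}: {reply['errname']} ({reply['strerror']})")
```

Running it reproduces the "installing route:" line from the log (plus table 220, which the log line omits) and shows that "received (2)" carries errno 3, ESRCH, which is the same "No such process" the ip route add reproduction prints.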

Answer 1

Solved the problem.

The strongSwan daemon wants to install the following route:

ip route add 10.5.44.0/24 via 1.2.118.117 src 10.20.30.100 dev br0

but that did not work (a gateway on a different subnet on Linux), so I set the following two routes on the edgerouter:

ip route add 10.5.44.101 dev br1
ip route add 10.5.44.0/24 via 10.5.44.101 dev br1

10.5.44.101 is the inner remote end of the IPsec tunnel. Interface br1 has to be used, because that is the interface the tunnel works with due to the defined local network.

韋斯
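Why the two-step workaround in this answer is accepted while strongSwan's single route is rejected comes down to how the kernel validates a nexthop: for a route with via, it looks the gateway up restricted to link-scope routes on the given device, and the question's onlink default route (scope universe) does not satisfy that. The model below is an added example written for this page, not kernel code and not from the answer's author; it is a simplified imitation of that check (fib_check_nh in the Linux IPv4 stack) with the EdgeRouter's routes constructed from the question's output. It reports the miss as ESRCH, as the question's kernel does when policy rules are present; a host without rules reports ENETUNREACH for the same situation.

```python
"""Simplified model of the gateway check behind 'RTNETLINK answers: No such process'."""
from ipaddress import ip_address, ip_network

# Route scopes from linux/rtnetlink.h: a gateway must be reachable through a
# link-scope (or host-scope) route, never through another gateway route.
SCOPE_UNIVERSE, SCOPE_LINK, SCOPE_HOST = 0, 253, 254


class RoutingTable:
    """Tiny stand-in for the kernel FIB: just enough to validate nexthops."""

    def __init__(self):
        self.routes = []  # (network, dev, gateway or None, scope)

    def add(self, dst, dev, via=None, onlink=False):
        """Imitate 'ip route add DST dev DEV [via GW] [onlink]'."""
        network = ip_network(dst, strict=False)
        if via is not None and not onlink:
            gw = ip_address(via)
            # Lookup restricted to scope >= link on the requested device; the
            # 0.0.0.0/1 'onlink' route is scope universe and is skipped here.
            reachable = any(gw in net and rdev == dev and scope >= SCOPE_LINK
                            for net, rdev, _gw, scope in self.routes)
            if not reachable:
                # With fib rules installed the failed lookup surfaces as ESRCH.
                raise OSError(3, "No such process")
        scope = SCOPE_UNIVERSE if via is not None else SCOPE_LINK
        self.routes.append((network, dev, via, scope))


def edgerouter_table():
    """The EdgeRouter's routes, constructed from the question's ip output."""
    t = RoutingTable()
    t.add("1.2.112.248/30", "br0")                                # br0 1.2.112.249/30
    t.add("10.20.30.0/24", "br1")                                 # br1 10.20.30.100/24
    t.add("0.0.0.0/1", "br0", via="1.2.118.117", onlink=True)     # OLSR default, onlink
    return t


def try_add(table, *args, **kwargs):
    """Return the answer text a user would see for one 'ip route add' attempt."""
    try:
        table.add(*args, **kwargs)
        return "ok"
    except OSError as e:
        return f"RTNETLINK answers: {e.strerror}"


def demo():
    """Replay strongSwan's attempt, the question's reproduction, and the answer's fix."""
    t = edgerouter_table()
    return [
        # what charon tried: mesh gateway on br0 (no link-scope route covers it)
        try_add(t, "10.5.44.0/24", "br0", via="1.2.118.117"),
        # the question's reproduction on br1: same gateway, same failure
        try_add(t, "10.5.44.0/24", "br1", via="1.2.118.117"),
        # the answer, step 1: host route makes the far tunnel end link-scope on br1
        try_add(t, "10.5.44.101", "br1"),
        # the answer, step 2: remote subnet via that now-reachable host
        try_add(t, "10.5.44.0/24", "br1", via="10.5.44.101"),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of the two commands in the answer matters in this model for the same reason it does on the router: the host route has to exist before the subnet route that names it as gateway.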
