IPSec 隧道已启动,但我无法 ping 目标 IP

I am trying to set up an IPsec tunnel to an external service that we do not control. The tunnel appears to be up, but I cannot ping the private IP address at all. I just get a Destination Host Unreachable message.

ifconfig

docker0   Link encap:Ethernet  HWaddr 02:42:5d:6c:5b:ff  
          inet addr:172.17.0.1  Bcast:0.0.0.0  Mask:255.255.0.0
          inet6 addr: fe80::42:5dff:fe6c:5bff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:153830963 errors:0 dropped:0 overruns:0 frame:0
          TX packets:157996702 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:10393890115 (10.3 GB)  TX bytes:15013754691 (15.0 GB)

eth0      Link encap:Ethernet  HWaddr 0c:c4:7a:7d:c2:ac  
          inet addr:129.111.191.242  Bcast:129.111.191.247  Mask:255.255.255.248
          inet6 addr: fe80::ec4:7aff:fe7d:c2ac/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:131498746 errors:0 dropped:0 overruns:0 frame:0
          TX packets:166120812 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:27289309652 (27.2 GB)  TX bytes:163175029250 (163.1 GB)
          Memory:fb200000-fb280000 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:88829366 errors:0 dropped:0 overruns:0 frame:0
          TX packets:88829366 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1816449755157 (1.8 TB)  TX bytes:1816449755157 (1.8 TB)

veth1a733da Link encap:Ethernet  HWaddr 52:e1:f1:58:ec:1d  
          inet6 addr: fe80::50e1:f1ff:fe58:ec1d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:204 errors:0 dropped:0 overruns:0 frame:0
          TX packets:266 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1755510 (1.7 MB)  TX bytes:33966 (33.9 KB)
+ A WHOLE WHACK OF OTHER DOCKER CONTAINERS

ipsec.conf

version 2.0 # conforms to second version of ipsec.conf specification

config setup
        #plutodebug="dpd control"
        plutostderrlog=/var/log/openswan.log
        dumpdir=/var/run/pluto/
        nat_traversal=no
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        oe=off
        protostack=netkey
        interfaces="%defaultroute"

conn easypay-ipsec-vpn
        authby=secret
        auto=start
        ike=3des-sha1;modp1024
        ikelifetime=86400s
        phase2alg=3des-sha1;modp1024
        salifetime=3600s
        pfs=yes
        left=129.111.191.242
        leftsubnet=129.111.191.242/32
        right=196.25.143.85
        rightsubnet=192.168.200.125/32

ip xfrm policy

src 129.111.191.242/32 dst 192.168.200.125/32 
    dir out priority 2080 
    tmpl src 129.111.191.242 dst 196.25.143.85
        proto esp reqid 16385 mode tunnel
src 192.168.200.125/32 dst 129.111.191.242/32 
    dir fwd priority 2080 
    tmpl src 196.25.143.85 dst 129.111.191.242
        proto esp reqid 16385 mode tunnel
src 192.168.200.125/32 dst 129.111.191.242/32 
    dir in priority 2080 
    tmpl src 196.25.143.85 dst 129.111.191.242
        proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0

Check that IPsec is up

sudo /usr/sbin/ipsec auto --status | grep easypay
000 "easypay-ipsec-vpn": 129.111.191.242/32===129.111.191.242<129.111.191.242>...196.25.143.85<196.25.143.85>===192.168.200.125/32; erouted; eroute owner: #3
000 "easypay-ipsec-vpn":     myip=unset; hisip=unset;
000 "easypay-ipsec-vpn":   ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0 
000 "easypay-ipsec-vpn":   policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0; 
000 "easypay-ipsec-vpn":   newest ISAKMP SA: #4; newest IPsec SA: #3; 
000 "easypay-ipsec-vpn":   IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "easypay-ipsec-vpn":   IKE algorithms found:  3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "easypay-ipsec-vpn":   IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "easypay-ipsec-vpn":   ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
000 "easypay-ipsec-vpn":   ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 "easypay-ipsec-vpn":   ESP algorithm newest: 3DES_000-HMAC_SHA1; pfsgroup=MODP1024
000 #4: "easypay-ipsec-vpn":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 84419s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #3: "easypay-ipsec-vpn":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1621s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "easypay-ipsec-vpn" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761
000 #1: "easypay-ipsec-vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 83601s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

route -n

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         129.111.191.241 0.0.0.0         UG    0      0        0 eth0
129.111.191.240 0.0.0.0         255.255.255.248 U     0      0        0 eth0
172.17.0.0      0.0.0.0         255.255.0.0     U     0      0        0 docker0
172.18.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-c8dc65a94bb2
172.19.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-82217b810a12
172.20.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-7850aa98111b
172.21.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-b1a7c55d62b6
172.22.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-825780b49c2d
172.23.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-c54a8b4052f1
172.28.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-9403e62934e3
172.29.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-4b089299a6c4
172.30.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-c9e5b9d15f93
172.31.0.0      0.0.0.0         255.255.0.0     U     0      0        0 br-20e8b7596a16
192.168.0.0     0.0.0.0         255.255.240.0   U     0      0        0 br-69356c2ae863
192.168.16.0    0.0.0.0         255.255.240.0   U     0      0        0 br-fef7a8477c50
192.168.32.0    0.0.0.0         255.255.240.0   U     0      0        0 br-0f934a7b6bbc
192.168.48.0    0.0.0.0         255.255.240.0   U     0      0        0 br-f436be453bc0
192.168.64.0    0.0.0.0         255.255.240.0   U     0      0        0 br-f58d5b3092b2
192.168.80.0    0.0.0.0         255.255.240.0   U     0      0        0 br-861678c58b1d
192.168.96.0    0.0.0.0         255.255.240.0   U     0      0        0 br-0bea6a9a8ba3
192.168.128.0   0.0.0.0         255.255.240.0   U     0      0        0 br-38704ca6d035
192.168.144.0   0.0.0.0         255.255.240.0   U     0      0        0 br-dd2a427832dc
192.168.160.0   0.0.0.0         255.255.240.0   U     0      0        0 br-f402e867a089
192.168.176.0   0.0.0.0         255.255.240.0   U     0      0        0 br-55b8290a7912
192.168.192.0   0.0.0.0         255.255.240.0   U     0      0        0 br-aad43c0bdf40
192.168.208.0   0.0.0.0         255.255.240.0   U     0      0        0 br-22d7856d7bf3
192.168.224.0   0.0.0.0         255.255.240.0   U     0      0        0 br-f968a9b6da10
192.168.240.0   0.0.0.0         255.255.240.0   U     0      0        0 br-5ee84192e789

So it looks like the tunnel is up and running, but I cannot ping the IP address 192.168.200.125 from the server, nor traceroute to it. Any help would be greatly appreciated.

Thanks

Update 1

I have made some more progress.

sudo ip route get 192.168.200.125

The command above showed that a docker network was somehow getting in the way. I deleted the docker network and now it no longer just gets a Destination Unreachable message, it actually tries to ping. But it still cannot reach the IP. Docker may still be interfering with the routing, but I am not 100% sure.

Update 2

Restarting IPsec seems to have fixed the problem.

Answer 1

I ran into the same IPsec tunnel problem with Libreswan. The IPsec tunnel was established, but when I pinged the IPv4 address of the host on the other side I got the message "Destination Host Unreachable".

In my case, because of a wrongly set up masquerade table, packets destined for private addresses were being masqueraded to the global IPv4 address that interface eth0 has.

So I wrote the new masquerade rules below so that the source address of outgoing packets with a private destination address is not overwritten.

i.e.

# iptables -t nat -A POSTROUTING -s 172.30.0.0/24 -d 192.168.0.0/16,172.16.0.0/12,10.0.0.0/8 -o eth0 -j RETURN                             
# iptables -t nat -A POSTROUTING -s 172.30.0.0/24 -o eth0 -j MASQUERADE

The first rule returns packets whose destination is a private network; those packets go into the IPsec tunnel without being masqueraded. The second rule is the usual masquerade: only the remaining packets are masqueraded before going out to the Internet.
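An added example, not the answer's own code, that models the answer's two POSTROUTING rules and shows why the RETURN has to come first: the nat table rewrites the source address before the packet is matched against the xfrm out policy, so a masqueraded packet no longer fits the leftsubnet selector and leaves the box unencrypted. The eth0 address is the question's; the leftsubnet 172.30.0.0/24 to rightsubnet 192.168.200.0/24 selector and the sample packets are constructed assumptions for the demo (the answer does not show its connection definition).

```python
"""Added example: walk a nat POSTROUTING chain, then test the post-NAT packet
against the IPsec policy selector, with and without the answer's RETURN rule."""
import ipaddress

PRIVATE = ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"]  # -d list from the answer
ETH0_ADDR = "129.111.191.242"                                 # eth0 address from the question

# The answer's two rules, in chain order.  dst=None means "any destination".
ANSWER_RULES = [
    {"src": "172.30.0.0/24", "dst": PRIVATE, "out": "eth0", "target": "RETURN"},
    {"src": "172.30.0.0/24", "dst": None,    "out": "eth0", "target": "MASQUERADE"},
]
# The broken chain the answer started from: masquerade everything, no exception.
MASQ_ONLY_RULES = [ANSWER_RULES[1]]

# ASSUMED tunnel selector (leftsubnet/rightsubnet) of the answerer's connection.
XFRM_OUT_SELECTOR = ("172.30.0.0/24", "192.168.200.0/24")


def _in_any(addr, nets):
    a = ipaddress.ip_address(addr)
    return any(a in ipaddress.ip_network(n) for n in nets)


def postrouting(rules, src, dst, out_iface, masq_addr=ETH0_ADDR):
    """Walk the nat POSTROUTING chain; return the source address after NAT."""
    for rule in rules:
        if rule["out"] != out_iface or not _in_any(src, [rule["src"]]):
            continue
        if rule["dst"] is not None and not _in_any(dst, rule["dst"]):
            continue
        if rule["target"] == "RETURN":
            return src          # leave the chain, source untouched
        if rule["target"] == "MASQUERADE":
            return masq_addr    # rewrite source to the outgoing interface address
    return src                  # fell off the end of the chain: no change


def selector_matches(selector, src, dst):
    """True if (src, dst) falls inside the xfrm policy selector."""
    src_net, dst_net = (ipaddress.ip_network(n) for n in selector)
    return ipaddress.ip_address(src) in src_net and ipaddress.ip_address(dst) in dst_net


def egress(rules, src, dst, selector=XFRM_OUT_SELECTOR):
    """Return (post-NAT src, 'esp' | 'plaintext').  NAT happens before the
    policy match, so a rewritten source can fall out of the tunnel selector."""
    nat_src = postrouting(rules, src, dst, "eth0")
    return nat_src, "esp" if selector_matches(selector, nat_src, dst) else "plaintext"


if __name__ == "__main__":
    pkt = ("172.30.0.10", "192.168.200.125")   # constructed container -> peer packet
    print("masquerade only :", egress(MASQ_ONLY_RULES, *pkt))
    print("answer's rules  :", egress(ANSWER_RULES, *pkt))
    print("to the Internet :", egress(ANSWER_RULES, "172.30.0.10", "203.0.113.7"))
    print("other private   :", egress(ANSWER_RULES, "172.30.0.10", "10.1.2.3"))
```

Two caveats the model makes visible. First, the failure mode is silent: with the masquerade-only chain the packet to 192.168.200.125 is not refused, it goes out via the default route with a public source and no ESP. Second, the answer's RETURN matches all of RFC 1918, so a packet to a private address that is not behind the tunnel (the 10.1.2.3 case) also skips NAT and leaves with an unroutable 172.30.0.x source. Narrowing `-d` to the actual rightsubnet, or using the policy match (`iptables -t nat -I POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT`) so the exception tracks the installed xfrm policy rather than a hand-maintained list, keeps the exception tied to the tunnel.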
