I am trying to set up an IPSec tunnel to an external service that we do not control. The tunnel appears to be up, but I cannot ping the private IP address at all. I just get "Destination Host Unreachable".
ifconfig
docker0 Link encap:Ethernet HWaddr 02:42:5d:6c:5b:ff
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:5dff:fe6c:5bff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:153830963 errors:0 dropped:0 overruns:0 frame:0
TX packets:157996702 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10393890115 (10.3 GB) TX bytes:15013754691 (15.0 GB)
eth0 Link encap:Ethernet HWaddr 0c:c4:7a:7d:c2:ac
inet addr:129.111.191.242 Bcast:129.111.191.247 Mask:255.255.255.248
inet6 addr: fe80::ec4:7aff:fe7d:c2ac/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:131498746 errors:0 dropped:0 overruns:0 frame:0
TX packets:166120812 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:27289309652 (27.2 GB) TX bytes:163175029250 (163.1 GB)
Memory:fb200000-fb280000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:88829366 errors:0 dropped:0 overruns:0 frame:0
TX packets:88829366 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1816449755157 (1.8 TB) TX bytes:1816449755157 (1.8 TB)
veth1a733da Link encap:Ethernet HWaddr 52:e1:f1:58:ec:1d
inet6 addr: fe80::50e1:f1ff:fe58:ec1d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:204 errors:0 dropped:0 overruns:0 frame:0
TX packets:266 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1755510 (1.7 MB) TX bytes:33966 (33.9 KB)
+ A WHOLE WHACK OF OTHER DOCKER CONTAINERS
ipsec config file
version 2.0 # conforms to second version of ipsec.conf specification
config setup
#plutodebug="dpd control"
plutostderrlog=/var/log/openswan.log
dumpdir=/var/run/pluto/
nat_traversal=no
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
oe=off
protostack=netkey
interfaces="%defaultroute"
conn easypay-ipsec-vpn
authby=secret
auto=start
ike=3des-sha1;modp1024
ikelifetime=86400s
phase2alg=3des-sha1;modp1024
salifetime=3600s
pfs=yes
left=129.111.191.242
leftsubnet=129.111.191.242/32
right=196.25.143.85
rightsubnet=192.168.200.125/32
ip xfrm policy
src 129.111.191.242/32 dst 192.168.200.125/32
dir out priority 2080
tmpl src 129.111.191.242 dst 196.25.143.85
proto esp reqid 16385 mode tunnel
src 192.168.200.125/32 dst 129.111.191.242/32
dir fwd priority 2080
tmpl src 196.25.143.85 dst 129.111.191.242
proto esp reqid 16385 mode tunnel
src 192.168.200.125/32 dst 129.111.191.242/32
dir in priority 2080
tmpl src 196.25.143.85 dst 129.111.191.242
proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
Check whether IPSec is up
sudo /usr/sbin/ipsec auto --status | grep easypay
000 "easypay-ipsec-vpn": 129.111.191.242/32===129.111.191.242<129.111.191.242>...196.25.143.85<196.25.143.85>===192.168.200.125/32; erouted; eroute owner: #3
000 "easypay-ipsec-vpn": myip=unset; hisip=unset;
000 "easypay-ipsec-vpn": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "easypay-ipsec-vpn": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "easypay-ipsec-vpn": newest ISAKMP SA: #4; newest IPsec SA: #3;
000 "easypay-ipsec-vpn": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "easypay-ipsec-vpn": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "easypay-ipsec-vpn": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "easypay-ipsec-vpn": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
000 "easypay-ipsec-vpn": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 "easypay-ipsec-vpn": ESP algorithm newest: 3DES_000-HMAC_SHA1; pfsgroup=MODP1024
000 #4: "easypay-ipsec-vpn":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 84419s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #3: "easypay-ipsec-vpn":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1621s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "easypay-ipsec-vpn" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761
000 #1: "easypay-ipsec-vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 83601s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 129.111.191.241 0.0.0.0 UG 0 0 0 eth0
129.111.191.240 0.0.0.0 255.255.255.248 U 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
172.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-c8dc65a94bb2
172.19.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-82217b810a12
172.20.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-7850aa98111b
172.21.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-b1a7c55d62b6
172.22.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-825780b49c2d
172.23.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-c54a8b4052f1
172.28.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-9403e62934e3
172.29.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-4b089299a6c4
172.30.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-c9e5b9d15f93
172.31.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-20e8b7596a16
192.168.0.0 0.0.0.0 255.255.240.0 U 0 0 0 br-69356c2ae863
192.168.16.0 0.0.0.0 255.255.240.0 U 0 0 0 br-fef7a8477c50
192.168.32.0 0.0.0.0 255.255.240.0 U 0 0 0 br-0f934a7b6bbc
192.168.48.0 0.0.0.0 255.255.240.0 U 0 0 0 br-f436be453bc0
192.168.64.0 0.0.0.0 255.255.240.0 U 0 0 0 br-f58d5b3092b2
192.168.80.0 0.0.0.0 255.255.240.0 U 0 0 0 br-861678c58b1d
192.168.96.0 0.0.0.0 255.255.240.0 U 0 0 0 br-0bea6a9a8ba3
192.168.128.0 0.0.0.0 255.255.240.0 U 0 0 0 br-38704ca6d035
192.168.144.0 0.0.0.0 255.255.240.0 U 0 0 0 br-dd2a427832dc
192.168.160.0 0.0.0.0 255.255.240.0 U 0 0 0 br-f402e867a089
192.168.176.0 0.0.0.0 255.255.240.0 U 0 0 0 br-55b8290a7912
192.168.192.0 0.0.0.0 255.255.240.0 U 0 0 0 br-aad43c0bdf40
192.168.208.0 0.0.0.0 255.255.240.0 U 0 0 0 br-22d7856d7bf3
192.168.224.0 0.0.0.0 255.255.240.0 U 0 0 0 br-f968a9b6da10
192.168.240.0 0.0.0.0 255.255.240.0 U 0 0 0 br-5ee84192e789
So it looks like the tunnel is up and running, but I cannot ping the IP address 192.168.200.125 from the server, nor traceroute to it. Any help would be greatly appreciated.
Thanks
Update 1
I have made some more progress.
sudo ip route get 192.168.200.125
The command above showed that a docker network was somehow getting in the way. I removed the docker network, and now instead of the Destination Unreachable message it actually attempts the ping. But it still cannot connect to the IP. Possibly docker is still interfering with the routing, but I'm not 100% sure.
Update 2
Restarting IPsec seems to have resolved the problem.
Answer 1
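As an added illustration (not part of the question), the following Python reproduces the kernel's longest-prefix route lookup over a constructed excerpt of the route -n table above. The Docker bridge route 192.168.192.0/20 is more specific than the default route, so 192.168.200.125 is routed at br-aad43c0bdf40 rather than out eth0, which is the interface the IPsec policy is bound to; a `shadowing_routes` check of this kind is a quick way to spot such overlaps before touching the tunnel.

```python
import ipaddress

# Constructed excerpt of the 'route -n' output in the question:
# (destination, genmask, gateway, iface). Only the rows needed to show
# the overlap with the tunnel's rightsubnet are included.
ROUTE_TABLE = [
    ("0.0.0.0",         "0.0.0.0",         "129.111.191.241", "eth0"),
    ("129.111.191.240", "255.255.255.248", "0.0.0.0",         "eth0"),
    ("172.17.0.0",      "255.255.0.0",     "0.0.0.0",         "docker0"),
    ("192.168.192.0",   "255.255.240.0",   "0.0.0.0",         "br-aad43c0bdf40"),
    ("192.168.208.0",   "255.255.240.0",   "0.0.0.0",         "br-22d7856d7bf3"),
]


def _as_network(dest, mask):
    # ipaddress accepts a dotted netmask after the slash for IPv4 networks
    return ipaddress.ip_network(f"{dest}/{mask}")


def lookup(dst, table=ROUTE_TABLE):
    """Longest-prefix match like the kernel FIB: returns (iface, gateway, prefixlen)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, iface in table:
        net = _as_network(dest, mask)
        if addr in net and (best is None or net.prefixlen > best[2]):
            best = (iface, gw, net.prefixlen)
    return best


def shadowing_routes(rightsubnet, table=ROUTE_TABLE):
    """Non-default routes that overlap the tunnel's remote subnet.

    Any hit means the kernel hands packets for that subnet to a local
    interface (here a Docker bridge) instead of sending them towards eth0,
    where the IPsec policy expects to see them.
    """
    remote = ipaddress.ip_network(rightsubnet)
    hits = []
    for dest, mask, _gw, iface in table:
        net = _as_network(dest, mask)
        if net.prefixlen > 0 and net.overlaps(remote):
            hits.append((iface, str(net)))
    return hits


if __name__ == "__main__":
    print(lookup("192.168.200.125"))             # lands on the Docker bridge
    print(shadowing_routes("192.168.200.125/32"))
```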
I ran into the same ipsec tunnel problem with Libreswan. The IPsec tunnel was established, but when I pinged the IPv4 address of the host on the other side I got "Destination Host Unreachable".
In my case, because of a misconfigured masquerade table, packets destined for private addresses were being masqueraded to the global IPv4 address held by interface eth0.
So I wrote the new masquerade rules below so that the source address of outgoing packets with private destination addresses is not overwritten.
i.e.
# iptables -t nat -A POSTROUTING -s 172.30.0.0/24 -d 192.168.0.0/16,172.16.0.0/12,10.0.0.0/8 -o eth0 -j RETURN
# iptables -t nat -A POSTROUTING -s 172.30.0.0/24 -o eth0 -j MASQUERADE
The first rule returns packets whose destination is a private network. These packets go straight into the IPsec tunnel without being masqueraded. The second rule is the regular masquerade. Only the other packets are masqueraded and then go out to the Internet.
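As an added model (not the answerer's code), the following Python walks a nat POSTROUTING chain the way netfilter does and then applies the xfrm out-policy to whatever source address survives, which is the effective behaviour once NAT has rewritten the source (the kernel redoes the policy lookup on the rewritten packet). The 172.30.0.0/24 source and the private destination list come from the answer's two rules; the global eth0 address 203.0.113.10 and the policy selector are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ETH0_GLOBAL_IP = "203.0.113.10"   # constructed stand-in for the global eth0 address

# Constructed xfrm 'out' policy: leftsubnet -> rightsubnet, as 'ip xfrm policy' lists it
XFRM_OUT_POLICY = ("172.30.0.0/24", "192.168.200.125/32")


@dataclass
class NatRule:
    target: str                                     # RETURN or MASQUERADE
    src: Optional[str] = None                       # -s
    dsts: List[str] = field(default_factory=list)   # -d a,b,c (comma list)
    out_if: Optional[str] = None                    # -o


def _in(net, addr):
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def run_postrouting(chain, src, dst, out_if, if_addr):
    """Return the source address the packet leaves with after nat/POSTROUTING."""
    for rule in chain:
        if not _in(rule.src, src) or (rule.out_if and rule.out_if != out_if):
            continue
        if rule.dsts and not any(_in(d, dst) for d in rule.dsts):
            continue
        if rule.target == "RETURN":
            return src          # leave the chain untouched: no SNAT applied
        if rule.target == "MASQUERADE":
            return if_addr      # source rewritten to the egress interface address
    return src


def egress(chain, src, dst):
    """(how the packet leaves the box, source address on the wire)."""
    post_nat_src = run_postrouting(chain, src, dst, "eth0", ETH0_GLOBAL_IP)
    sel_src, sel_dst = XFRM_OUT_POLICY
    tunnelled = _in(sel_src, post_nat_src) and _in(sel_dst, dst)
    return ("esp-tunnel" if tunnelled else "cleartext", post_nat_src)


# The broken state from the answer: a lone MASQUERADE also catches tunnel traffic
BROKEN = [NatRule("MASQUERADE", "172.30.0.0/24", out_if="eth0")]
# The answer's fix: exempt private destinations first, then masquerade the rest
FIXED = [
    NatRule("RETURN", "172.30.0.0/24", ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"], "eth0"),
    NatRule("MASQUERADE", "172.30.0.0/24", out_if="eth0"),
]

if __name__ == "__main__":
    for name, chain in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, egress(chain, "172.30.0.5", "192.168.200.125"))
```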