LEDE 17.01.1,StrongSwan 5.6.0 swanctl NAT

LEDE 17.01.1,StrongSwan 5.6.0 swanctl NAT

我在两个网关之间有一个正在运行的 strongswan 隧道,如下所示例子

moon可以 ping 通sun,反之亦然。

alice无法ping通bob

/etc/防火墙.用户

/usr/sbin/iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
/usr/sbin/iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
/usr/sbin/iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
/usr/sbin/iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT

/usr/sbin/iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT

我不知道该怎么做。

编辑1

我不是 iptables 专家,lede/openwrt 的规则很混乱。有很多别名规则。esp 规则似乎不错,否则无法建立隧道,对吗?

    Client A                                                          Client B
///////////////////   Gateway A                 Gateway B         /////////////////
/                 /   *****************         ***************   /               /
/ 192.168.100.110 /   * 192.168.100.1 *   <=>   * 192.168.1.1 *   / 192.168.1.200 /
/                 /   *****************         ***************   /               /
///////////////////                                               /////////////////

客户A

https://pastebin.com/qVS9Nquk

root@LEDE:~# ip route list table 220
192.168.1.0/24 dev ipsec0  proto static  src 192.168.100.1

客户B

https://pastebin.com/bkaG7s7k

root@Lede:~# ip route list table 220
192.168.100.0/24 dev ipsec0  proto static  src 192.168.1.1

编辑2

我查看了我的规则。第一个提示allow esp before processing (input/output)是用

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere             policy match dir in pol ipsec proto esp

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere             policy match dir out pol ipsec proto esp

对吧?因此,INPUT 和 OUTPUT 首先处理 esp 包,然后接受。

现在您说我的 FORWARD 规则始终是错误的,因为 dir in/out 被 ACCEPTED?

我不知道是否需要 strongswan-mod-kernel-libipsec。据我所知,不应使用 libipsec。但不加载此插件会导致隧道在建立过程中失败。

编辑3

iptables-保存-c

    root@LEDE:~# iptables-save -c
# Generated by iptables-save v1.4.21 on Sun Oct 29 07:02:41 2017
*nat
:PREROUTING ACCEPT [6248:527283]
:INPUT ACCEPT [3903:355245]
:OUTPUT ACCEPT [1157:92992]
:POSTROUTING ACCEPT [78:6018]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[6248:527283] -A PREROUTING -m comment --comment "!fw3: user chain for prerouting" -j prerouting_rule
[5072:419263] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[1176:108020] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
[0:0] -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
[3424:245233] -A POSTROUTING -m comment --comment "!fw3: user chain for postrouting" -j postrouting_rule
[2:674] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[3346:239215] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
[2:674] -A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.100.0/24 -d 192.168.100.1/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH (reflection)" -j SNAT --to-source 192.168.100.1
[0:0] -A zone_lan_postrouting -s 192.168.100.0/24 -d 192.168.100.110/32 -p tcp -m tcp --dport 4000 -m comment --comment "!fw3: Misc (reflection)" -j SNAT --to-source 192.168.100.1
[0:0] -A zone_lan_postrouting -s 192.168.100.0/24 -d 192.168.100.110/32 -p udp -m udp --dport 4000 -m comment --comment "!fw3: Misc (reflection)" -j SNAT --to-source 192.168.100.1
[5072:419263] -A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.100.0/24 -d 37.49.120.76/32 -p tcp -m tcp --dport 2200 -m comment --comment "!fw3: SSH (reflection)" -j DNAT --to-destination 192.168.100.1:22
[0:0] -A zone_lan_prerouting -s 192.168.100.0/24 -d 37.49.120.76/32 -p tcp -m tcp --dport 8000 -m comment --comment "!fw3: Misc (reflection)" -j DNAT --to-destination 192.168.100.110:4000
[0:0] -A zone_lan_prerouting -s 192.168.100.0/24 -d 37.49.120.76/32 -p udp -m udp --dport 8000 -m comment --comment "!fw3: Misc (reflection)" -j DNAT --to-destination 192.168.100.110:4000
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_vpn_rule
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_vpn_rule
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_vpn_rule
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_vpn_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_vpn_rule
[0:0] -A zone_vpn_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_vpn_rule
[0:0] -A zone_vpn_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_vpn_rule
[3346:239215] -A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule
[3346:239215] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[1176:108020] -A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 2200 -m comment --comment "!fw3: SSH" -j DNAT --to-destination 192.168.100.1:22
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8000 -m comment --comment "!fw3: Misc" -j DNAT --to-destination 192.168.100.110:4000
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 8000 -m comment --comment "!fw3: Misc" -j DNAT --to-destination 192.168.100.110:4000
COMMIT
# Completed on Sun Oct 29 07:02:41 2017
# Generated by iptables-save v1.4.21 on Sun Oct 29 07:02:41 2017
*mangle
:PREROUTING ACCEPT [83933:59010388]
:INPUT ACCEPT [12107:2416154]
:FORWARD ACCEPT [71817:56593482]
:OUTPUT ACCEPT [8645:669977]
:POSTROUTING ACCEPT [80462:57263459]
[936:56056] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Oct 29 07:02:41 2017
# Generated by iptables-save v1.4.21 on Sun Oct 29 07:02:41 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_dest_REJECT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
[304:24349] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[11807:2392013] -A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
[1671:638675] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[955:38932] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[7953:1389086] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[2183:364252] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
[0:0] -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
[0:0] -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
[71817:56593482] -A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
[69392:56423832] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2425:169650] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
[304:24349] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[8345:646508] -A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
[7236:557447] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3:1007] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[1106:88054] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
[1246:50770] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[109:21160] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[955:38932] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[3:1007] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[2425:169650] -A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
[2425:169650] -A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> vpn" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[7953:1389086] -A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[7953:1389086] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[3:1007] -A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
[3:1007] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[7953:1389086] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_REJECT
[0:0] -A zone_vpn_input -m comment --comment "!fw3: user chain for input" -j input_vpn_rule
[0:0] -A zone_vpn_input -m comment --comment "!fw3: user chain for input" -j input_vpn_rule
[0:0] -A zone_vpn_input -m comment --comment "!fw3: user chain for input" -j input_vpn_rule
[0:0] -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
[0:0] -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
[0:0] -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
[0:0] -A zone_vpn_output -m comment --comment "!fw3: user chain for output" -j output_vpn_rule
[0:0] -A zone_vpn_output -m comment --comment "!fw3: user chain for output" -j output_vpn_rule
[0:0] -A zone_vpn_output -m comment --comment "!fw3: user chain for output" -j output_vpn_rule
[0:0] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[3531:257704] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[2183:364252] -A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
[820:292000] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[7:230] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 2200 -m comment --comment "!fw3: SSH" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 8000 -m comment --comment "!fw3: Misc" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 8000 -m comment --comment "!fw3: Misc" -j ACCEPT
[0:0] -A zone_wan_input -p esp -m comment --comment "!fw3: @rule[11]" -j ACCEPT
[1:92] -A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "!fw3: @rule[13]" -j ACCEPT
[0:0] -A zone_wan_input -p ah -m comment --comment "!fw3: @rule[14]" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1355:71930] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1106:88054] -A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
[1106:88054] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[1355:71930] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Oct 29 07:02:41 2017

编辑4

到目前为止所有规则都没有问题。

问题在于加载了 kernel-libipsec 插件。在这种情况下,使用用户空间 ipsec 实现(而不是内核本身),而不使用内核路由表。

禁用此模块并安装 kmod-crypto-gcm 以获得内核加密支持解决了所有问题。

相关内容