I have set up strongSwan on my router (Debian Stretch), and the strongSwan configuration works fine, but only for connections originating from the router itself.
However, as soon as the tunnel is up, the clients behind the router (192.168.10.0/24 below) lose all connectivity completely. That means they can no longer reach the internet, cannot route through the tunnel, and cannot even ping/telnet/ssh the router itself (192.168.10.1). The goal is for these clients to reach the internet by sending all of their traffic through the ASA tunnel.
The setup is as follows:
Network (traffic from the clients in the left LAN should go through the tunnel and get internet access behind the right LAN):
    +---------------+   +------------------+           +-----------+   +------------+
    |   local LAN   |   |      router      |           | Cisco ASA |   | local LAN  |
    |192.168.10.0/24+---+eth0:192.168.1.1  +--Network--+  1.1.1.1  +---+10.10.0.0/24+-Internet
    |               |   |eth1:192.168.10.1 |           |           |   |            |
    +---------------+   +------------------+           +-----------+   +------------+
ipsec.conf:

    config setup

    conn tunnel
        authby=psk
        auto=start
        keyingtries=%forever
        rekey=yes
        dpdaction=restart
        closeaction=restart
        keyexchange=ikev1
        aggressive=yes
        fragmentation=yes
        ike=aes-sha-modp1024
        esp=aes-sha
        type=tunnel
        forceencaps=yes
        left=%defaultroute
        leftid=@GroupName
        leftauth=psk
        leftauth2=xauth
        xauth_identity=user.name
        leftsourceip=%config
        right=1.1.1.1
        rightauth=psk
        rightsubnet=0.0.0.0/0
iptables-save:

    *filter
    :INPUT ACCEPT [762:57704]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [457:52596]
    -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eth1 -s 192.168.10.0/24 ! -d 192.168.10.0/24 -o eth0 -j ACCEPT
    COMMIT
    *nat
    :PREROUTING ACCEPT [3:984]
    :INPUT ACCEPT [3:984]
    :OUTPUT ACCEPT [1:104]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
    -A POSTROUTING -s 10.10.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
    -A POSTROUTING -o eth0 -j MASQUERADE
    COMMIT
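Added example, not code from the question or from the strongSwan project: a small Python audit that reads the conn and the iptables rules above (copied inline as constructed input, trimmed to the options it inspects) and reports the checks worth running first when a LAN behind a road-warrior router cannot use the tunnel. It relies on two documented strongSwan behaviours, stated here as assumptions: with leftsourceip set and no leftsubnet, the tunnel's local traffic selector is the virtual IP alone, and routes for the remote selector are installed in routing table 220, which is consulted before the main table. The interface names, the LAN prefix and the conn name are parameters; nothing in it changes the router.

```python
"""Audit a road-warrior strongSwan router for LAN-forwarding problems.

Added example, not part of the question or of strongSwan.  Assumed facts (from
strongSwan's documented behaviour): with leftsourceip set and no leftsubnet the
local traffic selector is the virtual IP (/32); routes for rightsubnet go into
routing table 220, consulted before the main table."""
import ipaddress

# Constructed input: the conn and the NAT/FORWARD rules from the question, trimmed
# to the options this audit reads.
IPSEC_CONF = """\
config setup
conn tunnel
    type=tunnel
    left=%defaultroute
    leftsourceip=%config
    right=1.1.1.1
    rightsubnet=0.0.0.0/0
"""

IPTABLES_SAVE = """\
*filter
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -s 192.168.10.0/24 ! -d 192.168.10.0/24 -o eth0 -j ACCEPT
COMMIT
*nat
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""


def parse_conn(text, name):
    """Return the key=value options of the 'conn <name>' section of ipsec.conf."""
    opts, inside = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("conn ", "config ")):
            inside = line.startswith("conn ") and line.split(None, 1)[1] == name
            continue
        if inside and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip()] = value.strip()
    return opts


def rules_of(text, table, chain):
    """Return the '-A <chain>' rules of one iptables-save table, in file order."""
    current, rules = None, []
    for line in text.splitlines():
        if line.startswith("*"):
            current = line[1:]
        elif current == table and line.startswith(f"-A {chain} "):
            rules.append(line)
    return rules


def first_index(rules, predicate):
    """Index of the first rule satisfying predicate, or None."""
    return next((i for i, r in enumerate(rules) if predicate(r)), None)


def audit(ipsec_conf, iptables_save, conn_name, lan_cidr, lan_if, wan_if):
    """Return boolean findings; True means 'problem, or at least worth checking'."""
    conn = parse_conn(ipsec_conf, conn_name)
    lan = ipaddress.ip_network(lan_cidr)
    nat = rules_of(iptables_save, "nat", "POSTROUTING")
    fwd = rules_of(iptables_save, "filter", "FORWARD")

    # Local selector: leftsubnet if given, otherwise the virtual IP (/32) when
    # leftsourceip is set.  A single /32 cannot cover the LAN, so LAN sources only
    # match the policy if an SNAT rule rewrites them to a fixed address first.
    local_ts = conn.get("leftsubnet")
    lan_in_local_ts = bool(local_ts) and lan.subnet_of(
        ipaddress.ip_network(local_ts, strict=False))
    snat_lan = any("-j SNAT" in r and f"-s {lan_cidr}" in r for r in nat)

    # A generic MASQUERADE ordered before the IPsec exemption would rewrite
    # tunnel-bound traffic to the WAN address so it never matches the policy.
    masq_i = first_index(nat, lambda r: "-j MASQUERADE" in r and f"-o {wan_if}" in r)
    exempt_i = first_index(nat, lambda r: "--pol ipsec" in r and "-j ACCEPT" in r)
    masq_before_exempt = masq_i is not None and (exempt_i is None or masq_i < exempt_i)

    forward_ok = any(f"-i {lan_if}" in r and f"-o {wan_if}" in r and "-j ACCEPT" in r
                     for r in fwd)

    # If rightsubnet also covers the LAN, the route charon installs in table 220 is
    # consulted before the connected LAN route in main; the router's own replies to
    # LAN hosts can then be sent towards the tunnel.  Confirm with 'ip rule' and
    # 'ip route show table 220' on the router.
    remote = ipaddress.ip_network(conn.get("rightsubnet", "0.0.0.0/0"))

    return {
        "lan_outside_local_selector": not lan_in_local_ts and not snat_lan,
        "masquerade_before_ipsec_exemption": masq_before_exempt,
        "forward_blocks_lan": not forward_ok,
        "remote_selector_overlaps_lan": remote.overlaps(lan),
    }


if __name__ == "__main__":
    for key, flagged in audit(IPSEC_CONF, IPTABLES_SAVE, "tunnel",
                              "192.168.10.0/24", "eth1", "eth0").items():
        print(f"{key}: {'CHECK' if flagged else 'ok'}")
```

Run against the configuration in the question, the FORWARD and NAT ordering checks come back clean, while the selector check flags that 192.168.10.0/24 is neither inside the tunnel's local selector nor SNATed to a fixed address, and the overlap check flags that rightsubnet=0.0.0.0/0 also covers the LAN. Both are the two things to verify on the router with `ip xfrm policy`, `ip rule` and `ip route show table 220` before changing anything.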