strongSwan connection established but cannot ping anything

I received the following data from a company to set up a site-to-site (s2s) connection:

Company VPN gateway: 195.x.37.168
IKE: Ikev1 AES256-SHA1 group 2 1440min
IPSEC: AES128-SHA1 group 2 3600 sec (60 min)
Left VPN gateway: 185.x.192.227
Left side network: 172.x.74.200/29
Company network: 10.6.7.0/24,10.6.4.0/24,10.6.5.0/24,10.6.6.0/24,10.6.8.0/24
Test host (ping): 10.0.1.55

So I created this /etc/ipsec.conf:

conn comp
    left=%defaultroute
    leftsubnet=172.x.74.200/29
    leftfirewall=yes
    right=195.x.37.168
    rightsubnet=10.6.7.0/24
    rightfirewall=yes
    authby=secret
    keyexchange=ikev1
    keylife=60m
    auto=add
    esp=aes128-sha1
    ike=aes256-sha1-modp1024
    ikelifetime=1440m
    lefthostaccess=yes
    type=tunnel

conn comp-2
    also=comp
    rightsubnet=10.6.4.0/24

conn comp-3
    also=comp
    rightsubnet=10.6.5.0/24

conn comp-4
    also=comp
    rightsubnet=10.6.6.0/24

# was a second "conn comp-4": duplicate conn names make the later section
# replace the earlier one, so 10.6.6.0/24 would never be routed
conn comp-5
    also=comp
    rightsubnet=10.6.8.0/24

The connection seems to come up fine:

sudo ipsec up comp
generating QUICK_MODE request 2398914035 [ HASH SA No ID ID ]
sending packet: from 217.x.73.231[500] to 195.x.37.168[500] (204 bytes)
received packet: from 195.x.37.168[500] to 217.x.73.231[500] (172 bytes)
parsed QUICK_MODE response 2398914035 [ HASH SA No ID ID ]
CHILD_SA comp{123} established with SPIs c776f6f6_i a38bf565_o and TS 172.x.74.200/29 === 10.x.7.0/24
connection 'comp' established successfully

sudo ipsec status

  Routed Connections:
       comp-4{5}:  ROUTED, TUNNEL, reqid 4
       comp-4{5}:   172.18.74.200/29 === 10.6.8.0/24
       comp-3{4}:  ROUTED, TUNNEL, reqid 3
       comp-3{4}:   172.18.74.200/29 === 10.6.5.0/24
       comp-2{3}:  ROUTED, TUNNEL, reqid 2
       comp-2{3}:   172.18.74.200/29 === 10.6.4.0/24
         comp{2}:  ROUTED, TUNNEL, reqid 1
         comp{2}:   172.18.74.200/29 === 10.6.7.0/24
Security Associations (1 up, 0 connecting):
         comp[1]: ESTABLISHED 5 minutes ago, 217.x.73.231[217.x.73.231]...195.x.37.168[195.250.37.168]
         comp{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c2f2a492_i 83f84c35_o
         comp{1}:   172.18.74.200/29 === 10.6.7.0/24
         comp{6}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c36f4493_i 0f13aa49_o
         comp{6}:   172.18.74.200/29 === 10.6.7.0/24

But I can't ping anything on the company network.

Answer 1

       rightsubnet=10.6.7.0/24,10.6.4.0/24,10.6.5.0/24,10.6.6.0/24,10.6.8.0/24

This doesn't work with IKEv1 (see this FAQ entry). You have to add a separate conn section for each remote subnet, for example:

conn comp
    ...
    rightsubnet=10.6.7.0/24
    ...

conn comp-2
    also=comp
    rightsubnet=10.6.4.0/24

conn comp-3
    also=comp
    rightsubnet=10.6.5.0/24

...
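The two configuration pitfalls visible on this page (several comma-separated subnets in one `rightsubnet` under `keyexchange=ikev1`, and a conn name defined twice so that the later section silently replaces the earlier one) are easy to catch before running `ipsec up`. The following linter is an added example written for this page, not strongSwan's own code: it parses the conn sections of an ipsec.conf, resolves `also=` inheritance, and reports both problems. The sample configuration embedded in it is constructed from the question's values; only an explicit `keyexchange=ikev1` is checked.

```python
"""Lint a strongSwan ipsec.conf for two IKEv1 pitfalls.

Added example (not strongSwan code). Parses `conn` sections, resolves
`also=` inheritance, and reports:
  1. a comma-separated leftsubnet/rightsubnet under keyexchange=ikev1
     (IKEv1 negotiates one traffic-selector pair per CHILD_SA), and
  2. duplicate conn names, where the later section replaces the earlier.
"""
import re
from collections import OrderedDict

# Constructed sample modelled on the question: multi-subnet rightsubnet
# under IKEv1 and a duplicated 'comp-4' section (addresses masked as on the page).
SAMPLE_CONF = """\
conn comp
        left=%defaultroute
        leftsubnet=172.x.74.200/29
        right=195.x.37.168
        rightsubnet=10.6.7.0/24,10.6.4.0/24
        keyexchange=ikev1
        auto=add

conn comp-4
    also=comp
    rightsubnet=10.6.6.0/24

conn comp-4
    also=comp
    rightsubnet=10.6.8.0/24
"""

SECTION_RE = re.compile(r"^(conn|ca|config)\s+(\S+)\s*$")


def parse_conns(text):
    """Return (conns, duplicates).

    conns maps name -> {key: value} for the LAST definition seen (mirroring
    the override behaviour); duplicates lists names defined more than once.
    """
    conns = OrderedDict()
    duplicates = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip comments
        if not line.strip():
            continue
        m = SECTION_RE.match(line)             # section headers start at column 0
        if m:
            kind, name = m.groups()
            if kind != "conn":                 # ignore config setup / ca sections
                current = None
                continue
            if name in conns:
                duplicates.append(name)
            current = conns[name] = {}
            continue
        if current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            current[key.strip()] = value.strip()
    return conns, duplicates


def resolve(conns, name, seen=None):
    """Flatten `also=` inheritance: a conn's own keys override the parent's."""
    if seen is None:
        seen = set()
    if name in seen or name not in conns:      # unknown parent or cycle
        return {}
    seen.add(name)
    own = dict(conns[name])
    parent = own.pop("also", None)
    merged = resolve(conns, parent, seen) if parent else {}
    merged.update(own)
    return merged


def lint(text):
    """Return a list of human-readable findings (empty list means clean)."""
    conns, duplicates = parse_conns(text)
    findings = [f"duplicate conn name '{n}': later section replaces the earlier one"
                for n in duplicates]
    for name in conns:
        eff = resolve(conns, name)
        if eff.get("keyexchange", "").lower() != "ikev1":
            continue
        for side in ("leftsubnet", "rightsubnet"):
            if "," in eff.get(side, ""):
                findings.append(
                    f"conn '{name}': {side}={eff[side]} lists several subnets "
                    f"under keyexchange=ikev1; use one conn per subnet (also=)")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print(finding)
```

Run against a real file with `lint(open("/etc/ipsec.conf").read())`; a clean file returns an empty list, and each finding names the conn so it can be matched against the `ipsec status` output (a missing `comp-4{...}` routed entry for one of its subnets is the symptom of the duplicate-name case).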
