IPSec site-to-site with two subnets on the right side

There is an IPSec site-to-site VPN.

The left side is Proxmox 5.6 with external gateway 1.1.1.1; the internal VM network is 10.14.0.0/24 with gateway 10.14.0.1.

The right side is an office network with two subnets, 10.0.0.0/16 and the DMZ 192.168.58.0/24.

Proxmox host

ip_forward is enabled

-A FORWARD -s 10.0.0.0/16 -d 10.14.0.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 12 --proto esp -j ACCEPT
-A FORWARD -s 10.14.0.0/24 -d 10.0.0.0/16 -o vmbr0 -m policy --dir out --pol ipsec --reqid 12 --proto esp -j ACCEPT
-A FORWARD -s 192.168.58.0/24 -d 10.14.0.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 12 --proto esp -j ACCEPT
-A FORWARD -s 10.14.0.0/24 -d 192.168.58.0/24 -o vmbr0 -m policy --dir out --pol ipsec --reqid 12 --proto esp -j ACCEPT

-A POSTROUTING -s 10.14.0.0/24 -d 10.0.0.0/16 -j ACCEPT
-A POSTROUTING -s 10.14.0.0/24 -d 192.168.58.0/24 -j ACCEPT
-A POSTROUTING -s 10.14.0.0/24 -o vmbr0 -j MASQUERADE

On the VM (10.14.0.2) in Proxmox

ping 10.0.0.27
PING 10.0.0.27 (10.0.0.27) 56(84) bytes of data.
64 bytes from 10.0.0.27: icmp_seq=1 ttl=126 time=2.56 ms
64 bytes from 10.0.0.27: icmp_seq=2 ttl=126 time=2.19 ms
64 bytes from 10.0.0.27: icmp_seq=3 ttl=126 time=2.29 ms

ping 192.168.58.235
PING 192.168.58.235 (192.168.58.235) 56(84) bytes of data.
^C
--- 192.168.58.235 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4086ms

On machine 10.0.0.27 on the right site

ping 10.14.0.2
PING 10.14.0.2 (10.14.0.2) 56(84) bytes of data.
64 bytes from 10.14.0.2: icmp_seq=1 ttl=62 time=9.59 ms
64 bytes from 10.14.0.2: icmp_seq=2 ttl=62 time=2.47 ms
64 bytes from 10.14.0.2: icmp_seq=3 ttl=62 time=2.49 ms

On the DMZ machine (192.168.58.235) on the right site

ping 10.14.0.2
PING 10.14.0.2 (10.14.0.2) 56(84) bytes of data.
64 bytes from 10.14.0.2: icmp_seq=2 ttl=63 time=2.63 ms
64 bytes from 10.14.0.2: icmp_seq=3 ttl=63 time=2.42 ms
64 bytes from 10.14.0.2: icmp_seq=4 ttl=63 time=2.25 ms

ipsec statusall

Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.15.18-12-pve, x86_64):
  uptime: 3 days, since Apr 20 06:37:17 2019
  malloc: sbrk 2568192, mmap 0, used 461856, free 2106336
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 10
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
  1.1.1.1
  10.14.0.1
Connections:
    node2office:  1.1.1.1...2.2.2.2  IKEv1
    node2office:   local:  [1.1.1.1] uses pre-shared key authentication
    node2office:   remote: [2.2.2.2] uses pre-shared key authentication
    node2office:   child:  10.14.0.0/24 === 10.0.0.0/16 192.168.58.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
    node2office[16]: ESTABLISHED 69 minutes ago, 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
    node2office[16]: IKEv1 SPIs: 6djhfd92c3caad6_i 4515795420c7ac09_r*, pre-shared key reauthentication in 22 hours
    node2office[16]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
    node2office{43}:  INSTALLED, TUNNEL, reqid 12, ESP SPIs: cb8fcbbe_i 0a9a21ad_o
    node2office{43}:  3DES_CBC/HMAC_SHA1_96, 5348 bytes_i (90 pkts, 296s ago), 5964 bytes_o (77 pkts, 296s ago), rekeying in 13 minutes
    node2office{43}:   10.14.0.0/24 === 10.0.0.0/16
    node2office{44}:  INSTALLED, TUNNEL, reqid 13, ESP SPIs: c7a01be7_i ccc813b2_o
    node2office{44}:  3DES_CBC/HMAC_SHA1_96, 252 bytes_i (3 pkts, 359s ago), 252 bytes_o (3 pkts, 359s ago), rekeying in 43 minutes
    node2office{44}:   10.14.0.0/24 === 192.168.58.0/24

Where can I find the problem?

Answer 1

Your second tunnel, 10.14.0.0/24 - 192.168.58.0/24, uses reqid 13, not 12 as in your iptables ruleset (check the counters of those rules with iptables -L -n -v or iptables-save -c), so those packets are probably dropped by your firewall.
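The mismatch the answer points at can be found mechanically: take the reqid of each installed child SA from ipsec statusall, take the --reqid from each FORWARD rule that uses the policy match, and compare them per pair of traffic selectors. The following checker is an added example, not code from the question or from strongSwan; it parses the output and rules as they appear above (embedded here as constructed sample text) and reports every rule whose --reqid does not match the SA actually carrying that traffic. Names such as parse_child_sas and find_mismatches are this example's own.

```python
import re

# Constructed sample: the Security Associations part of the `ipsec statusall`
# output from the question above.
STATUSALL = """\
Security Associations (1 up, 0 connecting):
    node2office[16]: ESTABLISHED 69 minutes ago, 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
    node2office{43}:  INSTALLED, TUNNEL, reqid 12, ESP SPIs: cb8fcbbe_i 0a9a21ad_o
    node2office{43}:  3DES_CBC/HMAC_SHA1_96, 5348 bytes_i (90 pkts, 296s ago), 5964 bytes_o (77 pkts, 296s ago), rekeying in 13 minutes
    node2office{43}:   10.14.0.0/24 === 10.0.0.0/16
    node2office{44}:  INSTALLED, TUNNEL, reqid 13, ESP SPIs: c7a01be7_i ccc813b2_o
    node2office{44}:  3DES_CBC/HMAC_SHA1_96, 252 bytes_i (3 pkts, 359s ago), 252 bytes_o (3 pkts, 359s ago), rekeying in 43 minutes
    node2office{44}:   10.14.0.0/24 === 192.168.58.0/24
"""

# Constructed sample: the FORWARD rules from the question, in iptables-save form.
RULES = """\
-A FORWARD -s 10.0.0.0/16 -d 10.14.0.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 12 --proto esp -j ACCEPT
-A FORWARD -s 10.14.0.0/24 -d 10.0.0.0/16 -o vmbr0 -m policy --dir out --pol ipsec --reqid 12 --proto esp -j ACCEPT
-A FORWARD -s 192.168.58.0/24 -d 10.14.0.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 12 --proto esp -j ACCEPT
-A FORWARD -s 10.14.0.0/24 -d 192.168.58.0/24 -o vmbr0 -m policy --dir out --pol ipsec --reqid 12 --proto esp -j ACCEPT
"""

# "{43}:  INSTALLED, TUNNEL, reqid 12, ..." -> child SA number and its reqid
SA_RE = re.compile(r"\{(\d+)\}:\s+INSTALLED.*?reqid (\d+)")
# "{43}:   10.14.0.0/24 === 10.0.0.0/16" -> local and remote traffic selectors
TS_RE = re.compile(r"\{(\d+)\}:\s+(\S+) === (\S+)\s*$")
# FORWARD rule with a policy match: source, destination, direction, reqid
RULE_RE = re.compile(r"-A FORWARD -s (\S+) -d (\S+) .*--dir (in|out) .*--reqid (\d+)")


def parse_child_sas(text):
    """Map (local_ts, remote_ts) -> reqid for every INSTALLED child SA."""
    reqid_by_sa = {}
    result = {}
    for line in text.splitlines():
        m = SA_RE.search(line)
        if m:
            reqid_by_sa[m.group(1)] = int(m.group(2))
            continue
        m = TS_RE.search(line)
        if m and m.group(1) in reqid_by_sa:
            result[(m.group(2), m.group(3))] = reqid_by_sa[m.group(1)]
    return result


def parse_rules(text):
    """Return (local_ts, remote_ts, direction, reqid) for each policy-matching rule."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        src, dst, direction, reqid = m.groups()
        # --dir in: packet came out of the tunnel, so the source is the remote side;
        # --dir out: packet is about to enter the tunnel, so the source is local.
        local, remote = (dst, src) if direction == "in" else (src, dst)
        rules.append((local, remote, direction, int(reqid)))
    return rules


def find_mismatches(sas, rules):
    """Rules whose --reqid differs from the installed SA for the same selectors.

    Each entry is (direction, local, remote, reqid_in_rule, reqid_installed);
    reqid_installed is None when no child SA covers those selectors at all.
    """
    problems = []
    for local, remote, direction, reqid in rules:
        actual = sas.get((local, remote))
        if actual != reqid:
            problems.append((direction, local, remote, reqid, actual))
    return problems


def report(problems):
    """Human-readable line per mismatch; an empty list means the rules agree."""
    lines = []
    for direction, local, remote, want, have in problems:
        if have is None:
            lines.append(f"--dir {direction} {local} <-> {remote}: no installed child SA for these selectors")
        else:
            lines.append(f"--dir {direction} {local} <-> {remote}: rule matches reqid {want}, installed SA uses reqid {have}")
    return lines


if __name__ == "__main__":
    # In real use, feed in `ipsec statusall` and `iptables-save` output instead of the samples.
    for line in report(find_mismatches(parse_child_sas(STATUSALL), parse_rules(RULES))):
        print(line)
```

On the sample data the checker flags both DMZ rules (in and out) as matching reqid 12 while child SA {44} for 10.14.0.0/24 === 192.168.58.0/24 is installed with reqid 13, which is exactly the answer's diagnosis. Since strongSwan assigns reqids when it installs the SAs, firewall rules that hard-code --reqid stay correct only if the connection pins its reqid explicitly (the reqid option in the conn definition) or if the rules drop --reqid and match on the selectors and --pol ipsec alone.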