There is an IPsec site-to-site VPN.
On the left side is Proxmox 5.6 with external gateway 1.1.1.1; the VM internal network is 10.14.0.0/24 with gateway 10.14.0.1.
On the right side is an office network with two subnets, 10.0.0.0/16 and a DMZ 192.168.58.0/24.
Proxmox host:
IP forwarding is enabled
-A FORWARD -s 10.0.0.0/16 -d 10.14.0.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 12 --proto esp -j ACCEPT
-A FORWARD -s 10.14.0.0/24 -d 10.0.0.0/16 -o vmbr0 -m policy --dir out --pol ipsec --reqid 12 --proto esp -j ACCEPT
-A FORWARD -s 192.168.58.0/24 -d 10.14.0.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 12 --proto esp -j ACCEPT
-A FORWARD -s 10.14.0.0/24 -d 192.168.58.0/24 -o vmbr0 -m policy --dir out --pol ipsec --reqid 12 --proto esp -j ACCEPT
-A POSTROUTING -s 10.14.0.0/24 -d 10.0.0.0/16 -j ACCEPT
-A POSTROUTING -s 10.14.0.0/24 -d 192.168.58.0/24 -j ACCEPT
-A POSTROUTING -s 10.14.0.0/24 -o vmbr0 -j MASQUERADE
On the VM in Proxmox (10.14.0.2):
ping 10.0.0.27
PING 10.0.0.27 (10.0.0.27) 56(84) bytes of data.
64 bytes from 10.0.0.27: icmp_seq=1 ttl=126 time=2.56 ms
64 bytes from 10.0.0.27: icmp_seq=2 ttl=126 time=2.19 ms
64 bytes from 10.0.0.27: icmp_seq=3 ttl=126 time=2.29 ms
ping 192.168.58.235
PING 192.168.58.235 (192.168.58.235) 56(84) bytes of data.
^C
--- 192.168.58.235 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4086ms
On the machine 10.0.0.27 at the right-hand site:
ping 10.14.0.2
PING 10.14.0.2 (10.14.0.2) 56(84) bytes of data.
64 bytes from 10.14.0.2: icmp_seq=1 ttl=62 time=9.59 ms
64 bytes from 10.14.0.2: icmp_seq=2 ttl=62 time=2.47 ms
64 bytes from 10.14.0.2: icmp_seq=3 ttl=62 time=2.49 ms
On the DMZ machine at the right-hand site (192.168.58.235):
ping 10.14.0.2
PING 10.14.0.2 (10.14.0.2) 56(84) bytes of data.
64 bytes from 10.14.0.2: icmp_seq=2 ttl=63 time=2.63 ms
64 bytes from 10.14.0.2: icmp_seq=3 ttl=63 time=2.42 ms
64 bytes from 10.14.0.2: icmp_seq=4 ttl=63 time=2.25 ms
ipsec statusall
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.15.18-12-pve, x86_64):
uptime: 3 days, since Apr 20 06:37:17 2019
malloc: sbrk 2568192, mmap 0, used 461856, free 2106336
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 10
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Listening IP addresses:
1.1.1.1
10.14.0.1
Connections:
node2office: 1.1.1.1...2.2.2.2 IKEv1
node2office: local: [1.1.1.1] uses pre-shared key authentication
node2office: remote: [2.2.2.2] uses pre-shared key authentication
node2office: child: 10.14.0.0/24 === 10.0.0.0/16 192.168.58.0/24 TUNNEL
Security Associations (1 up, 0 connecting):
node2office[16]: ESTABLISHED 69 minutes ago, 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
node2office[16]: IKEv1 SPIs: 6djhfd92c3caad6_i 4515795420c7ac09_r*, pre-shared key reauthentication in 22 hours
node2office[16]: IKE proposal: 3DES_CBC/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
node2office{43}: INSTALLED, TUNNEL, reqid 12, ESP SPIs: cb8fcbbe_i 0a9a21ad_o
node2office{43}: 3DES_CBC/HMAC_SHA1_96, 5348 bytes_i (90 pkts, 296s ago), 5964 bytes_o (77 pkts, 296s ago), rekeying in 13 minutes
node2office{43}: 10.14.0.0/24 === 10.0.0.0/16
node2office{44}: INSTALLED, TUNNEL, reqid 13, ESP SPIs: c7a01be7_i ccc813b2_o
node2office{44}: 3DES_CBC/HMAC_SHA1_96, 252 bytes_i (3 pkts, 359s ago), 252 bytes_o (3 pkts, 359s ago), rekeying in 43 minutes
node2office{44}: 10.14.0.0/24 === 192.168.58.0/24
Where should I look for the problem?
Answer 1
Your second tunnel 10.14.0.0/24 - 192.168.58.0/24 has reqid 13, not 12 as in your iptables ruleset (check the counters of those rules with iptables -L -n -v or iptables-save -c), so those packets are probably being dropped by your firewall.
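A check for exactly this kind of mismatch, added here as an example (it is not code from the question or the answer): it parses the INSTALLED child SAs from `ipsec statusall` output and flags every policy-match FORWARD rule whose --reqid differs from the SA that actually carries that subnet pair. The sample data is constructed from the output in the question; in practice feed it the live `ipsec statusall` and `iptables-save` output.

```sh
#!/bin/sh
# Cross-check child SA reqids (from `ipsec statusall`) against the --reqid
# values in iptables policy-match rules. Sample data is constructed from the
# question; replace it with live `ipsec statusall` / `iptables-save` output.

STATUS_SAMPLE='node2office{43}: INSTALLED, TUNNEL, reqid 12, ESP SPIs: cb8fcbbe_i 0a9a21ad_o
node2office{43}: 10.14.0.0/24 === 10.0.0.0/16
node2office{44}: INSTALLED, TUNNEL, reqid 13, ESP SPIs: c7a01be7_i ccc813b2_o
node2office{44}: 10.14.0.0/24 === 192.168.58.0/24'

RULES_SAMPLE='-A FORWARD -s 10.0.0.0/16 -d 10.14.0.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 12 --proto esp -j ACCEPT
-A FORWARD -s 10.14.0.0/24 -d 10.0.0.0/16 -o vmbr0 -m policy --dir out --pol ipsec --reqid 12 --proto esp -j ACCEPT
-A FORWARD -s 192.168.58.0/24 -d 10.14.0.0/24 -i vmbr0 -m policy --dir in --pol ipsec --reqid 12 --proto esp -j ACCEPT
-A FORWARD -s 10.14.0.0/24 -d 192.168.58.0/24 -o vmbr0 -m policy --dir out --pol ipsec --reqid 12 --proto esp -j ACCEPT'

# Print "reqid local remote" for every INSTALLED child SA; the traffic
# selector line shares the same "name{n}:" prefix as the INSTALLED line.
child_sa_reqids() {
  printf '%s\n' "$1" | awk '
    /INSTALLED/ { sa = $1; match($0, /reqid [0-9]+/); id = substr($0, RSTART + 6, RLENGTH - 6) }
    $1 == sa && /===/ { print id, $2, $4 }'
}

# For each child SA, print every policy-match rule whose -s/-d pair is that
# SA's selector pair but whose --reqid differs: such packets never hit ACCEPT.
find_mismatches() {
  child_sa_reqids "$1" | while read -r id left right; do
    printf '%s\n' "$2" | awk -v l="$left" -v r="$right" -v id="$id" '
      /-m policy/ {
        s = ""; d = ""; q = ""
        for (i = 1; i <= NF; i++) {
          if ($i == "-s") s = $(i + 1)
          if ($i == "-d") d = $(i + 1)
          if ($i == "--reqid") q = $(i + 1)
        }
        if (((s == l && d == r) || (s == r && d == l)) && q != id)
          printf "SA %s === %s has reqid %s, rule uses --reqid %s: %s\n", l, r, id, q, $0
      }'
  done
}

# Number of mismatching rules; 0 means the ruleset agrees with the installed SAs.
count_mismatches() { find_mismatches "$1" "$2" | awk 'END { print NR }'; }

find_mismatches "$STATUS_SAMPLE" "$RULES_SAMPLE"
```

On the question's data this reports the two DMZ rules (reqid 13 SA, rules written with --reqid 12); after changing those two rules to --reqid 13 it reports nothing.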