服务器上建立了两个连接(IPSec 和 OpenVPN 客户端)。在服务器上,我看到 IPSec 中的子网,但看不到 OpenVPN 客户端中的子网。服务器上的防火墙处于活动状态,这里是公共区域:
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0 eth1
sources:
services: cockpit dhcpv6-client openvpn ssh
ports: 500/udp 4500/udp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule protocol value="esp" accept
以及带有 tun0 接口的 dmz 区域
dmz (active)
target: default
icmp-block-inversion: no
interfaces: tun0
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
这是路线表:
default via publicIP dev eth0 proto static metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.19.0.0/16 dev eth0 proto kernel scope link src 10.19.0.5 metric 100
10.19.0.0/16 via 10.19.0.1 dev eth0 proto static metric 100
publicNET/20 dev eth0 proto kernel scope link src publicIP metric 100
感谢您的建议!
更新
ip xfrm 策略:
src 10.19.0.0/16 dst 192.168.178.0/24
dir out priority 379519 ptype main
tmpl src SERVER1 dst SERVER2
proto esp spi 0x4a7f1596 reqid 71 mode tunnel
src 192.168.178.0/24 dst 10.19.0.0/16
dir fwd priority 379519 ptype main
tmpl src SERVER2 dst SERVER1
proto esp reqid 71 mode tunnel
src 192.168.178.0/24 dst 10.19.0.0/16
dir in priority 379519 ptype main
tmpl src SERVER2 dst SERVER1
proto esp reqid 71 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
这是 Strongswan 配置:
# Add connections here.
conn %default
left=SERVER1
leftsourceip=SERVER1
leftid=SERVER1
leftsubnet=10.19.0.0/16
authby=secret
auto=start
conn home
ike=aes256-sha-modp1024
esp=aes256-sha1-modp1024
right=SERVER2
rightid=@SERVER2
rightsubnet=192.168.178.0/24
ikelifetime=3600s
keylife=3600s
更新 #2
ipsec配置文件
conn %default
left=SERVER1
leftsourceip=SERVER1
leftid=SERVER1
leftsubnet=10.19.0.0/16,10.8.0.0/24
authby=secret
auto=start
xfrm 政策:
src 10.8.0.0/24 dst 192.168.178.0/24
dir out priority 375423 ptype main
tmpl src SERVER1 dst SERVER2
proto esp spi 0xc4247488 reqid 3 mode tunnel
src 192.168.178.0/24 dst 10.8.0.0/24
dir fwd priority 375423 ptype main
tmpl src SERVER2 dst SERVER1
proto esp reqid 3 mode tunnel
src 192.168.178.0/24 dst 10.8.0.0/24
dir in priority 375423 ptype main
tmpl src SERVER2 dst SERVER1
proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
以及firewalld的直接规则:
<direct>
<rule ipv="ipv4" table="nat" chain="POSTROUTING" priority="0">-m policy --pol ipsec --dir out -j ACCEPT</rule>
<rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.178.0/24 -j DROP</rule>
<rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-d 192.168.178.0/24 -j DROP</rule>
<rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.178.0/24 -d 10.19.0.0/16 -m policy --dir in --pol ipsec -j ACCEPT</rule>
<rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.178.0/24 -d 10.8.0.0/24 -m policy --dir in --pol ipsec -j ACCEPT</rule>
<rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 10.19.0.0/16 -d 192.168.178.0/24 -m policy --dir out --pol ipsec -j ACCEPT</rule>
<rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 10.8.0.0/24 -d 192.168.178.0/24 -m policy --dir out --pol ipsec -j ACCEPT</rule>
</direct>
和 openvpn 服务器配置:
port 1194
proto udp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 176.103.130.130"
push "dhcp-option DNS 176.103.130.131"
#push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.178.0 255.255.255.0"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_21QCUO0cRXlOaJFT.crt
key server_21QCUO0cRXlOaJFT.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3
答案1
为了配置 IPSec 客户端和 OpenVPN 客户端之间的路由,您必须添加10.8.0.0/24到leftsubnet选项中。您的%default部分应如下所示:
conn %default
# IKEv1 does not support multiple subnets.
keyexchange=ikev2
left=SERVER1
leftsourceip=SERVER1
leftid=SERVER1
leftsubnet=10.19.0.0/16,10.8.0.0/24
authby=secret
auto=start
这将在每个客户端上添加:
- 附加路线(见表格
220,参见ip route show table 220)的形式为10.8.0.0/24 via <real_gateway> dev <real_interface>。 - 另外三项
xfrm政策规定,10.8.0.0/24和之间的交通192.168.178.0/24必须加密并发送至SERVER1。
要在另一个方向配置路由,请添加:
push "route 192.168.178.0 255.255.255.0"
到 OpenVPN 服务器配置。
重新加载后卡戎和OpenVPN服务器,只有防火墙可能会阻碍双向通信。您可能需要添加以下规则:
# Insert instead of append, so the order is reversed
# 3. Drop the remaining (unencrypted) traffic from/to IPSec tunnel.
# This will block private traffic from reaching the Internet,
# when the tunnel is down.
iptables -I FORWARD -s 192.168.178.0/24 -j DROP
iptables -I FORWARD -d 192.168.178.0/24 -j DROP
# 2. Allow encrypted traffic from IPSec tunnel
iptables -I FORWARD -s 192.168.178.0/24 -d 10.19.0.0/16 \
-m policy --dir in --pol ipsec -j ACCEPT
iptables -I FORWARD -s 192.168.178.0/24 -d 10.8.0.0/24 \
-m policy --dir in --pol ipsec -j ACCEPT
# 1. Allow encrypted traffic to IPSec tunnel
iptables -I FORWARD -s 10.19.0.0/16 -d 192.168.178.0/24 \
-m policy --dir out --pol ipsec -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -d 192.168.178.0/24 \
-m policy --dir out --pol ipsec -j ACCEPT
或他们的防火墙相等的。
答案2
使用 ovpn 中的静态路由和 iptables 规则解决了该问题:
iptables -t nat -A POSTROUTING -p all -s 10.8.0.0/24 -d 192.168.178.0/24 -j SNAT --to-source 10.19.0.5