OpenVPN 网络和 IPSec 之间的路由流量


服务器上建立了两个连接(IPSec 和 OpenVPN 客户端)。在服务器上,我看到 IPSec 中的子网,但看不到 OpenVPN 客户端中的子网。服务器上的防火墙处于活动状态,这里是公共区域:

    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth0 eth1
      sources:
      services: cockpit dhcpv6-client openvpn ssh
      ports: 500/udp 4500/udp
      protocols:
      masquerade: no
      forward-ports:
      source-ports:
      icmp-blocks:
      rich rules:
        rule protocol value="esp" accept

以及带有 tun0 接口的 dmz 区域

dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun0
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

这是路由表:

default via publicIP dev eth0 proto static metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.19.0.0/16 dev eth0 proto kernel scope link src 10.19.0.5 metric 100
10.19.0.0/16 via 10.19.0.1 dev eth0 proto static metric 100
publicNET/20 dev eth0 proto kernel scope link src publicIP metric 100

感谢您的建议!

更新

ip xfrm 策略:

src 10.19.0.0/16 dst 192.168.178.0/24
    dir out priority 379519 ptype main
    tmpl src SERVER1 dst SERVER2
        proto esp spi 0x4a7f1596 reqid 71 mode tunnel
src 192.168.178.0/24 dst 10.19.0.0/16
    dir fwd priority 379519 ptype main
    tmpl src SERVER2 dst SERVER1
        proto esp reqid 71 mode tunnel
src 192.168.178.0/24 dst 10.19.0.0/16
    dir in priority 379519 ptype main
    tmpl src SERVER2 dst SERVER1
        proto esp reqid 71 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main

这是 Strongswan 配置:

# Add connections here.
conn %default
        # Local (this server) end of every connection.
        left=SERVER1
        leftsourceip=SERVER1
        leftid=SERVER1
        # Only the eth0 LAN is offered as a local traffic selector, which is
        # why the xfrm policies above cover 10.19.0.0/16 only: packets from the
        # OpenVPN subnet 10.8.0.0/24 (tun0) match no IPsec policy and are
        # therefore never sent into the tunnel.
        leftsubnet=10.19.0.0/16
        # Pre-shared-key authentication.
        authby=secret
        auto=start

conn home
        # NOTE(review): modp1024 (1024-bit MODP, IKE group 2) and SHA-1 are
        # considered weak today; modp2048 or an ECP group together with sha256
        # is the usual minimum for both the IKE and the ESP proposal.
        ike=aes256-sha-modp1024
        esp=aes256-sha1-modp1024
        right=SERVER2
        rightid=@SERVER2
        # Remote LAN behind SERVER2 -- the same prefix the OpenVPN server
        # pushes to its clients with push "route 192.168.178.0 255.255.255.0".
        rightsubnet=192.168.178.0/24
        ikelifetime=3600s
        keylife=3600s

更新 #2

ipsec 配置文件:

conn %default
        left=SERVER1
        leftsourceip=SERVER1
        leftid=SERVER1
        # Both local networks are now offered as traffic selectors.
        # NOTE(review): the xfrm dump taken after this change lists policies
        # for 10.8.0.0/24 <-> 192.168.178.0/24 only (reqid 3) and none for
        # 10.19.0.0/16 any more, so only one of the two selectors was actually
        # negotiated -- presumably because no keyexchange=ikev2 is set here;
        # the first answer below adds it for exactly this reason.
        leftsubnet=10.19.0.0/16,10.8.0.0/24
        authby=secret
        auto=start

xfrm 策略:

src 10.8.0.0/24 dst 192.168.178.0/24
    dir out priority 375423 ptype main
    tmpl src SERVER1 dst SERVER2
        proto esp spi 0xc4247488 reqid 3 mode tunnel
src 192.168.178.0/24 dst 10.8.0.0/24
    dir fwd priority 375423 ptype main
    tmpl src SERVER2 dst SERVER1
        proto esp reqid 3 mode tunnel
src 192.168.178.0/24 dst 10.8.0.0/24
    dir in priority 375423 ptype main
    tmpl src SERVER2 dst SERVER1
        proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main

以及firewalld的直接规则:

<direct>
  <!-- Packets that an outbound IPsec policy will encrypt are accepted here,
       before any later NAT in POSTROUTING (the dmz zone has masquerade: yes),
       so tunneled traffic keeps its original source address and still
       matches the xfrm policy selectors. -->
  <rule ipv="ipv4" table="nat" chain="POSTROUTING" priority="0">-m policy --pol ipsec --dir out -j ACCEPT</rule>
  <!-- NOTE(review): every FORWARD rule below carries priority="0". Per
       firewalld.direct(5) rules with the same priority have no fixed order,
       so these two catch-all DROPs may be placed ahead of the policy-match
       ACCEPTs and silently shadow them. Give the DROPs a higher priority
       value (e.g. 10) so they are inserted after the ACCEPTs, mirroring the
       "insert in reverse order" sequence of the iptables commands in the
       first answer. -->
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.178.0/24 -j DROP</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-d 192.168.178.0/24 -j DROP</rule>
  <!-- Decapsulated traffic from the IPsec peer's LAN to either local network
       (matched via the inbound IPsec policy). -->
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.178.0/24 -d 10.19.0.0/16 -m policy --dir in --pol ipsec -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.178.0/24 -d 10.8.0.0/24 -m policy --dir in --pol ipsec -j ACCEPT</rule>
  <!-- Traffic from either local network that an outbound IPsec policy will
       encrypt on its way to the peer's LAN. -->
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 10.19.0.0/16 -d 192.168.178.0/24 -m policy --dir out --pol ipsec -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 10.8.0.0/24 -d 192.168.178.0/24 -m policy --dir out --pol ipsec -j ACCEPT</rule>
</direct>

和 openvpn 服务器配置:

# Listener: UDP/1194 on a tun (layer-3) device. The "openvpn" service listed in
# the public zone above is presumably what admits this port through firewalld.
port 1194
proto udp
dev tun
# Drop root privileges after startup; persist-key/persist-tun keep the key
# material and the tun device usable across restarts once privileges are gone.
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
# All clients share one /24; the server side is 10.8.0.1 (see the route table:
# 10.8.0.0/24 dev tun0 ... src 10.8.0.1).
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 176.103.130.130"
push "dhcp-option DNS 176.103.130.131"
# Split tunnel: the default route is NOT pushed, so only the routes pushed
# below travel through the VPN.
#push "redirect-gateway def1 bypass-dhcp"
# Route to the remote IPsec LAN (rightsubnet in ipsec.conf) so that clients
# send that traffic into tun0; the server then has to carry it into the
# IPsec tunnel, which is what the rest of this question is about.
push "route 192.168.178.0 255.255.255.0"
# ECDHE only, no finite-field DH parameters.
dh none
ecdh-curve prime256v1
# tls-crypt encrypts and authenticates the control channel, so packets
# without the shared key are dropped before they reach the TLS stack.
tls-crypt tls-crypt.key 0
# Reject clients whose certificate appears in the CRL.
crl-verify crl.pem
ca ca.crt
cert server_21QCUO0cRXlOaJFT.crt
key server_21QCUO0cRXlOaJFT.key
auth SHA256
cipher AES-128-GCM
# NOTE(review): ncp-ciphers is the pre-2.5 name of this option; OpenVPN 2.5+
# calls it data-ciphers and still accepts the old spelling as an alias.
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3

答案1

为了配置 IPSec 客户端和 OpenVPN 客户端之间的路由,您必须将 10.8.0.0/24 添加到 leftsubnet 选项中。您的 %default 部分应如下所示:

conn %default
    # IKEv1 does not support multiple subnets.
    keyexchange=ikev2
    left=SERVER1
    leftsourceip=SERVER1
    leftid=SERVER1
    # Both the eth0 LAN and the OpenVPN client subnet (tun0) become local
    # traffic selectors, so packets from OpenVPN clients match an outbound
    # IPsec policy and are encrypted towards SERVER2.
    leftsubnet=10.19.0.0/16,10.8.0.0/24
    authby=secret
    auto=start

这将在每个客户端上添加:

  1. 一条附加路由(位于路由表 220 中,参见 ip route show table 220),形式为 10.8.0.0/24 via <real_gateway> dev <real_interface>
  2. 另外三条 xfrm 策略,规定 10.8.0.0/24 与 192.168.178.0/24 之间的流量必须加密并发送至 SERVER1

要在另一个方向配置路由,请添加:

push "route 192.168.178.0 255.255.255.0"

到 OpenVPN 服务器配置。

重新加载 charon 和 OpenVPN 服务器后,只剩下防火墙可能会阻碍双向通信。您可能需要添加以下规则:

# Every rule is inserted (-I) rather than appended, so the command that runs
# last ends up first in the chain; read the numbered steps bottom-up to see
# the final chain order.
IPSEC_LAN=192.168.178.0/24

# 3. (ends up last) Drop whatever is left from/to the peer's LAN, i.e. packets
#    that matched no IPsec policy. This keeps the private ranges from leaking
#    in plaintext towards the Internet while the tunnel is down.
iptables -I FORWARD -s "$IPSEC_LAN" -j DROP
iptables -I FORWARD -d "$IPSEC_LAN" -j DROP

# 2. Inbound: traffic from the peer's LAN that was decapsulated from the
#    tunnel (inbound IPsec policy match), towards either local network.
for LOCAL_NET in 10.19.0.0/16 10.8.0.0/24; do
    iptables -I FORWARD -s "$IPSEC_LAN" -d "$LOCAL_NET" \
        -m policy --dir in --pol ipsec -j ACCEPT
done

# 1. (ends up first) Outbound: traffic from either local network that an
#    outbound IPsec policy will encrypt on its way to the peer's LAN.
for LOCAL_NET in 10.19.0.0/16 10.8.0.0/24; do
    iptables -I FORWARD -s "$LOCAL_NET" -d "$IPSEC_LAN" \
        -m policy --dir out --pol ipsec -j ACCEPT
done

或者 firewalld 中与之等效的规则。

答案2

使用 ovpn 中的静态路由和 iptables 规则解决了该问题:

# Source-NAT OpenVPN client traffic to the server's eth0 address before it
# leaves. The rewritten packets then fall under the existing
# 10.19.0.0/16 -> 192.168.178.0/24 xfrm policy and are tunneled without any
# change to leftsubnet.
# NOTE(review): presumably hosts in 192.168.178.0/24 then see every OpenVPN
# client as 10.19.0.5 and can only reach clients via conntrack'd replies, not
# by initiating connections to 10.8.0.0/24 themselves.
OVPN_NET=10.8.0.0/24
IPSEC_LAN=192.168.178.0/24
SNAT_ADDR=10.19.0.5
iptables -t nat -A POSTROUTING -p all -s "$OVPN_NET" -d "$IPSEC_LAN" \
    -j SNAT --to-source "$SNAT_ADDR"
