ipsec strongSwan UP but no route

I have a server (Debian 10) behind a NAT router. Several virtual machines run on this server. I want to establish an IPsec connection to a server on the Internet. Here are my ipsec.conf files on both ends:

On the local server:

config setup
  charondebug = "all"
  uniqueids = yes
  nat_traversal = yes

conn local-to-server
  type = tunnel
  auto = start
  keyexchange = ikev2
  authby = secret
  left = 192.168.1.50
  leftsubnet = 192.168.1.0/24
  right = $server-internet-ip
  rightsubnet = 172.17.41.0/24
  rightsourceip = 172.17.41.0/24
  aggressive = no

On the Internet server:

config setup
  charondebug="all"
  uniqueids = yes

conn server-to-local
  type = tunnel
  auto = start
  authby = secret
  left = $server-internet-ip
  leftsubnet = 172.17.41.0/24
  leftsourceip = 192.168.1.50
  leftsubnet = 192.168.1.0/24
  aggressive = no

When I run the command ipsec status, it replies on both sides with Security Associations (1 up, 0 connecting): server-to-local[2]: ESTABLISHED...

But when I try to ping or telnet the local IP address 192.168.1.50 from my Internet server, I get nothing.

Running ip a shows no additional network interface related to IPsec being up. Same for routes: no route is created when IPsec comes up.

What am I missing to allow connections from the Internet server to the internal corporate virtual machines? The NAT box forwards UDP 500 and 4500 from its own Internet IP address to the internal server's private IP address.

Thanks a lot for your help!

EDIT: ip xfrm state outputs nothing.

EDIT2: output of ipsec statusall on the local server:

Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-8-amd64, x86_64):
uptime: 2 seconds, since Mar 19 14:23:56 2020
malloc: sbrk 1757184, mmap 0, used 557984, free 1199200
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Virtual IP pools (size/online/offline):
  172.17.41.0/24: 254/0/0
Listening IP addresses:
  192.168.1.50
Connections:
  local-to-server:  192.168.1.50...$server-internet-ip  IKEv2, dpddelay=30s
  local-to-server:   local:  [192.168.1.50] uses pre-shared key authentication
  local-to-server:   remote: [$server-internet-ip] uses pre-shared key authentication
  local-to-server:   child:  192.168.1.0/24 === 172.17.41.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  local-to-server[1]: ESTABLISHED 2 seconds ago, 192.168.1.50[192.168.1.50]...$server-internet-ip[$server-internet-ip]
  local-to-server[1]: IKEv2 SPIs: 68eab917fe1855aa_i* 87d5f2cd06b353de_r, pre-shared key reauthentication in 2 hours
  local-to-server[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072

Output of ipsec statusall on the Internet server:

Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.185-xxxx-std-ipv6-64, x86_64):
uptime: 12 seconds, since Mar 19 14:23:53 2020
malloc: sbrk 2478080, mmap 0, used 278288, free 2199792
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
  $server-internet-ip
  172.17.23.1
Connections:
  server-to-local:  $server-internet-ip...%any  IKEv2, dpddelay=30s
  server-to-local:   local:  [$server-internet-ip] uses pre-shared key authentication
  server-to-local:   remote: uses pre-shared key authentication
  server-to-local:   child:  192.168.1.0/24 === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
  server-to-local[2]: ESTABLISHED 9 seconds ago, $server-internet-ip[$server-internet-ip]...$box-internet-ip[192.168.1.50]
  server-to-local[2]: IKEv2 SPIs: 68eab917fe1855aa_i 87d5f2cd06b353de_r*, pre-shared key reauthentication in 2 hours
  server-to-local[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072

Here are the logs on the Internet server side:

09[IKE] maximum IKE_SA lifetime 10783s
09[IKE] traffic selectors 172.17.41.0/24 === 192.168.1.0/24 inacceptable
09[IKE] failed to establish CHILD_SA, keeping IKE_SA
09[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
09[NET] sending packet: from $server-internet-ip[4500] to $box-internet-ip[4500] (160 bytes)
11[IKE] sending DPD request
11[ENC] generating INFORMATIONAL request 0 [ ]
11[NET] sending packet: from $server-internet-ip[4500] to $box-internet-ip[4500] (80 bytes)
12[NET] received packet: from $box-internet-ip[4500] to $server-internet-ip[4500] (80 bytes)
12[ENC] parsed INFORMATIONAL response 0 [ ]

Here are the logs on the local server side:

13[IKE] sending keep alive to $server-internet-ip[4500]
15[IKE] sending DPD request
15[ENC] generating INFORMATIONAL request 8 [ N(NATD_S_IP) N(NATD_D_IP) ]
15[NET] sending packet: from 192.168.1.50[4500] to $server-internet-ip[4500] (128 bytes)
14[NET] received packet: from $server-internet-ip[4500] to 192.168.1.50[4500] (80 bytes)
14[ENC] parsed INFORMATIONAL request 8 [ ]
14[ENC] generating INFORMATIONAL response 8 [ ]
14[NET] sending packet: from 192.168.1.50[4500] to $server-internet-ip[4500] (80 bytes)
16[NET] received packet: from $server-internet-ip[4500] to 192.168.1.50[4500] (128 bytes)
16[ENC] parsed INFORMATIONAL response 8 [ N(NATD_S_IP) N(NATD_D_IP) ]