I am using Strongswan to connect over a VPN to a CISCO ASA firewall.
The output of my IPSEC status request is as follows:
root@ip-172-31-90-211:~# ipsec status
Security Associations (1 up, 0 connecting):
connection-to-vodacom[1]: ESTABLISHED 6 minutes ago, 172.31.90.211[172.31.90.211]...197.235.1.30[197.235.1.30]
connection-to-vodacom{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c9fee5f5_i 5a07752a_o
connection-to-vodacom{1}: 172.31.90.211/32 === 10.201.0.0/16
root@ip-172-31-90-211:~#
My IPSEC configuration file is as follows:
config setup
charondebug="all"
uniqueids=no
conn connection-to-vodacom
type=tunnel
auto=start
# keyexchange=ikev1
authby=secret
# left=%defaultroute
left=%any
leftsubnet=172.31.90.211/32
right=197.235.1.30
rightsubnet=10.201.0.0/16
keyexchange=ikev1
ike=aes256-sha1-modp1536!
esp=aes256-sha1!
aggressive=yes
keyingtries=%forever
ikelifetime=86400s
lifetime=3600s
dpddelay=30s
dpdtimeout=120s
dpdaction=restart
The ip xfrm policy command returns the following:
root@ip-172-31-90-211:~# ip xfrm policy
src 172.31.90.211/32 dst 10.201.0.0/16
dir out priority 375423
tmpl src 172.31.90.211 dst 197.235.1.30
proto esp spi 0x5a07752a reqid 1 mode tunnel
src 10.201.0.0/16 dst 172.31.90.211/32
dir fwd priority 375423
tmpl src 197.235.1.30 dst 172.31.90.211
proto esp reqid 1 mode tunnel
src 10.201.0.0/16 dst 172.31.90.211/32
dir in priority 375423
tmpl src 197.235.1.30 dst 172.31.90.211
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src ::/0 dst ::/0
socket out priority 0
However, when I try to ping a host on the other end of the VPN I get no response at all, and I can't even see the ping messages with TSHARK:
root@ip-172-31-90-211:~# ping 10.201.47.102
PING 10.201.47.102 (10.201.47.102) 56(84) bytes of data.
^C
--- 10.201.47.102 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1017ms
I have the following NAT rules installed:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere policy match dir out pol ipsec
ACCEPT all -- ip-10-201-0-0.ec2.internal/16 anywhere policy match dir out pol ipsec
When I try to inspect the outgoing ICMP packets, I only see them while the VPN is down; as soon as I bring the VPN up, I no longer see the outgoing packets at all.
Another thing we noticed is that packets from our server to the VPN leave our server, but no packets come back:
125 86.912011656 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
126 87.039966429 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
127 87.936001348 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
128 88.063989799 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
129 88.960012350 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
130 89.088001291 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
131 89.984013008 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
132 90.111999146 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
133 90.221484963 197.235.1.30 → 172.31.90.211 UDPENCAP 43 NAT-keepalive
134 91.008014628 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
135 91.135994428 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
136 92.032010593 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
137 92.159977535 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
138 93.056014269 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
139 93.183986406 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
Please help.
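An added diagnostic, not from the question's author: it parses the two outputs quoted above (`ipsec status` and the tshark capture) to tell "nothing enters the tunnel" apart from "we send ESP but the peer never answers", and also flags when the outbound SPI seen on the wire is not the one `ipsec status` reports, as is the case in the two snippets in the question (for example after a rekey, or when the outputs were taken at different times). The sample strings are constructed from the question's snippets; the local and peer addresses are passed in as parameters.

```python
import re
from collections import Counter
# Constructed sample input, modelled on the snippets quoted in the question.
IPSEC_STATUS = ("connection-to-vodacom{1}: INSTALLED, TUNNEL, reqid 1, "
                "ESP in UDP SPIs: c9fee5f5_i 5a07752a_o\n")
TSHARK_CAPTURE = """125 86.912011656 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
126 87.039966429 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
133 90.221484963 197.235.1.30 → 172.31.90.211 UDPENCAP 43 NAT-keepalive
134 91.008014628 172.31.90.211 → 197.235.1.30 ESP 174 ESP (SPI=0x6a01228c)
"""
SPI_RE = re.compile(r"SPIs:\s+([0-9a-f]+)_i\s+([0-9a-f]+)_o")
FRAME_RE = re.compile(r"^\s*\d+\s+[\d.]+\s+(\S+)\s+→\s+(\S+)\s+(\S+)\s+\d+\s+(.*)$")

def parse_status_spis(status_text):
    """Return (inbound, outbound) ESP SPIs as ints from `ipsec status` output."""
    m = SPI_RE.search(status_text)
    if not m: raise ValueError("no ESP SPIs found in ipsec status output")
    return int(m.group(1), 16), int(m.group(2), 16)

def count_frames(capture_text, local_ip, peer_ip):
    """Count ESP frames per SPI in each direction, plus NAT-keepalives from the peer."""
    esp_out, esp_in, keepalives = Counter(), Counter(), 0
    for line in capture_text.splitlines():
        m = FRAME_RE.match(line)
        if not m:
            continue
        src, dst, proto, info = m.groups()
        spi = re.search(r"SPI=0x([0-9a-fA-F]+)", info)
        if proto == "ESP" and spi:
            if (src, dst) == (local_ip, peer_ip):
                esp_out[int(spi.group(1), 16)] += 1
            elif (src, dst) == (peer_ip, local_ip):
                esp_in[int(spi.group(1), 16)] += 1
        elif src == peer_ip and "NAT-keepalive" in info:
            keepalives += 1
    return esp_out, esp_in, keepalives

def diagnose(status_text, capture_text, local_ip, peer_ip):
    """Classify the tunnel; 'one-way' is the symptom described in the question."""
    _, spi_out = parse_status_spis(status_text)
    esp_out, esp_in, keepalives = count_frames(capture_text, local_ip, peer_ip)
    if not esp_out:
        verdict = "no-traffic"  # nothing enters the tunnel: check xfrm policy and routing
    elif not esp_in:
        verdict = "one-way"     # we encrypt and send, but the peer never sends ESP back
    else:
        verdict = "ok"
    return {"verdict": verdict, "esp_out": sum(esp_out.values()),
            "esp_in": sum(esp_in.values()), "peer_keepalives": keepalives,
            # False when the capture's outbound SPI differs from the one ipsec status shows
            "spi_matches_status": spi_out in esp_out}
```

Feed it the real outputs (for example `ipsec status` and `tshark -i eth0 -f "host 197.235.1.30"`) to see which of the three cases the tunnel is in; keepalives arriving while ESP never returns means the peer is reachable and the UDP path is open, so the problem is on the return side rather than in basic connectivity.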