StrongSwan swanctl/xfrm:如何伪装隧道流量?

tag-icon tag-icon networking vpn routing ipsec strongswan
StrongSwan swanctl/xfrm:如何伪装隧道流量?
  • Ubuntu 20.04LTS
  • strongSwan swanctl 5.8.2
  • Linux 5.8.0-1035-gcp

我正在尝试设置一个 IKEv2 “roadwarrior” VPN,将 radius 身份验证推迟到我们的上游服务器。好消息是,我让客户端连接并通过 RADIUS 身份验证。但是,我已经尝试了大约一百万种方法,但我不能获取要转发的数据包。我确实看到流量到达隧道,但它不会进行出站 NAT。请注意,我在 updown 脚本中尝试对流量进行 NAT 但没有成功(目前已注释掉)。

配置如下:

sudo tee /etc/strongswan.d/charon-systemd.conf  << "EOF"
charon-systemd {
#  install_virtual_ip=no
#  install_routes=0
  load=random nonce aes sha1 sha2 hmac pem pkcs1 x509 revocation curve25519 gmp curl kernel-netlink socket-default updown vici eap-radius eap-identity
  journal {
   # Loglevel for a specific subsystem.
   # <subsystem> = <default>
   # Default loglevel.
   default=2
   enc=1
   asn=1
  }

  plugins {
    eap-radius {
      servers {
        primary {
          address=10.128.0.13
          secret=super-duper-secret
          auth_port=21812
        }
      }
    }
  }
}
EOF

sudo tee /etc/swanctl/conf.d/vpn.conf << "EOF"
connections {
  rw-eap {
    version=2
    proposals=aes128gcm16-sha256-modp2048
    local_addrs=10.128.0.14
    send_cert=always
    pools=dhcp_ipv4
    local {
      auth=pubkey
      certs=vpn.pem
      id=vpn.xxx.com
    }
    remote {
      auth=eap-radius
      id=*
    }
    children {
      net {
        local_ts=0.0.0.0/0
        remote_ts=172.16.20.64/26
        if_id_in=%unique
        if_id_out=%unique
        mark_in=%unique
        mark_out=%unique
        updown=/usr/local/bin/rw-updown.sh
        esp_proposals=aes128gcm16-sha256-modp2048
      }
    }
  }
}
pools {
  dhcp_ipv4 {
    addrs=172.16.20.64/26
    dns=10.128.0.9
  }
}
EOF

tee /usr/local/bin/rw-updown.sh << "EOF"
#!/bin/bash

set -o nounset
set -o errexit

XFRM_IF="xfrm${PLUTO_UNIQUEID}"

case "${PLUTO_VERB}" in
    up-client)
        logger -t "vpn rw-updown" ${PLUTO_VERB} ${PLUTO_UNIQUEID} ${XFRM_IF} ${PLUTO_ME} ${PLUTO_PEER} ${PLUTO_MARK_OUT%%/*} ${PLUTO_PEER_SOURCEIP}
        ip link add ${XFRM_IF} type xfrm dev ens4 if_id ${PLUTO_UNIQUEID}
        ip link set ${XFRM_IF} up
#        iptables -A FORWARD --in-interface ${XFRM_IF} -j ACCEPT
#        iptables --table nat -A POSTROUTING --out-interface ens4 -j MASQUERADE
        ;;
    down-client)
#        iptables -D FORWARD --in-interface ${XFRM_IF} -j ACCEPT
#        iptables --table nat -D POSTROUTING --out-interface ens4 -j MASQUERADE
        ip link del ${XFRM_IF}
        ;;
esac
EOF
chmod +x /usr/local/bin/rw-updown.sh

因此,在客户端连接后,我们确实会看到创建的接口:

root@vpn-iowa:~# ip xfrm policy 
src 0.0.0.0/0 dst 172.16.20.64/26 
    dir out priority 386687 
    mark 0x2/0xffffffff 
    tmpl src 10.128.0.14 dst 173.197.16.118
        proto esp spi 0x08547b23 reqid 2 mode tunnel
    if_id 0x2
src 172.16.20.64/26 dst 0.0.0.0/0 
    dir fwd priority 386687 
    mark 0x2/0xffffffff 
    tmpl src 173.197.16.118 dst 10.128.0.14
        proto esp reqid 2 mode tunnel
    if_id 0x2
src 172.16.20.64/26 dst 0.0.0.0/0 
    dir in priority 386687 
    mark 0x2/0xffffffff 
    tmpl src 173.197.16.118 dst 10.128.0.14
        proto esp reqid 2 mode tunnel
    if_id 0x2
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0

... more

在客户端上运行稳定ping 1.1.1.1会导致流量到达RX packets 246

root@vpn-iowa:~# ifconfig
ens4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1460
        inet 10.128.0.14  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 fe80::4001:aff:fe80:e  prefixlen 64  scopeid 0x20<link>
        ether 42:01:0a:80:00:0e  txqueuelen 1000  (Ethernet)
        RX packets 2668  bytes 444824 (444.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1907  bytes 586712 (586.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 140  bytes 13208 (13.2 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 140  bytes 13208 (13.2 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

xfrm2: flags=193<UP,RUNNING,NOARP>  mtu 1500
        inet6 fe80::85d9:2aa5:841:803f  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 246  bytes 18819 (18.8 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

如果你能帮助我解决这个问题,我将永远感激你。我读过无数资料,但仍然无法弄清楚。谢谢!

相关内容