My server:
eth0: public IP 35.35.35.35
eth1: 10.50.0.1, subnet 10.50.0.0/22
ipsec configuration file (server):
config setup
    charondebug="2"
    uniqueids=no

conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    [email protected]
    leftcert=example.com.cer
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.50.4.0/24
    rightdns=10.50.1.1,10.50.1.2
    rightsendcert=never
    eap_identity=%identity
Client ipsec.conf:
config setup

conn cicg
    type=tunnel
    fragmentation=yes
    forceencaps=yes
    keyexchange=ikev2
    dpdaction=clear
    dpddelay=300s
    rekey=no
    auto=add
    leftauth=eap-mschapv2
    left=%defaultroute
    leftsourceip=%config4
    right=example.com
    rightauth=pubkey
    rightid=%any
    rightsubnet=10.50.0.0/22
    rightfirewall=yes
    eap_identity=test
The client connects to the VPN server successfully and is assigned the virtual IP 10.50.4.1.
iptables rules:
sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -i eth1 -j ACCEPT
# Accept incoming packets from the WAN if the router initiated
# the connection
sudo iptables -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Forward LAN packets to the WAN
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# Forward WAN packets to the LAN if the LAN initiated the
# connection
sudo iptables -A FORWARD -i eth0 -o eth1 -m conntrack \
--ctstate ESTABLISHED,RELATED -j ACCEPT
# NAT traffic going out the WAN interface
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 10.50.4.0/24 -j ACCEPT
sudo iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.50.4.0/24 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.50.4.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.50.4.0/24 -o eth0 -j MASQUERADE
sudo iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.50.4.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
The client can reach the server's local subnet 10.50.0.0/22, but from the server I cannot reach the client IP 10.50.4.1.
How can I reach the client through its virtual IP?
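Added worked check (not part of the question above): with the two configs as posted, the IKEv2 CHILD_SA is narrowed to the intersection of the server's `leftsubnet=0.0.0.0/0` and the client's `rightsubnet=10.50.0.0/22`, so a packet the server itself originates toward 10.50.4.1 only matches the outbound IPsec policy if its source address lies inside 10.50.0.0/22. The source addresses tried below (the eth0 address 35.35.35.35 and the eth1 address 10.50.0.1) are taken from the question; which one the kernel actually picks for a locally originated packet is an assumption to verify on the box with `ip route get 10.50.4.1`.

```python
import ipaddress
from typing import Optional

# Traffic selectors taken from the two ipsec.conf files in the question.
SERVER_LEFTSUBNET = "0.0.0.0/0"      # server: leftsubnet
CLIENT_RIGHTSUBNET = "10.50.0.0/22"  # client: rightsubnet
CLIENT_VIRTUAL_IP = "10.50.4.1/32"   # client's leftsourceip=%config4, assigned from 10.50.4.0/24


def narrow_cidr(a: str, b: str) -> Optional[str]:
    """IKEv2 traffic-selector narrowing (RFC 7296 sec. 2.9): the CHILD_SA
    covers the intersection of what both peers proposed. IPv4 CIDR blocks are
    either nested or disjoint, so the intersection is the smaller block or nothing."""
    net_a, net_b = ipaddress.ip_network(a), ipaddress.ip_network(b)
    if net_a.subnet_of(net_b):
        return str(net_a)
    if net_b.subnet_of(net_a):
        return str(net_b)
    return None  # no overlap: the CHILD_SA would fail with TS_UNACCEPTABLE


def negotiated_selectors() -> tuple:
    """(server-side TS, client-side TS) of the CHILD_SA as seen from the server."""
    server_ts = narrow_cidr(SERVER_LEFTSUBNET, CLIENT_RIGHTSUBNET)  # 10.50.0.0/22
    client_ts = CLIENT_VIRTUAL_IP                                    # 10.50.4.1/32
    return server_ts, client_ts


def _matches(src: str, dst: str, src_ts: str, dst_ts: str) -> bool:
    """Policy lookup: a packet is protected only if src AND dst fall inside the selectors."""
    return (ipaddress.ip_address(src) in ipaddress.ip_network(src_ts)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(dst_ts))


def server_tunnel_covers(src: str, dst: str) -> bool:
    """True if a packet the server originates (src -> dst) matches the outbound policy."""
    server_ts, client_ts = negotiated_selectors()
    return server_ts is not None and _matches(src, dst, server_ts, client_ts)


def client_tunnel_covers(src: str, dst: str) -> bool:
    """True if a packet the client originates (src -> dst) matches its outbound policy."""
    server_ts, client_ts = negotiated_selectors()
    return server_ts is not None and _matches(src, dst, client_ts, server_ts)


if __name__ == "__main__":
    print("negotiated selectors:", negotiated_selectors())
    for src in ("35.35.35.35", "10.50.0.1"):  # candidate source addresses on the server
        state = "protected" if server_tunnel_covers(src, "10.50.4.1") else "NOT matched by the IPsec policy"
        print(f"server {src} -> 10.50.4.1: {state}")
    print("client 10.50.4.1 -> 10.50.0.1:", client_tunnel_covers("10.50.4.1", "10.50.0.1"))
```

If the server's chosen source is the public address, the ping never enters the tunnel; if the source is 10.50.0.1 the policy matches and the remaining suspects are the INPUT/FORWARD rules on both ends.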