IPsec：如何从 VPN 服务器访问连接的 IPsec VPN 客户端？

2024-6-1 • tag-icon

我的服务器：

eth0: 公网 IP 35.35.35.35

eth1：10.50.0.1子网10.50.0.0/22

ipsec配置文件

config setup
    charondebug="2"
    uniqueids=no
conn ikev2-vpn
    auto=add
    compress=no
    type=tunnel
    keyexchange=ikev2
    fragmentation=yes
    forceencaps=yes
    dpdaction=clear
    dpddelay=300s
    rekey=no
    left=%any
    [email protected]
    leftcert=example.com.cer
    leftsendcert=always
    leftsubnet=0.0.0.0/0
    leftauth=pubkey
    right=%any
    rightid=%any
    rightauth=eap-mschapv2
    rightsourceip=10.50.4.0/24
    rightdns=10.50.1.1,10.50.1.2
    rightsendcert=never
    eap_identity=%identity

客户端 ipsec.conf

config setup

conn cicg
        type=tunnel
        fragmentation=yes
        forceencaps=yes
        keyexchange=ikev2
        dpdaction=clear
        dpddelay=300s
        rekey=no
        auto=add
        leftauth=eap-mschapv2
        left=%defaultroute
        leftsourceip=%config4
        right=example.com
        rightauth=pubkey
        rightid=%any
        rightsubnet=10.50.0.0/22
        rightfirewall=yes
        eap_identity=test

客户端连接vpn服务器成功，获取虚拟ip：10.50.4.1

iptables 规则

sudo iptables -A INPUT -i lo -j ACCEPT
sudo iptables -A INPUT -i eth1 -j ACCEPT


# Accept incoming packets from the WAN if the router initiated
# the connection
sudo iptables -A INPUT -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Forward LAN packets to the WAN
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

# Forward WAN packets to the LAN if the LAN initiated the
# connection
sudo iptables -A FORWARD -i eth0 -o eth1 -m conntrack \
    --ctstate ESTABLISHED,RELATED -j ACCEPT

# NAT traffic going out the WAN interface
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

sudo iptables -A FORWARD --match policy --pol ipsec --dir in  --proto esp -s 10.50.4.0/24 -j ACCEPT
sudo iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.50.4.0/24 -j ACCEPT

sudo iptables -t nat -A POSTROUTING -s 10.50.4.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 10.50.4.0/24 -o eth0 -j MASQUERADE


sudo iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.50.4.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360

客户端可以访问服务器本地子网10.50.0.0/22，但在服务器中，我无法访问客户端IP 10.50.4.1。

如何通过虚拟 IP 访问客户端？

相关内容