I am using Ubuntu 20.04 and strongSwan 5.8.2, following the route-based VPN instructions.
The site-to-site tunnel is established and stable, but I cannot route traffic through it. When I try ping, ssh or curl, I get a "No route to host" error. I can see the traffic in tcpdump on the VTI interface.
I created the tunnel with the commands from those instructions:
ip tunnel add vti0 local 10.50.1.25 remote 100.100.100.100 mode vti key 50
sysctl -w net.ipv4.conf.vti0.disable_policy=1
ip link set vti0 up
ip route add 10.0.0.0/12 dev vti0
In addition, I disabled install_routes in the charon configuration.
Routing outside of the vti0 interface works fine.
Other details/output:
$ ssh [email protected]
ssh: connect to host 10.1.2.3 port 22: No route to host
$ ip route list
default via 10.50.1.1 dev ens5 proto dhcp src 10.50.1.25 metric 50
10.0.0.0/12 dev vti0 scope link
10.50.1.0/20 dev ens5 proto kernel scope link src 10.50.1.25
10.50.1.1 dev ens5 proto dhcp scope link src 10.50.1.25 metric 50
$ ip route get 10.1.2.3
10.1.2.3 dev vti0 src 10.50.1.25 uid 0
cache
$ ip link
2: ens5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP mode DEFAULT group default qlen 1000
link/ether AB:AB:AB:AB:AB:AB brd ff:ff:ff:ff:ff:ff
6: vti0@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1436 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/ipip 10.50.1.25 peer 100.100.100.100
Additional information about the ipsec status and iptables:
$ ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.15.0-1022-aws, x86_64):
uptime: 29 seconds, since Oct 20 14:17:36 2022
malloc: sbrk 2568192, mmap 0, used 786720, free 1781472
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
10.50.1.1
Connections:
near-to-far: %any...100.100.100.100 IKEv1, dpddelay=30s
near-to-far: local: [50.50.50.50] uses pre-shared key authentication
near-to-far: remote: [100.100.100.100] uses pre-shared key authentication
near-to-far: child: 0.0.0.0/32 === 10.0.0.0/12 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
near-to-far[1]: ESTABLISHED 29 seconds ago, 10.50.1.1[50.50.50.50]...100.100.100.100[100.100.100.100]
near-to-far[1]: IKEv1 SPIs: c371e91e6240fdd9_i* 7ce8c9676a22e5d5_r, pre-shared key reauthentication in 23 hours
near-to-far[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_1536
near-to-far{1}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1e35cb4_i 11cb0bbe_o
near-to-far{1}: AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
near-to-far{1}: 0.0.0.0/32 === 10.0.0.0/12
$ iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
REJECT tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere ip-10-0-0-0.us-west-2.compute.internal/12
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
$ iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- anywhere anywhere to:50.50.50.50
ACCEPT all -- ip-10-50-1-0.us-west-2.compute.internal/20 anywhere policy match dir out pol ipsec
MASQUERADE all -- ip-10-0-0-0.us-west-2.compute.internal/12 ip-10-50-1-0.us-west-2.compute.internal/23
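The checks below are an added example and are not part of the original post or of strongSwan itself. They reproduce the VTI bring-up sequence from the post as one function (not run by default, since it needs root and a real kernel) and then parse the posted `ipsec statusall` and `ip route get` output to answer the questions a practitioner asks when a CHILD_SA is INSTALLED but shows `0 bytes_o`: which device and source address the kernel picks for the destination, whether that destination and source fall inside the SA's remote and local traffic selectors, and whether anything has been encrypted into the SA at all. The sample text is copied from the post; the function names, the `ip_in_cidr` helper and the wording of the findings are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: checks a practitioner runs when a
# strongSwan VTI tunnel is ESTABLISHED/INSTALLED but carries no traffic.
# All sample input below is constructed from the output quoted in the post.
set -eu

# Bring-up sequence from the post, as one function. Needs root and a real
# kernel (ip, sysctl); it is NOT called by default.
vti_setup() {
    local name=$1 local_ip=$2 remote_ip=$3 key=$4 prefix=$5
    ip tunnel add "$name" local "$local_ip" remote "$remote_ip" mode vti key "$key"
    sysctl -w "net.ipv4.conf.${name}.disable_policy=1"
    ip link set "$name" up
    ip route add "$prefix" dev "$name"
}

# Sample `ipsec statusall` fragment (CHILD_SA lines only, copied from the post).
STATUSALL='near-to-far{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1e35cb4_i 11cb0bbe_o
near-to-far{1}:   AES_CBC_256/HMAC_SHA2_256_128, 0 bytes_i, 0 bytes_o, rekeying in 41 minutes
near-to-far{1}:    0.0.0.0/32 === 10.0.0.0/12'

# Sample `ip route get 10.1.2.3` output (copied from the post).
ROUTE_GET='10.1.2.3 dev vti0 src 10.50.1.25 uid 0
    cache'

# sa_counters TEXT -> "IN OUT": byte counters of the first installed CHILD_SA.
sa_counters() {
    printf '%s\n' "$1" | awk '/bytes_i/ {
        for (i = 1; i <= NF; i++) {
            if ($(i+1) == "bytes_i,") in_b  = $i
            if ($(i+1) == "bytes_o,") out_b = $i
        }
        print in_b, out_b; exit }'
}

# sa_selectors TEXT -> "LOCAL_TS REMOTE_TS" of the installed CHILD_SA
# (the line with ===, skipping the "child:" line of the connection definition).
sa_selectors() {
    printf '%s\n' "$1" | awk '/===/ && !/child:/ {
        for (i = 1; i <= NF; i++) if ($i == "===") { print $(i-1), $(i+1); exit } }'
}

# route_dev / route_src TEXT -> device / source address chosen by `ip route get`.
route_dev() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}
route_src() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i == "src") { print $(i+1); exit } }'
}

# ip_in_cidr IP CIDR -> exit 0 if IP lies inside CIDR. Pure awk arithmetic
# (no bit operators), so it also works in mawk and busybox awk.
ip_in_cidr() {
    [ "$(awk -v ip="$1" -v cidr="$2" '
        function toint(a, p) { split(a, p, "."); return ((p[1]*256 + p[2])*256 + p[3])*256 + p[4] }
        BEGIN {
            split(cidr, c, "/"); shift = 2 ^ (32 - c[2])
            r = (int(toint(ip)/shift) == int(toint(c[1])/shift)) ? "yes" : "no"
            print r
        }')" = yes ]
}

# tunnel_check DST STATUSALL ROUTE_GET -> one finding per line.
tunnel_check() {
    local dst=$1 sa=$2 rt=$3 dev src sel lts rts cnt
    dev=$(route_dev "$rt"); src=$(route_src "$rt")
    sel=$(sa_selectors "$sa"); lts=${sel% *}; rts=${sel#* }
    cnt=$(sa_counters "$sa")
    echo "route: $dst via dev $dev src $src"
    echo "selectors: $lts === $rts"
    if ip_in_cidr "$dst" "$rts"; then echo "dst in remote TS: yes"; else echo "dst in remote TS: no"; fi
    if ip_in_cidr "$src" "$lts"; then echo "src in local TS: yes"; else echo "src in local TS: no"; fi
    echo "counters: ${cnt% *} bytes in, ${cnt#* } bytes out"
    [ "${cnt#* }" != 0 ] || echo "note: nothing has been encrypted into this SA yet"
}

tunnel_check 10.1.2.3 "$STATUSALL" "$ROUTE_GET"
```

Run it as-is to see the findings for the posted output; call `vti_setup vti0 10.50.1.25 100.100.100.100 50 10.0.0.0/12` as root to reproduce the interface setup. Two things the script cannot see from `ipsec statusall` and that are worth checking by hand on a keyed VTI: the CHILD_SA's mark, which `ip xfrm state` prints and which must match the VTI key (50 here), and the per-interface `disable_xfrm`/`disable_policy` sysctls on `vti0`.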