Strongswan (IKEv2) connection is established, but I cannot reach the system acting as the VPN server


My ipsec configuration

/etc/ipsec.conf

# ipsec.conf - strongSwan IPsec configuration file

conn myvpn
  auto=add
  keyexchange=ikev1
  authby=secret
  type=transport
  left=%defaultroute
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=$VPN_SERVER_IP
  ike=aes128-sha1-modp2048
  esp=aes128-sha1

/etc/xl2tpd/xl2tpd.conf

[lac myvpn]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes

/etc/ppp/options.l2tpd.client

ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
name "$VPN_USER"
password "$VPN_PASSWORD"

StrongSwan VPN connection

initiating Main Mode IKE_SA myvpn[1] to 10.4.2.4
generating ID_PROT request 0 [ SA V V V V V ]
sending packet: from 10.4.1.4[500] to 10.4.2.4[500] (240 bytes)
received packet: from 10.4.2.4[500] to 10.4.1.4[500] (160 bytes)
parsed ID_PROT response 0 [ SA V V V V ]
received XAuth vendor ID
received DPD vendor ID
received FRAGMENTATION vendor ID
received NAT-T (RFC 3947) vendor ID
selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
sending packet: from 10.4.1.4[500] to 10.4.2.4[500] (372 bytes)
received packet: from 10.4.2.4[500] to 10.4.1.4[500] (372 bytes)
parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
sending packet: from 10.4.1.4[500] to 10.4.2.4[500] (108 bytes)
received packet: from 10.4.2.4[500] to 10.4.1.4[500] (76 bytes)
parsed ID_PROT response 0 [ ID HASH ]
IKE_SA myvpn[1] established between 10.4.1.4[10.4.1.4]...10.4.2.4[10.4.2.4]
scheduling reauthentication in 9925s
maximum IKE_SA lifetime 10465s
generating QUICK_MODE request 310716818 [ HASH SA No ID ID ]
sending packet: from 10.4.1.4[500] to 10.4.2.4[500] (220 bytes)
received packet: from 10.4.2.4[500] to 10.4.1.4[500] (172 bytes)
parsed QUICK_MODE response 310716818 [ HASH SA No ID ID ]
selected proposal: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
CHILD_SA myvpn{1} established with SPIs c11429dc_i c53fee9d_o and TS 10.4.1.4/32[udp/l2f] === 10.4.2.4/32[udp/l2f]
generating QUICK_MODE request 310716818 [ HASH ]
connection 'myvpn' established successfully

netplan of the client system that connects to the VPN server

network:
  version: 2
  renderer: networkd
  ethernets:
    enx7cc2c642ce1f:
      addresses:
      - 10.4.1.4/16
      routes:
      - to: 0.0.0.0
        via: 10.4.1.1
      nameservers:
        addresses:
        - 10.4.1.1
    eno1:
      addresses:
      - 10.1.1.231/24
      routes:
      - to: 0.0.0.0
        via: 10.1.1.251
      nameservers:
        addresses:
        - 10.1.1.23
        - 10.1.1.22
    enx7cc2c6436994:
      dhcp4: false
      addresses:
      - 10.2.1.1/16
  vlans:
    vlan.401:
      id: 401
      dhcp4: false
      addresses:
      - 10.4.1.1/15
      link: enx7cc2c6436994
    vlan.601:
      id: 601
      dhcp4: false
      addresses:
      - 10.6.1.1/16
      link: enx7cc2c6436994

IP routes present on the system

0.0.0.0 via 10.4.1.1 dev enx7cc2c642ce1f proto static
0.0.0.0 via 10.1.1.251 dev eno1 proto static
default via 10.1.1.251 dev eno1 proto dhcp src 10.1.1.101 metric 100
10.1.1.0/24 dev eno1 proto kernel scope link src 10.1.1.231
10.1.1.22 dev eno1 proto dhcp scope link src 10.1.1.101 metric 100
10.1.1.23 dev eno1 proto dhcp scope link src 10.1.1.101 metric 100
10.1.1.251 dev eno1 proto dhcp scope link src 10.1.1.101 metric 100
blackhole 10.1.48.64/26 proto 80
10.1.48.93 dev cali0327d21449c scope link
10.2.0.0/16 dev enx7cc2c6436994 proto kernel scope link src 10.2.1.1
10.4.0.0/16 dev enx7cc2c642ce1f proto kernel scope link src 10.4.1.4
10.4.0.0/15 dev vlan.401 proto kernel scope link src 10.4.1.1
10.6.0.0/16 dev vlan.601 proto kernel scope link src 10.6.1.1
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown

I added the following route to reach devices on the 10.5.0.0/16 subnet that sits behind the VPN server.

Note: I am able to ping the devices from the VPN server.

ip route add to 10.5.0.0/16 via 10.4.1.1 dev enx7cc2c642ce1f

But I still cannot ping any device on the 10.5.0.0/16 subnet.
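The check a practitioner would run against the table posted above, as an added example that is not the asker's code: replay the kernel's longest-prefix-match decision for a host in 10.5.0.0/16, before and after the `ip route add` from the question, and see which interface the packet actually leaves on. The log line `TS 10.4.1.4/32[udp/l2f] === 10.4.2.4/32[udp/l2f]` shows a transport-mode SA that only protects UDP 1701 between the two peers; anything destined for 10.5.0.0/16 reaches the far side only if it is routed into the PPP interface that xl2tpd brings up, so the script flags a selected route that does not use a `ppp*` device, a route type that drops traffic, and a next hop that is one of the host's own addresses. Assumptions: the routing table and the set of local addresses are copied from the question's `ip route` output and netplan; 10.5.1.10 is a made-up destination inside the subnet; a bare address without a prefix length is treated as a /32 host route and `default` as 0.0.0.0/0, which is how iproute2 prints them.

```python
"""Longest-prefix-match lookup over a pasted `ip route` table.

Added example for the question above (not the asker's code).  It replays the
kernel's routing decision for a destination in 10.5.0.0/16 and reports what an
L2TP/IPsec client admin needs to know: does the chosen route go into the ppp
interface, or does it leave on Ethernet (and thus bypass the tunnel)?
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Routing table exactly as posted in the question (constructed input).
POSTED_ROUTES = """\
0.0.0.0 via 10.4.1.1 dev enx7cc2c642ce1f proto static
0.0.0.0 via 10.1.1.251 dev eno1 proto static
default via 10.1.1.251 dev eno1 proto dhcp src 10.1.1.101 metric 100
10.1.1.0/24 dev eno1 proto kernel scope link src 10.1.1.231
10.1.1.22 dev eno1 proto dhcp scope link src 10.1.1.101 metric 100
10.1.1.23 dev eno1 proto dhcp scope link src 10.1.1.101 metric 100
10.1.1.251 dev eno1 proto dhcp scope link src 10.1.1.101 metric 100
blackhole 10.1.48.64/26 proto 80
10.1.48.93 dev cali0327d21449c scope link
10.2.0.0/16 dev enx7cc2c6436994 proto kernel scope link src 10.2.1.1
10.4.0.0/16 dev enx7cc2c642ce1f proto kernel scope link src 10.4.1.4
10.4.0.0/15 dev vlan.401 proto kernel scope link src 10.4.1.1
10.6.0.0/16 dev vlan.601 proto kernel scope link src 10.6.1.1
"""

# The route the asker added afterwards, written as `ip route` would show it.
ADDED_ROUTE = "10.5.0.0/16 via 10.4.1.1 dev enx7cc2c642ce1f"

# Addresses the netplan in the question assigns to this host.
LOCAL_ADDRESSES = {"10.4.1.4", "10.1.1.231", "10.2.1.1", "10.4.1.1", "10.6.1.1"}

# Route types iproute2 prints as a leading keyword.
ROUTE_TYPES = {"blackhole", "unreachable", "prohibit", "unicast", "local", "broadcast"}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    via: Optional[str]   # next-hop address, None for on-link routes
    dev: Optional[str]   # output interface
    metric: int
    rtype: str


def parse_route(line: str) -> Route:
    """Parse one line of `ip route show` output.

    iproute2 prints 0.0.0.0/0 as `default`; a bare address without a prefix
    length (e.g. `0.0.0.0` or `10.1.1.22`) is a /32 host route.
    """
    tokens = line.split()
    rtype = "unicast"
    if tokens[0] in ROUTE_TYPES:
        rtype = tokens.pop(0)
    dst = tokens.pop(0)
    if dst == "default":
        prefix = ipaddress.IPv4Network("0.0.0.0/0")
    else:
        prefix = ipaddress.IPv4Network(dst if "/" in dst else f"{dst}/32")
    via = dev = None
    metric = 0
    it = iter(tokens)
    for tok in it:  # next(it) inside the loop consumes the keyword's argument
        if tok == "via":
            via = next(it)
        elif tok == "dev":
            dev = next(it)
        elif tok == "metric":
            metric = int(next(it))
    return Route(prefix, via, dev, metric, rtype)


def parse_table(text: str) -> list[Route]:
    return [parse_route(line) for line in text.splitlines() if line.strip()]


def lookup(dst: str, routes: list[Route]) -> Optional[Route]:
    """Kernel-style selection: longest prefix wins, lowest metric breaks ties."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def diagnose(dst: str, routes: list[Route], local: set[str]) -> list[str]:
    """Return the selected route plus any finding that explains lost VPN traffic."""
    r = lookup(dst, routes)
    if r is None:
        return ["no route"]
    findings = [f"{dst} -> {r.prefix} via {r.via or 'link'} dev {r.dev}"]
    if r.rtype != "unicast":
        findings.append(f"route type {r.rtype}: traffic is dropped or rejected")
    if r.dev is None or not r.dev.startswith("ppp"):
        findings.append("not a ppp interface: packets bypass the L2TP tunnel "
                        "(the transport-mode SA only covers UDP 1701)")
    if r.via in local:
        findings.append(f"next hop {r.via} is one of this host's own addresses")
    return findings


if __name__ == "__main__":
    base = parse_table(POSTED_ROUTES)
    for label, table in (("before ip route add", base),
                         ("after ip route add", base + [parse_route(ADDED_ROUTE)])):
        print(label)
        for finding in diagnose("10.5.1.10", table, LOCAL_ADDRESSES):
            print("  ", finding)
```

Run against the posted table, the destination is matched by `10.4.0.0/15 dev vlan.401` before the added route and by `10.5.0.0/16 via 10.4.1.1` after it; in neither case does the packet enter a `ppp*` interface, and 10.4.1.1 is the host's own vlan.401 address. Checking `ip route` for a `ppp` device after xl2tpd connects, and pointing the 10.5.0.0/16 route at that device, is the first thing to verify.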
