I want to hide my locally hosted server behind a public VPS. So I set up a VPN between my local firewall (Fortinet) and my VPS (strongSwan). (diagram)
The VPN is up, but no traffic flows at all. Even in tcpdump I don't see traffic from the tunnel in either direction.
VPS:
- 92.xxx (srv1.domain.net) on ens6
- 10.200.0.25/29 on ens6:1 (alias IP added to the network device with "ip addr add")
Home:
- dynamic IP -> 82.xxx on wan1 (home.domain.net)
- 10.1.0.0/20
VPS
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 93.x.x.1 0.0.0.0 UG 100 0 0 ens6
10.200.0.24 0.0.0.0 255.255.255.248 U 0 0 0 ens6
93.x.x.1 0.0.0.0 255.255.255.255 UH 100 0 0 ens6
ipsec config file
lifetime=3600s
ikelifetime=3h
keyingtries=3
keyexchange=ikev2
authby=secret
type=tunnel
auto=start
mobike=no
ike=aes128-aes256-sha256-sha384-x25519!
esp=aes128gcm16-aes256gcm16-x25519!
leftsubnet=10.200.0.24/29
left=92.x.x.x
conn home
right=home.domain.net
rightsubnet=10.1.0.0/20
root@ubuntu:~# ipsec status
Security Associations (1 up, 0 connecting):
home[1]: ESTABLISHED 93 minutes ago, 93.x.x.x[srv1.domain.net]...88.x.x.x[home.domain.net]
home{3}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1fc6d50_i c502a2f6_o
home{3}: 10.200.0.24/29 === 10.1.0.0/20
root@ubuntu:~# ip xfrm state
src 93.x.x.x dst 82.x.x.x
proto esp spi 0xc502a2f6 reqid 1 mode tunnel
replay-window 0 flag af-unspec
aead rfc4106(gcm(aes)) 0xxxxxxx 128
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 82.x.x.x dst 93.x.x.x
proto esp spi 0xc1fc6d50 reqid 1 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0xxxxxxx 128
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
Ping from 10.1.2.77 to 10.200.0.25
Fortigate firewall
fw # diagnose sniffer packet "S2S-srv1" none 4
interfaces=[S2S-srv1]
filters=[none]
pcap_lookupnet: S2S-srv1: no IPv4 address assigned
4.900617 S2S-srv1 -- 10.1.2.77 -> 10.200.0.25: icmp: echo request
9.866557 S2S-srv1 -- 10.1.2.77 -> 10.200.0.25: icmp: echo request
14.866824 S2S-srv1 -- 10.1.2.77 -> 10.200.0.25: icmp: echo request
19.867489 S2S-srv1 -- 10.1.2.77 -> 10.200.0.25: icmp: echo request
VPS
root@ubuntu:~# tcpdump -v -n -i any port not 22 and not port 53
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
[empty]
Ping from the VPS to 10.1.1.1
Fortigate firewall
fw # diagnose sniffer packet "S2S-srv1" none 4
interfaces=[S2S-srv1]
filters=[none]
pcap_lookupnet: S2S-srv1: no IPv4 address assigned
[empty]
VPS
root@ubuntu:~# tcpdump -v -n -i any port not 22
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
13:09:47.663917 ens6 Out IP (tos 0x0, ttl 64, id 34394, offset 0, flags [DF], proto ESP (50), length 140)
93.x.x.x > 88.x.x.x: ESP(spi=0xc502a2f6,seq=0x5), length 120
13:09:48.688043 ens6 Out IP (tos 0x0, ttl 64, id 34532, offset 0, flags [DF], proto ESP (50), length 140)
93.x.x.x > 88.x.x.x: ESP(spi=0xc502a2f6,seq=0x6), length 120
Ping from the VPS 10.200.0.25 to 10.1.1.1
Fortigate firewall
fw # diagnose sniffer packet "S2S-srv1" none 4
interfaces=[S2S-srv1]
filters=[none]
pcap_lookupnet: S2S-srv1: no IPv4 address assigned
[empty]
VPS
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
13:14:48.239905 lo In IP (tos 0x0, ttl 64, id 45593, offset 0, flags [DF], proto ICMP (1), length 92, options (NOP,LSRR 10.1.1.1))
10.200.0.25 > 10.200.0.25: ICMP echo request, id 15, seq 26, length 64
13:14:49.263958 lo In IP (tos 0x0, ttl 64, id 45646, offset 0, flags [DF], proto ICMP (1), length 92, options (NOP,LSRR 10.1.1.1))
10.200.0.25 > 10.200.0.25: ICMP echo request, id 15, seq 27, length 64
I believe I need to set up some iptables rules.... Does anyone have any hints?
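The two diagnostics in the post, `ip xfrm state` and a `tcpdump -v -n -i any` capture, already answer the question "does the tunnel carry anything, and could this plaintext packet ever enter it?" once they are read against the tunnel's traffic selectors. The script below is an added example, not code from the post or from strongSwan: it parses both outputs, reports per-SA whether the kernel's sequence counters have moved, and checks each plaintext packet against the `leftsubnet`/`rightsubnet` pair from the post's config. All sample text is constructed in the shape of the post's output, with RFC 5737 documentation addresses standing in for the masked public IPs; `LOCAL_IP` is a constructed stand-in for the VPS address.

```python
"""Assess an IPsec tunnel from `ip xfrm state` and tcpdump output.
Added example, not part of the original post; sample text is constructed in the
shape of the post's output, with RFC 5737 addresses for the public IPs."""
import ipaddress
import re
from collections import namedtuple

LOCAL_IP = "203.0.113.10"                           # constructed VPS public IP
LOCAL_NET = ipaddress.ip_network("10.200.0.24/29")  # leftsubnet in the post
REMOTE_NET = ipaddress.ip_network("10.1.0.0/20")    # rightsubnet in the post

# Constructed: outbound SA has sent 6 ESP packets, inbound SA has received none.
XFRM_STATE = """\
src 203.0.113.10 dst 198.51.100.20
\tproto esp spi 0xc502a2f6 reqid 1 mode tunnel
\tanti-replay context: seq 0x0, oseq 0x6, bitmap 0x00000000
src 198.51.100.20 dst 203.0.113.10
\tproto esp spi 0xc1fc6d50 reqid 1 mode tunnel
\tanti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
"""

# Constructed: two lines per packet, as `tcpdump -v -n -i any` prints them.
TCPDUMP = """\
13:14:48.239905 lo In IP (tos 0x0, ttl 64, id 45593, offset 0, flags [DF], proto ICMP (1), length 92, options (NOP,LSRR 10.1.1.1))
    10.200.0.25 > 10.200.0.25: ICMP echo request, id 15, seq 26, length 64
13:14:49.100000 ens6 Out IP (tos 0x0, ttl 64, id 34532, offset 0, flags [DF], proto ESP (50), length 140)
    203.0.113.10 > 198.51.100.20: ESP(spi=0xc502a2f6,seq=0x6), length 120
13:14:49.200000 ens6 In IP (tos 0x0, ttl 64, id 100, offset 0, flags [DF], proto ICMP (1), length 84)
    10.1.1.1 > 10.200.0.25: ICMP echo reply, id 16, seq 1, length 64
"""

# seq = highest sequence number accepted on receive, oseq = counter used on send
Sa = namedtuple("Sa", "src dst spi reqid seq oseq")
Packet = namedtuple("Packet", "iface direction src dst proto esp_seq options")

SA_HDR = re.compile(r"^src (\S+) dst (\S+)")
SA_SPI = re.compile(r"spi (0x[0-9a-f]+) reqid (\d+)")
SA_REPLAY = re.compile(r"seq (0x[0-9a-f]+), oseq (0x[0-9a-f]+)")
PKT_HDR = re.compile(r"^\S+ (\S+) (In|Out) IP \((.*)\)$")
PKT_OPTS = re.compile(r"options \(([^)]*)\)")
PKT_FLOW = re.compile(r"^\s*(\S+) > (\S+): (ESP\(spi=(0x[0-9a-f]+),seq=(0x[0-9a-f]+)\)|[A-Za-z0-9]+)")

def parse_xfrm_state(text):
    """One Sa per 'src ... dst ...' block; the anti-replay line closes a block."""
    sas, cur = [], None
    for line in text.splitlines():
        m = SA_HDR.match(line)
        if m:
            cur = {"src": m.group(1), "dst": m.group(2)}
        elif cur is not None and SA_SPI.search(line):
            m = SA_SPI.search(line)
            cur["spi"], cur["reqid"] = int(m.group(1), 16), int(m.group(2))
        elif cur is not None and SA_REPLAY.search(line):
            m = SA_REPLAY.search(line)
            cur["seq"], cur["oseq"] = int(m.group(1), 16), int(m.group(2), 16)
            sas.append(Sa(**cur))
            cur = None
    return sas

def sa_traffic(sas, local_ip):
    """spi -> (direction, carried_traffic), judged from each SA's own counter."""
    return {sa.spi: ("out", sa.oseq > 0) if sa.src == local_ip else ("in", sa.seq > 0)
            for sa in sas}

def parse_tcpdump(text):
    """Pair each tcpdump header line with the flow line that follows it."""
    pkts, hdr = [], None
    for line in text.splitlines():
        m = PKT_HDR.match(line)
        if m:
            opts = PKT_OPTS.search(m.group(3))
            hdr = (m.group(1), m.group(2), opts.group(1) if opts else None)
            continue
        m = PKT_FLOW.match(line)
        if m and hdr:
            esp = m.group(4) is not None
            pkts.append(Packet(hdr[0], hdr[1], m.group(1), m.group(2), "ESP" if esp else m.group(3),
                               int(m.group(5), 16) if esp else None, hdr[2]))
            hdr = None
    return pkts

def selector_matches(pkt, local_net, remote_net):
    """True if a plaintext packet sits inside leftsubnet <-> rightsubnet either way."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    return (src in local_net and dst in remote_net) or (src in remote_net and dst in local_net)

def assess_capture(pkts, local_net, remote_net):
    """Count ESP packets and sort plaintext into selected / unselected with a reason."""
    report = {"esp": 0, "selected": [], "unselected": []}
    for p in pkts:
        if p.proto == "ESP":
            report["esp"] += 1
        elif selector_matches(p, local_net, remote_net):
            report["selected"].append(f"{p.src}>{p.dst}")
        else:
            why = "outside selectors"
            if p.options and "LSRR" in p.options:
                # With loose source routing the IP destination field holds the first
                # hop, not the host named in the option, so that is what the selector sees.
                why += f"; source-routed ({p.options})"
            report["unselected"].append((f"{p.src}>{p.dst}", why))
    return report
```

Run against real output, the two readings to look for are an inbound SA whose `seq` stays at zero while the peer claims to be sending (nothing is arriving, or it arrives with a different SPI), and plaintext pings that the selector check rejects: a packet whose destination is the VPS's own 10.200.0.25, as in the last capture in the post, can never match a `10.200.0.24/29 === 10.1.0.0/20` policy regardless of any address carried in an IP option.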