初始数据
我正在学习基于网络的东西和 strongSwan 的正确配置。
使用我自己的通配符 SSL 证书。所有隧道均已成功建立并相互完成授权,从配置中指定的任何一侧发起都能得到响应。远程设备成功连接到 master 主机,但它们的流量仍停留在此 master 主机内,不会被进一步转发。远程用户的授权是通过 radius 插件进行的。
待解决的问题
具有一个公共入口点和多个出口点(动态 IP)的 VPN 网络组织
以下 Ubuntu 20.04 专用主机可用:
- 主机 A(主)-xx110.138
- 主机 B(从属 1)-xx166.115
- 主机 C (从属 2) - xx178.214
- 主机 D (从属 3) - xx140.120
RoadWarrior 客户端(macOS、iPhone、Android、Win10/11)连接到 master 主机。接下来,客户端流量被随机路由(在不久的将来,我希望通过负载均衡来实现这一点,但首先我需要弄清楚基本设置)到其中一个 slave 主机。如果任何一条到 slave 主机的 GRE 隧道已失效,则将其从总体路由方案中排除。通过 slave 主机访问网络时,客户端会从其被路由到的那台主机获得一个 IP 地址。
专用主机配置
主主机(xx110.138)
/etc/sysctl.conf
# /etc/sysctl.conf on the master: forwarding is required because RoadWarrior
# traffic (10.10.10.0/24) has to be routed from here into the GRE tunnels.
# The hardening keys set on the slaves (rp_filter, accept_redirects,
# send_redirects) are not present on this host.
net.ipv4.ip_forward = 1
/etc/netplan/01-grecfg.yaml
# /etc/netplan/01-grecfg.yaml on the master: one GRE tunnel per slave, each on
# its own point-to-point /24 (master is .1, slaves are .2/.3/.4 per their own
# netplan). GRE carries no authentication or encryption of its own; the
# ipsec.conf transport conns with %dynamic[gre] selectors are what protect it.
network:
  version: 2
  tunnels:
    tunToSlave1:
      mode: gre
      local: x.x.110.138
      remote: x.x.166.115
      addresses: [10.0.2.1/24]
      # 1442 presumably leaves room for GRE + ESP overhead inside a 1500-byte
      # uplink MTU — TODO confirm against the real path MTU
      mtu: 1442
      ttl: 255
    tunToSlave2:
      mode: gre
      local: x.x.110.138
      remote: x.x.178.214
      addresses: [10.0.3.1/24]
      mtu: 1442
      ttl: 255
    tunToSlave3:
      mode: gre
      local: x.x.110.138
      remote: x.x.140.120
      addresses: [10.0.4.1/24]
      mtu: 1442
      ttl: 255
/etc/ipsec.conf
# /etc/ipsec.conf on the master: three transport-mode SAs that protect the GRE
# tunnels to the slaves, plus the RoadWarrior tunnel conn (EAP via RADIUS).
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    # a peer certificate whose CRL cannot be fetched and validated is rejected,
    # so the CRL distribution point must stay reachable from this host
    strictcrlpolicy = yes

conn %default
    reauth = yes
    rekey = yes
    keyingtries = %forever
    keyexchange = ikev2
    # DPD every 5s; on timeout the conn is re-initiated (applies to all conns below)
    dpdaction = restart
    dpddelay = 5s
    mobike = yes

# GRE conns: identical apart from the peer address. Every host presents the same
# identity (@mydomain.com) and the same wildcard certificate / public key, so at
# the IKE layer this configuration cannot tell one slave from another (any host
# holding that key can complete any of these conns). Per-host identities or
# certificates would pin each conn to its intended peer.
conn tun-slave1
    left = %defaultroute
    right = x.x.166.115
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    # NOTE(review): this option expects a public key (PEM/DER); the file name
    # suggests a certificate — confirm what the file actually contains
    rightrsasigkey = /etc/central/rsa.cert.pem
    # selectors restricted to protocol GRE between the two peer addresses
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    # auto=start brings the SA up but installs no trap policy: while the SA is
    # down (e.g. during a DPD restart) GRE packets can be sent or accepted in
    # cleartext. auto=route would hold matching traffic until an SA exists.
    auto = start

conn tun-slave2
    left = %defaultroute
    right = x.x.178.214
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    auto = start

conn tun-slave3
    left = %defaultroute
    right = x.x.140.120
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    auto = start

# RoadWarrior conn: server authenticates with the certificate, clients with EAP
# against RADIUS. Clients get an address from 10.10.10.0/24; that pool is what
# has to be routed (and NATed) onward into the GRE tunnels.
conn remote-mobile
    dpddelay = 30s
    left = %any
    leftid = @mydomain.com
    leftcert = cert.pem
    leftsendcert = always
    # full tunnel, IPv4 and IPv6: claiming ::/0 keeps client IPv6 inside the
    # tunnel (no leak) even though the slaves have IPv6 disabled
    leftsubnet = 0.0.0.0/0,::/0
    right = %any
    rightid = %any
    rightauth = eap-radius
    rightsendcert = never
    eap_identity = %identity
    rightsourceip = 10.10.10.0/24
    rightdns = 8.8.8.8
    type = tunnel
    ike=aes128gcm16-sha2_256-prfsha256-ecp256!
    esp=aes128gcm16-sha2_256-ecp256!
    auto = add
    dpdaction = restart
    ikelifetime = 240m
    keylife = 60m

# This conn carries only proposals and lifetimes: no peer, identity or auth
# settings, and no auto= (neither here nor in %default), so the ipsec.conf
# default auto=ignore applies and it is never loaded. Its proposal lists also
# admit 3des, sha1 and modp1024, which are legacy choices far weaker than the
# strict suites used by every other conn in this file.
conn remote-pc
    ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
    ikelifetime=720m
    keylife=60m
从属 1 主机 (xx166.115)
/etc/sysctl.conf
# /etc/sysctl.conf on slave 1. Forwarding is required: client traffic arrives
# through tunToMaster and is routed out to the internet from here.
net.ipv4.ip_forward = 1
# disables path-MTU discovery for locally originated packets (no DF bit); with
# the 1442-byte GRE MTU this relies on fragmentation instead — TODO confirm intended
net.ipv4.ip_no_pmtu_disc = 1
# strict reverse-path filtering: packets from 10.10.10.0/24 arriving on
# tunToMaster are dropped unless this host's route back to 10.10.10.0/24 points
# at that tunnel (no such route is shown in the listings) — verify, or use loose
# mode (2)
net.ipv4.conf.all.rp_filter = 1
# ICMP redirects neither accepted nor sent (not set on the master)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# IPv6 fully disabled: client ::/0 traffic tunnelled to the master cannot be
# forwarded by this host
net.ipv6.conf.all.disable_ipv6 = 1
/etc/netplan/01-grecfg.yaml
# /etc/netplan/01-grecfg.yaml on slave 1: the slave end (10.0.2.2) of the
# master's tunToSlave1 (10.0.2.1). GRE is unprotected on its own; the
# gre-master conn in ipsec.conf supplies authentication and encryption.
network:
  version: 2
  tunnels:
    tunToMaster:
      mode: gre
      local: x.x.166.115
      remote: x.x.110.138
      addresses: [10.0.2.2/24]
      # must match the master side (1442) — TODO confirm against the path MTU
      mtu: 1442
      ttl: 255
/etc/ipsec.conf
# /etc/ipsec.conf on slave 1: one transport-mode conn protecting the GRE tunnel
# to the master. Identity, certificate and public key are the same
# @mydomain.com / wildcard material as on every other host, so the IKE layer
# cannot distinguish this slave from the others.
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    # a peer certificate whose CRL cannot be fetched and validated is rejected
    strictcrlpolicy = yes

conn %default
    reauth = yes
    rekey = yes
    keyingtries = %forever
    keyexchange = ikev2
    dpdaction = restart
    dpddelay = 5s
    mobike = yes

conn gre-master
    left = %defaultroute
    # right is the master's public address (x.x.110.138). The trailing
    # "<- slave1 local ip" is a page annotation, not ipsec.conf syntax, and it
    # contradicts the value (this slave's own address is x.x.166.115); it must
    # not be present in the deployed file.
    right = x.x.110.138 <- slave1 local ip
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    # NOTE(review): expects a public key (PEM/DER); the file name suggests a
    # certificate — confirm what the file actually contains
    rightrsasigkey = /etc/central/rsa.cert.pem
    # selectors restricted to protocol GRE between the two peer addresses
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    # passive side: waits for the master (auto=start) to initiate. No trap policy
    # is installed, so GRE can be sent or accepted in cleartext while the SA is
    # down; auto=route would hold GRE traffic until an SA exists.
    auto = add
从属2主机(xx178.214)
/etc/sysctl.conf
# /etc/sysctl.conf on slave 2 (same set as the other slaves). Forwarding is
# required: client traffic arrives through tunToMaster and leaves via the uplink.
net.ipv4.ip_forward = 1
# disables path-MTU discovery for locally originated packets — TODO confirm intended
net.ipv4.ip_no_pmtu_disc = 1
# strict reverse-path filtering: packets from 10.10.10.0/24 arriving on
# tunToMaster are dropped unless a route back to 10.10.10.0/24 points at that
# tunnel (none is shown in the listings) — verify, or use loose mode (2)
net.ipv4.conf.all.rp_filter = 1
# ICMP redirects neither accepted nor sent (not set on the master)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# IPv6 fully disabled: client ::/0 traffic cannot be forwarded by this host
net.ipv6.conf.all.disable_ipv6 = 1
/etc/netplan/01-grecfg.yaml
# /etc/netplan/01-grecfg.yaml on slave 2: the slave end (10.0.3.3) of the
# master's tunToSlave2 (10.0.3.1). GRE is unprotected on its own; the
# gre-master conn in ipsec.conf supplies authentication and encryption.
network:
  version: 2
  tunnels:
    tunToMaster:
      mode: gre
      local: x.x.178.214
      remote: x.x.110.138
      addresses: [10.0.3.3/24]
      # must match the master side (1442) — TODO confirm against the path MTU
      mtu: 1442
      ttl: 255
/etc/ipsec.conf
# /etc/ipsec.conf on slave 2: one transport-mode conn protecting the GRE tunnel
# to the master. Identity, certificate and public key are the same
# @mydomain.com / wildcard material as on every other host, so the IKE layer
# cannot distinguish this slave from the others.
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    # a peer certificate whose CRL cannot be fetched and validated is rejected
    strictcrlpolicy = yes

conn %default
    reauth = yes
    rekey = yes
    keyingtries = %forever
    keyexchange = ikev2
    dpdaction = restart
    dpddelay = 5s
    mobike = yes

conn gre-master
    left = %defaultroute
    # right has no address here at all — only the page annotation "<- slave2
    # local ip", which is not ipsec.conf syntax. On the other slaves (and per
    # the netplan remote above) the value is the master's public address,
    # x.x.110.138; the deployed file needs that value and no annotation.
    right = <- slave2 local ip
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    # NOTE(review): expects a public key (PEM/DER); the file name suggests a
    # certificate — confirm what the file actually contains
    rightrsasigkey = /etc/central/rsa.cert.pem
    # selectors restricted to protocol GRE between the two peer addresses
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    # passive side: waits for the master (auto=start) to initiate. No trap policy
    # is installed, so GRE can be sent or accepted in cleartext while the SA is
    # down; auto=route would hold GRE traffic until an SA exists.
    auto = add
从属3主机(xx140.120)
/etc/sysctl.conf
# /etc/sysctl.conf on slave 3 (same set as the other slaves). Forwarding is
# required: client traffic arrives through tunToMaster and leaves via the uplink.
net.ipv4.ip_forward = 1
# disables path-MTU discovery for locally originated packets — TODO confirm intended
net.ipv4.ip_no_pmtu_disc = 1
# strict reverse-path filtering: packets from 10.10.10.0/24 arriving on
# tunToMaster are dropped unless a route back to 10.10.10.0/24 points at that
# tunnel (none is shown in the listings) — verify, or use loose mode (2)
net.ipv4.conf.all.rp_filter = 1
# ICMP redirects neither accepted nor sent (not set on the master)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# IPv6 fully disabled: client ::/0 traffic cannot be forwarded by this host
net.ipv6.conf.all.disable_ipv6 = 1
/etc/netplan/01-grecfg.yaml
# /etc/netplan/01-grecfg.yaml on slave 3: the slave end (10.0.4.4) of the
# master's tunToSlave3 (10.0.4.1). GRE is unprotected on its own; the
# gre-master conn in ipsec.conf supplies authentication and encryption.
network:
  version: 2
  tunnels:
    tunToMaster:
      mode: gre
      local: x.x.140.120
      remote: x.x.110.138
      addresses: [10.0.4.4/24]
      # must match the master side (1442) — TODO confirm against the path MTU
      mtu: 1442
      ttl: 255
/etc/ipsec.conf
# /etc/ipsec.conf on slave 3: one transport-mode conn protecting the GRE tunnel
# to the master. Identity, certificate and public key are the same
# @mydomain.com / wildcard material as on every other host, so the IKE layer
# cannot distinguish this slave from the others.
config setup
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    # a peer certificate whose CRL cannot be fetched and validated is rejected
    strictcrlpolicy = yes

conn %default
    reauth = yes
    rekey = yes
    keyingtries = %forever
    keyexchange = ikev2
    dpdaction = restart
    dpddelay = 5s
    mobike = yes

conn gre-master
    left = %defaultroute
    # right is the master's public address (x.x.110.138). The trailing
    # "<- slave3 local ip" is a page annotation, not ipsec.conf syntax, and it
    # contradicts the value (this slave's own address is x.x.140.120); it must
    # not be present in the deployed file.
    right = x.x.110.138 <- slave3 local ip
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    # NOTE(review): expects a public key (PEM/DER); the file name suggests a
    # certificate — confirm what the file actually contains
    rightrsasigkey = /etc/central/rsa.cert.pem
    # selectors restricted to protocol GRE between the two peer addresses
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    # passive side: waits for the master (auto=start) to initiate. No trap policy
    # is installed, so GRE can be sent or accepted in cleartext while the SA is
    # down; auto=route would hold GRE traffic until an SA exists.
    auto = add
问题
如何正确确定用于动态路由的接口参数?特别是,我无法在各主机本地正确设置网络/子网。按照一份指南,我能够实现 master->slave1 的方案,但对于多台主机的情况,我理解起来很困难 :(
对于列出的 ipsec 配置,还存在正确定义网络/子网的问题——在此交互方案中,如何为每个主机正确定义 leftsubnet/rightsubnet 参数,或者我可以直接保留 %dynamic 值?在这种情况下使用 Quagga 做动态路由是否多余?
一组主机(主 -> 从属)与前面描述的任务的交互方案是否定义正确?顺便说一句,我尝试过从从属主机向主主机建立隧道,但每个后续隧道都会覆盖前一个隧道。
接口和常规 ipsec 配置中的参数是否有错误?
我应该在每个主机中为 iptables 设置什么规则?我猜,在三个从属主机中,至少需要指定用于伪装的 nat 表规则。不久前,我只在 1 台服务器上安装了 strongSwan,并设置了以下一般规则:
# Rules the author previously used on a single strongSwan host (client pool
# 10.10.10.0/24, uplink eth0). INPUT and FORWARD end in an unconditional DROP.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# IKE and NAT-T only. Raw ESP (IP protocol 50) is not accepted anywhere in this
# set: between two public hosts with no NAT in between, strongSwan does not
# UDP-encapsulate, so the GRE-protecting SAs of the new topology would hit the
# final INPUT DROP below. That topology needs `-p esp -j ACCEPT`, and GRE
# (protocol 47) should be accepted only together with
# `-m policy --pol ipsec --dir in`, so that a cleartext GRE packet arriving from
# the internet is never accepted.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p udp --dport 4500 -j ACCEPT
# forward client traffic only when it arrived / leaves under an IPsec policy
iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
# exempt traffic that will be IPsec-encapsulated from masquerading, NAT the rest
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
# clamp TCP MSS for tunnelled clients to absorb the ESP overhead (TCP only)
iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
# dropping every ICMP addressed to this host also drops "fragmentation needed",
# which breaks path-MTU discovery for the host's own packets — including the
# ESP/GRE outer packets of the new topology, which the MSS clamp above does not
# cover
iptables -A INPUT -p icmp -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
我将非常感谢任何帮助、解释和有用的信息。
干杯<3