
通过多个 GRE over IPsec 隧道进行动态流量路由

初始数据

我正在学习基于网络的东西和 strongSwan 的正确配置。

使用我自己的通配符 SSL 证书。所有隧道均已成功建立并相互完成授权,配置中指定的任一侧都能正常响应。远程设备成功连接到 master 主机,但它们的流量仍停留在此 master 主机内,不会进一步转发。远程用户的授权是通过 radius 插件进行的。


待解决的问题

具有一个公共入口点和多个出口点(动态 IP)的 VPN 网络组织

以下 Ubuntu 20.04 专用主机可用:

  1. 主机 A(主)-xx110.138
  2. 主机 B(从属 1)-xx166.115
  3. 主机 C (从属 2) - xx178.214
  4. 主机 D (从属 3) - xx140.120

RoadWarrior 客户端(macOS、iPhone、Android、Win10/11)连接到 master 主机。接下来,客户端流量被随机路由到其中一个 slave 主机(在不久的将来,我希望通过负载均衡来实现这一点,但首先我需要弄清楚基本设置)。如果到任一 slave 主机的 GRE 隧道已失效,则将其从整体路由中排除。当通过 slave 主机访问网络时,客户端会从其被路由到的那台主机获得一个 IP 地址。


专用主机配置

主主机(xx110.138)

/etc/sysctl.conf

# host A (master) must route between interfaces so that client traffic
# can be sent on towards the GRE tunnels instead of ending on this host
net.ipv4.ip_forward = 1

/etc/netplan/01-grecfg.yaml

network:
  version: 2
  tunnels:
    # One plain GRE tunnel (IP protocol 47) from host A (master) to each slave.
    # GRE itself gives no confidentiality or integrity; each tunnel relies on the
    # matching transport-mode IPsec conn (leftsubnet/rightsubnet = %dynamic[gre])
    # in /etc/ipsec.conf.
    # NOTE(review): netplan brings these interfaces up independently of
    # strongSwan, so GRE sent before the IPsec SA exists would leave in clear
    # unless the kernel policy traps it — confirm with `ip xfrm policy`.
    tunToSlave1:
      mode: gre
      local: x.x.110.138   # host A (master) public address
      remote: x.x.166.115  # host B (slave 1)
      addresses:
        - 10.0.2.1/24      # slave 1 side is 10.0.2.2/24
      mtu: 1442            # presumably sized for GRE + ESP overhead; verify with a DF ping
      ttl: 255
    tunToSlave2:
      mode: gre
      local: x.x.110.138   # host A (master) public address
      remote: x.x.178.214  # host C (slave 2)
      addresses:
        - 10.0.3.1/24      # slave 2 side is 10.0.3.3/24
      mtu: 1442
      ttl: 255
    tunToSlave3:
      mode: gre
      local: x.x.110.138   # host A (master) public address
      remote: x.x.140.120  # host D (slave 3)
      addresses:
        - 10.0.4.1/24      # slave 3 side is 10.0.4.4/24
      mtu: 1442
      ttl: 255

/etc/ipsec.conf

# /etc/ipsec.conf on host A (master): initiates the three transport-mode SAs
# that protect the GRE tunnels to the slaves, and terminates the RoadWarrior
# tunnels (EAP via RADIUS).
config setup
    # verbose charon logging (cfg/dmn/ike/net at level 2); lower for production
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    # a peer certificate is rejected unless a fresh CRL can be checked
    strictcrlpolicy = yes
# settings inherited by every conn below
conn %default
    reauth = yes
    rekey = yes
    # keep retrying IKE negotiation indefinitely
    keyingtries = %forever
    keyexchange = ikev2
    # dead peer detection every 5s; re-initiate the SA when the peer is gone
    dpdaction = restart
    dpddelay = 5s
    # MOBIKE lets a peer change its address without a full renegotiation
    mobike = yes
# host A <-> host B (slave 1): transport mode, only GRE between the two
# endpoints is selected for IPsec (see %dynamic[gre] below)
conn tun-slave1
    left = %defaultroute
    right = x.x.166.115
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    # NOTE(review): both ends appear to use the same identity and the same
    # (wildcard) certificate; any holder of that key can pose as any peer,
    # so per-host identities and certificates would make peers distinguishable
    leftid = @mydomain.com
    rightid = @mydomain.com
    # peer's raw public key, read from this file
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    # the master initiates; the slaves only load the conn (auto = add)
    auto = start
# host A <-> host C (slave 2): same as tun-slave1
conn tun-slave2
    left = %defaultroute
    right = x.x.178.214
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    auto = start
# host A <-> host D (slave 3): same as tun-slave1
conn tun-slave3
    left = %defaultroute
    right = x.x.140.120
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    leftid = @mydomain.com
    rightid = @mydomain.com
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    auto = start
# RoadWarrior clients (macOS / iPhone / Android / Win10-11)
conn remote-mobile
    dpddelay = 30s
    left = %any
    leftid = @mydomain.com
    leftcert = cert.pem
    leftsendcert = always
    # full tunnel: clients are told to send all IPv4 and IPv6 traffic here
    leftsubnet = 0.0.0.0/0,::/0
    right = %any
    rightid = %any
    # user authentication is delegated to the RADIUS server
    rightauth = eap-radius
    rightsendcert = never
    # ask the client for a separate EAP identity (the one RADIUS sees)
    eap_identity = %identity
    # virtual IP pool handed out to clients
    rightsourceip = 10.10.10.0/24
    # DNS server pushed to clients
    rightdns = 8.8.8.8
    type = tunnel
    ike=aes128gcm16-sha2_256-prfsha256-ecp256!
    esp=aes128gcm16-sha2_256-ecp256!
    # loaded only; clients initiate
    auto = add
    dpdaction = restart
    ikelifetime = 240m
    keylife = 60m
# NOTE(review): this section has no left/right and no auto, so with the
# default auto=ignore it is never loaded. It also proposes 3des, sha1 and
# modp1024, which are considered weak — drop them if this conn is ever enabled.
conn remote-pc
    ike=aes256gcm16-aes256gcm12-aes128gcm16-aes128gcm12-sha256-sha1-modp2048-modp4096-modp1024,aes256-aes128-sha256-sha1-modp2048-modp4096-modp1024,3des-sha1-modp1024!
    esp=aes128gcm12-aes128gcm16-aes256gcm12-aes256gcm16-modp2048-modp4096-modp1024,aes128-aes256-sha1-sha256-modp2048-modp4096-modp1024,aes128-sha1-modp2048,aes128-sha1-modp1024,3des-sha1-modp1024,aes128-aes256-sha1-sha256,aes128-sha1,3des-sha1!
    ikelifetime=720m
    keylife=60m

从属 1 主机 (xx166.115)

/etc/sysctl.conf

# route traffic arriving over the GRE tunnel out to the internet
net.ipv4.ip_forward = 1
# do not set DF on locally generated packets (no path-MTU discovery)
net.ipv4.ip_no_pmtu_disc = 1
# strict reverse-path filtering; NOTE(review): strict mode may drop
# asymmetric traffic on the GRE tunnel — confirm once routing is final
net.ipv4.conf.all.rp_filter = 1
# neither accept nor emit ICMP redirects (hardening for a forwarding host)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# NOTE(review): IPv6 is disabled here while the master's remote-mobile conn
# advertises ::/0 to clients, so IPv6 client traffic cannot exit via this host
net.ipv6.conf.all.disable_ipv6 = 1

/etc/netplan/01-grecfg.yaml

network:
  version: 2
  tunnels:
    # GRE back to host A (master); the only tunnel on this host.
    # Plain GRE carries no protection of its own: it depends on the
    # transport-mode conn gre-master (%dynamic[gre]) in /etc/ipsec.conf.
    # NOTE(review): gre-master uses auto = add, so the IPsec policy exists
    # only after the master initiates; GRE sent before that would leave in
    # clear. auto = route on this side would trap such traffic instead.
    tunToMaster:
      mode: gre
      local: x.x.166.115   # host B (slave 1) public address
      remote: x.x.110.138  # host A (master)
      addresses:
        - 10.0.2.2/24      # peers with 10.0.2.1/24 on the master
      mtu: 1442            # presumably sized for GRE + ESP overhead; verify with a DF ping
      ttl: 255

/etc/ipsec.conf

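# /etc/ipsec.conf on host B (slave 1): responder for the transport-mode SA
# that protects the GRE tunnel to host A (master).
config setup
    # verbose charon logging (cfg/dmn/ike/net at level 2); lower for production
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    # a peer certificate is rejected unless a fresh CRL can be checked
    strictcrlpolicy = yes
# settings inherited by every conn below
conn %default
    reauth = yes
    rekey = yes
    # keep retrying IKE negotiation indefinitely
    keyingtries = %forever
    keyexchange = ikev2
    # dead peer detection every 5s; re-initiate the SA when the peer is gone
    dpdaction = restart
    dpddelay = 5s
    mobike = yes
# host B <-> host A: transport mode, only GRE between the two endpoints is
# selected for IPsec (see %dynamic[gre] below)
conn gre-master
    left = %defaultroute
    # the peer is host A (master) — not this slave's own address; ipsec.conf
    # has no inline "<-" annotation syntax, so the note lives in a comment
    right = x.x.110.138
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    # NOTE(review): both ends appear to use the same identity and the same
    # (wildcard) certificate; per-host identities and certificates would
    # make the peers distinguishable
    leftid = @mydomain.com
    rightid = @mydomain.com
    # peer's raw public key, read from this file
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    # load only; the master initiates (auto = start on host A)
    auto = add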

从属2主机(xx178.214)

/etc/sysctl.conf

# route traffic arriving over the GRE tunnel out to the internet
net.ipv4.ip_forward = 1
# do not set DF on locally generated packets (no path-MTU discovery)
net.ipv4.ip_no_pmtu_disc = 1
# strict reverse-path filtering; NOTE(review): strict mode may drop
# asymmetric traffic on the GRE tunnel — confirm once routing is final
net.ipv4.conf.all.rp_filter = 1
# neither accept nor emit ICMP redirects (hardening for a forwarding host)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# NOTE(review): IPv6 is disabled here while the master's remote-mobile conn
# advertises ::/0 to clients, so IPv6 client traffic cannot exit via this host
net.ipv6.conf.all.disable_ipv6 = 1

/etc/netplan/01-grecfg.yaml

network:
  version: 2
  tunnels:
    # GRE back to host A (master); the only tunnel on this host.
    # Plain GRE carries no protection of its own: it depends on the
    # transport-mode conn gre-master (%dynamic[gre]) in /etc/ipsec.conf.
    # NOTE(review): gre-master uses auto = add, so the IPsec policy exists
    # only after the master initiates; GRE sent before that would leave in
    # clear. auto = route on this side would trap such traffic instead.
    tunToMaster:
      mode: gre
      local: x.x.178.214   # host C (slave 2) public address
      remote: x.x.110.138  # host A (master)
      addresses:
        - 10.0.3.3/24      # peers with 10.0.3.1/24 on the master
      mtu: 1442            # presumably sized for GRE + ESP overhead; verify with a DF ping
      ttl: 255

/etc/ipsec.conf

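# /etc/ipsec.conf on host C (slave 2): responder for the transport-mode SA
# that protects the GRE tunnel to host A (master).
config setup
    # verbose charon logging (cfg/dmn/ike/net at level 2); lower for production
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    # a peer certificate is rejected unless a fresh CRL can be checked
    strictcrlpolicy = yes
# settings inherited by every conn below
conn %default
    reauth = yes
    rekey = yes
    # keep retrying IKE negotiation indefinitely
    keyingtries = %forever
    keyexchange = ikev2
    # dead peer detection every 5s; re-initiate the SA when the peer is gone
    dpdaction = restart
    dpddelay = 5s
    mobike = yes
# host C <-> host A: transport mode, only GRE between the two endpoints is
# selected for IPsec (see %dynamic[gre] below)
conn gre-master
    left = %defaultroute
    # the peer is host A (master), i.e. the "remote" of tunToMaster in
    # netplan — the value was missing here and is required for the conn
    right = x.x.110.138
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    # NOTE(review): both ends appear to use the same identity and the same
    # (wildcard) certificate; per-host identities and certificates would
    # make the peers distinguishable
    leftid = @mydomain.com
    rightid = @mydomain.com
    # peer's raw public key, read from this file
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    # load only; the master initiates (auto = start on host A)
    auto = add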

从属3主机(xx140.120)

/etc/sysctl.conf

# route traffic arriving over the GRE tunnel out to the internet
net.ipv4.ip_forward = 1
# do not set DF on locally generated packets (no path-MTU discovery)
net.ipv4.ip_no_pmtu_disc = 1
# strict reverse-path filtering; NOTE(review): strict mode may drop
# asymmetric traffic on the GRE tunnel — confirm once routing is final
net.ipv4.conf.all.rp_filter = 1
# neither accept nor emit ICMP redirects (hardening for a forwarding host)
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
# NOTE(review): IPv6 is disabled here while the master's remote-mobile conn
# advertises ::/0 to clients, so IPv6 client traffic cannot exit via this host
net.ipv6.conf.all.disable_ipv6 = 1

/etc/netplan/01-grecfg.yaml

network:
  version: 2
  tunnels:
    # GRE back to host A (master); the only tunnel on this host.
    # Plain GRE carries no protection of its own: it depends on the
    # transport-mode conn gre-master (%dynamic[gre]) in /etc/ipsec.conf.
    # NOTE(review): gre-master uses auto = add, so the IPsec policy exists
    # only after the master initiates; GRE sent before that would leave in
    # clear. auto = route on this side would trap such traffic instead.
    tunToMaster:
      mode: gre
      local: x.x.140.120   # host D (slave 3) public address
      remote: x.x.110.138  # host A (master)
      addresses:
        - 10.0.4.4/24      # peers with 10.0.4.1/24 on the master
      mtu: 1442            # presumably sized for GRE + ESP overhead; verify with a DF ping
      ttl: 255

/etc/ipsec.conf

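# /etc/ipsec.conf on host D (slave 3): responder for the transport-mode SA
# that protects the GRE tunnel to host A (master).
config setup
    # verbose charon logging (cfg/dmn/ike/net at level 2); lower for production
    charondebug="cfg 2, dmn 2, ike 2, net 2"
    # a peer certificate is rejected unless a fresh CRL can be checked
    strictcrlpolicy = yes
# settings inherited by every conn below
conn %default
    reauth = yes
    rekey = yes
    # keep retrying IKE negotiation indefinitely
    keyingtries = %forever
    keyexchange = ikev2
    # dead peer detection every 5s; re-initiate the SA when the peer is gone
    dpdaction = restart
    dpddelay = 5s
    mobike = yes
# host D <-> host A: transport mode, only GRE between the two endpoints is
# selected for IPsec (see %dynamic[gre] below)
conn gre-master
    left = %defaultroute
    # the peer is host A (master) — not this slave's own address; ipsec.conf
    # has no inline "<-" annotation syntax, so the note lives in a comment
    right = x.x.110.138
    authby = pubkey
    leftcert = cert.pem
    leftsendcert = always
    leftauth = pubkey
    rightauth = pubkey
    # NOTE(review): both ends appear to use the same identity and the same
    # (wildcard) certificate; per-host identities and certificates would
    # make the peers distinguishable
    leftid = @mydomain.com
    rightid = @mydomain.com
    # peer's raw public key, read from this file
    rightrsasigkey = /etc/central/rsa.cert.pem
    leftsubnet = %dynamic[gre]
    rightsubnet = %dynamic[gre]
    type = transport
    ike = aes256gcm16-sha384-x25519!
    esp = aes256gcm16-sha384-x25519!
    # load only; the master initiates (auto = start on host A)
    auto = add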

问题

  1. 如何正确确定动态路由的接口参数?特别是,我无法在本地主机层面正确设置网络/子网。我能够按照一份指南实现 master->slave1 的方案,但对于多台主机的情况,我理解起来很困难 :(

  2. 对于列出的 ipsec 配置,还存在正确定义网络/子网的问题 —— 在此交互方案中,如何为每个主机正确定义 leftsubnet/rightsubnet 参数,或者我可以直接保留 %dynamic 值?

  3. 在这种情况下,使用 Quagga 进行动态路由是否多余?

  4. 对于前面描述的任务,这组主机(主 -> 从属)的交互方案定义是否正确?顺便说一句,我尝试从从属主机到主主机建立隧道,但每个后续隧道都会覆盖前一个隧道 :\

  5. 接口和常规 ipsec 配置中的参数是否有错误?

  6. 我应该在每个主机中为 iptables 设置什么规则?我猜,在三个从属主机中,至少需要指定用于伪装的 nat 表规则。不久前,我只在 1 台服务器上安装了 strongSwan,并设置了以下一般规则:

    # Ruleset from the earlier single-server setup; 10.10.10.0/24 is the RoadWarrior
    # pool and eth0 that server's uplink — both need re-checking for the new hosts.
    # NOTE(review): nothing here accepts IP protocol 50 (ESP) or 47 (GRE) in INPUT.
    # Between public hosts with no NAT, strongSwan presumably uses plain ESP rather
    # than UDP 4500 (unless forceencaps), so the trailing "INPUT -j DROP" would discard
    # the slave tunnels' traffic; accept "-p esp" and, for the decapsulated GRE,
    # "-m policy --pol ipsec --dir in" before the drop.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # management access
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    # IKE and NAT-T (ESP-in-UDP)
    iptables -A INPUT -p udp --dport  500 -j ACCEPT
    iptables -A INPUT -p udp --dport 4500 -j ACCEPT
    
    # only forward client traffic that entered / leaves through an IPsec policy
    iptables -A FORWARD --match policy --pol ipsec --dir in --proto esp -s 10.10.10.0/24 -j ACCEPT
    iptables -A FORWARD --match policy --pol ipsec --dir out --proto esp -d 10.10.10.0/24 -j ACCEPT
    
    # traffic still leaving through an IPsec policy is exempt from NAT;
    # everything else from the pool is masqueraded behind eth0
    iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -m policy --pol ipsec --dir out -j ACCEPT
    iptables -t nat -A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
    
    # clamp TCP MSS for tunnelled clients so tunnel overhead does not force fragmentation
    iptables -t mangle -A FORWARD --match policy --pol ipsec --dir in -s 10.10.10.0/24 -o eth0 -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
    
    # NOTE(review): dropping all ICMP also drops "fragmentation needed" (type 3),
    # which breaks path-MTU discovery across the GRE path; consider allowing it
    iptables -A INPUT -p icmp -j DROP
    # default deny via appended rules (the chain policies themselves stay ACCEPT,
    # and these rules are not persisted across reboots)
    iptables -A INPUT -j DROP
    iptables -A FORWARD -j DROP
    

我将非常感谢任何帮助、解释和有用的信息。

干杯<3
