strongswan VTI 配置中的路由错误

strongswan VTI 配置中的路由错误

我尝试用 strongSwan 在服务器 1 和服务器 2 之间建立 IPsec 隧道,并通过 VTI 接口把发往特定主机 (8.8.8.8) 的流量经由服务器 2 转发——即基于路由(route-based)而不是基于 IPsec 策略(policy-based)的方式。问题是它不起作用(见下方的 ping 输出和 VTI 接口的 TX 错误计数)。我的配置有什么问题?


服务器配置:

# cat /etc/ipsec.conf
config setup
    charondebug="all"
    # Allow more than one IKE_SA per identity; with rightid=%any below
    # every client presents the same kind of identity, so this keeps a
    # second client from tearing down the first.
    uniqueids = no

conn %default
    ikelifetime=4h
    rekey=yes
    reauth=no
    keyexchange=ikev2
    authby=secret
    dpdaction=restart
    closeaction=restart

conn test
        auto=start
        fragmentation=no
        type=tunnel
        left=%any
        # NOTE(review): this value was mangled by the page's e-mail
        # obfuscation. The client's `ipsec statusall` reports the peer ID
        # as [95.216.169.150], so the real value is presumably that
        # address -- confirm against the actual file.
        [email protected]
        # Route-based setup: the selector covers everything; which traffic
        # actually enters the tunnel is decided by kernel routes on the
        # VTI, not by this policy.
        leftsubnet=0.0.0.0/0
        leftauth=psk
        # Any peer that knows the PSK is accepted -- there is no
        # per-client identity check on this side.
        right=%any
        rightid=%any
        # Virtual-IP pool offered to clients. The client shown below runs
        # with install_virtual_ip = no and no leftsourceip=%config, so it
        # never requests an address from it; the pool also overlaps the
        # 10.10.10.0/24 range the VTI addresses are taken from by hand.
        # Check with `ipsec statusall` which traffic selectors were
        # actually negotiated for the CHILD_SA.
        rightsourceip=10.10.10.1/24
        rightauth=psk
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256-modp2048!
        # 0 disables ESP anti-replay protection for this connection; this
        # is a security downgrade and is not needed for a VTI -- keep the
        # default window unless out-of-order delivery was shown to be a
        # problem.
        replay_window=0
        # No mark_in/mark_out here: the client binds its SAs to mark 42 for
        # its VTI, but nothing in this listing shows how the server side
        # terminates the tunnel (VTI + matching mark, or policy routing)
        # or forwards the client's traffic to 8.8.8.8 -- confirm.

客户端配置:

# cat /etc/ipsec.conf

config setup
    charondebug="all"
    uniqueids = no

conn %default
    ikelifetime=4h
    rekey=yes
    reauth=no
    keyexchange=ikev2
    authby=secret
    dpdaction=restart
    closeaction=restart

conn test
        auto=start
        fragmentation=no
        type=tunnel
        left=%any
        # Route-based setup: 0/0 === 0/0 selectors; the `ip route add
        # 8.8.8.8 dev test` on the VTI decides what is actually tunnelled.
        leftsubnet=0.0.0.0/0
        leftauth=psk
        right=95.216.169.150
        # NOTE(review): this value was mangled by the page's e-mail
        # obfuscation; `ipsec statusall` reports the remote ID as
        # [95.216.169.150] -- confirm against the actual file.
        [email protected]
        rightsubnet=0.0.0.0/0
        rightauth=psk
        # The trailing "!" makes the proposal strict. statusall confirms
        # AES_CBC_256/HMAC_SHA2_256/PRF_HMAC_SHA2_256/MODP_2048 for IKE.
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256-modp2048!
        # 0 disables ESP anti-replay protection -- a security downgrade
        # that a VTI does not require; keep the default window.
        replay_window=0
        # Must equal the ikey/okey of the vti device (`okey 42 ikey 42`),
        # otherwise the ESP SAs and the tunnel device never select each
        # other and the VTI counts every TX as NoRoute.
        mark_in=42
        mark_out=42

VTI 接口

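#!/usr/bin/env bash
# Bring up the route-based VTI that carries the strongSwan "test" CHILD_SA.
# Every value defaults to the one used in the question; override via env:
#   LOCAL_IP   outer (public) address of this host
#   REMOTE_IP  outer address of the peer (must equal right= in ipsec.conf)
#   VTI_DEV    name of the vti device
#   VTI_MARK   must equal mark_in/mark_out of the conn (42)
#   VTI_LOCAL  inner address/prefix of this end
#   VTI_PEER   inner address/prefix of the peer
#   VTI_MTU    inner MTU (see note below)
#   ROUTE_HOST host whose traffic is steered into the tunnel
# Must run as root; every step aborts on failure instead of silently
# continuing with a half-configured interface.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

local_ip=${LOCAL_IP:-176.113.80.87}
remote_ip=${REMOTE_IP:-95.216.169.150}
vti_dev=${VTI_DEV:-test}
mark=${VTI_MARK:-42}
vti_local=${VTI_LOCAL:-10.10.10.2/24}
vti_peer=${VTI_PEER:-10.10.10.1/24}
vti_mtu=${VTI_MTU:-1480}
route_host=${ROUTE_HOST:-8.8.8.8}

# ikey/okey are the XFRM marks the device uses for inbound/outbound lookup;
# they must equal mark_in/mark_out in ipsec.conf or the ESP SAs and this
# device never select each other.
ip tunnel add "$vti_dev" local "$local_ip" remote "$remote_ip" mode vti \
  okey "$mark" ikey "$mark" || die "cannot create vti $vti_dev (already exists?)"

# NOTE(review): 1480 leaves only 20 bytes below a 1500-byte outer MTU, but
# tunnel-mode ESP with AES-CBC/HMAC-SHA256 adds more than that (outer IP,
# ESP header, IV, padding, ICV), so outer packets will be fragmented unless
# this is lowered (~1400 is a common choice) -- confirm against the real
# path MTU.
ip link set "$vti_dev" up mtu "$vti_mtu"
ip addr add "$vti_local" remote "$vti_peer" dev "$vti_dev"

# Skip the XFRM policy check on the VTI itself: the device only sees
# packets that already went through the marked SAs.
sysctl -w "net.ipv4.conf.${vti_dev}.disable_policy=1"
sysctl -w "net/ipv4/ip_forward=1"
ip route add "$route_host" dev "$vti_dev"

# Sanity check before blaming routing: an ESTABLISHED IKE_SA alone is not
# enough. `ipsec statusall` must also list the CHILD_SA as
# "test{N}: INSTALLED, TUNNEL" with ESP SPIs; without it the VTI has no SA
# to hand packets to and `ip -s tunnel show` counts every TX as NoRoute,
# which is consistent with the output in the question (no CHILD_SA line,
# 443 NoRoute errors).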

# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 10.10.10.2 icmp_seq=1 Destination Host Unreachable
From 10.10.10.2 icmp_seq=2 Destination Host Unreachable
From 10.10.10.2 icmp_seq=3 Destination Host Unreachable

# ip -s tunnel show
ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            0      0        0        0
test: ip/ip remote 95.216.169.150 local 176.113.80.87 ttl inherit nopmtudisc key 42
RX: Packets    Bytes        Errors CsumErrs OutOfSeq Mcasts
    0          0            0      0        0        0
TX: Packets    Bytes        Errors DeadLoop NoRoute  NoBufs
    0          0            443    0        443      0

# ip route show table all
default via 176.113.80.1 dev eth0
8.8.8.8 dev test scope link
10.10.10.0/24 dev test proto kernel scope link src 10.10.10.2
10.10.10.1 dev test scope link
176.113.80.0/24 dev eth0 proto kernel scope link src 176.113.80.87
broadcast 10.10.10.0 dev test table local proto kernel scope link src 10.10.10.2
local 10.10.10.2 dev test table local proto kernel scope host src 10.10.10.2
broadcast 10.10.10.255 dev test table local proto kernel scope link src 10.10.10.2
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 176.113.80.0 dev eth0 table local proto kernel scope link src 176.113.80.87
local 176.113.80.87 dev eth0 table local proto kernel scope host src 176.113.80.87
broadcast 176.113.80.255 dev eth0 table local proto kernel scope link src 176.113.80.87
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev test proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::200:5efe:b071:5057 dev test table local proto kernel metric 0 pref medium
local fe80::215:5dff:fe0d:7125 dev eth0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev test table local proto kernel metric 256 pref medium


# cat /etc/strongswan.conf
charon {
        load_modular = yes
        # Required for a route-based (VTI) setup: otherwise charon installs
        # its own routes (routing table 220 by default) for the 0.0.0.0/0
        # selectors and they would take traffic away from the VTI route
        # added by hand.
        install_routes = no
        # No virtual IP is requested or installed; the inner address of the
        # tunnel is assigned manually with `ip addr add ... dev test`.
        install_virtual_ip = no
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.4.0-97-generic, x86_64):
  uptime: 30 minutes, since Oct 01 14:11:52 2023
  malloc: sbrk 1622016, mmap 0, used 683344, free 938672
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  176.113.80.87
  10.10.10.2
Connections:
        test:  %any...95.216.169.150  IKEv2, dpddelay=30s
        test:   local:  uses pre-shared key authentication
        test:   remote: [95.216.169.150] uses pre-shared key authentication
        test:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
        test[1]: ESTABLISHED 30 minutes ago, 176.113.80.87[176.113.80.87]...95.216.169.150[95.216.169.150]
        test[1]: IKEv2 SPIs: 53bc9c07bd057f6a_i* a95a679d5643276b_r, rekeying in 3 hours
        test[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
