I am trying to set up a tunnel between server 1 and server 2 with strongSwan, and to use a VTI tunnel to route traffic to a specific host (8.8.8.8) through server 2, so that plain routing is used instead of IPsec policies. The problem is that it does not work. What is wrong with my configuration?
Server configuration:
# cat /etc/ipsec.conf
config setup
charondebug="all"
uniqueids = no
conn %default
ikelifetime=4h
rekey=yes
reauth=no
keyexchange=ikev2
authby=secret
dpdaction=restart
closeaction=restart
conn test
auto=start
fragmentation=no
type=tunnel
left=%any
[email protected]
leftsubnet=0.0.0.0/0
leftauth=psk
right=%any
rightid=%any
rightsourceip=10.10.10.1/24
rightauth=psk
ike=aes256-sha256-modp2048!
esp=aes256-sha256-modp2048!
replay_window=0
Client configuration:
# cat /etc/ipsec.conf
config setup
charondebug="all"
uniqueids = no
conn %default
ikelifetime=4h
rekey=yes
reauth=no
keyexchange=ikev2
authby=secret
dpdaction=restart
closeaction=restart
conn test
auto=start
fragmentation=no
type=tunnel
left=%any
leftsubnet=0.0.0.0/0
leftauth=psk
right=95.216.169.150
[email protected]
rightsubnet=0.0.0.0/0
rightauth=psk
ike=aes256-sha256-modp2048!
esp=aes256-sha256-modp2048!
replay_window=0
mark_in=42
mark_out=42
VTI interface
ip tunnel add test local 176.113.80.87 remote 95.216.169.150 mode vti okey 42 ikey 42
ip link set test up mtu 1480
ip addr add 10.10.10.2/24 remote 10.10.10.1/24 dev test
sysctl -w "net.ipv4.conf.test.disable_policy=1"
sysctl -w "net/ipv4/ip_forward=1"
ip route add 8.8.8.8 dev test
# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 10.10.10.2 icmp_seq=1 Destination Host Unreachable
From 10.10.10.2 icmp_seq=2 Destination Host Unreachable
From 10.10.10.2 icmp_seq=3 Destination Host Unreachable
# ip -s tunnel show
ip_vti0: ip/ip remote any local any ttl inherit nopmtudisc key 0
RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
0 0 0 0 0 0
TX: Packets Bytes Errors DeadLoop NoRoute NoBufs
0 0 0 0 0 0
test: ip/ip remote 95.216.169.150 local 176.113.80.87 ttl inherit nopmtudisc key 42
RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
0 0 0 0 0 0
TX: Packets Bytes Errors DeadLoop NoRoute NoBufs
0 0 443 0 443 0
# ip route show table all
default via 176.113.80.1 dev eth0
8.8.8.8 dev test scope link
10.10.10.0/24 dev test proto kernel scope link src 10.10.10.2
10.10.10.1 dev test scope link
176.113.80.0/24 dev eth0 proto kernel scope link src 176.113.80.87
broadcast 10.10.10.0 dev test table local proto kernel scope link src 10.10.10.2
local 10.10.10.2 dev test table local proto kernel scope host src 10.10.10.2
broadcast 10.10.10.255 dev test table local proto kernel scope link src 10.10.10.2
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
broadcast 176.113.80.0 dev eth0 table local proto kernel scope link src 176.113.80.87
local 176.113.80.87 dev eth0 table local proto kernel scope host src 176.113.80.87
broadcast 176.113.80.255 dev eth0 table local proto kernel scope link src 176.113.80.87
::1 dev lo proto kernel metric 256 pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev test proto kernel metric 256 pref medium
local ::1 dev lo table local proto kernel metric 0 pref medium
local fe80::200:5efe:b071:5057 dev test table local proto kernel metric 0 pref medium
local fe80::215:5dff:fe0d:7125 dev eth0 table local proto kernel metric 0 pref medium
multicast ff00::/8 dev eth0 table local proto kernel metric 256 pref medium
multicast ff00::/8 dev test table local proto kernel metric 256 pref medium
# cat /etc/strongswan.conf
charon {
load_modular = yes
install_routes = no
install_virtual_ip = no
plugins {
include strongswan.d/charon/*.conf
}
}
include strongswan.d/*.conf
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.4.0-97-generic, x86_64):
uptime: 30 minutes, since Oct 01 14:11:52 2023
malloc: sbrk 1622016, mmap 0, used 683344, free 938672
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
176.113.80.87
10.10.10.2
Connections:
test: %any...95.216.169.150 IKEv2, dpddelay=30s
test: local: uses pre-shared key authentication
test: remote: [95.216.169.150] uses pre-shared key authentication
test: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
test[1]: ESTABLISHED 30 minutes ago, 176.113.80.87[176.113.80.87]...95.216.169.150[95.216.169.150]
test[1]: IKEv2 SPIs: 53bc9c07bd057f6a_i* a95a679d5643276b_r, rekeying in 3 hours
test[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
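A small consistency check that a practitioner would run against the setup above, added here as an example and not part of the question: it cross-references the strongSwan mark_in/mark_out values of a conn with the ikey/okey of the vti device and reads the TX NoRoute counter from `ip -s tunnel show` (the vti driver counts an outbound packet there when no IPsec policy/SA matches its mark). The sample inputs are constructed copies of the client's conn section and tunnel statistics shown in the question.

```python
import re
# Constructed sample: the client's `conn test` from the question, trimmed to the mark keys.
IPSEC_CONF = "conn test\nauto=start\nmark_in=42\nmark_out=42\n"
# Constructed sample: the vti device block from the question's `ip -s tunnel show`.
TUNNEL_STATS = """test: ip/ip remote 95.216.169.150 local 176.113.80.87 ttl inherit nopmtudisc key 42
    RX: Packets Bytes Errors CsumErrs OutOfSeq Mcasts
        0 0 0 0 0 0
    TX: Packets Bytes Errors DeadLoop NoRoute NoBufs
        0 0 443 0 443 0
"""

def conn_marks(conf, conn):
    """(mark_in, mark_out) of one conn; 'mark' sets both, values may be 'N/mask' or hex."""
    marks, inside = {}, False
    for line in map(str.strip, conf.splitlines()):
        if line.startswith("conn "):
            inside = line.split(None, 1)[1] == conn
        elif inside and "=" in line:
            key, val = (p.strip() for p in line.split("=", 1))
            if key in ("mark", "mark_in", "mark_out"):
                marks[key] = int(val.split("/")[0], 0)
    return marks.get("mark_in", marks.get("mark")), marks.get("mark_out", marks.get("mark"))

def tunnels(stats):
    """vti name -> ikey, okey and TX NoRoute counter, parsed from `ip -s tunnel show`."""
    out, name, lines = {}, None, stats.splitlines()
    for i, line in enumerate(lines):
        head = re.match(r"^(\S+): ip/ip ", line)
        if head:
            name = head.group(1)
            keys = dict(re.findall(r"\b(ikey|okey|key) (\d+)", line))
            both = keys.get("key", "0")  # iproute2 prints one 'key' when ikey == okey
            out[name] = {"ikey": int(keys.get("ikey", both)), "okey": int(keys.get("okey", both)), "tx_noroute": 0}
        elif name and line.strip().startswith("TX:"):
            out[name]["tx_noroute"] = int(lines[i + 1].split()[4])  # 5th TX column is NoRoute
    return out

def check(conf, conn, stats, dev):
    """Cross-check strongSwan marks against the vti keys and flag outbound xfrm lookup failures."""
    mark_in, mark_out = conn_marks(conf, conn)
    t, findings = tunnels(stats)[dev], []
    if mark_in != t["ikey"]:
        findings.append(f"{conn} mark_in={mark_in} but {dev} ikey={t['ikey']}")
    if mark_out != t["okey"]:
        findings.append(f"{conn} mark_out={mark_out} but {dev} okey={t['okey']}")
    if t["tx_noroute"]:
        # the vti driver counts a packet as NoRoute when no IPsec policy/SA matches its mark
        findings.append(f"{dev}: {t['tx_noroute']} outbound packets matched no xfrm policy/SA")
    return findings
```

On a live host, feed it `cat /etc/ipsec.conf` and `ip -s tunnel show` output; a non-empty result from `check()` points at either a mark/key mismatch or at packets leaving the vti without a matching IPsec SA, which is what `ip xfrm state` and `ip xfrm policy` should then be compared against.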