I have 3 networks, as shown below:
Subnet A: 10.0.1.0/24, VPN gateway public IP: 55.0.0.1
Subnet B: 172.30.0.0/24, VPN gateway public IP: 66.0.0.1
Subnet C: 172.20.0.0/24, VPN gateway public IP: 77.0.0.1
A and B are my subnets; C belongs to a customer and I have no access to it. strongSwan is configured on A and B and works as expected for A<->B and B<->C traffic. But I want to pass traffic from A to C without adding any new tunnels.
Setup:
config setup
    charondebug="all"
    uniqueids=yes
conn A-to-B
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    left=55.0.0.1
    leftid=55.0.0.1
    leftsubnet=10.0.1.0/24
    right=66.0.0.1
    rightid=66.0.0.1
    rightsubnet=172.30.0.0/24
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    aggressive=no
    rekey=no
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
iptables on A:
# Generated by iptables-save v1.8.7 on Mon Jan 29 13:08:06 2024
*filter
:INPUT ACCEPT [40025608:40188078680]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [30069133:18566093721]
COMMIT
# Completed on Mon Jan 29 13:08:06 2024
# Generated by iptables-save v1.8.7 on Mon Jan 29 13:08:06 2024
*nat
:PREROUTING ACCEPT [39774:2679080]
:INPUT ACCEPT [8831:584395]
:OUTPUT ACCEPT [1423:122095]
:POSTROUTING ACCEPT [32360:2215502]
-A POSTROUTING -s 172.30.0.0/24 -o ens10 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.30.0.0/24 -o ens10 -j MASQUERADE
-A POSTROUTING -s 172.20.0.0/24 -o ens10 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.20.0.0/24 -o ens10 -j MASQUERADE
Setup on B:
config setup
    charondebug="all"
    uniqueids=yes
conn B-to-A
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    left=66.0.0.1
    leftid=66.0.0.1
    leftsubnet=172.30.0.0/24
    right=55.0.0.1
    rightid=55.0.0.1
    rightsubnet=10.0.1.0/24
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    aggressive=no
    rekey=no
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
conn B-to-C
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    left=66.0.0.1
    leftid=66.0.0.1
    leftsubnet=172.30.0.0/24
    right=77.0.0.1
    rightid=77.0.0.1
    rightsubnet=172.20.0.0/24
    ike=3des-sha1-modp1024!
    esp=3des-sha1!
    aggressive=no
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
iptables on B:
# Generated by iptables-save v1.8.7 on Mon Jan 29 13:11:52 2024
*filter
:INPUT ACCEPT [41835373:31455924194]
:FORWARD ACCEPT [65626379:68193057513]
:OUTPUT ACCEPT [49075459:43200854736]
:ufw-track-forward - [0:0]
-A FORWARD -s 172.30.0.0/24 -d 10.0.0.0/8 -i ens10 -o eth0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.0.1.0/24 -d 172.30.0.0/24 -i eth0 -o ens10 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 172.30.0.0/24 -d 172.20.0.0/24 -i ens10 -o eth0 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 172.20.0.0/24 -d 172.30.0.0/24 -i eth0 -o ens10 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Jan 29 13:11:52 2024
# Generated by iptables-save v1.8.7 on Mon Jan 29 13:11:52 2024
*nat
:PREROUTING ACCEPT [139914:9106692]
:INPUT ACCEPT [52056:3907832]
:OUTPUT ACCEPT [5562:617847]
:POSTROUTING ACCEPT [76991:4903875]
-A POSTROUTING -s 10.0.1.0/24 -o ens10 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.1.0/24 -o ens10 -j MASQUERADE
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 172.20.0.0/24 -o ens10 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.20.0.0/24 -o ens10 -j MASQUERADE
-A POSTROUTING -s 172.20.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 172.20.0.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jan 29 13:11:52 2024
Using tcpdump from A to C (with a route to C via B configured on A), I can see the incoming packets, but in addition they appear with some public IP address. This does not happen with a traceroute from B to C:
13:16:01.978860 IP 10.0.1.111.40062 > 172.20.0.12.445: Flags [S], seq 645287854, win 64240, options [mss 1460,sackOK,TS val 3079411417 ecr 0,nop,wscale 7], length 0
13:16:01.978959 IP 116.203.82.31.40062 > 172.20.0.12.445: Flags [S], seq 645287854, win 64240, options [mss 1460,sackOK,TS val 3079411417 ecr 0,nop,wscale 7], length 0
Do you see anything obviously wrong with my setup? Normally I only configure direct s2s VPNs, so I am not sure whether this is all I need to configure.
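As an added example (not part of the original post), the following models how B's nat/POSTROUTING chain on eth0 classifies a packet: `-m policy --dir out --pol ipsec` only matches when an outbound IPsec policy (a conn's leftsubnet -> rightsubnet selector pair) covers the packet, otherwise the rule is skipped and the next rule, MASQUERADE, fires. The selector pairs and rule list are constructed from the configs quoted above; the sample addresses 172.30.0.10 and 10.0.1.111 -> 172.20.0.12 are taken from the question's subnets and tcpdump.

```python
import ipaddress

# Constructed from the question's B config: (conn name, leftsubnet, rightsubnet).
# strongSwan installs an outbound xfrm policy leftsubnet -> rightsubnet per conn.
B_CONNS = [
    ("B-to-A", "172.30.0.0/24", "10.0.1.0/24"),
    ("B-to-C", "172.30.0.0/24", "172.20.0.0/24"),
]

# Constructed from B's nat/POSTROUTING rules for -o eth0, in rule order:
# (source match, policy match or None, target).
B_POSTROUTING_ETH0 = [
    ("10.0.1.0/24", "ipsec", "ACCEPT"),
    ("10.0.1.0/24", None, "MASQUERADE"),
    ("172.20.0.0/24", "ipsec", "ACCEPT"),
    ("172.20.0.0/24", None, "MASQUERADE"),
]


def covering_conn(src, dst, conns):
    """Return the conn whose outbound selectors cover src -> dst, or None.
    This is the condition `-m policy --dir out --pol ipsec` tests."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, left, right in conns:
        if s in ipaddress.ip_network(left) and d in ipaddress.ip_network(right):
            return name
    return None


def postrouting_verdict(src, dst, rules=B_POSTROUTING_ETH0, conns=B_CONNS):
    """First-match walk of the chain; falls back to the chain policy ACCEPT."""
    s = ipaddress.ip_address(src)
    for rule_src, policy, target in rules:
        if s not in ipaddress.ip_network(rule_src):
            continue
        if policy == "ipsec" and covering_conn(src, dst, conns) is None:
            continue  # no tunnel carries this packet, so the exemption does not apply
        return target
    return "ACCEPT"


if __name__ == "__main__":
    # B's own LAN to C versus A's LAN relayed through B to C.
    for src, dst in [("172.30.0.10", "172.20.0.12"), ("10.0.1.111", "172.20.0.12")]:
        print(src, "->", dst, "| tunnel:", covering_conn(src, dst, B_CONNS),
              "| POSTROUTING:", postrouting_verdict(src, dst))
```

A source that no conn on B covers ends up in MASQUERADE, which is the same packet reappearing with a public source address, as in the second tcpdump line.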