IPSec site-to-site VPN - behind a router

I want to set up a site-to-site VPN between two routers. On one site there is an Ubuntu router labelled "A", on the other site a Cisco small business router labelled "C". You can see the sketch here:

http://s17.postimg.org/bkdy2jnan/network.png

Both sites are configured for a site-to-site VPN with a PSK. On "A" we use openswan and the tunnel is established.

The problem is that we cannot reach the remote subnet. (No connectivity between 192.168.70.x and 192.168.10.y, no ping, etc.)

Here are the setup parameters on "A":

root@A:~# ip route
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.2
192.168.70.0/24 dev eth1  proto kernel  scope link  src 192.168.70.1


/etc/ipsec.conf
config setup
        dumpdir=/var/run/pluto/
        protostack=netkey
        nat_traversal=yes
        plutodebug=all


conn cham
        authby=secret
        auto=add
        type=tunnel
        forceencaps=yes
        left=192.168.1.2
        leftid=78.x.y.z
        leftsubnet=192.168.70.0/24
        leftnexthop=%defaultroute
        right=62.a.b.c
        rightid=62.a.b.c
        rightsubnet=192.168.10.0/24
        rightnexthop=%defaultroute
        ike=aes-sha1;modp1024
        ikelifetime=28800s
        phase2=esp
        phase2alg=aes-sha1;modp1024
        salifetime=3600s




root@A:~# iptables -t nat -vnL
Chain PREROUTING (policy ACCEPT 3748 packets, 293K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 959 packets, 128K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1039 packets, 79647 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 245 packets, 17799 bytes)
 pkts bytes target     prot opt in     out     source               destination
 3343  215K MASQUERADE  all  --  *      eth0    0.0.0.0/0            0.0.0.0/0 




root@A:~# iptables -vnL
Chain INPUT (policy ACCEPT 15635 packets, 1906K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 10 packets, 1040 bytes)
 pkts bytes target     prot opt in     out     source               destination
 120K   45M ACCEPT     all  --  eth0   eth1    0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
 113K   11M ACCEPT     all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0  
   10  1040 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 6928 packets, 1179K bytes)
 pkts bytes target     prot opt in     out     source               destination


/etc/sysctl.conf

net.ipv4.ip_forward=1

net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.send_redirects = 0

net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0

net.ipv4.conf.eth1.accept_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0

root@A:/etc# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.70.0    0.0.0.0         255.255.255.0   U     0      0        0 eth1

Any help would be appreciated.

Thanks!
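One thing a practitioner would check first on "A", as an added example that is not part of the question above: the POSTROUTING MASQUERADE rule on eth0 matches every destination (0.0.0.0/0), and with the NETKEY stack a packet traverses POSTROUTING before the IPsec policy is applied. A packet from 192.168.70.x to 192.168.10.y therefore leaves with its source rewritten to 192.168.1.2, no longer matches leftsubnet=192.168.70.0/24, and goes out unencrypted to the default gateway instead of into the tunnel. The POSIX sh script below parses `iptables -t nat -S POSTROUTING` style output and reports whether the VPN subnet pair is exempted ahead of MASQUERADE. The chain listings are constructed samples modelled on the posted nat table, the subnet values are the leftsubnet/rightsubnet from the post, and the function names `vpn_masq_safe` and `vpn_nat_fix_rule` are my own.

```shell
#!/bin/sh
# Added check (not from the post): does the nat POSTROUTING chain exempt the
# VPN subnet pair before the catch-all MASQUERADE rewrites its source address?

LOCAL_NET="192.168.70.0/24"    # leftsubnet from the post
REMOTE_NET="192.168.10.0/24"   # rightsubnet from the post

# Constructed sample: `iptables -t nat -S POSTROUTING` for the table in the post
# (only a catch-all MASQUERADE on eth0).
BROKEN_CHAIN='-P POSTROUTING ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# Constructed sample: the same chain with an address-based exemption ahead of MASQUERADE.
FIXED_CHAIN='-P POSTROUTING ACCEPT
-A POSTROUTING -s 192.168.70.0/24 -d 192.168.10.0/24 -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# Constructed sample: exemption written with the xt_policy match instead of addresses,
# which covers every IPsec-protected flow rather than one subnet pair.
POLICY_CHAIN='-P POSTROUTING ACCEPT
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -o eth0 -j MASQUERADE'

# vpn_masq_safe CHAIN_TEXT
# Returns 0 if VPN traffic escapes MASQUERADE: either an ACCEPT rule for
# LOCAL_NET -> REMOTE_NET (or a generic "--pol ipsec" ACCEPT) precedes the first
# MASQUERADE rule, or there is no MASQUERADE rule at all. Returns 1 otherwise.
# Rules are examined in chain order, which is the order iptables evaluates them.
vpn_masq_safe() {
    printf '%s\n' "$1" | (
        while IFS= read -r rule; do
            case "$rule" in
                *"-s $LOCAL_NET "*"-d $REMOTE_NET "*"-j ACCEPT"*) exit 0 ;;
                *"-m policy "*"--pol ipsec "*"-j ACCEPT"*)          exit 0 ;;
                *"-j MASQUERADE"*)                                  exit 1 ;;
            esac
        done
        exit 0   # chain ended without a MASQUERADE rule: nothing to exempt from
    )
}

# vpn_nat_fix_rule
# Prints (does not run) the iptables command that inserts the exemption at
# position 1 of POSTROUTING, so it is evaluated before MASQUERADE.
vpn_nat_fix_rule() {
    printf 'iptables -t nat -I POSTROUTING 1 -s %s -d %s -j ACCEPT\n' \
        "$LOCAL_NET" "$REMOTE_NET"
}

# Stand-alone usage against the constructed sample of the posted nat table
if vpn_masq_safe "$BROKEN_CHAIN"; then
    echo "posted nat table: VPN traffic is exempt from MASQUERADE"
else
    echo "posted nat table: VPN traffic will be masqueraded; rule to insert:"
    vpn_nat_fix_rule
fi
```

To run the check against a live router, replace the constructed sample with `"$(iptables -t nat -S POSTROUTING)"`. After inserting the exemption, `ip xfrm policy` on "A" should show an `out` policy for 192.168.70.0/24 -> 192.168.10.0/24, and the ESP counters in `ip xfrm state` should increase when a host in 192.168.70.x pings 192.168.10.y.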