两条IPsec隧道之间的强天鹅转发业务
给定具有外部静态IP的StrongSwan IKEv2设置的远程(集中式) VPN服务器:
- 集中式服务器内部IP 192.168.1.65,网络192.168.1.64/27
和两个为内部网络做NAT的网关:
- 第一网关内部IP 192.168.1.33,网络: 192.168.1.32/27;
- 第二网关内部IP 192.168.1.1,网络: 192.168.1.0/27;
网关也使用StrongSwan连接到集中式服务器。
连接从网关到服务器,从服务器到网关都能很好地工作: ping工作,访问服务器/网关上的服务。网关后面的设备也可以无问题地访问服务器。
当我试图访问不同网关之间的计算机时,问题就开始了。
Configurations:
集中:
conn base
keyexchange = ikev2
keyingtries = %forever
forceencaps = yes
compress = no
left = centralized
leftid = @centralized
leftauth = pubkey
leftca = "..."
leftcert = centralized.crt
leftupdown = sudo -E ipsec _updown iptables
leftsubnet = 192.168.1.65
right = %any
rightauth = pubkey
rightauth2 = psk
rightca = %same
conn gateway-first
auto = add
rightid = @gateway-first
rightcert = gateway-first.crt
rightsubnet = 192.168.1.32/27
rightsourceip = 192.168.1.66
also = base
conn gateway-second
auto = add
rightid = @gateway-second
rightcert = gateway-second.crt
rightsubnet = 192.168.1.0/27
rightsourceip = 192.168.1.67
also = base网关-首先:
conn gateway-first
auto = route
dpdaction = restart
closeaction = restart
keyexchange = ikev2
keyingtries = %forever
forceencaps = yes
compress = no
rightid = @centralized
right = centralized
rightauth = pubkey
rightca = "..."
rightcert = centralized.crt
rightsubnet = 192.168.1.65,192.168.1.0/27
leftid = @gateway-first
left = %defaultroute
leftauth = pubkey
leftauth2 = psk
leftca = %same
leftcert = gateway-first.crt
leftupdown = sudo -E ipsec _updown iptables
leftsubnet = 192.168.1.32/27
leftsourceip = %config4网关-第二步:
conn gateway-second
auto = route
dpdaction = restart
closeaction = restart
keyexchange = ikev2
keyingtries = %forever
forceencaps = yes
compress = no
rightid = @centralized
right = centralized
rightauth = pubkey
rightca = "..."
rightcert = centralized.crt
rightsubnet = 192.168.1.65,192.168.1.32/27
leftid = @gateway-second
left = %defaultroute
leftauth = pubkey
leftauth2 = psk
leftca = %same
leftcert = gateway-second.crt
leftupdown = sudo -E ipsec _updown iptables
leftsubnet = 192.168.1.1/27
leftsourceip = %config4当试图从网关后面的计算机第二次打开网关时(源计算机IP为192.168.1.40),同时在集中服务器上运行tcpdump显示:
tcpdump -i eth0 host 192.168.1.1 -n
error : ret -1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
21:27:49.030650 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 35, length 64
21:27:50.026652 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 36, length 64
21:27:51.031805 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 37, length 64
21:27:52.041165 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 38, length 64
21:27:53.029530 IP 192.168.1.40 > 192.168.1.1: ICMP echo request, id 9721, seq 39, length 64因此,根据这个日志数据包到达集中服务器,但从未转发到192.168.1.1。
在集中式服务器和两个网关上,我启用了转发:
net.ipv4.ip_forward = 1集中式服务器上的路由表:
# ip route
default via yy.yy.yy.yy dev eth0 proto static
zz.zz.zz.zz dev eth0 proto kernel scope link src xx.xx.xx.xx
192.168.1.64/27 via 192.168.1.65 dev eth1 proto static还有路由表#220 (VPN):
# ip route show table 220
192.168.1.0/27 via 5.189.141.1 dev eth0 proto static src 192.168.1.65
192.168.1.32/27 via 5.189.141.1 dev eth0 proto static src 192.168.1.65 有什么办法可以在两个不同的隧道之间进行转发吗?
回答 1
Unix & Linux用户
发布于 2015-06-23 07:16:40
尝试将这两个网关的子网添加到中央服务器上的leftsubnet。即使每个网关上的rightsubnet包含各自相反的子网,流量选择器也将缩小到中心服务器上配置为leftsubnet (即192.168.1.65)的范围。您应该在ipsec statusall的输出中看到这一点。您还可以在中央服务器上配置leftsubnet=0.0.0.0/0,然后它将接受网关建议的任何作为其rightsubnet的内容。
https://unix.stackexchange.com/questions/211410
复制相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号