我正在尝试与一个我们无法控制的外部服务建立 IPsec 隧道。隧道看起来已经建立（SA 处于 established 状态），但我完全无法 ping 通对端的私有 IP 地址，只收到 "Destination Host Unreachable"。
ifconfig
docker0 Link encap:Ethernet HWaddr 02:42:5d:6c:5b:ff
inet addr:172.17.0.1 Bcast:0.0.0.0 Mask:255.255.0.0
inet6 addr: fe80::42:5dff:fe6c:5bff/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:153830963 errors:0 dropped:0 overruns:0 frame:0
TX packets:157996702 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:10393890115 (10.3 GB) TX bytes:15013754691 (15.0 GB)
eth0 Link encap:Ethernet HWaddr 0c:c4:7a:7d:c2:ac
inet addr:129.111.191.242 Bcast:129.111.191.247 Mask:255.255.255.248
inet6 addr: fe80::ec4:7aff:fe7d:c2ac/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:131498746 errors:0 dropped:0 overruns:0 frame:0
TX packets:166120812 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:27289309652 (27.2 GB) TX bytes:163175029250 (163.1 GB)
Memory:fb200000-fb280000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:88829366 errors:0 dropped:0 overruns:0 frame:0
TX packets:88829366 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1816449755157 (1.8 TB) TX bytes:1816449755157 (1.8 TB)
veth1a733da Link encap:Ethernet HWaddr 52:e1:f1:58:ec:1d
inet6 addr: fe80::50e1:f1ff:fe58:ec1d/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:204 errors:0 dropped:0 overruns:0 frame:0
TX packets:266 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1755510 (1.7 MB) TX bytes:33966 (33.9 KB)
+ 其余大量 Docker 容器的 veth 接口（已省略）

ipsec.conf
version 2.0 # conforms to second version of ipsec.conf specification
# Global pluto (Openswan/Libreswan) settings. Debugging is commented out; pluto's
# stderr goes to a fixed log file.
config setup
#plutodebug="dpd control"
plutostderrlog=/var/log/openswan.log
dumpdir=/var/run/pluto/
# NOTE(review): NAT traversal is disabled. That is only correct when neither endpoint
# sits behind a NAT device; both left and right below are public addresses, so this is
# consistent, but re-enable it if either side is ever moved behind a NAT.
nat_traversal=no
# Address ranges pluto will accept as "virtual" remote client addresses. These must not
# overlap subnets that are routed locally. 25.0.0.0/8 is a legacy Openswan-era entry, not
# RFC 1918 space -- confirm it is still wanted.
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
# No opportunistic encryption; use the kernel XFRM ("netkey") stack; bind to the interface
# that carries the default route (eth0 according to the routing table and `ipsec auto --status`).
oe=off
protostack=netkey
interfaces="%defaultroute"
# Site-to-site tunnel to the external peer, authenticated with a pre-shared key and brought
# up automatically at start.
conn easypay-ipsec-vpn
authby=secret
auto=start
# NOTE(review): 3DES / SHA1 / MODP1024 (1024-bit DH) are legacy algorithms, presumably
# dictated by the remote side. Ask the peer whether aes256-sha2;modp2048 (or better) is
# supported and move to it when possible. The status output confirms IKEv1 main mode is in use.
ike=3des-sha1;modp1024
ikelifetime=86400s
phase2alg=3des-sha1;modp1024
salifetime=3600s
pfs=yes
# Local side: leftsubnet equals the host's own public address (/32), so only traffic whose
# source address is 129.111.191.242 will match the tunnel policy. Traffic from Docker
# containers can only enter the tunnel after it has been SNATed to this address.
left=129.111.191.242
leftsubnet=129.111.191.242/32
# Remote gateway; rightsubnet (next line) is the single remote host reachable via the tunnel.
right=196.25.143.85
rightsubnet=192.168.200.125/32

ip xfrm policy
src 129.111.191.242/32 dst 192.168.200.125/32
dir out priority 2080
tmpl src 129.111.191.242 dst 196.25.143.85
proto esp reqid 16385 mode tunnel
src 192.168.200.125/32 dst 129.111.191.242/32
dir fwd priority 2080
tmpl src 196.25.143.85 dst 129.111.191.242
proto esp reqid 16385 mode tunnel
src 192.168.200.125/32 dst 129.111.191.242/32
dir in priority 2080
tmpl src 196.25.143.85 dst 129.111.191.242
proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0

检查 IPsec 是否已启动（ipsec auto --status）
sudo /usr/sbin/ipsec auto --status | grep easypay
000 "easypay-ipsec-vpn": 129.111.191.242/32===129.111.191.242<129.111.191.242>...196.25.143.85<196.25.143.85>===192.168.200.125/32; erouted; eroute owner: #3
000 "easypay-ipsec-vpn": myip=unset; hisip=unset;
000 "easypay-ipsec-vpn": ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0
000 "easypay-ipsec-vpn": policy: PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK+lKOD+rKOD; prio: 32,32; interface: eth0;
000 "easypay-ipsec-vpn": newest ISAKMP SA: #4; newest IPsec SA: #3;
000 "easypay-ipsec-vpn": IKE algorithms wanted: 3DES_CBC(5)_000-SHA1(2)_000-MODP1024(2); flags=-strict
000 "easypay-ipsec-vpn": IKE algorithms found: 3DES_CBC(5)_192-SHA1(2)_160-MODP1024(2)
000 "easypay-ipsec-vpn": IKE algorithm newest: 3DES_CBC_192-SHA1-MODP1024
000 "easypay-ipsec-vpn": ESP algorithms wanted: 3DES(3)_000-SHA1(2)_000; pfsgroup=MODP1024(2); flags=-strict
000 "easypay-ipsec-vpn": ESP algorithms loaded: 3DES(3)_192-SHA1(2)_160
000 "easypay-ipsec-vpn": ESP algorithm newest: 3DES_000-HMAC_SHA1; pfsgroup=MODP1024
000 #4: "easypay-ipsec-vpn":500 STATE_MAIN_R3 (sent MR3, ISAKMP SA established); EVENT_SA_REPLACE in 84419s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:not set
000 #3: "easypay-ipsec-vpn":500 STATE_QUICK_R2 (IPsec SA established); EVENT_SA_REPLACE in 1621s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #3: "easypay-ipsec-vpn" esp.7f654c9@196.25.143.85 esp.273d0069@129.111.191.242 tun.0@196.25.143.85 tun.0@129.111.191.242 ref=0 refhim=4294901761
000 #1: "easypay-ipsec-vpn":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 83601s; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate

route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 129.111.191.241 0.0.0.0 UG 0 0 0 eth0
129.111.191.240 0.0.0.0 255.255.255.248 U 0 0 0 eth0
172.17.0.0 0.0.0.0 255.255.0.0 U 0 0 0 docker0
172.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-c8dc65a94bb2
172.19.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-82217b810a12
172.20.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-7850aa98111b
172.21.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-b1a7c55d62b6
172.22.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-825780b49c2d
172.23.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-c54a8b4052f1
172.28.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-9403e62934e3
172.29.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-4b089299a6c4
172.30.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-c9e5b9d15f93
172.31.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-20e8b7596a16
192.168.0.0 0.0.0.0 255.255.240.0 U 0 0 0 br-69356c2ae863
192.168.16.0 0.0.0.0 255.255.240.0 U 0 0 0 br-fef7a8477c50
192.168.32.0 0.0.0.0 255.255.240.0 U 0 0 0 br-0f934a7b6bbc
192.168.48.0 0.0.0.0 255.255.240.0 U 0 0 0 br-f436be453bc0
192.168.64.0 0.0.0.0 255.255.240.0 U 0 0 0 br-f58d5b3092b2
192.168.80.0 0.0.0.0 255.255.240.0 U 0 0 0 br-861678c58b1d
192.168.96.0 0.0.0.0 255.255.240.0 U 0 0 0 br-0bea6a9a8ba3
192.168.128.0 0.0.0.0 255.255.240.0 U 0 0 0 br-38704ca6d035
192.168.144.0 0.0.0.0 255.255.240.0 U 0 0 0 br-dd2a427832dc
192.168.160.0 0.0.0.0 255.255.240.0 U 0 0 0 br-f402e867a089
192.168.176.0 0.0.0.0 255.255.240.0 U 0 0 0 br-55b8290a7912
192.168.192.0 0.0.0.0 255.255.240.0 U 0 0 0 br-aad43c0bdf40
192.168.208.0 0.0.0.0 255.255.240.0 U 0 0 0 br-22d7856d7bf3
192.168.224.0 0.0.0.0 255.255.240.0 U 0 0 0 br-f968a9b6da10
192.168.240.0 0.0.0.0 255.255.240.0 U 0 0 0 br-5ee84192e789

综上，隧道看起来已经建立（ISAKMP SA 和 IPsec SA 都处于 established 状态），但我在这台服务器上既无法 ping 通 192.168.200.125，也无法 traceroute 到它。如能提供任何帮助，将不胜感激。
谢谢
我已经取得了更大的进步。
sudo ip route get 192.168.200.125
上面的命令显示，有一个 Docker 网络"插"在了中间。对照上面的 route -n 输出，192.168.192.0/20（br-aad43c0bdf40）这条路由正好覆盖 192.168.200.125，于是内核选择该网桥作为出接口、并用网桥上的地址作为源地址；这样的报文不会匹配 src 129.111.191.242/32 → dst 192.168.200.125/32 的 xfrm 策略，在网桥上又找不到该主机，因此只能得到 Destination Host Unreachable。删除那个 Docker 网络之后，ping 不再立刻报"不可达"，而是真正尝试发送了，但仍然收不到回应。可能 Docker 留下的路由或 NAT 规则还有残留，但我不能 100% 确定。
重新启动 IPsec 之后问题解决了（推测是删除 Docker 网络后需要让 pluto 重新安装 xfrm 策略；在修改路由或 NAT 规则后重启 IPsec 是值得记住的一步）。
发布于 2021-02-17 18:45:34
我在 IPsec 隧道（使用 Libreswan）上也遇到了同样的问题：尽管 IPsec 隧道已经建立，但 ping 对端主机的 IPv4 地址时仍然得到 "Destination Host Unreachable"。
在我的例子中，原因是 MASQUERADE（伪装）规则设置不当：发往私有地址的数据包在进入隧道之前，其源地址已经被改写成了 eth0 上的全局 IPv4 地址，因而（推测）不再匹配 IPsec 策略中的本地子网。
因此，我把 MASQUERADE 规则改成了下面这样，让目的地址为私有网段的出站数据包不再被改写源地址。
即
# iptables -t nat -A POSTROUTING -s 172.30.0.0/24 -d 192.168.0.0/16,172.16.0.0/12,10.0.0.0/8 -o eth0 -j RETURN
# iptables -t nat -A POSTROUTING -s 172.30.0.0/24 -o eth0 -j MASQUERADE

第一条规则对目的地址为私有网段（192.168.0.0/16、172.16.0.0/12、10.0.0.0/8）的数据包直接 RETURN，它们不做伪装，保留原始源地址进入 IPsec 隧道。第二条是常规的 MASQUERADE，只有其余发往互联网的数据包才会被伪装。注意 nat 表的 POSTROUTING 链是首条匹配生效：如果 Docker 或其他工具已经为同一源网段添加了自己的 MASQUERADE 规则，这两条规则必须排在它前面（用 -I 插入或调整顺序），否则 RETURN 永远轮不到。另外，`-d` 中逗号分隔的多个网段会被 iptables 展开为多条独立规则，用 `iptables -t nat -S POSTROUTING` 查看时会看到三条 RETURN。
https://serverfault.com/questions/843681