Iptables

使用 Strongswan 在 IPSec 隧道上沒有 ping

  • December 24, 2018

我有以下情況。

家庭網路位於 192.168.1.0/24 並使用能夠處理 IPSec 隧道的 Zyxel USG50。遠端 VPS 執行 Ubuntu 16.04 並託管一個 PPTP 伺服器 (10.0.0.1),它將地址 10.0.0.100-200 分配給客戶端。PPTP 伺服器完美執行,客戶端可以毫無問題地上網。

現在我正在設置一個 IPSec 隧道,以便能夠通過 PPTP 連接的設備訪問我的家庭網路設備。無論如何,通信似乎只能以一種方式工作:我可以從家庭網路(比如 192.168.1.4)ping VPN 連接的設備(比如 10.0.0.100),但反之則不行。此外,VPS 無法 ping 192.168.1.0 網路上的設備(數據包在網際網路上傳播)

ipsec.conf

conn home
       authby = secret
       keyexchange = ikev1
       ikelifetime = 86400
       lifetime = 28800
       ike = aes256-sha512-modp2048!
       esp = aes256-sha512-modp2048!
       auto = add
       left = %any
       leftsubnet = 10.0.0.0/24
       leftfirewall = yes
       right = (my_ddns_home_address)
       rightid = %any
       rightsubnet = 192.168.1.0/24

ipsec 狀態

Security Associations (1 up, 0 connecting):
   home[1]: ESTABLISHED 30 minutes ago, my_vpsip[my_vps_ip]...my_home_ip[my_home_ip]
   home{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce9b32e6_i 96369de8_o
   home{1}:   10.0.0.0/24 === 192.168.1.0/24

如果配置

lo        Link encap:Local Loopback
         inet addr:127.0.0.1  Mask:255.0.0.0
         inet6 addr: ::1/128 Scope:Host
         UP LOOPBACK RUNNING  MTU:65536  Metric:1
         RX packets:89426 errors:0 dropped:0 overruns:0 frame:0
         TX packets:89426 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:30719387 (30.7 MB)  TX bytes:30719387 (30.7 MB)

ppp0      Link encap:Point-to-Point Protocol
         inet addr:10.0.0.1  P-t-P:10.0.0.100  Mask:255.255.255.255
         UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1
         RX packets:32314 errors:0 dropped:0 overruns:0 frame:0
         TX packets:44911 errors:0 dropped:0 overruns:0 carrier:0
         collisions:0 txqueuelen:3
         RX bytes:3108413 (3.1 MB)  TX bytes:49298247 (49.2 MB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
         inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
         UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
         RX packets:12701126 errors:0 dropped:0 overruns:0 frame:0
         TX packets:11210758 errors:0 dropped:7605 overruns:0 carrier:0
         collisions:0 txqueuelen:0
         RX bytes:11729004253 (11.7 GB)  TX bytes:3015436822 (3.0 GB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
         inet addr:vps_public_ip  P-t-P:212.24.96.165  Bcast:vps_public_ip  Mask:255.255.255.255
         UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1

iptables -L -n -v

Chain FORWARD (policy ACCEPT 1060 packets, 436K bytes)
pkts bytes target     prot opt in     out     source               destination
3   180 ACCEPT     all  --  venet0 *       192.168.1.0/24       10.0.0.0/24          policy match dir in pol ipsec reqid 1 proto 50
9   540 ACCEPT     all  --  *      venet0  10.0.0.0/24          192.168.1.0/24       policy match dir out pol ipsec reqid 1 proto 50

ip 路由顯示表 220

192.168.1.0/24 via my_home_ip dev venet0  proto static  src 10.0.0.1

通過添加此 iptables 規則解決:

sudo iptables -t nat -I POSTROUTING 1 -j ACCEPT -s 10.0.0.0/24 -m policy --dir out --pol ipsec

有關更多詳細資訊,請參見此處:Strongswan vpn 隧道已連接,但流量未通過它路由

引用自:https://serverfault.com/questions/885229