Iptables
No ping over IPSec tunnel using Strongswan
I have the following situation.
The home network is on 192.168.1.0/24 and uses a Zyxel USG50 that can handle IPSec tunnels. The remote VPS runs Ubuntu 16.04 and hosts a PPTP server (10.0.0.1), which assigns the addresses 10.0.0.100-200 to clients. The PPTP server works perfectly and clients can browse the internet without any problem.
Now I am setting up an IPSec tunnel so that the devices connected via PPTP can reach the devices on my home network. However, communication seems to work only one way: I can ping a VPN-connected device (say 10.0.0.100) from the home network (say 192.168.1.4), but not the other way round. Also, the VPS cannot ping devices on the 192.168.1.0 network (the packets go out to the internet).
ipsec.conf
conn home
    authby=secret
    keyexchange=ikev1
    ikelifetime=86400
    lifetime=28800
    ike=aes256-sha512-modp2048!
    esp=aes256-sha512-modp2048!
    auto=add
    left=%any
    leftsubnet=10.0.0.0/24
    leftfirewall=yes
    right=(my_ddns_home_address)
    rightid=%any
    rightsubnet=192.168.1.0/24
ipsec status
Security Associations (1 up, 0 connecting):
        home[1]: ESTABLISHED 30 minutes ago, my_vpsip[my_vps_ip]...my_home_ip[my_home_ip]
        home{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: ce9b32e6_i 96369de8_o
        home{1}:   10.0.0.0/24 === 192.168.1.0/24
ifconfig
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:89426 errors:0 dropped:0 overruns:0 frame:0
          TX packets:89426 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:30719387 (30.7 MB)  TX bytes:30719387 (30.7 MB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:10.0.0.1  P-t-P:10.0.0.100  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1396  Metric:1
          RX packets:32314 errors:0 dropped:0 overruns:0 frame:0
          TX packets:44911 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:3108413 (3.1 MB)  TX bytes:49298247 (49.2 MB)

venet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:127.0.0.2  P-t-P:127.0.0.2  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
          RX packets:12701126 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11210758 errors:0 dropped:7605 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:11729004253 (11.7 GB)  TX bytes:3015436822 (3.0 GB)

venet0:0  Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:vps_public_ip  P-t-P:212.24.96.165  Bcast:vps_public_ip  Mask:255.255.255.255
          UP BROADCAST POINTOPOINT RUNNING NOARP  MTU:1500  Metric:1
iptables -L -n -v
Chain FORWARD (policy ACCEPT 1060 packets, 436K bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   180 ACCEPT     all  --  venet0 *       192.168.1.0/24       10.0.0.0/24          policy match dir in pol ipsec reqid 1 proto 50
    9   540 ACCEPT     all  --  *      venet0  10.0.0.0/24          192.168.1.0/24       policy match dir out pol ipsec reqid 1 proto 50
ip route show table 220
192.168.1.0/24 via my_home_ip dev venet0 proto static src 10.0.0.1
Solved by adding this iptables rule:
sudo iptables -t nat -I POSTROUTING 1 -j ACCEPT -s 10.0.0.0/24 -m policy --dir out --pol ipsec
For more details, see here: Strongswan vpn tunnel is connected but traffic is not routed through it