Networking

How do I configure an IPsec (strongSwan) interface so that only the assigned interface gets the virtual IP?

  • February 7, 2020

I have used this configuration many times and have not run into this problem before. Basically I bring up the tunnel, but after connecting (with swanctl --initiate --child ch_vti0 --ike ch_vti0) my virtual IP is assigned on the proper interface, vti0, and the same IP is also assigned on the main interface, enp2s0 (the one connected to the internet).

From the logs with extended debug options I get the following (shortened for brevity):

юли 29 09:33:45 malz charon-custom[21535]: 12[IKE] installing new virtual IP 172.13.14.3
...
юли 29 09:33:45 malz charon-custom[21535]: 12[KNL] virtual IP 172.13.14.3 installed on enp2s0
...
юли 29 09:33:45 malz charon-custom[21535]: 11[KNL] adding policy 192.168.122.0/24 === 172.13.14.3/32 in (mark 42/0xffffffff) [priority 371327, refcount 1]
...
юли 29 09:33:45 malz charon-custom[21535]: 11[KNL] using host 172.13.14.3
...
юли 29 09:33:45 malz charon-custom[21535]: 11[KNL] installing route: 192.168.122.0/24 via 10.3.218.62 src 172.13.14.3 dev enp2s0
...
юли 29 09:33:45 malz charon-custom[21535]: 11[IKE] CHILD_SA ch_vti0{1} established with SPIs cbaeec67_i c450a827_o and TS 172.13.14.3/32 === 192.168.122.0/24
...
юли 29 09:33:45 malz charon-custom[21535]: 16[KNL] 172.13.14.3 appeared on vti0

So basically I establish the connection, my main interface enp2s0 immediately gets the virtual IP, and then the other interface, vti0, gets the IP.

Side note: I know I can work around this by deleting the route on the main interface, but my goal is to stop the assignment entirely.

My swanctl.conf (initiator):

connections {
  ch_vti0 {
     send_cert = always
     encap = yes
     vips = 0.0.0.0
     remote_addrs = 10.3.218.62
     local {
        round = 1
        id = 10.3.72.29
        auth = psk
        certs = 
      }
     remote {
        auth = psk
        id = 10.3.218.62
        certs = 
      }
     children {
       ch_vti0 { 
           updown = /usr/local/etc/swanctl/updown.sh 0
           mark_in = 42 
           mark_out = 42 
           remote_ts = 192.168.122.2/24
           local_ts = dynamic
           inactivity = 300s
           mode = tunnel
           esp_proposals =  3des-sha1-modp2048
        }
     }
     version = 1 
     proposals =  des-md5-modp768, des-md5-modp1024, des-md5-modp1536
  }
}
secrets {
       eap-xauth {
       eap_id = test1
       id = test1
       secret = password
  }
       xauth-local {
       id = test1
       secret = password
       }
       ike-sec {
       id = %any
       secret = test
       }
       ike-local {
       id = 10.3.72.29
       secret = test
       }
}

Server setup (responder):

connections {
  ch_vti0 {
     send_cert = always
     encap = yes
     pools = pools_users
     #aggressive = yes
     local {
        round = 1
        id = 10.3.218.62
        auth = psk
        certs = 
      }
     remote {
        auth = psk
        id = %any
        certs = 
      }
     children {
       ch_vti0 { 
           local_ts = 192.168.122.2/24
           inactivity = 120s
           mode = tunnel
           esp_proposals =  3des-sha1-modp2048
        }
     }
     version = 0
     proposals =  des-md5-modp768, des-md5-modp1024, des-md5-modp1536
  }
}
pools {
       pools_users {
               addrs = 172.13.14.2/24
       }
}
secrets {
       eap-xauth {
       eap_id = test1
       id = test1
       secret = password
  }
       xauth-local {
       id = test1
       secret = password
       }
       ike-sec {
       id = %any
       secret = test
       }
       ike-local {
       id = 10.3.218.62
       secret = test
       }
}

I also know that I can use the strongSwan charon parameters:

# install_virtual_ip_on = vti0
# interfaces_use = vti0
# interfaces_ignore = enp2s0

But if I do that, the procedure does not go through; it seems it needs to use the enp2s0 interface. Has anyone else run into this problem? Any suggestions are welcome.

I am using strongSwan 5.7.2 on Linux 4.18.0-25-generic.

The updown script really does not matter, because if I run the same configuration without the script I get the same error.

So I finally found a way to correct this. As I said, the problem is that the wrong interface was being used in addition to the correct one. I still have not figured out why, but I did find a workaround that I consider good enough. In strongswan.conf (usually at /etc/strongswan.conf or /usr/local/etc/strongswan.conf) set the variable install_routes = no (the default is yes). From the strongSwan documentation, the variable is:

Install routes into a separate routing table for established IPsec tunnels. If disabled a more efficient lookup for source and next-hop addresses is used since 5.5.2.

So by doing this I stop table 220 from being created and routes from being added to it. Instead, the correct route is configured on its own by checking which interface has a route to the specific IP.

As mentioned earlier, using these variables can also solve your problem.

# install_virtual_ip_on = vti0
# interfaces_use = vti0
# interfaces_ignore = enp2s0

strongswan.conf:

charon {
       install_routes = no
       load_modular = yes
       plugins {
               include strongswan.d/charon/*.conf
       }
include strongswan.d/*.conf
}

It seems you only need to add the install_virtual_ip_on = vti0 option to solve your problem.

Do not touch the interfaces_use and interfaces_ignore options.
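Whichever of the two fixes above you apply (install_routes = no from the first answer, or install_virtual_ip_on = vti0 from the second), the thing worth verifying afterwards is where the virtual IP actually landed and which charon settings are really in effect (not just present as a commented-out line, as in the question). The following script is an added example, not code from this thread or from the strongSwan project. It works on constructed sample text embedded inline: the two charon log lines are copied from the question (host name malz), while the ip addr output and the strongswan.conf fragment are made up to mirror the broken and fixed states. On a live host you would feed it the output of ip -o -4 addr show, the charon log, and your real strongswan.conf instead.

```shell
#!/bin/sh
# Added example, not from the serverfault thread or strongSwan.
# Audits where a strongSwan virtual IP landed and which strongswan.conf knobs
# are in effect. All inputs below are constructed sample text.

# Constructed `ip -o -4 addr show` output reproducing the symptom from the
# question: 172.13.14.3 is present on enp2s0 as well as on vti0.
SAMPLE_ADDR_BROKEN='2: enp2s0    inet 10.3.72.29/24 brd 10.3.72.255 scope global enp2s0
2: enp2s0    inet 172.13.14.3/32 scope global enp2s0
5: vti0    inet 172.13.14.3/32 scope global vti0'

# Constructed output after the fix: only vti0 holds the VIP.
SAMPLE_ADDR_FIXED='2: enp2s0    inet 10.3.72.29/24 brd 10.3.72.255 scope global enp2s0
5: vti0    inet 172.13.14.3/32 scope global vti0'

# Two charon log lines copied from the question.
SAMPLE_LOG_BROKEN='юли 29 09:33:45 malz charon-custom[21535]: 12[KNL] virtual IP 172.13.14.3 installed on enp2s0
юли 29 09:33:45 malz charon-custom[21535]: 16[KNL] 172.13.14.3 appeared on vti0'

# Constructed log line for the fixed state (same format, interface changed).
SAMPLE_LOG_FIXED='юли 29 09:33:45 malz charon-custom[21535]: 12[KNL] virtual IP 172.13.14.3 installed on vti0'

# Constructed strongswan.conf combining both answers; one knob is left
# commented out, as the question shows, to demonstrate that it is ignored.
SAMPLE_CONF='charon {
       install_routes = no
       install_virtual_ip_on = vti0
       # interfaces_ignore = enp2s0
       load_modular = yes
}'

# vip_holders ADDR_TEXT VIP: print every interface (one per line) that carries
# VIP in `ip -o -4 addr show` text. Field 2 is the interface, field 4 the
# address with its prefix length.
vip_holders() {
    printf '%s\n' "$1" | awk -v vip="$2" '
        $3 == "inet" { split($4, a, "/"); if (a[1] == vip) print $2 }'
}

# vip_only_on ADDR_TEXT VIP IFACE: exit 0 when no interface other than IFACE
# holds VIP; exit 1 when a stray holder such as enp2s0 exists.
vip_only_on() {
    ! vip_holders "$1" "$2" | grep -vxq "$3"
}

# log_install_iface LOG_TEXT: interface named in charon's
# "virtual IP ... installed on <iface>" line, i.e. where the VIP went first.
log_install_iface() {
    printf '%s\n' "$1" | awk '/virtual IP .* installed on/ { print $NF; exit }'
}

# charon_setting CONF_TEXT KEY: value of KEY in strongswan.conf text.
# Lines starting with # are comments, so a knob that only exists commented
# out yields an empty string.
charon_setting() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        $1 == key && $2 == "=" { print $3; exit }'
}

# audit ADDR_TEXT LOG_TEXT CONF_TEXT VIP IFACE: print a short report and
# return 0 only when VIP sits solely on IFACE.
audit() {
    echo "charon installed VIP on: $(log_install_iface "$2")"
    echo "interfaces holding $4: $(vip_holders "$1" "$4" | tr '\n' ' ')"
    echo "install_routes = $(charon_setting "$3" install_routes)"
    echo "install_virtual_ip_on = $(charon_setting "$3" install_virtual_ip_on)"
    echo "interfaces_ignore = $(charon_setting "$3" interfaces_ignore)"
    if vip_only_on "$1" "$4" "$5"; then
        echo "OK: $4 is only on $5"
    else
        echo "PROBLEM: $4 also sits on an interface other than $5"
        return 1
    fi
}

# Stand-alone run: the broken sample reports the problem, the fixed one is OK.
audit "$SAMPLE_ADDR_BROKEN" "$SAMPLE_LOG_BROKEN" "$SAMPLE_CONF" 172.13.14.3 vti0 || true
echo
audit "$SAMPLE_ADDR_FIXED" "$SAMPLE_LOG_FIXED" "$SAMPLE_CONF" 172.13.14.3 vti0
```

The check deliberately reads the address table rather than the charon log alone: the log in the question shows "installed on enp2s0" followed later by "appeared on vti0", so a grep for the vti line would pass even on the broken host. Comparing the set of interfaces that hold the VIP against the one you expect catches the duplicate assignment directly, and charon_setting skipping commented lines reflects that the three knobs in the question were commented out with # and therefore never applied.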

Quoted from: https://serverfault.com/questions/977099