Routing
Routing traffic between an OpenVPN network and IPsec

Two connections are established on the server (IPsec, and the one from the OpenVPN clients). On the server I can see the subnet behind IPsec, but not the one coming from the OpenVPN clients. The firewall on the server is active; here is the public zone:

```
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: cockpit dhcpv6-client openvpn ssh
  ports: 500/udp 4500/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule protocol value="esp" accept
```

and the dmz zone with the tun0 interface:

```
dmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun0
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```

This is the routing table:

```
default via publicIP dev eth0 proto static metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.19.0.0/16 dev eth0 proto kernel scope link src 10.19.0.5 metric 100
10.19.0.0/16 via 10.19.0.1 dev eth0 proto static metric 100
publicNET/20 dev eth0 proto kernel scope link src publicIP metric 100
```

Thanks for your input!
Update

`ip xfrm policy`:

```
src 10.19.0.0/16 dst 192.168.178.0/24
    dir out priority 379519 ptype main
    tmpl src SERVER1 dst SERVER2
        proto esp spi 0x4a7f1596 reqid 71 mode tunnel
src 192.168.178.0/24 dst 10.19.0.0/16
    dir fwd priority 379519 ptype main
    tmpl src SERVER2 dst SERVER1
        proto esp reqid 71 mode tunnel
src 192.168.178.0/24 dst 10.19.0.0/16
    dir in priority 379519 ptype main
    tmpl src SERVER2 dst SERVER1
        proto esp reqid 71 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main
```

Here is the strongSwan configuration:

```
# Add connections here.
conn %default
    left=SERVER1
    leftsourceip=SERVER1
    leftid=SERVER1
    leftsubnet=10.19.0.0/16
    authby=secret
    auto=start

conn home
    ike=aes256-sha-modp1024
    esp=aes256-sha1-modp1024
    right=SERVER2
    rightid=@SERVER2
    rightsubnet=192.168.178.0/24
    ikelifetime=3600s
    keylife=3600s
```
Update #2

ipsec.conf:

```
conn %default
    left=SERVER1
    leftsourceip=SERVER1
    leftid=SERVER1
    leftsubnet=10.19.0.0/16,10.8.0.0/24
    authby=secret
    auto=start
```

xfrm policy:

```
src 10.8.0.0/24 dst 192.168.178.0/24
    dir out priority 375423 ptype main
    tmpl src SERVER1 dst SERVER2
        proto esp spi 0xc4247488 reqid 3 mode tunnel
src 192.168.178.0/24 dst 10.8.0.0/24
    dir fwd priority 375423 ptype main
    tmpl src SERVER2 dst SERVER1
        proto esp reqid 3 mode tunnel
src 192.168.178.0/24 dst 10.8.0.0/24
    dir in priority 375423 ptype main
    tmpl src SERVER2 dst SERVER1
        proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main
src ::/0 dst ::/0
    socket in priority 0 ptype main
src ::/0 dst ::/0
    socket out priority 0 ptype main
```

and the firewalld direct rules:

```xml
<direct>
  <rule ipv="ipv4" table="nat" chain="POSTROUTING" priority="0">-m policy --pol ipsec --dir out -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.178.0/24 -j DROP</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-d 192.168.178.0/24 -j DROP</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.178.0/24 -d 10.19.0.0/16 -m policy --dir in --pol ipsec -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.178.0/24 -d 10.8.0.0/24 -m policy --dir in --pol ipsec -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 10.19.0.0/16 -d 192.168.178.0/24 -m policy --dir out --pol ipsec -j ACCEPT</rule>
  <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 10.8.0.0/24 -d 192.168.178.0/24 -m policy --dir out --pol ipsec -j ACCEPT</rule>
</direct>
```

and the OpenVPN server configuration:

```
port 1194
proto udp
dev tun
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 176.103.130.130"
push "dhcp-option DNS 176.103.130.131"
#push "redirect-gateway def1 bypass-dhcp"
push "route 192.168.178.0 255.255.255.0"
dh none
ecdh-curve prime256v1
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_21QCUO0cRXlOaJFT.crt
key server_21QCUO0cRXlOaJFT.key
auth SHA256
cipher AES-128-GCM
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3
```
To configure routing between the IPsec clients and the OpenVPN clients, you have to add `10.8.0.0/24` to the `leftsubnet` option. Your `%default` section should look like this:

```
conn %default
    # IKEv1 does not support multiple subnets.
    keyexchange=ikev2
    left=SERVER1
    leftsourceip=SERVER1
    leftid=SERVER1
    leftsubnet=10.19.0.0/16,10.8.0.0/24
    authby=secret
    auto=start
```
This will add on each client:

- an additional route of the form `10.8.0.0/24 via <real_gateway> dev <real_interface>` (in table 220, see `ip route show table 220`).
- three additional xfrm policies, which state that traffic between `10.8.0.0/24` and `192.168.178.0/24` must be encrypted and sent to `SERVER1`.
To configure routing in the other direction, add:

```
push "route 192.168.178.0 255.255.255.0"
```

to the OpenVPN server configuration.

After reloading charon and the OpenVPN server, only the firewall can still get in the way of communication in both directions. You may need to add the following rules:

```sh
# Insert instead of append, so the order is reversed
# 3. Drop the remaining (unencrypted) traffic from/to IPSec tunnel.
#    This will block private traffic from reaching the Internet,
#    when the tunnel is down.
iptables -I FORWARD -s 192.168.178.0/24 -j DROP
iptables -I FORWARD -d 192.168.178.0/24 -j DROP
# 2. Allow encrypted traffic from IPSec tunnel
iptables -I FORWARD -s 192.168.178.0/24 -d 10.19.0.0/16 \
    -m policy --dir in --pol ipsec -j ACCEPT
iptables -I FORWARD -s 192.168.178.0/24 -d 10.8.0.0/24 \
    -m policy --dir in --pol ipsec -j ACCEPT
# 1. Allow encrypted traffic to IPSec tunnel
iptables -I FORWARD -s 10.19.0.0/16 -d 192.168.178.0/24 \
    -m policy --dir out --pol ipsec -j ACCEPT
iptables -I FORWARD -s 10.8.0.0/24 -d 192.168.178.0/24 \
    -m policy --dir out --pol ipsec -j ACCEPT
```

or their firewalld equivalents.
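The checks behind this answer, as an added example that is not code from the question or the answer: a small Python script that parses the text printed by `ip xfrm policy`, reports which of the three per-subnet-pair policies (out, in, fwd) the gateway is missing, and generates the FORWARD rules above in the same insertion order for any number of local subnets. It goes slightly beyond the answer in that it handles a list of local and remote subnets rather than the two fixed ones. The sample policy text is constructed from the first update (only `10.19.0.0/16` covered), and `SERVER1`/`SERVER2` are the thread's own placeholders.

```python
"""Check xfrm policies and generate matching FORWARD rules (added example).

Assumes the leftsubnet/rightsubnet prefixes from the thread and the text
format printed by `ip xfrm policy` on Linux (iproute2).
"""
import re
from ipaddress import ip_network

# Constructed sample: the first update's `ip xfrm policy` output, where the
# tunnel covers 10.19.0.0/16 but not yet 10.8.0.0/24. Leading whitespace on
# continuation lines is tabs in real output; the parser accepts either.
SAMPLE_XFRM_POLICY = """\
src 10.19.0.0/16 dst 192.168.178.0/24
    dir out priority 379519 ptype main
    tmpl src SERVER1 dst SERVER2
        proto esp spi 0x4a7f1596 reqid 71 mode tunnel
src 192.168.178.0/24 dst 10.19.0.0/16
    dir fwd priority 379519 ptype main
    tmpl src SERVER2 dst SERVER1
        proto esp reqid 71 mode tunnel
src 192.168.178.0/24 dst 10.19.0.0/16
    dir in priority 379519 ptype main
    tmpl src SERVER2 dst SERVER1
        proto esp reqid 71 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
    socket out priority 0 ptype main
"""

# A policy record starts at column 0 with "src X dst Y" and continues on the
# next line with either "dir <out|in|fwd>" (tunnel policy) or "socket ...".
POLICY_RE = re.compile(r"^src (\S+) dst (\S+)\s+(dir|socket) (\S+)", re.MULTILINE)


def parse_xfrm_policies(text):
    """Return the set of (src, dst, direction) tunnel policies; socket policies are skipped."""
    policies = set()
    for src, dst, kind, direction in POLICY_RE.findall(text):
        if kind == "dir":
            policies.add((src, dst, direction))
    return policies


def expected_policies(local_subnets, remote_subnets):
    """The three policies the gateway needs per (local, remote) pair:
    'out' for local->remote, and 'in' plus 'fwd' for remote->local."""
    expected = set()
    for local in local_subnets:
        for remote in remote_subnets:
            expected.add((local, remote, "out"))
            expected.add((remote, local, "in"))
            expected.add((remote, local, "fwd"))
    return expected


def missing_policies(text, local_subnets, remote_subnets):
    """Policies that should be installed but do not appear in `text`."""
    return sorted(expected_policies(local_subnets, remote_subnets) - parse_xfrm_policies(text))


def leftsubnet_value(local_subnets):
    """Comma-separated leftsubnet value; ip_network() rejects host bits set (e.g. 10.8.0.1/24)."""
    return ",".join(str(ip_network(s)) for s in local_subnets)


def forward_rules(local_subnets, remote_subnets):
    """iptables commands in the answer's insertion order: DROP first, then the
    policy-matched ACCEPTs, so that in the final chain ACCEPT precedes DROP."""
    rules = []
    for remote in remote_subnets:
        rules.append(f"iptables -I FORWARD -s {remote} -j DROP")
        rules.append(f"iptables -I FORWARD -d {remote} -j DROP")
    for remote in remote_subnets:
        for local in local_subnets:
            rules.append(f"iptables -I FORWARD -s {remote} -d {local} -m policy --dir in --pol ipsec -j ACCEPT")
    for remote in remote_subnets:
        for local in local_subnets:
            rules.append(f"iptables -I FORWARD -s {local} -d {remote} -m policy --dir out --pol ipsec -j ACCEPT")
    return rules


if __name__ == "__main__":
    local = ["10.19.0.0/16", "10.8.0.0/24"]
    remote = ["192.168.178.0/24"]
    print("leftsubnet=" + leftsubnet_value(local))
    for policy in missing_policies(SAMPLE_XFRM_POLICY, local, remote):
        print("missing xfrm policy:", policy)  # the three 10.8.0.0/24 policies
    for rule in forward_rules(local, remote):
        print(rule)
```

On a live gateway, feed the real output in with `missing_policies(subprocess.check_output(["ip", "xfrm", "policy"], text=True), ...)`; an empty result means charon installed policies for every subnet pair, and whatever is still blocked is then a FORWARD-chain problem rather than a strongSwan one.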