Routing

在 OpenVPN 網路和 IPSec 之間路由流量

  • March 19, 2020

伺服器上建立了兩個連線(一個 IPSec 連線,以及來自 OpenVPN 客戶端的連線)。在伺服器上,我能看到 IPSec 對端的子網,但從 OpenVPN 客戶端卻看不到它。伺服器上的防火牆處於啟用狀態,以下是 public 區域:

   public (active)
     target: default
     icmp-block-inversion: no
     interfaces: eth0 eth1
     sources:
     services: cockpit dhcpv6-client openvpn ssh
     ports: 500/udp 4500/udp
     protocols:
     masquerade: no
     forward-ports:
     source-ports:
     icmp-blocks:
     rich rules:
       rule protocol value="esp" accept

以及包含 tun0 介面的 dmz 區域:

dmz (active)
 target: default
 icmp-block-inversion: no
 interfaces: tun0
 sources:
 services: ssh
 ports:
 protocols:
 masquerade: yes
 forward-ports:
 source-ports:
 icmp-blocks:
 rich rules:

這是路由表:

default via publicIP dev eth0 proto static metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.1
10.19.0.0/16 dev eth0 proto kernel scope link src 10.19.0.5 metric 100
10.19.0.0/16 via 10.19.0.1 dev eth0 proto static metric 100
publicNET/20 dev eth0 proto kernel scope link src publicIP metric 100

感謝您的意見!

更新

ip xfrm 政策:

src 10.19.0.0/16 dst 192.168.178.0/24
   dir out priority 379519 ptype main
   tmpl src SERVER1 dst SERVER2
       proto esp spi 0x4a7f1596 reqid 71 mode tunnel
src 192.168.178.0/24 dst 10.19.0.0/16
   dir fwd priority 379519 ptype main
   tmpl src SERVER2 dst SERVER1
       proto esp reqid 71 mode tunnel
src 192.168.178.0/24 dst 10.19.0.0/16
   dir in priority 379519 ptype main
   tmpl src SERVER2 dst SERVER1
       proto esp reqid 71 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
   socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
   socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
   socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
   socket out priority 0 ptype main
src ::/0 dst ::/0
   socket in priority 0 ptype main
src ::/0 dst ::/0
   socket out priority 0 ptype main
src ::/0 dst ::/0
   socket in priority 0 ptype main
src ::/0 dst ::/0
   socket out priority 0 ptype main

這是 Strongswan 配置:

# Add connections here.
# strongSwan ipsec.conf as posted in the question (first update).
# SERVER1/SERVER2 stand in for the real endpoint addresses.
# %default holds settings every conn inherits.
conn %default
       left=SERVER1
       leftsourceip=SERVER1
       leftid=SERVER1
       # Only the eth0 subnet is offered as the local traffic selector; the
       # OpenVPN subnet 10.8.0.0/24 (tun0) is not, which is why the xfrm
       # policies above cover 10.19.0.0/16 <-> 192.168.178.0/24 only.
       leftsubnet=10.19.0.0/16
       authby=secret
       auto=start

conn home
       # NOTE(review): SHA-1 integrity and modp1024 (DH group 2) are legacy
       # choices; prefer sha256 with modp2048 or stronger if the peer supports it.
       ike=aes256-sha-modp1024
       esp=aes256-sha1-modp1024
       right=SERVER2
       rightid=@SERVER2
       # Remote subnet reachable through the tunnel.
       rightsubnet=192.168.178.0/24
       ikelifetime=3600s
       keylife=3600s

更新#2

ipsec.conf

# ipsec.conf after applying the answer's suggestion: both the eth0 subnet and
# the OpenVPN client subnet are offered as local traffic selectors, which
# produces the 10.8.0.0/24 <-> 192.168.178.0/24 xfrm policies shown below.
conn %default
       left=SERVER1
       leftsourceip=SERVER1
       leftid=SERVER1
       # Comma-separated list of local subnets. The answer notes that multiple
       # subnets per conn need IKEv2 (keyexchange=ikev2), which is absent here.
       leftsubnet=10.19.0.0/16,10.8.0.0/24
       authby=secret
       auto=start

xfrm 政策:

src 10.8.0.0/24 dst 192.168.178.0/24
   dir out priority 375423 ptype main
   tmpl src SERVER1 dst SERVER2
       proto esp spi 0xc4247488 reqid 3 mode tunnel
src 192.168.178.0/24 dst 10.8.0.0/24
   dir fwd priority 375423 ptype main
   tmpl src SERVER2 dst SERVER1
       proto esp reqid 3 mode tunnel
src 192.168.178.0/24 dst 10.8.0.0/24
   dir in priority 375423 ptype main
   tmpl src SERVER2 dst SERVER1
       proto esp reqid 3 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
   socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
   socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
   socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
   socket out priority 0 ptype main
src ::/0 dst ::/0
   socket in priority 0 ptype main
src ::/0 dst ::/0
   socket out priority 0 ptype main
src ::/0 dst ::/0
   socket in priority 0 ptype main
src ::/0 dst ::/0
   socket out priority 0 ptype main

以及 firewalld 的直接規則:

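<!-- firewalld direct rules equivalent to the iptables rules given in the answer.
     Direct rules are ordered by their priority attribute (0 = top of the chain);
     firewalld does not guarantee the relative order of rules that share the same
     priority, so the two catch-all DROPs must carry a larger priority value than
     the ACCEPTs they have to come after.  With every rule at priority 0 the
     DROPs may be evaluated first and the encrypted tunnel traffic is dropped. -->
<direct>
 <!-- Do not SNAT packets that an outbound IPsec policy is about to encrypt: the
      dmz zone masquerades tun0 traffic, and rewriting the source address before
      encryption would leave OpenVPN-client packets outside the 10.8.0.0/24 selector. -->
 <rule ipv="ipv4" table="nat" chain="POSTROUTING" priority="0">-m policy --pol ipsec --dir out -j ACCEPT</rule>
 <!-- 1. Traffic that arrived through the IPsec tunnel (matched on the inbound xfrm policy). -->
 <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.178.0/24 -d 10.19.0.0/16 -m policy --dir in --pol ipsec -j ACCEPT</rule>
 <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 192.168.178.0/24 -d 10.8.0.0/24 -m policy --dir in --pol ipsec -j ACCEPT</rule>
 <!-- 2. Traffic that an outbound xfrm policy will encrypt into the tunnel. -->
 <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 10.19.0.0/16 -d 192.168.178.0/24 -m policy --dir out --pol ipsec -j ACCEPT</rule>
 <rule ipv="ipv4" table="filter" chain="FORWARD" priority="0">-s 10.8.0.0/24 -d 192.168.178.0/24 -m policy --dir out --pol ipsec -j ACCEPT</rule>
 <!-- 3. Anything else from/to the IPsec LAN is unencrypted (e.g. while the tunnel
      is down): drop it.  priority="1" is a constructed value; any value larger
      than the ACCEPTs' priority works. -->
 <rule ipv="ipv4" table="filter" chain="FORWARD" priority="1">-s 192.168.178.0/24 -j DROP</rule>
 <rule ipv="ipv4" table="filter" chain="FORWARD" priority="1">-d 192.168.178.0/24 -j DROP</rule>
</direct>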

和 openvpn 伺服器配置:

# OpenVPN server configuration as posted in the question.
port 1194
proto udp
dev tun
# Run unprivileged after startup; persist-key/persist-tun let the process
# survive restarts without re-reading the key or re-opening the tun device.
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
# Client address pool 10.8.0.0/24 (tun0 carries 10.8.0.1, see the routing table).
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 176.103.130.130"
push "dhcp-option DNS 176.103.130.131"
#push "redirect-gateway def1 bypass-dhcp"
# Route for the IPsec peer's LAN, so clients send that traffic into the VPN;
# this is the OpenVPN-side step the answer asks for.
push "route 192.168.178.0 255.255.255.0"
# ECDH only; no finite-field DH parameter file.
dh none
ecdh-curve prime256v1
# Control channel is encrypted and authenticated with a pre-shared tls-crypt key;
# client certificates are checked against the CRL.
tls-crypt tls-crypt.key 0
crl-verify crl.pem
ca ca.crt
cert server_21QCUO0cRXlOaJFT.crt
key server_21QCUO0cRXlOaJFT.key
auth SHA256
cipher AES-128-GCM
# NOTE(review): OpenVPN 2.5 renamed this option data-ciphers (ncp-ciphers is
# kept as an alias); the data channel is limited to AES-128-GCM either way.
ncp-ciphers AES-128-GCM
tls-server
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
status /var/log/openvpn/status.log
verb 3

為了配置 IPSec 客戶端與 OpenVPN 客戶端之間的路由,您必須將 10.8.0.0/24 添加到 leftsubnet 選項中。您的 %default 部分應如下所示:

# Proposed %default section: offer both the eth0 subnet and the OpenVPN
# client subnet as local traffic selectors of the IPsec connection.
conn %default
   # IKEv1 does not support multiple subnets.
   # NOTE(review): switching to IKEv2 must be mirrored on the peer (SERVER2),
   # and the proposals in conn home should be checked against what it accepts.
   keyexchange=ikev2
   left=SERVER1
   leftsourceip=SERVER1
   leftid=SERVER1
   # Comma-separated list; each entry gets its own xfrm policies towards rightsubnet.
   leftsubnet=10.19.0.0/16,10.8.0.0/24
   authby=secret
   auto=start

這將在每個客戶端上添加:

  1. 一條形式為 `10.8.0.0/24 via <real_gateway> dev <real_interface>` 的附加路由(位於路由表 220 中,請參見 `ip route show table 220`);
  2. 三條附加的 xfrm 策略,規定 `10.8.0.0/24` 與 `192.168.178.0/24` 之間的流量必須加密並發送到 `SERVER1`。

要配置另一個方向的路由,請添加:

push "route 192.168.178.0 255.255.255.0"

到 OpenVPN 伺服器配置。

重新載入 charon 和 OpenVPN 伺服器後,只剩下防火牆可能會阻礙雙向通信。您可能需要添加以下規則:

# Every rule is inserted (-I) rather than appended, so each one lands above
# the ones inserted before it: the DROPs go in first and end up evaluated last.
IPSEC_LAN=192.168.178.0/24              # subnet behind the IPsec peer (rightsubnet)
LOCAL_NETS="10.19.0.0/16 10.8.0.0/24"   # eth0 subnet and the OpenVPN client subnet

# 3. Whatever is left from/to the IPsec LAN is unencrypted: drop it.
#    While the tunnel is down this also stops that private traffic from
#    reaching the Internet.
iptables -I FORWARD -s "$IPSEC_LAN" -j DROP
iptables -I FORWARD -d "$IPSEC_LAN" -j DROP

# 2. Accept traffic that arrived through the IPsec tunnel (matched on the
#    inbound xfrm policy, not on addresses alone).
for net in $LOCAL_NETS; do
    iptables -I FORWARD -s "$IPSEC_LAN" -d "$net" -m policy --dir in --pol ipsec -j ACCEPT
done

# 1. Accept traffic that an outbound xfrm policy is about to encrypt.
for net in $LOCAL_NETS; do
    iptables -I FORWARD -s "$net" -d "$IPSEC_LAN" -m policy --dir out --pol ipsec -j ACCEPT
done

或是這些規則在您所用防火牆(例如 firewalld)中的等價規則。

引用自:https://serverfault.com/questions/1005850