Ubuntu

Site-to-site IPsec VPN not sending pings through the tunnel

  • July 27, 2014

This is my first attempt at a site-to-site VPN. I chose IPsec because it seemed to be the best solution for what I need to accomplish. Over the last week I have followed several different tutorials with little success. Right now I cannot successfully ping the other side's subnet. I know I'm missing something, I just don't know what.

As far as I can tell, I should be seeing something in the routing table. Right now, traffic destined for the other subnet leaves without being encapsulated and is dropped by the first router that receives it, since the destination is a non-routable private IP.

I tried adding MASQUERADE and RELATED,ESTABLISHED rules to iptables, thinking that might help. I ended up abandoning that idea. Right now the default iptables policy is ACCEPT on all chains on both Ubuntu machines. I'll tighten things up once IPsec works.

Output of "service ipsec status"

IPsec running  - pluto pid: 1059
pluto pid 1059
1 tunnels up
some eroutes exist

/etc/ipsec.conf on both sites

version 2 

config setup
   dumpdir=/var/run/pluto/

   nat_traversal=yes
   virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
   protostack=netkey
   force_keepalive=yes
   keep_alive=60


conn site1-site2
   leftsubnets=10.248.248.64/16
   rightsubnet=10.131.250.194/16
   auto=start
   left=162.243.XXX.XXX
   right=178.62.YYY.YYY

   leftid=@site1
   rightid=@site2
   authby=secret
   ike=aes128-sha1;modp1024
   phase2=esp
   phase2alg=aes128-sha1;modp1024
   aggrmode=no
   ikelifetime=8h
   salifetime=1h
   dpddelay=10
   dpdtimeout=40
   dpdaction=restart
   type=tunnel
   forceencaps=yes

Output of "ipsec verify" on both sites (IP forwarding is enabled in /etc/sysctl.conf)

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                 [OK]
Linux Openswan U2.6.38/K3.13.0-24-generic (netkey)
Checking for IPsec support in kernel                [OK]
SAref kernel support                       [N/A]
NETKEY:  Testing XFRM related proc values          [OK]
                               [OK]
                               [OK]
Checking that pluto is running                                  [OK]
Pluto listening for IKE on udp 500                             [OK]
Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

Site 1: /etc/ipsec.secrets

# this file is managed with debconf and will contain the automatically created RSA keys
include /var/lib/openswan/ipsec.secrets.inc

162.243.XXX.XXX 178.62.YYY.YYY : PSK "sameRandomString"

Site 1: output of "ip xfrm policy"

src 10.248.0.0/16 dst 10.131.0.0/16 
   dir out priority 2608 
   tmpl src 162.243.XXX.XXX dst 178.62.YYY.YYY
       proto esp reqid 16385 mode tunnel
src 10.131.0.0/16 dst 10.248.0.0/16 
   dir fwd priority 2608 
   tmpl src 178.62.YYY.YYY dst 162.243.XXX.XXX
       proto esp reqid 16385 mode tunnel
src 10.131.0.0/16 dst 10.248.0.0/16 
   dir in priority 2608 
   tmpl src 178.62.YYY.YYY dst 162.243.XXX.XXX
       proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0 
   socket out priority 0 
src ::/0 dst ::/0 
   socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket in priority 0 

Site 1: output of "ip route"

default via 162.243.XXX.1 dev eth0 
10.128.128.0/24 dev eth1  proto kernel  scope link  src 10.128.128.64 
162.243.XXX.0/24 dev eth0  proto kernel  scope link  src 162.243.XXX.XXX 

Site 2: /etc/ipsec.secrets

# this file is managed with debconf and will contain the automatically created RSA keys
include /var/lib/openswan/ipsec.secrets.inc

178.62.YYY.YYY 162.243.XXX.XXX : PSK "sameRandomString"

Site 2: output of "ip xfrm policy"

src 10.131.0.0/16 dst 10.248.0.0/16 
   dir out priority 2608 
   tmpl src 178.62.YYY.YYY dst 162.243.XXX.XXX
       proto esp reqid 16385 mode tunnel
src 10.248.0.0/16 dst 10.131.0.0/16 
   dir fwd priority 2608 
   tmpl src 162.243.XXX.XXX dst 178.62.YYY.YYY
       proto esp reqid 16385 mode tunnel
src 10.248.0.0/16 dst 10.131.0.0/16 
   dir in priority 2608 
   tmpl src 162.243.XXX.XXX dst 178.62.YYY.YYY
       proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0 
   socket out priority 0 
src ::/0 dst ::/0 
   socket in priority 0 
src ::/0 dst ::/0 
   socket out priority 0 
src ::/0 dst ::/0 
   socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
   socket in priority 0 

Site 2: output of "ip route"

default via 178.62.YYY.1 dev eth0 
10.131.0.0/16 dev eth1  proto kernel  scope link  src 10.131.250.194 
178.62.YYY.0/18 dev eth0  proto kernel  scope link  src 178.62.YYY.YYY 

An excerpt from /var/log/auth.log on site 2

Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [Dead Peer Detection]
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=115 
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: responding to Main Mode
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: Main mode peer ID is ID_IPV4_ADDR: '162.243.XXX.XXX'
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: new NAT mapping for #3, was 162.243.XXX.XXX:500, now 162.243.XXX.XXX:4500
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: Dead Peer Detection (RFC 3706): enabled
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: the peer proposed: 10.131.0.0/16:0/0 -> 10.248.0.0/16:0/0
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: responding to Quick Mode proposal {msgid:9e504ac0}
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4:     us: 10.131.0.0/16===178.62.YYY.YYY<178.62.YYY.YYY>
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4:   them: 162.243.XXX.XXX<162.243.XXX.XXX>===10.248.0.0/16
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: keeping refhim=4294901761 during rekey
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: Dead Peer Detection (RFC 3706): enabled
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x5b14c281 <0xd731b1b1 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=162.243.XXX.XXX:4500 DPD=enabled

Any help is greatly appreciated.

To me this sounds like you are trying to get the site-to-site tunnel gateways to communicate via their internal IP addresses rather than their public IP addresses. To do this with a single tunnel, you need to configure left and right internal source addresses. See below...

leftsourceip=10.248.248.64
rightsourceip=10.131.250.194

Add these lines and restart ipsec, and then you can ping using the internal gateways.
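The reason the fix works can be checked directly against the "ip xfrm policy" output posted in the question: the kernel only encapsulates a packet whose source and destination both fall inside the selector of a tunnel-mode "out" policy, and a ping sent from the gateway without a sourceip is sourced from the address of the interface the default route picks. The following Python script is an added example, not code from the question, the answer or the Openswan project; it parses the site 1 policy listing as posted (embedded as a constructed sample, public addresses left anonymised as on the page), picks the policy the kernel would select for a given src/dst pair, and reports whether the packet would be encapsulated. The address 162.243.0.1 is a placeholder standing in for the anonymised 162.243.XXX.XXX.

```python
import ipaddress
import re

# Constructed sample: the "ip xfrm policy" output for site 1 as posted above,
# with the two per-socket default policies the kernel installs kept at the end.
SITE1_XFRM_POLICY = """\
src 10.248.0.0/16 dst 10.131.0.0/16
   dir out priority 2608
   tmpl src 162.243.XXX.XXX dst 178.62.YYY.YYY
       proto esp reqid 16385 mode tunnel
src 10.131.0.0/16 dst 10.248.0.0/16
   dir fwd priority 2608
   tmpl src 178.62.YYY.YYY dst 162.243.XXX.XXX
       proto esp reqid 16385 mode tunnel
src 10.131.0.0/16 dst 10.248.0.0/16
   dir in priority 2608
   tmpl src 178.62.YYY.YYY dst 162.243.XXX.XXX
       proto esp reqid 16385 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
   socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
   socket in priority 0
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)")
DIR_RE = re.compile(r"^\s+(dir|socket) (\S+) priority (\d+)")
TMPL_RE = re.compile(r"^\s+tmpl src (\S+) dst (\S+)")
MODE_RE = re.compile(r"^\s+proto (\S+) reqid \d+ mode (\S+)")


def parse_xfrm_policy(text):
    """Parse `ip xfrm policy` output into a list of policy dicts.

    Keys: src, dst (ip_network), dir ('in'/'out'/'fwd'), priority (int),
    socket (bool) and tmpl (list of [tunnel_src, tunnel_dst, mode]).
    Socket policies never carry a template, so their tmpl list stays empty.
    """
    policies = []
    current = None
    for line in text.splitlines():
        m = SELECTOR_RE.match(line)
        if m:
            current = {"src": ipaddress.ip_network(m.group(1)),
                       "dst": ipaddress.ip_network(m.group(2)),
                       "dir": None, "priority": None, "socket": False, "tmpl": []}
            policies.append(current)
            continue
        if current is None:
            continue
        m = DIR_RE.match(line)
        if m:
            current["socket"] = m.group(1) == "socket"
            current["dir"] = m.group(2)
            current["priority"] = int(m.group(3))
            continue
        m = TMPL_RE.match(line)
        if m:
            # Tunnel endpoints are kept as strings: they are anonymised on the page.
            current["tmpl"].append([m.group(1), m.group(2), None])
            continue
        m = MODE_RE.match(line)
        if m and current["tmpl"]:
            current["tmpl"][-1][2] = m.group(2)
    return policies


def select_policy(policies, src, dst, direction="out"):
    """Return the non-socket policy the kernel would use for src->dst in the
    given direction (matching selector with the lowest priority value wins),
    or None when no policy matches and the packet is handled in the clear."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    candidates = [p for p in policies
                  if not p["socket"] and p["dir"] == direction
                  and p["src"].version == src.version
                  and src in p["src"] and dst in p["dst"]]
    return min(candidates, key=lambda p: p["priority"]) if candidates else None


def will_be_encapsulated(policies, src, dst):
    """True when an outbound packet src->dst matches a tunnel-mode ESP policy."""
    p = select_policy(policies, src, dst, "out")
    return p is not None and any(mode == "tunnel" for _, _, mode in p["tmpl"])


if __name__ == "__main__":
    pol = parse_xfrm_policy(SITE1_XFRM_POLICY)
    remote = "10.131.250.194"  # site 2 gateway, from the page
    # Sourced from the address the answer sets as leftsourceip: inside 10.248.0.0/16.
    print("from 10.248.248.64:", will_be_encapsulated(pol, "10.248.248.64", remote))
    # Sourced from site 1's eth1 address as shown in its "ip route": outside the selector.
    print("from 10.128.128.64:", will_be_encapsulated(pol, "10.128.128.64", remote))
    # Sourced from the public address (placeholder for 162.243.XXX.XXX), which is what
    # the default route picks when no sourceip is set: leaves unencapsulated.
    print("from 162.243.0.1:", will_be_encapsulated(pol, "162.243.0.1", remote))
```

To run the same check against a live gateway, capture `ip xfrm policy` to a file and pass its contents to `parse_xfrm_policy`; a ping that reports `False` here is one the kernel will route as plain IP, which is the symptom described in the question. Note that the check only covers the selector; a matching policy still needs a corresponding `ip xfrm state` entry (the established SA from the log) for the packet to actually be sent.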

Source: https://serverfault.com/questions/615356