ubuntu – 站点到站点IPsec vpn不通过隧道发送ping

这是我第一次尝试使用站点到站点VPN.我选择使用IPec,因为它似乎是我需要完成的最佳解决方案.我在上周跟踪了几个不同的教程,但收效甚微.现在,当ping相反的子网时,我似乎无法获得成功.我知道我错过了什么,我只是不知道是什么.

我能说的最好,我应该在路线表中看到一些东西.现在,绑定到另一个子网的流量将在没有封装的情况下运行,并被第一个在不可路由的私有IP目标上获取的路由器丢弃.

我已经尝试过向MAStables添加MASQUERADE和RELATED,ESTABLISHED规则,思考可能有所帮助.我结束了这个想法.现在iptables的默认策略是在Ubuntu盒子上的所有链上接受.我会在IPsec工作时调整的东西.

“service ipsec status”的输出

IPsec running  - pluto pid: 1059
pluto pid 1059
1 tunnels up
some eroutes exist@H_404_8@ 
 /etc/ipsec.conf在两个站点
 
  
 version 2 
config setup
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
    protostack=netkey
    force_keepalive=yes
    keep_alive=60
conn site1-site2
    leftsubnets=10.248.248.64/16
    rightsubnet=10.131.250.194/16
    auto=start
    left=162.243.XXX.XXX
    right=178.62.YYY.YYY
    leftid=@site1
    rightid=@site2
    authby=secret
    ike=aes128-sha1;modp1024
    phase2=esp
    phase2alg=aes128-sha1;modp1024
    aggrmode=no
    ikelifetime=8h
    salifetime=1h
    dpddelay=10
    dpdtimeout=40
    dpdaction=restart
    type=tunnel
    forceencaps=yes@H_404_8@ 
 两个站点的“ipsec verify”输出(IP转发在/etc/sysctl.conf中打开)
 
  
 Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                 [OK]
Linux Openswan U2.6.38/K3.13.0-24-generic (netkey)
Checking for IPsec support in kernel                [OK]
 SAref kernel support                       [N/A]
 NETKEY:  Testing XFRM related proc values          [OK]
                                [OK]
                                [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found,checking IP forwarding            [Failed]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [OK]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]@H_404_8@ 
 站点1：/etc/ipsec.secrets
 
  
 # this file is managed with debconf and will contain the automatically created RSA keys
include /var/lib/openswan/ipsec.secrets.inc
162.243.XXX.XXX 178.62.YYY.YYY : PSK “sameRandomString“@H_404_8@ 
 Site1：“ip xfrm policy”的输出
 
  
 src 10.248.0.0/16 dst 10.131.0.0/16 
    dir out priority 2608 
    tmpl src 162.243.XXX.XXX dst 178.62.YYY.YYY
        proto esp reqid 16385 mode tunnel
src 10.131.0.0/16 dst 10.248.0.0/16 
    dir fwd priority 2608 
    tmpl src 178.62.YYY.YYY dst 162.243.XXX.XXX
        proto esp reqid 16385 mode tunnel
src 10.131.0.0/16 dst 10.248.0.0/16 
    dir in priority 2608 
    tmpl src 178.62.YYY.YYY dst 162.243.XXX.XXX
        proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0 
    socket out priority 0 
src ::/0 dst ::/0 
    socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0@H_404_8@ 
 Site1：“ip route”的输出
 
  
 default via 162.243.XXX.1 dev eth0 
10.128.128.0/24 dev eth1  proto kernel  scope link  src 10.128.128.64 
162.243.XXX.0/24 dev eth0  proto kernel  scope link  src 162.243.XXX.XXX@H_404_8@ 
 站点2：/etc/ipsec.secrets
 
  
 # this file is managed with debconf and will contain the automatically created RSA keys
include /var/lib/openswan/ipsec.secrets.inc
178.62.YYY.YYY 162.243.XXX.XXX : PSK “sameRandomString“@H_404_8@ 
 Site2：“ip xfrm policy”的输出
 
  
 src 10.131.0.0/16 dst 10.248.0.0/16 
    dir out priority 2608 
    tmpl src 178.62.YYY.YYY dst 162.243.XXX.XXX
        proto esp reqid 16385 mode tunnel
src 10.248.0.0/16 dst 10.131.0.0/16 
    dir fwd priority 2608 
    tmpl src 162.243.XXX.XXX dst 178.62.YYY.YYY
        proto esp reqid 16385 mode tunnel
src 10.248.0.0/16 dst 10.131.0.0/16 
    dir in priority 2608 
    tmpl src 162.243.XXX.XXX dst 178.62.YYY.YYY
        proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0 
    socket out priority 0 
src ::/0 dst ::/0 
    socket in priority 0 
src ::/0 dst ::/0 
    socket out priority 0 
src ::/0 dst ::/0 
    socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket out priority 0 
src 0.0.0.0/0 dst 0.0.0.0/0 
    socket in priority 0@H_404_8@ 
 Site2：“ip route”的输出
 
  
 default via 178.62.YYY.1 dev eth0 
10.131.0.0/16 dev eth1  proto kernel  scope link  src 10.131.250.194 
178.62.YYY.0/18 dev eth0  proto kernel  scope link  src 178.62.YYY.YYY@H_404_8@ 
 site2上的/var/log/auth.log的一部分
 
  
 Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [Dead Peer Detection]
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=115 
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108,but already using method 115
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106,but already using method 115
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107,but already using method 115
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: responding to Main Mode
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: STATE_MAIN_R1: sent MR1,expecting MI2
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: STATE_MAIN_R2: sent MR2,expecting MI3
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: Main mode peer ID is ID_IPV4_ADDR: '162.243.XXX.XXX'
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: new NAT mapping for #3,was 162.243.XXX.XXX:500,now 162.243.XXX.XXX:4500
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: STATE_MAIN_R3: sent MR3,ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: Dead Peer Detection (RFC 3706): enabled
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: the peer proposed: 10.131.0.0/16:0/0 -> 10.248.0.0/16:0/0
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: responding to Quick Mode proposal {msgid:9e504ac0}
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4:     us: 10.131.0.0/16===178.62.YYY.YYY<178.62.YYY.YYY>
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4:   them: 162.243.XXX.XXX<162.243.XXX.XXX>===10.248.0.0/16
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: keeping refhim=4294901761 during rekey
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: STATE_QUICK_R1: sent QR1,inbound IPsec SA installed,expecting QI2
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: Dead Peer Detection (RFC 3706): enabled
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x5b14c281 <0xd731b1b1 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=162.243.XXX.XXX:4500 DPD=enabled@H_404_8@ 
 任何帮助是极大的赞赏.

对我来说,听起来你正试图让站点到站点的隧道网关通过它们的内部IP地址而不是它们的公共IP地址进行通信.要使用单个隧道执行此操作,您需要配置左侧和右侧内部源地址.见下文…

leftsourceip=10.248.248.64
rightsourceip=10.131.250.194@H_404_8@ 
 添加这些行并重新启动ipsec,然后您可以使用内部网关ping.

ubuntu – 站点到站点IPsec vpn不通过隧道发送ping

猜你在找的Ubuntu相关文章