Strongswan RA and Strongswan site-to-site with ASA

Task: establish communication between remote clients (192.168.79.0/24) connected to the VPN server (on Ubuntu) and the corporate network (10.1.2.0/24) connected to the Cisco ASA.

Architecture: 192.168.79.0/24 <-Strongswan RA-> Ubuntu srv <-Strongswan s2s-> ASA(10.1.2.0/24)

Problem 1. The client does not receive the route from the VPN server, but Strongswan sends it. "Use default gateway on remote network" is unchecked.

    Mar 11 17:41:20 ubuntuSrv charon: 07[IKE] CHILD_SA ASA{1} established with SPIs ccdbd590_i 7cf6b605_o and TS 192.168.79.0/24 === 10.1.2.0/24

Problem 2. Traffic goes from 192.168.79.10 to 10.1.2.85, but not the other way round. I temporarily checked "Use default gateway on remote network", so the client connects to the VPN using the default route.

Ubuntu srv Strongswan configuration

    cat /etc/ipsec.conf
    config setup
        # uniqueids=never
        charondebug="cfg 2, dmn 2, ike 2, net 2"

    conn %default
        keyexchange=ikev2
        ike=aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes128-sha1-modp2048,aes256-sha384-modp409$
        esp=aes128gcm16-ecp256,aes256gcm16-ecp384,aes128-sha256-ecp256,aes256-sha384-ecp384,aes128-sha256-modp2048,aes1$
        dpdaction=clear
        dpddelay=300s
        rekey=no
        left=%any
        leftcert=vpnHostCert.pem
        right=%any
        rightdns=8.8.8.8,8.8.4.4

    conn win7
        keyexchange=ikev2
        auto=add
        rightsourceip=192.168.79.10
        rightid="C=CH, O=strongSwan, CN=win7"
        leftsubnet=10.1.2.0/24

    conn win8
        keyexchange=ikev2
        auto=add
        rightsourceip=192.168.79.11
        rightid="C=CH, O=strongSwan, CN=win8"
        leftsubnet=10.1.2.0/24

    conn ASA
        authby=secret
        keyexchange=ikev1
        ikelifetime=1440m
        keylife=60m
        rekeymargin=3m
        keyingtries=1
        left=1.1.1.78
        leftsubnet=192.168.79.0/24
        leftid=1.1.1.78
        leftfirewall=yes
        right=1.1.1.72
        rightsubnet=10.1.2.0/24
        rightid=1.1.1.72
        auto=start
        ike=aes256-sha1-modp1024
        esp=aes256-sha1-modp1024

Ubuntu ipsec status and route print

    root@ubuntuSrv:/etc/ipsec.d# ipsec status
    Security Associations (2 up, 0 connecting):
            win7[2]: ESTABLISHED 7 minutes ago, 1.1.1.78[C=CH, O=strongSwan, CN=1.1.1.78]...2.2.2.238[C=CH, O=strongSwan, CN=win7]
            win7{2}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c9696f69_i ce82f3bc_o
            win7{2}:   10.1.2.0/24 === 192.168.79.10/32
             ASA[1]: ESTABLISHED 7 minutes ago, 1.1.1.78[1.1.1.78]...1.1.1.72[1.1.1.72]
             ASA{1}:  INSTALLED, TUNNEL, ESP SPIs: ccdbd590_i 7cf6b605_o
             ASA{1}:   192.168.79.0/24 === 10.1.2.0/24
    root@ubuntuSrv:/etc/ipsec.d# route
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    default         1.1.1.1         0.0.0.0         UG    0      0        0 eth0
    1.1.1.0         *               255.255.255.0   U     0      0        0 eth0

ASA crypto ipsec sa

    sh crypto ipsec sa peer 1.1.1.78
    peer address: 1.1.1.78
        Crypto map tag: outside4_map, seq num: 9, local addr: 1.1.1.72

          access-list acl extended permit ip 10.1.2.0 255.255.255.0 192.168.79.0 255.255.255.0
          local ident (addr/mask/prot/port): (10.1.2.0/255.255.255.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.79.0/255.255.255.0/0/0)
          current_peer: 1.1.1.78

          #pkts encaps: 16, #pkts encrypt: 16, #pkts digest: 16
          #pkts decaps: 8, #pkts decrypt: 8, #pkts verify: 8
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 16, #pkts comp failed: 0, #pkts decomp failed: 0

I sent 8 ICMP requests from each side. It looks like the traffic from Ubuntu is being lost.

Update: ubuntu srv receives the packets but does not send anything back.

    tcpdump -pni eth0
    16:51:22.073543 IP 10.1.2.95 > 192.168.79.10: ICMP echo request, id 512, seq 3584, length 40
    16:51:22.073633 IP 10.1.2.95 > 192.168.79.10: ICMP echo request, id 512, seq 3584, length 40
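Before blaming NAT or the kernel, it is worth confirming that the two tunnels' traffic selectors actually cover the hairpinned traffic: a packet decrypted out of the RA tunnel must fall inside the site-to-site policy on its way out, and the reply must fall inside the RA policy on its way back. The script below is an added check, not part of the question or of strongSwan; it takes the selectors straight from the ipsec.conf above (win7's rightsourceip and leftsubnet, ASA's leftsubnet and rightsubnet) and tests the two containment conditions with plain POSIX sh and awk, so it runs anywhere without touching the IPsec stack.

```shell
#!/bin/sh
# Added example (not from the original post). For a remote-access client to reach
# the ASA side through the Ubuntu server, two containment conditions must hold:
#   - the client's pool address lies inside the s2s conn's leftsubnet, and
#   - the RA conn's leftsubnet lies inside the s2s conn's rightsubnet.
# The values used at the bottom are the ones from the ipsec.conf in the question.

# cidr_contains OUTER INNER: exit 0 if every address of INNER lies in OUTER.
# A bare address without /prefix is treated as a /32.
cidr_contains() {
    awk -v outer="$1" -v inner="$2" '
    # dotted quad -> 32-bit integer (awk doubles hold this exactly)
    function toint(ip,    q) {
        split(ip, q, ".")
        return q[1] * 16777216 + q[2] * 65536 + q[3] * 256 + q[4]
    }
    # network address of ip under a prefix length of plen bits
    function network(ip, plen,    blk) {
        blk = 2 ^ (32 - plen)
        return int(toint(ip) / blk) * blk
    }
    BEGIN {
        n = split(outer, oa, "/"); oplen = (n == 2) ? oa[2] + 0 : 32
        n = split(inner, ia, "/"); iplen = (n == 2) ? ia[2] + 0 : 32
        if (iplen < oplen) exit 1      # inner block is wider than outer: cannot fit
        if (network(ia[1], oplen) == network(oa[1], oplen)) exit 0
        exit 1
    }'
}

# check_hairpin RA_POOL_ADDR RA_LEFTSUBNET S2S_LEFTSUBNET S2S_RIGHTSUBNET
# Exit 0 when both conditions hold; otherwise print which one fails and exit 1.
check_hairpin() {
    ra_pool="$1"; ra_left="$2"; s2s_left="$3"; s2s_right="$4"
    status=0
    if ! cidr_contains "$s2s_left" "$ra_pool"; then
        echo "client address $ra_pool is outside s2s leftsubnet $s2s_left" >&2
        status=1
    fi
    if ! cidr_contains "$s2s_right" "$ra_left"; then
        echo "RA leftsubnet $ra_left is outside s2s rightsubnet $s2s_right" >&2
        status=1
    fi
    return $status
}

# Selectors from the question: conn win7 and conn ASA.
if check_hairpin 192.168.79.10 10.1.2.0/24 192.168.79.0/24 10.1.2.0/24; then
    echo "selectors cover both directions; look at forwarding and NAT next"
fi
```

With the posted configuration both checks pass, which is consistent with the `ipsec status` output (win7{2}: 10.1.2.0/24 === 192.168.79.10/32 and ASA{1}: 192.168.79.0/24 === 10.1.2.0/24) and points the search away from the selectors and toward what happens to the decrypted packet inside the server.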

I suspect your problem is not with Strongswan but with your firewall rules. If your Ubuntu box acts as a firewall and you have clients, the NAT rules will try to handle the traffic to your corporate network.

Usually the following NAT rule masquerades Internet traffic:

    Chain POSTROUTING (policy ACCEPT 757K packets, 49M bytes)
     pkts bytes target     prot opt in     out     source               destination
      93M 6869M MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0

However, this also masquerades the VPN traffic. Adding a rule for IPsec traffic before the masquerade rule will fix the problem:

    # POSTROUTING lives in the nat table, so -t nat is required; -I ... 1 inserts
    # the rule at the top so it matches before MASQUERADE (-A would append after it)
    iptables -t nat -I POSTROUTING 1 -o eth1 -m policy --dir out --pol ipsec -j ACCEPT

So iptables -t nat -L -v -n should look like this:

    Chain POSTROUTING (policy ACCEPT 757K packets, 49M bytes)
     pkts bytes target     prot opt in     out     source               destination
      343 16028 ACCEPT      all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
      93M 6869M MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
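The ordering in that listing is the whole point: netfilter walks the nat POSTROUTING chain top to bottom, and a MASQUERADE hit rewrites the source address before the IPsec policy lookup, so an exemption that sits below MASQUERADE never fires. The script below is an added example, not part of the answer or of any iptables tooling: it parses the text of `iptables -t nat -L POSTROUTING -v -n` and reports whether an ACCEPT rule with `policy match dir out pol ipsec` precedes the first MASQUERADE, so it can be run offline against the two constructed listings included (one for a rule appended with -A, one for a rule inserted with -I). The `apply_ipsec_nat_exemption` function holds the corrected command but is never called automatically, since it needs root and a live nat table.

```shell
#!/bin/sh
# Added example, not part of the original answer. Checks the rule ORDER that the
# answer's fix depends on, using only the text of the chain listing, and keeps
# the corrected command in a function that is not run automatically.

# check_ipsec_exempt_order LISTING: exit 0 if an ACCEPT rule carrying
# "policy match dir out pol ipsec" appears before the first MASQUERADE rule,
# 1 otherwise (also 1 when the exemption is missing altogether).
check_ipsec_exempt_order() {
    printf '%s\n' "$1" | awk '
        # $3 is the target column of iptables -L -v -n output
        $3 == "MASQUERADE" && !seen_masq { seen_masq = 1 }
        $3 == "ACCEPT" && /policy match dir out pol ipsec/ && !seen_masq { ok = 1 }
        END { if (ok) exit 0; exit 1 }'
}

# The fix from the answer, stated precisely: -t nat selects the table the chain
# lives in, and -I POSTROUTING 1 puts the rule ahead of MASQUERADE. Needs root.
apply_ipsec_nat_exemption() {
    wan_if="${1:-eth1}"   # interface name is an assumption; eth1 follows the answer
    iptables -t nat -I POSTROUTING 1 -o "$wan_if" -m policy --dir out --pol ipsec -j ACCEPT
}

# Constructed listings (not captured from the poster's server).
# Result of appending with -A: the exemption lands below MASQUERADE and never matches.
LISTING_APPENDED='Chain POSTROUTING (policy ACCEPT 757K packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination
  93M 6869M MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT      all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec'

# Result of inserting with -I: the layout the answer says to aim for.
LISTING_INSERTED='Chain POSTROUTING (policy ACCEPT 757K packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination
  343 16028 ACCEPT      all  --  *      eth1    0.0.0.0/0            0.0.0.0/0            policy match dir out pol ipsec
  93M 6869M MASQUERADE  all  --  *      eth1    0.0.0.0/0            0.0.0.0/0'

report() {
    if check_ipsec_exempt_order "$2"; then
        echo "$1: IPsec traffic is exempted before MASQUERADE"
    else
        echo "$1: IPsec traffic will be masqueraded (exemption missing or too late)"
    fi
}

report LISTING_APPENDED "$LISTING_APPENDED"
report LISTING_INSERTED "$LISTING_INSERTED"
```

On a live box, `check_ipsec_exempt_order "$(iptables -t nat -L POSTROUTING -v -n)"` gives the same verdict for the real chain; a non-zero exit there, together with a tcpdump that shows the decrypted request arriving but no reply leaving, is exactly the symptom described in the question.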