This is my first attempt at a site-to-site VPN. I chose IPsec because it seemed like the best solution for what I need to accomplish. Over the past week I have followed a few different tutorials with some success. Now I can't seem to get a successful ping across to the opposite subnet. I know I'm missing something, I just don't know what.
As best I can tell, I should be seeing something in the route table. Right now, traffic destined for the other subnet is not being encapsulated; instead it is dropped by the first router on the non-routable private IP destination.
I tried adding MASQUERADE and RELATED,ESTABLISHED rules to iptables, thinking that might help. I eventually scrapped that idea. Right now the default iptables policy is ACCEPT on all chains on both Ubuntu boxes. I'll tighten things up once IPsec is working.
IPsec running  - pluto pid: 1059
pluto pid 1059
1 tunnels up
some eroutes exist
version 2

config setup
	dumpdir=/var/run/pluto/
	nat_traversal=yes
	virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v6:fd00::/8,%v6:fe80::/10
	protostack=netkey
	force_keepalive=yes
	keep_alive=60

conn site1-site2
	leftsubnets=10.248.248.64/16
	rightsubnet=10.131.250.194/16
	auto=start
	left=162.243.XXX.XXX
	right=178.62.YYY.YYY
	leftid=@site1
	rightid=@site2
	authby=secret
	ike=aes128-sha1;modp1024
	phase2=esp
	phase2alg=aes128-sha1;modp1024
	aggrmode=no
	ikelifetime=8h
	salifetime=1h
	dpddelay=10
	dpdtimeout=40
	dpdaction=restart
	type=tunnel
	forceencaps=yes
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                             [OK]
Linux Openswan U2.6.38/K3.13.0-24-generic (netkey)
Checking for IPsec support in kernel                        [OK]
 SAref kernel support                                       [N/A]
 NETKEY:  Testing XFRM related proc values                  [OK]
                                                            [OK]
                                                            [OK]
Checking that pluto is running                              [OK]
 Pluto listening for IKE on udp 500                         [OK]
 Pluto listening for NAT-T on udp 4500                      [OK]
Two or more interfaces found, checking IP forwarding        [FAILED]
Checking NAT and MASQUERADEing                              [OK]
Checking for 'ip' command                                   [OK]
Checking /bin/sh is not /bin/dash                           [OK]
Checking for 'iptables' command                             [OK]
Opportunistic Encryption Support                            [DISABLED]
# this file is managed with debconf and will contain the automatically created RSA keys
include /var/lib/openswan/ipsec.secrets.inc

162.243.XXX.XXX 178.62.YYY.YYY : PSK "sameRandomString"
src 10.248.0.0/16 dst 10.131.0.0/16
	dir out priority 2608
	tmpl src 162.243.XXX.XXX dst 178.62.YYY.YYY
		proto esp reqid 16385 mode tunnel
src 10.131.0.0/16 dst 10.248.0.0/16
	dir fwd priority 2608
	tmpl src 178.62.YYY.YYY dst 162.243.XXX.XXX
		proto esp reqid 16385 mode tunnel
src 10.131.0.0/16 dst 10.248.0.0/16
	dir in priority 2608
	tmpl src 178.62.YYY.YYY dst 162.243.XXX.XXX
		proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
default via 162.243.XXX.1 dev eth0
10.128.128.0/24 dev eth1  proto kernel  scope link  src 10.128.128.64
162.243.XXX.0/24 dev eth0  proto kernel  scope link  src 162.243.XXX.XXX
# this file is managed with debconf and will contain the automatically created RSA keys
include /var/lib/openswan/ipsec.secrets.inc

178.62.YYY.YYY 162.243.XXX.XXX : PSK "sameRandomString"
src 10.131.0.0/16 dst 10.248.0.0/16
	dir out priority 2608
	tmpl src 178.62.YYY.YYY dst 162.243.XXX.XXX
		proto esp reqid 16385 mode tunnel
src 10.248.0.0/16 dst 10.131.0.0/16
	dir fwd priority 2608
	tmpl src 162.243.XXX.XXX dst 178.62.YYY.YYY
		proto esp reqid 16385 mode tunnel
src 10.248.0.0/16 dst 10.131.0.0/16
	dir in priority 2608
	tmpl src 162.243.XXX.XXX dst 178.62.YYY.YYY
		proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src ::/0 dst ::/0
	socket out priority 0
src ::/0 dst ::/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
	socket in priority 0
default via 178.62.YYY.1 dev eth0
10.131.0.0/16 dev eth1  proto kernel  scope link  src 10.131.250.194
178.62.YYY.0/18 dev eth0  proto kernel  scope link  src 178.62.YYY.YYY
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [Openswan (this version) 2.6.38 ]
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [Dead Peer Detection]
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [RFC 3947] method set to=115
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 115
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 115
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 115
Jul 24 18:41:14 gb pluto[3365]: packet from 162.243.XXX.XXX:500: received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: responding to Main Mode
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: STATE_MAIN_R1: sent MR1, expecting MI2
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: STATE_MAIN_R2: sent MR2, expecting MI3
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: Main mode peer ID is ID_IPV4_ADDR: '162.243.XXX.XXX'
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: new NAT mapping for #3, was 162.243.XXX.XXX:500, now 162.243.XXX.XXX:4500
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_sha group=modp1024}
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: Dead Peer Detection (RFC 3706): enabled
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #3: the peer proposed: 10.131.0.0/16:0/0 -> 10.248.0.0/16:0/0
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: responding to Quick Mode proposal {msgid:9e504ac0}
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4:     us: 10.131.0.0/16===178.62.YYY.YYY<178.62.YYY.YYY>
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4:   them: 162.243.XXX.XXX<162.243.XXX.XXX>===10.248.0.0/16
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: keeping refhim=4294901761 during rekey
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: Dead Peer Detection (RFC 3706): enabled
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jul 24 18:41:14 gb pluto[3365]: "site1-site2/1x0" #4: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP/NAT=>0x5b14c281 <0xd731b1b1 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=162.243.XXX.XXX:4500 DPD=enabled
Any help is greatly appreciated.
To me it sounds like you're trying to get the site-to-site tunnel gateways to communicate via their internal IP addresses rather than their public IP addresses. To do this over a single tunnel, you need to configure an internal source address for both the left and the right side. See below...
	leftsourceip=10.248.248.64
	rightsourceip=10.131.250.194
Add those lines and restart ipsec, and you should then be able to ping using the internal gateway addresses.
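The following is an added example, not code from the question or the answer above. It checks offline the two things that decide whether a ping from the gateway itself gets encapsulated: whether the source/destination pair actually falls inside an outbound tunnel-mode policy from `ip xfrm policy` (which is what `leftsourceip`/`rightsourceip` change, by giving the gateway a source address inside its own subnet), and which `ipsec verify` checks ended in [FAILED] (the output above reports IP forwarding as failed, which blocks forwarded traffic between the subnets even once the policy matches). The sample policy and verify text are constructed after the site-1 output in the question, with the public addresses left masked as on the page; `parse_xfrm_policy`, `matching_policy`, `explain_ping` and `failed_checks` are names chosen here, not Openswan's. Note that site 1's route table shows eth1 at 10.128.128.64, which is outside the 10.248.0.0/16 selector, so a ping sourced from that address would not match any policy; the example flags exactly that case.

```python
"""Offline sanity checks for an Openswan/netkey site-to-site tunnel.

Added example; parses the shape of `ip xfrm policy` and `ipsec verify`
output shown in the question and reports whether a given packet would be
ESP-encapsulated and which verify checks failed.
"""
import ipaddress
import re

# Constructed sample modelled on the site-1 `ip xfrm policy` output. Only the
# "src ... dst ..." selector lines are parsed as addresses, so the masked
# public addresses in the tmpl lines are fine as-is.
XFRM_POLICY_SITE1 = """\
src 10.248.0.0/16 dst 10.131.0.0/16
    dir out priority 2608
    tmpl src 162.243.XXX.XXX dst 178.62.YYY.YYY
        proto esp reqid 16385 mode tunnel
src 10.131.0.0/16 dst 10.248.0.0/16
    dir fwd priority 2608
    tmpl src 178.62.YYY.YYY dst 162.243.XXX.XXX
        proto esp reqid 16385 mode tunnel
src 10.131.0.0/16 dst 10.248.0.0/16
    dir in priority 2608
    tmpl src 178.62.YYY.YYY dst 162.243.XXX.XXX
        proto esp reqid 16385 mode tunnel
src ::/0 dst ::/0
    socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0
"""

# Constructed sample of the relevant `ipsec verify` lines.
IPSEC_VERIFY_SITE1 = """\
Checking for IPsec support in kernel                        [OK]
Checking that pluto is running                              [OK]
Two or more interfaces found, checking IP forwarding        [FAILED]
Checking NAT and MASQUERADEing                              [OK]
"""

SELECTOR_RE = re.compile(r"^src (\S+) dst (\S+)$")
DIR_RE = re.compile(r"^(dir|socket) (\S+) priority (\d+)$")


def parse_xfrm_policy(text):
    """Return one dict per policy: selector networks, direction, priority, mode."""
    policies, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SELECTOR_RE.match(line)
        if m:  # a new policy starts with its traffic selector
            current = {"src": ipaddress.ip_network(m.group(1)),
                       "dst": ipaddress.ip_network(m.group(2)),
                       "dir": None, "priority": None, "socket": False, "mode": None}
            policies.append(current)
            continue
        m = DIR_RE.match(line)
        if m and current is not None:  # "dir out|in|fwd" or a per-socket policy
            current["socket"] = m.group(1) == "socket"
            current["dir"] = m.group(2)
            current["priority"] = int(m.group(3))
            continue
        if current is not None and line.startswith("proto") and " mode " in line:
            current["mode"] = line.split(" mode ", 1)[1].strip()  # e.g. "tunnel"
    return policies


def matching_policy(policies, src_ip, dst_ip, direction="out"):
    """Non-socket policy in `direction` covering the pair; lowest priority value wins."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    candidates = [p for p in policies
                  if not p["socket"] and p["dir"] == direction
                  and p["src"].version == src.version
                  and src in p["src"] and dst in p["dst"]]
    return min(candidates, key=lambda p: p["priority"]) if candidates else None


def explain_ping(policies, src_ip, dst_ip):
    """Human-readable verdict for an outbound packet from this gateway."""
    p = matching_policy(policies, src_ip, dst_ip, "out")
    if p is None:
        return (f"{src_ip} -> {dst_ip}: no outbound tunnel policy matches; "
                "the packet leaves unencapsulated via the normal route")
    return (f"{src_ip} -> {dst_ip}: matches policy {p['src']} -> {p['dst']} "
            f"({p['mode']} mode, priority {p['priority']}); ESP-encapsulated")


def failed_checks(verify_output):
    """Names of the `ipsec verify` checks that ended in [FAILED]."""
    return [line.rsplit("[", 1)[0].strip()
            for line in verify_output.splitlines()
            if line.rstrip().endswith("[FAILED]")]


if __name__ == "__main__":
    pols = parse_xfrm_policy(XFRM_POLICY_SITE1)
    # Source inside leftsubnet (what leftsourceip provides): policy matches.
    print(explain_ping(pols, "10.248.248.64", "10.131.250.194"))
    # Source is site 1's eth1 address from its route table: outside 10.248.0.0/16.
    print(explain_ping(pols, "10.128.128.64", "10.131.250.194"))
    for name in failed_checks(IPSEC_VERIFY_SITE1):
        print("ipsec verify FAILED:", name)
```

Run it against real output by replacing the two constructed strings with the result of `ip xfrm policy` and `ipsec verify` on the gateway; a "no outbound tunnel policy matches" verdict for the address ping picks means the packet is routed in the clear, which is the symptom described in the question.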