Like in this example, I have a strongSwan tunnel running between two gateways.
moon can ping sun, and vice versa.
But alice cannot ping bob.
/etc/firewall.user
/usr/sbin/iptables -I INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
/usr/sbin/iptables -I FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
/usr/sbin/iptables -I FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
/usr/sbin/iptables -I OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
/usr/sbin/iptables -t nat -I POSTROUTING -m policy --pol ipsec --dir out -j ACCEPT
I don't know what to do.
I'm not an iptables expert, and the LEDE/OpenWrt rules are confusing. There are many alias rules. The ESP rules seem to be fine, otherwise the tunnel couldn't be established correctly, could it?
      Client A                                                    Client B
///////////////////       Gateway A             Gateway B       /////////////////
/                 /   *****************     ***************     /               /
/ 192.168.100.110 /   * 192.168.100.1 * <=> * 192.168.1.1 *     / 192.168.1.200 /
/                 /   *****************     ***************     /               /
///////////////////                                             /////////////////
Client A
https://pastebin.com/qVS9Nquk
root@LEDE:~# ip route list table 220
192.168.1.0/24 dev ipsec0 proto static src 192.168.100.1
Client B
https://pastebin.com/bkaG7s7k
root@Lede:~# ip route list table 220
192.168.100.0/24 dev ipsec0 proto static src 192.168.1.1
Looking at my rules: the first hint, "allow esp before processing (input/output)", is in place before the rest of the processing happens:
Chain INPUT (policy ACCEPT)
num  target  prot opt source    destination
1    ACCEPT  all  --  anywhere  anywhere     policy match dir in pol ipsec proto esp
and
Chain OUTPUT (policy ACCEPT)
num  target  prot opt source    destination
1    ACCEPT  all  --  anywhere  anywhere     policy match dir out pol ipsec proto esp
Right? So INPUT and OUTPUT handle the ESP packets first and accept them.
Now you are saying my FORWARD rules are wrong in any case, regardless of whether dir in / dir out is accepted?
I don't know whether I need strongswan-mod-kernel-libipsec. From what I have read, libipsec should not be used. But not loading this plugin makes the tunnel fail during setup.
iptables-save -c
root@LEDE:~# iptables-save -c
# Generated by iptables-save v1.4.21 on Sun Oct 29 07:02:41 2017
*nat
:PREROUTING ACCEPT [6248:527283]
:INPUT ACCEPT [3903:355245]
:OUTPUT ACCEPT [1157:92992]
:POSTROUTING ACCEPT [78:6018]
:postrouting_lan_rule - [0:0]
:postrouting_rule - [0:0]
:postrouting_vpn_rule - [0:0]
:postrouting_wan_rule - [0:0]
:prerouting_lan_rule - [0:0]
:prerouting_rule - [0:0]
:prerouting_vpn_rule - [0:0]
:prerouting_wan_rule - [0:0]
:zone_lan_postrouting - [0:0]
:zone_lan_prerouting - [0:0]
:zone_vpn_postrouting - [0:0]
:zone_vpn_prerouting - [0:0]
:zone_wan_postrouting - [0:0]
:zone_wan_prerouting - [0:0]
[6248:527283] -A PREROUTING -m comment --comment "!fw3: user chain for prerouting" -j prerouting_rule
[5072:419263] -A PREROUTING -i br-lan -m comment --comment "!fw3" -j zone_lan_prerouting
[1176:108020] -A PREROUTING -i eth0.2 -m comment --comment "!fw3" -j zone_wan_prerouting
[0:0] -A PREROUTING -i tun0 -m comment --comment "!fw3" -j zone_vpn_prerouting
[0:0] -A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
[3424:245233] -A POSTROUTING -m comment --comment "!fw3: user chain for postrouting" -j postrouting_rule
[2:674] -A POSTROUTING -o br-lan -m comment --comment "!fw3" -j zone_lan_postrouting
[3346:239215] -A POSTROUTING -o eth0.2 -m comment --comment "!fw3" -j zone_wan_postrouting
[0:0] -A POSTROUTING -o tun0 -m comment --comment "!fw3" -j zone_vpn_postrouting
[2:674] -A zone_lan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_lan_rule
[0:0] -A zone_lan_postrouting -s 192.168.100.0/24 -d 192.168.100.1/32 -p tcp -m tcp --dport 22 -m comment --comment "!fw3: SSH (reflection)" -j SNAT --to-source 192.168.100.1
[0:0] -A zone_lan_postrouting -s 192.168.100.0/24 -d 192.168.100.110/32 -p tcp -m tcp --dport 4000 -m comment --comment "!fw3: Misc (reflection)" -j SNAT --to-source 192.168.100.1
[0:0] -A zone_lan_postrouting -s 192.168.100.0/24 -d 192.168.100.110/32 -p udp -m udp --dport 4000 -m comment --comment "!fw3: Misc (reflection)" -j SNAT --to-source 192.168.100.1
[5072:419263] -A zone_lan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_lan_rule
[0:0] -A zone_lan_prerouting -s 192.168.100.0/24 -d 37.49.120.76/32 -p tcp -m tcp --dport 2200 -m comment --comment "!fw3: SSH (reflection)" -j DNAT --to-destination 192.168.100.1:22
[0:0] -A zone_lan_prerouting -s 192.168.100.0/24 -d 37.49.120.76/32 -p tcp -m tcp --dport 8000 -m comment --comment "!fw3: Misc (reflection)" -j DNAT --to-destination 192.168.100.110:4000
[0:0] -A zone_lan_prerouting -s 192.168.100.0/24 -d 37.49.120.76/32 -p udp -m udp --dport 8000 -m comment --comment "!fw3: Misc (reflection)" -j DNAT --to-destination 192.168.100.110:4000
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_vpn_rule
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_vpn_rule
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_vpn_rule
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_vpn_postrouting -m comment --comment "!fw3" -j MASQUERADE
[0:0] -A zone_vpn_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_vpn_rule
[0:0] -A zone_vpn_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_vpn_rule
[0:0] -A zone_vpn_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_vpn_rule
[3346:239215] -A zone_wan_postrouting -m comment --comment "!fw3: user chain for postrouting" -j postrouting_wan_rule
[3346:239215] -A zone_wan_postrouting -m comment --comment "!fw3" -j MASQUERADE
[1176:108020] -A zone_wan_prerouting -m comment --comment "!fw3: user chain for prerouting" -j prerouting_wan_rule
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 2200 -m comment --comment "!fw3: SSH" -j DNAT --to-destination 192.168.100.1:22
[0:0] -A zone_wan_prerouting -p tcp -m tcp --dport 8000 -m comment --comment "!fw3: Misc" -j DNAT --to-destination 192.168.100.110:4000
[0:0] -A zone_wan_prerouting -p udp -m udp --dport 8000 -m comment --comment "!fw3: Misc" -j DNAT --to-destination 192.168.100.110:4000
COMMIT
# Completed on Sun Oct 29 07:02:41 2017
# Generated by iptables-save v1.4.21 on Sun Oct 29 07:02:41 2017
*mangle
:PREROUTING ACCEPT [83933:59010388]
:INPUT ACCEPT [12107:2416154]
:FORWARD ACCEPT [71817:56593482]
:OUTPUT ACCEPT [8645:669977]
:POSTROUTING ACCEPT [80462:57263459]
[936:56056] -A FORWARD -o eth0.2 -p tcp -m tcp --tcp-flags SYN,RST SYN -m comment --comment "!fw3: wan (mtu_fix)" -j TCPMSS --clamp-mss-to-pmtu
COMMIT
# Completed on Sun Oct 29 07:02:41 2017
# Generated by iptables-save v1.4.21 on Sun Oct 29 07:02:41 2017
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forwarding_lan_rule - [0:0]
:forwarding_rule - [0:0]
:forwarding_vpn_rule - [0:0]
:forwarding_wan_rule - [0:0]
:input_lan_rule - [0:0]
:input_rule - [0:0]
:input_vpn_rule - [0:0]
:input_wan_rule - [0:0]
:output_lan_rule - [0:0]
:output_rule - [0:0]
:output_vpn_rule - [0:0]
:output_wan_rule - [0:0]
:reject - [0:0]
:syn_flood - [0:0]
:zone_lan_dest_ACCEPT - [0:0]
:zone_lan_forward - [0:0]
:zone_lan_input - [0:0]
:zone_lan_output - [0:0]
:zone_lan_src_ACCEPT - [0:0]
:zone_vpn_dest_ACCEPT - [0:0]
:zone_vpn_dest_REJECT - [0:0]
:zone_vpn_forward - [0:0]
:zone_vpn_input - [0:0]
:zone_vpn_output - [0:0]
:zone_vpn_src_ACCEPT - [0:0]
:zone_wan_dest_ACCEPT - [0:0]
:zone_wan_dest_REJECT - [0:0]
:zone_wan_forward - [0:0]
:zone_wan_input - [0:0]
:zone_wan_output - [0:0]
:zone_wan_src_REJECT - [0:0]
[0:0] -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
[304:24349] -A INPUT -i lo -m comment --comment "!fw3" -j ACCEPT
[11807:2392013] -A INPUT -m comment --comment "!fw3: user chain for input" -j input_rule
[1671:638675] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[955:38932] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m comment --comment "!fw3" -j syn_flood
[7953:1389086] -A INPUT -i br-lan -m comment --comment "!fw3" -j zone_lan_input
[2183:364252] -A INPUT -i eth0.2 -m comment --comment "!fw3" -j zone_wan_input
[0:0] -A INPUT -i tun0 -m comment --comment "!fw3" -j zone_vpn_input
[0:0] -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
[0:0] -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
[71817:56593482] -A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
[69392:56423832] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[2425:169650] -A FORWARD -i br-lan -m comment --comment "!fw3" -j zone_lan_forward
[0:0] -A FORWARD -i eth0.2 -m comment --comment "!fw3" -j zone_wan_forward
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
[0:0] -A FORWARD -m comment --comment "!fw3" -j reject
[0:0] -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT
[304:24349] -A OUTPUT -o lo -m comment --comment "!fw3" -j ACCEPT
[8345:646508] -A OUTPUT -m comment --comment "!fw3: user chain for output" -j output_rule
[7236:557447] -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "!fw3" -j ACCEPT
[3:1007] -A OUTPUT -o br-lan -m comment --comment "!fw3" -j zone_lan_output
[1106:88054] -A OUTPUT -o eth0.2 -m comment --comment "!fw3" -j zone_wan_output
[0:0] -A OUTPUT -o tun0 -m comment --comment "!fw3" -j zone_vpn_output
[1246:50770] -A reject -p tcp -m comment --comment "!fw3" -j REJECT --reject-with tcp-reset
[109:21160] -A reject -m comment --comment "!fw3" -j REJECT --reject-with icmp-port-unreachable
[955:38932] -A syn_flood -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m limit --limit 25/sec --limit-burst 50 -m comment --comment "!fw3" -j RETURN
[0:0] -A syn_flood -m comment --comment "!fw3" -j DROP
[3:1007] -A zone_lan_dest_ACCEPT -o br-lan -m comment --comment "!fw3" -j ACCEPT
[2425:169650] -A zone_lan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_lan_rule
[2425:169650] -A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3: forwarding lan -> vpn" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_lan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_lan_forward -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[7953:1389086] -A zone_lan_input -m comment --comment "!fw3: user chain for input" -j input_lan_rule
[0:0] -A zone_lan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[7953:1389086] -A zone_lan_input -m comment --comment "!fw3" -j zone_lan_src_ACCEPT
[3:1007] -A zone_lan_output -m comment --comment "!fw3: user chain for output" -j output_lan_rule
[3:1007] -A zone_lan_output -m comment --comment "!fw3" -j zone_lan_dest_ACCEPT
[7953:1389086] -A zone_lan_src_ACCEPT -i br-lan -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_dest_ACCEPT -o tun0 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_vpn_rule
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> lan" -j zone_lan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3: forwarding vpn -> wan" -j zone_wan_dest_ACCEPT
[0:0] -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_vpn_forward -m comment --comment "!fw3" -j zone_vpn_dest_REJECT
[0:0] -A zone_vpn_input -m comment --comment "!fw3: user chain for input" -j input_vpn_rule
[0:0] -A zone_vpn_input -m comment --comment "!fw3: user chain for input" -j input_vpn_rule
[0:0] -A zone_vpn_input -m comment --comment "!fw3: user chain for input" -j input_vpn_rule
[0:0] -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
[0:0] -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
[0:0] -A zone_vpn_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[0:0] -A zone_vpn_input -m comment --comment "!fw3" -j zone_vpn_src_ACCEPT
[0:0] -A zone_vpn_output -m comment --comment "!fw3: user chain for output" -j output_vpn_rule
[0:0] -A zone_vpn_output -m comment --comment "!fw3: user chain for output" -j output_vpn_rule
[0:0] -A zone_vpn_output -m comment --comment "!fw3: user chain for output" -j output_vpn_rule
[0:0] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_output -m comment --comment "!fw3" -j zone_vpn_dest_ACCEPT
[0:0] -A zone_vpn_src_ACCEPT -i tun0 -m conntrack --ctstate NEW,UNTRACKED -m comment --comment "!fw3" -j ACCEPT
[3531:257704] -A zone_wan_dest_ACCEPT -o eth0.2 -m comment --comment "!fw3" -j ACCEPT
[0:0] -A zone_wan_dest_REJECT -o eth0.2 -m comment --comment "!fw3" -j reject
[0:0] -A zone_wan_forward -m comment --comment "!fw3: user chain for forwarding" -j forwarding_wan_rule
[0:0] -A zone_wan_forward -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port forwards" -j ACCEPT
[0:0] -A zone_wan_forward -m comment --comment "!fw3" -j zone_wan_dest_REJECT
[2183:364252] -A zone_wan_input -m comment --comment "!fw3: user chain for input" -j input_wan_rule
[820:292000] -A zone_wan_input -p udp -m udp --dport 68 -m comment --comment "!fw3: Allow-DHCP-Renew" -j ACCEPT
[7:230] -A zone_wan_input -p icmp -m icmp --icmp-type 8 -m comment --comment "!fw3: Allow-Ping" -j ACCEPT
[0:0] -A zone_wan_input -p igmp -m comment --comment "!fw3: Allow-IGMP" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 2200 -m comment --comment "!fw3: SSH" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 1194 -m comment --comment "!fw3: Allow-OpenVPN-Inbound" -j ACCEPT
[0:0] -A zone_wan_input -p tcp -m tcp --dport 8000 -m comment --comment "!fw3: Misc" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 8000 -m comment --comment "!fw3: Misc" -j ACCEPT
[0:0] -A zone_wan_input -p esp -m comment --comment "!fw3: @rule[11]" -j ACCEPT
[1:92] -A zone_wan_input -p udp -m udp --dport 500 -m comment --comment "!fw3: @rule[12]" -j ACCEPT
[0:0] -A zone_wan_input -p udp -m udp --dport 4500 -m comment --comment "!fw3: @rule[13]" -j ACCEPT
[0:0] -A zone_wan_input -p ah -m comment --comment "!fw3: @rule[14]" -j ACCEPT
[0:0] -A zone_wan_input -m conntrack --ctstate DNAT -m comment --comment "!fw3: Accept port redirections" -j ACCEPT
[1355:71930] -A zone_wan_input -m comment --comment "!fw3" -j zone_wan_src_REJECT
[1106:88054] -A zone_wan_output -m comment --comment "!fw3: user chain for output" -j output_wan_rule
[1106:88054] -A zone_wan_output -m comment --comment "!fw3" -j zone_wan_dest_ACCEPT
[1355:71930] -A zone_wan_src_REJECT -i eth0.2 -m comment --comment "!fw3" -j reject
COMMIT
# Completed on Sun Oct 29 07:02:41 2017
So far, all the rules are fine.
The problem is the loaded kernel-libipsec plugin. In that case a userland IPsec implementation is used (instead of the kernel itself), and the kernel routing table is not used.
Disabling this module and installing kmod-crypto-gcm for kernel crypto support solved all the problems.
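As an added example (not part of this thread, and not strongSwan's or OpenWrt's own tooling), here is a small POSIX shell script that tells the two situations apart from the same two artefacts posted above: the packet counters that `iptables-save -c` keeps on the `-m policy --pol ipsec` rules, and the routes in table 220. With kernel IPsec (kernel-netlink) those counters climb as soon as alice pings bob and the table 220 routes point at the real outbound interface; with kernel-libipsec the plaintext traffic enters and leaves through the `ipsec0` TUN device, no XFRM policy exists for it, and the policy-match rules stay at zero. The embedded inputs are constructed from the outputs posted above (not live data) and the function names are mine.

```shell
#!/bin/sh
# Added diagnostic, not from the original thread: decide whether IPsec
# traffic on this gateway is handled by the kernel XFRM stack or by
# strongSwan's userland libipsec, from `iptables-save -c` and table 220.

# Constructed sample inputs, modelled on the outputs posted in the thread.
IPTABLES_SAVE='[0:0] -A INPUT -m policy --dir in --pol ipsec --proto esp -j ACCEPT
[0:0] -A FORWARD -m policy --dir out --pol ipsec --proto esp -j ACCEPT
[0:0] -A FORWARD -m policy --dir in --pol ipsec --proto esp -j ACCEPT
[71817:56593482] -A FORWARD -m comment --comment "!fw3: user chain for forwarding" -j forwarding_rule
[0:0] -A FORWARD -i tun0 -m comment --comment "!fw3" -j zone_vpn_forward
[0:0] -A OUTPUT -m policy --dir out --pol ipsec --proto esp -j ACCEPT'

ROUTE_220='192.168.1.0/24 dev ipsec0 proto static src 192.168.100.1'

# policy_hits: read an `iptables-save -c` dump on stdin and sum the packet
# counters of every rule that uses `-m policy ... --pol ipsec`. Only packets
# that the kernel itself decrypted (dir in) or is about to encrypt (dir out)
# match these rules, so a zero total while FORWARD carries traffic means the
# tunnel traffic is not passing through the kernel's XFRM policies.
policy_hits() {
    grep -- '-m policy' | grep -- '--pol ipsec' \
      | sed -n 's/^\[\([0-9]*\):[0-9]*\].*/\1/p' \
      | awk '{ s += $1 } END { print s + 0 }'
}

# uses_libipsec: succeed when any route read on stdin (intended for
# `ip route list table 220`) points at an ipsecN TUN device. Only the
# kernel-libipsec plugin creates that device; kernel-netlink installs the
# table 220 routes on the physical interface (eth0.2 on this box).
uses_libipsec() {
    grep -q ' dev ipsec[0-9]'
}

# diagnose DUMP ROUTES: print one of libipsec / no-ipsec-traffic / kernel-xfrm.
diagnose() {
    dump="$1"; routes="$2"
    hits=$(printf '%s\n' "$dump" | policy_hits)
    if printf '%s\n' "$routes" | uses_libipsec; then
        echo "libipsec"
    elif [ "$hits" -eq 0 ]; then
        echo "no-ipsec-traffic"
    else
        echo "kernel-xfrm"
    fi
}

# Run against the constructed samples; on a real gateway feed it
#   "$(iptables-save -c)" "$(ip route list table 220)" instead.
diagnose "$IPTABLES_SAVE" "$ROUTE_220"
```

On the dump posted above this prints `libipsec`: every `-m policy` rule sits at `[0:0]` while FORWARD as a whole has forwarded tens of thousands of packets, and table 220 routes the remote subnet via `ipsec0`. After switching to kernel IPsec the same check should report `kernel-xfrm` once a ping has crossed the tunnel; `no-ipsec-traffic` with a physical-interface route means the SAs are up but nothing has used them yet, which is the moment to look at the fw3 zone forwarding rather than at the tunnel.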