Unable to install source route – RTNETLINK answers: No such process (IPsec / strongswan)

Basically I'm trying to connect a pfSense to an EdgeRouter via an IPsec site-to-site tunnel.
(public IP networks obfuscated with '1.2')

    [pfsense]  <->  [edgerouter]
    public: 1.2.156.229/30 <-> 1.2.112.249/30
    tunnel: 10.5.44.100/24 <-> 10.20.30.100/24

IPsec settings on both sites:
Phase 1: IKEv2 PSK AES128 SHA1 DH2
Phase 2: ESP AES128 SHA1

The EdgeRouter reaches the Internet through a mesh network (OLSR), so its gateway is normally not on-link, and it changes whenever the mesh network changes. OLSR is designed this way, so in this setup it is not an error that the gateway is not on the same subnet.

The tunnel/connection comes up, but no traffic passes through it, so after raising strongswan's kernel log level on both sites and digging through charon.log, I found a problem on the EdgeRouter when it sets up the route:

charon.log on the EdgeRouter:

    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> getting a local address in traffic selector 10.20.30.0/24
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> using host 10.20.30.100
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> sending RTM_GETROUTE 207: => 52 bytes @ 0x711f80a8
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>    0: 34 00 00 00 1A 00 01 00 CF 00 00 00 6A 6B 00 00  4...........jk..
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   16: 02 00 00 00 00 00 00 00 00 00 00 00 08 00 10 00  ................
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   32: FF FF FF FF 08 00 07 00 4E 29 70 F9 08 00 01 00  ........N)p.....
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   48: C1 EE 9C E5                                      ....
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> received RTM_NEWROUTE 207: => 112 bytes @ 0x604f58
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>    0: 70 00 00 00 18 00 00 00 CF 00 00 00 6A 6B 00 00  p...........jk..
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   16: 02 20 00 00 FE 00 00 01 00 02 00 00 08 00 0F 00  . ..............
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   32: FE 00 00 00 08 00 01 00 C1 EE 9C E5 08 00 04 00  ................
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   48: 0A 00 00 00 08 00 07 00 4E 29 70 F9 08 00 05 00  ........N)p.....
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   64: 4E 29 76 75 08 00 10 00 FF FF FF FF 24 00 0C 00  N)vu........$...
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   80: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   96: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> using 1.2.118.117 as nexthop to reach 1.2.156.229/32
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> 1.2.112.249 is on interface br0
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> installing route: 10.5.44.0/24 via 1.2.118.117 src 10.20.30.100 dev br0
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> getting iface index for br0
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> sending RTM_NEWROUTE 208: => 60 bytes @ 0x711f8090
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>    0: 3C 00 00 00 18 00 05 06 D0 00 00 00 6A 6B 00 00  <...........jk..
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   16: 02 18 00 00 DC 04 00 01 00 00 00 00 08 00 01 00  ................
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   32: 0A 05 2C 00 08 00 07 00 0A 14 1E 64 08 00 05 00  ..,........d....
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   48: 4E 29 76 75 08 00 04 00 0A 00 00 00              N)vu........
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> received (2) 208: => 80 bytes @ 0x604fe8
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>    0: 50 00 00 00 02 00 00 00 D0 00 00 00 6A 6B 00 00  P...........jk..
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   16: FD FF FF FF 3C 00 00 00 18 00 05 06 D0 00 00 00  ....<...........
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   32: 6A 6B 00 00 02 18 00 00 DC 04 00 01 00 00 00 00  jk..............
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   48: 08 00 01 00 0A 05 2C 00 08 00 07 00 0A 14 1E 64  ......,........d
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1>   64: 08 00 05 00 4E 29 76 75 08 00 04 00 0A 00 00 00  ....N)vu........
    Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> unable to install source route for 10.20.30.100
    Mar 4 23:27:27 12[IKE] <peer-1.2.156.229-tunnel-1|1> CHILD_SA peer-1.2.156.229-tunnel-1{2} established with SPIs c042bc69_i c46929b0_o and TS 10.20.30.0/24 === 10.5.44.0/24
    Mar 4 23:27:40 11[KNL] creating roam job due to route change
    Mar 4 23:27:40 11[KNL] <peer-1.2.156.229-tunnel-1|1> sending RTM_GETROUTE 209: => 52 bytes @ 0x719f8888

I tried to reproduce the error to understand what goes wrong.

    #
    # reproduce error:
    # ip route add 10.5.44.0/24 via 1.2.118.117 src 10.20.30.100 dev br1
    RTNETLINK answers: No such process
    #
    # check default route and local ip address:
    # ip route show | grep 0.0.0.0
    0.0.0.0/1 via 1.2.118.117 dev br0 metric 2 onlink
    # ip -f inet address show br0
    10: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
        inet 1.2.112.249/30 brd 1.2.112.251 scope global br0
    # ip -f inet address show br1
    11: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1462 qdisc noqueue state UP group default
        inet 10.20.30.100/24 brd 10.20.30.255 scope global br1
    #
    # try to narrow down the problem
    # ip route add 10.5.44.0/24 via 1.2.118.117 src 10.20.30.100 dev br1
    RTNETLINK answers: No such process
    # ip route add 10.5.44.0/24 src 10.20.30.100 dev br1
    # ip route change 10.5.44.0/24 via 1.2.118.117 src 10.20.30.100 dev br1
    RTNETLINK answers: No such process

Now I don't understand what rtnetlink is missing, or what is wrong with the gateway?

Searching for strongswan or rtnetlink errors doesn't give any specific answer, only general explanations I already understand. My next guess is that I missed something when setting up this tunnel? The EdgeRouter has one bridge interface (br0) with the public IP for Internet access, and a second bridge interface (br1) with a local IP for the management network.

I also looked at this article describing IPsec on the EdgeRouter, and my configuration is almost the same, except for using bridge interfaces and IKEv2 (instead of IKEv1).

Digging deeper only got me as far as being able to trigger 'RTNETLINK answers: No such process' when adding the route, and now I have no idea what is wrong.

Solved it.

Because the route the strongswan daemon wants to install:

    ip route add 10.5.44.0/24 via 1.2.118.117 src 10.20.30.100 dev br0

didn't work at all (the gateway being on a different subnet on Linux), I set up the following two routes on the EdgeRouter:

    ip route add 10.5.44.101 dev br1
    ip route add 10.5.44.0/24 via 10.5.44.101 dev br1

10.5.44.101 is the inner remote end of the IPsec tunnel. Interface br1 has to be used, because the tunnel works together with the defined local network.

Cheers
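As an added diagnostic example (not part of the original question or answer, and not strongSwan code): a Python script that pulls the `installing route:` line out of charon.log and the addresses out of `ip -f inet address show`, then checks whether the nexthop is on-link on the chosen device and whether the `src` address belongs to that device. The sample inputs are constructed from the values quoted above; the function names are my own.

```python
import ipaddress
import re

# Constructed sample (values from the question): the charon.log line in which
# strongSwan announces the route it is about to install, and its failure line.
CHARON_LOG = """\
Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> installing route: 10.5.44.0/24 via 1.2.118.117 src 10.20.30.100 dev br0
Mar 4 23:27:27 12[KNL] <peer-1.2.156.229-tunnel-1|1> unable to install source route for 10.20.30.100
"""

# Constructed sample: `ip -f inet address show` output for the two bridges.
IP_ADDR_OUTPUT = """\
10: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    inet 1.2.112.249/30 brd 1.2.112.251 scope global br0
11: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1462 qdisc noqueue state UP group default
    inet 10.20.30.100/24 brd 10.20.30.255 scope global br1
"""

ROUTE_RE = re.compile(r"installing route: (\S+) via (\S+) src (\S+) dev (\S+)")
ADDR_RE = re.compile(r"^\s*inet (\S+) .*scope \S+ (\S+)$", re.M)

def parse_interfaces(ip_addr_output):
    """Map interface name -> list of its configured IPv4 addresses (with prefix)."""
    ifaces = {}
    for cidr, dev in ADDR_RE.findall(ip_addr_output):
        ifaces.setdefault(dev, []).append(ipaddress.ip_interface(cidr))
    return ifaces

def parse_routes(log):
    """Return (dst, gateway, src, dev) for every route strongSwan tried to install."""
    return [m.groups() for m in ROUTE_RE.finditer(log)]

def diagnose(route, ifaces):
    """Check what `ip route add DST via GW src SRC dev DEV` relies on: GW on-link on
    DEV (else a host route for GW is needed first, as in the answer) and SRC owned here."""
    dst, gw, src, dev = route
    gw_ip, src_ip = ipaddress.ip_address(gw), ipaddress.ip_address(src)
    on_dev = ifaces.get(dev, [])
    everywhere = [a for addrs in ifaces.values() for a in addrs]
    return {
        "dst": dst,
        "gateway_onlink": any(gw_ip in a.network for a in on_dev),
        "src_is_local": any(src_ip == a.ip for a in everywhere),
        "src_on_dev": any(src_ip == a.ip for a in on_dev),
    }

def explain(log, ip_addr_output):
    ifaces = parse_interfaces(ip_addr_output)
    return [diagnose(r, ifaces) for r in parse_routes(log)]
```

For the log above it reports the nexthop 1.2.118.117 as off-link on br0 and the source 10.20.30.100 as owned by br1 rather than br0, which is the situation the two manual routes in the answer work around.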