I have a LAN-to-LAN VPN tunnel between a Cisco CSR router and Strongswan. On Strongswan I see:
[root@ip-172-31-20-224 log]# strongswan status
Security Associations (1 up, 0 connecting):
tenant-13[2]: ESTABLISHED 66 minutes ago, 172.31.20.224[local_public_ip]...remote_public_ip[remote_public_ip]
tenant-13{3}: INSTALLED, TRANSPORT, reqid 1, ESP in UDP SPIs: cdf35340_i cb506e65_o
tenant-13{3}: 172.31.20.224/32 === remote_public_ip/32
tenant-13{147}: INSTALLED, TUNNEL, reqid 3, ESP in UDP SPIs: ca2c0328_i 0295d7bf_o
tenant-13{147}: 0.0.0.0/0 === 0.0.0.0/0
My IPsec SA allows 0/0 -> 0/0, so everything looks fine.
I do receive the encrypted packets on Strongswan, and they are decrypted correctly, e.g. we can see the UDP packets arriving (correctly decrypted) on the virtual VTI interface:
[root@ip-172-31-20-224 log]# tcpdump -i vti13 -n udp port 3000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vti13, link-type RAW (Raw IP), capture size 262144 bytes
11:19:57.834374 IP 192.168.1.116.54545 > X.X.X.X.hbci: UDP, length 340
Now X.X.X.X is a public IP address, and these packets should be forwarded (sent out via eth0 using the default route), but I don't see them when looking with tcpdump:
[root@ip-172-31-20-224 log]# tcpdump -i eth0 -n host X.X.X.X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
^C
0 packets captured
I have only one physical interface (eth0, used for the IPsec transport and the default route) plus one virtual interface (for the decrypted traffic), so the decrypted traffic should be sent back out through the same eth0 interface:
[root@ip-172-31-20-224 log]# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc mq state UP group default qlen 1000
link/ether 02:ab:39:97:b0:7e brd ff:ff:ff:ff:ff:ff
inet 172.31.20.224/20 brd 172.31.31.255 scope global dynamic eth0
valid_lft 2673sec preferred_lft 2673sec
inet6 fe80::ab:39ff:fe97:b07e/64 scope link
valid_lft forever preferred_lft forever
3: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
9: vti13@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN group default qlen 1000
link/ipip 172.31.20.224 peer 89.68.162.135
inet 1.0.0.2/30 scope global vti13
valid_lft forever preferred_lft forever
inet6 fe80::5efe:ac1f:14e0/64 scope link
valid_lft forever preferred_lft forever
I have confirmed:
1. Routing is enabled
2. The policy check is disabled (sysctl -w net.ipv4.conf.default.rp_filter=0 and sysctl -w net.ipv4.conf.vti13.disable_policy=1)
3. iptables INPUT, OUTPUT and FORWARD are empty, but I also added specific rules and see 0 hits:
[root@ip-172-31-20-224 log]# iptables -I INPUT -i vti13 -j ACCEPT
[root@ip-172-31-20-224 log]# iptables -I FORWARD -i vti13 -j ACCEPT
[root@ip-172-31-20-224 log]# iptables -L -v -n
Chain INPUT (policy ACCEPT 9 packets, 1164 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- vti13 * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- vti13 * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 6 packets, 776 bytes)
pkts bytes target prot opt in out source destination
I added entries in PREROUTING and POSTROUTING just to check whether the packets show up there, and confirmed that I only see them in PREROUTING (so the packets really are not being routed):
[root@ip-172-31-20-224 log]# iptables -L -v -n -t nat
Chain PREROUTING (policy ACCEPT 2 packets, 184 bytes)
pkts bytes target prot opt in out source destination
19192 25M DNAT udp -- vti13 * 0.0.0.0/0 0.0.0.0/0 udp dpt:3000 to:X.X.X.X:3000
I tried looking through syslog (with kernel logging enabled) but didn't find anything interesting.
What is the problem? Why does my Linux box not forward these packets?
Thank you,
1 Answer
OK, found the solution: per https://docs.strongswan.org/docs/5.9/features/routeBasedVpn.html, charon.install_routes must be disabled.
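As an added diagnostic (not code from the post or from strongSwan), a POSIX shell function that checks the four conditions this thread ends up with: the three the asker verified by hand and the install_routes setting from the answer. The prefix argument and the config path are assumptions so the check can be pointed at a test tree; the default path /etc/strongswan.d/charon.conf is one common location, not something the post states.

```shell
#!/bin/sh
# Added diagnostic (not from the original post or strongSwan).
#   $1  prefix prepended to /proc and /etc (empty = live system)
#   $2  VTI interface name (default vti13, as in the post)
#   $3  strongSwan config file holding the charon section (assumed path)
# Prints one line per failing check; returns the number of failures.
vti_forwarding_check() {
    root="${1:-}"
    ifname="${2:-vti13}"
    conf="${3:-$root/etc/strongswan.d/charon.conf}"
    sys="$root/proc/sys/net/ipv4"
    fails=0

    # Read a sysctl through its /proc file; "missing" if absent.
    val() { cat "$1" 2>/dev/null || echo missing; }

    # 1. IP forwarding must be on, or nothing is routed back out via eth0.
    if [ "$(val "$sys/ip_forward")" != 1 ]; then
        echo "FAIL: net.ipv4.ip_forward is not 1"; fails=$((fails + 1))
    fi

    # 2. Reverse-path filter: the kernel applies the max of conf/all and
    #    conf/<if>, so both must be 0 for the decrypted packets (source
    #    192.168.1.x, not routed via the VTI) to pass.
    for scope in all "$ifname"; do
        if [ "$(val "$sys/conf/$scope/rp_filter")" != 0 ]; then
            echo "FAIL: net.ipv4.conf.$scope.rp_filter is not 0"; fails=$((fails + 1))
        fi
    done

    # 3. disable_policy=1 on the VTI skips the XFRM policy check on
    #    packets that have already been decrypted.
    if [ "$(val "$sys/conf/$ifname/disable_policy")" != 1 ]; then
        echo "FAIL: net.ipv4.conf.$ifname.disable_policy is not 1"; fails=$((fails + 1))
    fi

    # 4. The answer's fix: charon must not install its own routes (its
    #    routing table 220 is consulted before main) for the 0.0.0.0/0
    #    traffic selector; strongSwan requires this for route-based VPNs.
    if ! grep -Eq '^[[:space:]]*install_routes[[:space:]]*=[[:space:]]*no' "$conf" 2>/dev/null; then
        echo "FAIL: install_routes = no not found in $conf"; fails=$((fails + 1))
    fi

    return "$fails"
}
```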