Strongswan ipsec ikev2 RAS client masquerading

I have a VPS in Sweden and want to set up an IKEv2 RAS connection. The connection gets established and a valid SA is created.

Now I want to masquerade the traffic for 0.0.0.0/0 through the wan interface. I tried (as usual)

# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -j MASQUERADE

But it seems the traffic is not actually being masqueraded, because the packets never reach their destination.

Output of tcpdump:

# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:25:50.153272 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:50.153328 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:51.154079 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:51.154126 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:52.050239 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.050837 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.168143 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
16:25:52.168188 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64

The problem seems to be the interface type. I'm stuck on an OpenVZ VM and there is no default route.

# ip route show
default dev venet0  scope link

Output of ipsec statusall:

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 2.6.32-042stab127.2, x86_64):
  uptime: 2 minutes, since Apr 28 16:19:45 2018
  malloc: sbrk 1466368, mmap 0, used 348064, free 1118304
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
  10.9.0.110/16: 145/1/0
Listening IP addresses:
  XXX.XXX.XXX.XXX
  XXXX:XXXX:XXXX::XXXX
Connections:
     rw-test:  %any...%any  IKEv2
     rw-test:   local:  [sweden] uses pre-shared key authentication
     rw-test:   remote: [testuser@sweden] uses pre-shared key authentication
     rw-test:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
     rw-test[1]: ESTABLISHED 2 minutes ago, XXX.XXX.XXX.XXX[sweden]...XXX.XXX.XXX.XXX[testuser@sweden]
     rw-test[1]: IKEv2 SPIs: 8f084b68e20909d1_i 94a565274cecd493_r*, pre-shared key reauthentication in 53 minutes
     rw-test[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     rw-test{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc5c3401_i 1e30ba5a_o
     rw-test{1}:  AES_CBC_256/HMAC_SHA1_96, 336 bytes_i (4 pkts, 24s ago), 0 bytes_o, rekeying in 12 minutes
     rw-test{1}:   0.0.0.0/0 === 10.9.0.110/32

This is my ipsec.conf:

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        charondebug="ike 4, knl 4, cfg 4"

conn %default
        compress=no
        type=tunnel
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        ike=aes256-sha1-modp2048,3des-sha1-modp1024!
        esp=aes256-sha1,3des-sha1!
        left=%any
        leftsubnet=0.0.0.0/0
        leftid=@sweden
        leftfirewall=yes
        rightdns=8.8.8.8,8.8.4.4
        authby=secret



conn rw-test
        right=%any
        rightid=testuser@sweden
        rightsourceip=10.9.0.110/16
        auto=add

Does anyone know how to handle this?
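As an added diagnostic example (not code from the question or from strongSwan), this Python script parses tcpdump lines like the ones quoted above, pairs each echo request by ICMP id/seq, and reports whether the masqueraded copy of each request and a matching reply were seen. The embedded capture is constructed from the question's output, and the 10.9.0. pool prefix is taken from its rightsourceip setting.

```python
import re
from collections import defaultdict

# Constructed sample: echo requests copied from the tcpdump output in the question
# (the public address is masked as XXX.XXX.XXX.XXX exactly as in the post).
SAMPLE_CAPTURE = """\
16:25:50.153272 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:50.153328 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:51.154079 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:51.154126 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:52.050239 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.050837 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
"""

# tcpdump's default ICMP echo line format: "<ts> IP <src> > <dst>: ICMP echo request|reply, id N, seq N, ..."
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>[^:]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def analyze_capture(text, vpn_pool="10.9.0."):
    """Group ICMP lines by (id, seq). For each flow record whether the request was seen
    with its inner (VPN pool) source, with a translated source, and whether a reply came back."""
    flows = defaultdict(lambda: {"inner_seen": False, "translated_seen": False, "reply": False})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flow = flows[(int(m["id"]), int(m["seq"]))]
        if m["kind"] == "reply":
            flow["reply"] = True
        elif m["src"].startswith(vpn_pool):
            flow["inner_seen"] = True       # packet as decrypted from the IPsec tunnel
        else:
            flow["translated_seen"] = True  # same packet after the MASQUERADE rule rewrote its source
    return {
        "flows": dict(flows),
        "requests": len(flows),
        "translated": sum(f["translated_seen"] for f in flows.values()),
        "unanswered": sum(not f["reply"] for f in flows.values()),
    }

if __name__ == "__main__":
    s = analyze_capture(SAMPLE_CAPTURE)
    print(f"{s['requests']} echo requests, {s['translated']} masqueraded, {s['unanswered']} without reply")
```

A flow that shows translated_seen but no reply means the source rewrite happened on the way out and the problem is upstream of the NAT rule (routing or return path), not the MASQUERADE itself.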