스웨덴에 VPS가 있고 IKEv2 RAS 연결을 설정하고 싶습니다. 연결이 설정되고 유효한 SA가 생성됩니다.
이제 wan 인터페이스를 통해 0.0.0.0/0의 트래픽을 위장하고 싶습니다. 나는 (평소처럼) 노력했다
# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -j MASQUERADE
그러나 패킷이 목적지에 도달하지 않기 때문에 트래픽이 실제로 위장되지 않은 것 같습니다.
tcpdump의 출력:
# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:25:50.153272 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:50.153328 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:51.154079 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:51.154126 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:52.050239 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.050837 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.168143 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
16:25:52.168188 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
문제는 인터페이스 유형인 것 같습니다. OpenVZ VM에 갇혀 있고 기본 경로가 없습니다.
# ip route show
default dev venet0 scope link
ipsec statusall의 출력
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 2.6.32-042stab127.2, x86_64):
uptime: 2 minutes, since Apr 28 16:19:45 2018
malloc: sbrk 1466368, mmap 0, used 348064, free 1118304
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
10.9.0.110/16: 145/1/0
Listening IP addresses:
XXX.XXX.XXX.XXX
XXXX:XXXX:XXXX::XXXX
Connections:
rw-test: %any...%any IKEv2
rw-test: local: [sweden] uses pre-shared key authentication
rw-test: remote: [testuser@sweden] uses pre-shared key authentication
rw-test: child: 0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
rw-test[1]: ESTABLISHED 2 minutes ago, XXX.XXX.XXX.XXX[sweden]...XXX.XXX.XXX.XXX[testuser@sweden]
rw-test[1]: IKEv2 SPIs: 8f084b68e20909d1_i 94a565274cecd493_r*, pre-shared key reauthentication in 53 minutes
rw-test[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
rw-test{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc5c3401_i 1e30ba5a_o
rw-test{1}: AES_CBC_256/HMAC_SHA1_96, 336 bytes_i (4 pkts, 24s ago), 0 bytes_o, rekeying in 12 minutes
rw-test{1}: 0.0.0.0/0 === 10.9.0.110/32
이것은 내 ipsec.conf입니다.
# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup
charondebug="ike 4, knl 4, cfg 4"
conn %default
compress=no
type=tunnel
ikelifetime=60m
keylife=20m
rekeymargin=3m
keyingtries=1
keyexchange=ikev2
ike=aes256-sha1-modp2048,3des-sha1-modp1024!
esp=aes256-sha1,3des-sha1!
left=%any
leftsubnet=0.0.0.0/0
leftid=@sweden
leftfirewall=yes
rightdns=8.8.8.8,8.8.4.4
authby=secret
conn rw-test
right=%any
rightid=testuser@sweden
rightsourceip=10.9.0.110/16
auto=add
이 문제를 처리하는 방법을 아는 사람이 있나요?