I configured an IKEv2 road-warrior VPN server on CentOS 8 using the strongSwan package, and it works properly. When a client connects, it uses the remote site's internet for browsing. How can I allow the client to use the internet? Below are my iptables and firewall rules.
iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N LIBVIRT_INP
-N LIBVIRT_OUT
-N LIBVIRT_FWO
-N LIBVIRT_FWI
-N LIBVIRT_FWX
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -j LIBVIRT_INP
iptables -S OUTPUT
-P OUTPUT ACCEPT
-A OUTPUT -j LIBVIRT_OUT
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
LIBVIRT_INP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
LIBVIRT_FWX all -- anywhere anywhere
LIBVIRT_FWI all -- anywhere anywhere
LIBVIRT_FWO all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
LIBVIRT_OUT all -- anywhere anywhere
Chain LIBVIRT_INP (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
Chain LIBVIRT_OUT (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootpc
ACCEPT tcp -- anywhere anywhere tcp dpt:bootpc
Chain LIBVIRT_FWO (1 references)
target prot opt source destination
ACCEPT all -- 192.168.122.0/24 anywhere
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain LIBVIRT_FWI (1 references)
target prot opt source destination
ACCEPT all -- anywhere 192.168.122.0/24 ctstate RELATED,ESTABLISHED
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain LIBVIRT_FWX (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eno1 enp0s20f0u14
sources:
services: cockpit dhcpv6-client http https ipsec openvpn ssh
ports: 500/udp 4500/udp
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule protocol value="esp" accept
rule protocol value="ah" accept
iptables-save
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*nat
:PREROUTING ACCEPT [27115:3345403]
:INPUT ACCEPT [69:9680]
:POSTROUTING ACCEPT [3405:252395]
:OUTPUT ACCEPT [214:16188]
:LIBVIRT_PRT - [0:0]
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*filter
:INPUT ACCEPT [65756:14700930]
:FORWARD ACCEPT [78940:39400265]
:OUTPUT ACCEPT [48913:35869992]
:LIBVIRT_INP - [0:0]
:LIBVIRT_OUT - [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWX - [0:0]
-A INPUT -j LIBVIRT_INP
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A OUTPUT -j LIBVIRT_OUT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
-A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
-A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*security
:INPUT ACCEPT [47156:11962633]
:FORWARD ACCEPT [78894:39398425]
:OUTPUT ACCEPT [48920:35871732]
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*raw
:PREROUTING ACCEPT [150103:54480128]
:OUTPUT ACCEPT [48922:35872348]
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
# Generated by iptables-save v1.8.4 on Sun Mar 28 12:39:48 2021
*mangle
:PREROUTING ACCEPT [150103:54480128]
:INPUT ACCEPT [65757:14700982]
:FORWARD ACCEPT [78940:39400265]
:OUTPUT ACCEPT [48923:35872484]
:POSTROUTING ACCEPT [127964:75288423]
:LIBVIRT_PRT - [0:0]
-A POSTROUTING -j LIBVIRT_PRT
-A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
COMMIT
# Completed on Sun Mar 28 12:39:48 2021
Answer 1
Use split tunneling: set the route to 0.0.0.0 to go through the local network, and set the route to the office network (10.0.0.0?) to go through the VPN.
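As an added example (not part of the original question or answer), the server-side counterpart of the split-tunnel routing the answer describes: in strongSwan the `leftsubnet` of the road-warrior connection is the traffic selector offered to clients, so narrowing it from `0.0.0.0/0` to the office network makes a client send only office-bound traffic through the tunnel and everything else through its own local gateway. The office prefix `10.0.0.0/8`, the client address pool `10.10.10.0/24`, the server identity and the certificate name are assumptions; none of them appear on the page.

```conf
# /etc/strongswan/ipsec.conf  (path used by the CentOS 8 EPEL package)
# Added example, not the asker's configuration.
config setup
    uniqueids=never

conn ikev2-rw
    auto=add
    keyexchange=ikev2
    left=%any
    leftid=@vpn.example.com            # assumed server identity
    leftcert=server.crt                # assumed certificate name
    leftsendcert=always
    # Full tunnel (the behaviour described in the question: clients browse
    # through the remote site's internet):
    #leftsubnet=0.0.0.0/0
    # Split tunnel: only the office network is offered as a traffic selector,
    # so the client routes everything else via its own local gateway.
    leftsubnet=10.0.0.0/8              # assumed office network
    right=%any
    rightsourceip=10.10.10.0/24        # assumed client address pool
    rightauth=eap-mschapv2
    eap_identity=%identity
```

After `ipsec reload` and a client reconnect, `ipsec statusall` should show the CHILD_SA as `10.10.10.x/32 === 10.0.0.0/8` rather than `=== 0.0.0.0/0`. Clients that install a default route through the tunnel regardless of the narrowed selector still need the client-side routes the answer describes. Note that with split tunneling the client's internet traffic no longer passes the site's gateway, and since the rules above leave the FORWARD policy at ACCEPT with masquerading enabled, it is worth adding a FORWARD rule that only permits traffic from the VPN pool to the office network so the tunnel cannot be used to reach anything else.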