I followed the implementation guide for using the same network on both sides (https://www.strongswan.org/testing/testresults/ikev2/net2net-same-nets/). Below is my configuration. Since packets are not going through the VPN, I think something is wrong with my iptables or updown configuration (or I'm misunderstanding something).
Note: I've tried to clean up the output.
vpn-to-server {
    ....
    remote_addrs=16.16.16.65
    local_addrs=16.9.4.35
    children {
        vpn-to-server {
            ....
            local_ts=172.168.48.0/24
            remote_ts=16.16.65.0/24
            dpd_action=restart
            mark_in = 8
            set_mark_in = %same
            mark_out = 4
            updown = /usr/lib/ipsec/_updown
        }
The VPN tunnel is up
root@vpn-server:/etc/iptables# swanctl -l
vpn-to-server: #31, ESTABLISHED, IKEv2, 9ff137d4cdd8f543_i* d24cbee7dd1a3ddb_r
local '16.9.4.35' @ 16.9.4.35[4500]
remote '16.16.16.65' @ 16.16.16.65[4500]
AES_CBC-256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
established 2030s ago, rekeying in 25633s
vpn-to-server: #13101, reqid 50, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_384_192
installed 2157s ago, rekeying in 1443s, expires in 1443s
in c3dedc5f (0x00000008), 0 bytes, 0 packets
out e7cfcfac (0x00000004), 0 bytes, 0 packets
local 172.168.48.0/24
remote 16.16.65.0/24
Packet trace for a ping (from bob to alice) (the second line and the last line below go out on a non-IPsec interface)
root@vpn-server:/etc/iptables# dmesg -c
TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122
TRACE: mangle:PREROUTING:rule:1 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122
TRACE: mangle:PREROUTING:policy:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122 MARK=0x4
TRACE: nat:PREROUTING:rule:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122 MARK=0x4
TRACE: mangle:FORWARD:policy:1 IN=eth1 OUT=eth0 MAC=MAC SRC=10.108.0.3 DST=16.16.65.197 ID=23122 MARK=0x4
TRACE: filter:FORWARD:rule:1 IN=eth1 OUT=eth0 MAC=MAC SRC=10.108.0.3 DST=16.16.65.197 ID=23122 MARK=0x4
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=10.108.0.3 DST=16.16.65.197 ID=23122 MARK=0x4
TRACE: nat:POSTROUTING:rule:2 IN= OUT=eth0 SRC=10.108.0.3 DST=16.16.65.197 ID=23122 MARK=0x4
iptables output
root@vpn-server:/etc/iptables# iptables -L --line-numbers -t nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 NETMAP all -- anywhere 172.16.48.0/24 mark match 0x8 to:10.108.0.0/24
2 NETMAP all -- anywhere 172.16.51.0/24 mark match 0x4 to:16.16.65.0/24
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 NETMAP all -- 16.16.65.0/24 anywhere mark match 0x8 to:172.16.51.0/24
2 NETMAP all -- 10.108.0.0/24 anywhere mark match 0x4 to:172.16.48.0/24
3 ACCEPT all -- anywhere anywhere policy match dir out pol ipsec
4 MASQUERADE all -- 10.108.0.0/20 anywhere
5 MASQUERADE tcp -- 10.108.0.0/20 !10.108.0.0/20 masq ports: 1024-65535
6 MASQUERADE udp -- 10.108.0.0/20 !10.108.0.0/20 masq ports: 1024-65535
root@vpn-server:/etc/iptables# iptables -L --line-numbers -t filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 f2b-sshd tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere mark match 0x4
2 ACCEPT all -- anywhere anywhere mark match 0x8
3 ACCEPT all -- xxxxxxxx 10.108.0.0/20 policy match dir out pol ipsec proto esp
4 ACCEPT all -- xxxxxxxxx 10.108.0.0/16 policy match dir out pol ipsec proto esp
5 ACCEPT all -- 10.108.0.0/20 anywhere
6 ACCEPT all -- anywhere 10.108.0.0/20 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
root@vpn-server:/etc/iptables# iptables -L --line-numbers -t mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 MARK all -- 10.108.0.0/24 172.16.51.0/24 MARK set 0x4
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
root@vpn-server:/etc/iptables# iptables -L --line-numbers -t raw
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 TRACE icmp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 TRACE icmp -- anywhere anywhere
root@vpn-server:/etc/iptables#
Counters
root@vpn-server:/etc/iptables# iptables -L -v
Chain INPUT (policy ACCEPT 281 packets, 20288 bytes)
pkts bytes target prot opt in out source destination
80022 11M f2b-sshd tcp -- any any anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
17 1284 ACCEPT all -- any eth0 anywhere anywhere mark match 0x4
0 0 ACCEPT all -- eth0 any anywhere anywhere mark match 0x8
0 0 ACCEPT all -- any eth0 xxxxxxx/23 10.108.0.0/20 policy match dir out pol ipsec proto esp
0 0 ACCEPT all -- any eth0 xxxxxxxxx 10.108.0.0/16 policy match dir out pol ipsec proto esp
104K 8108K ACCEPT all -- eth1 any 10.108.0.0/20 anywhere
49043 3738K ACCEPT all -- any eth1 anywhere 10.108.0.0/20 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 any 10.108.0.0/20 xxxxxxxxx policy match dir in pol ipsec proto esp
0 0 ACCEPT all -- any eth0 xxxxxxx 10.108.0.0/16 policy match dir out pol ipsec proto esp
0 0 ACCEPT all -- any eth0 192.168.22.0/24 10.108.0.0/16 policy match dir out pol ipsec proto esp
Chain OUTPUT (policy ACCEPT 306 packets, 26032 bytes)
pkts bytes target prot opt in out source destination
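Added example, not code from the post or from strongSwan: a small Python model of the path a forwarded packet takes through the mangle MARK rule and the two mark-matched NETMAP rules quoted above, followed by the outbound policy check that the child SA performs (packet mark must equal mark_out and the post-NAT source/destination must fall inside local_ts/remote_ts). The rule tables, traffic selectors and packet addresses are copied from the post; the host-bit arithmetic assumes both NETMAP networks have the same prefix length, which is the documented 1:1 NETMAP case.

```python
import ipaddress

# Rules and child-SA values as quoted in the post (mark -> (from_net, to_net)).
PREROUTING_NETMAP = {0x8: ("172.16.48.0/24", "10.108.0.0/24"),
                     0x4: ("172.16.51.0/24", "16.16.65.0/24")}
POSTROUTING_NETMAP = {0x8: ("16.16.65.0/24", "172.16.51.0/24"),
                      0x4: ("10.108.0.0/24", "172.16.48.0/24")}
MANGLE_MARK = ("10.108.0.0/24", "172.16.51.0/24", 0x4)   # src, dst -> MARK set 0x4
CHILD_SA = {"mark_out": 0x4, "local_ts": "172.168.48.0/24", "remote_ts": "16.16.65.0/24"}


def netmap(addr: str, from_net: str, to_net: str) -> str:
    """iptables NETMAP: keep the host bits of addr, replace the network bits.
    Addresses outside from_net are left untouched, as the rule would not match."""
    ip = ipaddress.ip_address(addr)
    src = ipaddress.ip_network(from_net, strict=False)
    dst = ipaddress.ip_network(to_net, strict=False)
    assert src.prefixlen == dst.prefixlen, "1:1 NETMAP needs equal prefix lengths"
    if ip not in src:
        return addr
    host_bits = int(ip) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


def classify_mark(src: str, dst: str) -> int:
    """mangle PREROUTING: mark 0x4 for traffic from the local LAN to the mapped remote net."""
    s_net, d_net, mark = MANGLE_MARK
    in_src = ipaddress.ip_address(src) in ipaddress.ip_network(s_net)
    in_dst = ipaddress.ip_address(dst) in ipaddress.ip_network(d_net)
    return mark if in_src and in_dst else 0


def translate_forwarded(src: str, dst: str, mark: int) -> tuple:
    """(src, dst) as the outbound policy lookup sees them after nat PREROUTING
    (destination NETMAP) and nat POSTROUTING (source NETMAP)."""
    if mark in PREROUTING_NETMAP:
        dst = netmap(dst, *PREROUTING_NETMAP[mark])
    if mark in POSTROUTING_NETMAP:
        src = netmap(src, *POSTROUTING_NETMAP[mark])
    return src, dst


def matches_child_sa(src: str, dst: str, mark: int, sa: dict = CHILD_SA) -> bool:
    """Outbound xfrm policy match: right mark and both addresses inside the traffic selectors.
    A False here means the packet is routed in the clear instead of entering the tunnel."""
    return (mark == sa["mark_out"]
            and ipaddress.ip_address(src) in ipaddress.ip_network(sa["local_ts"], strict=False)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(sa["remote_ts"], strict=False))
```

Run it with the ping from the trace (10.108.0.3 to 172.16.51.197) and compare the translated pair against the SA's selectors; swapping in a different local_ts shows when the same packet would match.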