사이트 간 터널을 설정 중입니다.
192.168.2.0/24===10.103.6.40<10.103.6.40>---10.103.6.1...10.103.6.29<10.103.6.29>===192.168.1.0/24;
로컬 IP: 10.103.6.40
로컬 LAN: 192.168.2.0/24
원격 LAN은 10.103.6.29(라우터) 뒤에 있고 LAN 10.1.1.0/24가 있습니다.
원격 IP: 10.1.1.44(10.103.6.29 뒤에는 VPN Passthrough가 활성화되어 있습니다)
원격 LAN: 192.168.1.0/24
이제 터널이 설정되었지만 192.168.1.2에서 원격 LAN 시스템을 ping할 수 없습니다.
IPsec 로그:
Mar 4 16:34:45 NG authpriv.warn pluto[9431]: listening for IKE messages
Mar 4 16:34:45 NG authpriv.warn pluto[9431]: adding interface br0/br0 192.168.2.1:500
Mar 4 16:34:45 NG authpriv.warn pluto[9431]: adding interface br0/br0 192.168.2.1:4500
Mar 4 16:34:45 NG authpriv.warn pluto[9431]: adding interface eth3/eth3 10.103.6.40:500
Mar 4 16:34:45 NG authpriv.warn pluto[9431]: adding interface eth3/eth3 10.103.6.40:4500
Mar 4 16:34:45 NG authpriv.warn pluto[9431]: adding interface lo/lo 127.0.0.1:500
Mar 4 16:34:45 NG authpriv.warn pluto[9431]: adding interface lo/lo 127.0.0.1:4500
Mar 4 16:34:45 NG authpriv.warn pluto[9431]: adding interface lo/lo ::1:500
Mar 4 16:34:45 NG authpriv.warn pluto[9431]: loading secrets from "/etc/ipsec.secrets"
Mar 4 16:34:46 NG authpriv.warn pluto[9431]: "NG" #1: initiating Main Mode
Mar 4 16:34:46 NG daemon.err ipsec__plutorun: 104 "NG" #1: STATE_MAIN_I1: initiate
Mar 4 16:34:46 NG authpriv.warn pluto[9431]: "NG" #1: received Vendor ID payload [Openswan (this version) 2.6.38 ]
Mar 4 16:34:46 NG authpriv.warn pluto[9431]: "NG" #1: received Vendor ID payload [Dead Peer Detection]
Mar 4 16:34:46 NG authpriv.warn pluto[9431]: "NG" #1: received Vendor ID payload [RFC 3947] method set to=115
Mar 4 16:34:46 NG authpriv.warn pluto[9431]: "NG" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Mar 4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar 4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Mar 4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Mar 4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar 4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Mar 4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: received Vendor ID payload [CAN-IKEv2]
Mar 4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: Main mode peer ID is ID_IPV4_ADDR: '10.103.6.29'
Mar 4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar 4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
Mar 4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: Dead Peer Detection (RFC 3706): enabled
Mar 4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:f5d74d20 proposal=AES(12)_128-MD5(1)_128, AES(12)_192-MD5(1)_128, AES(12)_256-MD5(1)_128, AES(12)_128-SHA1(2)_160, AES(12)_192-SHA1(2)_160, AES(12)_256-SHA1(2)_160, 3DES(3)_192-MD5(1)_128, 3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Mar 4 16:34:49 NG authpriv.warn pluto[9431]: "NG" #2: Dead Peer Detection (RFC 3706): enabled
Mar 4 16:34:49 NG authpriv.warn pluto[9431]: "NG" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar 4 16:34:49 NG authpriv.warn pluto[9431]: "NG" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x9143bd7d <0x1cb79f9a xfrm=AES_128-HMAC_MD5 NATOA=none NATD=10.103.6.29:4500 DPD=enabled}
터널이 성공적으로 구축되었습니다.
로컬 구성(10.103.6.40 측):
config setup
nat_traversal=yes
oe=off
protostack=netkey
conn NGpassthrough
left=192.168.2.1
right=0.0.0.0
leftsubnet=192.168.2.0/24
rightsubnet=192.168.2.0/24
authby=never
type=passthrough
auto=route
conn NG
right=10.103.6.29
rightsubnet=192.168.1.0/24
left=10.103.6.40
leftsubnet=192.168.2.0/24
leftnexthop=10.103.6.1
auto=start
leftid=10.103.6.40
rightid=10.103.6.29
#x_rightdynamic=yes
authby=secret
compress=no
failureshunt=drop
dpddelay=15
dpdtimeout=60
dpdaction=restart
pfs=yes
ike=aes128-md5-modp1024,aes192-md5-modp1024,aes256-md5-modp1024,aes128-sha1-modp1024,aes192-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,aes128-md5-modp1536,aes192-md5-modp1536,aes256-md5-modp1536,aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536,3des-md5-modp1536,3des-sha1-modp1536,aes128-md5-modp2048,aes192-md5-modp2048,aes256-md5-modp2048,aes128-sha1-modp2048,aes192-sha1-modp2048,aes256-sha1-modp2048,3des-md5-modp2048,3des-sha1-modp2048
esp=aes128-md5,aes192-md5,aes256-md5,aes128-sha1,aes192-sha1,aes256-sha1,3des-md5,3des-sha1
원격 구성(10.1.1.44 종료):
config setup
nat_traversal=yes
oe=off
protostack=netkey
conn NGpassthrough
left=192.168.1.1
right=0.0.0.0
leftsubnet=192.168.1.0/24
rightsubnet=192.168.1.0/24
authby=never
type=passthrough
auto=route
conn NG
right=10.103.6.40
rightsubnet=192.168.2.0/24
left=10.1.1.44
leftsubnet=192.168.1.0/24
leftnexthop=10.1.1.1
auto=start
leftid=10.103.6.29
rightid=10.103.6.40
#x_rightdynamic=yes
authby=secret
compress=no
failureshunt=drop
dpddelay=15
dpdtimeout=60
dpdaction=restart
pfs=yes
ike=aes128-md5-modp1024,aes192-md5-modp1024,aes256-md5-modp1024,aes128-sha1-modp1024,aes192-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,aes128-md5-modp1536,aes192-md5-modp1536,aes256-md5-modp1536,aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536,3des-md5-modp1536,3des-sha1-modp1536,aes128-md5-modp2048,aes192-md5-modp2048,aes256-md5-modp2048,aes128-sha1-modp2048,aes192-sha1-modp2048,aes256-sha1-modp2048,3des-md5-modp2048,3des-sha1-modp2048
esp=aes128-md5,aes192-md5,aes256-md5,aes128-sha1,aes192-sha1,aes256-sha1,3des-md5,3des-sha1
10.103.6.29의 방화벽 규칙:
-A PREROUTING -p udp -m udp --dport 500 -j DNAT --to-destination 10.1.1.44:500
-A PREROUTING -p udp -m udp --dport 4500 -j DNAT --to-destination 10.1.1.44:4500
양쪽 끝에 두 대의 컴퓨터가 있습니다. 로컬 PC의 IP 주소는 192.168.2.2이고, 원격 PC의 IP 주소는 192.168.1.2입니다.
원격 라우터(192.168.1.1)에는 ping이 가능하지만 원격 LAN PC(192.168.1.2)에는 액세스/ping할 수 없습니다.
도와주세요.