Openswan set up a NAT tunnel, but I can't ping a PC on the remote LAN


I am setting up a site-to-site tunnel.

192.168.2.0/24===10.103.6.40<10.103.6.40>---10.103.6.1...10.103.6.29<10.103.6.29>===192.168.1.0/24;

Local IP: 10.103.6.40

Local LAN: 192.168.2.0/24

The remote LAN is behind 10.103.6.29 (a router), which has the LAN 10.1.1.0/24.

Remote IP: 10.1.1.44 (behind 10.103.6.29, which has VPN passthrough enabled)

Remote LAN: 192.168.1.0/24

The tunnel is now established, but I cannot ping the remote LAN machine at 192.168.1.2.

IPsec log:

Mar  4 16:34:45 NG authpriv.warn pluto[9431]: listening for IKE messages
Mar  4 16:34:45 NG authpriv.warn pluto[9431]: adding interface br0/br0 192.168.2.1:500
Mar  4 16:34:45 NG authpriv.warn pluto[9431]: adding interface br0/br0 192.168.2.1:4500
Mar  4 16:34:45 NG authpriv.warn pluto[9431]: adding interface eth3/eth3 10.103.6.40:500
Mar  4 16:34:45 NG authpriv.warn pluto[9431]: adding interface eth3/eth3 10.103.6.40:4500
Mar  4 16:34:45 NG authpriv.warn pluto[9431]: adding interface lo/lo 127.0.0.1:500
Mar  4 16:34:45 NG authpriv.warn pluto[9431]: adding interface lo/lo 127.0.0.1:4500
Mar  4 16:34:45 NG authpriv.warn pluto[9431]: adding interface lo/lo ::1:500
Mar  4 16:34:45 NG authpriv.warn pluto[9431]: loading secrets from "/etc/ipsec.secrets"
Mar  4 16:34:46 NG authpriv.warn pluto[9431]: "NG" #1: initiating Main Mode
Mar  4 16:34:46 NG daemon.err ipsec__plutorun: 104 "NG" #1: STATE_MAIN_I1: initiate
Mar  4 16:34:46 NG authpriv.warn pluto[9431]: "NG" #1: received Vendor ID payload [Openswan (this version) 2.6.38 ]
Mar  4 16:34:46 NG authpriv.warn pluto[9431]: "NG" #1: received Vendor ID payload [Dead Peer Detection]
Mar  4 16:34:46 NG authpriv.warn pluto[9431]: "NG" #1: received Vendor ID payload [RFC 3947] method set to=115 
Mar  4 16:34:46 NG authpriv.warn pluto[9431]: "NG" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Mar  4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Mar  4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Mar  4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): peer is NATed
Mar  4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Mar  4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Mar  4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: received Vendor ID payload [CAN-IKEv2]
Mar  4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: Main mode peer ID is ID_IPV4_ADDR: '10.103.6.29'
Mar  4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Mar  4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=aes_128 prf=oakley_md5 group=modp1024}
Mar  4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #1: Dead Peer Detection (RFC 3706): enabled
Mar  4 16:34:47 NG authpriv.warn pluto[9431]: "NG" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+PFS+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:f5d74d20 proposal=AES(12)_128-MD5(1)_128, AES(12)_192-MD5(1)_128, AES(12)_256-MD5(1)_128, AES(12)_128-SHA1(2)_160, AES(12)_192-SHA1(2)_160, AES(12)_256-SHA1(2)_160, 3DES(3)_192-MD5(1)_128, 3DES(3)_192-SHA1(2)_160 pfsgroup=OAKLEY_GROUP_MODP1024}
Mar  4 16:34:49 NG authpriv.warn pluto[9431]: "NG" #2: Dead Peer Detection (RFC 3706): enabled
Mar  4 16:34:49 NG authpriv.warn pluto[9431]: "NG" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Mar  4 16:34:49 NG authpriv.warn pluto[9431]: "NG" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x9143bd7d <0x1cb79f9a xfrm=AES_128-HMAC_MD5 NATOA=none NATD=10.103.6.29:4500 DPD=enabled}

The tunnel was built successfully.

Local configuration (10.103.6.40 side):

config setup
    nat_traversal=yes
    oe=off
    protostack=netkey

conn NGpassthrough
    left=192.168.2.1
    right=0.0.0.0
    leftsubnet=192.168.2.0/24
    rightsubnet=192.168.2.0/24
    authby=never
    type=passthrough
    auto=route

conn NG
    right=10.103.6.29
    rightsubnet=192.168.1.0/24
    left=10.103.6.40
    leftsubnet=192.168.2.0/24
    leftnexthop=10.103.6.1
    auto=start
    leftid=10.103.6.40
    rightid=10.103.6.29
    #x_rightdynamic=yes
    authby=secret
    compress=no
    failureshunt=drop
    dpddelay=15
    dpdtimeout=60
    dpdaction=restart
    pfs=yes
    ike=aes128-md5-modp1024,aes192-md5-modp1024,aes256-md5-modp1024,aes128-sha1-modp1024,aes192-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,aes128-md5-modp1536,aes192-md5-modp1536,aes256-md5-modp1536,aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536,3des-md5-modp1536,3des-sha1-modp1536,aes128-md5-modp2048,aes192-md5-modp2048,aes256-md5-modp2048,aes128-sha1-modp2048,aes192-sha1-modp2048,aes256-sha1-modp2048,3des-md5-modp2048,3des-sha1-modp2048
    esp=aes128-md5,aes192-md5,aes256-md5,aes128-sha1,aes192-sha1,aes256-sha1,3des-md5,3des-sha1

Remote configuration (10.1.1.44 end):

config setup
    nat_traversal=yes
    oe=off
    protostack=netkey

conn NGpassthrough
    left=192.168.1.1
    right=0.0.0.0
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.1.0/24
    authby=never
    type=passthrough
    auto=route

conn NG
    right=10.103.6.40
    rightsubnet=192.168.2.0/24
    left=10.1.1.44
    leftsubnet=192.168.1.0/24
    leftnexthop=10.1.1.1
    auto=start
    leftid=10.103.6.29
    rightid=10.103.6.40
    #x_rightdynamic=yes
    authby=secret
    compress=no
    failureshunt=drop
    dpddelay=15
    dpdtimeout=60
    dpdaction=restart
    pfs=yes
    ike=aes128-md5-modp1024,aes192-md5-modp1024,aes256-md5-modp1024,aes128-sha1-modp1024,aes192-sha1-modp1024,aes256-sha1-modp1024,3des-md5-modp1024,3des-sha1-modp1024,aes128-md5-modp1536,aes192-md5-modp1536,aes256-md5-modp1536,aes128-sha1-modp1536,aes192-sha1-modp1536,aes256-sha1-modp1536,3des-md5-modp1536,3des-sha1-modp1536,aes128-md5-modp2048,aes192-md5-modp2048,aes256-md5-modp2048,aes128-sha1-modp2048,aes192-sha1-modp2048,aes256-sha1-modp2048,3des-md5-modp2048,3des-sha1-modp2048
    esp=aes128-md5,aes192-md5,aes256-md5,aes128-sha1,aes192-sha1,aes256-sha1,3des-md5,3des-sha1

Firewall rules on 10.103.6.29:

-A PREROUTING -p udp -m udp --dport 500 -j DNAT --to-destination 10.1.1.44:500 
-A PREROUTING -p udp -m udp --dport 4500 -j DNAT --to-destination 10.1.1.44:4500 

There are two computers, one at each end. The local PC's IP address is 192.168.2.2 and the remote PC's IP address is 192.168.1.2.

I can ping the remote router (192.168.1.1), but I cannot access/ping the remote LAN PC (192.168.1.2).

Please help.
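The two ipsec.conf fragments in the question can be checked mechanically for the mismatches that typically leave a tunnel "established" while LAN-to-LAN traffic is dropped. The following is an added example, not code from the original post: it embeds constructed copies of the two configurations (the long ike=/esp= lists are omitted), parses the conn sections, and checks that the subnets mirror each other, that each right= matches the peer's leftid=, that nat_traversal=yes is set whenever a left= differs from its leftid= (the NATed remote end here), that a given source/destination pair falls inside the selectors (a ping sourced from an address outside leftsubnet never matches the IPsec policy and leaves the host in the clear), and that no type=passthrough conn overlaps the tunnel's remote subnet. The helper names are assumptions.

```python
"""Consistency checks for a pair of Openswan site-to-site ipsec.conf fragments.

Added example, not code from the original post. LOCAL_CONF and REMOTE_CONF are
constructed copies of the question's snippets; the helpers are hypothetical.
"""
import ipaddress

LOCAL_CONF = """\
config setup
    nat_traversal=yes
    protostack=netkey
conn NGpassthrough
    left=192.168.2.1
    right=0.0.0.0
    leftsubnet=192.168.2.0/24
    rightsubnet=192.168.2.0/24
    type=passthrough
conn NG
    right=10.103.6.29
    rightsubnet=192.168.1.0/24
    left=10.103.6.40
    leftsubnet=192.168.2.0/24
    leftid=10.103.6.40
    rightid=10.103.6.29
    #x_rightdynamic=yes
"""

REMOTE_CONF = """\
config setup
    nat_traversal=yes
    protostack=netkey
conn NGpassthrough
    left=192.168.1.1
    right=0.0.0.0
    leftsubnet=192.168.1.0/24
    rightsubnet=192.168.1.0/24
    type=passthrough
conn NG
    right=10.103.6.40
    rightsubnet=192.168.2.0/24
    left=10.1.1.44
    leftsubnet=192.168.1.0/24
    leftid=10.103.6.29
    rightid=10.103.6.40
"""


def parse_ipsec_conf(text):
    """Map 'config setup' / 'conn NAME' section names to their key=value pairs."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # drop comments such as #x_rightdynamic=yes
        if not line.strip():
            continue
        if not line[0].isspace():               # unindented line starts a section
            current = ' '.join(line.split()[:2])
            sections[current] = {}
        elif current is not None and '=' in line:
            key, value = line.strip().split('=', 1)
            sections[current][key.strip()] = value.strip()
    return sections


def check_pair(local, remote, conn='NG'):
    """Compare one conn on both ends; return a list of findings (empty = consistent)."""
    a, b = local[f'conn {conn}'], remote[f'conn {conn}']
    net = ipaddress.ip_network
    findings = []
    # 1. Selectors must mirror, or phase 2 installs a different policy than expected.
    if net(a['leftsubnet']) != net(b['rightsubnet']) or net(a['rightsubnet']) != net(b['leftsubnet']):
        findings.append('subnets are not mirrored between the two ends')
    # 2. right=/rightid= on each side must be the identity the peer presents (its leftid=).
    if a['right'] != b['leftid'] or a['rightid'] != b['leftid'] or b['right'] != a['leftid']:
        findings.append('right=/rightid= does not match the peer leftid=')
    # 3. left= differing from leftid= means that end is behind NAT; both ends then need NAT-T.
    if a['left'] != a['leftid'] or b['left'] != b['leftid']:
        for name, cfg in (('local', local), ('remote', remote)):
            if cfg.get('config setup', {}).get('nat_traversal') != 'yes':
                findings.append(f'{name}: nat_traversal=yes missing although one end is NATed')
    return findings


def selectors_cover(cfg, src, dst, conn='NG'):
    """True if src->dst lies inside leftsubnet->rightsubnet, i.e. the kernel policy matches."""
    c = cfg[f'conn {conn}']
    return (ipaddress.ip_address(src) in ipaddress.ip_network(c['leftsubnet'])
            and ipaddress.ip_address(dst) in ipaddress.ip_network(c['rightsubnet']))


def passthrough_overlaps(cfg, conn='NG'):
    """Names of type=passthrough conns whose selectors overlap the tunnel's remote subnet."""
    remote_net = ipaddress.ip_network(cfg[f'conn {conn}']['rightsubnet'])
    return [name for name, sec in cfg.items()
            if sec.get('type') == 'passthrough'
            and any(ipaddress.ip_network(sec[k]).overlaps(remote_net)
                    for k in ('leftsubnet', 'rightsubnet') if k in sec)]


if __name__ == '__main__':
    local, remote = parse_ipsec_conf(LOCAL_CONF), parse_ipsec_conf(REMOTE_CONF)
    print('findings:', check_pair(local, remote) or 'none')
    print('192.168.2.2 -> 192.168.1.2 covered:', selectors_cover(local, '192.168.2.2', '192.168.1.2'))
    print('10.103.6.40 -> 192.168.1.2 covered:', selectors_cover(local, '10.103.6.40', '192.168.1.2'))
    print('passthrough overlap:', passthrough_overlaps(local) or 'none')
```

On the configuration in the question every check passes, and a ping sourced from the gateway's outer address 10.103.6.40 is correctly reported as outside the selectors while 192.168.2.2 to 192.168.1.2 is covered. The kernel's view of the same selectors on a running host is `ip xfrm policy` and `ip xfrm state`; when the static checks pass, what remains is the path beyond the remote gateway (forwarding on it and the reply route on 192.168.1.2), which these checks cannot see.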
