Ping 到 IPsec 主机上的子网仅适用于 -I 参数

发布于 2024-11-10 05:30:45 字数 982 浏览 5 评论 0原文

我有以下情况。两台主机使用 Strongswan IpSec 通过 Internet 连接两个子网

  • 主机 1 是子网 10.13.0.0/24 的路由器
  • 主机 2 租用没有子网的专用 Ubuntu 服务器(ifconfig 表示子掩码为 Mask:255.255.255.255)
  • 主机 2 还托管另一个子网,使用打开VPN。该子网为 192.168.23.0/24
  • 主机 2 在该子网上的 Ip 为 192.168.23.1。

当执行 ping -I 192.168.23.1 10.23.23.23 时,我可以到达另一台服务器。当我 ping 10.23.23.23 时,它不起作用。在 192.168.0./24 网络中的所有其他客户端上,ping 确实有效。

我必须添加哪个路由条目才能使其正常工作?因为现在主机本身无法到达另一端的客户端。

更多信息: host2 有两个接口:eth0 和 tun0(用于 openvpn)

host2 上的 ipconfig 如下所示:

charonstart=yes
plutostart=yes
left=host2externalIp
leftsubnet=192.168.23.0/24
leftnexthop=host2router
right=remoteIp
rightsubnet=10.13.0.0/24

在这里找到答案:http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/adv_config.html#multitunnel

这是可能的,需要一些额外的配置。不幸的是,我无法控制另一侧的配置,因此它对我不起作用。

I have the following situation. Two hosts connect two subnets over the Internet using Strongswan IpSec

  • Host 1 a router for subnet 10.13.0.0/24
  • Host 2 is rented dedicated Ubuntu server with no subnet (ifconfig says submask is Mask:255.255.255.255)
  • Host 2 also hosts another subnet using OpenVpn. That subnet is 192.168.23.0/24
  • Host 2 has 192.168.23.1 as Ip on that subnet.

When do ping -I 192.168.23.1 10.23.23.23 I can reach the other server. when I do ping 10.23.23.23 it doesn't work. On all other clients in the 192.168.0./24 network, the ping does work.

Which routing entry do I have to add to make it work? Because now the host itself cannot reach clients on the other side.

Further info:
host2 has two interfaces: eth0 and tun0 (for openvpn)

ipconfig on host2 looks like this:

charonstart=yes
plutostart=yes
left=host2externalIp
leftsubnet=192.168.23.0/24
leftnexthop=host2router
right=remoteIp
rightsubnet=10.13.0.0/24

Found the answer here: http://www.freeswan.org/freeswan_trees/freeswan-1.99/doc/adv_config.html#multitunnel

It is possible, with some extra configuration. Unfortunately I don't control the configuration on the other side so it didn't work for me.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

绝對不後悔。 2024-11-17 05:30:45

它不会 ping,因为当从 host2 执行 ping 操作时,ping 使用您的公共 IP 地址(来自 eth0)作为源。

IPSec 的内核规则规定,只有来自 192.168.23.0/24 => 的流量10.13.0.0/24 正在穿过该隧道。

您需要添加 NAT 才能使其正常工作,例如:

iptables -t nat -A POSTROUTING ! -s 192.168.23.0/24 -d 10.13.0.0/24 -j SNAT --to-source 192.168.23.1

it does not ping, because when pinging from host2, ping is using your public IP address (from eth0) as source.

kernel rules for IPSec say, that only traffic from 192.168.23.0/24 => 10.13.0.0/24 is going through that tunnel.

you need to add NAT to make it work, something like:

iptables -t nat -A POSTROUTING ! -s 192.168.23.0/24 -d 10.13.0.0/24 -j SNAT --to-source 192.168.23.1
月亮是我掰弯的 2024-11-17 05:30:45

mighq 解决了问题,但寻找解决方案的方向错误(或者也许 3 年前正确的方向太难达到)。

问题:您已将防火墙配置为允许出站数据包发送到默认网关,但您没有将最终接口的端点包含在网络列表中。

解决方案:通过 /32 或 /128 屏蔽网络将上行 IP(路由器用于与默认网关通信的地址)添加到左/右网络列表中。

mighq nailed the problem, but went in the wrong direction for a solution (or maybe 3 years ago the correct direction was too difficult to reach).

Problem: You already configured your firewall to allow the outbound packets out to the default gateway, BUT you didn't include the endpoint that is that final interface in your list of networks.

Solution: Add the uplink IP (the address that the router uses to talk to the default gateway) to the list of left/right networks via a /32 or /128 masked network.

嗼ふ静 2024-11-17 05:30:45

不要忘记在您的网关示例中添加到远程网络的路由 ip r add开发也是。

dont forget to add route to remote net in your gate example ip r add <net/mask> dev too.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文