I have an IPsec/IKEv2 VPN server (on a MikroTik router) and I am trying to connect to it from my Ubuntu 20.04.1 LTS system. The server uses x509 certificates and private/public key pairs for authentication. I can connect to the server, but not all of the routes pushed by the server are applied on the client.
Details below.
The remote (VPN server) side has:
The local (VPN client) side has:
After connecting to the VPN server, the routing table shows the following:
root@laci-ryzen:~# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.14.1 0.0.0.0 UG 0 0 0 enp5s0
1.2.3.4 192.168.14.1 255.255.255.255 UGH 0 0 0 enp5s0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 enp5s0
192.168.14.0 0.0.0.0 255.255.255.0 U 0 0 0 enp5s0
192.168.14.1 0.0.0.0 255.255.255.255 UH 0 0 0 enp5s0
root@laci-ryzen:~#
As you can see, there are no routes to 10.0.88.0/24 or 192.168.13.0/24. The first route given in split-include is added via ip xfrm.
root@laci-ryzen:~# ip xfrm state
src 192.168.14.2 dst 1.2.3.5
proto esp spi 0x0c51282e reqid 4 mode tunnel
replay-window 0 flag af-unspec
auth-trunc hmac(sha512) 0xfa80fddcd4db0019e7e8f2cc1b3ad3487cff50f27267376b2dc189d790488abb1aa08f6473146e7cde697c696dbbf64f62e1e6e928b72cbb8d8fd7b22b164a58 256
enc cbc(aes) 0x09d94b3501a7e95ec20c7378c6493d591f291b8819a4a9c69de25f1a8918afb3
encap type espinudp sport 54067 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0xb, bitmap 0x00000000
src 1.2.3.5 dst 192.168.14.2
proto esp spi 0xcf16ebb2 reqid 4 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha512) 0xc38ba5586eb6c06d34b92a606ca3a1e6aec988adad87c3f6def719ba3c9a371aafabfd52f240e320d23c39a0bcd06f718a69830d2098757ca6121cee3d50deaf 256
enc cbc(aes) 0x89807b8796ecfd5975f143dae279af70aa7e52ab9b4d123fa84901743d90db10
encap type espinudp sport 4500 dport 54067 addr 0.0.0.0
anti-replay context: seq 0x7, oseq 0x0, bitmap 0x0000007f
root@laci-ryzen:~# ip xfrm policy | head -20
src 192.168.14.1/32 dst 192.168.14.1/32
dir fwd priority 167231
src 192.168.14.1/32 dst 192.168.14.1/32
dir in priority 167231
src 192.168.14.1/32 dst 192.168.14.1/32
dir out priority 167231
src 10.0.88.100/32 dst 192.168.13.0/24
dir out priority 371327
tmpl src 192.168.14.2 dst 1.2.3.5
proto esp spi 0x0c51282e reqid 4 mode tunnel
src 192.168.13.0/24 dst 10.0.88.100/32
dir fwd priority 371327
tmpl src 1.2.3.5 dst 192.168.14.2
proto esp reqid 4 mode tunnel
src 192.168.13.0/24 dst 10.0.88.100/32
dir in priority 371327
tmpl src 1.2.3.5 dst 192.168.14.2
proto esp reqid 4 mode tunnel
src fe80::/64 dst fe80::/64
dir fwd priority 134463
Packets for 192.168.13.0/24 seem to be correctly transformed and routed to the VPN server. But packets for 10.0.88.0/100 are not.
These routes should be added automatically, because they are present in the split-include on the VPN server:
/ip ipsec mode-config
add address-pool=vpn.my.server.hu address-prefix-length=32 name="modeconf vpn.my.server.hu" split-include=192.168.13.0/24,10.0.88.0/24 static-dns=10.0.88.1 system-dns=no
The problem is not the VPN server, because when I connect to the VPN server from Windows 10, these routes are applied correctly. On Windows 10, routes for 192.168.13.0/24 and 10.0.88.0/24 are added, and I can ping the remote addresses 10.0.88.1 and 192.168.13.254 (which are the VPN server's addresses on the different networks).
Whatever routes I provide in split-include on the server, the first route is applied correctly by strongSwan on the client. But the rest are not.
So, for example, if I change the server configuration to:
/ip ipsec mode-config
add address-pool=vpn.my.server.hu address-prefix-length=32 name="modeconf vpn.my.server.hu" split-include=172.111.0.0/16,192.168.13.0/24,10.0.88.0/24 static-dns=10.0.88.1 system-dns=no
172.111.0.0/16 is added correctly by strongSwan; 192.168.13.0/24 and 10.0.88.0/24 are not.
I really need to add multiple routes; one is not enough.
Here is my syslog (IP addresses and hostnames replaced):
Dec 22 14:10:55 laci-ryzen NetworkManager[1186]: <info> [1608642655.8085] audit: op="connection-activate" uuid="e430f863-b8b7-4f23-8b49-0fd2a8036d13" name="laci@my.server.hu" pid=2578 uid=1001 result="success"
Dec 22 14:10:55 laci-ryzen gnome-shell[1662]: JS ERROR: TypeError: item is undefined#012setActiveConnections/<@resource:///org/gnome/shell/ui/status/network.js:1523:17#012setActiveConnections@resource:///org/gnome/shell/ui/status/network.js:1520:24#012_syncVpnConnections@resource:///org/gnome/shell/ui/status/network.js:1867:26
Dec 22 14:10:55 laci-ryzen NetworkManager[1186]: <info> [1608642655.8095] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"laci@my.server.hu",0]: Saw the service appear; activating connection
Dec 22 14:10:55 laci-ryzen NetworkManager[1186]: <info> [1608642655.8265] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"laci@my.server.hu",0]: VPN connection: (ConnectInteractive) reply received
Dec 22 14:10:55 laci-ryzen charon-nm: 05[CFG] received initiate for NetworkManager connection laci@my.server.hu
Dec 22 14:10:55 laci-ryzen charon-nm: 05[CFG] using CA certificate, gateway identity 'vpn.my.server.hu'
Dec 22 14:10:57 laci-ryzen charon-nm: 05[IKE] initiating IKE_SA laci@my.server.hu[2] to 1.2.3.5
Dec 22 14:10:57 laci-ryzen charon-nm: 05[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 22 14:10:57 laci-ryzen charon-nm: 05[NET] sending packet: from 192.168.14.2[37786] to 1.2.3.5[500] (1128 bytes)
Dec 22 14:10:57 laci-ryzen NetworkManager[1186]: <info> [1608642657.4221] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"laci@my.server.hu",0]: VPN plugin: state changed: starting (3)
Dec 22 14:10:57 laci-ryzen charon-nm: 08[NET] received packet: from 1.2.3.5[500] to 192.168.14.2[37786] (38 bytes)
Dec 22 14:10:57 laci-ryzen charon-nm: 08[ENC] parsed IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Dec 22 14:10:57 laci-ryzen charon-nm: 08[IKE] peer didn't accept DH group ECP_256, it requested MODP_2048
Dec 22 14:10:57 laci-ryzen charon-nm: 08[IKE] initiating IKE_SA laci@my.server.hu[2] to 1.2.3.5
Dec 22 14:10:57 laci-ryzen charon-nm: 08[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Dec 22 14:10:57 laci-ryzen charon-nm: 08[NET] sending packet: from 192.168.14.2[37786] to 1.2.3.5[500] (1320 bytes)
Dec 22 14:10:58 laci-ryzen charon-nm: 09[NET] received packet: from 1.2.3.5[500] to 192.168.14.2[37786] (429 bytes)
Dec 22 14:10:58 laci-ryzen charon-nm: 09[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) CERTREQ ]
Dec 22 14:10:58 laci-ryzen charon-nm: 09[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Dec 22 14:10:58 laci-ryzen charon-nm: 09[IKE] local host is behind NAT, sending keep alives
Dec 22 14:10:58 laci-ryzen charon-nm: 09[IKE] sending cert request for "C=HU, ST=Heves, L=Eger, O=my.server.hu, CN=my.server.hu"
Dec 22 14:10:58 laci-ryzen charon-nm: 09[IKE] authentication of 'C=HU, ST=Heves, L=Eger, O=my.server.hu, CN=laci@vpn.my.server.hu' (myself) with RSA signature successful
Dec 22 14:10:58 laci-ryzen charon-nm: 09[IKE] sending end entity cert "C=HU, ST=Heves, L=Eger, O=my.server.hu, CN=laci@vpn.my.server.hu"
Dec 22 14:10:58 laci-ryzen charon-nm: 09[IKE] establishing CHILD_SA laci@my.server.hu{2}
Dec 22 14:10:58 laci-ryzen charon-nm: 09[ENC] generating IKE_AUTH request 1 [ IDi CERT N(INIT_CONTACT) CERTREQ AUTH CPRQ(ADDR ADDR6 DNS NBNS DNS6) SA TSi TSr N(MOBIKE_SUP) N(ADD_4_ADDR) N(ADD_4_ADDR) N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
Dec 22 14:10:58 laci-ryzen charon-nm: 09[NET] sending packet: from 192.168.14.2[44719] to 1.2.3.5[4500] (2560 bytes)
Dec 22 14:10:59 laci-ryzen charon-nm: 06[NET] received packet: from 1.2.3.5[4500] to 192.168.14.2[44719] (2304 bytes)
Dec 22 14:10:59 laci-ryzen charon-nm: 06[ENC] parsed IKE_AUTH response 1 [ CERT IDr AUTH CPRP(ADDR MASK SUBNET SUBNET DNS) TSi TSr SA N(ADD_TS_POSS) ]
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] received end entity cert "C=HU, ST=Heves, L=Eger, O=my.server.hu, CN=vpn.my.server.hu"
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] using certificate "C=HU, ST=Heves, L=Eger, O=my.server.hu, CN=vpn.my.server.hu"
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] using trusted ca certificate "C=HU, ST=Heves, L=Eger, O=my.server.hu, CN=my.server.hu"
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] checking certificate status of "C=HU, ST=Heves, L=Eger, O=my.server.hu, CN=vpn.my.server.hu"
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] certificate status is not available
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] reached self-signed root ca with a path length of 0
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] authentication of 'vpn.my.server.hu' with RSA signature successful
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] IKE_SA laci@my.server.hu[2] established between 192.168.14.2[C=HU, ST=Heves, L=Eger, O=my.server.hu, CN=laci@vpn.my.server.hu]...1.2.3.5[vpn.my.server.hu]
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] scheduling rekeying in 35488s
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] maximum IKE_SA lifetime 36088s
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] handling INTERNAL_IP4_NETMASK attribute failed
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] handling INTERNAL_IP4_SUBNET attribute failed
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] handling INTERNAL_IP4_SUBNET attribute failed
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] installing new virtual IP 10.0.88.100
Dec 22 14:10:59 laci-ryzen avahi-daemon[1177]: Registering new address record for 10.0.88.100 on enp5s0.IPv4.
Dec 22 14:10:59 laci-ryzen charon: 05[KNL] 10.0.88.100 appeared on enp5s0
Dec 22 14:10:59 laci-ryzen charon-nm: 06[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/NO_EXT_SEQ
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info> [1608642659.1946] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"laci@my.server.hu",0]: VPN connection: (IP Config Get) reply received.
Dec 22 14:10:59 laci-ryzen charon-nm: 06[IKE] CHILD_SA laci@my.server.hu{2} established with SPIs c7ea1582_i 0d47fc2e_o and TS 10.0.88.100/32 === 192.168.13.0/24
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info> [1608642659.1947] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"laci@my.server.hu",0]: VPN plugin: state changed: started (4)
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info> [1608642659.1948] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"laci@my.server.hu",0]: VPN connection: (IP4 Config Get) reply received
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info> [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"laci@my.server.hu",0]: Data: VPN Gateway: 1.2.3.5
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info> [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"laci@my.server.hu",0]: Data: Tunnel Device: (null)
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info> [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"laci@my.server.hu",0]: Data: IPv4 configuration:
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info> [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"laci@my.server.hu",0]: Data: Internal Address: 10.0.88.100
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info> [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"laci@my.server.hu",0]: Data: Internal Prefix: 32
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info> [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"laci@my.server.hu",0]: Data: Internal Point-to-Point Address: 10.0.88.100
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info> [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"laci@my.server.hu",0]: Data: Internal DNS: 10.0.88.1
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info> [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"laci@my.server.hu",0]: Data: DNS Domain: '(none)'
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info> [1608642659.1950] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"laci@my.server.hu",0]: Data: No IPv6 configuration
Dec 22 14:10:59 laci-ryzen NetworkManager[1186]: <info> [1608642659.1954] vpn-connection[0x5616750ee2e0,e430f863-b8b7-4f23-8b49-0fd2a8036d13,"laci@my.server.hu",0]: VPN connection: (IP Config Get) complete
Dec 22 14:10:59 laci-ryzen dbus-daemon[1185]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service' requested by ':1.10' (uid=0 pid=1186 comm="/usr/sbin/NetworkManager --no-daemon " label="unconfined")
Dec 22 14:10:59 laci-ryzen systemd[1]: Starting Network Manager Script Dispatcher Service...
Dec 22 14:10:59 laci-ryzen dbus-daemon[1185]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
Dec 22 14:10:59 laci-ryzen systemd[1]: Started Network Manager Script Dispatcher Service.
Dec 22 14:10:59 laci-ryzen dunst[3085]: WARNING: No icon found in path: 'gnome-lockscreen'
Dec 22 14:10:59 laci-ryzen charon-nm: 09[IKE] installed bypass policy for 192.168.14.1/32
What I find interesting is:
VPN plugin: state changed: started (4)
VPN connection: (IP4 Config Get) reply received
Data: VPN Gateway: 1.2.3.5
Data: Tunnel Device: (null)
Data: IPv4 configuration:
Data: Internal Address: 10.0.88.100
Data: Internal Prefix: 32
Data: Internal Point-to-Point Address: 10.0.88.100
Data: Internal DNS: 10.0.88.1
Data: DNS Domain: '(none)'
Data: No IPv6 configuration
VPN connection: (IP Config Get) complete
This is how I set up my strongSwan client:
For completeness, here are some snippets from my VPN server (router) configuration:
/ip ipsec mode-config
add address-pool=vpn.my.server.hu address-prefix-length=32 name="modeconf vpn.my.server.hu" split-include=192.168.13.0/24,10.0.88.0/24 static-dns=10.0.88.1 system-dns=no
/ip ipsec policy group
add name="group vpn.my.server.hu"
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=aes-256,aes-192,aes-128 hash-algorithm=sha256 name="profile vpn.my.server.hu"
/ip ipsec peer
add exchange-mode=ike2 local-address=1.2.3.5 name="peer 1.2.3.5" passive=yes profile="profile vpn.my.server.hu"
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=modp2048
add auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm,aes-192-ctr,aes-192-gcm,aes-128-cbc,aes-128-ctr,aes-128-gcm lifetime=8h name="proposal vpn.my.server.hu" pfs-group=\
modp2048
/ip ipsec identity
add auth-method=digital-signature certificate=vpn.my.server.hu generate-policy=port-strict match-by=certificate mode-config="modeconf vpn.my.server.hu" peer="peer 1.2.3.5" policy-template-group=\
"group vpn.my.server.hu" remote-certificate=laci@vpn.my.server.hu remote-id=user-fqdn:laci.vpn.my.server.hu
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=10.0.88.0/24 group="group vpn.my.server.hu" proposal="proposal vpn.my.server.hu" src-address=0.0.0.0/0 template=yes
For comparison, this is what I see in the routing table on Windows 10, using the same VPN server with the same credentials.
Posted on 2022-06-22 22:36:46
I have the same problem - MikroTik server - Windows 10 accepts the offered subnets (after disabling the default gateway on the remote network), and another MikroTik as a client accepts the offered subnets. But strongSwan accepts only the first subnet defined in the split-tunnel subnet list configured on the VPN server. The same behaviour occurs on Linux, FreeBSD and Android.
On Android there is an option to add the split-tunnel subnets manually. On Linux and FreeBSD the only way to solve this is to configure one connection (or a "child" in the new swanctl configuration syntax) per subnet.
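The question diagnoses the problem from the `ip xfrm policy` dump (only one `dir out` tunnel policy, for 192.168.13.0/24, and none for 10.0.88.0/24), and the answer's workaround (one connection or swanctl child per subnet) should result in one outbound policy per split-include subnet. The following shell script, added here as an example and not part of the question, the answer or the strongSwan project, automates that check: it parses the text format of `ip xfrm policy`, collects the destination selector of every outbound policy, and reports which of the server's split-include subnets has no outbound policy on the client. The first sample is the policy dump quoted in the question; the second sample is constructed (the extra policy and its `reqid 5` are invented) to model what a client with a working second child would show.

```shell
#!/bin/sh
# Added example: find split-include subnets with no outbound IPsec policy on the
# strongSwan client. Works on the text output of `ip xfrm policy`.

# Constructed sample: the policies quoted in the question (gateway bypass
# policy, then the single tunnel policy for 192.168.13.0/24).
XFRM_POLICY_BROKEN='src 192.168.14.1/32 dst 192.168.14.1/32
    dir fwd priority 167231
src 192.168.14.1/32 dst 192.168.14.1/32
    dir in priority 167231
src 192.168.14.1/32 dst 192.168.14.1/32
    dir out priority 167231
src 10.0.88.100/32 dst 192.168.13.0/24
    dir out priority 371327
    tmpl src 192.168.14.2 dst 1.2.3.5
        proto esp spi 0x0c51282e reqid 4 mode tunnel
src 192.168.13.0/24 dst 10.0.88.100/32
    dir fwd priority 371327
    tmpl src 1.2.3.5 dst 192.168.14.2
        proto esp reqid 4 mode tunnel
src 192.168.13.0/24 dst 10.0.88.100/32
    dir in priority 371327
    tmpl src 1.2.3.5 dst 192.168.14.2
        proto esp reqid 4 mode tunnel'

# Constructed sample (invented policy, reqid 5 is hypothetical): what a client
# with a second child for 10.0.88.0/24 would additionally show.
XFRM_POLICY_FIXED="$XFRM_POLICY_BROKEN
src 10.0.88.100/32 dst 10.0.88.0/24
    dir out priority 371327
    tmpl src 192.168.14.2 dst 1.2.3.5
        proto esp reqid 5 mode tunnel"

# Print the destination selector of every outbound (dir out) policy on stdin.
# A policy record starts with an unindented "src ... dst ..." line and its
# direction follows on an indented line; indented "tmpl src" lines are skipped.
installed_out_dsts() {
    awk '/^src / { dst = $4 } /^[ \t]+dir out/ { print dst }'
}

# $1: comma-separated split-include list as configured on the server.
# stdin: output of `ip xfrm policy`.
# Prints each expected subnet that has no outbound policy, one per line.
missing_split_routes() {
    have=$(installed_out_dsts)
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r net; do
        [ -n "$net" ] || continue
        printf '%s\n' "$have" | grep -qxF -- "$net" || printf '%s\n' "$net"
    done
}

# Demo on the constructed samples. On a live client run:
#   ip xfrm policy | missing_split_routes "192.168.13.0/24,10.0.88.0/24"
echo "missing on the client described in the question:"
printf '%s\n' "$XFRM_POLICY_BROKEN" | missing_split_routes "192.168.13.0/24,10.0.88.0/24"
echo "missing on a client with one child per subnet:"
printf '%s\n' "$XFRM_POLICY_FIXED" | missing_split_routes "192.168.13.0/24,10.0.88.0/24"
```

Only `dir out` policies are considered because that is what decides whether locally generated traffic for a subnet enters the tunnel; the bypass policy for the gateway (192.168.14.1/32) is also outbound but is never in the split-include list, so it is simply ignored. After applying the answer's per-subnet workaround, re-running the check should print nothing.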
https://askubuntu.com/questions/1302088