Strongswan-流量未通过VPN路由

时间:2020-03-04 11:07:16

标签: routing ipsec strongswan

我正在两个数字海洋小滴之间建立VPN。这些服务器都有公共IP地址。我正在尝试通过IPSEC隧道发送纯文本流量,但似乎没有通过加密隧道发送流量。

这是我的配置-除了IP颠倒之外,每端的配置完全相同,并且一端具有auto = start,另一端具有auto = add。

config setup
     strictcrlpolicy=no
     uniqueids = no

conn any
    leftid=178.62.150.163
    leftsubnet=178.62.150.163/32
    leftsourceip=178.62.150.163
    right=209.97.111.12
    rightsubnet=209.97.111.12/32
    rightid=209.97.111.12
    keyingtries=%forever
    ike=aes256-sha2_512-modp1536
    esp=aes256-sha2_512-modp1536
    ikelifetime=3h
    keylife=1h
    compress=yes
    dpdaction=restart
    dpddelay=30
    dpdtimeout=120
    authby=secret
    fragmentation=yes
    auto=start
    authby=secret
    keyexchange=ike
    type=tunnel

VPN似乎已启动。

root@ubuntu-s-1vcpu-1gb-lon1-01:~# ipsec statusall any
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-66-generic, x86_64):
  uptime: 10 minutes, since Mar 04 10:51:54 2020
  malloc: sbrk 1630208, mmap 0, used 662496, free 967712
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
  loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
  178.62.150.163
  10.16.0.7
Connections:
         any:  %any...209.97.111.12  IKEv1/2, dpddelay=30s
         any:   local:  [178.62.150.163] uses pre-shared key authentication
         any:   remote: [209.97.111.12] uses pre-shared key authentication
         any:   child:  178.62.150.163/32 === 209.97.111.12/32 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
         any[1]: ESTABLISHED 10 minutes ago, 178.62.150.163[178.62.150.163]...209.97.111.12[209.97.111.12]
         any[1]: IKEv2 SPIs: a5c8f64f5221786c_i* e7b90ff29d2566e9_r, pre-shared key reauthentication in 2 hours
         any[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536

但是。当我尝试在两个IP之间进行traceroute时,似乎可以访问Internet了:

root@ubuntu-s-1vcpu-1gb-lon1-01:~# traceroute 209.97.111.12
traceroute to 209.97.111.12 (209.97.111.12), 30 hops max, 60 byte packets
 1  46.101.0.253 (46.101.0.253)  0.676 ms 46.101.0.254 (46.101.0.254)  4.185 ms 46.101.0.253 (46.101.0.253)  0.644 ms
 2  138.197.249.106 (138.197.249.106)  0.939 ms 138.197.249.122 (138.197.249.122)  1.041 ms 138.197.249.120 (138.197.249.120)  1.460 ms
 3  138.197.249.119 (138.197.249.119)  0.580 ms 138.197.249.125 (138.197.249.125)  0.588 ms 138.197.249.109 (138.197.249.109)  0.603 ms
 4  209.97.111.12 (209.97.111.12)  1.661 ms  1.682 ms  1.660 ms

据我了解,此命令中应该有一条路线: ip -s xfrm状态

尽管此命令不返回任何内容。 我也没有创建任何接口,即使启动了VPN,我也只能看到lo和eth0。

有人可以帮忙吗?

0 个答案:

没有答案