我正在两个数字海洋小滴之间建立VPN。这些服务器都有公共IP地址。我正在尝试通过IPSEC隧道发送纯文本流量,但似乎没有通过加密隧道发送流量。
这是我的配置-除了IP颠倒之外,每端的配置完全相同,并且一端具有auto = start,另一端具有auto = add。
config setup
strictcrlpolicy=no
uniqueids = no
conn any
leftid=178.62.150.163
leftsubnet=178.62.150.163/32
leftsourceip=178.62.150.163
right=209.97.111.12
rightsubnet=209.97.111.12/32
rightid=209.97.111.12
keyingtries=%forever
ike=aes256-sha2_512-modp1536
esp=aes256-sha2_512-modp1536
ikelifetime=3h
keylife=1h
compress=yes
dpdaction=restart
dpddelay=30
dpdtimeout=120
authby=secret
fragmentation=yes
auto=start
authby=secret
keyexchange=ike
type=tunnel
VPN似乎已启动。
root@ubuntu-s-1vcpu-1gb-lon1-01:~# ipsec statusall any
Status of IKE charon daemon (strongSwan 5.6.2, Linux 4.15.0-66-generic, x86_64):
uptime: 10 minutes, since Mar 04 10:51:54 2020
malloc: sbrk 1630208, mmap 0, used 662496, free 967712
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
178.62.150.163
10.16.0.7
Connections:
any: %any...209.97.111.12 IKEv1/2, dpddelay=30s
any: local: [178.62.150.163] uses pre-shared key authentication
any: remote: [209.97.111.12] uses pre-shared key authentication
any: child: 178.62.150.163/32 === 209.97.111.12/32 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
any[1]: ESTABLISHED 10 minutes ago, 178.62.150.163[178.62.150.163]...209.97.111.12[209.97.111.12]
any[1]: IKEv2 SPIs: a5c8f64f5221786c_i* e7b90ff29d2566e9_r, pre-shared key reauthentication in 2 hours
any[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/MODP_1536
但是。当我尝试在两个IP之间进行traceroute时,似乎可以访问Internet了:
root@ubuntu-s-1vcpu-1gb-lon1-01:~# traceroute 209.97.111.12
traceroute to 209.97.111.12 (209.97.111.12), 30 hops max, 60 byte packets
1 46.101.0.253 (46.101.0.253) 0.676 ms 46.101.0.254 (46.101.0.254) 4.185 ms 46.101.0.253 (46.101.0.253) 0.644 ms
2 138.197.249.106 (138.197.249.106) 0.939 ms 138.197.249.122 (138.197.249.122) 1.041 ms 138.197.249.120 (138.197.249.120) 1.460 ms
3 138.197.249.119 (138.197.249.119) 0.580 ms 138.197.249.125 (138.197.249.125) 0.588 ms 138.197.249.109 (138.197.249.109) 0.603 ms
4 209.97.111.12 (209.97.111.12) 1.661 ms 1.682 ms 1.660 ms
据我了解,此命令中应该有一条路线: ip -s xfrm状态
尽管此命令不返回任何内容。 我也没有创建任何接口,即使启动了VPN,我也只能看到lo和eth0。
有人可以帮忙吗?