The IPsec tunnel is up, but why can't I ping the destination IP addresses?

Rating: 0 | Answers: 1 | Published: 13.07.2023

Both servers are Debian, and both act as the gateways.

Settings of server 1:

  • ifconfig
eth0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        ether 04:42:1a:08:7c:84  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::e21a:eaff:fe76:96f4  prefixlen 64  scopeid 0x20<link>
        ether e0:1a:ea:76:96:f4  txqueuelen 1000  (Ethernet)
        RX packets 399930669  bytes 150437986833 (140.1 GiB)
        RX errors 3  dropped 0  overruns 0  frame 3
        TX packets 507386332  bytes 412721154240 (384.3 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16

eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 1.1.1.1  netmask 255.255.255.240  broadcast 1.1.1.255
        inet6 fe80::6a05:caff:fef3:ba78  prefixlen 64  scopeid 0x20<link>
        ether 68:05:ca:f3:ba:78  txqueuelen 1000  (Ethernet)
        RX packets 523293735  bytes 416686613426 (388.0 GiB)
        RX errors 4  dropped 1264  overruns 0  frame 2
        TX packets 387723159  bytes 149380371502 (139.1 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xa0ac0000-a0ae0000

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 1362162  bytes 67625872 (64.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1362162  bytes 67625872 (64.4 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  • ipsec.conf
config setup
  charondebug="all"
  uniqueids=yes

conn ptgateway-to-bmgateway
  type=tunnel
  auto=start
  keyexchange=ikev2
  authby=secret
  left=1.1.1.1
  leftsubnet=10.0.0.0/24
  right=2.2.2.2
  rightsubnet=20.0.0.0/24
  ike=aes256-sha1-modp1024!
  esp=aes256-sha1!
  aggressive=no
  keyingtries=%forever
  ikelifetime=28800s
  lifetime=3600s
  dpddelay=30s
  dpdtimeout=120s
  dpdaction=restart
  • ipsec.secrets
1.1.1.1 2.2.2.2 : PSK "sdfsdfgvtgdtgdac032zVFKkrXdfddfv/ya04WzPA="
  • route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         1.1.1.241     0.0.0.0         UG    0      0        0 eth2
10.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
1.1.1.240     0.0.0.0         255.255.255.240 U     0      0        0 eth2
  • ipsec status

Security Associations (1 up, 1 connecting):
ptgateway-to-bmgateway[3]: CONNECTING, 1.1.1.1[%any]...2.2.2.2[%any]
ptgateway-to-bmgateway[1]: ESTABLISHED 11 minutes ago, 1.1.1.1[1.1.1.1]...2.2.2.2[2.2.2.2]
ptgateway-to-bmgateway{4}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c6b23b59_i cef0242a_o
ptgateway-to-bmgateway{4}:   10.0.0.0/24 === 20.0.0.0/24

Settings of server 2:

  • ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 2.2.2.2  netmask 255.255.255.0  broadcast 2.2.2.255
        inet6 fe80::642:1aff:fe08:7c7f  prefixlen 64  scopeid 0x20<link>
        ether 04:42:1a:08:7c:7f  txqueuelen 1000  (Ethernet)
        RX packets 1322  bytes 124291 (121.3 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1017  bytes 208160 (203.2 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 20.0.0.1  netmask 255.255.255.0  broadcast 20.0.0.255
        inet6 fe80::6a05:caff:fef3:bdb9  prefixlen 64  scopeid 0x20<link>
        ether 68:05:ca:f3:bd:b9  txqueuelen 1000  (Ethernet)
        RX packets 421  bytes 38387 (37.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 291  bytes 26543 (25.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xa13c0000-a13e0000

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 4  bytes 156 (156.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4  bytes 156 (156.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
  • ipsec.conf
config setup
  charondebug="all"
  uniqueids=yes

conn bmgateway-to-ptgateway
  type=tunnel
  auto=start
  keyexchange=ikev2
  authby=secret
  left=2.2.2.2
  leftsubnet=20.0.0.0/24
  right=1.1.1.1
  rightsubnet=10.0.0.0/24
  ike=aes256-sha1-modp1024!
  esp=aes256-sha1!
  aggressive=no
  keyingtries=%forever
  ikelifetime=28800s
  lifetime=3600s
  dpddelay=30s
  dpdtimeout=120s
  dpdaction=restart
  • ipsec.secrets
2.2.2.2 1.1.1.1 : PSK "sdfsdfgvtgdtgdac032zVFKkrXdfddfv/ya04WzPA="
  • route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         2.2.2.254     0.0.0.0         UG    0      0        0 eth0
20.0.0.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
2.2.2.0       0.0.0.0         255.255.255.0   U     0      0        0 eth0
  • ipsec status

Security Associations (1 up, 0 connecting):
bmgateway-to-ptgateway[2]: ESTABLISHED 11 minutes ago, 2.2.2.2[2.2.2.2]...1.1.1.1[1.1.1.1]
bmgateway-to-ptgateway{2}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cef0242a_i c6b23b59_o
bmgateway-to-ptgateway{2}:   20.0.0.0/24 === 10.0.0.0/24

The PCs in both networks cannot be pinged.

Answers

▲ 0

Many thanks to Valentin Barbolin for the invaluable help!!!

# nat: masquerade LAN traffic leaving via eth2 (WAN, 1.1.1.1), except traffic bound for the
# remote LAN, which must keep its 10.0.0.x source so it still matches the tunnel selectors
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 ! -d 20.0.0.0/24 -o eth2 -j MASQUERADE
# filter: let IKE (UDP/500), ESP and AH reach the gateway itself
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
# filter: forward traffic between the two LANs in both directions
iptables -I FORWARD -s 10.0.0.0/24 -d 20.0.0.0/24 -j ACCEPT
iptables -A FORWARD -s 20.0.0.0/24 -d 10.0.0.0/24 -j ACCEPT

and similarly for the second server

# nat: on server 2 the WAN interface (2.2.2.2) is eth0, not eth2, per its ifconfig above
iptables -t nat -A POSTROUTING -s 20.0.0.0/24 ! -d 10.0.0.0/24 -o eth0 -j MASQUERADE
# filter: let IKE (UDP/500), ESP and AH reach the gateway itself
iptables -A INPUT -p udp -m udp --dport 500 -j ACCEPT
iptables -A INPUT -p esp -j ACCEPT
iptables -A INPUT -p ah -j ACCEPT
# filter: forward traffic between the two LANs in both directions
iptables -I FORWARD -s 20.0.0.0/24 -d 10.0.0.0/24 -j ACCEPT
iptables -A FORWARD -s 10.0.0.0/24 -d 20.0.0.0/24 -j ACCEPT
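As an added example (not code from the question or from the answer), the following Python model traces one forwarded packet through the path on gateway 1 as the page describes it: route lookup, filter FORWARD, nat POSTROUTING, and then the IPsec policy lookup. It assumes a simplified XFRM behaviour in which the policy selectors are matched against the packet after NAT has run, and a default FORWARD policy of DROP (the page does not show the default policy); the addresses 10.0.0.5, 20.0.0.5 and 8.8.8.8 are constructed sample input. It shows why the `! -d 20.0.0.0/24` exclusion in the MASQUERADE rule matters: without it the source is rewritten to 1.1.1.1 before the policy lookup, the packet no longer matches the 10.0.0.0/24 === 20.0.0.0/24 selector, and it leaves eth2 in cleartext instead of through the tunnel.

```python
"""Simplified model of the forwarding path on gateway 1 (added example, not
code from the question or the answer). Path modelled:
    route lookup -> filter FORWARD -> nat POSTROUTING -> IPsec policy lookup
Subnets, interfaces and rules come from the page; the packet addresses used
in __main__ and the tests are constructed. Assumption: the IPsec (XFRM)
policy is matched against the packet *after* NAT, which is the behaviour
that makes the '! -d 20.0.0.0/24' exclusion necessary."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str = ""

# Routing table of server 1 (route -n on the page): (network, egress interface)
ROUTES = [("0.0.0.0/0", "eth2"), ("10.0.0.0/24", "eth1"), ("1.1.1.240/28", "eth2")]

# IPsec traffic selector from ipsec.conf: leftsubnet === rightsubnet
TUNNEL_SELECTOR = (ip_network("10.0.0.0/24"), ip_network("20.0.0.0/24"))

# FORWARD rules from the answer: (src, dst) pairs that are explicitly accepted
FORWARD_ACCEPT = [("10.0.0.0/24", "20.0.0.0/24"), ("20.0.0.0/24", "10.0.0.0/24")]

def route(pkt: Packet) -> Packet:
    """Longest-prefix match; returns the packet with its egress interface set."""
    dst = ip_address(pkt.dst)
    best = max((ip_network(n) for n, _ in ROUTES if dst in ip_network(n)),
               key=lambda n: n.prefixlen)
    iface = next(i for n, i in ROUTES if ip_network(n) == best)
    return replace(pkt, out_iface=iface)

def forward_allowed(pkt: Packet, default_policy: str = "DROP") -> bool:
    """filter FORWARD: explicit ACCEPT pairs, otherwise the chain policy.
    The page does not show the default policy; DROP is an assumption."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for src_net, dst_net in FORWARD_ACCEPT:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return True
    return default_policy == "ACCEPT"

def masquerade(pkt: Packet, exclude_tunnel: bool, wan_ip: str = "1.1.1.1") -> Packet:
    """nat POSTROUTING: '-s 10.0.0.0/24 [! -d 20.0.0.0/24] -o eth2 -j MASQUERADE'."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    if s not in ip_network("10.0.0.0/24") or pkt.out_iface != "eth2":
        return pkt
    if exclude_tunnel and d in ip_network("20.0.0.0/24"):
        return pkt                       # '! -d 20.0.0.0/24' keeps the LAN source intact
    return replace(pkt, src=wan_ip)      # MASQUERADE rewrites the source to the eth2 address

def ipsec_selects(pkt: Packet) -> bool:
    """XFRM policy lookup on the post-NAT packet against 10.0.0.0/24 === 20.0.0.0/24."""
    left, right = TUNNEL_SELECTOR
    return ip_address(pkt.src) in left and ip_address(pkt.dst) in right

def simulate(src: str, dst: str, exclude_tunnel: bool, default_policy: str = "DROP") -> str:
    """Outcome for one forwarded packet: 'dropped', 'lan' (delivered to the local
    LAN on eth1), 'tunnel' (ESP-encapsulated) or 'cleartext:<src>' (sent out eth2 unprotected)."""
    pkt = route(Packet(src, dst))
    if not forward_allowed(pkt, default_policy):
        return "dropped"
    pkt = masquerade(pkt, exclude_tunnel)
    if pkt.out_iface == "eth1":
        return "lan"
    if ipsec_selects(pkt):
        return "tunnel"
    return f"cleartext:{pkt.src}"

if __name__ == "__main__":
    # Constructed sample packets: one LAN host on each side, plus an Internet host.
    for excl in (False, True):
        print(f"exclusion={excl}: 10.0.0.5 -> 20.0.0.5:", simulate("10.0.0.5", "20.0.0.5", excl))
    print("20.0.0.5 -> 10.0.0.5 (after ESP decapsulation):", simulate("20.0.0.5", "10.0.0.5", True))
    print("10.0.0.5 -> 8.8.8.8 with FORWARD policy ACCEPT:",
          simulate("10.0.0.5", "8.8.8.8", True, default_policy="ACCEPT"))
```

Running it prints `cleartext:1.1.1.1` for LAN-to-LAN traffic when the exclusion is missing and `tunnel` when it is present; Internet-bound traffic is still masqueraded either way. On a real gateway the same question is answered by comparing `iptables -t nat -S POSTROUTING` with the selectors shown by `ipsec status`.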