I followed the implementation guide for using the same network on both sides (https://www.strongswan.org/testing/testresults/ikev2/net2net-same-nets/). Below is my configuration. Packets are not passing through the VPN, so there seems to be a problem with my iptables or updown configuration (or I'm not understanding it).

Note: I tried to clean up the output.
```
vpn-to-server {
....
remote_addrs=16.16.16.65
local_addrs=16.9.4.35
children {
vpn-to-server {
....
local_ts=172.168.48.0/24
remote_ts=16.16.65.0/24
dpd_action=restart
mark_in = 8
set_mark_in = %same
mark_out = 4
updown = /usr/lib/ipsec/_updown
}
```
The VPN tunnel is established:

```
root@vpn-server:/etc/iptables# swanctl -l
vpn-to-server: #31, ESTABLISHED, IKEv2, 9ff137d4cdd8f543_i* d24cbee7dd1a3ddb_r
local '16.9.4.35' @ 16.9.4.35[4500]
remote '16.16.16.65' @ 16.16.16.65[4500]
AES_CBC-256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
established 2030s ago, rekeying in 25633s
vpn-to-server: #13101, reqid 50, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_384_192
installed 2157s ago, rekeying in 1443s, expires in 1443s
in c3dedc5f (0x00000008), 0 bytes, 0 packets
out e7cfcfac (0x00000004), 0 bytes, 0 packets
local 172.168.48.0/24
remote 16.16.65.0/24
```
Packet trace of a ping (from bob to alice) (the second line and the last line at the bottom go out the non-IPsec interface):

```
root@vpn-server:/etc/iptables# dmesg -c
TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122
TRACE: mangle:PREROUTING:rule:1 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122
TRACE: mangle:PREROUTING:policy:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122 MARK=0x4
TRACE: nat:PREROUTING:rule:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122 MARK=0x4
TRACE: mangle:FORWARD:policy:1 IN=eth1 OUT=eth0 MAC=MAC SRC=10.108.0.3 DST=16.16.65.197 ID=23122 MARK=0x4
TRACE: filter:FORWARD:rule:1 IN=eth1 OUT=eth0 MAC=MAC SRC=10.108.0.3 DST=16.16.65.197 ID=23122 MARK=0x4
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=10.108.0.3 DST=16.16.65.197 ID=23122 MARK=0x4
TRACE: nat:POSTROUTING:rule:2 IN= OUT=eth0 SRC=10.108.0.3 DST=16.16.65.197 ID=23122 MARK=0x4
```
iptables output:

```
root@vpn-server:/etc/iptables# iptables -L --line-numbers -t nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 NETMAP all -- anywhere 172.16.48.0/24 mark match 0x8 to:10.108.0.0/24
2 NETMAP all -- anywhere 172.16.51.0/24 mark match 0x4 to:16.16.65.0/24
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 NETMAP all -- 16.16.65.0/24 anywhere mark match 0x8 to:172.16.51.0/24
2 NETMAP all -- 10.108.0.0/24 anywhere mark match 0x4 to:172.16.48.0/24
3 ACCEPT all -- anywhere anywhere policy match dir out pol ipsec
4 MASQUERADE all -- 10.108.0.0/20 anywhere
5 MASQUERADE tcp -- 10.108.0.0/20 !10.108.0.0/20 masq ports: 1024-65535
6 MASQUERADE udp -- 10.108.0.0/20 !10.108.0.0/20 masq ports: 1024-65535
root@vpn-server:/etc/iptables# iptables -L --line-numbers -t filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 f2b-sshd tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- anywhere anywhere mark match 0x4
2 ACCEPT all -- anywhere anywhere mark match 0x8
3 ACCEPT all -- xxxxxxxx 10.108.0.0/20 policy match dir out pol ipsec proto esp
4 ACCEPT all -- xxxxxxxxx 10.108.0.0/16 policy match dir out pol ipsec proto esp
5 ACCEPT all -- 10.108.0.0/20 anywhere
6 ACCEPT all -- anywhere 10.108.0.0/20 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
root@vpn-server:/etc/iptables# iptables -L --line-numbers -t mangle
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 MARK all -- 10.108.0.0/24 172.16.51.0/24 MARK set 0x4
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
root@vpn-server:/etc/iptables# iptables -L --line-numbers -t raw
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 TRACE icmp -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 TRACE icmp -- anywhere anywhere
root@vpn-server:/etc/iptables#
```
Statistics:

```
root@vpn-server:/etc/iptables# iptables -L -v
Chain INPUT (policy ACCEPT 281 packets, 20288 bytes)
pkts bytes target prot opt in out source destination
80022 11M f2b-sshd tcp -- any any anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
17 1284 ACCEPT all -- any eth0 anywhere anywhere mark match 0x4
0 0 ACCEPT all -- eth0 any anywhere anywhere mark match 0x8
0 0 ACCEPT all -- any eth0 xxxxxxx/23 10.108.0.0/20 policy match dir out pol ipsec proto esp
0 0 ACCEPT all -- any eth0 xxxxxxxxx 10.108.0.0/16 policy match dir out pol ipsec proto esp
104K 8108K ACCEPT all -- eth1 any 10.108.0.0/20 anywhere
49043 3738K ACCEPT all -- any eth1 anywhere 10.108.0.0/20 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 any 10.108.0.0/20 xxxxxxxxx policy match dir in pol ipsec proto esp
0 0 ACCEPT all -- any eth0 xxxxxxx 10.108.0.0/16 policy match dir out pol ipsec proto esp
0 0 ACCEPT all -- any eth0 192.168.22.0/24 10.108.0.0/16 policy match dir out pol ipsec proto esp
Chain OUTPUT (policy ACCEPT 306 packets, 26032 bytes)
pkts bytes target prot opt in out source destination
```
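As an added example (not code from the post, from strongSwan or from its `_updown` script), the following Python script shows how to read a trace like the one above when debugging a marked NETMAP setup. It parses the `iptables` TRACE lines, reports per packet ID which rules matched, which rule set the fwmark, which rule rewrote the destination and on which interface the packet left, and then emulates the two mark-0x4 NETMAP rules from the nat table to check whether the post-NAT source/destination pair falls inside the traffic selectors that `swanctl -l` reports, which is what the kernel's XFRM policy lookup needs in order to steer the packet into the tunnel. Each TRACE line shows the packet as it arrives at that rule, so a rule's effect is only visible on the next line; the effect of the last matched rule (`nat:POSTROUTING` here) is never observable in the trace, which is why the source rewrite is computed rather than read off. The trace lines, selectors and NETMAP ranges are copied from the post as pasted; nothing else about the setup is assumed.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample input: the dmesg TRACE lines quoted in the post, unchanged.
SAMPLE_TRACE = """\
TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122
TRACE: mangle:PREROUTING:rule:1 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122
TRACE: mangle:PREROUTING:policy:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122 MARK=0x4
TRACE: nat:PREROUTING:rule:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122 MARK=0x4
TRACE: mangle:FORWARD:policy:1 IN=eth1 OUT=eth0 MAC=MAC SRC=10.108.0.3 DST=16.16.65.197 ID=23122 MARK=0x4
TRACE: filter:FORWARD:rule:1 IN=eth1 OUT=eth0 MAC=MAC SRC=10.108.0.3 DST=16.16.65.197 ID=23122 MARK=0x4
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=10.108.0.3 DST=16.16.65.197 ID=23122 MARK=0x4
TRACE: nat:POSTROUTING:rule:2 IN= OUT=eth0 SRC=10.108.0.3 DST=16.16.65.197 ID=23122 MARK=0x4
"""

# Values exactly as they appear in the post (swanctl -l output and the nat table, mark 0x4 rules).
LOCAL_TS = "172.168.48.0/24"
REMOTE_TS = "16.16.65.0/24"
NETMAP_SRC = ("10.108.0.0/24", "172.16.48.0/24")   # nat:POSTROUTING rule 2
NETMAP_DST = ("172.16.51.0/24", "16.16.65.0/24")   # nat:PREROUTING rule 2

HOP_RE = re.compile(r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>rule|policy):(?P<num>\d+)\s+(?P<rest>.*)")


@dataclass
class Hop:
    table: str
    chain: str
    kind: str          # "rule" (a rule matched) or "policy" (chain policy applied)
    num: int
    fields: dict = field(default_factory=dict)

    @property
    def where(self):
        return f"{self.table}:{self.chain}"


def parse_trace(text):
    """One Hop per TRACE line; lines without a TRACE record (other dmesg output) are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.search(line)
        if not m:
            continue
        fields = dict(tok.partition("=")[::2] for tok in m["rest"].split())
        hops.append(Hop(m["table"], m["chain"], m["kind"], int(m["num"]), fields))
    return hops


def summarize(hops):
    """Per packet ID: rules hit, who set the mark, who rewrote DST/SRC, and the egress interface.
    A change first seen on hop N was performed by hop N-1, so attribution uses the previous hop."""
    by_id = {}
    for h in hops:
        by_id.setdefault(h.fields.get("ID"), []).append(h)
    result = {}
    for pid, path in by_id.items():
        info = {
            "rules_hit": [f"{h.where}:{h.num}" for h in path if h.kind == "rule"],
            "mark_set_by": None,
            "dst_rewritten_by": None,
            "src_rewritten_by": None,
            "egress": path[-1].fields.get("OUT") or None,
            "final_mark": path[-1].fields.get("MARK"),
        }
        for prev, cur in zip(path, path[1:]):
            if "MARK" in cur.fields and "MARK" not in prev.fields:
                info["mark_set_by"] = f"{prev.where}:{prev.num}"
            if cur.fields.get("DST") != prev.fields.get("DST"):
                info["dst_rewritten_by"] = (f"{prev.where}:{prev.num}", prev.fields.get("DST"), cur.fields.get("DST"))
            if cur.fields.get("SRC") != prev.fields.get("SRC"):
                info["src_rewritten_by"] = (f"{prev.where}:{prev.num}", prev.fields.get("SRC"), cur.fields.get("SRC"))
        result[pid] = info
    return result


def netmap(ip, from_net, to_net):
    """Emulate the NETMAP target: keep the host bits, replace the network part (equal prefix lengths)."""
    src_net, dst_net = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    if src_net.prefixlen != dst_net.prefixlen:
        raise ValueError("NETMAP requires equal prefix lengths")
    host_bits = int(ipaddress.ip_address(ip)) & int(src_net.hostmask)
    return str(ipaddress.ip_address(int(dst_net.network_address) | host_bits))


def check_against_selectors(src_ip, dst_ip):
    """Apply both mark-0x4 NETMAP rules and test the resulting pair against the child SA's selectors."""
    new_src, new_dst = netmap(src_ip, *NETMAP_SRC), netmap(dst_ip, *NETMAP_DST)
    return {
        "src_after_nat": new_src,
        "dst_after_nat": new_dst,
        "src_in_local_ts": ipaddress.ip_address(new_src) in ipaddress.ip_network(LOCAL_TS),
        "dst_in_remote_ts": ipaddress.ip_address(new_dst) in ipaddress.ip_network(REMOTE_TS),
    }


if __name__ == "__main__":
    for pid, info in summarize(parse_trace(SAMPLE_TRACE)).items():
        print(f"packet {pid}: {info}")
    print(check_against_selectors("10.108.0.3", "172.16.51.197"))
```

Run it on a fresh `dmesg` capture by replacing `SAMPLE_TRACE`; the selector check is the part to compare against your own `swanctl -l` output, since a post-NAT address outside `local_ts`/`remote_ts` will not match any XFRM policy and is routed in the clear instead of through the SA.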