Scenario where packets do not go through the VPN (net2net on the same network)

I followed the implementation guide using the same network on both sides (https://www.strongswan.org/testing/testresults/ikev2/net2net-same-nets/); below is my configuration. Since packets do not go through the VPN, there seems to be something wrong with (or something I don't understand about) my iptables or updown configuration.

Note: I have tried to clean up the output.

vpn-to-server {
    ....
    remote_addrs=16.16.16.65
    local_addrs=16.9.4.35
    children {
        vpn-to-server {
            ....
            local_ts=172.168.48.0/24
            remote_ts=16.16.65.0/24
            dpd_action=restart
            mark_in = 8
            set_mark_in = %same
            mark_out = 4
            updown = /usr/lib/ipsec/_updown
        }

The VPN tunnel is established

root@vpn-server:/etc/iptables# swanctl -l
vpn-to-server: #31, ESTABLISHED, IKEv2, 9ff137d4cdd8f543_i* d24cbee7dd1a3ddb_r
  local  '16.9.4.35' @ 16.9.4.35[4500]
  remote '16.16.16.65' @ 16.16.16.65[4500]
  AES_CBC-256/HMAC_SHA2_384_192/PRF_HMAC_SHA2_384/MODP_2048
  established 2030s ago, rekeying in 25633s
  vpn-to-server: #13101, reqid 50, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA2_384_192
    installed 2157s ago, rekeying in 1443s, expires in 1443s
    in  c3dedc5f (0x00000008),      0 bytes,     0 packets
    out e7cfcfac (0x00000004),      0 bytes,     0 packets
    local  172.168.48.0/24
    remote 16.16.65.0/24

Packet trace of a ping (bob to alice) [the second line from the bottom and the last line go out via the non-IPsec interface]

root@vpn-server:/etc/iptables# dmesg -c
TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122  
TRACE: mangle:PREROUTING:rule:1 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122  
TRACE: mangle:PREROUTING:policy:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122  MARK=0x4 
TRACE: nat:PREROUTING:rule:2 IN=eth1 OUT= MAC=MAC SRC=10.108.0.3 DST=172.16.51.197 ID=23122  MARK=0x4 
TRACE: mangle:FORWARD:policy:1 IN=eth1 OUT=eth0 MAC=MAC SRC=10.108.0.3 DST=16.16.65.197 ID=23122  MARK=0x4 
TRACE: filter:FORWARD:rule:1 IN=eth1 OUT=eth0 MAC=MAC SRC=10.108.0.3 DST=16.16.65.197 ID=23122  MARK=0x4 
TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=10.108.0.3 DST=16.16.65.197 ID=23122  MARK=0x4 
TRACE: nat:POSTROUTING:rule:2 IN= OUT=eth0 SRC=10.108.0.3 DST=16.16.65.197 ID=23122  MARK=0x4 

iptables output

root@vpn-server:/etc/iptables# iptables -L --line-numbers -t nat
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    NETMAP     all  --  anywhere             172.16.48.0/24       mark match 0x8 to:10.108.0.0/24
2    NETMAP     all  --  anywhere             172.16.51.0/24       mark match 0x4 to:16.16.65.0/24

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    NETMAP     all  --  16.16.65.0/24      anywhere             mark match 0x8 to:172.16.51.0/24
2    NETMAP     all  --  10.108.0.0/24        anywhere             mark match 0x4 to:172.16.48.0/24
3    ACCEPT     all  --  anywhere             anywhere             policy match dir out pol ipsec
4    MASQUERADE  all  --  10.108.0.0/20        anywhere            
5    MASQUERADE  tcp  --  10.108.0.0/20       !10.108.0.0/20        masq ports: 1024-65535
6    MASQUERADE  udp  --  10.108.0.0/20       !10.108.0.0/20        masq ports: 1024-65535


root@vpn-server:/etc/iptables# iptables -L --line-numbers -t filter
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         
1    ACCEPT     all  --  anywhere             anywhere             mark match 0x4
2    ACCEPT     all  --  anywhere             anywhere             mark match 0x8
3    ACCEPT     all  --  xxxxxxxx            10.108.0.0/20        policy match dir out pol ipsec proto esp
4    ACCEPT     all  --  xxxxxxxxx           10.108.0.0/16        policy match dir out pol ipsec proto esp
5    ACCEPT     all  --  10.108.0.0/20        anywhere            
6    ACCEPT     all  --  anywhere             10.108.0.0/20        state RELATED,ESTABLISHED


Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

root@vpn-server:/etc/iptables# iptables -L --line-numbers -t mangle
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    MARK       all  --  10.108.0.0/24        172.16.51.0/24       MARK set 0x4

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
num  target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination         


root@vpn-server:/etc/iptables# iptables -L --line-numbers -t raw
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    TRACE      icmp --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination         
1    TRACE      icmp --  anywhere             anywhere            
root@vpn-server:/etc/iptables# 

Statistics

root@vpn-server:/etc/iptables# iptables -L -v
Chain INPUT (policy ACCEPT 281 packets, 20288 bytes)
 pkts bytes target     prot opt in     out     source               destination         
80022   11M f2b-sshd   tcp  --  any    any     anywhere             anywhere             multiport dports ssh

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
   17  1284 ACCEPT     all  --  any    eth0    anywhere             anywhere             mark match 0x4
    0     0 ACCEPT     all  --  eth0   any     anywhere             anywhere             mark match 0x8
    0     0 ACCEPT     all  --  any    eth0    xxxxxxx/23       10.108.0.0/20        policy match dir out pol ipsec proto esp
    0     0 ACCEPT     all  --  any    eth0    xxxxxxxxx        10.108.0.0/16        policy match dir out pol ipsec proto esp
 104K 8108K ACCEPT     all  --  eth1   any     10.108.0.0/20        anywhere            
49043 3738K ACCEPT     all  --  any    eth1    anywhere             10.108.0.0/20        state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  eth0   any     10.108.0.0/20        xxxxxxxxx       policy match dir in pol ipsec proto esp
    0     0 ACCEPT     all  --  any    eth0    xxxxxxx        10.108.0.0/16        policy match dir out pol ipsec proto esp
    0     0 ACCEPT     all  --  any    eth0    192.168.22.0/24      10.108.0.0/16        policy match dir out pol ipsec proto esp

Chain OUTPUT (policy ACCEPT 306 packets, 26032 bytes)
 pkts bytes target     prot opt in     out     source               destination         
