I have a server (Debian 10) behind a NAT router. Several virtual machines run on this server. I want to set up an IPsec connection to a server on the Internet. Here are my ipsec.conf files from both sides:
On the local server:
config setup
    charondebug = "all"
    uniqueids = yes
    nat_traversal = yes

conn local-to-server
    type = tunnel
    auto = start
    keyexchange = ikev2
    authby = secret
    left = 192.168.1.50
    leftsubnet = 192.168.1.0/24
    right = $server-internet-ip
    rightsubnet = 172.17.41.0/24
    rightsourceip = 172.17.41.0/24
    aggressive = no
On the Internet server:
config setup
    charondebug="all"
    uniqueids = yes

conn server-to-local
    type = tunnel
    auto = start
    authby = secret
    left = $server-internet-ip
    leftsubnet = 172.17.41.0/24
    leftsourceip = 192.168.1.50
    leftsubnet = 192.168.1.0/24
    aggressive = no
When I run the ipsec status command, it answers on both sides with Security Associations (1 up, 0 connecting): server-to-local[2]: ESTABLISHED...
However, when I try to ping or telnet the local IP address 192.168.1.50 from my Internet server, I get nothing.
Running ip a shows no additional network interface associated with IPsec being up. The same goes for routes: no routes are created when IPsec comes up.
What have I missed to allow connections from the Internet server to the company's internal virtual machines? The NAT box forwards UDP 500 and 4500 from its own Internet IP address to the internal server's private IP address.
Thanks a lot for your help!
EDIT: ip xfrm state prints nothing.
EDIT2: Output of ipsec statusall on the local server:
Status of IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-8-amd64, x86_64):
uptime: 2 seconds, since Mar 19 14:23:56 2020
malloc: sbrk 1757184, mmap 0, used 557984, free 1199200
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 7
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown counters
Virtual IP pools (size/online/offline):
172.17.41.0/24: 254/0/0
Listening IP addresses:
192.168.1.50
Connections:
local-to-server: 192.168.1.50...$server-internet-ip IKEv2, dpddelay=30s
local-to-server: local: [192.168.1.50] uses pre-shared key authentication
local-to-server: remote: [$server-internet-ip] uses pre-shared key authentication
local-to-server: child: 192.168.1.0/24 === 172.17.41.0/24 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
local-to-server[1]: ESTABLISHED 2 seconds ago, 192.168.1.50[192.168.1.50]...$server-internet-ip[$server-internet-ip]
local-to-server[1]: IKEv2 SPIs: 68eab917fe1855aa_i* 87d5f2cd06b353de_r, pre-shared key reauthentication in 2 hours
local-to-server[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Output of ipsec statusall on the Internet server:
Status of IKE charon daemon (strongSwan 5.5.1, Linux 4.9.185-xxxx-std-ipv6-64, x86_64):
uptime: 12 seconds, since Mar 19 14:23:53 2020
malloc: sbrk 2478080, mmap 0, used 278288, free 2199792
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 4
loaded plugins: charon aes rc2 sha2 sha1 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem fips-prf gmp xcbc hmac attr kernel-netlink resolve socket-default stroke updown
Listening IP addresses:
$server-internet-ip
172.17.23.1
Connections:
server-to-local: $server-internet-ip...%any IKEv2, dpddelay=30s
server-to-local: local: [$server-internet-ip] uses pre-shared key authentication
server-to-local: remote: uses pre-shared key authentication
server-to-local: child: 192.168.1.0/24 === dynamic TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
server-to-local[2]: ESTABLISHED 9 seconds ago, $server-internet-ip[$server-internet-ip]...$box-internet-ip[192.168.1.50]
server-to-local[2]: IKEv2 SPIs: 68eab917fe1855aa_i 87d5f2cd06b353de_r*, pre-shared key reauthentication in 2 hours
server-to-local[2]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_3072
Here are the logs on the Internet-server side:
09[IKE] maximum IKE_SA lifetime 10783s
09[IKE] traffic selectors 172.17.41.0/24 === 192.168.1.0/24 inacceptable
09[IKE] failed to establish CHILD_SA, keeping IKE_SA
09[ENC] generating IKE_AUTH response 1 [ IDr AUTH N(AUTH_LFT) N(MOBIKE_SUP) N(ADD_4_ADDR) N(TS_UNACCEPT) ]
09[NET] sending packet: from $server-internet-ip[4500] to $box-internet-ip[4500] (160 bytes)
11[IKE] sending DPD request
11[ENC] generating INFORMATIONAL request 0 [ ]
11[NET] sending packet: from $server-internet-ip[4500] to $box-internet-ip[4500] (80 bytes)
12[NET] received packet: from $box-internet-ip[4500] to $server-internet-ip[4500] (80 bytes)
12[ENC] parsed INFORMATIONAL response 0 [ ]
Here are the logs on the local-server side:
13[IKE] sending keep alive to $server-internet-ip[4500]
15[IKE] sending DPD request
15[ENC] generating INFORMATIONAL request 8 [ N(NATD_S_IP) N(NATD_D_IP) ]
15[NET] sending packet: from 192.168.1.50[4500] to $server-internet-ip[4500] (128 bytes)
14[NET] received packet: from $server-internet-ip[4500] to 192.168.1.50[4500] (80 bytes)
14[ENC] parsed INFORMATIONAL request 8 [ ]
14[ENC] generating INFORMATIONAL response 8 [ ]
14[NET] sending packet: from 192.168.1.50[4500] to $server-internet-ip[4500] (80 bytes)
16[NET] received packet: from $server-internet-ip[4500] to 192.168.1.50[4500] (128 bytes)
16[ENC] parsed INFORMATIONAL response 8 [ N(NATD_S_IP) N(NATD_D_IP) ]
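The Internet-server log above ends the IKE_AUTH exchange with N(TS_UNACCEPT) and "traffic selectors 172.17.41.0/24 === 192.168.1.0/24 inacceptable", and its statusall shows the child as "192.168.1.0/24 === dynamic": the second leftsubnet in server-to-local has overridden the first, and there is no rightsubnet. The following is an added example, not code from the original post: a small lint for a pair of ipsec.conf files that parses them the way the starter does (last value of a repeated key wins), derives each side's traffic selectors, flags the virtual-IP keywords (leftsourceip/rightsourceip, which request or hand out a virtual address and are not wanted for a site-to-site tunnel), and checks that the two sides' selectors mirror each other. The conn sections are constructed from the question, trimmed to the keys that matter; $server-internet-ip is kept as the post's placeholder, so it is not a parseable address, and the corrected responder uses auto = add (my choice) because charon cannot initiate towards %any.

```python
# Added example (not from the original post): lint two strongSwan ipsec.conf
# files for a site-to-site tunnel. conn sections constructed from the question,
# trimmed to the relevant keys; $server-internet-ip is the post's placeholder.
import ipaddress
import re
from typing import Dict, List, Tuple

LOCAL_ORIG = """
conn local-to-server
    auto = start
    keyexchange = ikev2
    authby = secret
    left = 192.168.1.50
    leftsubnet = 192.168.1.0/24
    right = $server-internet-ip
    rightsubnet = 172.17.41.0/24
    rightsourceip = 172.17.41.0/24
"""
REMOTE_ORIG = """
conn server-to-local
    auto = start
    authby = secret
    left = $server-internet-ip
    leftsubnet = 172.17.41.0/24
    leftsourceip = 192.168.1.50
    leftsubnet = 192.168.1.0/24
"""
# Corrected pair: each side's leftsubnet is the other's rightsubnet, no
# virtual-IP keywords, and the responder only 'add's (it cannot dial %any).
LOCAL_FIXED = LOCAL_ORIG.replace("    rightsourceip = 172.17.41.0/24\n", "")
REMOTE_FIXED = """
conn server-to-local
    auto = add
    keyexchange = ikev2
    authby = secret
    left = $server-internet-ip
    leftsubnet = 172.17.41.0/24
    right = %any
    rightsubnet = 192.168.1.0/24
"""


def parse_ipsec_conf(text: str) -> Tuple[Dict[str, Dict[str, str]], List[Tuple[str, str]]]:
    """Return {section: {key: value}} plus the (section, key) pairs set twice.
    As in the starter, the last value of a repeated key wins: that is how the
    second leftsubnet above silently replaces the first."""
    sections: Dict[str, Dict[str, str]] = {}
    dups: List[Tuple[str, str]] = []
    current = ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        head = re.match(r"^(config|conn|ca)\s+(\S+)$", line)
        if head:
            current = f"{head.group(1)} {head.group(2)}"
            sections.setdefault(current, {})
            continue
        if not current or "=" not in line:
            raise ValueError(f"unexpected line: {raw!r}")
        key, value = (p.strip() for p in line.split("=", 1))
        if key in sections[current]:
            dups.append((current, key))
        sections[current][key] = value
    return sections, dups


def selector(conn: Dict[str, str], side: str) -> str:
    """Traffic selector charon derives for 'left' or 'right': the subnet if set,
    else the endpoint's own address (/32); %any or a placeholder is only known
    at run time, which `ipsec statusall` prints as 'dynamic'."""
    if conn.get(side + "subnet"):
        return conn[side + "subnet"]
    try:
        return str(ipaddress.ip_network(conn.get(side, "%any")))
    except ValueError:
        return "dynamic"


def same_net(a: str, b: str) -> bool:
    try:
        return ipaddress.ip_network(a) == ipaddress.ip_network(b)
    except ValueError:
        return False  # 'dynamic' never equals a configured subnet


def lint_site_to_site(local: str, remote: str, local_conn: str, remote_conn: str) -> List[str]:
    """Findings that explain a TS_UNACCEPTABLE between the two files."""
    findings: List[str] = []
    ts = {}
    for name, text, conn_name in (("local", local, local_conn), ("remote", remote, remote_conn)):
        sections, dups = parse_ipsec_conf(text)
        findings += [f"{name}: {k} set twice in '{s}', last value wins" for s, k in dups]
        conn = sections["conn " + conn_name]
        findings += [f"{name}: {k} requests/assigns a virtual IP, not wanted site-to-site"
                     for k in ("leftsourceip", "rightsourceip") if k in conn]
        ts[name] = (selector(conn, "left"), selector(conn, "right"))
    (ll, lr), (rl, rr) = ts["local"], ts["remote"]
    if not (same_net(ll, rr) and same_net(lr, rl)):
        findings.append(f"selectors do not mirror: local {ll} === {lr}, remote {rl} === {rr}")
    return findings
```

Running lint_site_to_site on the two original conn sections reports the duplicated leftsubnet, both sourceip keywords and the non-mirroring selectors (192.168.1.0/24 === 172.17.41.0/24 against 192.168.1.0/24 === dynamic); on the corrected pair it reports nothing. Two related caveats: with the kernel-netlink backend a policy-based tunnel never shows up as an interface in ip a, so once a CHILD_SA exists the places to look are ip xfrm policy, ip xfrm state and ip route show table 220; and nat_traversal in config setup is a legacy pluto keyword that charon ignores, since NAT traversal is always enabled (the NATD payloads in the local-side log show it working).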