Masquerading robust IPsec IKEv2 RAS clients


I have a VPS in Sweden and want to set up an IKEv2 RAS connection. The connection is established and a valid SA has been created.

Now I want to masquerade the traffic to 0.0.0.0/0 through the WAN interface. I tried (as usual) with

# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -j MASQUERADE

but it seems the traffic is not actually being masqueraded, because the packets never reach their destination.

tcpdump output:

# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:25:50.153272 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:50.153328 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:51.154079 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:51.154126 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:52.050239 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.050837 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.168143 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
16:25:52.168188 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64

I think the issue is the interface type ... I am stuck in an OpenVZ VM and there is no default route:

# ip route show
default dev venet0  scope link

ipsec status output

# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 2.6.32-042stab127.2, x86_64):
  uptime: 2 minutes, since Apr 28 16:19:45 2018
  malloc: sbrk 1466368, mmap 0, used 348064, free 1118304
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
  loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
  10.9.0.110/16: 145/1/0
Listening IP addresses:
  XXX.XXX.XXX.XXX
  XXXX:XXXX:XXXX::XXXX
Connections:
     rw-test:  %any...%any  IKEv2
     rw-test:   local:  [sweden] uses pre-shared key authentication
     rw-test:   remote: [testuser@sweden] uses pre-shared key authentication
     rw-test:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
     rw-test[1]: ESTABLISHED 2 minutes ago, XXX.XXX.XXX.XXX[sweden]...XXX.XXX.XXX.XXX[testuser@sweden]
     rw-test[1]: IKEv2 SPIs: 8f084b68e20909d1_i 94a565274cecd493_r*, pre-shared key reauthentication in 53 minutes
     rw-test[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
     rw-test{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc5c3401_i 1e30ba5a_o
     rw-test{1}:  AES_CBC_256/HMAC_SHA1_96, 336 bytes_i (4 pkts, 24s ago), 0 bytes_o, rekeying in 12 minutes
     rw-test{1}:   0.0.0.0/0 === 10.9.0.110/32

This is my ipsec.conf

# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
        charondebug="ike 4, knl 4, cfg 4"

conn %default
        compress=no
        type=tunnel
        ikelifetime=60m
        keylife=20m
        rekeymargin=3m
        keyingtries=1
        keyexchange=ikev2
        ike=aes256-sha1-modp2048,3des-sha1-modp1024!
        esp=aes256-sha1,3des-sha1!
        left=%any
        leftsubnet=0.0.0.0/0
        leftid=@sweden
        leftfirewall=yes
        rightdns=8.8.8.8,8.8.4.4
        authby=secret



conn rw-test
        right=%any
        rightid=testuser@sweden
        rightsourceip=10.9.0.110/16
        auto=add

Does anyone have an idea how to deal with this?

by papayawhip 28.04.2018 / 22:35
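An added diagnostic, not from the question or from strongSwan, that parses the tcpdump lines in the question: it pairs each echo request still carrying a 10.9.0.0/16 source with its translated copy (public source, same id/seq) and counts echo replies, which separates "the SNAT rule is not hit" from "SNAT works but nothing comes back". It assumes the public address is the XXX placeholder used above and that the capture is the cooked capture shown.

```python
import re

# Constructed sample: the ICMP lines from the question's tcpdump capture
# (the public address kept as the XXX placeholder the poster used).
SAMPLE = """\
16:25:50.153272 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:50.153328 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:51.154079 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:51.154126 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:52.050239 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.050837 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.168143 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
16:25:52.168188 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)

def analyze(capture, pool_prefix="10.9.0.", public_ip="XXX.XXX.XXX.XXX"):
    """Pair each request still carrying a pool (pre-NAT) source with its
    post-NAT copy (public source, same id/seq) and count echo replies."""
    inner, translated, replies = set(), set(), 0
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # non-ICMP-echo or unparsable line
        key = (int(m["id"]), int(m["seq"]))
        if m["kind"] == "reply":
            replies += 1
        elif m["src"].startswith(pool_prefix):
            inner.add(key)
        elif m["src"] == public_ip:
            translated.add(key)
    unmatched = sorted(inner - translated)
    return {"requests": len(inner), "masqueraded": len(inner & translated),
            "unmatched": unmatched, "replies": replies}

def verdict(stats):
    # Point at the stage where the trace says the failure is.
    if stats["requests"] == 0:
        return "no client traffic seen on this interface"
    if stats["unmatched"]:
        return "SNAT missing for %d request(s): check POSTROUTING" % len(stats["unmatched"])
    if stats["replies"] == 0:
        return "SNAT applied, no replies captured: look upstream or at the return path"
    return "requests translated and answered"
```

On the capture in the question it reports that all four requests were translated and no reply was captured, so the POSTROUTING rules are being hit and the problem lies beyond them.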

0 answers