I have a VPS in Sweden and want to establish an IKEv2 RAS connection. The connection is established and a valid SA has been created.
Now I want to masquerade the traffic to 0.0.0.0/0 through the WAN interface. I tried (as always) with
# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -m policy --dir out --pol ipsec -j ACCEPT
# iptables -t nat -A POSTROUTING -s 10.9.0.0/16 -o venet0 -j MASQUERADE
but it seems the traffic is not really being masqueraded, because the packets never reach the destination.
tcpdump output:
# tcpdump icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on venet0, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
16:25:50.153272 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:50.153328 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:51.154079 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:51.154126 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:52.050239 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.050837 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.168143 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
16:25:52.168188 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
I think the issue is the interface type... I am stuck in an OpenVZ VM and there is no default route:
# ip route show
default dev venet0 scope link
ipsec status output
# ipsec statusall
Status of IKE charon daemon (strongSwan 5.3.5, Linux 2.6.32-042stab127.2, x86_64):
uptime: 2 minutes, since Apr 28 16:19:45 2018
malloc: sbrk 1466368, mmap 0, used 348064, free 1118304
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 2
loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown
Virtual IP pools (size/online/offline):
10.9.0.110/16: 145/1/0
Listening IP addresses:
XXX.XXX.XXX.XXX
XXXX:XXXX:XXXX::XXXX
Connections:
rw-test: %any...%any IKEv2
rw-test: local: [sweden] uses pre-shared key authentication
rw-test: remote: [testuser@sweden] uses pre-shared key authentication
rw-test: child: 0.0.0.0/0 === dynamic TUNNEL
Security Associations (1 up, 0 connecting):
rw-test[1]: ESTABLISHED 2 minutes ago, XXX.XXX.XXX.XXX[sweden]...XXX.XXX.XXX.XXX[testuser@sweden]
rw-test[1]: IKEv2 SPIs: 8f084b68e20909d1_i 94a565274cecd493_r*, pre-shared key reauthentication in 53 minutes
rw-test[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
rw-test{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: cc5c3401_i 1e30ba5a_o
rw-test{1}: AES_CBC_256/HMAC_SHA1_96, 336 bytes_i (4 pkts, 24s ago), 0 bytes_o, rekeying in 12 minutes
rw-test{1}: 0.0.0.0/0 === 10.9.0.110/32
This is my ipsec.conf
# /etc/ipsec.conf - strongSwan IPsec configuration file

config setup
    charondebug="ike 4, knl 4, cfg 4"

conn %default
    compress=no
    type=tunnel
    ikelifetime=60m
    keylife=20m
    rekeymargin=3m
    keyingtries=1
    keyexchange=ikev2
    ike=aes256-sha1-modp2048,3des-sha1-modp1024!
    esp=aes256-sha1,3des-sha1!
    left=%any
    leftsubnet=0.0.0.0/0
    leftid=@sweden
    leftfirewall=yes
    rightdns=8.8.8.8,8.8.4.4
    authby=secret

conn rw-test
    right=%any
    rightid=testuser@sweden
    rightsourceip=10.9.0.110/16
    auto=add
Does anyone have an idea how to deal with this?
Tags: networking, routing, ipsec, strongswan
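As an added diagnostic that is not part of the question above and not strongSwan's own tooling, the following Python script parses tcpdump ICMP lines of the kind shown in the capture and, for every echo request (keyed by ICMP id and seq), records whether a copy with the client's pool address was seen, whether a copy rewritten to the WAN address was seen (i.e. MASQUERADE did apply), and whether any echo reply came back. That separates "the NAT rule never matched" from "NAT works, but nothing returns", which is the distinction the capture above hinges on. The first sample is the ICMP lines from the question (pool 10.9.0.0/16, WAN address anonymized as XXX.XXX.XXX.XXX, exactly as in the post); the second sample is a constructed working exchange used only to show what the check reports when replies do arrive.

```python
import ipaddress
import re
from collections import defaultdict

# One tcpdump ICMP line, e.g.
# "16:25:50.153272 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>[^:]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+), length \d+$"
)

# Sample input copied from the capture in the question (public address anonymized there).
CAPTURE_FROM_POST = """\
16:25:50.153272 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:50.153328 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 1, length 64
16:25:51.154079 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:51.154126 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 2, length 64
16:25:52.050239 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.050837 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 10347, seq 0, length 64
16:25:52.168143 IP 10.9.0.110 > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
16:25:52.168188 IP XXX.XXX.XXX.XXX > google-public-dns-b.google.com: ICMP echo request, id 24931, seq 3, length 64
"""

# Constructed sample (not from the post): a working exchange, with the echo reply
# arriving for the WAN address and then being de-NATed back to the pool address.
CAPTURE_WORKING = """\
16:30:00.000000 IP 10.9.0.110 > 8.8.4.4: ICMP echo request, id 7, seq 1, length 64
16:30:00.000050 IP XXX.XXX.XXX.XXX > 8.8.4.4: ICMP echo request, id 7, seq 1, length 64
16:30:00.010000 IP 8.8.4.4 > XXX.XXX.XXX.XXX: ICMP echo reply, id 7, seq 1, length 64
16:30:00.010050 IP 8.8.4.4 > 10.9.0.110: ICMP echo reply, id 7, seq 1, length 64
"""


def parse_icmp(capture_text):
    """Yield one dict per ICMP echo line; banner lines such as 'listening on venet0' are skipped."""
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["id"], rec["seq"] = int(rec["id"]), int(rec["seq"])
            yield rec


def in_pool(addr, pool):
    """True if addr is a literal IP inside the virtual-IP pool; hostnames and XXX placeholders are not."""
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pool)
    except ValueError:
        return False


def analyse(capture_text, pool, wan_addr):
    """Per (id, seq): was the pre-NAT request, the post-NAT request, and an echo reply seen."""
    flows = defaultdict(lambda: {"pre_nat": False, "post_nat": False, "reply": False})
    for p in parse_icmp(capture_text):
        f = flows[(p["id"], p["seq"])]
        if p["kind"] == "request":
            if in_pool(p["src"], pool):
                f["pre_nat"] = True      # still carries the client's virtual IP
            elif p["src"] == wan_addr:
                f["post_nat"] = True     # MASQUERADE rewrote the source address
        elif p["dst"] == wan_addr or in_pool(p["dst"], pool):
            f["reply"] = True            # a reply came back (to the WAN or the pool address)
    return dict(flows)


def diagnose(flows):
    """Narrow the problem down to the NAT rule itself or to the path beyond it."""
    if not flows:
        return "no ICMP echo requests in capture"
    masqueraded = sum(f["post_nat"] for f in flows.values())
    replied = sum(f["reply"] for f in flows.values())
    if masqueraded == 0:
        return "not masqueraded: requests leave with the pool source address"
    if replied == 0:
        return "masqueraded but no replies: SNAT is applied, check forwarding and the return path"
    return "ok"


if __name__ == "__main__":
    for name, cap in (("post", CAPTURE_FROM_POST), ("constructed", CAPTURE_WORKING)):
        print(name, diagnose(analyse(cap, "10.9.0.0/16", "XXX.XXX.XXX.XXX")))
```

Run it against `tcpdump -n icmp` output (with `-n`, the destination is a literal address instead of a resolved name; the parser accepts both). On the capture from the question every request appears twice, once from 10.9.0.110 and once from the WAN address, and no reply ever appears, so the verdict is "masqueraded but no replies": the MASQUERADE rule is matching, and the missing piece is somewhere after it.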