There is a tunnel up between the subnets 192.168.250.0/24 and 192.168.2.0/24. On the whole the tunnel works: traffic flows between the router in 192.168.250.0/24 and hosts in 192.168.2.0/24. But hosts in 192.168.250.0/24 cannot be reached from 192.168.2.0/24. The 192.168.2.0/24 network sits behind an NSX Edge.
On the 192.168.250.0/24 side, Libreswan runs on a server in the LAN, and that server is behind NAT.
Server:
$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.5 LTS
Release: 18.04
Codename: bionic
$ ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.250.2 netmask 255.255.255.0 broadcast 192.168.250.255
inet6 fe80::250:56ff:fea1:997d prefixlen 64 scopeid 0x20<link>
ether 00:50:56:a1:99:7d txqueuelen 1000 (Ethernet)
RX packets 68679538 bytes 18707430743 (18.7 GB)
RX errors 0 dropped 8 overruns 0 frame 0
TX packets 50187520 bytes 5291809224 (5.2 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 23503072 bytes 1881838589 (1.8 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 23503072 bytes 1881838589 (1.8 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Routing table:
$ sudo netstat -rn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.250.1 0.0.0.0 UG 0 0 0 ens160
10.77.45.21 192.168.250.1 255.255.255.255 UGH 0 0 0 ens160
10.160.35.41 192.168.250.1 255.255.255.255 UGH 0 0 0 ens160
10.160.35.42 192.168.250.1 255.255.255.255 UGH 0 0 0 ens160
10.160.35.43 192.168.250.1 255.255.255.255 UGH 0 0 0 ens160
10.160.35.44 192.168.250.1 255.255.255.255 UGH 0 0 0 ens160
10.236.20.1 192.168.250.1 255.255.255.255 UGH 0 0 0 ens160
172.19.7.5 192.168.250.1 255.255.255.255 UGH 0 0 0 ens160
a.a.a.a 192.168.250.1 255.255.255.255 UGH 0 0 0 ens160
192.168.1.0 192.168.250.1 255.255.255.0 UG 0 0 0 ens160
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 ens160
192.168.250.0 0.0.0.0 255.255.255.0 U 0 0 0 ens160
b.b.b.b 192.168.250.1 255.255.255.255 UGH 0 0 0 ens160
c.c.c.c 192.168.250.1 255.255.255.240 UG 0 0 0 ens160
Libreswan version:
$ dpkg -l | grep libreswan| awk '{print $2,$3}'
libreswan 3.23-4
Config:
conn dtln2
    type=tunnel
    authby=secret
    left=192.168.250.2
    leftid=x.x.x.x
    leftsubnet=192.168.250.0/24
    leftnexthop=%defaultroute
    leftsourceip=192.168.250.2
    right=y.y.y.y
    rightsubnet=192.168.2.0/24
    rightnexthop=%defaultroute
    ike=aes256-sha1-modp1536
    ikelifetime=28800
    salifetime=3600
    pfs=yes
    rekey=yes
    keyingtries=%forever
    phase2alg=aes256-sha1;modp1536
    auto=start
    dpddelay=3
    dpdtimeout=10
    dpdaction=restart_by_peer
    keyexchange=ike
    ikev2=insist
$ sudo ip xfrm state
...
src y.y.y.y dst 192.168.250.2
proto esp spi 0x928bcbae reqid 16393 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0xf46e08a..... 96
enc cbc(aes) 0xd5d8....
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x1369, oseq 0x0, bitmap 0xffffffff
src 192.168.250.2 dst y.y.y.y
proto esp spi 0xcee160c8 reqid 16393 mode tunnel
replay-window 32 flag af-unspec
auth-trunc hmac(sha1) 0x37a6626..... 96
enc cbc(aes) 0x12789....
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0xddd, bitmap 0x00000000
...
$ sudo ip xfrm policy
...
src 192.168.250.0/24 dst 192.168.2.0/24
dir out priority 2344
tmpl src 192.168.250.2 dst y.y.y.y
proto esp reqid 16393 mode tunnel
src 192.168.2.0/24 dst 192.168.250.0/24
dir fwd priority 2344
tmpl src y.y.y.y dst 192.168.250.2
proto esp reqid 16393 mode tunnel
src 192.168.2.0/24 dst 192.168.250.0/24
dir in priority 2344
tmpl src y.y.y.y dst 192.168.250.2
proto esp reqid 16393 mode tunnel
...
src ::/0 dst ::/0
socket out priority 0
src ::/0 dst ::/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0
src ::/0 dst ::/0 proto ipv6-icmp type 135
dir out priority 1
src ::/0 dst ::/0 proto ipv6-icmp type 135
dir fwd priority 1
src ::/0 dst ::/0 proto ipv6-icmp type 135
dir in priority 1
src ::/0 dst ::/0 proto ipv6-icmp type 136
dir out priority 1
src ::/0 dst ::/0 proto ipv6-icmp type 136
dir fwd priority 1
src ::/0 dst ::/0 proto ipv6-icmp type 136
dir in priority 1
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
f2b-sshd tcp -- anywhere anywhere multiport dports ssh
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 192.168.250.0/24 192.168.2.0/24
ACCEPT all -- 192.168.2.0/24 192.168.250.0/24
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain f2b-sshd (1 references)
target prot opt source destination
...
Here is how a host in 192.168.2.0/24 (192.168.2.19) behaves.
Checking reachability of the router:
ist@mdp-tfk-2:~$ ping 192.168.250.2
PING 192.168.250.2 (192.168.250.2) 56(84) bytes of data.
64 bytes from 192.168.250.2: icmp_seq=1 ttl=63 time=1.80 ms
64 bytes from 192.168.250.2: icmp_seq=2 ttl=63 time=1.98 ms
^C
--- 192.168.250.2 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 1.806/1.897/1.988/0.091 ms
All packets got through.
Checking access to a host behind the router:
ist@mdp-tfk-2:~$ ping 192.168.250.20
PING 192.168.250.20 (192.168.250.20) 56(84) bytes of data.
64 bytes from 192.168.250.20: icmp_seq=1 ttl=62 time=2.15 ms
^C
--- 192.168.250.20 ping statistics ---
3 packets transmitted, 1 received, 66% packet loss, time 2016ms
rtt min/avg/max/mdev = 2.159/2.159/2.159/0.000 ms
ist@mdp-tfk-2:~$
The first packet gets through, then silence.
From the 192.168.250.0/24 side.
From the router (192.168.250.2):
$ ping 192.168.2.19
PING 192.168.2.19 (192.168.2.19) 56(84) bytes of data.
64 bytes from 192.168.2.19: icmp_seq=1 ttl=63 time=2.26 ms
64 bytes from 192.168.2.19: icmp_seq=2 ttl=63 time=2.12 ms
64 bytes from 192.168.2.19: icmp_seq=3 ttl=63 time=2.05 ms
^C
--- 192.168.2.19 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 2.058/2.151/2.269/0.102 ms
From a host on the network (192.168.250.222):
$ ping 192.168.2.19
PING 192.168.2.19 (192.168.2.19) 56(84) bytes of data.
From 192.168.250.2 icmp_seq=1 Redirect Host(New nexthop: 192.168.2.19)
From 192.168.250.2: icmp_seq=1 Redirect Host(New nexthop: 192.168.2.19)
64 bytes from 192.168.2.19: icmp_seq=1 ttl=62 time=2.56 ms
From 192.168.250.222 icmp_seq=2 Destination Host Unreachable
From 192.168.250.222 icmp_seq=3 Destination Host Unreachable
From 192.168.250.222 icmp_seq=4 Destination Host Unreachable
From 192.168.250.222 icmp_seq=5 Destination Host Unreachable
From 192.168.250.2 icmp_seq=6 Redirect Host(New nexthop: 192.168.2.19)
From 192.168.250.2: icmp_seq=6 Redirect Host(New nexthop: 192.168.2.19)
64 bytes from 192.168.2.19: icmp_seq=6 ttl=62 time=2.52 ms
^C
--- 192.168.2.19 ping statistics ---
8 packets transmitted, 2 received, +6 errors, 75% packet loss, time 7003ms
rtt min/avg/max/mdev = 2.524/2.542/2.560/0.018 ms, pipe 4
[eyeline@gw-01 ~]$
Judging by the docs at https://libreswan.org/wiki/Subnet_to_subnet_VPN everything is set up correctly. But it doesn't work for the whole subnet.
Can someone point out where the snag is?
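An added diagnostic, not part of the original post, that a practitioner would run over the evidence shown above. A Linux router sends an ICMP Redirect to a LAN host when the best route for the packet's destination leads back out the interface the packet arrived on; the posted routing table carries 192.168.2.0/24 as an on-link route on ens160 (gateway 0.0.0.0), and the ping from 192.168.250.222 shows exactly that redirect followed by the host's own "Destination Host Unreachable" once it tries to resolve 192.168.2.19 on the local segment. The script below correlates the destinations of the "dir out" policies from ip xfrm policy with a netstat -rn table, flags on-link routes for remote IPsec subnets, and counts redirect lines in ping output. The sample inputs are constructed from the outputs quoted in the post; the function names are this example's own.

```shell
#!/bin/sh
# Added diagnostic (not from the original post): correlate the "dir out" IPsec
# policies with the kernel routing table and count ICMP redirects in ping output.
set -eu

# Constructed sample inputs, trimmed from the outputs shown in the post.
ROUTES='Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.250.1 0.0.0.0 UG 0 0 0 ens160
192.168.1.0 192.168.250.1 255.255.255.0 UG 0 0 0 ens160
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 ens160
192.168.250.0 0.0.0.0 255.255.255.0 U 0 0 0 ens160'

POLICIES='src 192.168.250.0/24 dst 192.168.2.0/24
dir out priority 2344
tmpl src 192.168.250.2 dst y.y.y.y
proto esp reqid 16393 mode tunnel
src 192.168.2.0/24 dst 192.168.250.0/24
dir fwd priority 2344
tmpl src y.y.y.y dst 192.168.250.2
proto esp reqid 16393 mode tunnel'

PING='PING 192.168.2.19 (192.168.2.19) 56(84) bytes of data.
From 192.168.250.2 icmp_seq=1 Redirect Host(New nexthop: 192.168.2.19)
From 192.168.250.2: icmp_seq=1 Redirect Host(New nexthop: 192.168.2.19)
64 bytes from 192.168.2.19: icmp_seq=1 ttl=62 time=2.56 ms
From 192.168.250.222 icmp_seq=2 Destination Host Unreachable'

# Destination subnets of every "dir out" policy, i.e. the peer's subnets
# this gateway is expected to encrypt traffic towards.
ipsec_remote_subnets() {
  printf '%s\n' "$1" | awk '
    $1 == "src" && $3 == "dst" { dst = $4 }
    $1 == "dir" && $2 == "out" && dst != "" { print dst; dst = "" }'
}

# Routes (netstat -rn format) whose destination is one of the given remote
# subnets (space separated, CIDR) but whose gateway is 0.0.0.0: the kernel then
# treats the peer's subnet as directly attached to that interface and redirects
# LAN hosts straight at the remote address instead of forwarding for them.
onlink_remote_routes() {
  printf '%s\n' "$1" | awk -v subnets="$2" '
    # dotted netmask -> prefix length (255.255.255.0 -> 24)
    function prefix(mask,   n, i, o, p) {
      n = 0; split(mask, p, "[.]")
      for (i = 1; i <= 4; i++) { o = p[i]; while (o > 0) { n += o % 2; o = int(o / 2) } }
      return n
    }
    BEGIN { cnt = split(subnets, s, " "); for (i = 1; i <= cnt; i++) want[s[i]] = 1 }
    $1 ~ /^[0-9]+\./ {
      key = $1 "/" prefix($3)
      if ($2 == "0.0.0.0" && (key in want)) print key, "on-link via", $8
    }'
}

# Number of ICMP Redirect lines in ping output (0 when there are none).
count_redirects() {
  printf '%s\n' "$1" | grep -c 'Redirect Host' || true
}

# Live check of this host's send_redirects setting, the knob that
# `ipsec verify` reports under "XFRM related proc values"; n/a off Linux.
send_redirects_setting() {
  f=/proc/sys/net/ipv4/conf/all/send_redirects
  if [ -r "$f" ]; then cat "$f"; else echo n/a; fi
}

remote=$(ipsec_remote_subnets "$POLICIES" | tr '\n' ' ')
echo "remote IPsec subnets: $remote"
echo "on-link routes for remote subnets:"
onlink_remote_routes "$ROUTES" "$remote"
echo "ICMP redirects seen in ping output: $(count_redirects "$PING")"
echo "net.ipv4.conf.all.send_redirects on this host: $(send_redirects_setting)"
```

On a live gateway, replace the three constructed variables with `"$(sudo netstat -rn)"`, `"$(sudo ip xfrm policy)"` and the captured ping output. A non-empty result from onlink_remote_routes is the condition under which the redirects seen in the post are produced; Libreswan's own `ipsec verify` lists send_redirects and accept_redirects under "XFRM related proc values" for the same reason, and setting both to 0 on the gateway stops LAN hosts from being steered off the tunnel regardless of how the route came to be.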