
我试图通过 IPSec 隧道把带有 Asterisk 的主机连接到 SIP 中继,但流量似乎没有被正确路由……我之前用的是 OpenVPN,所以原以为 IPSec 也会启用某个接口并让流量从那里经过。

下文中我用 X、Y、Z 代替我的真实 IP 地址。

我对 IPSec 的配置是:

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
#
# Manual:     ipsec.conf.5


version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
        # Do not set debug options to debug configuration issues!
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
        # "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
        # eg:
        # plutodebug="control parsing"
        # Again: only enable plutodebug or klipsdebug when asked by a developer
        #
        # enable to get logs per-peer
        # plutoopts="--perpeerlog"
        #
        # Enable core dumps (might require system changes, like ulimit -C)
        # This is required for abrtd to work properly
        # Note: incorrect SElinux policies might prevent pluto writing the core
        # A pluto core dump can contain live IKE keying material and the PSKs
        # loaded from ipsec.secrets; keep this directory root-only and remove
        # dumps once debugging is finished.
        dumpdir=/var/run/pluto/
        # pluto binds to the interface carrying the default route. The routing
        # table posted with this config shows the default route on wlan0
        # (via 192.168.1.1) while the /32 routes to the trunk addresses sit on
        # eth0 -- worth confirming pluto is listening on the interface the ESP
        # traffic actually leaves from.
        interfaces="%defaultroute"
        #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
        nat_traversal=yes
        # exclude networks used on server side by adding %v4:!a.b.c.0/24
        # It seems that T-Mobile in the US and Rogers/Fido in Canada are
        # using 25/8 as "private" address space on their 3G network.
        # This range has not been announced via BGP (at least upto 2010-12-21)
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v6:fd00::/8,%v6:fe80::/10
        # OE is now off by default. Uncomment and change to on, to enable.
        oe=off
        # which IPsec stack to use. auto will try netkey, then klips then mast
        protostack=netkey
        # Use this to log to a file, or disable logging on embedded systems (like openwrt)
        #plutostderrlog=/dev/null
# Tunnel to the first SIP trunk host. Only packets whose destination is the
# single /32 in rightsubnet are sent through the tunnel; anything else follows
# the normal routing table unencrypted.
conn sTest01
        type=tunnel
        connaddrfamily=ipv4
        left=XXX.XXX.XXX.XXX
        leftnexthop=%defaultroute
        # Source address used for traffic entering the tunnel; here identical to left.
        leftsourceip=XXX.XXX.XXX.XXX
        right=YYY.YYY.YYY.YYY
        rightid=YYY.YYY.YYY.YYY
        # Host-only selector: Asterisk must address the trunk as exactly this IP
        # for the policy to match. NOTE(review): compare this value with the peer
        # host Asterisk reports as UNREACHABLE in "sip show peers".
        rightsubnet=ZZZ.ZZZ.ZZZ.ZZZ/32
        #rightsubnet=0.0.0.0/0
        # No Perfect Forward Secrecy for the phase-2 (ESP) SA: compromise of the
        # phase-1 keys or of the PSK exposes previously recorded ESP traffic. The
        # modp1536 suffix in phase2alg below appears not to be applied while this
        # is "no" (the whack output reports pfsgroup=no-pfs). Use pfs=yes if the
        # provider's gateway allows it.
        pfs=no
        keyingtries=4
        rekeymargin=15m
        # Pre-shared key taken from ipsec.secrets; a short or reused PSK is the
        # weakest part of this setup.
        authby=secret
        # SHA-1 and DH group 5 (modp1536) are legacy choices; prefer a sha2
        # integrity algorithm and modp2048 or stronger if the peer supports them.
        ike=aes256-sha1;modp1536
        phase2alg=aes256-sha1;modp1536
        lifetime=28800s
        auto=start

# Tunnel to the second SIP trunk host. As redacted, left/right/rightsubnet look
# identical to sTest01; the two SAs were established with distinct SPIs, so the
# real ZZZ values presumably differ -- if they were the same the two conns would
# have overlapping policies.
conn sTest02
        type=tunnel
        connaddrfamily=ipv4
        left=XXX.XXX.XXX.XXX
        leftnexthop=%defaultroute
        leftsourceip=XXX.XXX.XXX.XXX
        # Unlike sTest01 no rightid is given here; pluto then presumably
        # identifies the peer by its address -- confirm the gateway sends that ID.
        right=YYY.YYY.YYY.YYY
        # Host-only selector, see the note on sTest01.
        rightsubnet=ZZZ.ZZZ.ZZZ.ZZZ/32 
        #rightsubnet=0.0.0.0/0
        # PFS disabled (whack output: pfsgroup=no-pfs); see sTest01 for the
        # consequences.
        pfs=no
        keyingtries=4
        rekeymargin=15m
        authby=secret
        # Legacy SHA-1 / modp1536; same remark as for sTest01.
        ike=aes256-sha1;modp1536
        phase2alg=aes256-sha1;modp1536
        lifetime=28800s
        auto=start

我的路由表:

    root@lix ~ # netstat -rn
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    0.0.0.0         192.168.1.1     0.0.0.0         UG        0 0          0 wlan0
1 Trunk XXX.XXX.XXX.XXX 0.0.0.0         255.255.255.255 UH        0 0          0 eth0
2 Trunk XXX.XXX.XXX.XXX 0.0.0.0         255.255.255.255 UH        0 0          0 eth0
    84.XXX.XXX.0    0.0.0.0         255.255.192.0   U         0 0          0 eth0
    192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0

ipsec verify 的输出:

root@lix ~ # ipsec verify
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.37/K3.12.28+ (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
    [OK]
    [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [OK]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

重新启动 ipsec 时,我在日志中没有看到任何异常。

系统日志:

Feb  9 16:22:35 lix ipsec_starter[4050]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:35 lix ipsec_starter[4050]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:35 lix ipsec_setup: Stopping Openswan IPsec...
Feb  9 16:22:39 lix kernel: [ 1066.612566] NET: Unregistered protocol family 15
Feb  9 16:22:39 lix ipsec_setup: ...Openswan IPsec stopped
Feb  9 16:22:39 lix ipsec_starter[4125]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:39 lix ipsec_starter[4125]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:39 lix kernel: [ 1066.965557] NET: Registered protocol family 15
Feb  9 16:22:39 lix ipsec_setup: Starting Openswan IPsec U2.6.37/K3.12.28+...
Feb  9 16:22:40 lix ipsec_setup: Using NETKEY(XFRM) stack
Feb  9 16:22:40 lix ipsec_setup: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:40 lix ipsec_starter[4209]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:40 lix ipsec_setup: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:40 lix ipsec_starter[4209]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_setup: ...Openswan IPsec started
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_starter[4220]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_starter[4220]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix pluto: adjusting ipsec.d to /etc/ipsec.d
Feb  9 16:22:41 lix ipsec_starter[4221]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_starter[4221]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_starter[4222]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec__plutorun: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:41 lix ipsec_starter[4222]: defaulting leftsubnet to XXX.XXX.XXX.XXX
Feb  9 16:22:42 lix ipsec__plutorun: 002 added connection description "sTest01"
Feb  9 16:22:42 lix ipsec__plutorun: 002 added connection description "sTest02"
Feb  9 16:22:42 lix ipsec__plutorun: 104 "sTest01" #1: STATE_MAIN_I1: initiate

ipsec whack 的输出:

root@lix ~ # ipsec whack --name sTest01 --initiate
002 "sTest01" #4: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:ea6824a9 proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
117 "sTest01" #4: STATE_QUICK_I1: initiate
002 "sTest01" #4: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "sTest01" #4: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x2caadd64 <0x69b0a0e0 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}

root@lix ~ # ipsec whack --name sTest02 --initiate
002 "sTest02" #5: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEv2ALLOW+SAREFTRACK {using isakmp#1 msgid:956ccc0e proposal=AES(12)_256-SHA1(2)_160 pfsgroup=no-pfs}
117 "sTest02" #5: STATE_QUICK_I1: initiate
002 "sTest02" #5: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
004 "sTest02" #5: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP=>0x6e58c948 <0x7177b9ed xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=none DPD=none}

Asterisk 命令行界面 (CLI):

lix*CLI> sip show peers
Name/username             Host                                    Dyn Forcerport ACL Port     Status     
peer                      80.XX.XXX.149                                N             5060     UNREACHABLE

如果有人能提供帮助,我可以根据需要发布更多信息。

谢谢




隧道建立之后,您需要重新启动 Asterisk。

您已将 localnet 或 externip 设置为您的 vpn 地址。

抱歉,由于您隐去(通配)的信息太多,没有办法进一步帮助您。

于 2015-02-10T07:37:23.210 回答