nat - 两个 Mikrotik 站点的 NAT 到 Strongswan 的公共 IP

Question

我正在尝试重现 strongswan 测试 net2net-gw 中的模式，但在 NAT 后面使用“月亮”和“太阳”（请参阅​​ https://www.strongswan.org/testing/testresults/swanctl/net2net-gw/）。到目前为止，CA 已配置，证书已颁发，mikrotik 已配置，我可以建立隧道并设置 SA，但我无法从另一个站点 ping 通一个站点。卡罗尔配置：

connections {

    gw-base {
        local {
            auth = pubkey
            certs = carol.crt
            id = carol
        }
        remote {
            auth = pubkey
        }
        children {
            net {
                esp_proposals = aes128-sha1-modp2048,aes256-sha256-modp2048
            }
        }
        version = 2
        mobike = no
        proposals = aes128-sha1-modp2048,aes256-sha256-modp2048
        pools = pool-ipv4
    }

    gw-moon : connections.gw-base{
        remote {
            id = moon
        }
        children {
            net {
                local_ts  = 192.168.3.0/24
                remote_ts = 192.168.1.0/24

                updown = /usr/libexec/strongswan/_updown iptables
            }
        }
    }

    gw-sun : connections.gw-base {
        remote {
        id = sun
        }
        children {
            net {
                local_ts  = 192.168.1.0/24
                remote_ts = 192.168.3.0/24

                updown = /usr/libexec/strongswan/_updown iptables
            }
        }
    }
}

pools {
    pool-ipv4 {
        addrs = 192.168.99.0/24
    }
}

这是“月亮” mikrotik 配置本地子网 192.168.1.0/24 ：

/ip ipsec mode-config
add name=ike2 responder=no
/ip ipsec policy group
add name=ike2
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-128
add dh-group=modp2048 enc-algorithm=aes-128 name=ike2
/ip ipsec peer
add address=carol exchange-mode=ike2 name=ike2 profile=ike2
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=ike2 pfs-group=modp2048
/ip ipsec identity
add auth-method=digital-signature certificate=moon.p12_0 generate-policy=port-strict mode-config=ike2 notrack-chain=prerouting peer=ike2 policy-template-group=ike2
/ip ipsec policy
add dst-address=192.168.3.0/24 group=ike2 proposal=ike2 src-address=192.168.1.0/24 template=yes
/ip ipsec settings
set accounting=no

这是“sun” mikrotik 配置本地子网 192.168.3.0/24 ：

/ip ipsec mode-config
add name=ike2 responder=no
/ip ipsec policy group
add name=ike2
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-128
add dh-group=modp2048 enc-algorithm=aes-128 name=ike2
/ip ipsec peer
add address=carol exchange-mode=ike2 name=ike2 profile=ike2
/ip ipsec proposal
add enc-algorithms=aes-128-cbc name=ike2 pfs-group=modp2048
/ip ipsec identity
add auth-method=digital-signature certificate=sun.p12_0 generate-policy=port-strict mode-config=ike2 notrack-chain=prerouting peer=ike2 policy-template-group=ike2
/ip ipsec policy
add dst-address=192.168.1.0/24 group=ike2 proposal=ike2 src-address=192.168.3.0/24 template=yes
/ip ipsec settings
set accounting=no

swanctl -l 的“carol”输出

gw-moon: #12, ESTABLISHED, IKEv2, 278ded8c94f60a25_i dc1ea6a863cbbc3f_r*
  local  'carol' @ PUBLICIP[4500]
  remote 'moon' @ NATIP[9860] [192.168.99.1]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 1938s ago, rekeying in 11168s
  net: #11, reqid 8, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 498s ago, rekeying in 2840s, expires in 3462s
    in  cb0314bb,      0 bytes,     0 packets
    out 0159b817,      0 bytes,     0 packets
    local  192.168.3.0/24
    remote 192.168.1.0/24
gw-sun: #11, ESTABLISHED, IKEv2, b972f69efe68b876_i 1c57914f302e627b_r*
  local  'carol' @ PUBLICIP[4500]
  remote 'sun' @ NATIP[4500] [192.168.99.2]
  AES_CBC-128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
  established 1962s ago, rekeying in 11975s
  net: #10, reqid 7, INSTALLED, TUNNEL-in-UDP, ESP:AES_CBC-128/HMAC_SHA1_96/MODP_2048
    installed 519s ago, rekeying in 2890s, expires in 3441s
    in  c3a515f5,      2856 bytes,    34 packets,     0s ago
    out 0b5614c6,      0 bytes,     0 packets
    local  192.168.1.0/24
    remote 192.168.3.0/24

“carol” iptables 有：

-A FORWARD -s 192.168.1.0/24 -d 192.168.3.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 8 --proto esp -j ACCEPT
-A FORWARD -s 192.168.3.0/24 -d 192.168.1.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 8 --proto esp -j ACCEPT
-A FORWARD -s 192.168.3.0/24 -d 192.168.1.0/24 -i eth0 -m policy --dir in --pol ipsec --reqid 7 --proto esp -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -d 192.168.3.0/24 -o eth0 -m policy --dir out --pol ipsec --reqid 7 --proto esp -j ACCEPT

“carol”有 sysctl

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

当我从“sun”后面的工作站 192.168.3.254 之一运行 ping 时，“carol”tcpdump net 192.168.0.0/16：

08:46:57.820968 IP 192.168.3.254 > 192.168.1.1: ICMP echo request, id 30901, seq 357, length 64
08:46:57.821075 IP PUBLICIP > 192.168.1.1: ICMP echo request, id 30901, seq 357, length 64

PUBLICIP = carols public internet ip
NATIP = sun & moon nat ip

当我尝试从“sun” ping 192.168.1.1 时，我看到数据包计数器增加，但没有回复，就像我从“moon” ping 192.168.3.1 一样。但是，如果我断开“sun”并将虚拟 IP 地址 192.168.3.1 添加到 carol ip addr add 192.168.3.1/24 dev eth0ping 从“moon”到 192.168.3.1 成功，但奇怪的是 - 我无法从 carol ping“moon”...

感谢您提前提供任何建议:)