I am trying to set up an IPsec tunnel between two VMs (R2, R3) on the same network, one of which (R2) will act as a router, so that I can send traffic from a third VM (R1) to R3 through the IPsec tunnel.
I built the following topology:
I have replaced the real IP addresses with fake ones, but the VMs are on the same network, so it would look like R3: 1.2.3.4, R2: 1.2.3.5, R1: 1.2.3.6
Configuration of /etc/ipsec.d/mytunnel.conf on the R3 VM:
```ini
config setup
    protostack=netkey

#conn mysubnet
#    also=mytunnel
#    leftsubnet=10.0.1.1/24
#    rightsubnet=10.0.0.1/24
#    auto=start

conn mytunnel
    left=4.6.7.8
    right=1.2.3.4
    authby=secret
    leftsubnet=10.0.1.1/24
    rightsubnet=10.0.0.1/24
    auto=start
    # route-based VPN requires marking and an interface
    mark=5/0xffffffff
    vti-interface=vti03
    # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
    vti-routing=yes
    # If you run a subnet with BGP (quagga) daemons over IPsec, you can configure the VTI interface
    leftvti=10.0.7.1/24
```
Configuration of /etc/ipsec.d/mytunnel.conf on R2:
```ini
config setup
    protostack=netkey

#conn mysubnet
#    also=mytunnel
#    leftsubnet=10.0.1.1/24
#    rightsubnet=10.0.0.1/24
#    auto=start

conn mytunnel
    left=4.6.7.8
    right=1.2.3.4
    authby=secret
    leftsubnet=10.0.1.1/24
    rightsubnet=10.0.0.1/24
    auto=start
    # route-based VPN requires marking and an interface
    mark=5/0xffffffff
    vti-interface=vti03
    # do not setup routing because we don't want to send 0.0.0.0/0 over the tunnel
    vti-routing=yes
    # If you run a subnet with BGP (quagga) daemons over IPsec, you can configure the VTI interface
    leftvti=10.0.7.1/24
```
With the configuration above I can ping from R2 to R3 using ping -I 10.0.1.1 10.0.0.1
On the R1 machine I configured static routes, i.e.:
```
root@9.10.11.12:~# ip route
default via 9.10.11.1 dev ens18 onlink
10.0.0.0/24 via 5.6.7.8 dev ens18
10.0.1.0/24 via 5.6.7.8 dev ens18
```
But when I try to ping 10.0.0.1 from R1 via R2, it gives me icmp_seq=1 Destination Host Unreachable
What should I change so that R1 can reach R3 through R2's dummy0 interface (i.e. 10.0.1.1)?
Thanks for your help!
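Before touching the routes, it helps to trace the failing ping through the two decisions that matter here: R1's route lookup (does the packet even go to R2?) and the tunnel's traffic selectors on R2 (would IPsec protect a packet with that source address?). The script below is an added example written for this page, not code from the post or from Libreswan. It reuses the addresses shown above as constructed sample input and assumes that a ping from R1 is sourced from R1's own ens18 address 9.10.11.12 (nothing on R1 rewrites the source), and that the `leftsubnet`/`rightsubnet` pair are the only selectors the conn installs; the function and variable names are the example's own.

```python
"""Offline trace of a ping from R1 toward R3 through a Libreswan VTI tunnel.
Constructed input: R1's routing table and the conn selectors quoted in the post."""
import ipaddress
from typing import NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    via: Optional[str]   # next hop, or None when the route is device-only
    dev: str


def parse_ip_route(text: str) -> list:
    """Parse the `ip route` lines used on the page:
    '<prefix|default> [via <gw>] dev <ifname> ...'."""
    routes = []
    for line in text.strip().splitlines():
        fields = line.split()
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        routes.append(Route(ipaddress.ip_network(dst, strict=False), via, dev))
    return routes


def lookup(routes, dst: str) -> Route:
    """Longest-prefix match, which is how the kernel picks the route."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        raise LookupError(f"no route to {dst}")
    return max(matches, key=lambda r: r.prefix.prefixlen)


def selector_covers(leftsubnet: str, rightsubnet: str, src: str, dst: str) -> bool:
    """An outbound packet is only matched by the conn's IPsec policy when its
    source lies in leftsubnet and its destination in rightsubnet.
    strict=False normalises '10.0.1.1/24' to 10.0.1.0/24, i.e. the host bit
    in the posted subnet spec does not narrow the selector to a single host."""
    left = ipaddress.ip_network(leftsubnet, strict=False)
    right = ipaddress.ip_network(rightsubnet, strict=False)
    return ipaddress.ip_address(src) in left and ipaddress.ip_address(dst) in right


# Constructed sample: R1's routing table exactly as quoted in the post.
R1_IP_ROUTE = """
default via 9.10.11.1 dev ens18 onlink
10.0.0.0/24 via 5.6.7.8 dev ens18
10.0.1.0/24 via 5.6.7.8 dev ens18
"""

# Selectors from the posted conn (identical on R2 and R3).
LEFTSUBNET, RIGHTSUBNET = "10.0.1.1/24", "10.0.0.1/24"


def diagnose(src_host: str, dst: str = "10.0.0.1") -> dict:
    """Follow a ping from src_host to dst: R1's route lookup first, then
    whether R2's tunnel selectors would accept that (src, dst) flow."""
    hop = lookup(parse_ip_route(R1_IP_ROUTE), dst)
    return {
        "r1_next_hop": hop.via,
        "r1_dev": hop.dev,
        "tunnel_accepts_flow": selector_covers(LEFTSUBNET, RIGHTSUBNET, src_host, dst),
    }


if __name__ == "__main__":
    # The ping that works in the post: sourced from R2's own 10.0.1.1.
    print("from R2 (10.0.1.1):", diagnose("10.0.1.1"))
    # The ping that fails: sourced from R1's ens18 address.
    print("from R1 (9.10.11.12):", diagnose("9.10.11.12"))
```

Run stand-alone, the first trace shows the flow R2 already tests by hand is inside both selectors, while the second shows that R1's route does hand the packet to 5.6.7.8 but the flow 9.10.11.12 -> 10.0.0.1 falls outside `leftsubnet`, so even a correctly forwarded packet would not be carried by this conn unless the selectors are widened to include R1's network or R2 translates the source to 10.0.1.1. Two caveats belong with that: R2 only forwards between ens18 and vti03 at all when `net.ipv4.ip_forward` is 1, and a "Destination Host Unreachable" printed by R1 itself for a next hop on its own segment normally means R1 could not resolve the gateway's MAC address, which is a problem on the R1-R2 link before the tunnel is ever involved.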