In my environment there are three IPsec VPN gateways, interconnected as follows:
moon <--> sun
moon <--> mars
During testing, moon and sun work fine, but moon and mars cannot connect.
1. moon configuration and log
root@debian:guide/ipsec-vpn/03-ipsec-fip-to-host main ✗ 16h45m ✖ ⚑ ◒
▶ k exec -it -n ns1 moon-0 -- bash
Defaulted container "ipsec-vpn" out of: ipsec-vpn, keepalived
root@moon-0:/#
root@moon-0:/# cat /etc/hosts
# Kubernetes-managed hosts file.
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
fe00::0 ip6-mcastprefix
fe00::1 ip6-allnodes
fe00::2 ip6-allrouters
10.1.0.2 moon-0
# --- STRONGSWAN_CONTENT_START ---
# --- connection moon-sun ---
127.0.2.1 moon.vpn.gw.com
172.19.0.101 moon.vpn.gw.com
172.19.0.102 sun.vpn.gw.com
# --- connection moon-mars ---
127.0.2.1 moon.vpn.gw.com
172.19.0.101 moon.vpn.gw.com
172.19.0.103 mars.vpn.gw.com
# --- STRONGSWAN_CONTENT_END ---
root@moon-0:/# cat /etc/swanctl/swanctl.conf
connections {
net-net-moon-sun {
local {
auth = pubkey
certs = tls.crt
}
remote {
auth = pubkey
id = "CN=sun.vpn.gw.com"
}
remote_addrs = sun.vpn.gw.com
children {
net-net {
local_ts = 10.1.0.0/24
remote_ts = 10.2.0.0/24
dpd_action = restart
start_action = trap
}
}
version = 2
proposals = default
}
net-net-moon-mars {
local {
auth = pubkey
certs = tls.crt
}
remote {
auth = pubkey
id = "CN=mars.vpn.gw.com"
}
remote_addrs = mars.vpn.gw.com
children {
net-net {
local_ts = 10.1.0.0/24
remote_ts = 172.21.0.0/16
dpd_action = restart
start_action = trap
}
}
version = 2
proposals = default
}
}
root@moon-0:/#
root@moon-0:/# swanctl --list-conns
net-net-moon-sun: IKEv2, no reauthentication, rekeying every 14400s
local: %any
remote: sun.vpn.gw.com
local public key authentication:
id: CN=moon.vpn.gw.com
certs: CN=moon.vpn.gw.com
remote public key authentication:
id: CN=sun.vpn.gw.com
net-net: TUNNEL, rekeying every 3600s
local: 10.1.0.0/24
remote: 10.2.0.0/24
net-net-moon-mars: IKEv2, no reauthentication, rekeying every 14400s
local: %any
remote: mars.vpn.gw.com
local public key authentication:
id: CN=moon.vpn.gw.com
certs: CN=moon.vpn.gw.com
remote public key authentication:
id: CN=mars.vpn.gw.com
net-net: TUNNEL, rekeying every 3600s
local: 10.1.0.0/24
remote: 172.21.0.0/16
root@moon-0:/#
root@moon-0:/# swanctl --log
07[IKE] sending keep alive to 172.19.0.102[4500]
15[IKE] sending keep alive to 172.19.0.102[4500]
09[KNL] creating delete job for CHILD_SA ESP/0x00000000/172.19.0.103
13[JOB] CHILD_SA ESP/0x00000000/172.19.0.103 not found for delete
06[IKE] sending keep alive to 172.19.0.102[4500]
14[IKE] sending keep alive to 172.19.0.102[4500]
13[IKE] sending keep alive to 172.19.0.102[4500]
12[IKE] sending keep alive to 172.19.0.102[4500]
09[IKE] sending keep alive to 172.19.0.102[4500]
13[IKE] sending keep alive to 172.19.0.102[4500]
12[IKE] sending keep alive to 172.19.0.102[4500]
16[IKE] sending keep alive to 172.19.0.102[4500]
13[IKE] sending keep alive to 172.19.0.102[4500]
15[IKE] sending keep alive to 172.19.0.102[4500]
14[IKE] sending keep alive to 172.19.0.102[4500]
07[IKE] sending keep alive to 172.19.0.102[4500]
15[IKE] sending keep alive to 172.19.0.102[4500]
14[IKE] sending keep alive to 172.19.0.102[4500]
07[IKE] sending keep alive to 172.19.0.102[4500]
15[IKE] sending keep alive to 172.19.0.102[4500]
16[IKE] sending keep alive to 172.19.0.102[4500]
The log shows the problem: no connection is established with 172.19.0.103, even though the peer's network and port are both reachable:
root@moon-0:/# ping 172.19.0.103
PING 172.19.0.103 (172.19.0.103): 56 data bytes
64 bytes from 172.19.0.103: icmp_seq=0 ttl=63 time=6.038 ms
64 bytes from 172.19.0.103: icmp_seq=1 ttl=63 time=0.508 ms
^C--- 172.19.0.103 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.508/3.273/6.038/2.765 ms
root@moon-0:/# nc -vuz 172.19.0.103 4500
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Connected to 172.19.0.103:4500.
Ncat: UDP packet sent successfully
Ncat: 1 bytes sent, 0 bytes received in 2.03 seconds.
root@moon-0:/#
2. sun configuration and log
root@sun-0:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
20: eth0@if21: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
link/ether 7a:0b:16:58:8a:83 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.2.0.2/24 brd 10.2.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet 10.2.0.22/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::780b:16ff:fe58:8a83/64 scope link
valid_lft forever preferred_lft forever
root@sun-0:/#
root@sun-0:/#
root@sun-0:/# cat /etc/hosts
# Kubernetes-managed hosts file.
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
fe00::0 ip6-mcastprefix
fe00::1 ip6-allnodes
fe00::2 ip6-allrouters
10.2.0.2 sun-0
# --- STRONGSWAN_CONTENT_START ---
# --- connection sun-moon ---
127.0.2.1 sun.vpn.gw.com
172.19.0.102 sun.vpn.gw.com
172.19.0.101 moon.vpn.gw.com
# --- STRONGSWAN_CONTENT_END ---
root@sun-0:/# cat /etc/swanctl/swanctl.conf
connections {
net-net-sun-moon {
local {
auth = pubkey
certs = tls.crt
}
remote {
auth = pubkey
id = "CN=moon.vpn.gw.com"
}
remote_addrs = moon.vpn.gw.com
children {
net-net {
local_ts = 10.2.0.0/24
remote_ts = 10.1.0.0/24
dpd_action = restart
start_action = trap
}
}
version = 2
proposals = default
}
}
root@sun-0:/# swanctl --list-conns
net-net-sun-moon: IKEv2, no reauthentication, rekeying every 14400s
local: %any
remote: moon.vpn.gw.com
local public key authentication:
id: CN=sun.vpn.gw.com
certs: CN=sun.vpn.gw.com
remote public key authentication:
id: CN=moon.vpn.gw.com
net-net: TUNNEL, rekeying every 3600s
local: 10.2.0.0/24
remote: 10.1.0.0/24
root@sun-0:/# swanctl --log
16[IKE] sending keep alive to 172.19.0.101[4500]
07[IKE] sending keep alive to 172.19.0.101[4500]
13[IKE] sending keep alive to 172.19.0.101[4500]
05[IKE] sending keep alive to 172.19.0.101[4500]
07[IKE] sending keep alive to 172.19.0.101[4500]
13[IKE] sending keep alive to 172.19.0.101[4500]
05[IKE] sending keep alive to 172.19.0.101[4500]
07[IKE] sending keep alive to 172.19.0.101[4500]
13[IKE] sending keep alive to 172.19.0.101[4500]
3. mars configuration and log
The three mars IPsec services run as static pods on nodes simulated by kind.
IPsec uses a keepalived VIP for high availability, IP 172.19.0.103.
The internal network is on eth2.
root@kube-ovn-control-plane:/# ip a | grep -C 2 -E "172.19.0.103|172.21"
16: eth2@if125: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 4e:cb:0d:d2:c0:08 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.21.0.2/16 brd 172.21.255.255 scope global eth2
valid_lft forever preferred_lft forever
inet6 fc00:5645:6976:1737::2/64 scope global nodad
--
inet 172.19.0.2/16 brd 172.19.255.255 scope global br-external
valid_lft forever preferred_lft forever
inet 172.19.0.103/32 scope global br-external
valid_lft forever preferred_lft forever
inet6 fc00:adb1:b29b:608d::2/64 scope global nodad
root@kube-ovn-control-plane:/# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 172.18.0.1 0.0.0.0 UG 0 0 0 eth0
10.16.0.0 100.64.0.1 255.255.0.0 UG 0 0 0 ovn0
100.64.0.0 0.0.0.0 255.255.0.0 U 0 0 0 ovn0
172.18.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
172.19.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br-external
172.21.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
root@kube-ovn-control-plane:/# cat /etc/hosts
# Kubernetes-managed hosts file (host network).
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00:: ip6-localnet
ff00:: ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.18.0.4 kube-ovn-control-plane
fc00:f853:ccd:e793::4 kube-ovn-control-plane
172.19.0.2 kube-ovn-control-plane
fc00:adb1:b29b:608d::2 kube-ovn-control-plane
172.21.0.2 kube-ovn-control-plane
fc00:5645:6976:1737::2 kube-ovn-control-plane
# --- STRONGSWAN_CONTENT_START ---
# --- connection mars-moon ---
127.0.2.1 mars.vpn.gw.com
172.19.0.103 mars.vpn.gw.com
172.19.0.101 moon.vpn.gw.com
# --- STRONGSWAN_CONTENT_END ---
root@kube-ovn-control-plane:/# cat /etc/swanctl/swanctl.conf
connections {
net-net-mars-moon {
local {
auth = pubkey
certs = tls.crt
}
remote {
auth = pubkey
id = "CN=moon.vpn.gw.com"
}
remote_addrs = moon.vpn.gw.com
children {
net-net {
local_ts = 172.21.0.0/16
remote_ts = 10.1.0.0/24
dpd_action = restart
start_action = trap
}
}
version = 2
proposals = default
}
}
root@kube-ovn-control-plane:/#
The configuration above should also be fine. IPsec is currently running in daemon mode, where connections can be loaded dynamically; after IPsec has started, updated IPsec configuration must be loaded manually.
4. After loading manually
4.1 host-side IPsec
Switched to a different node:
root@kube-ovn-worker:/etc/host-init-strongswan# cat /etc/hosts
# Kubernetes-managed hosts file (host network).
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00:: ip6-localnet
ff00:: ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.18.0.2 kube-ovn-worker
fc00:f853:ccd:e793::2 kube-ovn-worker
172.19.0.4 kube-ovn-worker
fc00:adb1:b29b:608d::4 kube-ovn-worker
172.21.0.4 kube-ovn-worker
fc00:5645:6976:1737::4 kube-ovn-worker
# --- STRONGSWAN_CONTENT_START ---
# --- connection mars-moon ---
127.0.2.1 mars.vpn.gw.com
172.19.0.103 mars.vpn.gw.com
172.19.0.101 moon.vpn.gw.com
# --- STRONGSWAN_CONTENT_END ---
root@kube-ovn-worker:/etc/host-init-strongswan# cat /etc/swanctl/swanctl.conf
connections {
net-net-mars-moon {
local {
auth = pubkey
certs = tls.crt
}
remote {
auth = pubkey
id = "CN=moon.vpn.gw.com"
}
remote_addrs = moon.vpn.gw.com
children {
net-net {
local_ts = 172.21.0.0/16
remote_ts = 10.1.0.0/24
dpd_action = restart
start_action = trap
}
}
version = 2
proposals = default
}
}
18: eth2@if175: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 62:ac:25:7b:38:2a brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 172.21.0.4/16 brd 172.21.255.255 scope global eth2
valid_lft forever preferred_lft forever
inet6 fc00:5645:6976:1737::4/64 scope global nodad
--
19: br-external: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
link/ether 7e:6d:ba:99:64:63 brd ff:ff:ff:ff:ff:ff
inet 172.19.0.4/16 brd 172.19.255.255 scope global br-external
valid_lft forever preferred_lft forever
inet 172.19.0.103/32 scope global br-external
valid_lft forever preferred_lft forever
inet6 fc00:adb1:b29b:608d::4/64 scope global nodad
# 172.21.0.0/16 is the internal interconnect subnet
# 172.19.0.103 is the simulated public IP
The check script pings the (simulated) public IP of the peer site:
root@kube-ovn-worker:/etc/host-init-strongswan# bash -x check
+ set -eux
+ ping -n -c 1 172.19.0.101 # reachable, as the reply below shows
PING 172.19.0.101 (172.19.0.101): 56 data bytes
64 bytes from 172.19.0.101: icmp_seq=0 ttl=63 time=0.776 ms
--- 172.19.0.101 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.776/0.776/0.776/0.000 ms
+ /usr/sbin/swanctl --load-all
loaded certificate from '/etc/swanctl/x509/tls.crt'
loaded certificate from '/etc/swanctl/x509ca/ca.crt'
loaded RSA key from '/etc/swanctl/private/tls.key'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'net-net-mars-moon'
successfully loaded 1 connections, 0 unloaded
+ swanctl --list-conns
net-net-mars-moon: IKEv2, no reauthentication, rekeying every 14400s
local: %any
remote: moon.vpn.gw.com
local public key authentication:
id: CN=mars.vpn.gw.com
certs: CN=mars.vpn.gw.com
remote public key authentication:
id: CN=moon.vpn.gw.com
net-net: TUNNEL, rekeying every 3600s
local: 172.21.0.0/16
remote: 10.1.0.0/24
+ /usr/sbin/swanctl --list-sas
net-net-mars-moon: #5, ESTABLISHED, IKEv2, 89b5d2659b70c56e_i d2c103f3cd25ed25_r*
local 'CN=mars.vpn.gw.com' @ 172.19.0.103[4500]
remote 'CN=moon.vpn.gw.com' @ 172.19.0.101[4500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
established 10943s ago, rekeying in 3120s
net-net: #17, reqid 1, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
installed 1798s ago, rekeying in 1496s, expires in 2162s
in c6e8d208, 0 bytes, 0 packets
out caf5c361, 0 bytes, 0 packets
local 172.21.0.0/16
remote 10.1.0.0/24
+ /usr/sbin/swanctl --stats
uptime: 14 hours, since Mar 03 11:23:55 2025
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 2
IKE_SAs: 1 total, 0 half-open
mallinfo: sbrk 3358720, mmap 0, used 1665536, free 1693184
loaded plugins: charon-systemd test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark forecast farp vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
+ ip xfrm state
src 172.19.0.103 dst 172.19.0.101
proto esp spi 0xcaf5c361 reqid 1 mode tunnel
replay-window 0 flag af-unspec
aead rfc4106(gcm(aes)) 0xdb7821cf0fb5109fecd8aa946e7368e209e52805 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
src 172.19.0.101 dst 172.19.0.103
proto esp spi 0xc6e8d208 reqid 1 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0xce8ab0285263e584114943ca708a7605f3516e53 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x0, bitmap 0x00000000
+ ip xfrm policy
src 172.21.0.0/16 dst 10.1.0.0/24
dir out priority 379519 ptype main
tmpl src 172.19.0.103 dst 172.19.0.101
proto esp spi 0xcaf5c361 reqid 1 mode tunnel
src 10.1.0.0/24 dst 172.21.0.0/16
dir fwd priority 379519 ptype main
tmpl src 172.19.0.101 dst 172.19.0.103
proto esp reqid 1 mode tunnel
src 10.1.0.0/24 dst 172.21.0.0/16
dir in priority 379519 ptype main
tmpl src 172.19.0.101 dst 172.19.0.103
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
And the peer site also shows the tunnel as up:
root@moon-0:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
26: eth0@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
link/ether 4e:e7:9d:c8:b8:92 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.1.0.2/24 brd 10.1.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet 10.1.0.11/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::4ce7:9dff:fec8:b892/64 scope link
valid_lft forever preferred_lft forever
root@moon-0:/#
root@moon-0:/# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.1.0.1 0.0.0.0 UG 0 0 0 eth0
10.1.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
root@moon-0:/# ./check
+ ping -n -c 1 172.19.0.102
PING 172.19.0.102 (172.19.0.102): 56 data bytes
64 bytes from 172.19.0.102: icmp_seq=0 ttl=62 time=12.089 ms
--- 172.19.0.102 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 12.089/12.089/12.089/0.000 ms
+ ping -n -c 1 172.19.0.103
PING 172.19.0.103 (172.19.0.103): 56 data bytes
64 bytes from 172.19.0.103: icmp_seq=0 ttl=63 time=0.760 ms
--- 172.19.0.103 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.760/0.760/0.760/0.000 ms
+ /usr/sbin/swanctl --load-all
loaded certificate from '/etc/swanctl/x509/tls.crt'
loaded certificate from '/etc/swanctl/x509ca/ca.crt'
loaded RSA key from '/etc/swanctl/private/tls.key'
no authorities found, 0 unloaded
no pools found, 0 unloaded
loaded connection 'net-net-moon-sun'
loaded connection 'net-net-moon-mars'
successfully loaded 2 connections, 0 unloaded
+ swanctl --list-conns
net-net-moon-sun: IKEv2, no reauthentication, rekeying every 14400s
local: %any
remote: sun.vpn.gw.com
local public key authentication:
id: CN=moon.vpn.gw.com
certs: CN=moon.vpn.gw.com
remote public key authentication:
id: CN=sun.vpn.gw.com
net-net: TUNNEL, rekeying every 3600s
local: 10.1.0.0/24
remote: 10.2.0.0/24
net-net-moon-mars: IKEv2, no reauthentication, rekeying every 14400s
local: %any
remote: mars.vpn.gw.com
local public key authentication:
id: CN=moon.vpn.gw.com
certs: CN=moon.vpn.gw.com
remote public key authentication:
id: CN=mars.vpn.gw.com
net-net: TUNNEL, rekeying every 3600s
local: 10.1.0.0/24
remote: 172.21.0.0/16
+ /usr/sbin/swanctl --list-sas
net-net-moon-mars: #5, ESTABLISHED, IKEv2, 89b5d2659b70c56e_i* d2c103f3cd25ed25_r
local 'CN=moon.vpn.gw.com' @ 10.1.0.2[4500]
remote 'CN=mars.vpn.gw.com' @ 172.19.0.103[4500]
AES_CBC-128/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/CURVE_25519
established 8957s ago, rekeying in 4389s
net-net: #17, reqid 2, INSTALLED, TUNNEL-in-UDP, ESP:AES_GCM_16-128
installed 3138s ago, rekeying in 438s, expires in 822s
in c49c541f, 22344 bytes, 266 packets, 12s ago
out cdc2dce4, 22092 bytes, 263 packets, 12s ago
local 10.1.0.0/24
remote 172.21.0.0/16
+ /usr/sbin/swanctl --stats
uptime: 13 hours, since Mar 03 11:23:36 2025
worker threads: 16 total, 11 idle, working: 4/0/1/0
job queues: 0/0/0/0
jobs scheduled: 3
IKE_SAs: 1 total, 0 half-open
mallinfo: sbrk 3444736, mmap 0, used 1702416, free 1742320
loaded plugins: charon-systemd test-vectors ldap pkcs11 aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark forecast farp vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-radius eap-tls eap-ttls eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
+ ip xfrm state
src 10.1.0.2 dst 172.19.0.103
proto esp spi 0xcdc2dce4 reqid 2 mode tunnel
replay-window 0 flag af-unspec
aead rfc4106(gcm(aes)) 0xbf544d43fd60f7fe971987aa555b7e218896bf27 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x107, bitmap 0x00000000
src 172.19.0.103 dst 10.1.0.2
proto esp spi 0xc49c541f reqid 2 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0x0a9803958290f93d933ab1da1e3726a23c971c26 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x11f, oseq 0x0, bitmap 0xffffffff
+ ip xfrm policy
src 10.1.0.0/24 dst 172.21.0.0/16
dir out priority 379519 ptype main
tmpl src 10.1.0.2 dst 172.19.0.103
proto esp spi 0xcdc2dce4 reqid 2 mode tunnel
src 172.21.0.0/16 dst 10.1.0.0/24
dir fwd priority 379519 ptype main
tmpl src 172.19.0.103 dst 10.1.0.2
proto esp reqid 2 mode tunnel
src 172.21.0.0/16 dst 10.1.0.0/24
dir in priority 379519 ptype main
tmpl src 172.19.0.103 dst 10.1.0.2
proto esp reqid 2 mode tunnel
src 10.1.0.0/24 dst 10.2.0.0/24
dir out priority 375424 ptype main
tmpl src 10.1.0.2 dst 172.19.0.102
proto esp reqid 1 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
dir fwd priority 375424 ptype main
tmpl src 172.19.0.102 dst 10.1.0.2
proto esp reqid 1 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
dir in priority 375424 ptype main
tmpl src 172.19.0.102 dst 10.1.0.2
proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket in priority 0 ptype main
src 0.0.0.0/0 dst 0.0.0.0/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
src ::/0 dst ::/0
socket in priority 0 ptype main
src ::/0 dst ::/0
socket out priority 0 ptype main
root@moon-0:/# swanctl --log
12[IKE] sending keep alive to 172.19.0.103[4500]
07[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
07[IKE] sending keep alive to 172.19.0.103[4500]
15[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
05[IKE] sending keep alive to 172.19.0.103[4500]
15[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
05[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
05[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
06[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
07[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
06[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
07[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
07[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
06[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
06[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
06[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
06[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
06[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
06[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
06[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
06[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
06[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
10[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
10[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
06[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
07[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
06[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
06[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
14[IKE] sending keep alive to 172.19.0.103[4500]
06[IKE] sending keep alive to 172.19.0.103[4500]
09[IKE] sending keep alive to 172.19.0.103[4500]
^Cdisconnecting...
root@moon-0:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
26: eth0@if27: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1450 qdisc noqueue state UP group default
link/ether 4e:e7:9d:c8:b8:92 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet 10.1.0.2/24 brd 10.1.0.255 scope global eth0
valid_lft forever preferred_lft forever
inet 10.1.0.11/32 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::4ce7:9dff:fec8:b892/64 scope link
valid_lft forever preferred_lft forever
root@moon-0:/#
5. Tool: ip xfrm
The section 4 listings above include ip xfrm output:
5.1. ip xfrm state
The ip xfrm state command shows the state of the IPsec security associations (SAs), including source and destination addresses and the protocol used for encryption and decryption.
Output explained:
- src 10.1.0.2 dst 172.19.0.103: an encrypted tunnel whose source address is 10.1.0.2 and whose destination is 172.19.0.103. 10.1.0.2 corresponds to the public IP 172.19.0.101; inside the VPC only the local internal IP and the peer's public IP are visible.
- proto esp: the ESP (Encapsulating Security Payload) protocol is used for encryption.
- spi 0xcdc2dce4: the Security Parameter Index (SPI), which uniquely identifies the encrypted session.
- reqid 2: the request ID, which ties this SA to its policy.
- mode tunnel: tunnel mode, meaning IPsec is used as a network-layer tunnel.
- aead: AEAD (Authenticated Encryption with Associated Data) is used to encrypt the data, here GCM (Galois/Counter Mode) with AES (Advanced Encryption Standard).
- encap type espinudp: ESP packets are encapsulated in UDP; this encapsulation is common in NAT (network address translation) environments.
- addr 0.0.0.0: this entry is not bound to a specific address; it may be used in dynamic-address situations.
- anti-replay context: the state of the replay window, which protects against replay attacks.
5.2. ip xfrm policy
The ip xfrm policy command shows each individual policy, which controls which traffic is to be processed by IPsec.
Output explained:
- src 10.1.0.0/24 dst 172.21.0.0/16: traffic from the 10.1.0.0/24 range to the 172.21.0.0/16 range is processed.
- dir out and dir in: whether this policy applies to outbound (out) or inbound (in) traffic.
- priority 379519: the priority value; all policies are ordered by it and the higher-priority policy is matched first.
- tmpl: the template, which defines the concrete source and destination addresses and the protocol used. For example, tmpl src 10.1.0.2 dst 172.19.0.103 corresponds to the state defined above.
Similarly, several policies define different source/destination address pairs to indicate which traffic should be encrypted and decrypted.
This resembles routing policy, but it is not a layer-3 routing scenario; it only matches packets for encapsulation and decapsulation.
src 10.1.0.0/24 dst 172.21.0.0/16
dir out priority 379519 ptype main
tmpl src 10.1.0.2 dst 172.19.0.103
proto esp spi 0xc185150e reqid 2 mode tunnel
# traffic from the local internal subnet 10.1.0.0/24 to 172.21.0.0/16 must go through the tunnel
# the tunnel peer is 172.19.0.103
Analogy with routing policy: match on source and/or destination address (range), forward to the next hop, and the source and destination addresses stay unchanged. Here it can be understood as tunnel policy: match on source and/or destination address (range), encapsulate in the tunnel, then send; the original source and destination addresses are encapsulated inside.
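To make the state/policy cross-check from sections 4 and 5 mechanical, here is an added example (not from the original post and not strongSwan's code) that parses `ip xfrm state` and `ip xfrm policy` output and reports, for each traffic-selector policy, whether an SA with the policy's template endpoints and reqid is installed. A policy with no matching SA is the "trap installed, tunnel not up" condition that moon showed towards mars before the manual load. The sample output is constructed from the moon listings in section 4, with the AEAD keys replaced by a placeholder.

```python
import re

# Constructed sample modelled on the moon-side listings in section 4 (after the manual
# load); AEAD keys replaced by a placeholder. Indentation is optional: flattened output works too.
XFRM_STATE = """\
src 10.1.0.2 dst 172.19.0.103
    proto esp spi 0xcdc2dce4 reqid 2 mode tunnel
    aead rfc4106(gcm(aes)) 0xKEY_PLACEHOLDER 128
src 172.19.0.103 dst 10.1.0.2
    proto esp spi 0xc49c541f reqid 2 mode tunnel
    aead rfc4106(gcm(aes)) 0xKEY_PLACEHOLDER 128
"""
XFRM_POLICY = """\
src 10.1.0.0/24 dst 172.21.0.0/16
    dir out priority 379519 ptype main
    tmpl src 10.1.0.2 dst 172.19.0.103
        proto esp spi 0xcdc2dce4 reqid 2 mode tunnel
src 172.21.0.0/16 dst 10.1.0.0/24
    dir in priority 379519 ptype main
    tmpl src 172.19.0.103 dst 10.1.0.2
        proto esp reqid 2 mode tunnel
src 10.1.0.0/24 dst 10.2.0.0/24
    dir out priority 375424 ptype main
    tmpl src 10.1.0.2 dst 172.19.0.102
        proto esp reqid 1 mode tunnel
src 0.0.0.0/0 dst 0.0.0.0/0
    socket in priority 0 ptype main
"""

SRC_RE = re.compile(r"^src (\S+) dst (\S+)$")
PROTO_RE = re.compile(r"proto esp(?: spi (0x[0-9a-f]+))? reqid (\d+) mode (\w+)")
DIR_RE = re.compile(r"^(dir|socket) (\w+) priority (\d+)")
TMPL_RE = re.compile(r"^tmpl src (\S+) dst (\S+)$")

def _records(text):
    """Group lines into records; a record starts at a line beginning with 'src '."""
    rec = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if line.startswith("src ") and rec:
            yield rec
            rec = []
        rec.append(line)
    if rec:
        yield rec

def parse_states(text):
    """Installed SAs from `ip xfrm state`: src, dst, spi, reqid."""
    sas = []
    for rec in _records(text):
        src, dst = SRC_RE.match(rec[0]).groups()
        m = next(m for m in map(PROTO_RE.search, rec[1:]) if m)
        sas.append({"src": src, "dst": dst, "spi": m.group(1), "reqid": int(m.group(2))})
    return sas

def parse_policies(text):
    """Traffic-selector policies from `ip xfrm policy`; socket bypass entries are skipped."""
    pols = []
    for rec in _records(text):
        src, dst = SRC_RE.match(rec[0]).groups()
        kind, direction, prio = DIR_RE.match(rec[1]).groups()
        if kind == "socket":
            continue  # per-socket bypass policies carry no tunnel template
        pol = {"src": src, "dst": dst, "dir": direction, "priority": int(prio),
               "tmpl_src": None, "tmpl_dst": None, "reqid": None}
        for line in rec[2:]:
            if t := TMPL_RE.match(line):
                pol["tmpl_src"], pol["tmpl_dst"] = t.groups()
            elif p := PROTO_RE.search(line):
                pol["reqid"] = int(p.group(2))
        pols.append(pol)
    return pols

def check_policies(states, policies):
    """(src_ts, dst_ts, dir) -> True if an SA with the policy's template endpoints
    and reqid is installed, False if only the trap policy is present."""
    installed = {(s["src"], s["dst"], s["reqid"]) for s in states}
    return {(p["src"], p["dst"], p["dir"]):
            (p["tmpl_src"], p["tmpl_dst"], p["reqid"]) in installed for p in policies}

if __name__ == "__main__":
    for (src, dst, d), ok in check_policies(parse_states(XFRM_STATE), parse_policies(XFRM_POLICY)).items():
        print(f"{d:3} {src} -> {dst}: {'SA installed' if ok else 'trap only, no SA'}")
```

On a live gateway, feed it the output of `ip xfrm state` and `ip xfrm policy` instead of the constructed samples; a "trap only" line for a connection that should be up is the first thing to look at before reading the IKE log.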
Summary
Taken together, this output provides the IPsec state and policy information that lets an administrator inspect and manage the network security setup. It matters especially when using a VPN or another secure communication solution: making sure that traffic actually goes through the encrypted tunnel is what protects the confidentiality and integrity of the data in transit.