I use DO to host my production server. I am currently building a DR environment and am having problems with forwarding the traffic. I used the same kind of configuration as in the production environment, where it works fine (I even tried cloning the VM and changing the IPs, and got the same problem as with a fresh install). The server receives packets on eth1 but does not send them out (as it should on eth0, via the IPsec policy).

The DR VPN server information is below (please note that the data has been sanitised).

[email protected]:~# ip a
eth0: 20.99.90.5/20
eth1: 10.10.0.2/20

[email protected]:~# ipsec status
Security Associations (1 up, 0 connecting):
vpn-to-DR[1]: ESTABLISHED 46 minutes ago, 20.99.90.5[20.99.90.5]...x1.xx3.x.xx4[x1.xx3.x.xx4]
vpn-to-env{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0ac5230_i 0b8674b3_o
vpn-to-env{1}: 10.10.0.3/32 === x1.xx3.x.x9/32

These are the iptables settings

[email protected]:~# iptables-save
*filter
:INPUT ACCEPT [3881983:1293276786]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3858285:672322166]
-A FORWARD -s 10.10.0.0/16 -d x1.xx3.x.x9/32 -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s x1.xx3.x.x9/32 -d 10.10.0.0/16 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i eth1 -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [1266750:71807552]
:INPUT ACCEPT [1259384:71241122]
:OUTPUT ACCEPT [38114:4106963]
:POSTROUTING ACCEPT [38115:4107047]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.0.0/16 ! -d 10.10.0.0/16 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.10.0.0/16 ! -d 10.10.0.0/16 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.10.0.0/16 ! -d 10.10.0.0/16 -p tcp -j MASQUERADE
-A POSTROUTING -s 10.10.0.0/16 -o eth1 -j MASQUERADE

I have configured it for forwarding

sudo sysctl -a | grep net.ipv4.conf.*.forwarding
net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.bc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.bc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0

Additional information from an iptables trace

########## production
[6814683.211912] TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=52:68:7d SRC=10.13.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1
[6814683.211979] TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= MAC=52:68:7d SRC=10.13.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1
[6814683.212037] TRACE: filter:FORWARD:rule:3 IN=eth1 OUT=eth0 MAC=52:68: SRC=10.13.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1
[6814683.212053] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=10.132.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1

[email protected]_PROD:~# iptables -L -t nat --line-numbers -n
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
2 MASQUERADE tcp -- 10.13.0.0/16 !10.13.0.0/16 masq ports: 1024-65535
3 MASQUERADE udp -- 10.13.0.0/16 !10.13.0.0/16 masq ports: 1024-65535
4 MASQUERADE tcp -- 10.13.0.0/16 !10.13.0.0/16
5 MASQUERADE all -- 10.13.0.0/16 0.0.0.0/0

[email protected]_PROD:~# iptables -L -t filter --line-numbers -n
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 10.13.0.0/16 x1.xx3.0.0/16 policy match dir in pol ipsec proto 50
2 ACCEPT all -- x1.xx3.0.0/16 10.13.0.0/16 policy match dir out pol ipsec proto 50
3 ACCEPT all -- 10.13.0.0/16 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 10.13.0.0/16 state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[email protected]_PROD:~#

and the trace from DR

######## DR
[ 3152.620125] TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=c2:62:51: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[ 3152.620202] TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= MAC=c2:62:51: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[ 3152.620265] TRACE: filter:FORWARD:policy:1 IN=eth1 OUT=eth0 MAC=c2:6251: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[ 3152.620283] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=10.108.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[email protected]:~# iptables -L -t nat --line-numbers -n
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
2 MASQUERADE tcp -- 10.10.0.0/20 !10.10.0.0/20 masq ports: 1024-65535
3 MASQUERADE udp -- 10.10.0.0/20 !10.10.0.0/20 masq ports: 1024-65535
4 MASQUERADE all -- 10.10.0.0/20 0.0.0.0/0

[email protected]:~# iptables -L -t filter --line-numbers -n
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 10.10.0.0/20 x1.xx3.0.0/16 policy match dir in pol ipsec proto 50
2 ACCEPT all -- x1.xx3.0.0/16 10.10.0.0/20 policy match dir out pol ipsec proto 50
3 ACCEPT all -- 10.10.0.0/20 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 10.10.0.0/20 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
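One way to read the two TRACE outputs side by side, as an added example that is not part of the original post: in a `TRACE: table:chain:policy:N` line the kernel reports that no rule matched and N-1 rules were walked, so N can be checked against the rule count `iptables -L --line-numbers` shows for that chain. The code below does that for the DR trace and listing quoted above; it assumes the raw table (not shown in the post) contains only the TRACE rule itself, and the input strings are constructed from the post's own sanitised values.

```python
import re
# Constructed input copied from the DR host's output in the post (its sanitised addresses; MAC/LEN/TTL
# trimmed). raw is not shown there, so assume it holds only the TRACE rule itself.
DR_TRACE = """\
[ 3152.620125] TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= SRC=10.10.0.3 DST=x1.xx3.x.x9 PROTO=ICMP
[ 3152.620202] TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= SRC=10.10.0.3 DST=x1.xx3.x.x9 PROTO=ICMP
[ 3152.620265] TRACE: filter:FORWARD:policy:1 IN=eth1 OUT=eth0 SRC=10.10.0.3 DST=x1.xx3.x.x9 PROTO=ICMP
[ 3152.620283] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=10.108.0.3 DST=x1.xx3.x.x9 PROTO=ICMP
"""
DR_FILTER_LISTING = """\
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 10.10.0.0/20 x1.xx3.0.0/16 policy match dir in pol ipsec proto 50
2 ACCEPT all -- x1.xx3.0.0/16 10.10.0.0/20 policy match dir out pol ipsec proto 50
3 ACCEPT all -- 10.10.0.0/20 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 10.10.0.0/20 state RELATED,ESTABLISHED
"""
OTHER_COUNTS = {("raw", "PREROUTING"): 1, ("nat", "PREROUTING"): 0, ("nat", "POSTROUTING"): 4}  # nat as listed in the post
TRACE_RE = re.compile(r"TRACE: (\w+):(\w+):(rule|policy|return):(\d+) (.*)")

def parse_trace(text):
    """One dict per TRACE line: table, chain, verdict kind, rule position, packet key=value fields."""
    hops = []
    for m in filter(None, map(TRACE_RE.search, text.splitlines())):
        table, chain, kind, num, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        hops.append({"table": table, "chain": chain, "kind": kind, "num": int(num), "fields": fields})
    return hops

def count_rules(listing, table):
    """Numbered rules per chain in `iptables -L -t <table> --line-numbers -n` output."""
    counts, chain = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            counts[(table, chain)] = 0
        elif chain and line[:1].isdigit():
            counts[(table, chain)] += 1
    return counts

def check_policy_hits(hops, rule_counts):
    """'policy:N' means no rule matched after N-1 rules were walked. If N-1 is below the count shown by
    `iptables -L`, the kernel evaluated a chain with fewer rules than listed (e.g. rules loaded into
    another backend or network namespace). Returns (table, chain, walked, listed) per mismatch."""
    return [(h["table"], h["chain"], h["num"] - 1, rule_counts[(h["table"], h["chain"])])
            for h in hops if h["kind"] == "policy" and (h["table"], h["chain"]) in rule_counts
            and h["num"] - 1 != rule_counts[(h["table"], h["chain"])]]

def dr_findings():
    counts = {**OTHER_COUNTS, **count_rules(DR_FILTER_LISTING, "filter")}
    return check_policy_hits(parse_trace(DR_TRACE), counts)
```

For the production trace the check is silent (`filter:FORWARD:rule:3` is a rule match, and the policy hits agree with the listings); for DR it reports that the packet hit the FORWARD policy after walking zero rules while four are listed.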