I am using DO to host my production servers. I am currently building a DR environment and have a problem with traffic forwarding. I used the same kind of configuration in the production environment and it works fine there (I tried cloning the VM, but with the IP changes it has the same problem). The server receives packets on eth1 but does not send them out. (They should go out on eth0 via the IPsec policy.)

The DR-VPN server information is as follows.

[email protected]:~# ip a
eth0: 20.99.90.5/20
eth1: 10.10.0.2/20

[email protected]:~# ipsec status
Security Associations (1 up, 0 connecting):
vpn-to-DR[1]: ESTABLISHED 46 minutes ago, 20.99.90.5[20.99.90.5]...x1.xx3.x.xx4[x1.xx3.x.xx4]
vpn-to-env{1}: INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0ac5230_i 0b8674b3_o
vpn-to-env{1}: 10.10.0.3/32 === x1.xx3.x.x9/32

Here is the iptables configuration.

[email protected]:~# iptables-save
*filter
:INPUT ACCEPT [3881983:1293276786]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [3858285:672322166]
-A FORWARD -s 10.10.0.0/16 -d x1.xx3.x.x9/32 -i eth0 -m policy --dir in --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s x1.xx3.x.x9/32 -d 10.10.0.0/16 -o eth0 -m policy --dir out --pol ipsec --proto esp -j ACCEPT
-A FORWARD -s 10.10.0.0/16 -i eth1 -j ACCEPT
-A FORWARD -d 10.10.0.0/16 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [1266750:71807552]
:INPUT ACCEPT [1259384:71241122]
:OUTPUT ACCEPT [38114:4106963]
:POSTROUTING ACCEPT [38115:4107047]
-A POSTROUTING -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.10.0.0/16 ! -d 10.10.0.0/16 -p tcp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.10.0.0/16 ! -d 10.10.0.0/16 -p udp -j MASQUERADE --to-ports 1024-65535
-A POSTROUTING -s 10.10.0.0/16 ! -d 10.10.0.0/16 -p tcp -j MASQUERADE
-A POSTROUTING -s 10.10.0.0/16 -o eth1 -j MASQUERADE

I have configured it to forward.

sudo sysctl -a | grep net.ipv4.conf.*.forwarding
net.ipv4.conf.all.bc_forwarding = 0
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.mc_forwarding = 0
net.ipv4.conf.default.bc_forwarding = 0
net.ipv4.conf.default.forwarding = 1
net.ipv4.conf.default.mc_forwarding = 0
net.ipv4.conf.eth0.bc_forwarding = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.mc_forwarding = 0
net.ipv4.conf.eth1.bc_forwarding = 0
net.ipv4.conf.eth1.forwarding = 1
net.ipv4.conf.eth1.mc_forwarding = 0
net.ipv4.conf.lo.bc_forwarding = 0
net.ipv4.conf.lo.forwarding = 1
net.ipv4.conf.lo.mc_forwarding = 0

Additional information from running a trace in iptables:

########## production
[6814683.211912] TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=52:68:7d SRC=10.13.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1
[6814683.211979] TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= MAC=52:68:7d SRC=10.13.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1
[6814683.212037] TRACE: filter:FORWARD:rule:3 IN=eth1 OUT=eth0 MAC=52:68: SRC=10.13.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1
[6814683.212053] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=10.132.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1

[email protected]_PROD:~# iptables -L -t nat --line-numbers -n
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
2 MASQUERADE tcp -- 10.13.0.0/16 !10.13.0.0/16 masq ports: 1024-65535
3 MASQUERADE udp -- 10.13.0.0/16 !10.13.0.0/16 masq ports: 1024-65535
4 MASQUERADE tcp -- 10.13.0.0/16 !10.13.0.0/16
5 MASQUERADE all -- 10.13.0.0/16 0.0.0.0/0

[email protected]_PROD:~# iptables -L -t filter --line-numbers -n
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 10.13.0.0/16 x1.xx3.0.0/16 policy match dir in pol ipsec proto 50
2 ACCEPT all -- x1.xx3.0.0/16 10.13.0.0/16 policy match dir out pol ipsec proto 50
3 ACCEPT all -- 10.13.0.0/16 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 10.13.0.0/16 state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
[email protected]_PROD:~#

And the trace from DR:

######## DR
[ 3152.620125] TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=c2:62:51: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[ 3152.620202] TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= MAC=c2:62:51: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[ 3152.620265] TRACE: filter:FORWARD:policy:1 IN=eth1 OUT=eth0 MAC=c2:6251: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[ 3152.620283] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=10.108.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1
[email protected]:~# iptables -L -t nat --line-numbers -n
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
2 MASQUERADE tcp -- 10.10.0.0/20 !10.10.0.0/20 masq ports: 1024-65535
3 MASQUERADE udp -- 10.10.0.0/20 !10.10.0.0/20 masq ports: 1024-65535
4 MASQUERADE all -- 10.10.0.0/20 0.0.0.0/0

[email protected]:~# iptables -L -t filter --line-numbers -n
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
1 ACCEPT all -- 10.10.0.0/20 x1.xx3.0.0/16 policy match dir in pol ipsec proto 50
2 ACCEPT all -- x1.xx3.0.0/16 10.10.0.0/20 policy match dir out pol ipsec proto 50
3 ACCEPT all -- 10.10.0.0/20 0.0.0.0/0
4 ACCEPT all -- 0.0.0.0/0 10.10.0.0/20 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
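As an added example (not part of the original post), here is a small Python parser for the `TRACE` lines above: it rebuilds each packet's `table:chain:verdict` path and diffs the production and DR traces hop by hop, which is the comparison the post makes by eye. The sample input is the two traces quoted in the post; `hit_rule` is a constructed helper name, not anything from iptables.

```python
import re
from itertools import zip_longest

# One iptables TRACE line: "TRACE: <table>:<chain>:<policy|rule|return>:<n> KEY=VAL ..."
TRACE_RE = re.compile(r"TRACE: (\w+):(\w+):(policy|rule|return):(\d+)\s+(.*)")
def parse_trace_line(line):
    """Return (hop, fields) for a TRACE line, else None; hop looks like 'filter:FORWARD:rule:3'.
    Only the first occurrence of a key is kept, so ID is the IP header ID (the later
    ICMP 'ID=' token is dropped) and bare flags such as DF map to ''."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group(5).split():
        key, _, val = tok.partition("=")
        fields.setdefault(key, val)
    return ":".join(m.group(1, 2, 3, 4)), fields
def packet_paths(lines):
    """Group hops by IP ID: {ip_id: {'path': [hops in order], 'in': iface, 'out': iface}}."""
    packets = {}
    for line in lines:
        parsed = parse_trace_line(line)
        if parsed is None:
            continue
        hop, f = parsed
        p = packets.setdefault(f["ID"], {"path": [], "in": f.get("IN") or None, "out": None})
        p["path"].append(hop)
        p["out"] = f.get("OUT") or p["out"]  # OUT is only set once routing has decided
    return packets
def diff_paths(ref_lines, test_lines):
    """Hop-by-hop diff of the single packet in each trace -> [(index, ref_hop, test_hop)]."""
    ref = next(iter(packet_paths(ref_lines).values()))["path"]
    test = next(iter(packet_paths(test_lines).values()))["path"]
    return [(i, r, t) for i, (r, t) in enumerate(zip_longest(ref, test)) if r != t]
def hit_rule(path, table, chain, num):
    """True when the verdict in table:chain came from numbered rule <num>, not the chain policy."""
    return f"{table}:{chain}:rule:{num}" in path
# Sample input: the two traces quoted in the post (production, then DR).
PROD_TRACE = [
    "[6814683.211912] TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=52:68:7d SRC=10.13.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1",
    "[6814683.211979] TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= MAC=52:68:7d SRC=10.13.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1",
    "[6814683.212037] TRACE: filter:FORWARD:rule:3 IN=eth1 OUT=eth0 MAC=52:68: SRC=10.13.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1",
    "[6814683.212053] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=10.132.0.4 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=30853 DF PROTO=ICMP TYPE=8 CODE=0 ID=19134 SEQ=1",
]
DR_TRACE = [
    "[ 3152.620125] TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=c2:62:51: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1",
    "[ 3152.620202] TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= MAC=c2:62:51: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1",
    "[ 3152.620265] TRACE: filter:FORWARD:policy:1 IN=eth1 OUT=eth0 MAC=c2:6251: SRC=10.10.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1",
    "[ 3152.620283] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=10.108.0.3 DST=x1.xx3.x.x9 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=31401 DF PROTO=ICMP TYPE=8 CODE=0 ID=71 SEQ=1",
]
if __name__ == "__main__":
    for i, r, t in diff_paths(PROD_TRACE, DR_TRACE):
        print(f"hop {i}: production {r} vs DR {t}")
```

Run directly, it prints the one hop where the two traces diverge (the filter FORWARD verdict: a numbered rule in production, the chain policy in DR), while both packets reach the same `nat:POSTROUTING` rule.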