July 28, 2020


Firewall IPsec rules (direction: inbound, i.e. traffic arriving from the tunnel is matched on each site's IPsec tab)

Firewall -> Rules -> IPsec

[SITE A][10.25.100.0/22] 
Allow Protocol IPv4 * Source 10.25.112.0/22 Port * to Destination 10.25.100.0/22 Port *

[SITE B][10.25.112.0/22]
Allow Protocol IPv4 * Source 10.25.100.0/22 Port * to Destination 10.25.112.0/22 Port *

Routing test through the tunnel, node A

[A][10.25.100.4]

[root@test ~]# ip route add 10.25.112.0/22 via 10.25.100.3 dev ens7 metric 101 proto static

[root@test ~]# ping -c 4 10.25.100.3
PING 10.25.100.3 (10.25.100.3) 56(84) bytes of data.
64 bytes from 10.25.100.3: icmp_seq=1 ttl=64 time=0.455 ms
64 bytes from 10.25.100.3: icmp_seq=2 ttl=64 time=0.540 ms
64 bytes from 10.25.100.3: icmp_seq=3 ttl=64 time=0.465 ms
64 bytes from 10.25.100.3: icmp_seq=4 ttl=64 time=0.455 ms

--- 10.25.100.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 116ms
rtt min/avg/max/mdev = 0.455/0.478/0.540/0.044 ms
[root@test ~]#
[root@test ~]# ping -c 4 10.25.112.3
PING 10.25.112.3 (10.25.112.3) 56(84) bytes of data.
64 bytes from 10.25.112.3: icmp_seq=1 ttl=63 time=36.0 ms
64 bytes from 10.25.112.3: icmp_seq=2 ttl=63 time=35.9 ms
64 bytes from 10.25.112.3: icmp_seq=3 ttl=63 time=35.9 ms
64 bytes from 10.25.112.3: icmp_seq=4 ttl=63 time=35.9 ms

--- 10.25.112.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 7ms
rtt min/avg/max/mdev = 35.860/35.922/36.009/0.145 ms
[root@test ~]#

Routing test through the tunnel, node B

[B][10.25.112.4]

[root@test2 ~]# ip route add 10.25.100.0/22 via 10.25.112.3 dev ens7 metric 101 proto static

[root@test2 ~]# ping -c 4 10.25.112.3
PING 10.25.112.3 (10.25.112.3) 56(84) bytes of data.
64 bytes from 10.25.112.3: icmp_seq=1 ttl=64 time=0.573 ms
64 bytes from 10.25.112.3: icmp_seq=2 ttl=64 time=0.558 ms
64 bytes from 10.25.112.3: icmp_seq=3 ttl=64 time=0.458 ms
64 bytes from 10.25.112.3: icmp_seq=4 ttl=64 time=0.469 ms

--- 10.25.112.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 93ms
rtt min/avg/max/mdev = 0.458/0.514/0.573/0.056 ms
[root@test2 ~]#
[root@test2 ~]# ping -c 4 10.25.100.3
PING 10.25.100.3 (10.25.100.3) 56(84) bytes of data.
64 bytes from 10.25.100.3: icmp_seq=1 ttl=63 time=35.9 ms
64 bytes from 10.25.100.3: icmp_seq=2 ttl=63 time=35.8 ms
64 bytes from 10.25.100.3: icmp_seq=3 ttl=63 time=35.7 ms
64 bytes from 10.25.100.3: icmp_seq=4 ttl=63 time=35.7 ms

--- 10.25.100.3 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 5ms
rtt min/avg/max/mdev = 35.663/35.783/35.947/0.170 ms
[root@test2 ~]#
[root@test2 ~]# ping -c 4 10.25.100.4
PING 10.25.100.4 (10.25.100.4) 56(84) bytes of data.
64 bytes from 10.25.100.4: icmp_seq=1 ttl=62 time=36.5 ms
64 bytes from 10.25.100.4: icmp_seq=2 ttl=62 time=36.5 ms
64 bytes from 10.25.100.4: icmp_seq=3 ttl=62 time=36.3 ms
64 bytes from 10.25.100.4: icmp_seq=4 ttl=62 time=36.5 ms

--- 10.25.100.4 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 8ms
rtt min/avg/max/mdev = 36.300/36.448/36.535/0.162 ms
[root@test2 ~]#

Both node A and node B need the static route toward their local IPsec gateway; routing must exist in both directions before the nodes can communicate, because a reply from the far side has no path back otherwise. The TTL values above confirm the path: ttl=64 for the local gateway (no routed hop), ttl=63 for the far-side gateway (one firewall hop) and ttl=62 for the far-side host (both firewalls traversed). Note that routes added with ip route add are not persistent; they must also be written to the distribution's network configuration to survive a reboot.
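The check a practitioner wants before running the pings above is whether each side actually holds the route for the remote subnet via its local IPsec gateway. The script below is an added example, not part of the original post: it parses route-table text in the format of `ip route show`, reports any side that is missing its route, and prints the exact `ip route add` command from this page to fix it. The subnets and gateways are the ones used on this page; the two route tables embedded in the script are constructed sample output (node A configured, node B not yet), not captured from the lab hosts, and the function names are the example's own.

```bash
#!/bin/sh
# Added example: verify bidirectional static routing for an IPsec site-to-site tunnel.
# Addresses are taken from the page; ROUTES_A / ROUTES_B are constructed sample
# "ip route show" output, not captured from the test hosts.

SITE_A_NET=10.25.100.0/22
SITE_A_GW=10.25.100.3      # IPsec endpoint at site A (next hop for node A)
SITE_B_NET=10.25.112.0/22
SITE_B_GW=10.25.112.3      # IPsec endpoint at site B (next hop for node B)

# Constructed route table for node A (10.25.100.4): route to site B already added.
ROUTES_A='default via 10.25.100.1 dev ens7 proto static metric 100
10.25.100.0/22 dev ens7 proto kernel scope link src 10.25.100.4 metric 100
10.25.112.0/22 via 10.25.100.3 dev ens7 proto static metric 101'

# Constructed route table for node B (10.25.112.4): route to site A is missing.
ROUTES_B='default via 10.25.112.1 dev ens7 proto static metric 100
10.25.112.0/22 dev ens7 proto kernel scope link src 10.25.112.4 metric 100'

# route_present ROUTE_TABLE_TEXT DEST_PREFIX GATEWAY
# Succeeds when the table contains a line "DEST_PREFIX via GATEWAY ...".
# Matching on exact prefix and gateway avoids being fooled by the connected
# route for the local /22 or by a route that points at the wrong next hop.
route_present() {
    printf '%s\n' "$1" | awk -v dst="$2" -v gw="$3" '
        $1 == dst && $2 == "via" && $3 == gw { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# route_add_cmd DEST_PREFIX GATEWAY IFACE
# Prints the same ip route command used on the page for the missing direction.
route_add_cmd() {
    printf 'ip route add %s via %s dev %s metric 101 proto static\n' "$1" "$2" "$3"
}

# check_site LABEL ROUTE_TABLE_TEXT REMOTE_PREFIX LOCAL_GATEWAY IFACE
# Reports the state of one side; returns 0 if its route is present, 1 otherwise.
check_site() {
    if route_present "$2" "$3" "$4"; then
        echo "$1: route to $3 via $4 present"
        return 0
    fi
    echo "$1: MISSING route to $3 via $4; run on that host:"
    echo "  $(route_add_cmd "$3" "$4" "$5")"
    return 1
}

# Evaluate both directions; the tunnel only works when both succeed.
if check_site "SITE A" "$ROUTES_A" "$SITE_B_NET" "$SITE_A_GW" ens7 &&
   check_site "SITE B" "$ROUTES_B" "$SITE_A_NET" "$SITE_B_GW" ens7; then
    echo "both directions routed: end-to-end pings should succeed"
else
    echo "one-way routing: traffic enters the tunnel but replies have no path back"
fi
```

Run it on each host with the live table instead of the embedded sample (`ROUTES_A="$(ip route show)"`); the awk match is on the first three fields only, so the `dev`, `proto` and `metric` trailers of the real output do not matter.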