
How to build an IPsec site-to-site VPN without a public IP

Posted by PiPi_OPENOS on 2024-11-28. Forum section: Router Wi-fi

  1. PiPi_OPENOS

    PiPi_OPENOS New Member

    Registered:
    2024-06-20
    Posts:
    8
    Our community network only provides private IPs. I want the home LANs of two houses located in different areas to be able to connect to each other.


    https://drive.google.com/file/d/129dXS8Zbnk0R7Xr0KtX1EWok2-JZU8qu/view

    https://drive.google.com/file/d/1OlKGlh4GanY41oddEmDkGFBk4lFOt8Sw/view

    https://drive.google.com/file/d/1rbF-r81Re3MxRJZPygDBPx-KemIYYUIe/view


    UniFi reference material:

    https://help.tw.ui.com/articles/360002426234/

    UniFi gateway has no public IP address (double NAT)
    This usually happens when the UniFi gateway sits behind another router/modem that uses Network Address Translation (NAT). If the UniFi gateway's WAN IP address falls within any of the following ranges, it may be affected:

    • 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
    • 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
    • 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)
    • 100.64.0.0/10 (100.64.0.0 - 100.127.255.255)
    To resolve this, set the upstream router to Bridge Mode. If that is not possible, try forwarding the required ports from the upstream router/modem to the UniFi gateway. IPsec uses UDP ports 500 and 4500. By default, OpenVPN uses UDP port 1194, but this can be changed. Note that this method will not work if the upstream router itself has no public IP address.

    If that does not work, it is recommended to contact the ISP. Note that IP addresses in the 100.64.0.0/10 subnet range always require the ISP's assistance before a VPN connection can be established.


    https://help.ui.com/hc/en-us/articles/360002426234-UniFi-Gateway-Site-to-Site-IPsec-VPN
    4. Can IPsec Site-to-Site VPNs be used when the UniFi Gateway is behind NAT?
    We recommend using IPsec Site-to-Site VPNs on a UniFi Gateway that has access to a public IP address. Any performance or port forwarding issues on the upstream router can cause the VPN to disconnect.

    If this is not an option, then configure the authentication IDs. For example, an IPsec Site-to-Site VPN is set up between the below UniFi Gateways:

    • UniFi Gateway Site A - WAN IP 192.168.5.1 (behind NAT)
    • ISP modem/router Site A - WAN IP 203.0.113.1 (public IP)
    • UniFi Gateway Site B - WAN IP 198.51.100.1 (public IP)
    The VPN is set up between the public IP addresses 203.0.113.1 > 198.51.100.1.

    When Site B receives the IPsec VPN peer request from Site A, it will contain both the 192.168.5.1 and 203.0.113.1 IP addresses. However, Site B is only configured to peer with 203.0.113.1, causing a mismatch. To resolve this, configure 203.0.113.1 as the Local Authentication ID on Site A.

    The reverse is also possible. The 192.168.5.1 IP address can be configured as the Remote Authentication ID on site B.

    Besides IP addresses, authentication IDs also support hostnames, email addresses and distinguished names.
    Last edited: 2024-11-28
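To make the identity mismatch quoted above concrete, here is an added Python model (not code from the UniFi documentation or the original post) of the responder's check: NAT rewrites only the outer source address, while the identity carried inside the IKE payload stays the gateway's own WAN address unless a Local Authentication ID is set. The simplified matching rule, the `Gateway`/`IkeRequest` classes and the `scenario()` helper are assumptions for illustration; real IKEv2 identity matching also covers hostnames, e-mail addresses and distinguished names.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Ranges from the UniFi article: a WAN address in one of them means the gateway
# sits behind another NAT device; 100.64.0.0/10 (CGNAT) always needs the ISP.
DOUBLE_NAT_RANGES = [ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
CGNAT = ip_network("100.64.0.0/10")

@dataclass
class Gateway:
    name: str
    wan_ip: str
    peer_ip: str                      # address this site is configured to peer with
    local_id: Optional[str] = None    # Local Authentication ID (defaults to wan_ip)
    remote_id: Optional[str] = None   # Remote Authentication ID (defaults to peer_ip)

    def nat_status(self) -> str:
        """'cgnat' (ISP help), 'double-nat' (bridge mode or forward UDP 500/4500) or 'public'."""
        addr = ip_address(self.wan_ip)
        if addr in CGNAT:
            return "cgnat"
        return "double-nat" if any(addr in net for net in DOUBLE_NAT_RANGES) else "public"

@dataclass
class IkeRequest:
    src_ip: str      # source address as seen by the responder (after NAT)
    identity: str    # IDi payload: the initiator's Local Authentication ID

def initiate(gw: Gateway, upstream_public_ip: Optional[str] = None) -> IkeRequest:
    # NAT rewrites the IP header but not the identity inside the IKE payload
    return IkeRequest(src_ip=upstream_public_ip or gw.wan_ip,
                      identity=gw.local_id or gw.wan_ip)

def respond(gw: Gateway, req: IkeRequest) -> bool:
    # Assumed responder model: packet must arrive from the configured peer address
    # AND the presented identity must equal the expected Remote Authentication ID.
    return req.src_ip == gw.peer_ip and req.identity == (gw.remote_id or gw.peer_ip)

def scenario() -> dict:
    """Constructed case from the article: Site A behind NAT (public side 203.0.113.1), Site B public."""
    site_a = Gateway("Site A", "192.168.5.1", peer_ip="198.51.100.1")
    site_b = Gateway("Site B", "198.51.100.1", peer_ip="203.0.113.1")
    broken = respond(site_b, initiate(site_a, "203.0.113.1"))          # IDi is 192.168.5.1
    fix_a = Gateway("Site A", "192.168.5.1", "198.51.100.1", local_id="203.0.113.1")
    fix_b = Gateway("Site B", "198.51.100.1", "203.0.113.1", remote_id="192.168.5.1")
    return {"site_a_status": site_a.nat_status(), "default_ids": broken,
            "local_id_on_a": respond(site_b, initiate(fix_a, "203.0.113.1")),
            "remote_id_on_b": respond(fix_b, initiate(site_a, "203.0.113.1"))}
```

Running `scenario()` shows the default IDs failing and both fixes from the article (Local Authentication ID on Site A, or Remote Authentication ID on Site B) succeeding.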
  2. osx

    osx Administrator Staff member

    Registered:
    2017-03-30
    Posts:
    949
    If neither side has a public IP, then how can IPsec connect?