VPN 问题-AWS 和 Sonicwall

2024-6-18 • tag-icon

您好，我在 AWS 中的 VPC 后面有一个 Sonicwall 和一个 OpenSwan 实例。我在连接 VPN 时遇到问题。我遵循了以下指南：https://www.sonicwall.com/en-us/support/knowledge-base/170504906528100

其他步骤

net.ipv4.ip_forward = 1

AWS 实例 - 禁用源检查。

检查安全组 - UDP 500 和 UDP 4500。

网络 ACL - 允许任何入站和出站

日志：在 Sonicwall (182.57.3.179) 上：

17:52:06 Sep 21 358 VPN Inform  IKE Initiator: Start Aggressive Mode negotiation (Phase 1)  182.57.3.179, 500   17.221.128.14, 500  udp VPN Policy: AWS
VPN OPENSWAN    [Show Details] [Click to disable this kind of events]
17:52:06 Sep 21 403 VPN Inform  IKE negotiation aborted due to Timeout

17:53:18 Sep 21 930 VPN Inform  IKE Initiator: Remote party Timeout - Retransmitting IKE Request.

在 OpenSwan 实例 (17.221.128.14) 上 ipsec barf：

+ sed -n '2243,$p' /var/log/secure
Sep 21 21:49:59 ip-172-31-16-12 ipsec__plutorun: Starting Pluto subsystem...
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: nss directory plutomain: /etc/ipsec.d
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: NSS Initialized
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:25537
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: LEAK_DETECTIVE support [disabled]
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: OCF support for IKE [disabled]
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: SAref support [disabled]: Protocol not available
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: SAbind support [disabled]: Protocol not available
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: NSS support [enabled]
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: HAVE_STATSD notification support not compiled in
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Setting NAT-Traversal port-4500 floating to on
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]:    port floating activation criteria nat_t=1/port_float=1
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]:    NAT-Traversal support  [enabled]
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: starting up 1 cryptographic helpers
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: started helper (thread) pid=139735991080704 (fd:8)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Using Linux 2.6 IPsec interface code on 4.9.43-17.39.amzn1.x86_64 (experimental code)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Could not change to directory '/etc/ipsec.d/cacerts': /
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Could not change to directory '/etc/ipsec.d/aacerts': /
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Could not change to directory '/etc/ipsec.d/crls'
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: added connection description "SonicWall"
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: listening for IKE messages
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface eth0/eth0 172.31.16.12:500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface eth0/eth0 172.31.16.12:4500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface lo/lo 127.0.0.1:500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface lo/lo 127.0.0.1:4500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface lo/lo ::1:500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: loading secrets from "/etc/ipsec.secrets"
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: "SonicWall": We cannot identify ourselves with either end of this connection.
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: ignoring unknown Vendor ID payload [5b362bc820f60007]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: ignoring Vendor ID payload [Sonicwall 2 (3.1.0.12-86s?)]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: received Vendor ID payload [Dead Peer Detection]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: received Vendor ID payload [XAUTH]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.154:500: initial Aggressive Mode message from 182.57.3.154 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE

听起来 173.57.3.154（Sonicwall）正在与 OpenSwan 通信，但没有建立隧道。

仅供参考 - 我使用了 AWS VPC VPN 和 Sonicwall。但是我仅将该实例用于测试目的，OpenSwan 实例比 VPC-VPN 连接更便宜。此外，我可以关闭/打开实例。再次强调，这是 AWS 和 Sonicwall 之间的测试环境。我愿意接受所有建议。

相关内容