我正在尝试使用他们的 VPN 系统和 Linux 服务器在我们的公司网络和 Amazon 的虚拟私有云之间建立 IPSec VPN 连接。不幸的是,我找到的唯一指南讨论了如何使用主机 Linux 机器设置隧道并让该 Linux 机器访问 VPC 实例,但我在网上找不到关于如何让实例访问公司网络(或通过该网络访问互联网的其余部分)的讨论。
网络信息
Local subnet: 10.3.0.0/25
Remote subnet: 10.4.0.0/16
Tunnel 1:
Outside IP Addresses:
- Customer Gateway: : 199.167.xxx.xxx
- VPN Gateway : 205.251.233.121
Inside IP Addresses
- Customer Gateway : 169.254.249.2/30
- VPN Gateway : 169.254.249.1/30
Tunnel 2:
Outside IP Addresses:
- Customer Gateway: : 199.167.xxx.xxx
- VPN Gateway : 205.251.233.122
Inside IP Addresses
- Customer Gateway : 169.254.249.6/30
- VPN Gateway : 169.254.249.5/30
这是我的 /etc/ipsec-tools.conf:
flush;
spdflush;
spdadd 169.254.249.2/30 169.254.249.1/30 any -P out ipsec
esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
spdadd 169.254.249.1/30 169.254.249.2/30 any -P in ipsec
esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 169.254.249.6/30 169.254.249.5/30 any -P out ipsec
esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;
spdadd 169.254.249.5/30 169.254.249.6/30 any -P in ipsec
esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;
spdadd 169.254.249.2/30 10.4.0.0/16 any -P out ipsec
esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
spdadd 10.4.0.0/16 169.254.249.2/30 any -P in ipsec
esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 169.254.249.6/30 10.4.0.0/16 any -P out ipsec
esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;
spdadd 10.4.0.0/16 169.254.249.6/30 any -P in ipsec
esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;
这是我的 /etc/racoon/racoon.conf:
remote 205.251.233.122 {
exchange_mode main;
lifetime time 28800 seconds;
proposal {
encryption_algorithm aes128;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
generate_policy off;
}
remote 205.251.233.121 {
exchange_mode main;
lifetime time 28800 seconds;
proposal {
encryption_algorithm aes128;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
generate_policy off;
}
sainfo address 169.254.249.2/30 any address 169.254.249.1/30 any {
pfs_group 2;
lifetime time 3600 seconds;
encryption_algorithm aes128;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 169.254.249.6/30 any address 169.254.249.5/30 any {
pfs_group 2;
lifetime time 3600 seconds;
encryption_algorithm aes128;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
BGP 运行良好,所以我不会发布这些配置。
以下是有效的方法
- 从 Linux 机器中,我可以 ping 本地端点 (169.254.249.2/169.254.249.6) 及其远程等效端点 (169.254.249.1/169.254.249.5)。
- 我还可以 ping VPC 中的实例、通过 SSH 连接它们等等。
- 从 VPC 中的远程实例,我也可以 ping 本地和远程端点
- 我无法 ping 10.3.0.0/25 子网上的本地服务器
我认为我遗漏了一些简单的东西,但我已尝试向 ipsec-tools.conf 添加条目来镜像 {local endpoint} <-> {remote subnet},使用 {local subnet} <-> {remote endpoint},但似乎没有起作用。
当我从 {远程实例} ping 到 {本地服务器} 时,ping 超时。数据包在 eth0 接口上可见(即使本地网络在 eth1 上)。
谷歌帮不上什么忙;它只显示人们尝试使用 OpenSwan,或者遇到类似的问题但使用硬件路由器,或者使用较旧的工具。
答案1
好吧,我作弊了 :) 我安装了亚马逊官方支持的 Astaro 网关,然后用它来建模我自己的网关。您只需通过 SSH 进入 Astaro 设备,看看他们是如何设置一切的。当然,如果您愿意付费,您可以继续使用 Astaro 设备。
答案2
搞清楚了。必须将我的 ipsec-tools.conf 更改为:
flush;
spdflush;
# Generic routing
spdadd 10.4.0.0/16 10.3.0.0/25 any -P in ipsec esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 10.3.0.0/25 10.4.0.0/16 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
# Tunnel 1
spdadd 169.254.249.1/30 169.254.249.2/30 any -P in ipsec esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 169.254.249.2/30 169.254.249.1/30 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
spdadd 10.4.0.0/16 169.254.249.2/30 any -P in ipsec esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 169.254.249.2/30 10.4.0.0/16 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
# Tunnel 2
spdadd 169.254.249.5/30 169.254.249.6/30 any -P in ipsec esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;
spdadd 169.254.249.6/30 169.254.249.5/30 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;
spdadd 10.4.0.0/16 169.254.249.6/30 any -P in ipsec esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;
spdadd 169.254.249.6/30 10.4.0.0/16 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;
并将我的 racoon.conf 更改为如下内容:
path pre_shared_key "/etc/racoon/psk.txt";
remote 205.251.233.122 {
exchange_mode main;
lifetime time 28800 seconds;
proposal {
encryption_algorithm aes128;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
generate_policy off;
}
remote 205.251.233.121 {
exchange_mode main;
lifetime time 28800 seconds;
proposal {
encryption_algorithm aes128;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
generate_policy off;
}
sainfo address 169.254.249.2/30 any address 169.254.249.1/30 any {
pfs_group 2;
lifetime time 3600 seconds;
encryption_algorithm aes128;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 169.254.249.6/30 any address 169.254.249.5/30 any {
pfs_group 2;
lifetime time 3600 seconds;
encryption_algorithm aes128;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
sainfo address 10.3.0.0/25 any address 10.4.0.0/16 any {
pfs_group 2;
lifetime time 3600 seconds;
encryption_algorithm aes128;
authentication_algorithm hmac_sha1;
compression_algorithm deflate;
}
但是,据我所知,此配置只会通过第一个隧道(通过 xxx121)路由 10.3.0.0/25 和 10.4.0.0/16 之间的流量。当我弄清楚后,我会更新答案。
答案3
您知道在 setkey 配置中使用“require”而不是“use”的原因吗?您是否还知道我在 remote 和 sainfo 部分中放置语句的顺序以及错误地重复某些语句是否重要?例如:
#original
remote 205.251.233.121 {
exchange_mode main;
lifetime time 28800 seconds;
proposal {
encryption_algorithm aes128;
hash_algorithm sha1;
authentication_method pre_shared_key;
dh_group 2;
}
generate_policy off;
}
对比
#edited
remote 205.251.233.121 {
generate_policy off; #moved/duplicated
lifetime time 28800 seconds;
proposal {
dh_group 2; #moved
encryption_algorithm aes128;
hash_algorithm sha1;
authentication_method pre_shared_key;
}
exchange_mode main; #moved
generate_policy off; #duplicated/moved
}
您是否还想出了如何让交通在两个隧道上畅通?
谢谢您的指导。