Is it possible to set up an IPSec site-to-site VPN without a static, public IP on one end?

I'm working on a project for my engineering degree that requires me to interface with some existing equipment, so my options are fairly limited. I'm still fairly new to VPNs and ipsec. If I've got this completely wrong, please tell me. I've done my best to read the man pages and documentation.

I'm trying to connect a cellular 3G router (Moxa OnCell 5104-HSPA) to a VPN server in the Amazon EC2 cloud to provide end-to-end access between two devices on either network. The 3G router supports IPSec VPN with PSK. The hard part is that I currently don't have a static, public-facing IP for the cellular router. Getting one is in the works, but I'm trying to see whether I can get this working in the meantime. If it can't be done without a public static IP address, please let me know.

 [ Openswan VPN Server ] ---> internet  ---> Cellular NAT(s) ---> [ Cellular Router ] 
       ^                                                                   ^
       |                                                                   |
 [ End User ]                                                      [ Remote Device ]

The cellular router appears to support only site-to-site VPN configurations. I have it successfully connecting (see below) to the VPN network, but I'm not sure how to get packets routed from either end of the VPN.

Connection confirmed from /var/log/auth.log (IPs have been changed in this example):

 172.31.0.1    = EC2 IP (VPN server)
 22.22.22.22   = Cellular NAT
 10.185.42.114 = 3G Router

 pluto[11336]: "RWConn"[7] 22.22.22.22 #11: responding to Main Mode from unknown peer 22.22.22.22
 pluto[11336]: "RWConn"[7] 22.22.22.22 #11: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
 pluto[11336]: "RWConn"[7] 22.22.22.22 #11: STATE_MAIN_R1: sent MR1, expecting MI2
 pluto[11336]: "RWConn"[7] 22.22.22.22 #11: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
 pluto[11336]: "RWConn"[7] 22.22.22.22 #11: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
 pluto[11336]: "RWConn"[7] 22.22.22.22 #11: STATE_MAIN_R2: sent MR2, expecting MI3
 pluto[11336]: "RWConn"[7] 22.22.22.22 #11: Main mode peer ID is ID_IPV4_ADDR: '10.185.42.114'
 pluto[11336]: "RWConn"[7] 22.22.22.22 #11: switched from "RWConn" to "RWConn"
 pluto[11336]: "RWConn"[8] 22.22.22.22 #11: deleting connection "RWConn" instance with peer 22.22.22.22 {isakmp=#0/ipsec=#0}
 pluto[11336]: "RWConn"[8] 22.22.22.22 #11: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
 pluto[11336]: "RWConn"[8] 22.22.22.22 #11: new NAT mapping for #11, was 22.22.22.22:52862, now 22.22.22.22:46828
 pluto[11336]: "RWConn"[8] 22.22.22.22 #11: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1536}
 pluto[11336]: "RWConn"[8] 22.22.22.22 #11: Dead Peer Detection (RFC 3706): enabled
 pluto[11336]: "RWConn"[8] 22.22.22.22 #11: the peer proposed: 10.0.1.0/24:17/1701 -> 10.0.50.0/24:17/0
 pluto[11336]: "RWConn"[8] 22.22.22.22 #12: responding to Quick Mode proposal 
 pluto[11336]: "RWConn"[8] 22.22.22.22 #12:     us: 172.31.0.1/32===172.31.0.1<172.31.0.1>:17/1701---172.31.0.1
 pluto[11336]: "RWConn"[8] 22.22.22.22 #12:   them: 22.22.22.22[10.185.42.114]:17/0
 pluto[11336]: "RWConn"[8] 22.22.22.22 #12: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
 pluto[11336]: "RWConn"[8] 22.22.22.22 #12: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
 pluto[11336]: "RWConn"[8] 22.22.22.22 #12: Dead Peer Detection (RFC 3706): enabled
 pluto[11336]: "RWConn"[8] 22.22.22.22 #12: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
 pluto[11336]: "RWConn"[8] 22.22.22.22 #12: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x********* <0x********** xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=22.22.22.22:46828 DPD=enabled}

**So, at this point, I believe I have the VPN client connected correctly, but I'm not sure where to go next to set up packet forwarding between the devices.**

ipsec.conf and the related files can be provided as needed. I wanted to keep my initial post concise.
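As an added example that is not part of the original post, here is a small parser for the pluto lines quoted above: it pulls out the NAT-T result, the peer ID, the traffic selectors the peer proposed and the mode of the SA that was finally established, and flags why a transport-mode SA on UDP/1701 cannot carry 10.0.1.0/24 <-> 10.0.50.0/24 traffic. The sample log is a constructed, trimmed copy of the quoted lines with the masked SPI values replaced by placeholders; the "L2TP road-warrior" wording in the findings is an inference from the selectors, not something the poster's config confirms.

```python
import re

# Constructed sample: trimmed copies of the quoted pluto lines, SPIs replaced by placeholders.
SAMPLE_LOG = """\
pluto[11336]: "RWConn"[7] 22.22.22.22 #11: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike (MacOS X): both are NATed
pluto[11336]: "RWConn"[7] 22.22.22.22 #11: Main mode peer ID is ID_IPV4_ADDR: '10.185.42.114'
pluto[11336]: "RWConn"[8] 22.22.22.22 #11: the peer proposed: 10.0.1.0/24:17/1701 -> 10.0.50.0/24:17/0
pluto[11336]: "RWConn"[8] 22.22.22.22 #12: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0xPLACEHOLDER <0xPLACEHOLDER xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=22.22.22.22:46828 DPD=enabled}
"""

NAT_RE = re.compile(r"NAT-Traversal: Result .*: (.+)$")
PEER_ID_RE = re.compile(r"peer ID is ID_IPV4_ADDR: '([\d.]+)'")
PROPOSED_RE = re.compile(r"the peer proposed: (\S+) -> (\S+)")
SA_MODE_RE = re.compile(r"IPsec SA established (tunnel|transport) mode")

def split_selector(sel):
    """'10.0.1.0/24:17/1701' -> ('10.0.1.0/24', 17, 1701); IPv4 only, as in this log."""
    net, sep, proto_port = sel.partition(":")
    if not sep:
        return net, None, None
    proto, port = proto_port.split("/")
    return net, int(proto), int(port)

def parse_pluto(log):
    """Collect the few facts that decide whether a subnet-to-subnet tunnel came up."""
    info = {"nat": None, "peer_id": None, "proposed": None, "sa_mode": None}
    for line in log.splitlines():
        if m := NAT_RE.search(line):
            info["nat"] = m.group(1)
        elif m := PEER_ID_RE.search(line):
            info["peer_id"] = m.group(1)
        elif m := PROPOSED_RE.search(line):
            info["proposed"] = (split_selector(m.group(1)), split_selector(m.group(2)))
        elif m := SA_MODE_RE.search(line):
            info["sa_mode"] = m.group(1)
    return info

def diagnose(info):
    """Return findings; an empty list means the SA matches a site-to-site tunnel."""
    findings = []
    if info["nat"] and "NATed" in info["nat"]:
        findings.append("NAT-T is active: ESP runs inside UDP/4500 and the NAT source port may change")
    if info["proposed"]:
        (lnet, lproto, lport), (rnet, _, _) = info["proposed"]
        if (lproto, lport) == (17, 1701):
            findings.append("selector carries UDP/1701: the responding conn looks like an L2TP/IPsec road-warrior definition, not a subnet tunnel")
        if info["sa_mode"] == "transport":
            findings.append(f"transport-mode SA cannot carry {lnet} <-> {rnet}; site-to-site needs tunnel mode with both subnets as selectors")
    return findings
```

Run `diagnose(parse_pluto(SAMPLE_LOG))` to see the three findings for the quoted exchange.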
