I am trying to set up an IPsec tunnel between my office and our Amazon VPC, but I have never worked with IPsec before, so I am quite confused.
The gateway/firewall runs pfSense 2.1.3-RELEASE (i386) on FreeBSD 8.3-RELEASE-p16.
The office network uses 192.168.1.0/24 and 192.168.2.0/24 (OpenVPN clients). The VPC uses 10.0.0.0/24. The VPC gateway uses static routing.
I have tried reading various guides on how to create the tunnel, but most of them are confusing about how IPsec actually works, or they target a different version of pfSense/AWS, which makes them hard to translate to my setup given my lack of understanding. Some guides talk about virtual IPs, others do not, and so on.
So I would humbly ask whether anyone here could write a step-by-step guide for creating the tunnel in pfSense and try to explain how the pieces fit together.
This is the configuration guide I received from Amazon (with credentials and office IPs obfuscated):
IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration
Configure the IKE SA as follows:
- Authentication Method : Pre-Shared Key
- Pre-Shared Key :
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2
#2: IPSec Configuration
Configure the IPSec SA as follows:
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2
IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We recommend configuring DPD on your endpoint as follows:
- DPD Interval : 10
- DPD Retries : 3
IPSec ESP (Encapsulating Security Payload) inserts additional headers to transmit packets. These headers require additional space, which reduces the amount of space available to transmit application data. To limit the impact of this behavior, we recommend the following configuration on your Customer Gateway:
- TCP MSS Adjustment : 1387 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation : Before encryption
#3: Tunnel Interface Configuration
Your Customer Gateway must be configured with a tunnel interface that is associated with the IPSec tunnel. All traffic transmitted to the tunnel interface is encrypted and transmitted to the Virtual Private Gateway.
The Customer Gateway and Virtual Private Gateway each have two addresses that relate to this IPSec tunnel. Each has an outside address, over which encrypted traffic is exchanged. Each also has an inside address associated with the tunnel interface. The Customer Gateway outside IP address was provided when the Customer Gateway was created. Changing the IP address requires the creation of a new Customer Gateway.
The Customer Gateway inside IP address should be configured on your tunnel interface.
Outside IP Addresses:
- Customer Gateway : x.x.x.x
- Virtual Private Gateway : y.y.y.y
Inside IP Addresses
- Customer Gateway : 169.254.254.62/30
- Virtual Private Gateway : 169.254.254.61/30
Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes
#4: Static Routing Configuration:
To route traffic between your internal network and your VPC, you will need a static route added to your router.
Static Route Configuration Options:
- Next hop : 169.254.254.61
You should add static routes towards your internal network on the VGW. The VGW will then send traffic towards your internal network over the tunnels.
IPSec Tunnel #2
================================================================================
#1: Internet Key Exchange Configuration
Configure the IKE SA as follows:
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : xxxx
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2
#2: IPSec Configuration
Configure the IPSec SA as follows:
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2
IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We recommend configuring DPD on your endpoint as follows:
- DPD Interval : 10
- DPD Retries : 3
IPSec ESP (Encapsulating Security Payload) inserts additional headers to transmit packets. These headers require additional space, which reduces the amount of space available to transmit application data. To limit the impact of this behavior, we recommend the following configuration on your Customer Gateway:
- TCP MSS Adjustment : 1387 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation : Before encryption
#3: Tunnel Interface Configuration
Your Customer Gateway must be configured with a tunnel interface that is associated with the IPSec tunnel. All traffic transmitted to the tunnel interface is encrypted and transmitted to the Virtual Private Gateway.
The Customer Gateway and Virtual Private Gateway each have two addresses that relate to this IPSec tunnel. Each has an outside address, over which encrypted traffic is exchanged. Each also has an inside address associated with the tunnel interface. The Customer Gateway outside IP address was provided when the Customer Gateway was created. Changing the IP address requires the creation of a new Customer Gateway.
The Customer Gateway inside IP address should be configured on your tunnel interface.
Outside IP Addresses:
- Customer Gateway : x.x.x.x
- Virtual Private Gateway : z.z.z.z
Inside IP Addresses
- Customer Gateway : 169.254.254.58/30
- Virtual Private Gateway : 169.254.254.57/30
Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes
#4: Static Routing Configuration:
To route traffic between your internal network and your VPC, you will need a static route added to your router.
Static Route Configuration Options:
- Next hop : 169.254.254.57
You should add static routes towards your internal network on the VGW. The VGW will then send traffic towards your internal network over the tunnels.
Answer 1
I have configured IPsec from pfSense to AWS.
I am not going to give you a click-by-click guide, but I can show you what our working configuration looks like. Embedded variables have been replaced with %% placeholders.
PH1
<phase1>
  <ikeid>6</ikeid>
  <interface>lan</interface>
  <remote-gateway>%%AWS_GW_IP%%</remote-gateway>
  <mode>main</mode>
  <protocol>inet</protocol>
  <myid_type>myaddress</myid_type>
  <myid_data/>
  <peerid_type>peeraddress</peerid_type>
  <peerid_data/>
  <encryption-algorithm>
    <name>aes</name>
    <keylen>128</keylen>
  </encryption-algorithm>
  <hash-algorithm>sha1</hash-algorithm>
  <dhgroup>2</dhgroup>
  <lifetime>28800</lifetime>
  <pre-shared-key>%%AWS_PSK%%</pre-shared-key>
  <private-key/>
  <certref/>
  <caref/>
  <authentication_method>pre_shared_key</authentication_method>
  <generate_policy/>
  <proposal_check/>
  <descr><![CDATA[ VPC AWS ]]></descr>
  <nat_traversal>off</nat_traversal>
  <dpd_delay>10</dpd_delay>
  <dpd_maxfail>2</dpd_maxfail>
</phase1>
PH2
<phase2>
  <ikeid>6</ikeid>
  <mode>tunnel</mode>
  <localid>
    <type>network</type>
    <address>%%YOUR_NETWORK%%</address>
    <netbits>%%MASK%%</netbits>
  </localid>
  <remoteid>
    <type>network</type>
    <address>%%VPC_NETWORK%%</address>
    <netbits>%%MASK%%</netbits>
  </remoteid>
  <protocol>esp</protocol>
  <encryption-algorithm-option>
    <name>aes</name>
    <keylen>128</keylen>
  </encryption-algorithm-option>
  <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
  <pfsgroup>2</pfsgroup>
  <lifetime>3600</lifetime>
  <pinghost>%%HOST TO CHECK%%</pinghost>
  <descr><![CDATA[VPC AWS]]></descr>
</phase2>
As far as I know, it is not possible to configure the two tunnels on pfSense so that they work redundantly.
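The AWS guide in the question and the pfSense phase1/phase2 entries in the answer describe the same IKE and IPsec parameters in two notations, so a useful sanity check before bringing the tunnel up is to compare them field by field. The script below is an added example (not part of the question, the answer, or pfSense) that parses pfSense-style phase1/phase2 XML and reports every value that deviates from what AWS lists for Tunnel #1; the sample XML is constructed from the posted entries with the %% placeholders filled in using addresses from the question.

```python
import xml.etree.ElementTree as ET

# Parameters AWS lists for Tunnel #1 in the question, keyed by the pfSense element path.
AWS_PHASE1 = {"mode": "main", "encryption-algorithm/name": "aes",
              "encryption-algorithm/keylen": "128", "hash-algorithm": "sha1",
              "dhgroup": "2", "lifetime": "28800", "dpd_delay": "10", "dpd_maxfail": "3"}
AWS_PHASE2 = {"mode": "tunnel", "protocol": "esp", "encryption-algorithm-option/name": "aes",
              "encryption-algorithm-option/keylen": "128",
              "hash-algorithm-option": "hmac_sha1", "pfsgroup": "2", "lifetime": "3600"}

# Constructed sample: the posted entries with placeholders filled in (VGW y.y.y.y from the
# question stands in for the real address, office LAN 192.168.1.0/24, VPC 10.0.0.0/24).
SAMPLE_CONFIG = """<ipsec>
<phase1><ikeid>6</ikeid><interface>lan</interface><remote-gateway>y.y.y.y</remote-gateway>
<mode>main</mode><encryption-algorithm><name>aes</name><keylen>128</keylen></encryption-algorithm>
<hash-algorithm>sha1</hash-algorithm><dhgroup>2</dhgroup><lifetime>28800</lifetime>
<dpd_delay>10</dpd_delay><dpd_maxfail>2</dpd_maxfail></phase1>
<phase2><ikeid>6</ikeid><mode>tunnel</mode>
<localid><type>network</type><address>192.168.1.0</address><netbits>24</netbits></localid>
<remoteid><type>network</type><address>10.0.0.0</address><netbits>24</netbits></remoteid>
<protocol>esp</protocol><encryption-algorithm-option><name>aes</name><keylen>128</keylen></encryption-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option><pfsgroup>2</pfsgroup><lifetime>3600</lifetime></phase2>
</ipsec>"""

def check_entry(entry, expected):
    """Return (field, found, expected) for every field that differs from the AWS value."""
    mismatches = []
    for path, want in expected.items():
        node = entry.find(path)
        got = node.text.strip() if node is not None and node.text else None
        if got != want:
            mismatches.append((path, got, want))
    return mismatches

def check_config(xml_text):
    """Check each phase1 entry plus the phase2 entries sharing its ikeid; report keyed by ikeid."""
    root = ET.fromstring(xml_text)
    report = {}
    for p1 in root.findall("phase1"):
        ikeid = p1.findtext("ikeid")
        issues = [("phase1", *m) for m in check_entry(p1, AWS_PHASE1)]
        for p2 in root.findall("phase2"):
            if p2.findtext("ikeid") == ikeid:
                issues += [("phase2", *m) for m in check_entry(p2, AWS_PHASE2)]
        report[ikeid] = issues
    return report

if __name__ == "__main__":
    for ikeid, issues in check_config(SAMPLE_CONFIG).items():
        for phase, field, got, want in issues:
            print(f"ikeid {ikeid} {phase} {field}: found {got!r}, AWS lists {want!r}")
```

Running it against the sample reports only the DPD retry count (pfSense `dpd_maxfail` 2 versus the 3 retries AWS lists); the phase2 networks are not checked because AWS leaves them to you.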