I am trying to configure a Cisco CSR1000V on AWS to create an IPsec VPN with Strongswan 5.1.2 (on Ubuntu 14.04) running on another AWS machine. I can bring the VPN up from the Strongswan end, and it appears to build the security associations correctly, but no traffic is routed in either direction. Possibly related: I cannot bring the VPN up from the Cisco end.
I have tried to base the configuration on http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html#anc2 with changes for the specific IP addresses and networks. So I have:

    10.87.189.36 client
          |
    CSR 1000V: Eth0 10.87.50.122 (mapped to Elastic IP 54.154.54.AAA)
               Eth1 10.87.189.50
          |
          |
    Strongswan: 172.31.1.1 (mapped to Elastic IP 54.229.30.BBB)
          |
    Webserver 172.31.2.33
The intention is to be able to browse from the client to the web server over the VPN. The client can reach the outside internet, routed through the CSR1000 (set up as in https://rbgeek.wordpress.com/2014/09/15/cisco-csr1000v-router-as-nat-instance-on-aws/). I can also create a VPN between the Strongswan machine and another machine running Strongswan 4.5.2 locally, and see the web server as expected.
The EC2 src/dest check is disabled on all Ethernet ports of both the CSR and the Strongswan machine.
The Strongswan connection is configured as follows
conn ciscotest
left=%defaultroute
leftid=54.229.30.BBB
leftsubnet=172.31.0.0/16
leftfirewall=no
right=54.154.54.AAA
rightid=%any
rightsubnet=10.87.189.0/24
auto=add
authby=secret
ike=aes256-sha1-modp1024
ikelifetime=8h
aggressive=no
esp=aes128-sha1
lifetime=1h
keyexchange=ikev2
Firewall and sysctl on the Strongswan machine

    # iptables -t nat -L -v -n
    Chain PREROUTING (policy ACCEPT 4 packets, 220 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain INPUT (policy ACCEPT 4 packets, 220 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 5 packets, 349 bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            172.31.0.0/16        policy match dir out pol ipsec
        5   349 MASQUERADE all  --  *      eth0    0.0.0.0/0            172.31.0.0/16

    # sysctl -p
    net.ipv4.ip_forward = 1
Configuration on the Cisco machine

    version 15.5
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no platform punt-keepalive disable-kernel-core
    platform console virtual
    !
    hostname ip-10-87-50-122
    !
    boot-start-marker
    boot-end-marker
    !
    subscriber templating
    !
    multilink bundle-name authenticated
    !
    redundancy
    !
    crypto ikev2 proposal ikev2proposal
     encryption aes-cbc-256
     integrity sha1
     group 2
    !
    crypto ikev2 policy ikev2policy
     match fvrf any
     proposal ikev2proposal
    !
    crypto ikev2 keyring keys
     peer strongswan
      address 54.229.30.BBB
      pre-shared-key local ----------------
      pre-shared-key remote ----------------
     !
    !
    !
    crypto ikev2 profile ikev2profile
     match identity remote address 54.229.30.BBB 255.255.255.255
     authentication remote pre-share
     authentication local pre-share
     keyring local keys
    !
    crypto isakmp policy 10
     authentication pre-share
     group 2
    !
    crypto ipsec transform-set TS esp-aes esp-sha-hmac
     mode tunnel
    !
    crypto map cmap 10 ipsec-isakmp
     set peer 54.229.30.BBB
     set transform-set TS
     set ikev2-profile ikev2profile
     match address cryptoacl
    !
    interface GigabitEthernet1
     ip address dhcp
     ip nat outside
     negotiation auto
     crypto map cmap
    !
    interface GigabitEthernet2
     ip address 10.87.189.50 255.255.255.0
     ip nat inside
     negotiation auto
    !
    virtual-service csr_mgmt
     ip shared host-interface GigabitEthernet1
     activate
    !
    ip nat inside source list NATList interface GigabitEthernet1 overload
    ip forward-protocol nd
    !
    ip access-list extended NATList
     permit ip 10.87.189.0 0.0.0.255 any
    ip access-list extended cryptoacl
     permit ip 10.87.189.0 0.0.0.255 172.31.2.0 0.0.0.255
     permit ip 10.87.189.0 0.0.0.255 172.31.0.0 0.0.255.255
When bringing the connection up from the Strongswan end:
# ipsec up ciscotest
initiating IKE_SA ciscotest[17] to 54.154.54.AAA
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 172.31.1.1[500] to 54.154.54.AAA[500] (1044 bytes)
received packet: from 54.154.54.AAA[500] to 172.31.1.1[500] (336 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]
received Cisco Delete Reason vendor ID
received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of '54.229.30.BBB' (myself) with pre-shared key
establishing CHILD_SA ciscotest
generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
sending packet: from 172.31.1.1[4500] to 54.154.54.AAA[4500] (332 bytes)
received packet: from 54.154.54.AAA[4500] to 172.31.1.1[4500] (252 bytes)
parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
authentication of '10.87.50.122' with pre-shared key successful
IKE_SA ciscotest[17] established between 172.31.1.1[54.229.30.BBB]...54.154.54.AAA[10.87.50.122]
scheduling reauthentication in 27954s
maximum IKE_SA lifetime 28494s
received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
connection 'ciscotest' established successfully
# ipsec status ciscotest
Security Associations (1 up, 0 connecting):
ciscotest[17]: ESTABLISHED 19 seconds ago, 172.31.1.1[54.229.30.BBB]...54.154.54.AAA[10.87.50.122]
ciscotest{15}: INSTALLED, TUNNEL, ESP in UDP SPIs: c42a57f8_i 1cc99de5_o
ciscotest{15}: 172.31.0.0/16 === 10.87.189.0/24
On the Cisco side
Syslog logging: enabled (0 messages dropped, 9 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)
No Active Message Discriminator.
No Inactive Message Discriminator.
Console logging: level debugging, 2479 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 2486 messages logged, xml disabled,
filtering disabled
Exception Logging: size (4096 bytes)
Count and timestamp logging messages: disabled
Persistent logging: disabled
No active filter modules.
Trap logging: level informational, 62 message lines logged
Logging Source-Interface: VRF Name:
Log Buffer (4096 bytes):
edur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb 18 15:41:34.873: Crypto mapdb : proxy_match
src addr : 10.87.189.0
dst addr : 172.31.0.0
protocol : 0
src port : 0
dst port : 0
*Feb 18 15:41:34.873: (ipsec_process_proposal)Map Accepted: cmap, 10
*Feb 18 15:41:34.873: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Get my authentication method
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):My authentication method is 'PSK'
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Get peer's preshared key for 54.229.30.BBB
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Generate my authentication data
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Use preshared key for id 10.87.50.122, key len 5
*Feb 18 15:41:34.873: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 18 15:41:34.873: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Get my authentication method
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):My authentication method is 'PSK'
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Generating IKE_AUTH message
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Constructing IDr payload: '10.87.50.122' of type 'IPv4 address'
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
AES-CBC SHA96 Don't use ESN
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Building packet for encryption.
Payload contents:
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Sending Packet [To 54.229.30.BBB:4500/From 10.87.50.122:4500/VRF i0:f0]
Initiator SPI : D88218943FE3BDCA - Responder SPI : D5D0EFB19DDB3A57 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
ENCR
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Session with IKE ID PAIR (54.229.30.BBB, 10.87.50.122) is UP
*Feb 18 15:41:34.874: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Load IPSEC key material
*Feb 18 15:41:34.874: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Feb 18 15:41:34.874: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 18 15:41:34.874: Crypto mapdb : proxy_match
src addr : 10.87.189.0
dst addr : 172.31.0.0
protocol : 256
src port : 0
dst port : 0
*Feb 18 15:41:34.874: IPSEC:(SESSION ID = 9) (crypto_ipsec_create_ipsec_sas) Map found cmap, 10
*Feb 18 15:41:34.874: IPSEC:(SESSION ID = 9) (create_sa) sa created,
(sa) sa_dest= 10.87.50.122, sa_proto= 50,
sa_spi= 0x1CC99DE5(482975205),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2017
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 10.87.50.122:0, remote= 54.229.30.BBB:0,
local_proxy= 10.87.189.0/255.255.255.0/256/0,
remote_proxy= 172.31.0.0/255.255.0.0/256/0
*Feb 18 15:41:34.874: IPSEC:(SESSION ID = 9) (create_sa) sa created,
(sa) sa_dest= 54.229.30.BBB, sa_proto= 50,
sa_spi= 0xC42A57F8(3291109368),
sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2018
sa_lifetime(k/sec)= (4608000/3600),
(identity) local= 10.87.50.122:0, remote= 54.229.30.BBB:0,
local_proxy= 10.87.189.0/255.255.255.0/256/0,
remote_proxy= 172.31.0.0/255.255.0.0/256/0
*Feb 18 15:41:35.064: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Feb 18 15:41:35.064: IKEv2:(SESSION ID = 9,SA ID = 1):Checking for duplicate IKEv2 SA
*Feb 18 15:41:35.064: IKEv2:(SESSION ID = 9,SA ID = 1):No duplicate IKEv2 SA found
*Feb 18 15:41:35.064: IKEv2:(SESSION ID = 9,SA ID = 1):Starting timer (8 sec) to delete negotiation context
The Cisco article above suggests that from the Cisco command line I should be able to do

    ping 172.31.2.33 source gigabitethernet 2

to bring the VPN up from the Cisco end, but this just reports no response. I can ping in both directions between the client and the Cisco machine, and likewise between Strongswan and the web server. But no traffic seems to pass through the VPN between them, either at that point or once it has been brought up from the Strongswan end as above.
Edit: more diagnostics from the CSR1000
    ip-10-87-50-122#show crypto session detail
    Crypto session current status

    Code: C - IKE Configuration mode, D - Dead Peer Detection
    K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
    X - IKE Extended Authentication, F - IKE Fragmentation
    R - IKE Auto Reconnect

    Interface: GigabitEthernet1
    Session status: DOWN
    Peer: 54.229.30.BBB port 500 fvrf: (none) ivrf: (none)
          Desc: (none)
          Phase1_id: (none)
      IPSEC FLOW: permit ip 10.87.189.0/255.255.255.0 172.31.2.0/255.255.255.0
            Active SAs: 0, origin: crypto map
            Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

    Interface: GigabitEthernet1
    Profile: ikev2profile
    Uptime: 00:00:41
    Session status: UP-ACTIVE
    Peer: 54.229.30.BBB port 4500 fvrf: (none) ivrf: (none)
          Phase1_id: 54.229.30.BBB
          Desc: (none)
          Session ID: 21
      IKEv2 SA: local 10.87.50.122/4500 remote 54.229.30.BBB/4500 Active
              Capabilities:N connid:2 lifetime:23:59:19
      IPSEC FLOW: permit ip 10.87.189.0/255.255.255.0 172.31.0.0/255.255.0.0
            Active SAs: 2, origin: crypto map
            Inbound:  #pkts dec'ed 310 drop 0 life (KB/Sec) 4608000/3558
            Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4608000/3558

    #show crypto ipsec sa

    interface: GigabitEthernet1
        Crypto map tag: cmap, local addr 10.87.50.122

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.87.189.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (172.31.2.0/255.255.255.0/0/0)
       current_peer 54.229.30.BBB port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 10.87.50.122, remote crypto endpt.: 54.229.30.BBB
         plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none

         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:

       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.87.189.0/255.255.255.0/0/0)
       remote ident (addr/mask/prot/port): (172.31.0.0/255.255.0.0/0/0)
       current_peer 54.229.30.BBB port 4500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 310, #pkts decrypt: 310, #pkts verify: 310
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0

         local crypto endpt.: 10.87.50.122, remote crypto endpt.: 54.229.30.BBB
         plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
         current outbound spi: 0xC3012269(3271631465)
         PFS (Y/N): N, DH group: none

         inbound esp sas:
          spi: 0x1CB79056(481792086)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2019, flow_id: CSR:19, sibling_flags FFFFFFFF80000048, crypto map: cmap
            sa timing: remaining key lifetime (k/sec): (4608000/3504)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)

         inbound ah sas:
         inbound pcp sas:

         outbound esp sas:
          spi: 0xC3012269(3271631465)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel UDP-Encaps, }
            conn id: 2020, flow_id: CSR:20, sibling_flags FFFFFFFF80000048, crypto map: cmap
            sa timing: remaining key lifetime (k/sec): (4608000/3504)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE(ACTIVE)

         outbound ah sas:
         outbound pcp sas:

    #show crypto ikev2 sa detailed
     IPv4 Crypto IKEv2  SA

    Tunnel-id Local                 Remote                fvrf/ivrf            Status
    2         10.87.50.122/4500     54.229.30.BBB/4500    none/none            READY
          Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
          Life/Active Time: 86400/126 sec
          CE id: 1021, Session-id: 8
          Status Description: Negotiation done
          Local spi: DEB67BE7456C5407       Remote spi: 1C2A344A8A10262E
          Local id: 10.87.50.122
          Remote id: 54.229.30.BBB
          Local req msg id:  0              Remote req msg id:  2
          Local next msg id: 0              Remote next msg id: 2
          Local req queued:  0              Remote req queued:  2
          Local window:      5              Remote window:      1
          DPD configured for 0 seconds, retry 0
          Fragmentation not configured.
          Extended Authentication not configured.
          NAT-T is detected inside
          Cisco Trust Security SGT is disabled
          Initiator of SA : No

     IPv6 Crypto IKEv2  SA
Edit 2: ping example, since it won't fit in a comment reply below.

    ip-10-87-50-96#ping 172.31.1.1 source gigabitEthernet 2 repeat 2
    Type escape sequence to abort.
    Sending 2, 100-byte ICMP Echos to 172.31.1.1, timeout is 2 seconds:
    Packet sent with a source address of 10.87.189.59
    ..
    Success rate is 0 percent (0/2)

The output is the same whether the VPN is not up or has been brought up from Strongswan.
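The counters in the show crypto ipsec sa output above already carry the diagnosis: the 172.31.0.0/16 flow has decrypted 310 packets from the Strongswan peer but encrypted none, so packets from 10.87.189.0/24 are never reaching the crypto map, while the 172.31.2.0/24 flow never negotiated a child SA at all (outbound SPI 0x0). The script below is an added example and is not part of the original question; it parses that kind of output and classifies each protected flow by its encaps/decaps counters. The sample input is constructed from the output posted above, trimmed to the lines the parser reads.

```python
"""Triage a Cisco IOS 'show crypto ipsec sa' dump for one-way tunnels.

Added example, not from the original question. Each protected flow (a
'local ident' / 'remote ident' pair) gets its encaps/decaps counters
pulled out and classified. Asymmetric counters are the tell-tale sign:
decaps > 0 with encaps == 0 means the peer's traffic is decrypted but
nothing local ever hits the crypto map (a routing or NAT problem on this
side, not an IKE problem).
"""
import ipaddress
import re

# Constructed from the output posted in the question, trimmed to the
# lines this parser looks at; real output carries many more lines.
SAMPLE_OUTPUT = """\
interface: GigabitEthernet1
    Crypto map tag: cmap, local addr 10.87.50.122

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.87.189.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.31.2.0/255.255.255.0/0/0)
   current_peer 54.229.30.BBB port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
     current outbound spi: 0x0(0)

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.87.189.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.31.0.0/255.255.0.0/0/0)
   current_peer 54.229.30.BBB port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 310, #pkts decrypt: 310, #pkts verify: 310
     current outbound spi: 0xC3012269(3271631465)
"""

_IDENT = re.compile(r"\b(local|remote)\s+ident\b.*?:\s*\(([^/]+)/([^/]+)/")
_ENCAPS = re.compile(r"#pkts encaps:\s*(\d+)")
_DECAPS = re.compile(r"#pkts decaps:\s*(\d+)")
_OUT_SPI = re.compile(r"current outbound spi:\s*(0x[0-9A-Fa-f]+)")


def _cidr(addr, mask):
    # IOS prints a dotted netmask; ipaddress turns it into prefix notation.
    return str(ipaddress.ip_network(f"{addr}/{mask}", strict=False))


def parse_flows(text):
    """Return one dict per protected flow, in the order IOS printed them."""
    flows, cur = [], None
    for line in text.splitlines():
        m = _IDENT.search(line)
        if m:
            side, net = m.group(1), _cidr(m.group(2), m.group(3))
            if side == "local":  # a 'local ident' line starts a new flow
                cur = {"local": net, "remote": None,
                       "encaps": 0, "decaps": 0, "out_spi": 0}
                flows.append(cur)
            elif cur is not None:
                cur["remote"] = net
            continue
        if cur is None:
            continue  # interface/crypto-map header lines before the first flow
        for key, rx in (("encaps", _ENCAPS), ("decaps", _DECAPS)):
            m = rx.search(line)
            if m:
                cur[key] = int(m.group(1))
        m = _OUT_SPI.search(line)
        if m:
            cur["out_spi"] = int(m.group(1), 16)
    return flows


def classify(flow):
    """Map the counters to a diagnosis a practitioner can act on."""
    if flow["out_spi"] == 0 and flow["encaps"] == 0 and flow["decaps"] == 0:
        return "no-sa"          # this flow never negotiated a child SA
    if flow["decaps"] > 0 and flow["encaps"] == 0:
        return "inbound-only"   # peer sends, we never encrypt: local traffic misses the crypto map
    if flow["encaps"] > 0 and flow["decaps"] == 0:
        return "outbound-only"  # we send, nothing returns: look at the peer's routing/policy
    if flow["encaps"] == 0 and flow["decaps"] == 0:
        return "idle"           # SA is up, no traffic either way yet
    return "bidirectional"


def triage(text):
    return [(f["local"], f["remote"], classify(f)) for f in parse_flows(text)]


if __name__ == "__main__":
    for local, remote, verdict in triage(SAMPLE_OUTPUT):
        print(f"{local:>18} <-> {remote:<18} {verdict}")
```

Run against the page's output it reports the /24 flow as no-sa and the /16 flow as inbound-only, which is the state to look for before touching the IKE configuration: the tunnel is fine, the problem is in front of it.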
Answer 1

So the problem was the access list applying NAT instead of routing into the VPN. Using

    ip access-list extended NATList
     deny ip 10.87.189.0 0.0.0.255 172.31.0.0 0.0.255.255 log
     permit ip 10.87.189.0 0.0.0.255 any log
    ip access-list extended cryptoacl
     permit ip host 10.87.189.36 host 172.31.2.33

fixes it.
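Why the deny entry fixes it: on IOS, inside-to-outside NAT is applied before the crypto map on the outside interface is consulted, so any flow the NAT ACL permits has its source rewritten to the GigabitEthernet1 address and no longer matches cryptoacl; the ESP SA sits there decrypting the peer's packets while nothing is ever encrypted. The script below is an added example, not part of the answer or of Cisco's tooling. It parses both ACLs in IOS first-match order and reports every crypto-ACL flow that a NAT permit entry would translate before a deny excludes it. The broken ACLs from the question and the fixed ones from the answer are embedded as constructed input; the parser models addresses only (protocol keyword, port qualifiers and the log keyword are ignored), which is sufficient for these ACLs.

```python
"""Check an IOS NAT ACL against a crypto ACL for the trap in this question.

Added example, not from the original answer. IOS evaluates inside-to-
outside NAT before the crypto map, so a flow the NAT ACL permits is
translated and never matches the crypto ACL. The guard is a deny for
the VPN traffic above the permit in the NAT ACL; this script checks it.
"""
import ipaddress

# ACLs copied from the page as constructed input: the original (broken)
# pair from the question and the corrected pair from the answer.
NATLIST_BROKEN = """
ip access-list extended NATList
 permit ip 10.87.189.0 0.0.0.255 any
"""
CRYPTOACL_BROKEN = """
ip access-list extended cryptoacl
 permit ip 10.87.189.0 0.0.0.255 172.31.2.0 0.0.0.255
 permit ip 10.87.189.0 0.0.0.255 172.31.0.0 0.0.255.255
"""
NATLIST_FIXED = """
ip access-list extended NATList
 deny ip 10.87.189.0 0.0.0.255 172.31.0.0 0.0.255.255 log
 permit ip 10.87.189.0 0.0.0.255 any log
"""
CRYPTOACL_FIXED = """
ip access-list extended cryptoacl
 permit ip host 10.87.189.36 host 172.31.2.33
"""


def _wildcard_to_net(addr, wildcard):
    """IOS wildcard mask -> network. The wildcard is the inverted netmask
    (0.0.0.255 -> 255.255.255.0 -> /24); inverting explicitly also handles
    0.0.0.0 (a host) and 255.255.255.255 (everything) correctly."""
    inverted = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    netmask = ipaddress.IPv4Address(inverted)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def _take_addr(tokens):
    """Consume one IOS address spec ('any', 'host A' or 'A WILDCARD')
    and return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return _wildcard_to_net(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Return [(action, proto, src_net, dst_net), ...] in ACL order.
    Only addresses are modelled; port qualifiers and 'log' are ignored."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] not in ("permit", "deny"):
            continue  # 'ip access-list extended NAME' header, remark or blank
        action, proto = tokens[0], tokens[1]
        src, rest = _take_addr(tokens[2:])
        dst, _ = _take_addr(rest)
        entries.append((action, proto, src, dst))
    return entries


def flows_stolen_by_nat(nat_acl, crypto_acl):
    """Crypto-ACL flows that a NAT permit entry would translate first.

    Walks the NAT ACL in order for each crypto permit, as IOS does: a deny
    that fully covers the flow protects it, a permit that overlaps it
    steals (at least part of) it, a deny that only partially covers it
    is skipped and the scan continues."""
    stolen = []
    for action, _, csrc, cdst in crypto_acl:
        if action != "permit":
            continue
        for naction, _, nsrc, ndst in nat_acl:
            if not (csrc.overlaps(nsrc) and cdst.overlaps(ndst)):
                continue
            if naction == "deny" and csrc.subnet_of(nsrc) and cdst.subnet_of(ndst):
                break  # excluded from NAT before any permit: safe
            if naction == "permit":
                stolen.append((str(csrc), str(cdst)))
                break
    return stolen


def check(nat_text, crypto_text):
    return flows_stolen_by_nat(parse_acl(nat_text), parse_acl(crypto_text))


if __name__ == "__main__":
    print("broken:", check(NATLIST_BROKEN, CRYPTOACL_BROKEN))
    print("fixed: ", check(NATLIST_FIXED, CRYPTOACL_FIXED))
```

A non-empty result from check() means the VPN traffic is being translated before the crypto map sees it; the only fix is a deny above the permit, since putting the deny after the permit leaves the flow stolen. Note that the answer's cryptoacl also narrows protection to the single 10.87.189.36 to 172.31.2.33 pair, while the NATList deny still covers the whole 172.31.0.0/16, so widening cryptoacl again later does not reintroduce the problem.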