No traffic routed between Cisco CSR1000v on AWS and Strongswan IPSec endpoint

I'm trying to configure a Cisco CSR1000V on AWS to create an IPSec VPN with Strongswan 5.1.2 (on Ubuntu 14.04) on another AWS machine. I can bring up the VPN from the Strongswan side, and it seems to have built the security associations correctly, but no traffic is routed in either direction. Possibly related, I cannot bring up the VPN from the Cisco side.

I tried basing my configuration on http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html#anc2, changed for the specific IP addresses and networks. So I

10.87.189.36 client
   | 
CSR 1000V: Eth0 10.87.50.122 (mapped to Elastic IP 54.154.54.AAA)
           Eth1 10.87.189.50
   |
   |
Strongswan: 172.31.1.1 (mapped to Elastic IP 54.229.30.BBB)
   |
Webserver 172.31.2.33

The aim is to be able to browse from the client to the webserver over the VPN. The client can connect to the outside internet, routed via the CSR1000 (set up as in https://rbgeek.wordpress.com/2014/09/15/cisco-csr1000v-router-as-nat-instance-on-aws/). I can also create a VPN between the Strongswan machine and another machine running Strongswan 4.5.2 locally, and see the webserver as expected.

EC2 src/dest checking is disabled on all ethernet ports on both the CSR and the Strongswan machine.

Strongswan's connection is configured as follows

conn ciscotest                                                                                         
    left=%defaultroute
    leftid=54.229.30.BBB
    leftsubnet=172.31.0.0/16
    leftfirewall=no

    right=54.154.54.AAA
    rightid=%any
    rightsubnet=10.87.189.0/24

    auto=add
    authby=secret

    ike=aes256-sha1-modp1024
    ikelifetime=8h
    aggressive=no

    esp=aes128-sha1
    lifetime=1h
    keyexchange=ikev2

Firewall and sysctl on the Strongswan machine

# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 4 packets, 220 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 4 packets, 220 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5 packets, 349 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            172.31.0.0/16        policy match dir out pol ipsec
    5   349 MASQUERADE all  --  *      eth0    0.0.0.0/0            172.31.0.0/16

# sysctl -p
net.ipv4.ip_forward = 1

Configuration on the Cisco machine

version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname ip-10-87-50-122
!
boot-start-marker
boot-end-marker
!
subscriber templating
!
multilink bundle-name authenticated

!
redundancy
!
crypto ikev2 proposal ikev2proposal 
 encryption aes-cbc-256
 integrity sha1
 group 2
!
crypto ikev2 policy ikev2policy 
 match fvrf any
 proposal ikev2proposal
!
crypto ikev2 keyring keys
 peer strongswan
  address 54.229.30.BBB
  pre-shared-key local ----------------
  pre-shared-key remote ----------------
 !
!
!
crypto ikev2 profile ikev2profile
 match identity remote address 54.229.30.BBB 255.255.255.255 
 authentication remote pre-share
 authentication local pre-share
 keyring local keys
!
crypto isakmp policy 10
 authentication pre-share
 group 2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac 
 mode tunnel
!
crypto map cmap 10 ipsec-isakmp 
 set peer 54.229.30.BBB
 set transform-set TS 
 set ikev2-profile ikev2profile
 match address cryptoacl
!
interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 negotiation auto
 crypto map cmap
!
interface GigabitEthernet2
 ip address 10.87.189.50 255.255.255.0
 ip nat inside
 negotiation auto
!
virtual-service csr_mgmt
 ip shared host-interface GigabitEthernet1
 activate
!
ip nat inside source list NATList interface GigabitEthernet1 overload
ip forward-protocol nd
!
ip access-list extended NATList
 permit ip 10.87.189.0 0.0.0.255 any
ip access-list extended cryptoacl
 permit ip 10.87.189.0 0.0.0.255 172.31.2.0 0.0.0.255
 permit ip 10.87.189.0 0.0.0.255 172.31.0.0 0.0.255.255

When bringing up the connection from the Strongswan side:

# ipsec up ciscotest
initiating IKE_SA ciscotest[17] to 54.154.54.AAA
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 172.31.1.1[500] to 54.154.54.AAA[500] (1044 bytes)
received packet: from 54.154.54.AAA[500] to 172.31.1.1[500] (336 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]
received Cisco Delete Reason vendor ID
received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of '54.229.30.BBB' (myself) with pre-shared key
establishing CHILD_SA ciscotest
generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
sending packet: from 172.31.1.1[4500] to 54.154.54.AAA[4500] (332 bytes)
received packet: from 54.154.54.AAA[4500] to 172.31.1.1[4500] (252 bytes)
parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
authentication of '10.87.50.122' with pre-shared key successful
IKE_SA ciscotest[17] established between 172.31.1.1[54.229.30.BBB]...54.154.54.AAA[10.87.50.122]
scheduling reauthentication in 27954s
maximum IKE_SA lifetime 28494s
received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
connection 'ciscotest' established successfully

# ipsec status ciscotest
Security Associations (1 up, 0 connecting):
   ciscotest[17]: ESTABLISHED 19 seconds ago, 172.31.1.1[54.229.30.BBB]...54.154.54.AAA[10.87.50.122]
   ciscotest{15}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c42a57f8_i 1cc99de5_o
   ciscotest{15}:   172.31.0.0/16 === 10.87.189.0/24

On the Cisco side

Syslog logging: enabled (0 messages dropped, 9 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.



No Inactive Message Discriminator.


    Console logging: level debugging, 2479 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging:  level debugging, 2486 messages logged, xml disabled,
                    filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 62 message lines logged
        Logging Source-Interface:       VRF Name:

Log Buffer (4096 bytes):
edur= 0s and 0kb, 
    spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb 18 15:41:34.873: Crypto mapdb : proxy_match
    src addr     : 10.87.189.0
    dst addr     : 172.31.0.0
    protocol     : 0
    src port     : 0
    dst port     : 0
*Feb 18 15:41:34.873: (ipsec_process_proposal)Map Accepted: cmap, 10
*Feb 18 15:41:34.873: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.

*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Get my authentication method
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):My authentication method is 'PSK'
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Get peer's preshared key for 54.229.30.BBB
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Generate my authentication data
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Use preshared key for id 10.87.50.122, key len 5
*Feb 18 15:41:34.873: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 18 15:41:34.873: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Get my authentication method
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):My authentication method is 'PSK'
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Generating IKE_AUTH message
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Constructing IDr payload: '10.87.50.122' of type 'IPv4 address'
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), 
Num. transforms: 3
   AES-CBC   SHA96   Don't use ESN
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Building packet for encryption.  
Payload contents: 
 VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Sending Packet [To 54.229.30.BBB:4500/From 10.87.50.122:4500/VRF i0:f0] 
Initiator SPI : D88218943FE3BDCA - Responder SPI : D5D0EFB19DDB3A57 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
 ENCR 

*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Session with IKE ID PAIR (54.229.30.BBB, 10.87.50.122) is UP
*Feb 18 15:41:34.874: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Load IPSEC key material
*Feb 18 15:41:34.874: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Feb 18 15:41:34.874: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 18 15:41:34.874: Crypto mapdb : proxy_match
    src addr     : 10.87.189.0
    dst addr     : 172.31.0.0
    protocol     : 256
    src port     : 0
    dst port     : 0
*Feb 18 15:41:34.874: IPSEC:(SESSION ID = 9) (crypto_ipsec_create_ipsec_sas) Map found cmap, 10
*Feb 18 15:41:34.874: IPSEC:(SESSION ID = 9) (create_sa) sa created,
  (sa) sa_dest= 10.87.50.122, sa_proto= 50, 
    sa_spi= 0x1CC99DE5(482975205), 
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2017
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 10.87.50.122:0, remote= 54.229.30.BBB:0,
    local_proxy= 10.87.189.0/255.255.255.0/256/0,
    remote_proxy= 172.31.0.0/255.255.0.0/256/0
*Feb 18 15:41:34.874: IPSEC:(SESSION ID = 9) (create_sa) sa created,
  (sa) sa_dest= 54.229.30.BBB, sa_proto= 50, 
    sa_spi= 0xC42A57F8(3291109368), 
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2018
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 10.87.50.122:0, remote= 54.229.30.BBB:0,
    local_proxy= 10.87.189.0/255.255.255.0/256/0,
    remote_proxy= 172.31.0.0/255.255.0.0/256/0
*Feb 18 15:41:35.064: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Feb 18 15:41:35.064: IKEv2:(SESSION ID = 9,SA ID = 1):Checking for duplicate IKEv2 SA
*Feb 18 15:41:35.064: IKEv2:(SESSION ID = 9,SA ID = 1):No duplicate IKEv2 SA found
*Feb 18 15:41:35.064: IKEv2:(SESSION ID = 9,SA ID = 1):Starting timer (8 sec) to delete negotiation context

The Cisco article above suggests that from the Cisco command line I should be able to do

ping 172.31.2.33 source gigabitethernet 2 

to bring up the VPN from the Cisco side, but this just reports no response. I can ping both ways between the client and the Cisco machine, and likewise between the Strongswan machine and the webserver. But no traffic seems to pass over the VPN between them, either then or once it has been brought up from the Strongswan side as above.


Edit: more diagnostics from the CSR1000

ip-10-87-50-122#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: GigabitEthernet1
Session status: DOWN
Peer: 54.229.30.BBB port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IPSEC FLOW: permit ip 10.87.189.0/255.255.255.0 172.31.2.0/255.255.255.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Interface: GigabitEthernet1
Profile: ikev2profile
Uptime: 00:00:41
Session status: UP-ACTIVE


Peer: 54.229.30.BBB port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 54.229.30.BBB
      Desc: (none)
  Session ID: 21  
  IKEv2 SA: local 10.87.50.122/4500 remote 54.229.30.BBB/4500 Active
          Capabilities:N connid:2 lifetime:23:59:19
  IPSEC FLOW: permit ip 10.87.189.0/255.255.255.0 172.31.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 310 drop 0 life (KB/Sec) 4608000/3558
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4608000/3558

#show crypto ipsec sa

interface: GigabitEthernet1
    Crypto map tag: cmap, local addr 10.87.50.122

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.87.189.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.31.2.0/255.255.255.0/0/0)
   current_peer 54.229.30.BBB port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.87.50.122, remote crypto endpt.: 54.229.30.BBB
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.87.189.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.31.0.0/255.255.0.0/0/0)
   current_peer 54.229.30.BBB port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 310, #pkts decrypt: 310, #pkts verify: 310
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.87.50.122, remote crypto endpt.: 54.229.30.BBB
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0xC3012269(3271631465)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x1CB79056(481792086)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2019, flow_id: CSR:19, sibling_flags FFFFFFFF80000048, crypto map: cmap
        sa timing: remaining key lifetime (k/sec): (4608000/3504)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC3012269(3271631465)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2020, flow_id: CSR:20, sibling_flags FFFFFFFF80000048, crypto map: cmap
        sa timing: remaining key lifetime (k/sec): (4608000/3504)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         10.87.50.122/4500     54.229.30.BBB/4500    none/none            READY  
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/126 sec
      CE id: 1021, Session-id: 8
      Status Description: Negotiation done
      Local spi: DEB67BE7456C5407       Remote spi: 1C2A344A8A10262E
      Local id: 10.87.50.122
      Remote id: 54.229.30.BBB
      Local req msg id:  0              Remote req msg id:  2         
      Local next msg id: 0              Remote next msg id: 2         
      Local req queued:  0              Remote req queued:  2         
      Local window:      5              Remote window:      1         
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is detected inside
      Cisco Trust Security SGT is disabled
      Initiator of SA : No

 IPv6 Crypto IKEv2  SA

Edit 2: ping example, since it won't fit in a comment reply below.

ip-10-87-50-96#ping 172.31.1.1 source gigabitEthernet 2 repeat 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 172.31.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.87.189.59
..
Success rate is 0 percent (0/2)

The output is the same whether the VPN is down or has been brought up from the Strongswan side.

Answer 1

So the problem was the access list applying NAT instead of routing to the VPN. Using

ip access-list extended NATList
 deny   ip 10.87.189.0 0.0.0.255 172.31.0.0 0.0.255.255 log
 permit ip 10.87.189.0 0.0.0.255 any log
ip access-list extended cryptoacl
 permit ip host 10.87.189.36 host 172.31.2.33

fixes it.
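To make the fix concrete, here is an added Python model (not from the question, the answer, or Cisco) of the IOS inside-to-outside order of operations, in which inside-source NAT is applied before the crypto map is consulted, so a packet that NATList permits leaves with the GigabitEthernet1 address as its source and no longer matches cryptoacl. It uses the NATList and cryptoacl entries from this page; the client, webserver and outside addresses are the page's own, and 203.0.113.10 is a constructed internet destination.

```python
import ipaddress

# ACL entries copied from the question (original NATList) and the answer (fixed NATList).
ORIGINAL_NATLIST = ["permit ip 10.87.189.0 0.0.0.255 any"]
FIXED_NATLIST = [
    "deny   ip 10.87.189.0 0.0.0.255 172.31.0.0 0.0.255.255 log",
    "permit ip 10.87.189.0 0.0.0.255 any log",
]
CRYPTOACL = ["permit ip 10.87.189.0 0.0.0.255 172.31.0.0 0.0.255.255"]
OUTSIDE_IP = "10.87.50.122"  # GigabitEthernet1 address used by 'ip nat inside source ... overload'

def wildcard_to_network(addr, wildcard):
    """IOS 'addr wildcard' -> network; a wildcard mask is the bitwise inverse of a netmask."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network((addr, str(netmask)), strict=False)

def parse_ace(line):
    """Parse 'permit|deny ip SRC DST [log]' where SRC/DST is any | host X | addr wildcard."""
    tokens = line.split()
    action, rest = tokens[0], tokens[2:]
    nets = []
    for _ in range(2):
        if rest[0] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0")); rest = rest[1:]
        elif rest[0] == "host":
            nets.append(ipaddress.IPv4Network(rest[1] + "/32")); rest = rest[2:]
        else:
            nets.append(wildcard_to_network(rest[0], rest[1])); rest = rest[2:]
    return action, nets[0], nets[1]

def acl_permits(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny at the end."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for line in acl:
        action, snet, dnet = parse_ace(line)
        if s in snet and d in dnet:
            return action == "permit"
    return False

def inside_to_outside(nat_acl, crypto_acl, src, dst):
    """Model the IOS inside->outside order: inside-source NAT runs before the
    crypto map is consulted, so a packet the NAT ACL permits is rewritten to
    OUTSIDE_IP and only then compared against the crypto ACL.
    Returns (source address seen by the crypto map, encrypted?)."""
    if acl_permits(nat_acl, src, dst):
        src = OUTSIDE_IP
    return src, acl_permits(crypto_acl, src, dst)

if __name__ == "__main__":
    for name, nat in (("original", ORIGINAL_NATLIST), ("fixed", FIXED_NATLIST)):
        print(name, inside_to_outside(nat, CRYPTOACL, "10.87.189.36", "172.31.2.33"))
```

With the original NATList the client-to-webserver packet is translated to 10.87.50.122 and never matches cryptoacl, which is consistent with the zero "#pkts encaps" counters above; with the deny entry first it keeps its 10.87.189.36 source and is encrypted, while internet-bound traffic is still NATed.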
