我最近一直在尝试使用 StrongSwan 来替代需要花钱的 Amazon VPN。
我在完全配置远程服务器和运行 StrongSwan 的 Ubuntu EC2 机器之间的 IPSec 隧道时遇到了麻烦。
我的目标是让我们的远程服务器能够通过 VPN 进入我们的 VPC 并在 AWS 上的私有子网之间进行双向访问。
目前,我可以建立隧道。我可以从 EC2 计算机(运行 StrongSwan)ping 到远程 OSX 服务器。我可以在我的 VPC 中的公有子网和私有子网之间的计算机之间 ping。
目前,我无法从我的 OSX 服务器 ping 到运行 Strong Swan 的 AWS 上的 EC2 实例。我没有设置任何 iptables 来将流量从 EC2(StrongSwan)机器转发到我的私有子网中的其他机器。
AWS
VPC: 10.0.0.0/16
Public Subnet: 10.0.1.0/24
Private Subnet: 10.0.2.0/24
Web EIP: 77.77.77.77 (default for VPC IGW)
VPN EIP: 66.66.66.66
AWS StrongSwan EC2
Ubuntu running StrongSwan 5.2.2
IP: 10.0.1.233
远程客户端网关(蜂窝调制解调器 + 网关组合,带静态 IP)
Running StrongSwan 5.2.2 internally for IPSec
Public (static) IP: 55.55.55.55
LAN: 10.1.1.0/24 (DHCP Server)
远程客户端服务器(用于测试的 OSX 机器)
IP: 10.1.1.1
网络拓扑结构
公共子网中的安全组完全开放,允许所有 ICMP、UDP 和 TCP 流量进行测试(忽略上图中的值)。
另请注意,StrongSwan EC2 实例上的 src/dst 检查已被禁用
远程网关 StrongSwan 配置(StrongSwan 5.2.2)
version 2.0
config setup
# charondebug="knl 4, asn 4, cfg 4, chd 4, dmn 4, enc 4, esp 4, ike 4, imc 4, imv 4, job 4, lib 4, mgr 4, net 4, pts 4,tls 4, tnc 4"
conn %default
keyexchange=ikev2
authby=secret
conn net-to-net
ike=aes256-sha256-modp1536,aes256-sha1-modp1536,aes128-sha256-modp1536,aes128-sha1-modp1536,3des-sha256-modp1536,3des-sha1-modp1536
esp=aes256-sha256_96-modp1536,aes256-sha1-modp1536,aes128-sha256_96-modp1536,aes128-sha1-modp1536,3des-sha256_96-modp1536,3des-sha1-modp1536
mobike=no
keyingtries=%forever
dpdaction=restart
dpddelay=5s
dpdtimeout=10s
#AWS
leftid=%any
left=10.0.1.233
leftsubnet=10.0.0.0/16
#CLIENT
rightid=%any
right=55.55.55.55
rightsubnet=10.1.1.0/24
auto=add
远程网关上的 IPSec 设置
eth0 正在运行 DHCP 服务器,CIDR 块为 10.1.1.0/24。我的 OSX 服务器的 IP 为 10.1.1.1(在 eth0 上)
StrongSwan EC2 上的系统日志
Mar 30 18:43:58 ip-10-0-1-233 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 30 18:43:58 ip-10-0-1-233 charon: 00[CFG] loaded IKE secret for 66.66.66.66 55.55.55.55
Mar 30 18:43:58 ip-10-0-1-233 charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Mar 30 18:43:58 ip-10-0-1-233 charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
Mar 30 18:43:58 ip-10-0-1-233 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 30 18:43:58 ip-10-0-1-233 charon: 00[JOB] spawning 16 worker threads
Mar 30 18:43:58 ip-10-0-1-233 charon: 10[CFG] received stroke: add connection 'net-to-net'
Mar 30 18:43:58 ip-10-0-1-233 charon: 10[CFG] added configuration 'net-to-net'
Mar 30 18:44:01 ip-10-0-1-233 charon: 00[DMN] signal of type SIGINT received. Shutting down
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-44-generic, x86_64)
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loaded IKE secret for 66.66.66.66 55.55.55.55
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[JOB] spawning 16 worker threads
Mar 30 18:44:07 ip-10-0-1-233 charon: 10[CFG] received stroke: add connection 'net-to-net'
Mar 30 18:44:07 ip-10-0-1-233 charon: 10[CFG] added configuration 'net-to-net'
Mar 30 18:44:17 ip-10-0-1-233 charon: 11[NET] received packet: from 55.55.55.55[500] to 10.0.1.233[500] (660 bytes)
Mar 30 18:44:17 ip-10-0-1-233 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 30 18:44:17 ip-10-0-1-233 charon: 11[IKE] 55.55.55.55 is initiating an IKE_SA
Mar 30 18:44:17 ip-10-0-1-233 charon: 11[IKE] local host is behind NAT, sending keep alives
Mar 30 18:44:17 ip-10-0-1-233 charon: 11[IKE] DH group MODP_2048 inacceptable, requesting MODP_1536
Mar 30 18:44:17 ip-10-0-1-233 charon: 11[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Mar 30 18:44:17 ip-10-0-1-233 charon: 11[NET] sending packet: from 10.0.1.233[500] to 55.55.55.55[500] (38 bytes)
Mar 30 18:44:17 ip-10-0-1-233 charon: 12[NET] received packet: from 55.55.55.55[500] to 10.0.1.233[500] (596 bytes)
Mar 30 18:44:17 ip-10-0-1-233 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 30 18:44:17 ip-10-0-1-233 charon: 12[IKE] 55.55.55.55 is initiating an IKE_SA
Mar 30 18:44:17 ip-10-0-1-233 charon: 12[IKE] local host is behind NAT, sending keep alives
Mar 30 18:44:17 ip-10-0-1-233 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar 30 18:44:17 ip-10-0-1-233 charon: 12[NET] sending packet: from 10.0.1.233[500] to 55.55.55.55[500] (376 bytes)
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[NET] received packet: from 55.55.55.55[4500] to 10.0.1.233[4500] (336 bytes)
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(IPCOMP_SUP) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[CFG] looking for peer configs matching 10.0.1.233[%any]...55.55.55.55[55.55.55.55]
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[CFG] selected peer config 'net-to-net'
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] authentication of '55.55.55.55' with pre-shared key successful
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[CFG] no IDr configured, fall back on IP address
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] authentication of '10.0.1.233' (myself) with pre-shared key
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] IKE_SA net-to-net[2] established between 10.0.1.233[10.0.1.233]...55.55.55.55[55.55.55.55]
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] scheduling reauthentication in 10081s
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] maximum IKE_SA lifetime 10621s
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] received IPCOMP_SUPPORTED notify but IPComp is disabled, ignoring
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] CHILD_SA net-to-net{1} established with SPIs c2a08785_i cc1db76f_o and TS 10.0.1.0/24 === 10.1.1.0/24
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[NET] sending packet: from 10.0.1.233[4500] to 55.55.55.55[4500] (224 bytes)
Mar 30 18:44:23 ip-10-0-1-233 charon: 14[IKE] sending DPD request
远程连接时 AWS 端的 tpcdump
18:41:14.660917 IP mobile-55-55-55-55.mycingular.net.isakmp > ip-10-0-1-233.ec2.internal.isakmp: isakmp: parent_sa ikev2_init[I]
18:41:14.681096 IP ip-10-0-1-233.ec2.internal.isakmp > mobile-55-55-55-55.mycingular.net.isakmp: isakmp: parent_sa ikev2_init[R]
18:41:15.259862 IP mobile-55-55-55-55.mycingular.net.isakmp > ip-10-0-1-233.ec2.internal.isakmp: isakmp: parent_sa ikev2_init[I]
18:41:15.271718 IP ip-10-0-1-233.ec2.internal.isakmp > mobile-55-55-55-55.mycingular.net.isakmp: isakmp: parent_sa ikev2_init[R]
18:41:15.809157 IP mobile-55-55-55-55.mycingular.net.ipsec-nat-t > ip-10-0-1-233.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
18:41:15.813883 IP ip-10-0-1-233.ec2.internal.ipsec-nat-t > mobile-55-55-55-55.mycingular.net.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[R]
18:41:20.812881 IP ip-10-0-1-233.ec2.internal.ipsec-nat-t > mobile-55-55-55-55.mycingular.net.ipsec-nat-t: NONESP-encap: isakmp: parent_sa inf2
18:41:21.139689 IP mobile-55-55-55-55.mycingular.net.ipsec-nat-t > ip-10-0-1-233.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[I]
18:41:21.140103 IP ip-10-0-1-233.ec2.internal.ipsec-nat-t > mobile-55-55-55-55.mycingular.net.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[R]
18:41:21.289057 IP mobile-55-55-55-55.mycingular.net.ipsec-nat-t > ip-10-0-1-233.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: parent_sa inf2[IR]
18:41:26.088336 IP mobile-55-55-55-55.mycingular.net.ipsec-nat-t > ip-10-0-1-233.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[I]
18:41:26.088827 IP ip-10-0-1-233.ec2.internal.ipsec-nat-t > mobile-55-55-55-55.mycingular.net.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[R]
18:41:31.103016 IP mobile-55-55-55-55.mycingular.net.ipsec-nat-t > ip-10-0-1-233.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[I]
18:41:31.103931 IP ip-10-0-1-233.ec2.internal.ipsec-nat-t > mobile-55-55-55-55.mycingular.net.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[R]
我相信我的设置已经很接近了,但我缺少一些基本的东西。有人知道为什么我的隧道不能双向工作吗?我可以从 AWS->Remote ping 通,但反过来不行。注意:我没有在 Ubuntu (StrongSwan) EC2 实例上设置 ip 转发或任何自定义 iptable 规则。
注意:还有这个文件由 StrongSwan 人员创建,我查看过并尝试实现,但比我当前的设置运气不佳。
答案1
事实证明,我犯了一个错误,客户端网关上存在路由后问题,这就是为什么只允许单向流量的原因。StrongSwan 和 AWS 配置正确。