Openswan 通过 Amazon VPC 路由到办公网络

We are trying to set up a road warrior VPN network. Because our office's internet connection is slow, we run it through a VPC that hosts a replicated AD and file server. Currently there is an Amazon VPC VPN connection from the office to the VPC. In the VPC we have an OpenSwan server that lets you VPN into the AWS network. I cannot get it to route back to the office so that both can be reached over a single VPN connection. In addition, when routing through Openswan, internet access does not work, so routes have to be added manually on Mac OS X. Does anyone know the correct configuration so that every connection is reachable, with internet access available when users need it? Also, how does OpenSwan provide routing?

(10.1.5.0) IPsec VPN <- OpenSwan CentOS server -> (172.16.1.0) Amazon VPC subnet <- Meraki/VPC VPN -> (192.168.1.0) office network

Current OpenSwan configuration

    # basic configuration
    config setup
        # plutodebug / klipsdebug = "all", "none" or a combation from below:
            # "raw crypt parsing emitting control klips pfkey natt x509 private"
            # eg: plutodebug="control parsing"
            #
        # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
            #
        # NAT-TRAVERSAL support, see README.NAT-Traversal
            nat_traversal=yes
            #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
            # If we consider that we have an internal interface on subnet 192.168.22.0/24,
            # we need to had here we had %v4:!192.168.22.0/24
            virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
            #
        # enable this if you see "failed to find any available worker"
            nhelpers=0
            protostack=netkey
            oe=no
    conn L2TP-PSK-CLIENTS
      #
      # Configuration for one user with any type of IPsec/L2TP client
      # including the updated Windows 2000/XP (MS KB Q818043), but
      # excluding the non-updated Windows 2000/XP.
      #
      #
      # Use a Preshared Key. Disable Perfect Forward Secrecy.
      #
      # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
      # YourIPAddress  %any: "sharedsecret"
      authby=secret
      pfs=no
      auto=add
      keyingtries=3
      # we cannot rekey for %any, let client rekey
      rekey=no
      type=transport
      #
      left=172.16.1.53
      leftnexthop=172.16.1.1
      #leftsubnets={172.16.0.0/12,192.168.1.0/24}
      leftsubnet=0.0.0.0/0
      #leftsubnet=172.16.0.0/12
      # or you can use: left=YourIPAddress
      # leftnexthop=YourGatewayIPAddress
      #
      # For updated Windows 2000/XP clients,
      # to support old clients as well, use leftprotoport=17/%any
      leftprotoport=17/%any
      #
      # The remote user.
      right=%any
      rightsubnet=0.0.0.0/0
      rightnexthop=172.16.1.1
      # Using the magic port of "0" means "any one single port". This is
      # a work around required for Apple OSX clients that use a randomly
      # high port, but propose "0" instead of their port.
      rightprotoport=0/%any

Current Openswan routing table

    Kernel IP routing table
    Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
    10.5.1.11       0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
    172.16.1.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
    0.0.0.0         172.16.1.1      0.0.0.0         UG        0 0          0 eth0

Openswan version:

    openswan-2.6.43

VPC route table

    Destination     Target
    172.16.0.0/16   local
    0.0.0.0/0       igw-xxxxxxxx
    10.5.1.0/24     eni-xxxxxx / i-xxxxxx (openswan)
    192.168.0.0/16  vgw-xxxxxxx
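As an added example (not part of the question and not Openswan or AWS code), the script below parses the two routing tables quoted above, the kernel table on the Openswan host and the VPC route table, and performs a longest-prefix lookup for a destination in each. That makes it easy to see which hop handles a packet from a connected L2TP client toward the office subnet, and which VPC target handles the return traffic toward the client pool. The table text is copied from the question; the function names are my own, and the trace only reflects what the two tables say, not what the VGW or office router does with the traffic.

```python
import ipaddress

# Constructed inputs: the two routing tables exactly as quoted in the question.
KERNEL_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.5.1.11       0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
172.16.1.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
0.0.0.0         172.16.1.1      0.0.0.0         UG        0 0          0 eth0
"""

VPC_ROUTES = """\
Destination Target
172.16.0.0/16 local
0.0.0.0/0 igw-xxxxxxxx
10.5.1.0/24 eni-xxxxxx / i-xxxxxx (openswan)
192.168.0.0/16 vgw-xxxxxxx
"""


def parse_kernel_routes(text):
    """Parse `route -n` style output into (network, gateway, iface) tuples.

    The first two lines are the title and column header and are skipped.
    Destination and Genmask are combined into an IPv4Network.
    """
    routes = []
    for line in text.splitlines()[2:]:
        parts = line.split()
        if len(parts) < 8:
            continue
        dest, gateway, genmask, iface = parts[0], parts[1], parts[2], parts[-1]
        routes.append((ipaddress.IPv4Network(f"{dest}/{genmask}"), gateway, iface))
    return routes


def parse_vpc_routes(text):
    """Parse the 'Destination Target' listing into (network, target) tuples."""
    routes = []
    for line in text.splitlines()[1:]:
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            continue
        routes.append((ipaddress.IPv4Network(parts[0]), parts[1].strip()))
    return routes


def lookup(routes, address):
    """Longest-prefix match: return the most specific entry containing address."""
    ip = ipaddress.IPv4Address(address)
    best = None
    for entry in routes:
        net = entry[0]
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = entry
    return best


def trace(destination, kernel_text=KERNEL_ROUTES, vpc_text=VPC_ROUTES):
    """Describe how the Openswan host and then the VPC forward a packet.

    Returns a dict with the kernel next hop / interface and the VPC target.
    A None value means the table has no matching entry.
    """
    k = lookup(parse_kernel_routes(kernel_text), destination)
    v = lookup(parse_vpc_routes(vpc_text), destination)
    return {
        "destination": destination,
        "kernel_gateway": k[1] if k else None,
        "kernel_iface": k[2] if k else None,
        "vpc_target": v[1] if v else None,
    }


if __name__ == "__main__":
    # Forward path: L2TP client -> office host.
    print(trace("192.168.1.10"))
    # Return path as seen by the VPC: office host -> the connected client.
    print(trace("10.5.1.11"))
```

Running it shows that, on the Openswan host, a packet for 192.168.1.10 falls through to the default route via 172.16.1.1 on eth0, where the VPC table hands it to the vgw; in the other direction the VPC table sends 10.5.1.x back to the Openswan instance's ENI, and the host then has only a /32 ppp0 route for the currently connected client. Both tables have an entry for each direction, so the quoted tables alone do not show a missing route; the remaining questions are whether the office side knows a route back to 10.5.1.0/24 and whether forwarding is enabled on the Openswan host.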