AWS 隧道上的 Openswan IPSec VPN 已建立但没有流量

我正在使用 AWS/VPC/EC2/Centos7/Libreswan 与一家电信公司建立隧道，但已经陷入困境数周。非常感谢大家的帮助！

我有 192.168.16.73（VPN GW，EIP 52.76.xx）和 192.168.16.116（加密域服务器）。隧道似乎已启动，但无法获得任何 ping 响应。我认为 ping 流量根本没有通过隧道。

我已经完成了这些。1
. 禁用 VPN GW 上的源/目标检查
2. 在我的 VPC 路由表中，我为目标 192.100.86.0/24 添加了 Target=VPN GW

tcpdump -n icmp（从 192.168.16.116 ping 到 192.100.86.69 时）

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
17:32:04.926003 IP 192.168.16.116 > 192.100.86.69: ICMP echo request, id 22412, seq 9593, length 64
17:32:04.926029 IP 52.76.x.x > 192.100.86.69: ICMP echo request, id 22412, seq 9593, length 64
17:32:05.186064 IP 192.168.16.116 > 192.100.86.69: ICMP echo request, id 23423, seq 6789, length 64
17:32:05.186092 IP 52.76.x.x > 192.100.86.69: ICMP echo request, id 23423, seq 6789, length 64

tcpdump 端口 500 或端口 4500

0 packets captured
0 packets received by filter
0 packets dropped by kernel

ipsec 状态

000 "telco":
192.168.16.116/32===192.168.16.73[52.76.x.x]---192.168.16.1...203.92.y.y<203.92.y.y>===192.100.86.0/24; erouted; eroute owner: #2
000 "telco":     oriented; my_ip=192.168.16.116; their_ip=unset
000 "telco":   xauth info: us:none, them:none,  my_xauthuser=[any]; their_xauthuser=[any]
000 "telco":   modecfg info: us:none, them:none, modecfg policy:push, dns1:unset, dns2:unset, domain:unset, banner:unset;
000 "telco":   labeled_ipsec:no;
000 "telco":   policy_label:unset;
000 "telco":   ike_life: 86400s; ipsec_life: 3600s; rekey_margin: 540s; rekey_fuzz: 100%; keyingtries: 0;
000 "telco":   retransmit-interval: 500ms; retransmit-timeout: 60s;
000 "telco":   sha2_truncbug:no; initial_contact:no; cisco_unity:no; send_vendorid:no;
000 "telco":   policy: PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW;
000 "telco":   conn_prio: 32,24; interface: eth0; metric: 0; mtu: unset; sa_prio:auto; nflog-group: unset;
000 "telco":   dpd: action:hold; delay:0; timeout:0; nat-t: force_encaps:yes; nat_keepalive:yes; ikev1_natt:both
000 "telco":   newest ISAKMP SA: #1; newest IPsec SA: #2;
000 "telco":   IKE algorithms wanted: 3DES_CBC(5)_000-MD5(1)_000-MODP1024(2)
000 "telco":   IKE algorithms found:  3DES_CBC(5)_192-MD5(1)_128-MODP1024(2)
000 "telco":   IKE algorithm newest: 3DES_CBC_192-MD5-MODP1024
000 "telco":   ESP algorithms wanted: 3DES(3)_000-MD5(1)_000
000 "telco":   ESP algorithms loaded: 3DES(3)_000-MD5(1)_000
000 "telco":   ESP algorithm newest: 3DES_000-HMAC_MD5; pfsgroup=<N/A>
000 #2: "telco":500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2837s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "telco" [email protected] [email protected] [email protected] [email protected] ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B 
000 #1: "telco":500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 85396s; newest ISAKMP; nodpd; idle; import:admin initiate

ip xfrm 策略

src 192.168.16.116/32 dst 192.100.86.0/24 
    dir out priority 2088 ptype main 
    tmpl src 192.168.16.73 dst 203.92.y.y
        proto esp reqid 16397 mode tunnel
src 192.100.86.0/24 dst 192.168.16.116/32 
    dir fwd priority 2088 ptype main 
    tmpl src 203.92.y.y dst 192.168.16.73
        proto esp reqid 16397 mode tunnel
src 192.100.86.0/24 dst 192.168.16.116/32 
    dir in priority 2088 ptype main 
    tmpl src 203.92.y.y dst 192.168.16.73
        proto esp reqid 16397 mode tunnel

猫/etc/ipsec.conf

config setup
    protostack=netkey
    plutodebug=all
    plutostderrlog=/var/log/pluto.log
    dumpdir=/var/run/pluto/
    nat_traversal=yes
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10,%v6:fd00::/8,%v6:fe80::/10
# Add connections here
conn telco
    type=tunnel
    pfs=no
    forceencaps=yes
#   auto=start
#gx#
    left=%defaultroute
    leftid=52.76.x.x
    leftnexthop=%defaultroute
    leftsubnet=192.168.16.116/32
    leftsourceip=192.168.16.116
#telco
    right=203.92.y.y
    rightid=203.92.y.y
#   rightnexthop=%defaultroute
    rightsubnet=192.100.86.0/24
#   rightsourceip=192.100.86.203
#phase 1 encryption-integrity-DiffieHellman
    keyexchange=ike
    ike=3des-md5-modp1024
    ikelifetime=86400s
    authby=secret #use presharedkey
    rekey=yes  #should we rekey when key lifetime is about to expire
#phase 2 encryption-pfsgroup
    phase2=esp #esp for encryption | ah for authentication only
    phase2alg=3des-md5
    keylife=3600s 
include /etc/ipsec.d/*.conf

路线-n

> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.16.1    0.0.0.0         UG    0      0        0 eth0
192.100.86.0    192.168.16.1    255.255.255.0   UG    0      0        0 eth0
192.168.16.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0

iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

猫/etc/sysctl.conf

net.ipv4.ip_forward=1
#
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.lo.rp_filter=0
#
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.eth0.send_redirects=0
net.ipv4.conf.lo.send_redirects=0
#
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.lo.accept_redirects=0
#
net.ipv4.conf.default.accept_source_route=0
net.ipv6.conf.all.disable_ipv6=1
net.ipv6.conf.default.disable_ipv6=1
net.ipv4.conf.default.log_martians=0
net.ipv4.conf.all.log_martians=0
net.ipv4.icmp_ignore_bogus_error_responses=1