我希望这个网站能够帮助我解决这个问题,因为我一直在为此烦恼!
我正在使用 OpenSwan 在 Rackspace 上的 VPN 服务器和 AWS 上的 VPN 服务器之间设置 IPSec 隧道。我在网上浏览过几个教程,也尝试过查看日志和查找某些错误,但还是找不到一个明确的答案。
这是我的 Rackspace 机器的 ipsec.conf 文件
## general configuration parameters ##
config setup
plutodebug=all
plutostderrlog=/var/log/pluto.log
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
## disable opportunistic encryption in Red Hat ##
#oe=off
## disable opportunistic encryption in Debian ##
## Note: this is a separate declaration statement ##
#include /etc/ipsec.d/examples/no_oe.conf
## connection definition in Debian ##
conn compconnection
authby=rsasig
auto=start
## phase 1 ##
keyexchange=ike
## phase 2 ##
esp=3des-md5
pfs=yes
type=tunnel
left=104.130.13.126
leftrsasigkey=0sAQNQjjD6EgYknzjnEY7APlkUMEvP6y/CUHbX/B/JQy3BDZafGkaQDjXPdLwRDjGKCGcka2MxaDGklL7uARmlHOHZnFJyZlbr6iW5c7H5f2bif/Ms1UmELXf1uFFwDiwzHjFp9uTZEEV7d3qLM8iAiwBaKPPUgbb2LiQPIYDNC3QAs5anIvUtTBPB8MPG/W11H36CM5Ce51C1pUTdJl3Z9i3/nOG6Lz5c+Kxe40Pi5WHPg39093QkIDEPy0K2mvttTxgvzwDogD1h9M30vK2QPpMstkPKSLdipqj3m71SQDk1VieIkeMQqFIR2+PMn+KDzuTCjeZWTgxMk8ipuyNBuSkl
rightrsasigkey=0sAQOxf6HhY2cYpyVFbHG7+owH/LzwJdRnj/HgBmSaATf+NY281JTxcehZqALW24/PiLuspObIJaj/DmOpjS1OW4z/fIODMZwMk/J+PNW73i54/trrUMy7PGbWM0a76WXGODvwkRVbQZ0skcJhBiDOxD6I/o03HOeLN7z9s/Q2unuTdvEHsN0v0J23sxoF7fe0Rlfp5kac++tyjcVXZ6GNV/NSDAKdx9+FFaxxrQwOJOI3+LPvVrDdxA582omgZSF2J+0AGpOGkA5LwJdI2uttEQBaEHayJ6qFrCBk3YpaeYzYK4EYb5PvtdD1+w5eMfIKaLd1cakY0Tc9maO8O3N6pngpT5oQBkChWlfBT96UtHdT3RUf
leftsourceip=192.168.3.1
leftsubnet=192.168.3.0/24
## for direct routing ##
#leftsubnet=/32
leftnexthop=%defaultroute
right=54.164.228.5
rightsubnet=172.31.16.0/20
这是我的 AWS 机器的 ipsec.conf:
## general configuration parameters ##
config setup
plutodebug=all
plutostderrlog=/var/log/pluto.log
protostack=netkey
nat_traversal=yes
virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
## disable opportunistic encryption in Red Hat ##
#oe=off
## disable opportunistic encryption in Debian ##
## Note: this is a separate declaration statement ##
#include /etc/ipsec.d/examples/no_oe.conf
## connection definition in Debian ##
conn compconnection
authby=rsasig
auto=start
## phase 1 ##
keyexchange=ike
## phase 2 ##
esp=3des-md5
pfs=yes
type=tunnel
left=54.164.228.5
leftrsasigkey=0sAQOxf6HhY2cYpyVFbHG7+owH/LzwJdRnj/HgBmSaATf+NY281JTxcehZqALW24/PiLuspObIJaj/DmOpjS1OW4z/fIODMZwMk/J+PNW73i54/trrUMy7PGbWM0a76WXGODvwkRVbQZ0skcJhBiDOxD6I/o03HOeLN7z9s/Q2unuTdvEHsN0v0J23sxoF7fe0Rlfp5kac++tyjcVXZ6GNV/NSDAKdx9+FFaxxrQwOJOI3+LPvVrDdxA582omgZSF2J+0AGpOGkA5LwJdI2uttEQBaEHayJ6qFrCBk3YpaeYzYK4EYb5PvtdD1+w5eMfIKaLd1cakY0Tc9maO8O3N6pngpT5oQBkChWlfBT96UtHdT3RUf
rightrsasigkey=0sAQNQjjD6EgYknzjnEY7APlkUMEvP6y/CUHbX/B/JQy3BDZafGkaQDjXPdLwRDjGKCGcka2MxaDGklL7uARmlHOHZnFJyZlbr6iW5c7H5f2bif/Ms1UmELXf1uFFwDiwzHjFp9uTZEEV7d3qLM8iAiwBaKPPUgbb2LiQPIYDNC3QAs5anIvUtTBPB8MPG/W11H36CM5Ce51C1pUTdJl3Z9i3/nOG6Lz5c+Kxe40Pi5WHPg39093QkIDEPy0K2mvttTxgvzwDogD1h9M30vK2QPpMstkPKSLdipqj3m71SQDk1VieIkeMQqFIR2+PMn+KDzuTCjeZWTgxMk8ipuyNBuSkl
leftsourceip=172.31.24.171
leftsubnet=172.31.16.0/20
## for direct routing ##
#leftsubnet=/32
leftnexthop=%defaultroute
right=104.130.13.126
rightsubnet=192.168.3.0/24
设置完配置文件后,我打开了 Ipsec 服务,但无法启动隧道。我在 pluto.log 文件中注意到的一件事是,Rackspace 端正在向 AWS 的公共 IP 发送数据,但 AWS 的响应如下:
| find_host_connection2 called from main_inI1_outR1, me=172.31.24.171:500 him=%any:500 policy=RSASIG
| find_host_pair_conn (find_host_connection2): 172.31.24.171:500 %any:500 -> hp:none
| searching for connection with policy = RSASIG
| find_host_connection2 returns empty
packet from 104.130.13.126:500: initial Main Mode message received on 172.31.24.171:500 but no connection has been authorized with policy=RSASIG
| complete state transition with STF_IGNORE
因此,由于某些奇怪的原因,它似乎没有授权 RSASIG 密钥
我还尝试通过执行 ipsec auto --up 命令手动打开隧道,但它在 rackspace 端超时,AWS 会提示“我们无法通过此连接的任何一端来识别自己”
说实话,我不知道问题是什么,也不知道为什么它会给我一些奇怪的错误,而我似乎无法修复
任何帮助,将不胜感激!
编辑
Rackspace 的公网 IP:104.130.13.126 Rackspace 的私网 IP:192.168.3.1
AWS 公网 IP:54.164.228.5 AWS 私网 IP:172.31.24.171
附加编辑/问题
我试图通过端口 4500 从一台服务器 telnet 到另一台服务器,因为 IPSec 使用该端口建立连接,但我收到来自两端的主动拒绝连接,这很奇怪,因为它说它允许在 IPtables 上进行此操作,而在 AWS 端我已经配置了安全组。
IP表:
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT tcp -- anywhere anywhere tcp dpt:4500
ACCEPT udp -- anywhere anywhere udp dpt:ipsec-nat-t
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
这就是 IPtables 在两端的样子
此外,我在两端都使用 Ubuntu 作为操作系统。
IPSEC 验证输出
AWS 上的 IPSec 验证:
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.13.0-74-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]
Rackspace IPSec 验证
Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path [OK]
Linux Openswan U2.6.38/K3.13.0-79-generic (netkey)
Checking for IPsec support in kernel [OK]
SAref kernel support [N/A]
NETKEY: Testing XFRM related proc values [OK]
[OK]
[OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for NAT-T on udp 4500 [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking NAT and MASQUERADEing [OK]
Checking for 'ip' command [OK]
Checking /bin/sh is not /bin/dash [WARNING]
Checking for 'iptables' command [OK]
Opportunistic Encryption Support [DISABLED]