OpenSwan VPN IPSEC tunnel connection

I'm hoping this site can help me solve this problem, because I've been tearing my hair out over it!

I'm using OpenSwan to set up an IPSec tunnel between a VPN server on Rackspace and a VPN server on AWS. I've gone through several tutorials online and have tried looking through the logs and searching for specific errors, but I still can't find a definite answer.

Here is the ipsec.conf file from my Rackspace machine:

## general configuration parameters ##

config setup
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        ## disable opportunistic encryption in Red Hat ##
        #oe=off

## disable opportunistic encryption in Debian ##
## Note: this is a separate declaration statement ##
#include /etc/ipsec.d/examples/no_oe.conf

## connection definition in Debian ##
conn    compconnection
        authby=rsasig
        auto=start
        ## phase 1 ##
        keyexchange=ike
        ## phase 2 ##
        esp=3des-md5
        pfs=yes
        type=tunnel
        left=104.130.13.126
        leftrsasigkey=0sAQNQjjD6EgYknzjnEY7APlkUMEvP6y/CUHbX/B/JQy3BDZafGkaQDjXPdLwRDjGKCGcka2MxaDGklL7uARmlHOHZnFJyZlbr6iW5c7H5f2bif/Ms1UmELXf1uFFwDiwzHjFp9uTZEEV7d3qLM8iAiwBaKPPUgbb2LiQPIYDNC3QAs5anIvUtTBPB8MPG/W11H36CM5Ce51C1pUTdJl3Z9i3/nOG6Lz5c+Kxe40Pi5WHPg39093QkIDEPy0K2mvttTxgvzwDogD1h9M30vK2QPpMstkPKSLdipqj3m71SQDk1VieIkeMQqFIR2+PMn+KDzuTCjeZWTgxMk8ipuyNBuSkl
        rightrsasigkey=0sAQOxf6HhY2cYpyVFbHG7+owH/LzwJdRnj/HgBmSaATf+NY281JTxcehZqALW24/PiLuspObIJaj/DmOpjS1OW4z/fIODMZwMk/J+PNW73i54/trrUMy7PGbWM0a76WXGODvwkRVbQZ0skcJhBiDOxD6I/o03HOeLN7z9s/Q2unuTdvEHsN0v0J23sxoF7fe0Rlfp5kac++tyjcVXZ6GNV/NSDAKdx9+FFaxxrQwOJOI3+LPvVrDdxA582omgZSF2J+0AGpOGkA5LwJdI2uttEQBaEHayJ6qFrCBk3YpaeYzYK4EYb5PvtdD1+w5eMfIKaLd1cakY0Tc9maO8O3N6pngpT5oQBkChWlfBT96UtHdT3RUf
        leftsourceip=192.168.3.1
        leftsubnet=192.168.3.0/24
        ## for direct routing ##
        #leftsubnet=/32
        leftnexthop=%defaultroute
        right=54.164.228.5
        rightsubnet=172.31.16.0/20

Here is the ipsec.conf from my AWS machine:

## general configuration parameters ##

config setup
        plutodebug=all
        plutostderrlog=/var/log/pluto.log
        protostack=netkey
        nat_traversal=yes
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
        ## disable opportunistic encryption in Red Hat ##
        #oe=off

## disable opportunistic encryption in Debian ##
## Note: this is a separate declaration statement ##
#include /etc/ipsec.d/examples/no_oe.conf

## connection definition in Debian ##
conn compconnection
        authby=rsasig
        auto=start
        ## phase 1 ##
        keyexchange=ike
        ## phase 2 ##
        esp=3des-md5
        pfs=yes
        type=tunnel
        left=54.164.228.5
        leftrsasigkey=0sAQOxf6HhY2cYpyVFbHG7+owH/LzwJdRnj/HgBmSaATf+NY281JTxcehZqALW24/PiLuspObIJaj/DmOpjS1OW4z/fIODMZwMk/J+PNW73i54/trrUMy7PGbWM0a76WXGODvwkRVbQZ0skcJhBiDOxD6I/o03HOeLN7z9s/Q2unuTdvEHsN0v0J23sxoF7fe0Rlfp5kac++tyjcVXZ6GNV/NSDAKdx9+FFaxxrQwOJOI3+LPvVrDdxA582omgZSF2J+0AGpOGkA5LwJdI2uttEQBaEHayJ6qFrCBk3YpaeYzYK4EYb5PvtdD1+w5eMfIKaLd1cakY0Tc9maO8O3N6pngpT5oQBkChWlfBT96UtHdT3RUf
        rightrsasigkey=0sAQNQjjD6EgYknzjnEY7APlkUMEvP6y/CUHbX/B/JQy3BDZafGkaQDjXPdLwRDjGKCGcka2MxaDGklL7uARmlHOHZnFJyZlbr6iW5c7H5f2bif/Ms1UmELXf1uFFwDiwzHjFp9uTZEEV7d3qLM8iAiwBaKPPUgbb2LiQPIYDNC3QAs5anIvUtTBPB8MPG/W11H36CM5Ce51C1pUTdJl3Z9i3/nOG6Lz5c+Kxe40Pi5WHPg39093QkIDEPy0K2mvttTxgvzwDogD1h9M30vK2QPpMstkPKSLdipqj3m71SQDk1VieIkeMQqFIR2+PMn+KDzuTCjeZWTgxMk8ipuyNBuSkl
        leftsourceip=172.31.24.171
        leftsubnet=172.31.16.0/20
        ## for direct routing ##
        #leftsubnet=/32
        leftnexthop=%defaultroute
        right=104.130.13.126
        rightsubnet=192.168.3.0/24

After setting up the config files I started the IPsec service, but the tunnel wouldn't come up. One thing I noticed in the pluto.log file is that the Rackspace side is sending to AWS's public IP, but AWS responds with the following:

| find_host_connection2 called from main_inI1_outR1, me=172.31.24.171:500 him=%any:500 policy=RSASIG
| find_host_pair_conn (find_host_connection2): 172.31.24.171:500 %any:500 -> hp:none
| searching for connection with policy = RSASIG
| find_host_connection2 returns empty
packet from 104.130.13.126:500: initial Main Mode message received on 172.31.24.171:500 but no connection has been authorized with policy=RSASIG
| complete state transition with STF_IGNORE

So for some strange reason it seems it isn't authorizing the RSASIG key.

I also tried bringing the tunnel up manually with the ipsec auto --up command, but it times out on the Rackspace side, and AWS reports "We cannot identify ourselves with either end of this connection".

Honestly, I have no idea what the problem is or why it's giving me these strange errors that I can't seem to fix.

Any help would be greatly appreciated!

EDIT

Rackspace public IP: 104.130.13.126
Rackspace private IP: 192.168.3.1

AWS public IP: 54.164.228.5
AWS private IP: 172.31.24.171

Additional edit/question

I tried to telnet from one server to the other on port 4500, since IPSec uses that port to establish the connection, but I get "connection actively refused" from both ends, which is strange because iptables says it's allowed, and on the AWS side I've configured the security group.

iptables:

target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:4500
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

This is what iptables looks like on both ends.

Also, I'm using Ubuntu as the OS on both ends.

ipsec verify output

ipsec verify on AWS:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.38/K3.13.0-74-generic (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]

ipsec verify on Rackspace:

Checking your system to see if IPsec got installed and started correctly:
Version check and ipsec on-path                                 [OK]
Linux Openswan U2.6.38/K3.13.0-79-generic (netkey)
Checking for IPsec support in kernel                            [OK]
 SAref kernel support                                           [N/A]
 NETKEY:  Testing XFRM related proc values                      [OK]
        [OK]
        [OK]
Checking that pluto is running                                  [OK]
 Pluto listening for IKE on udp 500                             [OK]
 Pluto listening for NAT-T on udp 4500                          [OK]
Two or more interfaces found, checking IP forwarding            [FAILED]
Checking NAT and MASQUERADEing                                  [OK]
Checking for 'ip' command                                       [OK]
Checking /bin/sh is not /bin/dash                               [WARNING]
Checking for 'iptables' command                                 [OK]
Opportunistic Encryption Support                                [DISABLED]
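
The pluto.log excerpt above is the responder looking for a conn whose local side is 172.31.24.171 (me=172.31.24.171:500) and finding none: the AWS conn names left=54.164.228.5, which is the NATed public address and not bound on any EC2 interface, so Pluto cannot orient the conn, and the same cause produces "We cannot identify ourselves with either end of this connection". The script below is an added example written for this page, not code from the original post or from the Openswan project. It parses ipsec.conf sections and applies Pluto's orientation rule plus a few pre-flight checks (IKE ID on a NATed host, presence of both RSA keys, deprecated ESP/IKE proposals). The interface address lists are assumptions stated in the code (an EC2 instance only sees its private address; the Rackspace host is assumed to bind its public IP directly), the RSA keys in the sample input are truncated, and the "fixed" conn uses Openswan's own left=%defaultroute plus leftid= idiom for a host behind NAT.

```python
"""Orientation and proposal checks for an Openswan ``conn`` section.

Added example, not code from the original post or from Openswan. Pluto only
answers IKE for a conn it can orient: left= or right= must be an address on a
local interface (or %defaultroute). An unorientable conn yields "We cannot
identify ourselves with either end of this connection" in pluto.log.
"""
import ipaddress
import re

WEAK_ESP = re.compile(r"3des|md5", re.I)
WEAK_IKE = re.compile(r"3des|md5|modp1024", re.I)


def parse_ipsec_conf(text):
    """Return {section: {key: value}}; sections are 'config setup' and conn names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()            # drop comments
        if not line.strip():
            continue
        if not line[0].isspace():                         # unindented: section header
            kind, name = (line.split(None, 1) + [""])[:2]
            current = "config setup" if kind == "config" else name.strip()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.strip().partition("=")
            sections[current][key.strip()] = value.strip()
    return sections


def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:                                    # %any, @id, hostname
        return None


def orient(conn, local_addrs):
    """Sides ('left'/'right') that resolve to this host, as Pluto orients them."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    return [s for s in ("left", "right")
            if conn.get(s) == "%defaultroute" or _as_ip(conn.get(s, "")) in local]


def diagnose(conn, local_addrs):
    """Return [(code, message)] for settings that would keep the conn from coming up."""
    findings, ours = [], orient(conn, local_addrs)
    if not ours:
        findings.append(("unoriented", f"neither left={conn.get('left')} nor right="
                         f"{conn.get('right')} is local; behind NAT use left=%defaultroute"))
    all_private = all(ipaddress.ip_address(a).is_private for a in local_addrs)
    for side in ours:
        addr = conn[side]
        natted = all_private if addr == "%defaultroute" else _as_ip(addr).is_private
        if natted and f"{side}id" not in conn:       # peer expects our public IP as ID
            findings.append((f"missing-{side}id",
                             f"{side}={addr} would be sent as our IKE ID; set {side}id="))
    if conn.get("authby") == "rsasig":
        for side in ("left", "right"):
            if f"{side}rsasigkey" not in conn:
                findings.append((f"missing-{side}rsasigkey",
                                 f"authby=rsasig but no {side}rsasigkey="))
    if WEAK_ESP.search(conn.get("esp", "")):
        findings.append(("weak-esp", f"esp={conn['esp']}: 3DES/MD5 are deprecated; "
                         "use esp=aes256-sha1 at least"))
    if WEAK_IKE.search(conn.get("ike", "")):
        findings.append(("weak-ike", f"ike={conn['ike']}: deprecated cipher/hash/DH group"))
    return findings


# Constructed sample input modelled on the post's conns; RSA keys truncated.
RACKSPACE_CONF = """\
conn compconnection
    authby=rsasig
    esp=3des-md5
    left=104.130.13.126
    leftrsasigkey=0sAQNQjjD6
    rightrsasigkey=0sAQOxf6Hh
    right=54.164.228.5
"""
AWS_CONF = """\
conn compconnection
    authby=rsasig
    esp=3des-md5
    left=54.164.228.5
    leftrsasigkey=0sAQOxf6Hh
    rightrsasigkey=0sAQNQjjD6
    right=104.130.13.126
"""
# The AWS conn with NAT-aware orientation and non-deprecated proposals.
AWS_FIXED_CONF = (AWS_CONF
    .replace("left=54.164.228.5", "left=%defaultroute\n    leftid=54.164.228.5")
    .replace("esp=3des-md5", "ike=aes256-sha1;modp2048\n    esp=aes256-sha1"))
# Assumed interface addresses: EC2 sees only its private address (the public one
# is NATed by AWS); the Rackspace host is assumed to bind its public IP directly.
AWS_ADDRS = ["172.31.24.171"]
RACKSPACE_ADDRS = ["104.130.13.126", "192.168.3.1"]
```

Run against the AWS conn as posted it reports "unoriented" and "weak-esp"; against the Rackspace conn only "weak-esp"; against the fixed AWS conn nothing. The Rackspace side keeps right=54.164.228.5, which already makes the expected peer ID the public address, so leftid=54.164.228.5 on AWS is what lets the two agree. Two things the script cannot see: IKE runs over UDP 500 and UDP 4500 only, so a TCP telnet to 4500 being refused says nothing about the tunnel (watch `tcpdump -ni eth0 'udp port 500 or udp port 4500'` on the responder while the initiator runs `ipsec auto --up compconnection`), and the "checking IP forwarding [FAILED]" line in the Rackspace ipsec verify output means net.ipv4.ip_forward=0, which has to be 1 for a subnet-to-subnet tunnel to carry traffic once IKE succeeds.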