pfSense IPsec VPN to Amazon AWS won't connect

I am trying to set up an IPsec VPN from our DC network to our Amazon VPC, i.e. site-to-site, also known as a network-to-network connection. For this I set up pfSense 2.2.6 and gave it a public IP on the WAN interface plus three internal "LAN" connections, from which we can manage pfSense and use it as the gateway to AWS from each of our VLANs. For the initial setup I am using 172.24.00.0/16 as the internal range on AWS (the VPC range) and 172.20.20.0/24 as the internal range in our DC. All interfaces are up and reachable (if I set the firewall to allow ping and/or other traffic). I then added routes on a few servers in each VLAN that send traffic for the AWS subnet to the pfSense IP in that VLAN.

I set up the IPsec connection following http://www.heitorlessa.com/site-to-site-vpn-pfsense-and-amazon-vpc/ and watched whether it connects. After creating the IPsec setup and activating it, I did not see any "allow" rules appear in the firewall, so I added some allow rules myself (currently allowing everything from the IPsec and LAN networks, just to make sure the firewall isn't blocking anything). Unfortunately, after 40 seconds the connection drops and a new one is created. This repeats forever.

I have tried various Phase 1 and Phase 2 settings, but nothing made it any better. I looked at https://doc.pfsense.org/index.php/IPsec_Troubleshooting to try to find out what the problem is, but I don't see the symptoms listed there.

Here is the log output of one of these connections:

Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> queueing ISAKMP_VENDOR task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> queueing ISAKMP_CERT_PRE task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> queueing MAIN_MODE task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> queueing ISAKMP_CERT_POST task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> queueing ISAKMP_NATD task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> activating new tasks
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> activating ISAKMP_VENDOR task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> activating ISAKMP_CERT_PRE task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> activating MAIN_MODE task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> activating ISAKMP_CERT_POST task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> activating ISAKMP_NATD task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> sending XAuth vendor ID
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> sending DPD vendor ID
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> sending Cisco Unity vendor ID
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> sending FRAGMENTATION vendor ID
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> sending NAT-T (RFC 3947) vendor ID
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> initiating Main Mode IKE_SA con1000[1636] to 52.50.173.75
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> IKE_SA con1000[1636] state change: CREATED => CONNECTING
Apr 8 08:58:33  charon: 08[CFG] <con1000|1635> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33  charon: 08[ENC] <con1000|1635> generating ID_PROT request 0 [ SA V V V V V V ]
Apr 8 08:58:33  charon: 08[NET] <con1000|1635> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (200 bytes)
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> IKE_SA con1000[1635] state change: DELETING => DELETING
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> IKE_SA con1000[1635] state change: DELETING => DESTROYING
Apr 8 08:58:33  charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[500] to 78.#.#.#[500] (124 bytes)
Apr 8 08:58:33  charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ SA V V ]
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> received DPD vendor ID
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> received NAT-T (RFC 3947) vendor ID
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> selecting proposal:
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> proposal matches
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> reinitiating already active tasks
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> ISAKMP_VENDOR task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> MAIN_MODE task
Apr 8 08:58:33  charon: 08[ENC] <con1000|1636> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 8 08:58:33  charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (244 bytes)
Apr 8 08:58:33  charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[500] to 78.#.#.#[500] (228 bytes)
Apr 8 08:58:33  charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> remote host is behind NAT
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> reinitiating already active tasks
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> ISAKMP_VENDOR task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> MAIN_MODE task
Apr 8 08:58:33  charon: 08[ENC] <con1000|1636> generating ID_PROT request 0 [ ID HASH ]
Apr 8 08:58:33  charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (76 bytes)
Apr 8 08:58:33  charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (76 bytes)
Apr 8 08:58:33  charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ ID HASH ]
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] established between 78.#.#.#[78.#.#.#]...52.50.173.75[52.50.173.75]
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] state change: CONNECTING => ESTABLISHED
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> scheduling reauthentication in 27753s
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> maximum IKE_SA lifetime 28293s
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> activating new tasks
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> activating QUICK_MODE task
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> proposing traffic selectors for us:
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> 172.20.20.0/24|/0
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> proposing traffic selectors for other:
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> 172.24.0.0/16|/0
Apr 8 08:58:33  charon: 08[ENC] <con1000|1636> generating QUICK_MODE request 757313 [ HASH SA No ID ID ]
Apr 8 08:58:33  charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:58:35  charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid {4}
Apr 8 08:58:35  charon: 02[IKE] <con1000|1636> queueing QUICK_MODE task
Apr 8 08:58:35  charon: 02[IKE] <con1000|1636> delaying task initiation, QUICK_MODE exchange in progress
Apr 8 08:58:37  charon: 02[IKE] <con1000|1636> sending retransmit 1 of request message ID 757313, seq 4
Apr 8 08:58:37  charon: 02[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:58:43  charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (92 bytes)
Apr 8 08:58:43  charon: 08[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1175761486 [ HASH N(DPD) ]
Apr 8 08:58:43  charon: 08[IKE] <con1000|1636> queueing ISAKMP_DPD task
Apr 8 08:58:43  charon: 08[IKE] <con1000|1636> delaying task initiation, QUICK_MODE exchange in progress
Apr 8 08:58:44  charon: 08[IKE] <con1000|1636> sending retransmit 2 of request message ID 757313, seq 4
Apr 8 08:58:44  charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:58:47  charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid {4}
Apr 8 08:58:47  charon: 06[CFG] ignoring acquire, connection attempt pending
Apr 8 08:58:57  charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid {4}
Apr 8 08:58:57  charon: 06[CFG] ignoring acquire, connection attempt pending
Apr 8 08:58:57  charon: 08[IKE] <con1000|1636> sending retransmit 3 of request message ID 757313, seq 4
Apr 8 08:58:57  charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:59:09  charon: 02[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid {4}
Apr 8 08:59:09  charon: 06[CFG] ignoring acquire, connection attempt pending
Apr 8 08:59:13  charon: 02[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (92 bytes)
Apr 8 08:59:13  charon: 02[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1960722943 [ HASH D ]
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> received DELETE for IKE_SA con1000[1636]
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> deleting IKE_SA con1000[1636] between 78.#.#.#[78.#.#.#]...52.50.173.75[52.50.173.75]
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: ESTABLISHED => DELETING
Apr 8 08:59:13  charon: 02[KNL] <con1000|1636> unable to delete SAD entry with SPI c8583b7b: No such file or directory (2)
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> queueing ISAKMP_VENDOR task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> queueing ISAKMP_CERT_PRE task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> queueing MAIN_MODE task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> queueing ISAKMP_CERT_POST task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> queueing ISAKMP_NATD task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> activating new tasks
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> activating ISAKMP_VENDOR task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> activating ISAKMP_CERT_PRE task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> activating MAIN_MODE task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> activating ISAKMP_CERT_POST task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> activating ISAKMP_NATD task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> sending XAuth vendor ID
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> sending DPD vendor ID
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> sending Cisco Unity vendor ID
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> sending FRAGMENTATION vendor ID
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> sending NAT-T (RFC 3947) vendor ID
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> initiating Main Mode IKE_SA con1000[1637] to 52.50.173.75
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> IKE_SA con1000[1637] state change: CREATED => CONNECTING
Apr 8 08:59:13  charon: 02[CFG] <con1000|1636> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:59:13  charon: 02[ENC] <con1000|1636> generating ID_PROT request 0 [ SA V V V V V V ]
Apr 8 08:59:13  charon: 02[NET] <con1000|1636> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (200 bytes)
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: DELETING => DELETING
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: DELETING => DESTROYING

This is the AWS generic configuration (obfuscated):

Amazon Web Services
Virtual Private Cloud

VPN Connection Configuration
================================================================================
AWS utilizes unique identifiers to manipulate the configuration of 
a VPN Connection. Each VPN Connection is assigned a VPN Connection Identifier 
and is associated with two other identifiers, namely the 
Customer Gateway Identifier and the Virtual Private Gateway Identifier.

Your VPN Connection ID               : vpn-<hex>
Your Virtual Private Gateway ID          : vgw-<hex>
Your Customer Gateway ID             : cgw-<hex>

A VPN Connection consists of a pair of IPSec tunnel security associations (SAs). 
It is important that both tunnel security associations be configured. 


IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration

Configure the IKE SA as follows
  - Authentication Method    : Pre-Shared Key 
  - Pre-Shared Key           : <shizzl>
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
  - DPD Interval             : 10
  - DPD Retries              : 3

IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space, 
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following 
configuration on your Customer Gateway:
  - TCP MSS Adjustment       : 1387 bytes
  - Clear Don't Fragment Bit : enabled
  - Fragmentation            : Before encryption

Hopefully this is something obvious that I have overlooked. Any help or insight to solve this would be much appreciated.

Answer 1

It turns out that AWS does not allow the tunnel to be established when the subnet we want to route to does not match the subnet defined on the AWS VPC. Since we only defined a single /24 subnet on AWS, we cannot send a /16 there. Only when we reduced the routing mask to /24 did the IPsec VPN connect properly. We had hoped Amazon would allow this and simply drop all traffic for which there is no subnet, but that is not the case.
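The failure pattern in the question's log (Phase 1 reaches ESTABLISHED, the QUICK_MODE request is retransmitted three times with no reply, then the peer sends a DELETE) is exactly what a Phase 2 traffic selector mismatch looks like from the pfSense side. The script below is an added example, not code from the question, the answer or pfSense/strongSwan: it parses charon log lines of the shape shown above, extracts the proposed traffic selectors, and checks whether the selector proposed for the remote side is fully contained in the subnets defined in the VPC. The VPC subnet `172.24.0.0/24` is an assumption (the answer says only one /24 exists, not which one); the embedded log lines are copied from the question, trimmed to the relevant events.

```python
"""Diagnose a failed IKEv1 Phase 2 from strongSwan (charon) log lines.

Added example for the question above. It recognises the pattern IKE_SA
ESTABLISHED -> QUICK_MODE request retransmitted -> DELETE from the peer, and
checks whether the Phase 2 selector proposed for the remote side is covered
by the subnets actually defined in the VPC.
"""
import ipaddress
import re

# Log lines copied from the question, trimmed to the events that matter.
SAMPLE_LOG = """\
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] established between 78.#.#.#[78.#.#.#]...52.50.173.75[52.50.173.75]
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] state change: CONNECTING => ESTABLISHED
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> activating QUICK_MODE task
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> proposing traffic selectors for us:
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> 172.20.20.0/24|/0
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> proposing traffic selectors for other:
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> 172.24.0.0/16|/0
Apr 8 08:58:33  charon: 08[ENC] <con1000|1636> generating QUICK_MODE request 757313 [ HASH SA No ID ID ]
Apr 8 08:58:37  charon: 02[IKE] <con1000|1636> sending retransmit 1 of request message ID 757313, seq 4
Apr 8 08:58:43  charon: 08[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1175761486 [ HASH N(DPD) ]
Apr 8 08:58:44  charon: 08[IKE] <con1000|1636> sending retransmit 2 of request message ID 757313, seq 4
Apr 8 08:58:57  charon: 08[IKE] <con1000|1636> sending retransmit 3 of request message ID 757313, seq 4
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> received DELETE for IKE_SA con1000[1636]
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: ESTABLISHED => DELETING
"""

# Assumption: the single subnet defined in the VPC (the answer names a /24, not which one).
ASSUMED_VPC_SUBNETS = ["172.24.0.0/24"]

# Strips "Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> " and keeps the message text.
MSG_RE = re.compile(r"charon: \d+\[[A-Z]+\]\s+(?:<[^>]*>\s+)?(.*)$")
TS_HEADER_RE = re.compile(r"proposing traffic selectors for (us|other):")
TS_ENTRY_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\|/\d+$")
RETRANSMIT_RE = re.compile(r"sending retransmit (\d+) of request message ID")


def _messages(log_text):
    """Yield the message part of each charon log line, prefix removed."""
    for line in log_text.splitlines():
        m = MSG_RE.search(line)
        if m:
            yield m.group(1).strip()


def extract_traffic_selectors(log_text):
    """Return {"us": [...], "other": [...]} from the 'proposing traffic selectors' block."""
    selectors = {"us": [], "other": []}
    side = None
    for msg in _messages(log_text):
        header = TS_HEADER_RE.search(msg)
        if header:
            side = header.group(1)
            continue
        entry = TS_ENTRY_RE.match(msg)
        if side and entry:
            selectors[side].append(entry.group(1))
        else:
            side = None  # any other message ends the selector list
    return selectors


def uncovered_selectors(remote_selectors, vpc_subnets):
    """Remote-side selectors that no VPC subnet fully contains (the mismatch AWS rejects)."""
    nets = [ipaddress.ip_network(s, strict=False) for s in vpc_subnets]
    return [ts for ts in remote_selectors
            if not any(ipaddress.ip_network(ts, strict=False).subnet_of(n) for n in nets)]


def diagnose(log_text, vpc_subnets):
    """Summarise Phase 1 / Phase 2 progress and flag a traffic selector mismatch."""
    msgs = list(_messages(log_text))
    retransmits = [int(m.group(1)) for m in map(RETRANSMIT_RE.search, msgs) if m]
    result = {
        "ike_established": any("IKE_SA" in m and "established between" in m for m in msgs),
        "child_sa_established": any(m.startswith("CHILD_SA") and "established" in m for m in msgs),
        "quick_mode_retransmits": max(retransmits, default=0),
        "delete_received": any("received DELETE for IKE_SA" in m for m in msgs),
    }
    selectors = extract_traffic_selectors(log_text)
    result["uncovered_selectors"] = uncovered_selectors(selectors["other"], vpc_subnets)
    if result["ike_established"] and not result["child_sa_established"] and result["delete_received"]:
        verdict = "Phase 1 completed but Phase 2 (Quick Mode) never did; the peer deleted the IKE_SA."
        if result["uncovered_selectors"]:
            verdict += " Remote selector(s) not covered by any VPC subnet: " + ", ".join(result["uncovered_selectors"])
    else:
        verdict = "No Phase 2 failure pattern found."
    result["verdict"] = verdict
    return result


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG, ASSUMED_VPC_SUBNETS).items():
        print(f"{key}: {value}")
```

Run it as-is to see the verdict for the question's log; to use it on a live box, feed it the IPsec log from pfSense (Status > System Logs > IPsec) and replace `ASSUMED_VPC_SUBNETS` with the CIDR blocks actually defined in the VPC. The containment check is the one that matters: a proposed remote selector wider than any VPC subnet (here a /16 against a /24) is what the answer identifies as the cause.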
