I want to connect our office to an Amazon AWS VPC so that we can manage RDS and EC2 instances that sit in a non-public subnet. I am fairly new to this, but my idea is to use a software instance of pfSense to test the setup, because it is a supported platform and we would like to buy a pfSense-compatible router for our office.
I want to establish a secure IPsec VPN connection from pfSense to the AWS VPC and make the instances inside the VPC reachable from our office. At the moment the pfSense firewall runs inside a VirtualBox VM on my developer machine.
Network setup
External office IP: 88.77.66.55
Office LAN subnet: 192.168.56.0/24 via VirtualBox
pfSense router IP: 192.168.0.100
Amazon VPC subnet: 10.0.0.0/16
AWS VPN connection tunnel: 111.222.333.444
AWS setup
1) Create a VPC with CIDR 10.0.0.0/16
2) Create a subnet inside the VPC with the same CIDR 10.0.0.0/16
3) Create a customer gateway pointing at the external office IP (88.77.66.55) with a static route for 192.168.56.0/24 (the VirtualBox network)
4) Create a virtual private gateway and attach it to the VPC
5) Create a VPN connection and link it to the customer gateway and the virtual private gateway
6) Download the pfSense configuration
VirtualBox setup
1) Add two network adapters: one bridged network and one host-only connection
2) Install the pfSense image
pfSense setup
1) Boot pfSense
2) Assign WAN to the bridged network IP (becomes 192.168.0.100)
3) Assign LAN to the host-only network (192.168.56.1)
4) Set up the IPsec tunnel according to the downloaded pfSense configuration file
5) Ping the VPN tunnel from pfSense
6) Allow all IPv4 traffic on the WAN and LAN interfaces
Office router
Ports 500 and 4500 forwarded to the pfSense IP 192.168.0.100
Network diagram
+--------------------+      +-----------------+      +-------------------+
| VPN Connection     +----->| Virtual Private +----->| Amazon VPC        |
| Tunnel 1           |      | Gateway         |      |                   |
| 111.222.333.444    |<-----+                 |<-----+ 10.0.0.0/16       |
+------+------^------+      +-----------------+      +-------------------+
       |      |
       |      |
       |      |
       |      |                                      +---------------------+
+------v------+------+      +----------------+       | VirtualBox pfSense  |
| Customer Gateway   +----->| Office Router  +------>| WAN 192.168.0.100   |
|                    |<-----+ 88.77.66.55    |<------+ LAN 192.168.0.56    |
+--------------------+      +----------------+       +---------------------+
Configuration screenshots
Sample log
Nov 23 09:55:12 pfSense ipsec_starter[58921]: Starting strongSwan 5.6.0 IPsec [starter]...
Nov 23 09:55:12 pfSense ipsec_starter[58921]: no netkey IPsec stack detected
Nov 23 09:55:12 pfSense ipsec_starter[58921]: no KLIPS IPsec stack detected
Nov 23 09:55:12 pfSense ipsec_starter[58921]: no known IPsec stack detected, ignoring!
Nov 23 09:55:12 pfSense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, FreeBSD 11.1-RELEASE-p4, amd64)
Nov 23 09:55:12 pfSense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Nov 23 09:55:12 pfSense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Nov 23 09:55:12 pfSense charon: 00[CFG] loading unbound resolver config from '/etc/resolv.conf'
Nov 23 09:55:12 pfSense charon: 00[CFG] loading unbound trust anchors from '/usr/local/etc/ipsec.d/dnssec.keys'
Nov 23 09:55:12 pfSense charon: 00[CFG] ipseckey plugin is disabled
Nov 23 09:55:12 pfSense charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Nov 23 09:55:12 pfSense charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov 23 09:55:12 pfSense charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Nov 23 09:55:12 pfSense charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Nov 23 09:55:12 pfSense charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Nov 23 09:55:12 pfSense charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Nov 23 09:55:12 pfSense charon: 00[CFG] loaded IKE secret for %any 111.222.333.444
Nov 23 09:55:12 pfSense charon: 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
Nov 23 09:55:12 pfSense charon: 00[CFG] loaded 0 RADIUS server configurations
Nov 23 09:55:12 pfSense charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
Nov 23 09:55:12 pfSense charon: 00[JOB] spawning 16 worker threads
Nov 23 09:55:12 pfSense ipsec_starter[59608]: charon (59869) started after 40 ms
Nov 23 09:55:12 pfSense charon: 15[CFG] received stroke: add connection 'con1000'
Nov 23 09:55:12 pfSense charon: 15[CFG] conn con1000
Nov 23 09:55:12 pfSense charon: 15[CFG] left=192.168.0.100
Nov 23 09:55:12 pfSense charon: 15[CFG] leftsubnet=192.168.56.0/24
Nov 23 09:55:12 pfSense charon: 15[CFG] leftauth=psk
Nov 23 09:55:12 pfSense charon: 15[CFG] leftid=192.168.0.100
Nov 23 09:55:12 pfSense charon: 15[CFG] right=111.222.333.444
Nov 23 09:55:12 pfSense charon: 15[CFG] rightsubnet=10.0.0.0/16
Nov 23 09:55:12 pfSense charon: 15[CFG] rightauth=psk
Nov 23 09:55:12 pfSense charon: 15[CFG] rightid=111.222.333.444
Nov 23 09:55:12 pfSense charon: 15[CFG] ike=aes128-sha1-modp1024!
Nov 23 09:55:12 pfSense charon: 15[CFG] esp=aes128-sha1-modp1024!
Nov 23 09:55:12 pfSense charon: 15[CFG] dpddelay=10
Nov 23 09:55:12 pfSense charon: 15[CFG] dpdtimeout=60
Nov 23 09:55:12 pfSense charon: 15[CFG] dpdaction=3
Nov 23 09:55:12 pfSense charon: 15[CFG] sha256_96=no
Nov 23 09:55:12 pfSense charon: 15[CFG] mediation=no
Nov 23 09:55:12 pfSense charon: 15[CFG] keyexchange=ikev1
Nov 23 09:55:12 pfSense charon: 15[CFG] added configuration 'con1000'
Nov 23 09:55:12 pfSense charon: 14[CFG] received stroke: route 'con1000'
Nov 23 09:55:12 pfSense charon: 14[CFG] proposing traffic selectors for us:
Nov 23 09:55:12 pfSense charon: 14[CFG] 192.168.56.0/24|/0
Nov 23 09:55:12 pfSense charon: 14[CFG] proposing traffic selectors for other:
Nov 23 09:55:12 pfSense charon: 14[CFG] 10.0.0.0/16|/0
Nov 23 09:55:12 pfSense charon: 14[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Nov 23 09:55:12 pfSense charon: 14[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
Nov 23 09:55:12 pfSense ipsec_starter[59608]: 'con1000' routed
Nov 23 09:55:12 pfSense ipsec_starter[59608]:
Nov 23 09:55:14 pfSense charon: 14[CFG] vici client 1 connected
Nov 23 09:55:14 pfSense charon: 14[CFG] vici client 1 registered for: list-sa
Nov 23 09:55:14 pfSense charon: 14[CFG] vici client 1 requests: list-sas
Nov 23 09:55:14 pfSense charon: 15[CFG] vici client 1 disconnected
Nov 23 09:55:17 pfSense charon: 15[CFG] received stroke: terminate 'con1000'
Nov 23 09:55:17 pfSense charon: 15[CFG] no IKE_SA named 'con1000' found
Nov 23 09:55:17 pfSense charon: 15[CFG] received stroke: initiate 'con1000'
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> queueing ISAKMP_VENDOR task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> queueing ISAKMP_CERT_PRE task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> queueing MAIN_MODE task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> queueing ISAKMP_CERT_POST task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> queueing ISAKMP_NATD task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> queueing QUICK_MODE task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> activating new tasks
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> activating ISAKMP_VENDOR task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> activating ISAKMP_CERT_PRE task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> activating MAIN_MODE task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> activating ISAKMP_CERT_POST task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> activating ISAKMP_NATD task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> sending XAuth vendor ID
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> sending DPD vendor ID
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> sending FRAGMENTATION vendor ID
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> sending NAT-T (RFC 3947) vendor ID
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> initiating Main Mode IKE_SA con1000[1] to 111.222.333.444
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> IKE_SA con1000[1] state change: CREATED => CONNECTING
Nov 23 09:55:17 pfSense charon: 13[CFG] <con1000|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Nov 23 09:55:17 pfSense charon: 13[ENC] <con1000|1> generating ID_PROT request 0 [ SA V V V V V ]
Nov 23 09:55:17 pfSense charon: 13[NET] <con1000|1> sending packet: from 192.168.0.100[500] to 111.222.333.444[500] (180 bytes)
Nov 23 09:55:17 pfSense charon: 13[CFG] vici client 2 connected
Nov 23 09:55:17 pfSense charon: 13[CFG] vici client 2 registered for: list-sa
Nov 23 09:55:17 pfSense charon: 12[CFG] vici client 2 requests: list-sas
Nov 23 09:55:17 pfSense charon: 12[CFG] vici client 2 disconnected
Nov 23 09:55:21 pfSense charon: 06[IKE] <con1000|1> sending retransmit 1 of request message ID 0, seq 1
Nov 23 09:55:21 pfSense charon: 06[NET] <con1000|1> sending packet: from 192.168.0.100[500] to 111.222.333.444[500] (180 bytes)
Nov 23 09:55:23 pfSense charon: 06[CFG] vici client 3 connected
Nov 23 09:55:23 pfSense charon: 06[CFG] vici client 3 registered for: list-sa
Nov 23 09:55:23 pfSense charon: 06[CFG] vici client 3 requests: list-sas
Nov 23 09:55:23 pfSense charon: 06[CFG] vici client 3 disconnected
Nov 23 09:55:28 pfSense charon: 08[CFG] vici client 4 connected
Nov 23 09:55:28 pfSense charon: 06[CFG] vici client 4 registered for: list-sa
Nov 23 09:55:28 pfSense charon: 10[CFG] vici client 4 requests: list-sas
Nov 23 09:55:28 pfSense charon: 10[CFG] vici client 4 disconnected
Nov 23 09:55:29 pfSense charon: 10[IKE] <con1000|1> sending retransmit 2 of request message ID 0, seq 1
Nov 23 09:55:29 pfSense charon: 10[NET] <con1000|1> sending packet: from 192.168.0.100[500] to 111.222.333.444[500] (180 bytes)
Problem
The client disconnects immediately and I do not see a very clear error message. My guess is that the problem is that pfSense sits behind NAT. Should the left IP address also be the VM subnet IP, e.g. 192.168.56.2?
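A small checker for the strongSwan log posted above, added here as an example and not part of the original question: it pulls the connection parameters charon logged under `add connection 'con1000'`, compares them with the intended topology (in strongSwan, `left` is the local pfSense side and `right` is the AWS peer), and counts outbound IKE packets against received ones, which is the quickest way to tell "no reply from the peer at all" from "peer replied and rejected us". The expectation that the local identifier should be the customer gateway's public IP (88.77.66.55) rather than the private WAN address is an assumption based on how the AWS-generated configuration is laid out; the log excerpt is constructed from the lines in the question.

```python
import ipaddress
import re

# Constructed excerpt of the question's charon log (not a live capture).
SAMPLE_LOG = """\
Nov 23 09:55:12 pfSense charon: 15[CFG] left=192.168.0.100
Nov 23 09:55:12 pfSense charon: 15[CFG] leftsubnet=192.168.56.0/24
Nov 23 09:55:12 pfSense charon: 15[CFG] leftid=192.168.0.100
Nov 23 09:55:12 pfSense charon: 15[CFG] right=111.222.333.444
Nov 23 09:55:12 pfSense charon: 15[CFG] rightsubnet=10.0.0.0/16
Nov 23 09:55:12 pfSense charon: 15[CFG] rightid=111.222.333.444
Nov 23 09:55:12 pfSense charon: 15[CFG] ike=aes128-sha1-modp1024!
Nov 23 09:55:17 pfSense charon: 13[NET] <con1000|1> sending packet: from 192.168.0.100[500] to 111.222.333.444[500] (180 bytes)
Nov 23 09:55:21 pfSense charon: 06[IKE] <con1000|1> sending retransmit 1 of request message ID 0, seq 1
Nov 23 09:55:21 pfSense charon: 06[NET] <con1000|1> sending packet: from 192.168.0.100[500] to 111.222.333.444[500] (180 bytes)
Nov 23 09:55:29 pfSense charon: 10[IKE] <con1000|1> sending retransmit 2 of request message ID 0, seq 1
"""

# Longer keys first so the alternation does not stop at the "left"/"right" prefix.
KV_RE = re.compile(r"\[CFG\]\s+(leftsubnet|rightsubnet|leftid|rightid|left|right|ike|esp)=(\S+)")

def parse_conn(log):
    """Return the key=value pairs charon printed while adding the connection."""
    return {m.group(1): m.group(2) for m in KV_RE.finditer(log)}

def is_private(addr):
    """True for RFC 1918 / other private addresses; False for garbage."""
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:
        return False

def check_conn(conf, office_lan, vpc_cidr, public_ip):
    """Compare the logged connection with the intended topology; return findings."""
    findings = []
    if conf.get("leftsubnet") != office_lan:
        findings.append(f"leftsubnet should be the office LAN {office_lan}")
    if conf.get("rightsubnet") != vpc_cidr:
        findings.append(f"rightsubnet should be the VPC CIDR {vpc_cidr}")
    # Assumption: behind NAT the AWS-generated config identifies us by the public CGW IP.
    if is_private(conf.get("leftid", "")) and conf.get("leftid") != public_ip:
        findings.append(f"leftid {conf['leftid']} is private; expected customer gateway IP {public_ip}")
    if "modp1024" in conf.get("ike", ""):
        findings.append("IKE proposal uses MODP_1024 (DH group 2), a weak group")
    return findings

def packet_counts(log):
    """(sent, received) IKE packets; sent > 0 with received == 0 means the peer never answered."""
    sent = len(re.findall(r"\[NET\] .*sending packet", log))
    received = len(re.findall(r"\[NET\] .*received packet", log))
    return sent, received

if __name__ == "__main__":
    conf = parse_conn(SAMPLE_LOG)
    print(*check_conn(conf, "192.168.56.0/24", "10.0.0.0/16", "88.77.66.55"), sep="\n")
    print("sent/received:", packet_counts(SAMPLE_LOG))
```

On the posted log this reports two findings (the private leftid and the MODP_1024 group) and 2 packets sent against 0 received, i.e. the retransmits are going unanswered, so the next thing to verify is whether the IKE packets actually leave the office NAT with source 88.77.66.55.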
Answer 1
The leftsubnet and rightsubnet in the log file are the same. leftsubnet should be the VPC CIDR. rightsubnet should be the office CIDR. left and right also look incorrect.
Where did you get the connection configuration (ipsec.conf) from? Downloaded from Amazon or created manually?