Vyos VPN from AWS to Cisco

I am trying to configure a Vyos VPN from an AWS VPC to a Cisco VPN.

I am using the pre-built AWS AMI image - tried vyos 1.1.7 and vyos 1.2.

My Vyos instance is in the public segment of the VPC:

vyos@ip-10-0-2-238:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface        IP Address                        S/L  Description
---------        ----------                        ---  -----------
eth0             10.0.2.238/24                     u/u
lo               127.0.0.1/8                       u/u
             ::1/128

It also has an external IP.

My config is:

interfaces {
    ethernet eth0 {
        address dhcp
    }
    loopback lo {
    }
}
....

vpn {
    ipsec {
        esp-group test-esp {
            compression disable
            lifetime 7200
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group test-ike {
            ikev2-reauth no
            key-exchange ikev2
            lifetime 28800
            proposal 1 {
                dh-group 2
                encryption aes256
                hash sha256
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer IP_OF_REMOTE_CISCO {
                authentication {
                    id MY_REMOTE_IP
                    mode pre-shared-secret
                    pre-shared-secret ****************
                }
                connection-type initiate
                ike-group test-ike
                ikev2-reauth inherit
                local-address LOCAL_IP_OF_VYOS_INSTANCE
                tunnel 1 {
                    allow-nat-networks disable
                    allow-public-networks disable
                    esp-group test-esp
                    local {
                        prefix MY_MASK_OF_PRIVATE_SUBNET
                    }
                    remote {
                        prefix LOCAL_SUBNET_BEHIND_VPN
                    }
                }
            }
        }
    }
}

The VPN connection stays in the "connecting" state:

peer-X.X.X.X-tunnel-1[1]: CONNECTING, Y.Y.Y.Y[%any]...X.X.X.X[%any]
peer-X.X.X.X-tunnel-1[1]: IKEv2 SPIs: 6911b8b8bf6ad261_i* 0000000000000000_r
peer-X.X.X.X-tunnel-1[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE

What am I doing wrong?
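An added triage helper, not code from the original post or from VyOS: it parses the three status lines quoted above (the sample is constructed from the post, and the line format is assumed to be the daemon status output shown there) and uses the responder SPI to separate "the peer never answered IKE_SA_INIT" from "the peer answered but the exchange fails later". The responder SPI is chosen by the remote side and stays all zeros until its IKE_SA_INIT reply is received, so `0000000000000000_r` points at reachability (UDP/500 to the peer, the peer's reply to the instance's public address) rather than at the pre-shared secret or proposals.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: the three status lines quoted in the post, addresses
# anonymised as X.X.X.X / Y.Y.Y.Y exactly as the author did.
SAMPLE_STATUS = """\
peer-X.X.X.X-tunnel-1[1]: CONNECTING, Y.Y.Y.Y[%any]...X.X.X.X[%any]
peer-X.X.X.X-tunnel-1[1]: IKEv2 SPIs: 6911b8b8bf6ad261_i* 0000000000000000_r
peer-X.X.X.X-tunnel-1[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE
"""
LINE_RE = re.compile(r"^(?P<conn>[^\[\s]+)\[(?P<id>\d+)\]: (?P<body>.*)$")
STATE_RE = re.compile(r"^(?P<state>[A-Z_]+), \S+\.\.\.\S+$")
SPI_RE = re.compile(r"([0-9a-f]{16})_i\*? ([0-9a-f]{16})_r\*?")  # '*' marks our side

@dataclass
class IkeSa:
    name: str
    state: str = ""
    spi_i: str = ""
    spi_r: str = ""
    tasks: list = field(default_factory=list)

def parse_status(text):
    """Group the per-IKE_SA status lines by connection name and SA number."""
    sas = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sa = sas.setdefault((m["conn"], int(m["id"])), IkeSa(name=m["conn"]))
        body = m["body"]
        if body.startswith("IKEv2 SPIs:"):
            spi = SPI_RE.search(body)
            if spi:
                sa.spi_i, sa.spi_r = spi.groups()
        elif body.startswith("Tasks active:"):
            sa.tasks = body.split(":", 1)[1].split()
        elif (st := STATE_RE.match(body)):
            sa.state = st["state"]
    return list(sas.values())

def diagnose(sa):
    """Classify a stuck IKE_SA using only what its status lines prove."""
    if sa.state == "CONNECTING" and set(sa.spi_r) == {"0"}:
        # The responder SPI is chosen by the peer and is only filled in once its
        # IKE_SA_INIT reply arrives; all zeros means no reply was ever received.
        return "no IKE_SA_INIT response from peer"
    if sa.state == "CONNECTING":
        return "IKE_SA_INIT answered; failing later (authentication, identity or proposal)"
    return "state " + sa.state
```

Run it against the output of `show vpn ike sa` or the raw daemon status on the instance; a non-zero responder SPI with the tunnel still CONNECTING moves the search to the IKE_AUTH stage (identity, pre-shared secret, proposal match).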