We have two Ubuntu 20.04 servers in AWS, in different VPCs, both with StrongSwan installed and the following configuration (ipsec.conf):
# basic configuration
config setup
# Add connections here.
conn %default
        ikelifetime=28800s
        lifetime=3600s
        #rekeymargin= You choose; must match other side
        keyingtries=%forever
        keyexchange=ikev2
        authby=secret
        mobike=no
conn remote-side
        # private ip
        left=10.0.0.7
        # vpc cidr
        leftsubnet=10.0.0.0/24
        # elastic ip
        leftid=xxx.xxx.xxx.xxx
        # private ip
        leftsourceip=10.0.0.7
        # elastic ip
        right=xxx.xxx.xxx.xxx
        # vpc cidr
        rightsubnet=172.31.0.0/16
        auto=start
        type=tunnel
        ike=aes256-sha1-modp1024!
        esp=aes256-sha1!
        dpddelay=30s
        dpdtimeout=120s
        dpdaction=restart
left and right are swapped on server 2; the rest of the configuration is identical.
The pre-shared key (ipsec.secrets) is as follows:
Server-1-IP Server-2-IP : PSK "AAABBBCCCDDD"
The two IPs are also swapped on server 2.
IP forwarding:
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
After running "sudo ipsec restart", the tunnel appears to be established successfully.
# sudo ipsec status
Security Associations (1 up, 0 connecting):
remote-side[1]: ESTABLISHED 6 minutes ago, 10.0.0.7[xxx.xxx.xxx.xxx]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
# sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.4.0-1028-aws, x86_64):
uptime: 7 minutes, since May 26 01:47:35 2021
malloc: sbrk 2580480, mmap 0, used 620272, free 1960208
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 5
loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
10.0.0.7
Connections:
remote-side: 10.0.0.7...xxx.xxx.xxx.xxx IKEv2, dpddelay=30s
remote-side: local: [xxx.xxx.xxx.xxx] uses pre-shared key authentication
remote-side: remote: [xxx.xxx.xxx.xxx] uses pre-shared key authentication
remote-side: child: 10.0.0.0/24 === 172.31.0.0/16 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
remote-side[1]: ESTABLISHED 7 minutes ago, 10.0.0.7[xxx.xxx.xxx.xxx]...xxx.xxx.xxx.xxx[xxx.xxx.xxx.xxx]
remote-side[1]: IKEv2 SPIs: d32eda951e3c567e_i* 6b2ae87360a4a4dc_r, pre-shared key reauthentication in 7 hours
remote-side[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
UFW is inactive, and the AWS security group is set to accept all TCP and UDP from anywhere (I know this is insecure).
Source/destination checks are disabled on both instances.
However, from either server I cannot ping the other server via its private IP address.
Any help would be appreciated.
Answer 1
OK, I'm a newbie and didn't know that after completing all the steps above, I should run
sudo ipsec up conn_name
where conn_name is whatever name was defined on the conn line in ipsec.conf.
After that it started working and I was able to ping.
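As an added example (not from the original question or answer), a small POSIX shell check for the situation shown above. The "ipsec statusall" output in the question has an ESTABLISHED IKE_SA line but no "remote-side{1}: INSTALLED, TUNNEL" CHILD_SA line; it is the CHILD_SA that installs the kernel ESP SAs and policies that actually carry the ping traffic, so an IKE_SA alone looks "up" while forwarding nothing. Running "ipsec up remote-side" negotiates that CHILD_SA. The status text embedded below is constructed (documentation IP addresses, made-up SPIs, the child lines in the format strongSwan 5.x prints), and the function names are mine.

```shell
#!/bin/sh
# Added example: classify a strongSwan connection from `ipsec statusall` text.
# States: no-ike (no ESTABLISHED IKE_SA), ike-only (IKE_SA but no installed
# CHILD_SA, so no ESP SAs in the kernel), up (CHILD_SA INSTALLED, TUNNEL).

# Constructed sample: what the question's `ipsec statusall` shows -
# an ESTABLISHED IKE_SA and no CHILD_SA line at all.
SAMPLE_NO_CHILD='Security Associations (1 up, 0 connecting):
  remote-side[1]: ESTABLISHED 7 minutes ago, 10.0.0.7[203.0.113.10]...198.51.100.20[198.51.100.20]
  remote-side[1]: IKEv2 SPIs: d32eda951e3c567e_i* 6b2ae87360a4a4dc_r, pre-shared key reauthentication in 7 hours
  remote-side[1]: IKE proposal: AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024'

# Constructed sample: the same connection after `ipsec up remote-side`
# negotiated the CHILD_SA (SPIs are made up).
SAMPLE_WITH_CHILD="$SAMPLE_NO_CHILD
  remote-side{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c1a2b3d4_i e5f6a7b8_o
  remote-side{1}:  AES_CBC_256/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 43 minutes
  remote-side{1}:   10.0.0.0/24 === 172.31.0.0/16"

# tunnel_state CONN STATUS_TEXT
# Prints no-ike, ike-only or up; exit status is 0 only for "up".
tunnel_state() {
    conn=$1
    status=$2
    # IKE_SA lines look like "  conn[1]: ESTABLISHED ..."
    if ! printf '%s\n' "$status" | grep -E -q "^ *${conn}\[[0-9]+\]: ESTABLISHED"; then
        echo no-ike
        return 2
    fi
    # CHILD_SA lines look like "  conn{1}:  INSTALLED, TUNNEL, reqid ..."
    if ! printf '%s\n' "$status" | grep -E -q "^ *${conn}\{[0-9]+\}: *INSTALLED, TUNNEL"; then
        echo ike-only
        return 1
    fi
    echo up
    return 0
}

# Live use on a gateway: ./check.sh --live remote-side
# (reads the real daemon output; needs the same privileges as `ipsec statusall`)
if [ "${1:-}" = "--live" ]; then
    tunnel_state "${2:-remote-side}" "$(ipsec statusall)"
fi
```

When the result is "ike-only", "ip xfrm state" and "ip xfrm policy" on the gateway will show no ESP entries for 10.0.0.0/24 and 172.31.0.0/16, which is why the private-IP pings in the question went nowhere even though "ipsec status" reported ESTABLISHED; after "ipsec up remote-side" both commands should list the tunnel-mode SAs and policies. Separately, the proposal shown in the output (AES_CBC_256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024) uses a 1024-bit MODP group, which is well below current recommendations; a practitioner would move both peers to at least modp2048 (or an ECP group) and a SHA-2 integrity algorithm once the tunnel is working.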