I set up a strongSwan site-to-site VPN following several tutorials, but I have run into trouble...
This is the situation:
SITE A <-------> SITE B
AWS VPN GATEWAY STRONGSWAN
HOST 1 HOST 2 (Strongswan host, also EC2)
- I can ping host 2 from host 1, but I get no reply at all (tcpdump on host 2):
00:30:46.360533 eth0 In IP 10.250.10.6 > 10.250.9.4: ICMP echo request, id 5, seq 599, length 64
00:30:47.384644 eth0 In IP 10.250.10.6 > 10.250.9.4: ICMP echo request, id 5, seq 600, length 64
00:30:48.408526 eth0 In IP 10.250.10.6 > 10.250.9.4: ICMP echo request, id 5, seq 601, length 64
... etc.
- I see the ping requests from host 2 to host 1 being broken:
00:36:41.881802 IP ip-10-250-10-6.eu-central-1.compute.internal > 169.254.169.254: ICMP time exceeded in-transit, length 297
00:36:41.881891 IP ip-10-250-10-6.eu-central-1.compute.internal > 169.254.169.254: ICMP time exceeded in-transit, length 60
00:36:41.893326 IP ip-10-250-10-6.eu-central-1.compute.internal > 169.254.169.254: ICMP time exceeded in-transit, length 60
Can someone help? I would be very grateful.
Here is my strongSwan config:
config setup
    charondebug="all"
    uniqueids=yes
    # from generated AWS config
    strictcrlpolicy=no

conn customer
    type=tunnel
    auto=start
    keyexchange=ikev2
    authby=secret
    ike=aes256-sha2_512-ecp256
    esp=aes256-sha2_512-ecp256
    aggressive=no
    keyingtries=%forever
    ikelifetime=28800s
    lifetime=3600s
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    # PUBLIC network interfaces, "left" is "us"
    left=%defaultroute
    right=CENSORED # public IP
    # PRIVATE subnets
    leftsubnet=10.250.9.0/28
    rightsubnet=10.250.10.0/28
    # settings taken from AWS generated config
    margintime=270s
    rekey=yes
    rekeyfuzz=100%
    fragmentation=yes
    replay_window=1024
    mark=100
Here is ipsec statusall:
Connections:
customer: %any...XXXX IKEv2, dpddelay=30s
customer: local: uses pre-shared key authentication
customer: remote: [XXXX] uses pre-shared key authentication
customer: child: 10.250.9.0/28 === 10.250.10.0/28 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
customer[3]: ESTABLISHED 21 minutes ago, 10.250.9.5[EEEE]...XXXX[XXXX]
customer[3]: IKEv2 SPIs: aca26c16528c6023_i b8d244b9ba20a4ba_r*, pre-shared key reauthentication in 7 hours
customer[3]: IKE proposal: AES_CBC_256/HMAC_SHA2_512_256/PRF_HMAC_SHA2_512/ECP_256
customer{3}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c2e749c9_i ccd2a33d_o
customer{3}: AES_CBC_256/HMAC_SHA2_512_256, 51072 bytes_i, 3108 bytes_o (37 pkts, 198s ago), rekeying in 29 minutes
customer{3}: 10.250.9.0/28 === 10.250.10.0/28
XXXX / EEEE - public IP addresses of the VPN gateways
Finally, ipsec reload ; journalctl -f:
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 06[CFG] deleted connection 'customer'
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 08[CFG] received stroke: add connection 'customer'
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 08[CFG] added configuration 'customer'
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 05[CFG] received stroke: initiate 'customer'
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 05[IKE] establishing CHILD_SA customer{4}
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 05[IKE] establishing CHILD_SA customer{4}
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 05[ENC] generating CREATE_CHILD_SA request 0 [ SA No KE TSi TSr ]
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 05[NET] sending packet: from 10.250.9.5[4500] to XXXX[4500] (448 bytes)
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 07[NET] received packet: from XXXX[4500] to 10.250.9.5[4500] (304 bytes)
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 07[ENC] parsed CREATE_CHILD_SA response 0 [ SA No KE TSi TSr ]
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 07[CFG] selected proposal: ESP:AES_CBC_256/HMAC_SHA2_512_256/ECP_256/NO_EXT_SEQ
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 07[IKE] CHILD_SA customer{4} established with SPIs c66eb670_i cb56dea4_o and TS 10.250.9.0/28 === 10.250.10.0/28
Nov 11 00:41:36 ip-10-250-9-5 charon[443]: 07[IKE] CHILD_SA customer{4} established with SPIs c66eb670_i cb56dea4_o and TS 10.250.9.0/28 === 10.250.10.0/28
Nov 11 00:41:46 ip-10-250-9-5 charon[443]: 12[NET] received packet: from XXXX[4500] to 10.250.9.5[4500] (96 bytes)
Nov 11 00:41:46 ip-10-250-9-5 charon[443]: 12[ENC] parsed INFORMATIONAL request 142 [ ]
Nov 11 00:41:46 ip-10-250-9-5 charon[443]: 12[ENC] generating INFORMATIONAL response 142 [ ]
Nov 11 00:41:46 ip-10-250-9-5 charon[443]: 12[NET] sending packet: from 10.250.9.5[4500] to XXXX[4500] (96 bytes)
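The two symptoms in the post (echo requests arriving at host 2 with no echo reply, and a CHILD_SA whose bytes_i far exceed bytes_o) both point at one-way traffic. The following script is an added example, not code from the post, that makes that check mechanical: it pairs ICMP echo requests with replies in tcpdump output by (addresses, id, seq) and reads the byte counters from an `ipsec statusall` CHILD_SA line. The tcpdump sample lines are constructed in the same shape as the post's capture (one reply is included so the pairing logic is exercised); the ratio threshold in `looks_one_way` is an assumed heuristic, not a strongSwan value.

```python
"""Detect one-way IPsec traffic from tcpdump ICMP lines and ipsec statusall counters."""
import re

# Constructed sample in the shape of the post's tcpdump output (not a real capture).
# Request seq 600 gets a reply; 599 and 601 do not.
SAMPLE_TCPDUMP = """\
00:30:46.360533 eth0 In IP 10.250.10.6 > 10.250.9.4: ICMP echo request, id 5, seq 599, length 64
00:30:47.384644 eth0 In IP 10.250.10.6 > 10.250.9.4: ICMP echo request, id 5, seq 600, length 64
00:30:47.384700 eth0 Out IP 10.250.9.4 > 10.250.10.6: ICMP echo reply, id 5, seq 600, length 64
00:30:48.408526 eth0 In IP 10.250.10.6 > 10.250.9.4: ICMP echo request, id 5, seq 601, length 64
"""

# CHILD_SA line exactly as shown in the post's `ipsec statusall` output.
SAMPLE_STATUS = ("customer{3}: AES_CBC_256/HMAC_SHA2_512_256, 51072 bytes_i, "
                 "3108 bytes_o (37 pkts, 198s ago), rekeying in 29 minutes")

ICMP_RE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)
STATUS_RE = re.compile(r"(?P<bin>\d+) bytes_i, (?P<bout>\d+) bytes_o")


def unanswered_requests(capture: str):
    """Return (src, dst, id, seq) tuples of echo requests that never got a reply.

    A reply matches a request when its addresses are swapped and id/seq are equal.
    Insertion order of the requests is preserved so the output follows the capture.
    """
    requests = {}   # key -> original line, kept ordered
    replies = set()
    for line in capture.splitlines():
        m = ICMP_RE.search(line)
        if not m:
            continue
        icmp_id, seq = int(m["id"]), int(m["seq"])
        if m["kind"] == "request":
            requests[(m["src"], m["dst"], icmp_id, seq)] = line
        else:
            # Store the reply under the request's orientation (dst -> src swapped).
            replies.add((m["dst"], m["src"], icmp_id, seq))
    return [key for key in requests if key not in replies]


def child_sa_byte_counters(status_line: str):
    """Return (bytes_in, bytes_out) parsed from an `ipsec statusall` CHILD_SA line."""
    m = STATUS_RE.search(status_line)
    if not m:
        raise ValueError("no bytes_i/bytes_o counters in line")
    return int(m["bin"]), int(m["bout"])


def looks_one_way(bytes_in: int, bytes_out: int, ratio: float = 5.0) -> bool:
    """Assumed heuristic: an SA receiving many times more than it sends, while the
    peer keeps sending echo requests, indicates replies are not entering the tunnel
    (routed elsewhere or dropped before reaching the IPsec policy)."""
    if bytes_out == 0:
        return bytes_in > 0
    return bytes_in / bytes_out >= ratio


if __name__ == "__main__":
    for src, dst, icmp_id, seq in unanswered_requests(SAMPLE_TCPDUMP):
        print(f"no reply for echo request {src} -> {dst} id={icmp_id} seq={seq}")
    b_in, b_out = child_sa_byte_counters(SAMPLE_STATUS)
    print(f"CHILD_SA bytes_i={b_in} bytes_o={b_out} one-way={looks_one_way(b_in, b_out)}")
```

Run it against a real `tcpdump -ni eth0 icmp` capture and the matching `ipsec statusall` line: a growing list of unanswered requests together with a lopsided byte counter confirms the tunnel itself is up and the problem is on the return path of the protected host, which narrows where to look (routing, forwarding and policy on that host) before touching the IKE configuration.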