我需要与供应商建立站点到站点的 IPSec 隧道,我们需要使用各自的公共 IP 访问位于 LAN 上的彼此的 API 服务器。我们使用 AWS,我已配置了具有 2 个子网的 VPC,供应商使用 CISCO ASA 防火墙。
几个星期以来,我一直在努力尝试,但毫无成果。
以下是要求:
AWS Subnet 1 10.100.128.0/20 AWS Subnet 2
[Our API server]-----------------------[Ubuntu/StrongSwan]---------[Vendors VPN Gw = 41.x.x.6]-----[Vendor's API Server=41.x.x.233]
| |
13.x.x.115/10.100.133.21 13.x.x.175/10.100.11.25
以下是我目前所做的
- 我已经更新了子网 1 的路由表,以便它的 Gw 朝向 Ubuntu StrongSwan
- 我已将 Ubuntu StrongSwan EC2 实例配置为充当 NAT 实例
- 停止源/目标检查
- 允许内核转发
net.ipv4.ip_forward = 1 - 添加了源 NAT
sudo iptables -t nat -A POSTROUTING -s 10.100.133.21 -d 41.x.x.233 -j SNAT --to-source 13.x.x.115 - 添加了目标 NAT
sudo iptables -t nat -A PREROUTING -d 13.x.x.115 -j DNAT --to-destination 10.100.133.21 - 伪装来自 10.100.128.0/20 的其余流量:
sudo iptables -t nat -A POSTROUTING -s 10.100.128.0/20 -j MASQUERADE
最后,我设置了隧道如下
conn %default
# Tunnel properties
type=tunnel
authby=psk
auto=start
keyexchange=ikev2
mobike=no
rekey=yes
reauth=no
compress=no
# Session configuration
ikelifetime=86400s
lifetime=3600s
dpdaction=restart
closeaction=restart
dpddelay=10s
dpdtimeout=30
# keyingtries=1
# Default ph1
# Encryption, hash and authentication
ike=aes256-sha256-ecp256!
# Default ph2
# phase2=esp
# phase2alg=aes256-sha256!
# No pfs
esp=aes256-sha256!
conn TigoPesa-Tunnel
# Us
left=%defaultroute
leftid=10.100.11.25
leftsubnet=13.x.x.115/32
# Them
right=41.x.x.6
rightid=41.x.x.6
rightsubnet=41.x.x.233/32
并将 PSK 配置为ipsec.secrets:
10.100.133.21 41.x.x.6 : PSK "xxxx"
每当我尝试启动隧道时,总是会出现以下错误!
initiating IKE_SA TigoPesa-Tunnel[4] to 41.x.x.6
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.100.11.25[500] to 41.x.x.6[500] (272 bytes)
received packet: from 41.x.x.6[500] to 10.100.11.25[500] (447 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
received Cisco Delete Reason vendor ID
received Cisco Copyright (c) 2009 vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
local host is behind NAT, sending keep alives
received 3 cert requests for an unknown ca
authentication of '10.100.11.25' (myself) with pre-shared key
establishing CHILD_SA TigoPesa-Tunnel{5}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 10.100.11.25[4500] to 41.x.x.6[4500] (304 bytes)
received packet: from 41.x.x.6[4500] to 10.100.11.25[4500] (160 bytes)
parsed IKE_AUTH response 1 [ V IDr AUTH N(TS_UNACCEPT) ]
authentication of '41.x.x.6' with pre-shared key successful
IKE_SA TigoPesa-Tunnel[4] established between 10.100.11.25[10.100.11.25]...41.x.x.6[41.x.x.6]
scheduling rekeying in 85567s
maximum IKE_SA lifetime 86107s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'TigoPesa-Tunnel' failed
谁能救救我!(为了方便交流,我并不是一名网络工程师,而是一名软件工程师)