strongSwan VPN to AWS / connection problem / no response to ping

I created a VPN between an EC2 instance running strongSwan and an AWS VPN connection attached to a VPN gateway with dynamic routing (BGP). The tunnel is up. Ping works in one direction, from the destination to the client, but not in the other direction. Can you help me troubleshoot?

I followed this excellent tutorial: https://medium.com/@almclean_tw/connecting-strongswan-ipsec-vpn-to-aws-transit-gateway-with-bgp-141cebca6ce1

EC2 CLIENT(strongswan client accountA) => VPN AWS(customer gateway) => EC2 DEST(destination accountB)
10.136.54.20                          =>  34.230.165.13             => 10.132.8.106

Ping from the EC2 client to the destination times out

root@ip-10-136-54-20:~# ping 10.132.8.106
PING 10.132.8.106 (10.132.8.106) 56(84) bytes of data.

root@ip-10-132-8-106:~# tcpdump -ni eth0 icmp
12:50:45.641604 IP 169.254.48.98 > 10.132.8.106: ICMP echo request, id 88, seq 113, length 64
12:50:45.641636 IP 10.132.8.106 > 169.254.48.98: ICMP echo reply, id 88, seq 113, length 64

Ping from the EC2 destination to the client succeeds

root@ip-10-132-8-106:~# ping 10.136.54.20
PING 10.136.54.20 (10.136.54.20) 56(84) bytes of data.
64 bytes from 10.136.54.20: icmp_seq=1 ttl=64 time=82.9 ms

strongSwan config

root@ip-10-136-54-20:~# cat /etc/swanctl/swanctl.conf 
connections {
 aws_tun1 {
  local_addrs = 10.136.54.20
  remote_addrs = 34.230.165.13
# The following is for the XFRM interface ID

  if_id_out = 42
  if_id_in = 42

  local {
   auth = psk
   id = 13.36.171.2
  }

  remote {
   auth = psk
   id = 34.230.165.13
  }

  children {
   aws_tun1 {
# This allows arbitrary traffic in the tunnel from both ends
    local_ts = 0.0.0.0/0
    remote_ts = 0.0.0.0/0

    esp_proposals = aes256gcm128-modp4096
    start_action = trap
   }
  }
  
# IKE V2 -- remember this when you download the config file.
  version = 2
  proposals = aes256-sha256-modp4096 
 }
}

secrets {
 ike-awstun1 {
  id = 34.230.165.13
  secret =*******
 }
}

IPsec status

root@ip-10-136-54-20:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.15.0-1051-aws, x86_64):
  uptime: 19 minutes, since Dec 15 12:37:54 2023
  malloc: sbrk 2129920, mmap 0, used 1194480, free 935440
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
  10.136.54.20
  10.136.54.20
  169.254.48.98
Connections:
    aws_tun1:  10.136.54.20...34.230.165.13  IKEv2
    aws_tun1:   local:  [13.36.171.2] uses pre-shared key authentication
    aws_tun1:   remote: [34.230.165.13] uses pre-shared key authentication
    aws_tun1:   child:  0.0.0.0/0 === 0.0.0.0/0 TUNNEL
Routed Connections:
    aws_tun1{1}:  ROUTED, TUNNEL, reqid 1
    aws_tun1{1}:   0.0.0.0/0 === 0.0.0.0/0
Security Associations (1 up, 0 connecting):
    aws_tun1[1]: ESTABLISHED 19 minutes ago, 10.136.54.20[13.36.171.2]...34.230.165.13[34.230.165.13]
    aws_tun1[1]: IKEv2 SPIs: e5613fe092565676_i* baf6f0d76ad729c7_r, rekeying in 3 hours
    aws_tun1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
    aws_tun1{2}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c785164f_i c7d20def_o
    aws_tun1{2}:  AES_GCM_16_256, 15495 bytes_i (254 pkts, 1s ago), 29445 bytes_o (416 pkts, 1s ago), rekeying in 35 minutes
    aws_tun1{2}:   0.0.0.0/0 === 0.0.0.0/0

IP config

root@ip-10-136-54-20:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 06:d5:c4:9b:be:f8 brd ff:ff:ff:ff:ff:ff
    inet 10.136.54.20/27 brd 10.136.54.31 scope global dynamic eth0
       valid_lft 3594sec preferred_lft 3594sec
    inet6 fe80::4d5:c4ff:fe9b:bef8/64 scope link 
       valid_lft forever preferred_lft forever
3: ipsec0@eth0: <NOARP,UP,LOWER_UP> mtu 1436 qdisc noqueue state UNKNOWN group default qlen 1000
    link/none 
    inet 10.136.54.20 peer 169.254.171.1/30 scope global ipsec0
       valid_lft forever preferred_lft forever
    inet 169.254.48.98 peer 169.254.48.97/30 scope global ipsec0
       valid_lft forever preferred_lft forever
    inet6 fe80::d0be:a6a1:9c8e:8574/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

IP route

root@ip-10-136-54-20:~# ip route
default via 10.136.54.1 dev eth0 proto dhcp src 10.136.54.20 metric 100 
10.132.8.0/24 via 169.254.48.97 dev ipsec0 proto bird metric 32 
10.136.54.0/27 dev eth0 proto kernel scope link src 10.136.54.20 
10.136.54.0/27 dev eth0 proto bird scope link metric 32 
10.136.54.1 dev eth0 proto dhcp scope link src 10.136.54.20 metric 100 
10.136.54.20/30 dev ipsec0 proto bird scope link metric 32 
169.254.48.96/30 dev ipsec0 proto kernel scope link src 169.254.48.98 
169.254.48.96/30 dev ipsec0 proto bird scope link metric 32 
169.254.48.97 dev ipsec0 scope link 
169.254.171.0/30 dev ipsec0 proto kernel scope link src 10.136.54.20 

AWS route table of the destination EC2 subnet

10.136.54.0/27  vgw-04ed836a1baf7acd0   Active  Yes

Route table on the destination EC2

root@ip-10-132-8-106:~# netstat -arn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         10.132.8.97     0.0.0.0         UG        0 0          0 eth0
10.132.8.2      10.132.8.97     255.255.255.255 UGH       0 0          0 eth0
10.132.8.96     0.0.0.0         255.255.255.240 U         0 0          0 eth0
10.132.8.97     0.0.0.0         255.255.255.255 UH        0 0          0 eth0

IP tunnel

root@ip-10-136-54-20:~# ip xfrm state
src 10.136.54.20 dst 34.230.165.13
        proto esp spi 0xc7d20def reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        aead rfc4106(gcm(aes)) 0x0a76aa479ecbb2483c815c39bf7ea45caebf87c952cbe55ab861569008afdab1d38918e8 128
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x17a, bitmap 0x00000000
        if_id 0x2a
src 34.230.165.13 dst 10.136.54.20
        proto esp spi 0xc785164f reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        aead rfc4106(gcm(aes)) 0xd97714f93418e817983e5b99aa1df8b8f9354e20217b1f622785ca6752eef8089527d6f0 128
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0xd8, oseq 0x0, bitmap 0xffffffff
        if_id 0x2a

root@ip-10-136-54-20:~# ip xfrm policy
src 10.136.54.20 dst 34.230.165.13
        proto esp spi 0xc7d20def reqid 1 mode tunnel
        replay-window 0 flag af-unspec
        aead rfc4106(gcm(aes)) 0x0a76aa479ecbb2483c815c39bf7ea45caebf87c952cbe55ab861569008afdab1d38918e8 128
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0x0, oseq 0x16e, bitmap 0x00000000
        if_id 0x2a
src 34.230.165.13 dst 10.136.54.20
        proto esp spi 0xc785164f reqid 1 mode tunnel
        replay-window 32 flag af-unspec
        aead rfc4106(gcm(aes)) 0xd97714f93418e817983e5b99aa1df8b8f9354e20217b1f622785ca6752eef8089527d6f0 128
        encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
        anti-replay context: seq 0xcc, oseq 0x0, bitmap 0xffffffff
        if_id 0x2a

No AWS ACLs, no iptables config, no ufw, source/destination check disabled, net.ipv4.ip_forward = 1, security groups fully open.

The OS is Ubuntu 22.04.

Answer 1

OK, it's solved.

No idea why. I just typed this:

apt-get upgrade && apt-get update && reboot

Now I get this on dest:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:12:32.216506 IP 10.136.54.20 > 10.132.8.106: ICMP echo request, id 10, seq 6, length 64
09:12:32.216534 IP 10.132.8.106 > 10.136.54.20: ICMP echo reply, id 10, seq 6, length 64

Guessing it was a kernel issue with NAT-T and UDP encapsulation.
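Independent of the cause guessed in the answer, the two captures show the symptom worth checking for: before the reboot the echo request reached the destination from the tunnel's 169.254.48.98 peering address rather than from 10.136.54.20, which is the only prefix the destination VPC's route table sends back through the VGW. The following script is an added example, not code from the question, the answer or the tutorial: it parses the tcpdump and ip route output quoted above and flags that source mismatch, plus any route to the remote prefix via the tunnel interface that carries no explicit src hint (the interface name, prefixes and addresses are those from the question).

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample input, copied from the question: the echo request as captured on
# the destination host, and the client's routes that matter for the tunnel.
CAPTURE = """\
12:50:45.641604 IP 169.254.48.98 > 10.132.8.106: ICMP echo request, id 88, seq 113, length 64
12:50:45.641636 IP 10.132.8.106 > 169.254.48.98: ICMP echo reply, id 88, seq 113, length 64
"""
ROUTES = """\
default via 10.136.54.1 dev eth0 proto dhcp src 10.136.54.20 metric 100
10.132.8.0/24 via 169.254.48.97 dev ipsec0 proto bird metric 32
169.254.48.96/30 dev ipsec0 proto kernel scope link src 169.254.48.98
"""
LINK_LOCAL = ip_network("169.254.0.0/16")
ECHO_RE = re.compile(r"IP (\S+) > (\S+): ICMP echo request")

def unexpected_sources(capture, expected_src):
    """Inner sources of echo requests that are not the address the remote VPC routes back to."""
    seen = [ip_address(m.group(1)) for m in ECHO_RE.finditer(capture)]
    return [str(s) for s in seen if s != ip_address(expected_src)]

def routes_missing_src(routes, tunnel_dev, remote_prefix):
    """Routes to remote_prefix via tunnel_dev without an explicit 'src' hint: Linux then
    picks the source among the tunnel interface's own addresses, 169.254.x included."""
    remote = ip_network(remote_prefix)
    hits = []
    for line in routes.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default" or "dev" not in fields:
            continue
        dst = ip_network(fields[0], strict=False)  # tolerate destinations written with host bits set
        dev = fields[fields.index("dev") + 1]
        if dev == tunnel_dev and dst.overlaps(remote) and "src" not in fields:
            hits.append(line)
    return hits

def diagnose(capture, routes, expected_src, tunnel_dev, remote_prefix):
    """Human-readable findings; an empty list means the symptom is absent."""
    findings = []
    for src in unexpected_sources(capture, expected_src):
        tag = " (link-local tunnel address)" if ip_address(src) in LINK_LOCAL else ""
        findings.append(f"echo request arrived from {src}{tag}, expected {expected_src}")
    for route in routes_missing_src(routes, tunnel_dev, remote_prefix):
        findings.append(f"tunnel route without src hint: {route}")
    return findings

if __name__ == "__main__":
    for finding in diagnose(CAPTURE, ROUTES, "10.136.54.20", "ipsec0", "10.132.8.0/24"):
        print(finding)
```

Run against the post-reboot capture from the answer (source 10.136.54.20), the first check returns nothing, which is what a healthy tunnel should look like.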
