I set up a VPN between an EC2 instance running strongSwan and an AWS VPN connection attached to a VPN gateway with dynamic routing (BGP). The tunnel is up. Ping works in one direction, from the destination to the client, but not in the other direction. Can you help me troubleshoot this?
I followed this excellent tutorial: "https://medium.com/@almclean_tw/connecting-strongswan-ipsec-vpn-to-aws-transit-gateway-with-bgp-141cebca6ce1"
EC2 CLIENT(strongswan client accountA) => VPN AWS(customer gateway) => EC2 DEST(destination accountB)
10.136.54.20 => 34.230.165.13 => 10.132.8.106
Ping from the EC2 client to the destination times out
root@ip-10-136-54-20:~# ping 10.132.8.106
PING 10.132.8.106 (10.132.8.106) 56(84) bytes of data.
root@ip-10-132-8-106:~# tcpdump -ni eth0 icmp
12:50:45.641604 IP 169.254.48.98 > 10.132.8.106: ICMP echo request, id 88, seq 113, length 64
12:50:45.641636 IP 10.132.8.106 > 169.254.48.98: ICMP echo reply, id 88, seq 113, length 64
Ping from the EC2 destination to the client succeeds
root@ip-10-132-8-106:~# ping 10.136.54.20
PING 10.136.54.20 (10.136.54.20) 56(84) bytes of data.
64 bytes from 10.136.54.20: icmp_seq=1 ttl=64 time=82.9 ms
strongSwan config
root@ip-10-136-54-20:~# cat /etc/swanctl/swanctl.conf
connections {
aws_tun1 {
local_addrs = 10.136.54.20
remote_addrs = 34.230.165.13
# The following is for the XFRM interface ID
if_id_out = 42
if_id_in = 42
local {
auth = psk
id = 13.36.171.2
}
remote {
auth = psk
id = 34.230.165.13
}
children {
aws_tun1 {
# This allows arbitrary traffic in the tunnel from both ends
local_ts = 0.0.0.0/0
remote_ts = 0.0.0.0/0
esp_proposals = aes256gcm128-modp4096
start_action = trap
}
}
# IKE V2 -- remember this when you download the config file.
version = 2
proposals = aes256-sha256-modp4096
}
}
secrets {
ike-awstun1 {
id = 34.230.165.13
secret =*******
}
}
IPsec status
root@ip-10-136-54-20:~# ipsec statusall
Status of IKE charon daemon (strongSwan 5.8.2, Linux 5.15.0-1051-aws, x86_64):
uptime: 19 minutes, since Dec 15 12:37:54 2023
malloc: sbrk 2129920, mmap 0, used 1194480, free 935440
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 3
loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark farp stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
10.136.54.20
10.136.54.20
169.254.48.98
Connections:
aws_tun1: 10.136.54.20...34.230.165.13 IKEv2
aws_tun1: local: [13.36.171.2] uses pre-shared key authentication
aws_tun1: remote: [34.230.165.13] uses pre-shared key authentication
aws_tun1: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL
Routed Connections:
aws_tun1{1}: ROUTED, TUNNEL, reqid 1
aws_tun1{1}: 0.0.0.0/0 === 0.0.0.0/0
Security Associations (1 up, 0 connecting):
aws_tun1[1]: ESTABLISHED 19 minutes ago, 10.136.54.20[13.36.171.2]...34.230.165.13[34.230.165.13]
aws_tun1[1]: IKEv2 SPIs: e5613fe092565676_i* baf6f0d76ad729c7_r, rekeying in 3 hours
aws_tun1[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_4096
aws_tun1{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c785164f_i c7d20def_o
aws_tun1{2}: AES_GCM_16_256, 15495 bytes_i (254 pkts, 1s ago), 29445 bytes_o (416 pkts, 1s ago), rekeying in 35 minutes
aws_tun1{2}: 0.0.0.0/0 === 0.0.0.0/0
IP configuration
root@ip-10-136-54-20:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
link/ether 06:d5:c4:9b:be:f8 brd ff:ff:ff:ff:ff:ff
inet 10.136.54.20/27 brd 10.136.54.31 scope global dynamic eth0
valid_lft 3594sec preferred_lft 3594sec
inet6 fe80::4d5:c4ff:fe9b:bef8/64 scope link
valid_lft forever preferred_lft forever
3: ipsec0@eth0: <NOARP,UP,LOWER_UP> mtu 1436 qdisc noqueue state UNKNOWN group default qlen 1000
link/none
inet 10.136.54.20 peer 169.254.171.1/30 scope global ipsec0
valid_lft forever preferred_lft forever
inet 169.254.48.98 peer 169.254.48.97/30 scope global ipsec0
valid_lft forever preferred_lft forever
inet6 fe80::d0be:a6a1:9c8e:8574/64 scope link stable-privacy
valid_lft forever preferred_lft forever
IP routes
root@ip-10-136-54-20:~# ip route
default via 10.136.54.1 dev eth0 proto dhcp src 10.136.54.20 metric 100
10.132.8.0/24 via 169.254.48.97 dev ipsec0 proto bird metric 32
10.136.54.0/27 dev eth0 proto kernel scope link src 10.136.54.20
10.136.54.0/27 dev eth0 proto bird scope link metric 32
10.136.54.1 dev eth0 proto dhcp scope link src 10.136.54.20 metric 100
10.136.54.20/30 dev ipsec0 proto bird scope link metric 32
169.254.48.96/30 dev ipsec0 proto kernel scope link src 169.254.48.98
169.254.48.96/30 dev ipsec0 proto bird scope link metric 32
169.254.48.97 dev ipsec0 scope link
169.254.171.0/30 dev ipsec0 proto kernel scope link src 10.136.54.20
AWS route table of the EC2 destination subnet
10.136.54.0/27 vgw-04ed836a1baf7acd0 Active Yes
Route table on the EC2 destination
root@ip-10-132-8-106:~# netstat -arn
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 10.132.8.97 0.0.0.0 UG 0 0 0 eth0
10.132.8.2 10.132.8.97 255.255.255.255 UGH 0 0 0 eth0
10.132.8.96 0.0.0.0 255.255.255.240 U 0 0 0 eth0
10.132.8.97 0.0.0.0 255.255.255.255 UH 0 0 0 eth0
IP tunnel (xfrm)
root@ip-10-136-54-20:~# ip xfrm state
src 10.136.54.20 dst 34.230.165.13
proto esp spi 0xc7d20def reqid 1 mode tunnel
replay-window 0 flag af-unspec
aead rfc4106(gcm(aes)) 0x0a76aa479ecbb2483c815c39bf7ea45caebf87c952cbe55ab861569008afdab1d38918e8 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x17a, bitmap 0x00000000
if_id 0x2a
src 34.230.165.13 dst 10.136.54.20
proto esp spi 0xc785164f reqid 1 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0xd97714f93418e817983e5b99aa1df8b8f9354e20217b1f622785ca6752eef8089527d6f0 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0xd8, oseq 0x0, bitmap 0xffffffff
if_id 0x2a
root@ip-10-136-54-20:~# ip xfrm policy
src 10.136.54.20 dst 34.230.165.13
proto esp spi 0xc7d20def reqid 1 mode tunnel
replay-window 0 flag af-unspec
aead rfc4106(gcm(aes)) 0x0a76aa479ecbb2483c815c39bf7ea45caebf87c952cbe55ab861569008afdab1d38918e8 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0x0, oseq 0x16e, bitmap 0x00000000
if_id 0x2a
src 34.230.165.13 dst 10.136.54.20
proto esp spi 0xc785164f reqid 1 mode tunnel
replay-window 32 flag af-unspec
aead rfc4106(gcm(aes)) 0xd97714f93418e817983e5b99aa1df8b8f9354e20217b1f622785ca6752eef8089527d6f0 128
encap type espinudp sport 4500 dport 4500 addr 0.0.0.0
anti-replay context: seq 0xcc, oseq 0x0, bitmap 0xffffffff
if_id 0x2a
No AWS network ACLs, no iptables config, no ufw, source/destination check disabled, net.ipv4.ip_forward = 1, security groups fully open.
The OS is Ubuntu 22.04.
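Added example, not the poster's code: a small Python check built from the addresses and routes pasted above. It models the Linux preferred-source choice for the bird-learned route to 10.132.8.0/24 (the kernel's inet_select_addr() prefers an address whose subnet contains the next-hop gateway) and then asks whether the AWS route table of the destination subnet can route a reply back to that source; the VPC-local route in AWS_DEST_ROUTES is an assumption.

```python
import ipaddress

# Constructed sample data taken from the `ip a`, `ip route` and AWS route table
# output in the question (not the poster's code). Address order per device
# follows the `ip a` listing, which matters for kernel source selection.
DEV_ADDRS = {  # dev -> [(local address, subnet or peer/prefix)]
    "eth0": [("10.136.54.20", "10.136.54.0/27")],
    "ipsec0": [("10.136.54.20", "169.254.171.1/30"),
               ("169.254.48.98", "169.254.48.97/30")],
}
CLIENT_ROUTES = [  # (prefix, gateway or None, dev, preferred src or None)
    ("0.0.0.0/0", "10.136.54.1", "eth0", "10.136.54.20"),
    ("10.132.8.0/24", "169.254.48.97", "ipsec0", None),  # bird route, no src hint
    ("10.136.54.0/27", None, "eth0", "10.136.54.20"),
]
# Assumed AWS route table of the destination subnet: the VPC-local route plus
# the single vgw route the question shows.
AWS_DEST_ROUTES = ["10.132.8.0/24", "10.136.54.0/27"]

def longest_match(routes, dst):
    """Return the most specific route whose prefix contains dst."""
    dst = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for route in routes:
        net = ipaddress.ip_network(route[0])
        if dst in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best

def kernel_source(dev, gateway):
    """Mimic Linux inet_select_addr(): on the egress device prefer the first
    address whose subnet contains the gateway, otherwise the first address."""
    addrs = DEV_ADDRS[dev]
    if gateway is not None:
        gw = ipaddress.ip_address(gateway)
        for local, subnet in addrs:
            if gw in ipaddress.ip_network(subnet, strict=False):
                return local
    return addrs[0][0]

def check_return_path(dst, routes=CLIENT_ROUTES, remote_routes=AWS_DEST_ROUTES):
    """Return (source the client will stamp on packets to dst, whether the
    remote route table can send a reply back to that source)."""
    _prefix, gateway, dev, src = longest_match(routes, dst)
    if src is None:
        src = kernel_source(dev, gateway)
    src_ip = ipaddress.ip_address(src)
    return src, any(src_ip in ipaddress.ip_network(p) for p in remote_routes)
```

It reproduces the asymmetry seen in the tcpdump: packets to 10.132.8.106 leave with source 169.254.48.98, which the destination's route table cannot reach, whereas the same route carrying a preferred src of 10.136.54.20 would be answerable.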
Answer 1
OK, it's solved.
I don't know why. I just ran this
apt-get upgrade && apt-get update && reboot
Now I get this on dest
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:12:32.216506 IP 10.136.54.20 > 10.132.8.106: ICMP echo request, id 10, seq 6, length 64
09:12:32.216534 IP 10.132.8.106 > 10.136.54.20: ICMP echo reply, id 10, seq 6, length 64
I guess it was a kernel issue with NAT-T and UDP encapsulation