带有 AWS EC2 VPC VPN 客户端的 strongSwan IPsec 服务器

带有 AWS EC2 VPC VPN 客户端的 strongSwan IPsec 服务器

我正在尝试在两个 AWS 区域之间创建 VPN 隧道。我尝试这样做的方法是在一个区域中使用 strongSwan 在 Linux 中设置 IPsec 服务器,然后在另一个区域中设置 VPC VPN。
问题是我无法想出一个正确的配置。

AWS 提供了以下用于设置 IPsec VPN 的信息:

#1: Internet Key Exchange Configuration

Configure the IKE SA as follows
  - Authentication Method    : Pre-Shared Key 
  - Pre-Shared Key           : ***********************
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
  - DPD Interval             : 10
  - DPD Retries              : 3

IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space, 
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following 
configuration on your Customer Gateway:
  - TCP MSS Adjustment       : 1387 bytes
  - Clear Don't Fragment Bit : enabled
  - Fragmentation            : Before encryption

#3: Tunnel Interface Configuration

Your Customer Gateway must be configured with a tunnel interface that is
associated with the IPSec tunnel. All traffic transmitted to the tunnel
interface is encrypted and transmitted to the Virtual Private Gateway.



The Customer Gateway and Virtual Private Gateway each have two addresses that relate
to this IPSec tunnel. Each contains an outside address, upon which encrypted
traffic is exchanged. Each also contain an inside address associated with
the tunnel interface.

The Customer Gateway outside IP address was provided when the Customer Gateway
was created. Changing the IP address requires the creation of a new
Customer Gateway.

The Customer Gateway inside IP address should be configured on your tunnel
interface. 

Outside IP Addresses:
  - Customer Gateway                : 54.241.138.199 
  - Virtual Private Gateway         : 87.238.85.44

Inside IP Addresses
  - Customer Gateway                : 169.254.254.6/30
  - Virtual Private Gateway         : 169.254.254.5/30

Configure your tunnel to fragment at the optimal size:
  - Tunnel interface MTU     : 1436 bytes


#4: Static Routing Configuration:

To route traffic between your internal network and your VPC, 
you will need a static route added to your router.

Static Route Configuration Options:

  - Next hop       : 169.254.254.5

You should add static routes towards your internal network on the VGW.
The VGW will then send traffic towards your internal network over 
the tunnels.  

本地 strongSwan 端的私有子网为10.2.0.0/16
远程 VPN 端的私有子网为10.4.0.0/16

为此,我尝试使用如下配置:

conn eu-west-1-1
        left=10.2.0.40
        leftsubnet=0.0.0.0/0
        right=87.238.85.40
        rightsubnet=10.4.0.0/16
        auto=add
        type=tunnel
        keyexchange=ikev1
        authby=secret
        ikelifetime=28800s
        keylife=28800s
        ike=aes128
        esp=aes128

但这会导致以下错误:

pluto[1763]: "eu-west-1-1" #12: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===10.2.0.40[10.2.0.40]...87.238.85.40[87.238.85.40]===0.0.0.0/0

根据我在 strongSwan 邮件列表中发现的一个想法,我尝试0.0.0.0/0leftsubnetand放在rightsubnet一起,这确实会导致隧道启动(如 AWS Web GUI 所报告的),但我失去了与服务器的所有连接(我猜它正在创建一条到 0.0.0.0/0 的路由,使所有流量陷入黑洞)。

有人可以提供一些关于如何调整配置以使其正常工作的提示吗?

是的,我知道我可以在两端使用 2 个 strongSwan、OpenVPN 或其他软件 VPN,但是通过使用 AWS 的 VPN 功能,我只需要担心维护 VPN 的一端,而不必担心两端。

答案1

我知道您发布此帖子已经有一段时间了,但我已经按照您描述的方式做了,这里有一个使用您的值的示例连接块:

conn vpc1
        type=tunnel
        compress=no
        keyexchange=ikev1
        ike=aes128-sha1-modp1024!
        auth=esp
        authby=psk
        left=54.241.138.199 
        leftid=54.241.138.199 
        leftsubnet=169.254.254.6/32,10.2.0.0/16
        rightsubnet=169.254.254.5/32,10.4.0.0/16
        right=87.238.85.44
        rightid=87.238.85.44
        esp=aes128-sha1-modp1024!
        auto=route

然后你就可以做了ipsec up vpc1 ; ipsec route vpc1

左边是本地端,右边是 Amazon VPC VPN 端。希望我输入的 IP 正确。

问题在于 ipsec 必须在内核中创建正确的 ip xfrm 策略,如果没有正确的设置,它就不知道如何建立隧道。这一点和加密设置都必须完美无缺。

我尝试了很多次,最后与 strongswan 开发人员合作才解决了这个问题。注意事项:此连接无法正确执行 DPD,有时会断开。调用 service ipsec start 时它也不会启动+路由。

祝你好运!

相关内容