I am trying to establish an IPSec VPN connection between our corporate network and Amazon's Virtual Private Cloud, using their VPN system and a Linux server. Unfortunately, the only guide I have found discusses how to use a host Linux machine to establish the tunnel and let that machine reach the VPC instances, but there is no discussion online of how to let the instances reach the corporate network (or the rest of the internet via that network).
Network information
Local subnet: 10.3.0.0/25
Remote subnet: 10.4.0.0/16

Tunnel 1:
  Outside IP Addresses:
    - Customer Gateway: 199.167.xxx.xxx
    - VPN Gateway: 205.251.233.121
  Inside IP Addresses:
    - Customer Gateway: 169.254.249.2/30
    - VPN Gateway: 169.254.249.1/30

Tunnel 2:
  Outside IP Addresses:
    - Customer Gateway: 199.167.xxx.xxx
    - VPN Gateway: 205.251.233.122
  Inside IP Addresses:
    - Customer Gateway: 169.254.249.6/30
    - VPN Gateway: 169.254.249.5/30
Here is my /etc/ipsec-tools.conf:
flush;
spdflush;

spdadd 169.254.249.2/30 169.254.249.1/30 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
spdadd 169.254.249.1/30 169.254.249.2/30 any -P in ipsec esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 169.254.249.6/30 169.254.249.5/30 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;
spdadd 169.254.249.5/30 169.254.249.6/30 any -P in ipsec esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;

spdadd 169.254.249.2/30 10.4.0.0/16 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
spdadd 10.4.0.0/16 169.254.249.2/30 any -P in ipsec esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 169.254.249.6/30 10.4.0.0/16 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;
spdadd 10.4.0.0/16 169.254.249.6/30 any -P in ipsec esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;
Here is my /etc/racoon/racoon.conf:
remote 205.251.233.122 {
    exchange_mode main;
    lifetime time 28800 seconds;
    proposal {
        encryption_algorithm aes128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
    generate_policy off;
}

remote 205.251.233.121 {
    exchange_mode main;
    lifetime time 28800 seconds;
    proposal {
        encryption_algorithm aes128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
    generate_policy off;
}

sainfo address 169.254.249.2/30 any address 169.254.249.1/30 any {
    pfs_group 2;
    lifetime time 3600 seconds;
    encryption_algorithm aes128;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 169.254.249.6/30 any address 169.254.249.5/30 any {
    pfs_group 2;
    lifetime time 3600 seconds;
    encryption_algorithm aes128;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
BGP is working fine, so I won't post that configuration.
This works.
I assume I am missing something simple, but I have tried adding entries to ipsec-tools.conf using {local subnet} <-> {remote endpoint} to mirror {local endpoint} <-> {remote subnet}, and it does not seem to work.
When pinging from {remote instance} to {local server}, the ping times out. The packets are visible on the eth0 interface (even though the local network is on eth1).
Google has been of little help; it only turns up people trying to use OpenSwan, or people with similar problems but on hardware routers, or people using older tools.
Figured it out. Had to change my ipsec-tools.conf to this:
flush;
spdflush;

# Generic routing
spdadd 10.4.0.0/16 10.3.0.0/25 any -P in ipsec esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 10.3.0.0/25 10.4.0.0/16 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;

# Tunnel 1
spdadd 169.254.249.1/30 169.254.249.2/30 any -P in ipsec esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 169.254.249.2/30 169.254.249.1/30 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
spdadd 10.4.0.0/16 169.254.249.2/30 any -P in ipsec esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 169.254.249.2/30 10.4.0.0/16 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;

# Tunnel 2
spdadd 169.254.249.5/30 169.254.249.6/30 any -P in ipsec esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;
spdadd 169.254.249.6/30 169.254.249.5/30 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;
spdadd 10.4.0.0/16 169.254.249.6/30 any -P in ipsec esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;
spdadd 169.254.249.6/30 10.4.0.0/16 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;
and change my racoon.conf to:
path pre_shared_key "/etc/racoon/psk.txt";

remote 205.251.233.122 {
    exchange_mode main;
    lifetime time 28800 seconds;
    proposal {
        encryption_algorithm aes128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
    generate_policy off;
}

remote 205.251.233.121 {
    exchange_mode main;
    lifetime time 28800 seconds;
    proposal {
        encryption_algorithm aes128;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }
    generate_policy off;
}

sainfo address 169.254.249.2/30 any address 169.254.249.1/30 any {
    pfs_group 2;
    lifetime time 3600 seconds;
    encryption_algorithm aes128;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 169.254.249.6/30 any address 169.254.249.5/30 any {
    pfs_group 2;
    lifetime time 3600 seconds;
    encryption_algorithm aes128;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}

sainfo address 10.3.0.0/25 any address 10.4.0.0/16 any {
    pfs_group 2;
    lifetime time 3600 seconds;
    encryption_algorithm aes128;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
However, as far as I can tell, this configuration only routes traffic between 10.3.0.0/25 and 10.4.0.0/16 through the first tunnel (via xxx.121). When I figure it out, I will update the answer.
Well, I cheated :) I installed the Astaro gateway that Amazon officially supports and then used it to model my own. You can SSH into the Astaro unit and see how they set things up. Of course, if you want to pay for it, you can just stick with the Astaro unit.
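The fix above comes down to one missing pair of SPD entries: the first ipsec-tools.conf only covered the 169.254.249.x inside addresses, so packets sourced from the 10.3.0.0/25 hosts never matched a policy. The following script is an added example, not code from the original post: it generates the setkey policy set for the page's two-tunnel layout (each "out" entry mirrored by an "in" entry with both the selector and the ESP tunnel endpoints swapped) and reports which policies an existing config lacks. The customer gateway public IP, elided on the page, is a constructed placeholder.

```python
# Added example, not from the original post: generate the ipsec-tools/setkey SPD
# for an AWS VPC VPN with two tunnels and report which policies an existing
# config lacks. The customer gateway public IP is a constructed placeholder.
import re

CGW_PUBLIC = "198.51.100.10"  # constructed placeholder for 199.167.xxx.xxx
LOCAL_NET, REMOTE_NET = "10.3.0.0/25", "10.4.0.0/16"
# (VGW outside IP, CGW inside /30, VGW inside /30) from the page's tunnel data
TUNNELS = [("205.251.233.121", "169.254.249.2/30", "169.254.249.1/30"),
           ("205.251.233.122", "169.254.249.6/30", "169.254.249.5/30")]

SPD_RE = re.compile(r"spdadd (\S+) (\S+) any -P (in|out) ipsec "
                    r"esp/tunnel/(\S+)-(\S+)/require;")

def spd_pair(src, dst, vgw_out, cgw_out=CGW_PUBLIC):
    """'in' and 'out' spdadd lines for one flow: the inbound policy swaps
    both the traffic selector and the ESP tunnel endpoints."""
    return [f"spdadd {dst} {src} any -P in ipsec esp/tunnel/{vgw_out}-{cgw_out}/require;",
            f"spdadd {src} {dst} any -P out ipsec esp/tunnel/{cgw_out}-{vgw_out}/require;"]

def build_spd(local_net, remote_net, tunnels):
    """Full SPD: the subnet<->subnet policy (over tunnel 1, as in the accepted
    config) that the first attempt lacked, plus per-tunnel inside-address policies."""
    lines = ["flush;", "spdflush;", "# Generic routing"]
    lines += spd_pair(local_net, remote_net, tunnels[0][0])
    for n, (vgw_out, cgw_in, vgw_in) in enumerate(tunnels, 1):
        lines.append(f"# Tunnel {n}")
        lines += spd_pair(cgw_in, vgw_in, vgw_out)      # inside /30 <-> inside /30
        lines += spd_pair(cgw_in, remote_net, vgw_out)  # inside /30 <-> VPC subnet
    return lines

def parse_spd(lines):
    """Set of (src, dst, direction, tunnel_src, tunnel_dst) tuples."""
    return {m.groups() for m in map(SPD_RE.search, lines) if m}

def missing_policies(existing, local_net, remote_net, tunnels):
    """Policies build_spd would emit that the existing config does not have."""
    need = parse_spd(build_spd(local_net, remote_net, tunnels))
    return sorted(need - parse_spd(existing))

# Constructed reproduction of the question's first config: only the inside
# /30 addresses are covered, so host traffic from 10.3.0.0/25 never matches.
FIRST_ATTEMPT = [l for vgw_out, cgw_in, vgw_in in TUNNELS
                 for l in spd_pair(cgw_in, vgw_in, vgw_out) + spd_pair(cgw_in, REMOTE_NET, vgw_out)]

if __name__ == "__main__":
    print("\n".join(build_spd(LOCAL_NET, REMOTE_NET, TUNNELS)))
    for p in missing_policies(FIRST_ATTEMPT, LOCAL_NET, REMOTE_NET, TUNNELS):
        print("missing:", p)
```

Running it against the first attempt reports exactly the two subnet-to-subnet policies that the accepted answer adds under "Generic routing"; like that answer, the generated set still pins subnet traffic to tunnel 1 only.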