strongSwan IPsec server with an AWS EC2 VPC VPN client

I'm trying to create a VPN tunnel between two AWS regions. The way I'm trying to do this is to set up an IPsec server with strongSwan on Linux in one region, and then use the VPC VPN in the other region.
The problem is that I can't come up with a correct configuration.

AWS provides the following information about setting up the IPsec VPN:

    #1: Internet Key Exchange Configuration
    Configure the IKE SA as follows
      - Authentication Method : Pre-Shared Key
      - Pre-Shared Key : ***********************
      - Authentication Algorithm : sha1
      - Encryption Algorithm : aes-128-cbc
      - Lifetime : 28800 seconds
      - Phase 1 Negotiation Mode : main
      - Perfect Forward Secrecy : Diffie-Hellman Group 2

    #2: IPSec Configuration
    Configure the IPSec SA as follows:
      - Protocol : esp
      - Authentication Algorithm : hmac-sha1-96
      - Encryption Algorithm : aes-128-cbc
      - Lifetime : 3600 seconds
      - Mode : tunnel
      - Perfect Forward Secrecy : Diffie-Hellman Group 2

    IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint.
    We recommend configuring DPD on your endpoint as follows:
      - DPD Interval : 10
      - DPD Retries : 3

    IPSec ESP (Encapsulating Security Payload) inserts additional headers to transmit packets.
    These headers require additional space, which reduces the amount of space available to
    transmit application data. To limit the impact of this behavior, we recommend the following
    configuration on your Customer Gateway:
      - TCP MSS Adjustment : 1387 bytes
      - Clear Don't Fragment Bit : enabled
      - Fragmentation : Before encryption

    #3: Tunnel Interface Configuration
    Your Customer Gateway must be configured with a tunnel interface that is associated with
    the IPSec tunnel. All traffic transmitted to the tunnel interface is encrypted and
    transmitted to the Virtual Private Gateway.
    The Customer Gateway and Virtual Private Gateway each have two addresses that relate to
    this IPSec tunnel. Each contains an outside address, upon which encrypted traffic is
    exchanged. Each also contains an inside address associated with the tunnel interface.
    The Customer Gateway outside IP address was provided when the Customer Gateway was created.
    Changing the IP address requires the creation of a new Customer Gateway.
    The Customer Gateway inside IP address should be configured on your tunnel interface.

    Outside IP Addresses:
      - Customer Gateway : 54.241.138.199
      - Virtual Private Gateway : 87.238.85.44
    Inside IP Addresses
      - Customer Gateway : 169.254.254.6/30
      - Virtual Private Gateway : 169.254.254.5/30

    Configure your tunnel to fragment at the optimal size:
      - Tunnel interface MTU : 1436 bytes

    #4: Static Routing Configuration:
    To route traffic between your internal network and your VPC, you will need a static route
    added to your router.
    Static Route Configuration Options:
      - Next hop : 169.254.254.5
    You should add static routes towards your internal network on the VGW. The VGW will then
    send traffic towards your internal network over the tunnels.

The private subnet on the local strongSwan side is 10.2.0.0/16
The private subnet on the remote VPN side is 10.4.0.0/16

With this, I tried using the following configuration:

    conn eu-west-1-1
        left=10.2.0.40
        leftsubnet=0.0.0.0/0
        right=87.238.85.40
        rightsubnet=10.4.0.0/16
        auto=add
        type=tunnel
        keyexchange=ikev1
        authby=secret
        ikelifetime=28800s
        keylife=28800s
        ike=aes128
        esp=aes128

But this results in the following error:

    pluto[1763]: "eu-west-1-1" #12: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===10.2.0.40[10.2.0.40]...87.238.85.40[87.238.85.40]===0.0.0.0/0

After finding an idea on the strongSwan mailing list, I tried putting 0.0.0.0/0 for both leftsubnet and rightsubnet, which causes the tunnel to come up (as reported by the AWS web GUI), but I lose all connectivity to the server (I guess this creates a route to 0.0.0.0/0 that blackholes all traffic).

Can anyone offer any hints on how to adjust the configuration to get this working?

Yes, I know I could use two strongSwans, OpenVPN or another software VPN at both ends, but by using AWS's VPN feature I only need to worry about maintaining one end of the VPN instead of both.

I know you posted this a while ago, but I have done what you describe. Here is a sample connection block using your values:

    conn vpc1
        type=tunnel
        compress=no
        keyexchange=ikev1
        ike=aes128-sha1-modp1024!
        auth=esp
        authby=psk
        left=54.241.138.199
        leftid=54.241.138.199
        leftsubnet=169.254.254.6/32,10.2.0.0/16
        rightsubnet=169.254.254.5/32,10.4.0.0/16
        right=87.238.85.44
        rightid=87.238.85.44
        esp=aes128-sha1-modp1024!
        auto=route

Then you can do:

    ipsec up vpc1 ; ipsec route vpc1

Left is your local side, right is the Amazon VPC VPN side. Hopefully I've got the IPs right.

The issue is that ipsec has to create the correct ip xfrm policies in the kernel, and without the right settings it won't know how to do the tunnel. That and the encryption settings have to be perfect.

It took me a lot of tries, and in the end I worked through this with the strongSwan developers. Caveats: this connection doesn't do DPD correctly and sometimes drops. It also doesn't up + route when service ipsec start is called.

Good luck!
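The exchange above comes down to two things: the conn block must match the parameters on AWS's sheet exactly (explicit hash and DH group in the proposals, IKEv1, PSK), and the traffic selectors must be the real networks rather than 0.0.0.0/0. As an added example (not code from either poster), this small Python checker parses an ipsec.conf conn block and flags deviations from that sheet; the dpdaction/dpddelay lines in the constructed sample are standard strongSwan keywords I assumed to cover AWS's DPD recommendation, which the answer notes it never got working.

```python
# Values from the AWS configuration sheet quoted in the question.
AWS_IKE = "aes128-sha1-modp1024"   # aes-128-cbc, sha1, DH group 2 (phase 1)
AWS_ESP = "aes128-sha1-modp1024"   # aes-128-cbc, hmac-sha1-96, PFS DH group 2

# Constructed sample: the answer's vpc1 block with DPD lines added.
SAMPLE = """conn vpc1
    keyexchange=ikev1
    authby=psk
    ike=aes128-sha1-modp1024!
    esp=aes128-sha1-modp1024!
    left=54.241.138.199
    leftsubnet=169.254.254.6/32,10.2.0.0/16
    right=87.238.85.44
    rightsubnet=169.254.254.5/32,10.4.0.0/16
    dpdaction=restart   # AWS runs DPD: interval 10, retries 3
    dpddelay=10s
    auto=route
"""

def parse_conns(text):
    """Return {conn name: {key: value}} for each conn section of an ipsec.conf fragment."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop trailing comments
        if line.startswith("conn "):                  # section header in column 0
            current = conns.setdefault(line.split()[1], {})
        elif current is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def check_aws_conn(conn):
    """Return a list of findings; an empty list means the block matches the AWS sheet."""
    findings = []
    if conn.get("keyexchange") != "ikev1":
        findings.append("keyexchange=ikev1 (AWS phase 1 is IKEv1 main mode)")
    if conn.get("authby") not in ("psk", "secret"):
        findings.append("authby=psk (pre-shared key)")
    if conn.get("ike", "").rstrip("!") != AWS_IKE:
        findings.append(f"ike={AWS_IKE}! (hash and DH group must be explicit)")
    if conn.get("esp", "").rstrip("!") != AWS_ESP:
        findings.append(f"esp={AWS_ESP}! (PFS with DH group 2)")
    for side in ("leftsubnet", "rightsubnet"):
        nets = [n.strip() for n in conn.get(side, "").split(",") if n.strip()]
        if not nets or "0.0.0.0/0" in nets:
            findings.append(f"{side} must list the real networks, not 0.0.0.0/0")
    if "dpdaction" not in conn:
        findings.append("dpdaction=restart with dpddelay=10s (AWS enables DPD)")
    return findings
```

Running `check_aws_conn` over the question's first attempt (ike=aes128, esp=aes128, leftsubnet=0.0.0.0/0) reports the missing hash/DH group, the 0.0.0.0/0 selector and the absent DPD settings, which are exactly the points the answer changed.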