Intereting Posts
在Apache Windows Server 2012 R2上安装SSL证书
从外部连接转发到局域网中的计算机(Ubuntu-iptables)
Windows目录中的文件数量是否会影响将新文件复制到其中的时间?
SendMail TLS证书 – 可以为不同的主机共享吗?
Lighttpd:子域名会给出404错误
别名扭曲的服务器内容?
什么可能导致Windowslogin拒绝每个用户的凭据?
远程监控服务器的各种方法有哪些?
主板上只有PCI-E x16插槽的PCI-E HBA卡?
我如何使用Hping进行操作系统检测?
有没有人熟悉SuperMicro产品?
Windows 2003服务器上的静态IP设置未保存
如何在命令行上合并ubuntu上的两个ext3分区?
在CentOS 7中安装Google V8,缺less一些文件
如何为linux工作站创build多个“terminal”?
AWS StrongSwan IPSec VPN
最近我一直在玩StrongSwan,作为替代昂贵的亚马逊VPN。
我在运行StrongSwan的远程服务器和Ubuntu EC2计算机之间完全configurationIPSec隧道时遇到了问题。
我的目标是让我们的远程服务器能够VPN到我们的VPC,并在AWS上的私有子网之间进行双向访问。
目前,我可以build立一个隧道。 我可以从EC2机器(运行StrongSwan)到远程OSX服务器。 我可以在我的VPC中的公共和专用子网中的机器之间进行ping操作。
- Jenkins CI主从设置与从服务器的docker
- AWS CLI在第二次运行时会引发“找不到凭据”
- 在AWS CLI上调用CreateInvalidation操作时访问被拒绝
- AWS Storage Gateway卷中的文件系统损坏
- 大型Amazon S3 / Cloudfront日志的Webstats?
目前,我无法从我的OSX服务器ping AWS上运行强大天鹅的EC2实例。 我没有任何iptables设置来转发来自EC2(StrongSwan)机器的stream量到我私有子网中的其他机器。
AWS
VPC: 10.0.0.0/16 Public Subnet: 10.0.1.0/24 Private Subnet: 10.0.2.0/24 Web EIP: 77.77.77.77 (default for VPC IGW) VPN EIP: 66.66.66.66 AWS StrongSwan EC2
Ubuntu running StrongSwan 5.2.2 IP: 10.0.1.233
远程客户端网关 (带静态IP的蜂窝调制解调器+网关组合)
Running StrongSwan 5.2.2 internally for IPSec Public (static) IP: 55.55.55.55 LAN: 10.1.1.0/24 (DHCP Server)
远程客户端服务器 (用于testing的OSX机器)
IP: 10.1.1.1
networking拓扑结构 
公共子网中的安全组已打开,允许所有ICMP,UDP和TCP通信进行testing(忽略上图中的值)。
另外请注意,在StrongSwan EC2实例上禁用src / dst检查
远程网关StrongSwanconfiguration(StrongSwan 5.2.2)
version 2.0 config setup # charondebug="knl 4, asn 4, cfg 4, chd 4, dmn 4, enc 4, esp 4, ike 4, imc 4, imv 4, job 4, lib 4, mgr 4, net 4, pts 4,tls 4, tnc 4" conn %default keyexchange=ikev2 authby=secret conn net-to-net ike=aes256-sha256-modp1536,aes256-sha1-modp1536,aes128-sha256-modp1536,aes128-sha1-modp1536,3des-sha256-modp1536,3des-sha1-modp1536 esp=aes256-sha256_96-modp1536,aes256-sha1-modp1536,aes128-sha256_96-modp1536,aes128-sha1-modp1536,3des-sha256_96-modp1536,3des-sha1-modp1536 mobike=no keyingtries=%forever dpdaction=restart dpddelay=5s dpdtimeout=10s #AWS leftid=%any left=10.0.1.233 leftsubnet=10.0.0.0/16 #CLIENT rightid=%any right=55.55.55.55 rightsubnet=10.1.1.0/24 auto=add
远程网关上的IPSec设置 
eth0运行带有10.1.1.0/24 CIDR块的DHCP服务器。 我的OSX服务器有IP 10.1.1.1(在eth0上)
系统login到StrongSwan EC2
Mar 30 18:43:58 ip-10-0-1-233 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets' Mar 30 18:43:58 ip-10-0-1-233 charon: 00[CFG] loaded IKE secret for 66.66.66.66 55.55.55.55 Mar 30 18:43:58 ip-10-0-1-233 charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock Mar 30 18:43:58 ip-10-0-1-233 charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies) Mar 30 18:43:58 ip-10-0-1-233 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0 Mar 30 18:43:58 ip-10-0-1-233 charon: 00[JOB] spawning 16 worker threads Mar 30 18:43:58 ip-10-0-1-233 charon: 10[CFG] received stroke: add connection 'net-to-net' Mar 30 18:43:58 ip-10-0-1-233 charon: 10[CFG] added configuration 'net-to-net' Mar 30 18:44:01 ip-10-0-1-233 charon: 00[DMN] signal of type SIGINT received. Shutting down Mar 30 18:44:07 ip-10-0-1-233 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-44-generic, x86_64) Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts' Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts' Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts' Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts' Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls' Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets' Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loaded IKE secret for 66.66.66.66 55.55.55.55 Mar 30 18:44:07 ip-10-0-1-233 charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock Mar 30 18:44:07 ip-10-0-1-233 charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies) Mar 30 18:44:07 ip-10-0-1-233 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0 Mar 30 18:44:07 ip-10-0-1-233 charon: 00[JOB] spawning 16 worker threads Mar 30 18:44:07 ip-10-0-1-233 charon: 10[CFG] received stroke: add connection 'net-to-net' Mar 30 18:44:07 ip-10-0-1-233 charon: 10[CFG] added configuration 'net-to-net' Mar 30 18:44:17 ip-10-0-1-233 charon: 11[NET] received packet: from 55.55.55.55[500] to 10.0.1.233[500] (660 bytes) Mar 30 18:44:17 ip-10-0-1-233 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] Mar 30 18:44:17 ip-10-0-1-233 charon: 11[IKE] 55.55.55.55 is initiating an IKE_SA Mar 30 18:44:17 ip-10-0-1-233 charon: 11[IKE] local host is behind NAT, sending keep alives Mar 30 18:44:17 ip-10-0-1-233 charon: 11[IKE] DH group MODP_2048 inacceptable, requesting MODP_1536 Mar 30 18:44:17 ip-10-0-1-233 charon: 11[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ] Mar 30 18:44:17 ip-10-0-1-233 charon: 11[NET] sending packet: from 10.0.1.233[500] to 55.55.55.55[500] (38 bytes) Mar 30 18:44:17 ip-10-0-1-233 charon: 12[NET] received packet: from 55.55.55.55[500] to 10.0.1.233[500] (596 bytes) Mar 30 18:44:17 ip-10-0-1-233 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ] Mar 30 18:44:17 ip-10-0-1-233 charon: 12[IKE] 55.55.55.55 is initiating an IKE_SA Mar 30 18:44:17 ip-10-0-1-233 charon: 12[IKE] local host is behind NAT, sending keep alives Mar 30 18:44:17 ip-10-0-1-233 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ] Mar 30 18:44:17 ip-10-0-1-233 charon: 12[NET] sending packet: from 10.0.1.233[500] to 55.55.55.55[500] (376 bytes) Mar 30 18:44:18 ip-10-0-1-233 charon: 13[NET] received packet: from 55.55.55.55[4500] to 10.0.1.233[4500] (336 bytes) Mar 30 18:44:18 ip-10-0-1-233 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(IPCOMP_SUP) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ] Mar 30 18:44:18 ip-10-0-1-233 charon: 13[CFG] looking for peer configs matching 10.0.1.233[%any]...55.55.55.55[55.55.55.55] Mar 30 18:44:18 ip-10-0-1-233 charon: 13[CFG] selected peer config 'net-to-net' Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] authentication of '55.55.55.55' with pre-shared key successful Mar 30 18:44:18 ip-10-0-1-233 charon: 13[CFG] no IDr configured, fall back on IP address Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] authentication of '10.0.1.233' (myself) with pre-shared key Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] IKE_SA net-to-net[2] established between 10.0.1.233[10.0.1.233]...55.55.55.55[55.55.55.55] Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] scheduling reauthentication in 10081s Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] maximum IKE_SA lifetime 10621s Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] received IPCOMP_SUPPORTED notify but IPComp is disabled, ignoring Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] CHILD_SA net-to-net{1} established with SPIs c2a08785_i cc1db76f_o and TS 10.0.1.0/24 === 10.1.1.0/24 Mar 30 18:44:18 ip-10-0-1-233 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ] Mar 30 18:44:18 ip-10-0-1-233 charon: 13[NET] sending packet: from 10.0.1.233[4500] to 55.55.55.55[4500] (224 bytes) Mar 30 18:44:23 ip-10-0-1-233 charon: 14[IKE] sending DPD request
远程连接时,AWS端的tpcdump
18:41:14.660917 IP mobile-55-55-55-55.mycingular.net.isakmp > ip-10-0-1-233.ec2.internal.isakmp: isakmp: parent_sa ikev2_init[I] 18:41:14.681096 IP ip-10-0-1-233.ec2.internal.isakmp > mobile-55-55-55-55.mycingular.net.isakmp: isakmp: parent_sa ikev2_init[R] 18:41:15.259862 IP mobile-55-55-55-55.mycingular.net.isakmp > ip-10-0-1-233.ec2.internal.isakmp: isakmp: parent_sa ikev2_init[I] 18:41:15.271718 IP ip-10-0-1-233.ec2.internal.isakmp > mobile-55-55-55-55.mycingular.net.isakmp: isakmp: parent_sa ikev2_init[R] 18:41:15.809157 IP mobile-55-55-55-55.mycingular.net.ipsec-nat-t > ip-10-0-1-233.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I] 18:41:15.813883 IP ip-10-0-1-233.ec2.internal.ipsec-nat-t > mobile-55-55-55-55.mycingular.net.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[R] 18:41:20.812881 IP ip-10-0-1-233.ec2.internal.ipsec-nat-t > mobile-55-55-55-55.mycingular.net.ipsec-nat-t: NONESP-encap: isakmp: parent_sa inf2 18:41:21.139689 IP mobile-55-55-55-55.mycingular.net.ipsec-nat-t > ip-10-0-1-233.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[I] 18:41:21.140103 IP ip-10-0-1-233.ec2.internal.ipsec-nat-t > mobile-55-55-55-55.mycingular.net.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[R] 18:41:21.289057 IP mobile-55-55-55-55.mycingular.net.ipsec-nat-t > ip-10-0-1-233.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: parent_sa inf2[IR] 18:41:26.088336 IP mobile-55-55-55-55.mycingular.net.ipsec-nat-t > ip-10-0-1-233.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[I] 18:41:26.088827 IP ip-10-0-1-233.ec2.internal.ipsec-nat-t > mobile-55-55-55-55.mycingular.net.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[R] 18:41:31.103016 IP mobile-55-55-55-55.mycingular.net.ipsec-nat-t > ip-10-0-1-233.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[I] 18:41:31.103931 IP ip-10-0-1-233.ec2.internal.ipsec-nat-t > mobile-55-55-55-55.mycingular.net.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[R]
我相信我的设置很接近,但是我错过了一些基本的东西。 任何想法,为什么我的隧道不是双向工作? 我可以通过AWS-> Remote进行ping,但是不能以其他方式进行。 注意:我没有在Ubuntu(StrongSwan)EC2实例上设置ip转发或任何自定义iptable规则。
注意:还有这个由StrongSwan人创build的文档 ,我已经看过并试图用比当前设置less的运气来实现。
事实certificate,我犯了一个错误,在客户端网关出现了一个后路由问题,因此为什么只允许一个方向的stream量。 StrongSwan和AWSconfiguration正确。