VPN from pfSense to Amazon VPC

I am trying to create an IPsec tunnel between my office and our Amazon VPC. I have never used IPsec before, though, so I am lost.

The gateway/firewall runs pfSense 2.1.3-RELEASE (i386) on FreeBSD 8.3-RELEASE-p16.

The office network uses 192.168.1.0/24 and 192.168.2.0/24 (OpenVPN clients). The VPC uses 10.0.0.0/24. The VPC gateway uses static routing.

I have tried to work out how to create the tunnel from various guides, but most of them are confusing about how IPsec works, or they target a different version of pfSense/AWS, and with my lack of understanding I find it hard to translate them to my setup. Some guides talk about virtual IPs, others do not, and so on.

So I humbly ask: is there anyone here who could write a step-by-step guide to creating the tunnel in pfSense, and perhaps try to explain how things work?

This is what I got from the Amazon configuration download (credentials and office IP obfuscated):

    IPSec Tunnel #1
    ================================================================================

    #1: Internet Key Exchange Configuration

    Configure the IKE SA as follows
      - Authentication Method    : Pre-Shared Key
      - Pre-Shared Key           :
      - Authentication Algorithm : sha1
      - Encryption Algorithm     : aes-128-cbc
      - Lifetime                 : 28800 seconds
      - Phase 1 Negotiation Mode : main
      - Perfect Forward Secrecy  : Diffie-Hellman Group 2

    #2: IPSec Configuration

    Configure the IPSec SA as follows:
      - Protocol                 : esp
      - Authentication Algorithm : hmac-sha1-96
      - Encryption Algorithm     : aes-128-cbc
      - Lifetime                 : 3600 seconds
      - Mode                     : tunnel
      - Perfect Forward Secrecy  : Diffie-Hellman Group 2

    IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint.
    We recommend configuring DPD on your endpoint as follows:
      - DPD Interval : 10
      - DPD Retries  : 3

    IPSec ESP (Encapsulating Security Payload) inserts additional headers to transmit
    packets. These headers require additional space, which reduces the amount of space
    available to transmit application data. To limit the impact of this behavior, we
    recommend the following configuration on your Customer Gateway:
      - TCP MSS Adjustment       : 1387 bytes
      - Clear Don't Fragment Bit : enabled
      - Fragmentation            : Before encryption

    #3: Tunnel Interface Configuration

    Your Customer Gateway must be configured with a tunnel interface that is associated
    with the IPSec tunnel. All traffic transmitted to the tunnel interface is encrypted
    and transmitted to the Virtual Private Gateway.

    The Customer Gateway and Virtual Private Gateway each have two addresses that relate
    to this IPSec tunnel. Each contains an outside address, upon which encrypted traffic
    is exchanged. Each also contains an inside address associated with the tunnel
    interface.

    The Customer Gateway outside IP address was provided when the Customer Gateway was
    created. Changing the IP address requires the creation of a new Customer Gateway.
    The Customer Gateway inside IP address should be configured on your tunnel interface.

    Outside IP Addresses:
      - Customer Gateway        : xxxx
      - Virtual Private Gateway : yyyy

    Inside IP Addresses
      - Customer Gateway        : 169.254.254.62/30
      - Virtual Private Gateway : 169.254.254.61/30

    Configure your tunnel to fragment at the optimal size:
      - Tunnel interface MTU : 1436 bytes

    #4: Static Routing Configuration:

    To route traffic between your internal network and your VPC, you will need a static
    route added to your router.

    Static Route Configuration Options:
      - Next hop : 169.254.254.61

    You should add static routes towards your internal network on the VGW. The VGW will
    then send traffic towards your internal network over the tunnels.

    IPSec Tunnel #2
    ================================================================================

    #1: Internet Key Exchange Configuration

    Configure the IKE SA as follows
      - Authentication Method    : Pre-Shared Key
      - Pre-Shared Key           : xxxx
      - Authentication Algorithm : sha1
      - Encryption Algorithm     : aes-128-cbc
      - Lifetime                 : 28800 seconds
      - Phase 1 Negotiation Mode : main
      - Perfect Forward Secrecy  : Diffie-Hellman Group 2

    #2: IPSec Configuration

    Configure the IPSec SA as follows:
      - Protocol                 : esp
      - Authentication Algorithm : hmac-sha1-96
      - Encryption Algorithm     : aes-128-cbc
      - Lifetime                 : 3600 seconds
      - Mode                     : tunnel
      - Perfect Forward Secrecy  : Diffie-Hellman Group 2

    IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint.
    We recommend configuring DPD on your endpoint as follows:
      - DPD Interval : 10
      - DPD Retries  : 3

    IPSec ESP (Encapsulating Security Payload) inserts additional headers to transmit
    packets. These headers require additional space, which reduces the amount of space
    available to transmit application data. To limit the impact of this behavior, we
    recommend the following configuration on your Customer Gateway:
      - TCP MSS Adjustment       : 1387 bytes
      - Clear Don't Fragment Bit : enabled
      - Fragmentation            : Before encryption

    #3: Tunnel Interface Configuration

    Your Customer Gateway must be configured with a tunnel interface that is associated
    with the IPSec tunnel. All traffic transmitted to the tunnel interface is encrypted
    and transmitted to the Virtual Private Gateway.

    The Customer Gateway and Virtual Private Gateway each have two addresses that relate
    to this IPSec tunnel. Each contains an outside address, upon which encrypted traffic
    is exchanged. Each also contains an inside address associated with the tunnel
    interface.

    The Customer Gateway outside IP address was provided when the Customer Gateway was
    created. Changing the IP address requires the creation of a new Customer Gateway.
    The Customer Gateway inside IP address should be configured on your tunnel interface.

    Outside IP Addresses:
      - Customer Gateway        : xxxx
      - Virtual Private Gateway : zzzz

    Inside IP Addresses
      - Customer Gateway        : 169.254.254.58/30
      - Virtual Private Gateway : 169.254.254.57/30

    Configure your tunnel to fragment at the optimal size:
      - Tunnel interface MTU : 1436 bytes

    #4: Static Routing Configuration:

    To route traffic between your internal network and your VPC, you will need a static
    route added to your router.

    Static Route Configuration Options:
      - Next hop : 169.254.254.57

    You should add static routes towards your internal network on the VGW. The VGW will
    then send traffic towards your internal network over the tunnels.

I have pfSense configured for AWS over IPsec.

I will not give you a click-by-click guide, but I can show you what our working configuration looks like. Variables are embedded as %%...%%.

PH1

    <phase1>
      <ikeid>6</ikeid>
      <interface>lan</interface>
      <!-- outside address of the Virtual Private Gateway from the AWS download -->
      <remote-gateway>%%AWS_GW_IP%%</remote-gateway>
      <mode>main</mode>
      <protocol>inet</protocol>
      <myid_type>myaddress</myid_type>
      <myid_data/>
      <peerid_type>peeraddress</peerid_type>
      <peerid_data/>
      <!-- IKE SA proposal: aes-128-cbc / sha1 / DH group 2 / 28800 s (AWS section #1) -->
      <encryption-algorithm>
        <name>aes</name>
        <keylen>128</keylen>
      </encryption-algorithm>
      <hash-algorithm>sha1</hash-algorithm>
      <dhgroup>2</dhgroup>
      <lifetime>28800</lifetime>
      <pre-shared-key>%%AWS_PSK%%</pre-shared-key>
      <private-key/>
      <certref/>
      <caref/>
      <authentication_method>pre_shared_key</authentication_method>
      <generate_policy/>
      <proposal_check/>
      <descr><![CDATA[ VPC AWS ]]></descr>
      <nat_traversal>off</nat_traversal>
      <!-- Dead Peer Detection (the AWS download suggests interval 10, retries 3) -->
      <dpd_delay>10</dpd_delay>
      <dpd_maxfail>2</dpd_maxfail>
    </phase1>

PH2

    <phase2>
      <!-- must match the <ikeid> of the phase1 entry above -->
      <ikeid>6</ikeid>
      <mode>tunnel</mode>
      <localid>
        <type>network</type>
        <address>%%YOUR_NETWORK%%</address>
        <netbits>%%MASK%%</netbits>
      </localid>
      <remoteid>
        <type>network</type>
        <address>%%VPC_NETWORK%%</address>
        <netbits>%%MASK%%</netbits>
      </remoteid>
      <!-- IPsec SA proposal: esp / aes-128-cbc / hmac-sha1-96 / PFS DH group 2 / 3600 s (AWS section #2) -->
      <protocol>esp</protocol>
      <encryption-algorithm-option>
        <name>aes</name>
        <keylen>128</keylen>
      </encryption-algorithm-option>
      <hash-algorithm-option>hmac_sha1</hash-algorithm-option>
      <pfsgroup>2</pfsgroup>
      <lifetime>3600</lifetime>
      <!-- host inside the VPC that pfSense pings to keep the tunnel established -->
      <pinghost>%%HOST TO CHECK%%</pinghost>
      <descr><![CDATA[VPC AWS]]></descr>
    </phase2>

As far as I know, configuring the two tunnels so that they work redundantly is not possible with pfSense.
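The answer above shows the finished phase 1 / phase 2 entries but not how each AWS line maps to a pfSense field. The Python script below is an added example, not code from the original post, pfSense or AWS: it parses the AWS customer-gateway download format quoted in the question, derives the pfSense phase 1 and phase 2 values from it, and diffs them against the values in the posted <phase1> block. AWS_CONFIG is a constructed, abridged copy of that format with placeholder addresses and pre-shared keys; POSTED_PHASE1 is transcribed from the answer, so the diff surfaces its one departure from the AWS recommendation (DPD retries 2 instead of 3).

```python
"""Map an AWS VPN customer-gateway download (the text format quoted in the question)
onto pfSense 2.1 <phase1>/<phase2> values and diff them against a config you have."""
import re

# Constructed sample in the AWS download format, abridged to the lines this parser
# reads; addresses and keys are placeholders. Tunnel #2 is cut short on purpose.
AWS_CONFIG = """\
IPSec Tunnel #1
#1: Internet Key Exchange Configuration
- Pre-Shared Key : psk-for-tunnel-1
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2
#2: IPSec Configuration
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2
- DPD Interval : 10
- DPD Retries : 3
Outside IP Addresses:
- Virtual Private Gateway : 203.0.113.10
IPSec Tunnel #2
#1: Internet Key Exchange Configuration
- Pre-Shared Key : psk-for-tunnel-2
Outside IP Addresses:
- Virtual Private Gateway : 203.0.113.11
"""

# Heading prefix -> dict that the following "- key : value" lines belong to.
SECTIONS = {"#1:": "ike", "#2:": "ipsec", "Outside IP": "outside"}

def parse_aws_config(text):
    """Return one dict per tunnel: {'id', 'ike', 'ipsec', 'outside'}."""
    tunnels, section = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        header = re.match(r"IPSec Tunnel #(\d+)", line)
        if header:
            tunnels.append({"id": int(header.group(1)), "ike": {}, "ipsec": {}, "outside": {}})
            section = None
        elif any(line.startswith(p) for p in SECTIONS):
            section = next(v for p, v in SECTIONS.items() if line.startswith(p))
        elif line.startswith("- ") and tunnels and section:
            key, _, value = line[2:].partition(":")
            tunnels[-1][section][key.strip()] = value.strip()
    return tunnels

def _cipher(spec):
    """'aes-128-cbc' -> ('aes', 128): pfSense stores name and key length apart."""
    name, bits, _mode = spec.split("-")
    return name, int(bits)

def _num(spec, index):
    """Integer token at `index` of "28800 seconds" (0) or "Diffie-Hellman Group 2" (-1)."""
    return int(spec.split()[index])

def phase1_settings(tunnel):
    """pfSense <phase1> values: AWS section #1 (IKE SA) plus DPD, which AWS lists under #2."""
    ike, ipsec = tunnel["ike"], tunnel["ipsec"]
    name, keylen = _cipher(ike["Encryption Algorithm"])
    return {
        "remote-gateway": tunnel["outside"]["Virtual Private Gateway"],
        "mode": ike["Phase 1 Negotiation Mode"],
        "encryption-algorithm": {"name": name, "keylen": keylen},
        "hash-algorithm": ike["Authentication Algorithm"],
        "dhgroup": _num(ike["Perfect Forward Secrecy"], -1),
        "lifetime": _num(ike["Lifetime"], 0),
        "pre-shared-key": ike["Pre-Shared Key"],
        "authentication_method": "pre_shared_key",
        "dpd_delay": int(ipsec["DPD Interval"]),
        "dpd_maxfail": int(ipsec["DPD Retries"]),
    }

def phase2_settings(tunnel, local_net, vpc_net):
    """pfSense <phase2> values: AWS section #2 (IPsec SA) for one local/VPC network pair."""
    ipsec = tunnel["ipsec"]
    name, keylen = _cipher(ipsec["Encryption Algorithm"])
    return {
        "mode": ipsec["Mode"], "localid": local_net, "remoteid": vpc_net,
        "protocol": ipsec["Protocol"],
        "encryption-algorithm-option": {"name": name, "keylen": keylen},
        # AWS names ESP integrity "hmac-sha1-96"; the pfSense option for it is hmac_sha1.
        "hash-algorithm-option": {"hmac-sha1-96": "hmac_sha1"}[ipsec["Authentication Algorithm"]],
        "pfsgroup": _num(ipsec["Perfect Forward Secrecy"], -1),
        "lifetime": _num(ipsec["Lifetime"], 0),
    }

def mismatches(expected, actual):
    """Keys of `actual` whose value differs from the AWS-derived `expected`."""
    return {k: (expected.get(k), v) for k, v in actual.items() if expected.get(k) != v}

# Phase 1 as posted in the answer above (gateway and PSK were placeholders there).
POSTED_PHASE1 = {"mode": "main", "encryption-algorithm": {"name": "aes", "keylen": 128},
                 "hash-algorithm": "sha1", "dhgroup": 2, "lifetime": 28800,
                 "authentication_method": "pre_shared_key", "dpd_delay": 10, "dpd_maxfail": 2}
```

Run it with the real download pasted into AWS_CONFIG: `phase1_settings(parse_aws_config(AWS_CONFIG)[0])` gives the values to type into the pfSense phase 1 form for tunnel #1, `phase2_settings(..., "192.168.1.0/24", "10.0.0.0/24")` the phase 2 values (a second phase 2 with the same ikeid covers 192.168.2.0/24), and `mismatches(p1, POSTED_PHASE1)` returns `{"dpd_maxfail": (3, 2)}`. The parser keys the two "Authentication Algorithm" lines by the section they appear in, which is why the IKE hash (sha1) and the ESP integrity algorithm (hmac-sha1-96) do not collide.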