I want to connect our office to an Amazon AWS VPC so that we can manage RDS and EC2 instances that live in non-public subnets. I am very new to this, but my idea is to test the setup with a software instance of pfSense, since it is a supported platform and we want to buy a pfSense-compatible router for our office.
I want to set up a secure IPsec VPN connection from pfSense to the AWS VPC and make the instances inside the VPC reachable from our office. The pfSense firewall currently runs inside a VirtualBox VM on my developer machine.
External office IP: 88.77.66.55
Office LAN subnet: 192.168.56.0/24 via VirtualBox
pfSense router IP: 192.168.0.100
Amazon VPC subnet: 10.0.0.0/16
AWS VPN connection tunnel: 111.222.333.444
On the AWS side:
1) Create a VPC with CIDR 10.0.0.0/16
2) Inside the VPC, create a subnet with CIDR 10.0.0.0/16
3) Create a Customer Gateway pointing at the external office IP (88.77.66.55), with a static route for 192.168.56.0/24 (the VirtualBox network)
4) Create a Virtual Private Gateway and attach it to the VPC
5) Create a VPN connection and associate it with the Customer Gateway and the Virtual Private Gateway
6) Download the pfSense configuration
In VirtualBox:
1) Add two network adapters: one bridged and one host-only
2) Install the pfSense image
In pfSense:
1) Boot pfSense
2) Assign WAN to the bridged network (it gets 192.168.0.100)
3) Assign LAN to the host-only network (192.168.56.1)
4) Set up the IPsec tunnel according to the downloaded pfSense configuration file
5) Ping the VPN tunnel from pfSense
6) Allow all IPv4 traffic on the WAN and LAN interfaces
On the office router: ports 500 and 4500 are forwarded to the pfSense IP 192.168.0.100
+--------------------+     +-----------------+     +-------------------+
| VPN Connection     +---->| Virtual Private +---->| Amazon VPC        |
| Tunnel 1           |     | Gateway         |     |                   |
| 111.222.333.444    |<----+                 |<----+ 10.0.0.0/16       |
+------+------^------+     +-----------------+     +-------------------+
       |      |
       |      |
       |      |
       |      |
+------v------+------+     +------------------+     +---------------------+
| Customer Gateway   +---->| Office Router    +---->| VirtualBox pfSense  |
| 88.77.66.55        |<----+ LAN 192.168.0.56 |<----+ WAN 192.168.0.100   |
+--------------------+     +------------------+     +---------------------+
Nov 23 09:55:12 pfSense ipsec_starter[58921]: Starting strongSwan 5.6.0 IPsec [starter]...
Nov 23 09:55:12 pfSense ipsec_starter[58921]: no netkey IPsec stack detected
Nov 23 09:55:12 pfSense ipsec_starter[58921]: no KLIPS IPsec stack detected
Nov 23 09:55:12 pfSense ipsec_starter[58921]: no known IPsec stack detected, ignoring!
Nov 23 09:55:12 pfSense charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.6.0, FreeBSD 11.1-RELEASE-p4, amd64)
Nov 23 09:55:12 pfSense charon: 00[KNL] unable to set UDP_ENCAP: Invalid argument
Nov 23 09:55:12 pfSense charon: 00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
Nov 23 09:55:12 pfSense charon: 00[CFG] loading unbound resolver config from '/etc/resolv.conf'
Nov 23 09:55:12 pfSense charon: 00[CFG] loading unbound trust anchors from '/usr/local/etc/ipsec.d/dnssec.keys'
Nov 23 09:55:12 pfSense charon: 00[CFG] ipseckey plugin is disabled
Nov 23 09:55:12 pfSense charon: 00[CFG] loading ca certificates from '/usr/local/etc/ipsec.d/cacerts'
Nov 23 09:55:12 pfSense charon: 00[CFG] loading aa certificates from '/usr/local/etc/ipsec.d/aacerts'
Nov 23 09:55:12 pfSense charon: 00[CFG] loading ocsp signer certificates from '/usr/local/etc/ipsec.d/ocspcerts'
Nov 23 09:55:12 pfSense charon: 00[CFG] loading attribute certificates from '/usr/local/etc/ipsec.d/acerts'
Nov 23 09:55:12 pfSense charon: 00[CFG] loading crls from '/usr/local/etc/ipsec.d/crls'
Nov 23 09:55:12 pfSense charon: 00[CFG] loading secrets from '/var/etc/ipsec/ipsec.secrets'
Nov 23 09:55:12 pfSense charon: 00[CFG] loaded IKE secret for %any 111.222.333.444
Nov 23 09:55:12 pfSense charon: 00[CFG] opening triplet file /usr/local/etc/ipsec.d/triplets.dat failed: No such file or directory
Nov 23 09:55:12 pfSense charon: 00[CFG] loaded 0 RADIUS server configurations
Nov 23 09:55:12 pfSense charon: 00[LIB] loaded plugins: charon unbound aes des blowfish rc2 sha2 sha1 md4 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey ipseckey pem openssl fips-prf curve25519 xcbc cmac hmac curl attr kernel-pfkey kernel-pfroute resolve socket-default stroke vici updown eap-identity eap-sim eap-md5 eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap xauth-generic xauth-eap whitelist addrblock
Nov 23 09:55:12 pfSense charon: 00[JOB] spawning 16 worker threads
Nov 23 09:55:12 pfSense ipsec_starter[59608]: charon (59869) started after 40 ms
Nov 23 09:55:12 pfSense charon: 15[CFG] received stroke: add connection 'con1000'
Nov 23 09:55:12 pfSense charon: 15[CFG] conn con1000
Nov 23 09:55:12 pfSense charon: 15[CFG] left=192.168.0.100
Nov 23 09:55:12 pfSense charon: 15[CFG] leftsubnet=192.168.56.0/24
Nov 23 09:55:12 pfSense charon: 15[CFG] leftauth=psk
Nov 23 09:55:12 pfSense charon: 15[CFG] leftid=192.168.0.100
Nov 23 09:55:12 pfSense charon: 15[CFG] right=111.222.333.444
Nov 23 09:55:12 pfSense charon: 15[CFG] rightsubnet=10.0.0.0/16
Nov 23 09:55:12 pfSense charon: 15[CFG] rightauth=psk
Nov 23 09:55:12 pfSense charon: 15[CFG] rightid=111.222.333.444
Nov 23 09:55:12 pfSense charon: 15[CFG] ike=aes128-sha1-modp1024!
Nov 23 09:55:12 pfSense charon: 15[CFG] esp=aes128-sha1-modp1024!
Nov 23 09:55:12 pfSense charon: 15[CFG] dpddelay=10
Nov 23 09:55:12 pfSense charon: 15[CFG] dpdtimeout=60
Nov 23 09:55:12 pfSense charon: 15[CFG] dpdaction=3
Nov 23 09:55:12 pfSense charon: 15[CFG] sha256_96=no
Nov 23 09:55:12 pfSense charon: 15[CFG] mediation=no
Nov 23 09:55:12 pfSense charon: 15[CFG] keyexchange=ikev1
Nov 23 09:55:12 pfSense charon: 15[CFG] added configuration 'con1000'
Nov 23 09:55:12 pfSense charon: 14[CFG] received stroke: route 'con1000'
Nov 23 09:55:12 pfSense charon: 14[CFG] proposing traffic selectors for us:
Nov 23 09:55:12 pfSense charon: 14[CFG] 192.168.56.0/24|/0
Nov 23 09:55:12 pfSense charon: 14[CFG] proposing traffic selectors for other:
Nov 23 09:55:12 pfSense charon: 14[CFG] 10.0.0.0/16|/0
Nov 23 09:55:12 pfSense charon: 14[CFG] configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Nov 23 09:55:12 pfSense charon: 14[CHD] CHILD_SA con1000{1} state change: CREATED => ROUTED
Nov 23 09:55:12 pfSense ipsec_starter[59608]: 'con1000' routed
Nov 23 09:55:12 pfSense ipsec_starter[59608]:
Nov 23 09:55:14 pfSense charon: 14[CFG] vici client 1 connected
Nov 23 09:55:14 pfSense charon: 14[CFG] vici client 1 registered for: list-sa
Nov 23 09:55:14 pfSense charon: 14[CFG] vici client 1 requests: list-sas
Nov 23 09:55:14 pfSense charon: 15[CFG] vici client 1 disconnected
Nov 23 09:55:17 pfSense charon: 15[CFG] received stroke: terminate 'con1000'
Nov 23 09:55:17 pfSense charon: 15[CFG] no IKE_SA named 'con1000' found
Nov 23 09:55:17 pfSense charon: 15[CFG] received stroke: initiate 'con1000'
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> queueing ISAKMP_VENDOR task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> queueing ISAKMP_CERT_PRE task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> queueing MAIN_MODE task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> queueing ISAKMP_CERT_POST task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> queueing ISAKMP_NATD task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> queueing QUICK_MODE task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> activating new tasks
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> activating ISAKMP_VENDOR task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> activating ISAKMP_CERT_PRE task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> activating MAIN_MODE task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> activating ISAKMP_CERT_POST task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> activating ISAKMP_NATD task
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> sending XAuth vendor ID
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> sending DPD vendor ID
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> sending FRAGMENTATION vendor ID
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> sending NAT-T (RFC 3947) vendor ID
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> initiating Main Mode IKE_SA con1000[1] to 111.222.333.444
Nov 23 09:55:17 pfSense charon: 13[IKE] <con1000|1> IKE_SA con1000[1] state change: CREATED => CONNECTING
Nov 23 09:55:17 pfSense charon: 13[CFG] <con1000|1> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Nov 23 09:55:17 pfSense charon: 13[ENC] <con1000|1> generating ID_PROT request 0 [ SA VVVVV ]
Nov 23 09:55:17 pfSense charon: 13[NET] <con1000|1> sending packet: from 192.168.0.100[500] to 111.222.333.444[500] (180 bytes)
Nov 23 09:55:17 pfSense charon: 13[CFG] vici client 2 connected
Nov 23 09:55:17 pfSense charon: 13[CFG] vici client 2 registered for: list-sa
Nov 23 09:55:17 pfSense charon: 12[CFG] vici client 2 requests: list-sas
Nov 23 09:55:17 pfSense charon: 12[CFG] vici client 2 disconnected
Nov 23 09:55:21 pfSense charon: 06[IKE] <con1000|1> sending retransmit 1 of request message ID 0, seq 1
Nov 23 09:55:21 pfSense charon: 06[NET] <con1000|1> sending packet: from 192.168.0.100[500] to 111.222.333.444[500] (180 bytes)
Nov 23 09:55:23 pfSense charon: 06[CFG] vici client 3 connected
Nov 23 09:55:23 pfSense charon: 06[CFG] vici client 3 registered for: list-sa
Nov 23 09:55:23 pfSense charon: 06[CFG] vici client 3 requests: list-sas
Nov 23 09:55:23 pfSense charon: 06[CFG] vici client 3 disconnected
Nov 23 09:55:28 pfSense charon: 08[CFG] vici client 4 connected
Nov 23 09:55:28 pfSense charon: 06[CFG] vici client 4 registered for: list-sa
Nov 23 09:55:28 pfSense charon: 10[CFG] vici client 4 requests: list-sas
Nov 23 09:55:28 pfSense charon: 10[CFG] vici client 4 disconnected
Nov 23 09:55:29 pfSense charon: 10[IKE] <con1000|1> sending retransmit 2 of request message ID 0, seq 1
Nov 23 09:55:29 pfSense charon: 10[NET] <con1000|1> sending packet: from 192.168.0.100[500] to 111.222.333.444[500] (180 bytes)
The client disconnects immediately and I do not see a very clear error message. I think the problem is that pfSense is behind NAT. What if the left IP address were also the VM's subnet IP, e.g. 192.168.56.2?
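A small triage script, added here as an example and not part of the original question or answers, for reading a charon log like the one above. It parses strongSwan's `sending packet` / `received packet` / `sending retransmit` lines per IKE_SA, reports when an SA keeps retransmitting without ever receiving anything (the pattern in the log above), and flags two configuration points worth a look on a NATed initiator: an RFC 1918 address as `leftid`, and legacy algorithms in the `ike=`/`esp=` proposals. The sample log is constructed from a subset of the lines above; every function and constant name is this example's own, not pfSense's or strongSwan's.

```python
"""Triage of a strongSwan (pfSense charon) log for a tunnel that never comes up.

Added example, not code from the original post. Parses the log format shown in
the question, tracks per IKE_SA whether any packet ever came back, and lists the
configuration points worth checking when the initiator sits behind NAT.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in the same format as the post's log (a subset of its lines).
SAMPLE_LOG = """\
Nov 23 09:55:12 pfSense charon: 15[CFG]   left=192.168.0.100
Nov 23 09:55:12 pfSense charon: 15[CFG]   leftsubnet=192.168.56.0/24
Nov 23 09:55:12 pfSense charon: 15[CFG]   leftid=192.168.0.100
Nov 23 09:55:12 pfSense charon: 15[CFG]   right=111.222.333.444
Nov 23 09:55:12 pfSense charon: 15[CFG]   rightsubnet=10.0.0.0/16
Nov 23 09:55:12 pfSense charon: 15[CFG]   rightid=111.222.333.444
Nov 23 09:55:12 pfSense charon: 15[CFG]   ike=aes128-sha1-modp1024!
Nov 23 09:55:12 pfSense charon: 15[CFG]   esp=aes128-sha1-modp1024!
Nov 23 09:55:17 pfSense charon: 13[NET] <con1000|1> sending packet: from 192.168.0.100[500] to 111.222.333.444[500] (180 bytes)
Nov 23 09:55:21 pfSense charon: 06[IKE] <con1000|1> sending retransmit 1 of request message ID 0, seq 1
Nov 23 09:55:21 pfSense charon: 06[NET] <con1000|1> sending packet: from 192.168.0.100[500] to 111.222.333.444[500] (180 bytes)
Nov 23 09:55:29 pfSense charon: 10[IKE] <con1000|1> sending retransmit 2 of request message ID 0, seq 1
Nov 23 09:55:29 pfSense charon: 10[NET] <con1000|1> sending packet: from 192.168.0.100[500] to 111.222.333.444[500] (180 bytes)
"""

# Log line shapes emitted by charon (stroke config dump, NET and IKE subsystems).
SETTING_RE = re.compile(r"\[CFG\]\s+([a-z_0-9]+)=(\S+)\s*$")
SENT_RE = re.compile(r"<(\w+)\|\d+> sending packet: from (\S+)\[(\d+)\] to (\S+)\[(\d+)\]")
RECV_RE = re.compile(r"<(\w+)\|\d+> received packet: from (\S+)\[(\d+)\]")
RETRANSMIT_RE = re.compile(r"<(\w+)\|\d+> sending retransmit (\d+) of request message ID (\d+)")

# Proposal tokens that are legacy choices for a new site-to-site tunnel.
WEAK_TOKENS = {"modp1024": "1024-bit MODP (DH group 2)", "sha1": "SHA-1",
               "md5": "MD5", "des": "DES", "3des": "3DES"}


@dataclass
class SaState:
    sent: int = 0
    received: int = 0
    retransmits: int = 0
    peer: str = ""
    local: str = ""
    local_port: int = 0


def address_kind(text):
    """'private' or 'public' for a parsable IP literal, None otherwise
    (the 111.222.333.444 placeholder in the post is not a valid address)."""
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return None
    return "private" if addr.is_private else "public"


def weak_algorithms(proposal):
    """Legacy tokens found in an ike=/esp= proposal such as 'aes128-sha1-modp1024!'."""
    tokens = proposal.rstrip("!").split("-")
    return [WEAK_TOKENS[t] for t in tokens if t in WEAK_TOKENS]


def triage(log_text):
    """Parse a charon log; return (settings, per-SA state, list of findings)."""
    settings, sas = {}, {}
    for line in log_text.splitlines():
        if (m := SETTING_RE.search(line)):
            settings[m.group(1)] = m.group(2)
        elif (m := SENT_RE.search(line)):
            sa = sas.setdefault(m.group(1), SaState())
            sa.sent += 1
            sa.local, sa.local_port, sa.peer = m.group(2), int(m.group(3)), m.group(4)
        elif (m := RECV_RE.search(line)):
            sas.setdefault(m.group(1), SaState()).received += 1
        elif (m := RETRANSMIT_RE.search(line)):
            sas.setdefault(m.group(1), SaState()).retransmits += 1

    findings = []
    for name, sa in sas.items():
        # Retransmits with zero inbound packets: nothing is answering at all.
        if sa.retransmits and sa.received == 0:
            findings.append(
                f"{name}: {sa.sent} packet(s) sent to {sa.peer}, {sa.retransmits} retransmit(s), "
                "nothing received: the peer is unreachable or silently dropping IKE; check the NAT "
                f"forward of UDP {sa.local_port}/4500 to {sa.local} and that the peer expects IKE "
                "from the NAT's public address")
    leftid = settings.get("leftid")
    if leftid and address_kind(leftid) == "private":
        findings.append(
            f"leftid={leftid} is an RFC 1918 address: a NATed initiator presents this as its IKE "
            "identity; confirm the peer expects it (an AWS customer gateway is defined by its public IP)")
    for key in ("ike", "esp"):
        weak = weak_algorithms(settings.get(key, ""))
        if weak:
            findings.append(f"{key}={settings[key]} uses legacy algorithms ({', '.join(weak)}); "
                            "tighten once the tunnel is up")
    return settings, sas, findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)[2]:
        print("-", finding)
```

Run it against a full `/var/log/ipsec.log` export to get the same three categories of finding; an SA that shows any `received packet` line is not reported as unreachable, which separates a transport problem (nothing comes back) from a negotiation problem (the peer answers but rejects the proposal or identity).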
In the log file, leftsubnet and rightsubnet are the same. leftsubnet should be the VPC CIDR. rightsubnet should be the office CIDR. left and right also look incorrect.
Where did you get the connection configuration (ipsec.conf) from? Downloaded from Amazon or created by hand?