strongSwan IPsec server with an AWS EC2 VPC VPN client

phe*_*mer 6 vpn ipsec amazon-ec2 amazon-web-services strongswan

I am trying to create a VPN tunnel between two AWS regions. The way I am trying to do it is to set up an IPsec server on Linux using strongSwan in one region, and a VPC VPN in the other region.
The problem is that I cannot come up with a correct configuration.

AWS provides the following information for setting up the IPsec VPN:

#1: Internet Key Exchange Configuration

Configure the IKE SA as follows
  - Authentication Method    : Pre-Shared Key 
  - Pre-Shared Key           : ***********************
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
  - DPD Interval             : 10
  - DPD Retries              : 3

IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space, 
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following 
configuration on your Customer Gateway:
  - TCP MSS Adjustment       : 1387 bytes
  - Clear Don't Fragment Bit : enabled
  - Fragmentation            : Before encryption

#3: Tunnel Interface Configuration

Your Customer Gateway must be configured with a tunnel interface that is
associated with the IPSec tunnel. All traffic transmitted to the tunnel
interface is encrypted and transmitted to the Virtual Private Gateway.



The Customer Gateway and Virtual Private Gateway each have two addresses that relate
to this IPSec tunnel. Each contains an outside address, upon which encrypted
traffic is exchanged. Each also contain an inside address associated with
the tunnel interface.

The Customer Gateway outside IP address was provided when the Customer Gateway
was created. Changing the IP address requires the creation of a new
Customer Gateway.

The Customer Gateway inside IP address should be configured on your tunnel
interface. 

Outside IP Addresses:
  - Customer Gateway                : 54.241.138.199 
  - Virtual Private Gateway         : 87.238.85.44

Inside IP Addresses
  - Customer Gateway                : 169.254.254.6/30
  - Virtual Private Gateway         : 169.254.254.5/30

Configure your tunnel to fragment at the optimal size:
  - Tunnel interface MTU     : 1436 bytes


#4: Static Routing Configuration:

To route traffic between your internal network and your VPC, 
you will need a static route added to your router.

Static Route Configuration Options:

  - Next hop       : 169.254.254.5

You should add static routes towards your internal network on the VGW.
The VGW will then send traffic towards your internal network over 
the tunnels.  

The private subnet on the local strongSwan side is 10.2.0.0/16.
The private subnet on the remote VPN side is 10.4.0.0/16.

With this, I tried using the following configuration:

conn eu-west-1-1
        left=10.2.0.40
        leftsubnet=0.0.0.0/0
        right=87.238.85.40
        rightsubnet=10.4.0.0/16
        auto=add
        type=tunnel
        keyexchange=ikev1
        authby=secret
        ikelifetime=28800s
        keylife=28800s
        ike=aes128
        esp=aes128

However, this results in the following error:

pluto[1763]: "eu-west-1-1" #12: cannot respond to IPsec SA request because no connection is known for 0.0.0.0/0===10.2.0.40[10.2.0.40]...87.238.85.40[87.238.85.40]===0.0.0.0/0

Following an idea I found on the strongSwan mailing list, I tried putting 0.0.0.0/0 in both leftsubnet and rightsubnet. This does cause the tunnel to come up (as reported by the AWS web GUI), but I lose all connectivity to the server (I guess it is creating a route to 0.0.0.0/0 that swallows all traffic).

Can anyone offer any hints on how to adjust the configuration to make this work?

Yes, I know I could just use two strongSwan instances, OpenVPN or some other software VPN on both ends, but by using the AWS VPN feature I only have to worry about maintaining one end of the VPN instead of both.

Jes*_*sse 11

I know it has been a while since you posted this, but I have done what you describe. Here is an example connection block using your values:

conn vpc1
        type=tunnel
        compress=no
        keyexchange=ikev1
        ike=aes128-sha1-modp1024!
        auth=esp
        authby=psk
        left=54.241.138.199 
        leftid=54.241.138.199 
        leftsubnet=169.254.254.6/32,10.2.0.0/16
        rightsubnet=169.254.254.5/32,10.4.0.0/16
        right=87.238.85.44
        rightid=87.238.85.44
        esp=aes128-sha1-modp1024!
        auto=route

Then you can do ipsec up vpc1 ; ipsec route vpc1

Left is your local side and right is the Amazon VPC VPN side. Hopefully I have the IPs right.

The problem is that ipsec has to create the correct ip xfrm policies in the kernel, and without the right settings it will not know how to tunnel. That and the crypto settings have to be perfect.

It took me many attempts and I finally worked it out together with a strongSwan developer. Caveats: this connection does not do DPD correctly and sometimes drops. It also does not up+route when service ipsec start is called.

Good luck!
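As an added example (not part of the answer above, and not strongSwan's own tooling), the following Python script parses the AWS customer-gateway text quoted in the question and renders a conn block in the shape of the answer's, folding in the DPD interval and retries AWS recommends as strongSwan's dpddelay/dpdtimeout; deriving the timeout as interval times retries is an assumption, as is the assumed parse_aws_text/render_conn naming.

```python
import re

# Constructed sample input: excerpt of the AWS customer-gateway text quoted in the
# question (the question's own values; PSK omitted).
AWS_TEXT = """\
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
  - DPD Interval             : 10
  - DPD Retries              : 3
Outside IP Addresses:
  - Customer Gateway                : 54.241.138.199
  - Virtual Private Gateway         : 87.238.85.44
Inside IP Addresses
  - Customer Gateway                : 169.254.254.6/30
  - Virtual Private Gateway         : 169.254.254.5/30
"""
ENC = {"aes-128-cbc": "aes128"}           # AWS spelling -> strongSwan token
DH = {"Diffie-Hellman Group 2": "modp1024"}  # (only the values this page uses)

def parse_aws_text(text):
    """Return {section: {key: value}}; lines before any 'IP Addresses' header land in ''."""
    out, section = {}, ""
    for line in text.splitlines():
        if "IP Addresses" in line:
            section = line.split()[0].lower()  # 'outside' / 'inside'
            continue
        m = re.match(r"\s*-\s*(.+?)\s*:\s*(.+?)\s*$", line)
        if m:
            out.setdefault(section, {})[m.group(1)] = m.group(2)
    return out

def render_conn(name, cfg, local_subnet, remote_subnet):
    """Render an ipsec.conf conn in the shape of the answer's, plus AWS's recommended DPD."""
    ike, outside, inside = cfg[""], cfg["outside"], cfg["inside"]
    prop = "%s-%s-%s!" % (ENC[ike["Encryption Algorithm"]], ike["Authentication Algorithm"],
                          DH[ike["Perfect Forward Secrecy"]])
    cgw, vgw = outside["Customer Gateway"], outside["Virtual Private Gateway"]
    cgw_in = inside["Customer Gateway"].split("/")[0]  # /30 in the sheet, /32 in the conn
    vgw_in = inside["Virtual Private Gateway"].split("/")[0]
    delay, retries = int(ike["DPD Interval"]), int(ike["DPD Retries"])
    body = ["type=tunnel", "keyexchange=ikev1", "authby=psk", "ike=" + prop, "esp=" + prop,
            "left=" + cgw, "leftid=" + cgw, "leftsubnet=%s/32,%s" % (cgw_in, local_subnet),
            "right=" + vgw, "rightid=" + vgw, "rightsubnet=%s/32,%s" % (vgw_in, remote_subnet),
            "dpddelay=%ds" % delay, "dpdtimeout=%ds" % (delay * retries),  # assumed: interval x retries
            "dpdaction=restart", "auto=route"]
    return "conn %s\n" % name + "".join("        %s\n" % opt for opt in body)

print(render_conn("vpc1", parse_aws_text(AWS_TEXT), "10.2.0.0/16", "10.4.0.0/16"))
```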