하늘빛:

tag-icon tag-icon ubuntu azure ipsec strongswan
하늘빛:

Strongswan이 있는 Ubuntu 14.04 서버를 Microsoft Azure Gateway에 연결하고 싶습니다. Azure와 해당 Ubuntu 서버 간의 연결만 설정하고 싶습니다. Azure에서는 동적 게이트웨이를 구성했습니다.

하늘빛:

가상 네트워크:

10.0.1.0/24(전체 가상 네트워크)
10.0.1.0/27(VM용 서브넷)
10.0.1.32/29(게이트웨이용 서브넷)
1.1.1.1(게이트웨이 IP)

지역 네트워크:

10.0.2.15/32(네트워크)
2.2.2.2(게이트웨이 주소)

Strongswan이 포함된 Ubuntu 서버 14.04:

StrongSwan: Linux StrongSwan U5.1.2/K3.16.0-49-일반

회로망:

10.0.2.15(strongswan이 있는 우분투 서버)
2.2.2.2(NAT가 있는 게이트웨이)

구성:

/etc/ipsec.conf:

conn azure
        type=tunnel
        closeaction=restart
        dpdaction=restart
        ike=aes256-sha1-modp1024
        esp=aes256-sha1
        reauth=no
        keyexchange=ikev2
        mobike=no
        ikelifetime=28800s
        keylife=3600s
        keyingtries=%forever
        leftauth=psk
        left=10.0.2.15             # local instance ip (strongswan)
        leftsubnet=0.0.0.0/0
        leftid=10.0.2.15           # local instance ip (strongswan)
        right=1.1.1.1              # vpn gateway ip (azure)
        rightid=1.1.1.1            # vpn gateway ip (azure)
        rightsubnet=10.0.1.0/24    # private ip segment (azure)
        auto=start

/etc/ipsec.secrests:

10.0.2.15 1.1.1.1 : PSK "secret-pre-shared-key"

시스템로그:

Sep 24 10:34:50 vpn-test charon: 04[CFG] received stroke: add connection 'azure'
Sep 24 10:34:50 vpn-test charon: 04[CFG] added configuration 'azure'
Sep 24 10:34:50 vpn-test charon: 06[CFG] received stroke: initiate 'azure'
Sep 24 10:34:50 vpn-test charon: 06[IKE] initiating IKE_SA azure[1] to 1.1.1.1
Sep 24 10:34:50 vpn-test charon: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Sep 24 10:34:50 vpn-test charon: 06[NET] sending packet: from 10.0.2.15[500] to 1.1.1.1[500] (1044 bytes)
Sep 24 10:34:50 vpn-test charon: 08[NET] received packet: from 1.1.1.1[500] to 10.0.2.15[500] (865 bytes)
Sep 24 10:34:50 vpn-test charon: 08[ENC] parsed IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) V V CERTREQ ]
Sep 24 10:34:50 vpn-test charon: 08[ENC] received unknown vendor ID: 2b:51:69:05:7d:7c:96:fc:bf:b5:e4:61:00:00:00
Sep 24 10:34:50 vpn-test charon: 08[ENC] received unknown vendor ID: 1d:e3:cd:b7:ea:16:b7:e5:be:08:f1
Sep 24 10:34:50 vpn-test charon: 08[IKE] local host is behind NAT, sending keep alives
Sep 24 10:34:50 vpn-test charon: 08[IKE] received 25 cert requests for an unknown ca
Sep 24 10:34:50 vpn-test charon: 08[IKE] authentication of '10.0.2.15' (myself) with pre-shared key
Sep 24 10:34:50 vpn-test charon: 08[IKE] establishing CHILD_SA azure
Sep 24 10:34:50 vpn-test charon: 08[ENC] generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) ]
Sep 24 10:34:50 vpn-test charon: 08[NET] sending packet: from 10.0.2.15[4500] to 1.1.1.1[4500] (316 bytes)
Sep 24 10:34:50 vpn-test charon: 09[NET] received packet: from 1.1.1.1[4500] to 10.0.2.15[4500] (68 bytes)
Sep 24 10:34:50 vpn-test charon: 09[ENC] parsed IKE_AUTH response 1 [ N(AUTH_FAILED) ]
Sep 24 10:34:50 vpn-test charon: 09[IKE] received AUTHENTICATION_FAILED notify error

관련 정보