我需要與供應商建立網站到網站的 IPSec 隧道,我們需要使用其各自的公共 IP 存取位於 LAN 上的彼此的 API 伺服器。我們使用的是 AWS,我設定了一個具有 2 個子網路的 VPC,供應商使用的是 CISCO ASA 防火牆。
幾個星期以來,我一直在用頭撞牆,但毫無結果。
以下是要求:
AWS Subnet 1 10.100.128.0/20 AWS Subnet 2
[Our API server]-----------------------[Ubuntu/StrongSwan]---------[Vendors VPN Gw = 41.x.x.6]-----[Vendor's API Server=41.x.x.233]
| |
13.x.x.115/10.100.133.21 13.x.x.175/10.100.11.25
這是我到目前為止所做的
- 我已經更新了子網路 1 的路由表,使其 Gw 指向 Ubuntu StrongSwan
- 我已將 Ubuntu StrongSwan EC2 執行個體配置為充當 NAT 實例
- 停止來源/目的地檢查
- 允許內核轉發
net.ipv4.ip_forward = 1 - 新增來源NAT
sudo iptables -t nat -A POSTROUTING -s 10.100.133.21 -d 41.x.x.233 -j SNAT --to-source 13.x.x.115 - 新增目標 NAT
sudo iptables -t nat -A PREROUTING -d 13.x.x.115 -j DNAT --to-destination 10.100.133.21 - 偽裝來自 10.100.128.0/20 的其餘流量:
sudo iptables -t nat -A POSTROUTING -s 10.100.128.0/20 -j MASQUERADE
最後,我如下設定隧道
conn %default
# Tunnel properties
type=tunnel
authby=psk
auto=start
keyexchange=ikev2
mobike=no
rekey=yes
reauth=no
compress=no
# Session configuration
ikelifetime=86400s
lifetime=3600s
dpdaction=restart
closeaction=restart
dpddelay=10s
dpdtimeout=30
# keyingtries=1
# Default ph1
# Encryption, hash and authentication
ike=aes256-sha256-ecp256!
# Default ph2
# phase2=esp
# phase2alg=aes256-sha256!
# No pfs
esp=aes256-sha256!
conn TigoPesa-Tunnel
# Us
left=%defaultroute
leftid=10.100.11.25
leftsubnet=13.x.x.115/32
# Them
right=41.x.x.6
rightid=41.x.x.6
rightsubnet=41.x.x.233/32
並將 PSK 配置為ipsec.secrets:
10.100.133.21 41.x.x.6 : PSK "xxxx"
每當我嘗試打開隧道時,以下錯誤總是打我的臉!
initiating IKE_SA TigoPesa-Tunnel[4] to 41.x.x.6
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
sending packet: from 10.100.11.25[500] to 41.x.x.6[500] (272 bytes)
received packet: from 41.x.x.6[500] to 10.100.11.25[500] (447 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) CERTREQ N(FRAG_SUP) V ]
received Cisco Delete Reason vendor ID
received Cisco Copyright (c) 2009 vendor ID
received FRAGMENTATION vendor ID
selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/ECP_256
local host is behind NAT, sending keep alives
received 3 cert requests for an unknown ca
authentication of '10.100.11.25' (myself) with pre-shared key
establishing CHILD_SA TigoPesa-Tunnel{5}
generating IKE_AUTH request 1 [ IDi N(INIT_CONTACT) IDr AUTH SA TSi TSr N(EAP_ONLY) N(MSG_ID_SYN_SUP) ]
sending packet: from 10.100.11.25[4500] to 41.x.x.6[4500] (304 bytes)
received packet: from 41.x.x.6[4500] to 10.100.11.25[4500] (160 bytes)
parsed IKE_AUTH response 1 [ V IDr AUTH N(TS_UNACCEPT) ]
authentication of '41.x.x.6' with pre-shared key successful
IKE_SA TigoPesa-Tunnel[4] established between 10.100.11.25[10.100.11.25]...41.x.x.6[41.x.x.6]
scheduling rekeying in 85567s
maximum IKE_SA lifetime 86107s
received TS_UNACCEPTABLE notify, no CHILD_SA built
failed to establish CHILD_SA, keeping IKE_SA
establishing connection 'TigoPesa-Tunnel' failed
有人,請拯救我的日子! (背景為了方便交流,我不是網路工程師,而是軟體工程師)