
pfSense IPsec VPN to Amazon AWS does not connect

I am trying to set up an IPsec VPN from our DC networks to our Amazon VPC, so site-to-site, also known as a net-to-net connection. For this I set up pfSense 2.2.6 and gave it a public IP address on the WAN interface and three internal "lan" connections, from which we can manage pfSense and which can serve as the gateway to AWS in each of our VLANs. For the initial setup I am using 172.24.0.0/16 on AWS as the internal range (the VPC range) and 172.20.20.0/24 on our DC as the internal range. All interfaces are up and reachable (if I configure the firewall to allow pings and/or other traffic). I then added routes on some servers in each VLAN that send traffic for the AWS subnet to the pfSense IP in that VLAN.

I configured the IPsec connection according to http://www.heitorlessa.com/site-to-site-vpn-pfsense-and-amazon-vpc/ and watched it connect. I did not see any allow rules in the firewall after creating and activating IPsec, so I added some allow rules myself (allow everything from the IPsec and LAN networks for now, just to make sure the firewall isn't blocking anything). Unfortunately, after 40 seconds the connection disappeared and a new one was created. This repeats forever.

I played with the Phase 1 and Phase 2 settings, but nothing I changed improved things. I looked at https://doc.pfsense.org/index.php/IPsec_Troubleshooting to try to figure out what the problem is, but I don't see the symptoms listed there.

Here is the log output of one of the connection attempts:

Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> queueing ISAKMP_VENDOR task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> queueing ISAKMP_CERT_PRE task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> queueing MAIN_MODE task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> queueing ISAKMP_CERT_POST task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> queueing ISAKMP_NATD task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> activating new tasks
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> activating ISAKMP_VENDOR task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> activating ISAKMP_CERT_PRE task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> activating MAIN_MODE task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> activating ISAKMP_CERT_POST task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> activating ISAKMP_NATD task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> sending XAuth vendor ID
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> sending DPD vendor ID
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> sending Cisco Unity vendor ID
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> sending FRAGMENTATION vendor ID
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> sending NAT-T (RFC 3947) vendor ID
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> initiating Main Mode IKE_SA con1000[1636] to 52.50.173.75
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> IKE_SA con1000[1636] state change: CREATED => CONNECTING
Apr 8 08:58:33  charon: 08[CFG] <con1000|1635> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33  charon: 08[ENC] <con1000|1635> generating ID_PROT request 0 [ SA V V V V V V ]
Apr 8 08:58:33  charon: 08[NET] <con1000|1635> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (200 bytes)
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> IKE_SA con1000[1635] state change: DELETING => DELETING
Apr 8 08:58:33  charon: 08[IKE] <con1000|1635> IKE_SA con1000[1635] state change: DELETING => DESTROYING
Apr 8 08:58:33  charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[500] to 78.#.#.#[500] (124 bytes)
Apr 8 08:58:33  charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ SA V V ]
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> received DPD vendor ID
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> received NAT-T (RFC 3947) vendor ID
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> selecting proposal:
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> proposal matches
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> received proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> selected proposal: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> reinitiating already active tasks
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> ISAKMP_VENDOR task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> MAIN_MODE task
Apr 8 08:58:33  charon: 08[ENC] <con1000|1636> generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Apr 8 08:58:33  charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (244 bytes)
Apr 8 08:58:33  charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[500] to 78.#.#.#[500] (228 bytes)
Apr 8 08:58:33  charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> remote host is behind NAT
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> reinitiating already active tasks
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> ISAKMP_VENDOR task
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> MAIN_MODE task
Apr 8 08:58:33  charon: 08[ENC] <con1000|1636> generating ID_PROT request 0 [ ID HASH ]
Apr 8 08:58:33  charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (76 bytes)
Apr 8 08:58:33  charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (76 bytes)
Apr 8 08:58:33  charon: 08[ENC] <con1000|1636> parsed ID_PROT response 0 [ ID HASH ]
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] established between 78.#.#.#[78.#.#.#]...52.50.173.75[52.50.173.75]
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] state change: CONNECTING => ESTABLISHED
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> scheduling reauthentication in 27753s
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> maximum IKE_SA lifetime 28293s
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> activating new tasks
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> activating QUICK_MODE task
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> configured proposals: ESP:AES_CBC_128/HMAC_SHA1_96/NO_EXT_SEQ
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> proposing traffic selectors for us:
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> 172.20.20.0/24|/0
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> proposing traffic selectors for other:
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> 172.24.0.0/16|/0
Apr 8 08:58:33  charon: 08[ENC] <con1000|1636> generating QUICK_MODE request 757313 [ HASH SA No ID ID ]
Apr 8 08:58:33  charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:58:35  charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid {4}
Apr 8 08:58:35  charon: 02[IKE] <con1000|1636> queueing QUICK_MODE task
Apr 8 08:58:35  charon: 02[IKE] <con1000|1636> delaying task initiation, QUICK_MODE exchange in progress
Apr 8 08:58:37  charon: 02[IKE] <con1000|1636> sending retransmit 1 of request message ID 757313, seq 4
Apr 8 08:58:37  charon: 02[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:58:43  charon: 08[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (92 bytes)
Apr 8 08:58:43  charon: 08[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1175761486 [ HASH N(DPD) ]
Apr 8 08:58:43  charon: 08[IKE] <con1000|1636> queueing ISAKMP_DPD task
Apr 8 08:58:43  charon: 08[IKE] <con1000|1636> delaying task initiation, QUICK_MODE exchange in progress
Apr 8 08:58:44  charon: 08[IKE] <con1000|1636> sending retransmit 2 of request message ID 757313, seq 4
Apr 8 08:58:44  charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:58:47  charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid {4}
Apr 8 08:58:47  charon: 06[CFG] ignoring acquire, connection attempt pending
Apr 8 08:58:57  charon: 08[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid {4}
Apr 8 08:58:57  charon: 06[CFG] ignoring acquire, connection attempt pending
Apr 8 08:58:57  charon: 08[IKE] <con1000|1636> sending retransmit 3 of request message ID 757313, seq 4
Apr 8 08:58:57  charon: 08[NET] <con1000|1636> sending packet: from 78.#.#.#[4500] to 52.50.173.75[4500] (188 bytes)
Apr 8 08:59:09  charon: 02[KNL] creating acquire job for policy 78.#.#.#/32|/0 === 52.50.173.75/32|/0 with reqid {4}
Apr 8 08:59:09  charon: 06[CFG] ignoring acquire, connection attempt pending
Apr 8 08:59:13  charon: 02[NET] <con1000|1636> received packet: from 52.50.173.75[4500] to 78.#.#.#[4500] (92 bytes)
Apr 8 08:59:13  charon: 02[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1960722943 [ HASH D ]
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> received DELETE for IKE_SA con1000[1636]
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> deleting IKE_SA con1000[1636] between 78.#.#.#[78.#.#.#]...52.50.173.75[52.50.173.75]
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: ESTABLISHED => DELETING
Apr 8 08:59:13  charon: 02[KNL] <con1000|1636> unable to delete SAD entry with SPI c8583b7b: No such file or directory (2)
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> queueing ISAKMP_VENDOR task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> queueing ISAKMP_CERT_PRE task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> queueing MAIN_MODE task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> queueing ISAKMP_CERT_POST task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> queueing ISAKMP_NATD task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> activating new tasks
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> activating ISAKMP_VENDOR task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> activating ISAKMP_CERT_PRE task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> activating MAIN_MODE task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> activating ISAKMP_CERT_POST task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> activating ISAKMP_NATD task
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> sending XAuth vendor ID
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> sending DPD vendor ID
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> sending Cisco Unity vendor ID
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> sending FRAGMENTATION vendor ID
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> sending NAT-T (RFC 3947) vendor ID
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> sending draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> initiating Main Mode IKE_SA con1000[1637] to 52.50.173.75
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> IKE_SA con1000[1637] state change: CREATED => CONNECTING
Apr 8 08:59:13  charon: 02[CFG] <con1000|1636> configured proposals: IKE:AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Apr 8 08:59:13  charon: 02[ENC] <con1000|1636> generating ID_PROT request 0 [ SA V V V V V V ]
Apr 8 08:59:13  charon: 02[NET] <con1000|1636> sending packet: from 78.#.#.#[500] to 52.50.173.75[500] (200 bytes)
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: DELETING => DELETING
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> IKE_SA con1000[1636] state change: DELETING => DESTROYING

This is the general AWS configuration (masked):

Amazon Web Services
Virtual Private Cloud

VPN Connection Configuration
================================================================================
AWS utilizes unique identifiers to manipulate the configuration of 
a VPN Connection. Each VPN Connection is assigned a VPN Connection Identifier 
and is associated with two other identifiers, namely the 
Customer Gateway Identifier and the Virtual Private Gateway Identifier.

Your VPN Connection ID               : vpn-<hex>
Your Virtual Private Gateway ID          : vgw-<hex>
Your Customer Gateway ID             : cgw-<hex>

A VPN Connection consists of a pair of IPSec tunnel security associations (SAs). 
It is important that both tunnel security associations be configured. 


IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration

Configure the IKE SA as follows
  - Authentication Method    : Pre-Shared Key 
  - Pre-Shared Key           : <shizzl>
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
  - DPD Interval             : 10
  - DPD Retries              : 3

IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space, 
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following 
configuration on your Customer Gateway:
  - TCP MSS Adjustment       : 1387 bytes
  - Clear Don't Fragment Bit : enabled
  - Fragmentation            : Before encryption

I hope this is something obvious that I'm missing. I would greatly appreciate any help or ideas on fixing this.
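As an added example, not part of the question and not pfSense or strongSwan code, here is a small Python triage script for charon logs like the one quoted above. It groups lines by IKE_SA id, records whether Phase 1 reached ESTABLISHED, collects the traffic selectors proposed in Quick Mode, counts retransmits of the Quick Mode request and notes whether the peer sent a DELETE. The pattern visible in the log (Phase 1 succeeds, the Quick Mode request is retransmitted three times with no reply, then the peer deletes the IKE_SA) is reported as a Phase 2 negotiation stall, which points at the Phase 2 proposal or traffic selectors rather than at Phase 1 or the firewall. The embedded sample is a constructed, trimmed copy of lines from the log above with the same masked addresses; the function and verdict names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, Optional

# Constructed sample: a trimmed copy of the charon lines quoted in the question.
SAMPLE_LOG = """\
Apr 8 08:58:33  charon: 08[IKE] <con1000|1636> IKE_SA con1000[1636] state change: CONNECTING => ESTABLISHED
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> proposing traffic selectors for us:
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> 172.20.20.0/24|/0
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> proposing traffic selectors for other:
Apr 8 08:58:33  charon: 08[CFG] <con1000|1636> 172.24.0.0/16|/0
Apr 8 08:58:33  charon: 08[ENC] <con1000|1636> generating QUICK_MODE request 757313 [ HASH SA No ID ID ]
Apr 8 08:58:37  charon: 02[IKE] <con1000|1636> sending retransmit 1 of request message ID 757313, seq 4
Apr 8 08:58:43  charon: 08[ENC] <con1000|1636> parsed INFORMATIONAL_V1 request 1175761486 [ HASH N(DPD) ]
Apr 8 08:58:44  charon: 08[IKE] <con1000|1636> sending retransmit 2 of request message ID 757313, seq 4
Apr 8 08:58:57  charon: 08[IKE] <con1000|1636> sending retransmit 3 of request message ID 757313, seq 4
Apr 8 08:59:13  charon: 02[IKE] <con1000|1636> received DELETE for IKE_SA con1000[1636]
"""

# charon line: "<Mon> <day> <time>  charon: <thread>[<subsystem>] <conn|sa-id> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+charon:\s+\d+\[(?P<sub>[A-Z]+)\]\s+"
    r"<(?P<conn>[^|>]+)\|(?P<sa>\d+)>\s+(?P<msg>.*)$"
)
SELECTOR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}/\d{1,2})\|/")
RETRANSMIT_RE = re.compile(r"sending retransmit (\d+) of request message ID (\d+)")


def parse_line(line: str) -> Optional[dict]:
    """Split one charon line into fields; None for lines without an IKE_SA tag."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def _new_record() -> dict:
    return {"phase1_established": False, "quick_mode_requests": set(),
            "quick_mode_response": False, "retransmits": 0, "peer_deleted": False,
            "ts_local": [], "ts_remote": [], "verdict": "INCOMPLETE"}


def _verdict(rec: dict) -> str:
    if not rec["phase1_established"]:
        return "PHASE1_FAILED"
    if rec["quick_mode_response"]:
        return "PHASE2_OK"
    if rec["quick_mode_requests"]:
        return "PHASE2_NO_RESPONSE"   # request sent, peer never answered Quick Mode
    return "INCOMPLETE"


def diagnose(log_text: str) -> Dict[str, dict]:
    """Per IKE_SA id, summarise how far the IKEv1 negotiation got."""
    sas: Dict[str, dict] = defaultdict(_new_record)
    side: Dict[str, Optional[str]] = defaultdict(lambda: None)  # selector list being filled
    for raw in log_text.splitlines():
        f = parse_line(raw)
        if not f:
            continue
        sa, msg, rec = f["sa"], f["msg"], sas[f["sa"]]
        if side[sa] is not None:            # inside a "proposing traffic selectors" block
            m = SELECTOR_RE.match(msg)
            if m:
                rec[side[sa]].append(m.group(1))
                continue
            if not msg.startswith("proposing traffic selectors"):
                side[sa] = None
        if "state change: CONNECTING => ESTABLISHED" in msg:
            rec["phase1_established"] = True
        elif msg.startswith("proposing traffic selectors for us"):
            side[sa] = "ts_local"
        elif msg.startswith("proposing traffic selectors for other"):
            side[sa] = "ts_remote"
        elif msg.startswith("generating QUICK_MODE request"):
            rec["quick_mode_requests"].add(msg.split()[3])   # message ID
        elif msg.startswith("parsed QUICK_MODE response"):
            rec["quick_mode_response"] = True
        elif "received DELETE for IKE_SA" in msg:
            rec["peer_deleted"] = True
        else:
            m = RETRANSMIT_RE.search(msg)
            if m and m.group(2) in rec["quick_mode_requests"]:
                rec["retransmits"] = max(rec["retransmits"], int(m.group(1)))
    for rec in sas.values():
        rec["verdict"] = _verdict(rec)
    return dict(sas)


def explain(rec: dict) -> str:
    """One-line reading of a record for a human operator."""
    if rec["verdict"] != "PHASE2_NO_RESPONSE":
        return rec["verdict"]
    return ("Phase 1 established; Quick Mode request got no reply after "
            f"{rec['retransmits']} retransmits"
            + ("; peer sent DELETE" if rec["peer_deleted"] else "")
            + f". Check Phase 2 selectors (local {rec['ts_local']}, remote {rec['ts_remote']}) "
              "and the ESP proposal against the peer's configuration.")


if __name__ == "__main__":
    for sa_id, record in diagnose(SAMPLE_LOG).items():
        print(f"IKE_SA {sa_id}: {record['verdict']}")
        print("  " + explain(record))
```

Run it against a copy of /var/log/ipsec.log to get one verdict per IKE_SA; lines without an `<conn|id>` tag (the `[KNL]` acquire messages, for instance) are ignored.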

It turns out AWS does not allow the tunnel to be set up when the subnet we want to route to does not match the subnets defined on the AWS VPC. Since only a /24 subnet is defined in AWS, we cannot send a /16 there. Only after we narrowed the routing mask to /24 did the IPsec VPN connect correctly. We expected Amazon to allow this and simply drop all traffic for which it has no subnet. That is not how it works.
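As an added example illustrating the finding above (my code, not the poster's), a check that compares the Phase 2 selectors an initiator proposes with the prefixes the peer has defined. It uses Python's ipaddress module: a proposed prefix is accepted only if it is equal to or inside one defined prefix, and for a rejected proposal it lists the narrower defined prefixes it contains, i.e. the entries the initiator would have to propose instead. The proposed 172.24.0.0/16 comes from the log above; the AWS-side 172.24.0.0/24 is a placeholder, since the answer only says a /24 was defined there.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed values: the remote selector pfSense proposes in the log above, and an
# assumed (placeholder) list of prefixes defined on the AWS side of the connection.
PROPOSED_REMOTE = ["172.24.0.0/16"]
AWS_DEFINED = ["172.24.0.0/24"]


def check_phase2_selectors(proposed: Iterable[str], defined: Iterable[str]) -> Dict[str, List[str]]:
    """Classify each proposed Phase 2 selector against the peer's defined prefixes.

    accepted: proposed prefix is equal to or inside a single defined prefix
    rejected: proposed prefix is not covered by any defined prefix
    narrowed: defined prefixes that lie inside a rejected proposal, i.e. what the
              initiator would have to propose instead (one Phase 2 entry each)
    """
    defined_nets = [ipaddress.ip_network(c, strict=True) for c in defined]
    result: Dict[str, List[str]] = {"accepted": [], "rejected": [], "narrowed": []}
    for cidr in proposed:
        net = ipaddress.ip_network(cidr, strict=True)
        same_family = [d for d in defined_nets if d.version == net.version]
        if any(net.subnet_of(d) for d in same_family):
            result["accepted"].append(str(net))
            continue
        result["rejected"].append(str(net))
        # CIDR prefixes are either nested or disjoint, so "overlaps but not covered"
        # can only mean the defined prefix sits inside the too-wide proposal.
        for d in same_family:
            if d.subnet_of(net) and str(d) not in result["narrowed"]:
                result["narrowed"].append(str(d))
    return result


if __name__ == "__main__":
    verdict = check_phase2_selectors(PROPOSED_REMOTE, AWS_DEFINED)
    for key, nets in verdict.items():
        print(f"{key:9}: {nets}")
```

With the values from this thread the /16 lands in `rejected` and the /24 in `narrowed`, matching the observed behaviour: Quick Mode only completes once the remote selector is narrowed to the prefix AWS has defined.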