I have to connect to an instance running in VPC-A. There is a firewall. If I have to connect to this instance in VPC-A, I have to set up a site-to-site VPN connection between a virtual private gateway (VPC-A) and a customer gateway (VPC-B). I also need to install OpenVPN on our customer gateway (VPC-B).
To do this, I launched an instance in AWS using the OpenVPN AMI (VPC-B) and installed strongSwan for IPsec (I could not find an IPsec configuration for OpenVPN, so I installed strongSwan). I created a site-to-site VPN, downloaded the strongSwan configuration, and updated the server with ipsec.conf and ipsec.secrets.
After updating the strongSwan configuration, I can see that the tunnel is up on the site-to-site VPN.
Below is the configuration of ipsec.conf and ipsec.secret.
cat /etc/ipsec.conf
# basic configuration
config setup
# strictcrlpolicy=yes
uniqueids = no
# Add connections here.
# Sample VPN connections
#conn sample-self-signed
# leftsubnet=10.1.0.0/16
# leftcert=selfCert.der
# leftsendcert=never
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightcert=peerCert.der
# auto=start
#conn sample-with-ca-cert
# leftsubnet=10.1.0.0/16
# leftcert=myCert.pem
# right=192.168.0.2
# rightsubnet=10.2.0.0/16
# rightid="C=CH, O=Linux strongSwan CN=peer name"
# auto=start
conn Tunnel1
auto=start
left=%defaultroute
leftid=18.191.56.181
right=3.133.78.175
type=tunnel
leftauth=psk
rightauth=psk
keyexchange=ikev1
ike=aes128-sha1-modp1024
ikelifetime=8h
esp=aes128-sha1-modp1024
lifetime=1h
keyingtries=%forever
leftsubnet=0.0.0.0/0
rightsubnet=0.0.0.0/0
dpddelay=10s
dpdtimeout=30s
dpdaction=restart
## Please note the following line assumes you only have two tunnels in your Strongswan configuration file. This "mark" value must be unique and may need to be changed based on other entries in your configuration file.
mark=100
## Uncomment the following line to utilize the script from the "Automated Tunnel Healhcheck and Failover" section. Ensure that the integer after "-m" matches the "mark" value above, and <VPC CIDR> is replaced with the CIDR of your VPC
## (e.g. 192.168.1.0/24)
leftupdown="/etc/ipsec.d/aws-updown.sh -ln Tunnel1 -ll 169.254.85.134/30 -lr 169.254.85.133/30 -m 100 -r 10.137.0.0/16"
/etc/ipsec.secret
18.191.56.181 3.133.78.175 : PSK "****************"
ipsec statusall
Status of IKE charon daemon (strongSwan 5.6.2, Linux 5.3.0-1023-aws, x86_64):
uptime: 45 minutes, since Oct 07 17:43:47 2021
malloc: sbrk 2564096, mmap 0, used 774176, free 1789920
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
loaded plugins: charon aesni aes rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
Listening IP addresses:
10.137.2.40
172.27.224.1
172.27.228.1
172.27.232.1
172.27.236.1
169.254.85.134
Connections:
Tunnel1: %any...3.133.78.175 IKEv1, dpddelay=10s
Tunnel1: local: [18.191.56.181] uses pre-shared key authentication
Tunnel1: remote: [3.133.78.175] uses pre-shared key authentication
Tunnel1: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL, dpdaction=restart
Security Associations (1 up, 0 connecting):
Tunnel1[1]: ESTABLISHED 45 minutes ago, 10.137.2.40[18.191.56.181]...3.133.78.175[3.133.78.175]
Tunnel1[1]: IKEv1 SPIs: 450645614f4fa426_i* d0f1b2983f5f4217_r, pre-shared key reauthentication in 7 hours
Tunnel1[1]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
Tunnel1{1}: REKEYED, TUNNEL, reqid 1, expires in 14 minutes
Tunnel1{1}: 0.0.0.0/0 === 0.0.0.0/0
Tunnel1{2}: INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c5d860d2_i c808a6a6_o
Tunnel1{2}: AES_CBC_128/HMAC_SHA1_96/MODP_1024, 0 bytes_i, 0 bytes_o, rekeying in 42 minutes
Tunnel1{2}: 0.0.0.0/0 === 0.0.0.0/0
iptables-save:
# Generated by iptables-save v1.6.1 on Thu Oct 7 19:13:53 2021
*nat
:PREROUTING ACCEPT [17:936]
:INPUT ACCEPT [30:1556]
:OUTPUT ACCEPT [273:24458]
:POSTROUTING ACCEPT [273:24458]
:AS0_DPFWD_TCP - [0:0]
:AS0_DPFWD_UDP - [0:0]
:AS0_NAT - [0:0]
:AS0_NAT_POST_REL_EST - [0:0]
:AS0_NAT_PRE - [0:0]
:AS0_NAT_PRE_REL_EST - [0:0]
:AS0_NAT_TEST - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_PRE_REL_EST
-A PREROUTING -d 10.137.2.40/32 -p udp -m udp --dport 1194 -m state --state NEW -j AS0_DPFWD_UDP
-A PREROUTING -d 10.137.2.40/32 -p tcp -m tcp --dport 443 -m state --state NEW -j AS0_DPFWD_TCP
-A POSTROUTING -m state --state RELATED,ESTABLISHED -j AS0_NAT_POST_REL_EST
-A POSTROUTING -m mark --mark 0x2000000/0x2000000 -j AS0_NAT_PRE
-A AS0_DPFWD_TCP -p tcp -j DNAT --to-destination 10.137.2.40:914
-A AS0_DPFWD_TCP -j ACCEPT
-A AS0_DPFWD_UDP -p udp -j DNAT --to-destination 10.137.2.40:916
-A AS0_DPFWD_UDP -j ACCEPT
-A AS0_NAT -o eth0 -j SNAT --to-source 10.137.2.40
-A AS0_NAT -j ACCEPT
-A AS0_NAT_POST_REL_EST -j ACCEPT
-A AS0_NAT_PRE -m mark --mark 0x8000000/0x8000000 -j AS0_NAT
-A AS0_NAT_PRE -d 169.254.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 192.168.0.0/16 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 172.16.0.0/12 -j AS0_NAT_TEST
-A AS0_NAT_PRE -d 10.0.0.0/8 -j AS0_NAT_TEST
-A AS0_NAT_PRE -j AS0_NAT
-A AS0_NAT_PRE_REL_EST -j ACCEPT
-A AS0_NAT_TEST -o as0t+ -j ACCEPT
-A AS0_NAT_TEST -m mark --mark 0x4000000/0x4000000 -j ACCEPT
-A AS0_NAT_TEST -d 172.27.224.0/20 -j ACCEPT
-A AS0_NAT_TEST -j AS0_NAT
COMMIT
# Completed on Thu Oct 7 19:13:53 2021
# Generated by iptables-save v1.6.1 on Thu Oct 7 19:13:53 2021
*mangle
:PREROUTING ACCEPT [262:27823]
:INPUT ACCEPT [3150:274042]
:FORWARD ACCEPT [24:1440]
:OUTPUT ACCEPT [4953:812299]
:POSTROUTING ACCEPT [6007:909412]
:AS0_MANGLE_PRE_REL_EST - [0:0]
:AS0_MANGLE_TUN - [0:0]
-A PREROUTING -m state --state RELATED,ESTABLISHED -j AS0_MANGLE_PRE_REL_EST
-A PREROUTING -i as0t+ -j AS0_MANGLE_TUN
-A INPUT -s 3.133.78.175/32 -d 10.137.2.40/32 -p esp -j MARK --set-xmark 0x64/0xffffffff
-A FORWARD -o Tunnel1 -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A AS0_MANGLE_PRE_REL_EST -j ACCEPT
-A AS0_MANGLE_TUN -j MARK --set-xmark 0x2000000/0xffffffff
-A AS0_MANGLE_TUN -j ACCEPT
COMMIT
# Completed on Thu Oct 7 19:13:53 2021
# Generated by iptables-save v1.6.1 on Thu Oct 7 19:13:53 2021
*filter
:INPUT ACCEPT [35:9711]
:FORWARD ACCEPT [24:1440]
:OUTPUT ACCEPT [19299:1854294]
:AS0_ACCEPT - [0:0]
:AS0_IN - [0:0]
:AS0_IN_NAT - [0:0]
:AS0_IN_POST - [0:0]
:AS0_IN_PRE - [0:0]
:AS0_IN_ROUTE - [0:0]
:AS0_OUT - [0:0]
:AS0_OUT_LOCAL - [0:0]
:AS0_OUT_POST - [0:0]
:AS0_OUT_S2C - [0:0]
:AS0_WEBACCEPT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A INPUT -i lo -j AS0_ACCEPT
-A INPUT -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A INPUT -p tcp -m state --state NEW -m tcp --dport 915 -j AS0_ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 914 -j AS0_ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 917 -j AS0_ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 916 -j AS0_ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j AS0_WEBACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 943 -j AS0_WEBACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j AS0_ACCEPT
-A FORWARD -m mark --mark 0x2000000/0x2000000 -j AS0_IN_PRE
-A FORWARD -o as0t+ -j AS0_OUT_S2C
-A OUTPUT -o as0t+ -j AS0_OUT_LOCAL
-A AS0_ACCEPT -j ACCEPT
-A AS0_IN -d 172.27.224.1/32 -j ACCEPT
-A AS0_IN -j AS0_IN_POST
-A AS0_IN_NAT -j MARK --set-xmark 0x8000000/0x8000000
-A AS0_IN_NAT -j ACCEPT
-A AS0_IN_POST -d 10.137.0.0/16 -j ACCEPT
-A AS0_IN_POST -o as0t+ -j AS0_OUT
-A AS0_IN_POST -j DROP
-A AS0_IN_PRE -d 169.254.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 192.168.0.0/16 -j AS0_IN
-A AS0_IN_PRE -d 172.16.0.0/12 -j AS0_IN
-A AS0_IN_PRE -d 10.0.0.0/8 -j AS0_IN
-A AS0_IN_PRE -j DROP
-A AS0_IN_ROUTE -j MARK --set-xmark 0x4000000/0x4000000
-A AS0_IN_ROUTE -j ACCEPT
-A AS0_OUT -j AS0_OUT_POST
-A AS0_OUT_LOCAL -p icmp -m icmp --icmp-type 5 -j DROP
-A AS0_OUT_LOCAL -j ACCEPT
-A AS0_OUT_POST -j DROP
-A AS0_OUT_S2C -j AS0_OUT
-A AS0_WEBACCEPT -j ACCEPT
COMMIT
# Completed on Thu Oct 7 19:13:53 2021
ip route show
default via 10.137.2.1 dev eth0 proto dhcp src 10.137.2.40 metric 100
10.137.0.0/16 dev Tunnel1 scope link metric 100
10.137.2.0/24 dev eth0 proto kernel scope link src 10.137.2.40
10.137.2.1 dev eth0 proto dhcp scope link src 10.137.2.40 metric 100
169.254.85.132/30 dev Tunnel1 proto kernel scope link src 169.254.85.134
172.27.224.0/22 dev as0t0 proto kernel scope link src 172.27.224.1
172.27.228.0/22 dev as0t1 proto kernel scope link src 172.27.228.1
172.27.232.0/22 dev as0t2 proto kernel scope link src 172.27.232.1
172.27.236.0/22 dev as0t3 proto kernel scope link src 172.27.236.1
The problem I am facing is that after I have configured all the details, I cannot connect to the instance running in VPC-A. I have also updated the security group (172.10.192.182) to accept traffic from VPC-B.
When I try nc -zvw 1 172.10.192.182 443 it says
nc: connect to 172.10.190.182 port 443 (tcp) timed out: Operation now in progress
Please let me know what I am missing here. Any help is appreciated. Thanks.
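A routing diagnostic for the state shown above, added here as an example and not part of the original post: it parses `ip route show` output (the routes quoted above, embedded as constructed sample input), performs a longest-prefix lookup for a destination to report which interface it would leave through, and flags tunnel routes that overlap the local VPC's own eth0 prefixes. It assumes the VTI device is named Tunnel1 and ignores route metrics and policy-routing (ip rule) tables.

```python
import ipaddress

# Constructed sample input: the `ip route show` output from the post above.
SAMPLE_ROUTES = """\
default via 10.137.2.1 dev eth0 proto dhcp src 10.137.2.40 metric 100
10.137.0.0/16 dev Tunnel1 scope link metric 100
10.137.2.0/24 dev eth0 proto kernel scope link src 10.137.2.40
10.137.2.1 dev eth0 proto dhcp scope link src 10.137.2.40 metric 100
169.254.85.132/30 dev Tunnel1 proto kernel scope link src 169.254.85.134
172.27.224.0/22 dev as0t0 proto kernel scope link src 172.27.224.1
"""


def parse_routes(text):
    """Return (network, device) pairs from `ip route show` output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        prefix = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(prefix, strict=False)  # host routes become /32
        dev = parts[parts.index("dev") + 1]
        routes.append((net, dev))
    return routes


def lookup(routes, dst):
    """Longest-prefix match, as the kernel FIB does (metrics are ignored here)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best


def check_tunnel_path(text, dst, tunnel_dev="Tunnel1", local_dev="eth0"):
    """Report whether dst exits via the tunnel, and which tunnel routes overlap
    the local VPC prefixes on eth0 (local traffic being steered into the VTI)."""
    routes = parse_routes(text)
    net, dev = lookup(routes, dst)
    local_nets = [n for n, d in routes if d == local_dev and n.prefixlen > 0]
    overlapping = [str(n) for n, d in routes
                   if d == tunnel_dev and any(n.overlaps(l) for l in local_nets)]
    return {"matched_route": str(net), "dest_dev": dev,
            "via_tunnel": dev == tunnel_dev,
            "tunnel_routes_overlapping_local": overlapping}


if __name__ == "__main__":
    print(check_tunnel_path(SAMPLE_ROUTES, "172.10.192.182"))
```

With the quoted routes, 172.10.192.182 matches only the default route and therefore leaves on eth0, not Tunnel1; the only prefix routed into Tunnel1 is the local 10.137.0.0/16.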