Networking
IPSec tunnel fails at Phase 2
We are trying to bring up a tunnel between our EC2 instance and a remote Cisco 3000 series device, and it fails at Phase 2. The scenario is as follows:
FTP server (ec2-ubuntu) <---> VPN server (ec2-ubuntu) <---> Cisco 3000 <---> client server
        (E-IP)                       (E-IP)                 (peer IP)         (public IP)
Requirements:
1. The client server should reach the FTP server via its Elastic IP over the IPsec tunnel.
2. According to the details provided by the client, the IKE and ESP parameters look fine.
================IPSEC Configuration START=========
config setup
    nat_traversal=yes
    protostack=netkey
    plutostderrlog=/var/log/pluto.log
    nhelpers=0

conn example-one
    authby=secret
    auto=start
    type=tunnel
    left=%defaultroute
    leftid=107.23.xx.xx
    leftsourceip=107.23.xx.xx
    leftsubnet=107.23.xxx.xxx/32
    right=144.230.xx.xx
    rightid=144.230.xx.xx
    rightsourceip=144.230.xx.xx
    rightsubnets={144.226.xxx.xx/32 144.226.xxx.xx/32}
    keyexchange=ike
    ike=aes256-sha1;modp1024
    phase2=esp
    phase2alg=aes256-sha1;modp1024
    aggrmode=no
    pfs=no
=============END=================

==========iptables nat rules on VPN Server ======
iptables -t nat -A PREROUTING -d 107.23.xxx.xxx -j DNAT --to-destination 10.0.10.20
iptables -t nat -A POSTROUTING -d 10.0.10.20 -j SNAT --to-source 107.23.xxx.xxx

10.0.10.20 <<-- private IP of the FTP server
107.23.xxx.xxx <<-- EIP of the FTP server
Below is the ipsec status on my VPN server.
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #2: "example-one":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28045s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "example-one" esp.69407810@144.230.xxx.xxx esp.27de4982@10.0.10.26 tun.0@144.230.xxx.xxx tun.0@10.0.10.26 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #1: "example-one":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2604s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000
000 Bare Shunt list:
000
Below is the pluto log.
Apr 3 12:44:28: adding interface lo/lo ::1:500
Apr 3 12:44:28: | setup callback for interface lo:500 fd 22
Apr 3 12:44:28: | setup callback for interface lo:4500 fd 21
Apr 3 12:44:28: | setup callback for interface lo:500 fd 20
Apr 3 12:44:28: | setup callback for interface eth0:4500 fd 19
Apr 3 12:44:28: | setup callback for interface eth0:500 fd 18
Apr 3 12:44:28: | setup callback for interface eth0:4500 fd 17
Apr 3 12:44:28: | setup callback for interface eth0:500 fd 16
Apr 3 12:44:28: loading secrets from "/etc/ipsec.secrets"
Apr 3 12:44:28: loading secrets from "/etc/ipsec.d/example.secrets"
Apr 3 12:44:28: "example-one" #1: initiating Main Mode
Apr 3 12:44:28: "example-one" #1: received Vendor ID payload [RFC 3947]
Apr 3 12:44:28: "example-one" #1: received Vendor ID payload [FRAGMENTATION c0000000]
Apr 3 12:44:28: "example-one" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Apr 3 12:44:28: "example-one" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Apr 3 12:44:28: "example-one" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Apr 3 12:44:28: "example-one" #1: received Vendor ID payload [Cisco-Unity]
Apr 3 12:44:28: "example-one" #1: received Vendor ID payload [XAUTH]
Apr 3 12:44:28: "example-one" #1: ignoring unknown Vendor ID payload [5397e372bf085cf3a0b093e1623498c2]
Apr 3 12:44:28: "example-one" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Apr 3 12:44:28: "example-one" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT
Apr 3 12:44:28: "example-one" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr 3 12:44:28: "example-one" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Apr 3 12:44:28: "example-one" #1: received Vendor ID payload [Dead Peer Detection]
Apr 3 12:44:28: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Apr 3 12:44:28: "example-one" #1: Main mode peer ID is ID_IPV4_ADDR: '144.230.xxx.xxx'
Apr 3 12:44:28: "example-one" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr 3 12:44:28: "example-one" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}
Apr 3 12:44:28: "example-one" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:effe9287 proposal=AES(12)_256-SHA1(2)_000 pfsgroup=no -pfs}
Apr 3 12:44:28: "example-one" #2: ignoring informational payload IPSEC_RESPONDER_LIFETIME, msgid=effe9287, length=28
Apr 3 12:44:28: | ISAKMP Notification Payload
Apr 3 12:44:28: | 00 00 00 1c 00 00 00 01 03 04 60 00
Apr 3 12:44:28: "example-one" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Apr 3 12:44:28: "example-one" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x414c5406 <0x8df53642 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=144.230.xxx.xxx:4500 DPD=passive}
Below is the tcpdump.
# tcpdump -n -i eth0 esp or udp port 500 or udp port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:58:42.229262 IP 10.0.10.26.ipsec-nat-t > 144.230.xxx.xxx.ipsec-nat-t: isakmp-nat-keep-alive
11:58:42.229280 IP 10.0.10.26.ipsec-nat-t > 144.230.xxx.xxx.ipsec-nat-t: isakmp-nat-keep-alive
11:58:44.487779 IP 144.230.xxx.xxx.ipsec-nat-t > 10.0.10.26.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? inf[E]
11:58:44.487986 IP 10.0.10.26.ipsec-nat-t > 144.230.xxx.xxx.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? inf[E]
Below is the sysctl command output.
sysctl -p
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.ip_forward = 1
Below are the iptables rules applied on the VPN server.
iptables -t nat --line-numbers -L
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    DNAT       all  --  anywhere             ec2-107-23-xxx-xxx.compute-1.amazonaws.com  to:10.0.10.20

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination
1    SNAT       all  --  anywhere             ip-10-0-10-20.ec2.internal  to:107.23.xxx.xxx
2    MASQUERADE all  --  anywhere             anywhere

iptables -t nat -A PREROUTING -d 107.23.xxx.xxx -j DNAT --to-destination 10.0.10.20
iptables -t nat -A POSTROUTING -d 10.0.10.20 -j SNAT --to-source 107.23.xxx.xxx
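The `ipsec status` output above already answers part of the question: both the ISAKMP SA and the IPsec SA are established, but the `Traffic:` counters show zero ESP bytes in either direction, which points at routing/NAT rather than at IKE. The following added example (not from the original post) parses that status output and maps the counters to the layer most likely at fault; the sample text is constructed from the question's output with the redacted peer address replaced by a placeholder.

```python
import re

# Constructed sample modelled on the `ipsec status` output in the question:
# Phase 1 and Phase 2 SAs are both up, but no ESP bytes have moved.
SAMPLE_STATUS = """\
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000 #2: "example-one":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); newest IPSEC; eroute owner; isakmp#1
000 #2: "example-one" esp.69407810@198.51.100.1 esp.27de4982@10.0.10.26 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B
000 #1: "example-one":4500 STATE_MAIN_I4 (ISAKMP SA established); newest ISAKMP; lastdpd=-1s(seq in:0 out:0)
"""

# libreswan prints the counters in human-readable units
_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
_TRAFFIC_RE = re.compile(r"ESPout=(\d+)(B|KB|MB|GB)\s+ESPin=(\d+)(B|KB|MB|GB)")


def parse_status(text):
    """Extract SA state and ESP byte counters from `ipsec status` output."""
    info = {"isakmp_up": False, "ipsec_up": False, "esp_out": 0, "esp_in": 0}
    for line in text.splitlines():
        if "ISAKMP SA established" in line:
            info["isakmp_up"] = True
        if "IPsec SA established" in line:
            info["ipsec_up"] = True
        m = _TRAFFIC_RE.search(line)
        if m:
            info["esp_out"] = int(m.group(1)) * _UNITS[m.group(2)]
            info["esp_in"] = int(m.group(3)) * _UNITS[m.group(4)]
    return info


def diagnose(info):
    """Map the parsed state to the layer to investigate next."""
    if not info["isakmp_up"]:
        return "phase1"      # IKE never completed: PSK, ike= proposal, UDP 500/4500 reachability
    if not info["ipsec_up"]:
        return "phase2"      # ISAKMP up, no IPsec SA: phase2alg=, pfs=, subnets must match the peer
    if info["esp_out"] == 0:
        return "no-egress"   # SAs up but nothing sent: packets never match leftsubnet/rightsubnet
    if info["esp_in"] == 0:
        return "no-return"   # we send, peer never answers: remote policy/ACL or return route
    return "passing"


if __name__ == "__main__":
    print(diagnose(parse_status(SAMPLE_STATUS)))  # no-egress
```

For the question's output the verdict is "no-egress": the SAs are fine, and the FTP server's traffic is simply not being routed through the VPN host into the tunnel selector, which is what the route-table and NAT steps in the answer fix.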
Here are the steps to make it work.
- You need to update the route table with the interface ID of the VPN server, so that all traffic for your FTP server goes through the VPN host to the correct subnet, i.e. {144.226.xxx.xxx/32 eniXXXXXX (the interface id of your VPN server)}
- The IPsec configuration is as follows
conn test
    authby=secret
    auto=start
    type=tunnel
    left=%defaultroute
    leftid=10.0.10.30                 #### Private IP of your VPN Server
    leftsubnet=107.23.xx.xxx/32       ### Public IP of FTP Server
    leftnexthop=%defaultroute
    right=144.230.xxx.xxx             ### Peer IP of Cisco Device
    rightid=144.230.xxx.xxx           ### Peer IP of Cisco Device
    rightnexthop=107.23.XXX.XXX       ### E IP of your VPN Server
    rightsubnet=144.226.xxx.xxx/32    ### Right/Client Side Subnet
    keyexchange=ike
    ike=aes256-sha1;modp1024
    phase2=esp
    phase2alg=aes256-sha1;modp1024
    aggrmode=no
    pfs=no
- Finally, you need to add the nat rules in the firewall.
iptables -t nat -A PREROUTING -d 107.23.xxx.xxx (FTP server IP) -j DNAT --to-destination 10.0.10.32 (private IP of your FTP server)
iptables -t nat -A POSTROUTING -s 10.0.10.32 -d 144.26.XXX.XXX (client/right-side IP) -j SNAT --to-source 107.23.XXX.XXX (FTP server IP)
Notes:
- IPv4 forwarding should be enabled in sysctl.conf.
- Use your private IP in the secrets file, i.e. "10.0.10.30 (VPN host private IP) 144.23.xxx.xxx (Cisco peer IP):"