
IPSec VPN between Amazon VPC and a Linux server

  • August 13, 2019

I'm trying to set up an IPSec VPN connection between our corporate network and Amazon's Virtual Private Cloud using their VPN system and a Linux server. Unfortunately, the only guides I've found discuss how to set up the tunnel using a host Linux machine and let that Linux machine access the VPC instances; I can't find any discussion online of how to let the instances access the corporate network (or the rest of the internet through that network).

Network information

Local subnet: 10.3.0.0/25
Remote subnet: 10.4.0.0/16

Tunnel 1:
 Outside IP Addresses:
   - Customer Gateway         : 199.167.xxx.xxx
   - VPN Gateway              : 205.251.233.121

 Inside IP Addresses
   - Customer Gateway         : 169.254.249.2/30
   - VPN Gateway              : 169.254.249.1/30

Tunnel 2:
 Outside IP Addresses:
   - Customer Gateway         : 199.167.xxx.xxx
   - VPN Gateway              : 205.251.233.122

 Inside IP Addresses
   - Customer Gateway         : 169.254.249.6/30
   - VPN Gateway              : 169.254.249.5/30

Here is my /etc/ipsec-tools.conf:

flush;
spdflush;

spdadd 169.254.249.2/30 169.254.249.1/30 any -P out ipsec
  esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;

spdadd 169.254.249.1/30 169.254.249.2/30 any -P in ipsec
  esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;

spdadd 169.254.249.6/30 169.254.249.5/30 any -P out ipsec
  esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;

spdadd 169.254.249.5/30 169.254.249.6/30 any -P in ipsec
  esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;

spdadd 169.254.249.2/30 10.4.0.0/16 any -P out ipsec
  esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;

spdadd 10.4.0.0/16 169.254.249.2/30 any -P in ipsec
  esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;

spdadd 169.254.249.6/30 10.4.0.0/16 any -P out ipsec
  esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;

spdadd 10.4.0.0/16 169.254.249.6/30 any -P in ipsec
  esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;

Here is my /etc/racoon/racoon.conf:

remote 205.251.233.122 {
       exchange_mode main;
       lifetime time 28800 seconds;
       proposal {
               encryption_algorithm aes128;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group 2;
       }
       generate_policy off;
}

remote 205.251.233.121 {
       exchange_mode main;
       lifetime time 28800 seconds;
       proposal {
               encryption_algorithm aes128;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group 2;
       }
       generate_policy off;
}

sainfo address 169.254.249.2/30 any address 169.254.249.1/30 any {
   pfs_group 2;
   lifetime time 3600 seconds;
   encryption_algorithm aes128;
   authentication_algorithm hmac_sha1;
   compression_algorithm deflate;
}

sainfo address 169.254.249.6/30 any address 169.254.249.5/30 any {
   pfs_group 2;
   lifetime time 3600 seconds;
   encryption_algorithm aes128;
   authentication_algorithm hmac_sha1;
   compression_algorithm deflate;
}

BGP is working fine, so I won't post those configs.

What works

  • On the Linux machine I can ping the local endpoints (169.254.249.2/169.254.249.6) and their remote equivalents (169.254.249.1/169.254.249.5).
  • I can also ping instances in the VPC, SSH to them, etc.
  • From a remote instance in the VPC I can also ping the local and remote endpoints.
  • I cannot ping local servers on the 10.3.0.0/25 subnet.

I assume I'm missing something simple, but I tried adding entries to ipsec-tools.conf using {local subnet}<->{remote endpoint} to mirror {local endpoint}<->{remote subnet}, and it didn't seem to work.

When I ping from {remote instance} to {local server}, the ping times out. The packets are visible on the eth0 interface (even though the local network is on eth1).

Google hasn't been much help; it only shows people trying to use OpenSwan, or people hitting similar problems but with hardware routers or with older tools.

Figured it out. Had to change my ipsec-tools.conf to:

flush;
spdflush;

# Generic routing
spdadd 10.4.0.0/16 10.3.0.0/25 any -P in  ipsec esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 10.3.0.0/25 10.4.0.0/16 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;

# Tunnel 1
spdadd 169.254.249.1/30 169.254.249.2/30 any -P in  ipsec esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 169.254.249.2/30 169.254.249.1/30 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;

spdadd 10.4.0.0/16 169.254.249.2/30 any -P in  ipsec esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 169.254.249.2/30 10.4.0.0/16 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;

# Tunnel 2
spdadd 169.254.249.5/30 169.254.249.6/30 any -P in  ipsec esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;
spdadd 169.254.249.6/30 169.254.249.5/30 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;

spdadd 10.4.0.0/16 169.254.249.6/30 any -P in  ipsec esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;
spdadd 169.254.249.6/30 10.4.0.0/16 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;

and my racoon.conf to:

path pre_shared_key "/etc/racoon/psk.txt";

remote 205.251.233.122 {
       exchange_mode main;
       lifetime time 28800 seconds;
       proposal {
               encryption_algorithm aes128;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group 2;
       }
       generate_policy off;
}

remote 205.251.233.121 {
       exchange_mode main;
       lifetime time 28800 seconds;
       proposal {
               encryption_algorithm aes128;
               hash_algorithm sha1;
               authentication_method pre_shared_key;
               dh_group 2;
       }
       generate_policy off;
}

sainfo address 169.254.249.2/30 any address 169.254.249.1/30 any {
   pfs_group 2;
   lifetime time 3600 seconds;
   encryption_algorithm aes128;
   authentication_algorithm hmac_sha1;
   compression_algorithm deflate;
}

sainfo address 169.254.249.6/30 any address 169.254.249.5/30 any {
   pfs_group 2;
   lifetime time 3600 seconds;
   encryption_algorithm aes128;
   authentication_algorithm hmac_sha1;
   compression_algorithm deflate;
}

sainfo address 10.3.0.0/25 any address 10.4.0.0/16 any {
   pfs_group 2;
   lifetime time 3600 seconds;
   encryption_algorithm aes128;
   authentication_algorithm hmac_sha1;
   compression_algorithm deflate;
}

However, as far as I understand, this configuration will only route traffic between 10.3.0.0/25 and 10.4.0.0/16 through the first tunnel (via xxx.121). I'll update the answer when I figure it out.
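An added sanity check for the SPD in this answer (my own example, not code from the original post): it parses the spdadd statements, flags any policy whose mirror-image policy in the other direction (selectors and gateways swapped) is missing, and reports which remote gateway actually carries local-subnet to remote-subnet traffic, which makes the "tunnel 1 only" limitation noted above visible. The sample SPD is the working config from this answer embedded inline; gateways are compared as strings, so the redacted 199.167.xxx.xxx is kept as-is.

```python
from __future__ import annotations
import re
from collections import namedtuple
from ipaddress import ip_network

# One spdadd rule: inner selectors (src, dst), direction, and outer tunnel gateways.
Policy = namedtuple("Policy", "src dst direction gw_src gw_dst")

_SPDADD = re.compile(r"spdadd\s+(\S+)\s+(\S+)\s+any\s+-P\s+(in|out)\s+ipsec\s+"
                     r"esp/tunnel/([^-\s]+)-([^/\s]+)/require")

def parse_spd(text: str) -> list[Policy]:
    """Parse spdadd statements; they end with ';' and may wrap lines, '#' lines are comments."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    found = (_SPDADD.search(" ".join(s.split())) for s in body.split(";"))
    return [Policy(*m.groups()) for m in found if m]

def unmirrored(policies: list[Policy]) -> list[Policy]:
    """Policies lacking a twin in the opposite direction with selectors and gateways swapped."""
    have, flip = set(policies), {"in": "out", "out": "in"}
    return [p for p in policies
            if Policy(p.dst, p.src, flip[p.direction], p.gw_dst, p.gw_src) not in have]

def subnet_tunnels(policies: list[Policy], local: str, remote: str) -> set[str]:
    """Remote gateways whose 'out' selector covers local-subnet -> remote-subnet traffic."""
    loc, rem = ip_network(local), ip_network(remote)
    return {p.gw_dst for p in policies if p.direction == "out"
            and loc.subnet_of(ip_network(p.src, strict=False))
            and rem.subnet_of(ip_network(p.dst, strict=False))}

# Constructed sample: the working SPD from the answer above, flush/spdflush omitted.
SAMPLE_SPD = """
# Generic routing (tunnel 1 only)
spdadd 10.4.0.0/16 10.3.0.0/25 any -P in  ipsec esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 10.3.0.0/25 10.4.0.0/16 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
spdadd 169.254.249.1/30 169.254.249.2/30 any -P in  ipsec esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 169.254.249.2/30 169.254.249.1/30 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
spdadd 10.4.0.0/16 169.254.249.2/30 any -P in  ipsec esp/tunnel/205.251.233.121-199.167.xxx.xxx/require;
spdadd 169.254.249.2/30 10.4.0.0/16 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.121/require;
spdadd 169.254.249.5/30 169.254.249.6/30 any -P in  ipsec esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;
spdadd 169.254.249.6/30 169.254.249.5/30 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;
spdadd 10.4.0.0/16 169.254.249.6/30 any -P in  ipsec esp/tunnel/205.251.233.122-199.167.xxx.xxx/require;
spdadd 169.254.249.6/30 10.4.0.0/16 any -P out ipsec esp/tunnel/199.167.xxx.xxx-205.251.233.122/require;
"""

if __name__ == "__main__":
    pols = parse_spd(SAMPLE_SPD)
    print(f"{len(pols)} policies, unmirrored: {unmirrored(pols)}")
    print("subnet traffic leaves via:", subnet_tunnels(pols, "10.3.0.0/25", "10.4.0.0/16"))
```

Running it against the sample reports only 205.251.233.121 for the subnet pair, i.e. no policy sends 10.3.0.0/25 traffic through tunnel 2.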

OK, I cheated :) I installed the Astaro gateway that Amazon officially supports and then used it to model my own. You can SSH into the Astaro appliance and see how they set everything up. Of course, if you're willing to pay, you can just stick with the Astaro appliance.

Source: https://serverfault.com/questions/399961