Vpn

No traffic routed between Cisco CSR1000v and Strongswan IPSec endpoints on AWS

  • March 6, 2015

I am trying to configure a Cisco CSR1000V on AWS to create an IPSec VPN with Strongswan 5.1.2 (on Ubuntu 14.04) on another AWS machine. I can bring up the VPN from the Strongswan side and it appears to establish the security associations correctly, but no traffic is routed in either direction. Possibly related is that I cannot bring up the VPN from the Cisco side.

I am trying to base my configuration on http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html#anc2 with my specific IP addresses and networks. So I have

10.87.189.36 client
  | 
CSR 1000V: Eth0 10.87.50.122 (mapped to Elastic IP 54.154.54.AAA)
          Eth1 10.87.189.50
  |
  |
Strongswan: 172.31.1.1 (mapped to Elastic IP 54.229.30.BBB)
  |
Webserver 172.31.2.33

The aim is to be able to browse from the client to the webserver over the VPN. The client can reach the external internet, routed through the CSR1000 (set up as described in https://rbgeek.wordpress.com/2014/09/15/cisco-csr1000v-router-as-nat-instance-on-aws/). I can also create a VPN between the Strongswan machine and another machine running Strongswan 4.5.2 locally, and see the webserver as expected.

The EC2 src/dest check is disabled on all Ethernet ports on both the CSR and the Strongswan machine.

The Strongswan configuration for the connection is

conn ciscotest
   left=%defaultroute
   leftid=54.229.30.BBB
   leftsubnet=172.31.0.0/16
   leftfirewall=no

   right=54.154.54.AAA
   rightid=%any
   rightsubnet=10.87.189.0/24

   auto=add
   authby=secret

   ike=aes256-sha1-modp1024
   ikelifetime=8h
   aggressive=no

   esp=aes128-sha1
   lifetime=1h
   keyexchange=ikev2

Firewall and sysctl on the Strongswan machine

# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 4 packets, 220 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 4 packets, 220 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5 packets, 349 bytes)
pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target     prot opt in     out     source               destination
   0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            172.31.0.0/16        policy match dir out pol ipsec
   5   349 MASQUERADE all  --  *      eth0    0.0.0.0/0            172.31.0.0/16

# sysctl -p
net.ipv4.ip_forward = 1

Configuration on the Cisco machine

version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname ip-10-87-50-122
!
boot-start-marker
boot-end-marker
!
subscriber templating
!
multilink bundle-name authenticated

!
redundancy
!
crypto ikev2 proposal ikev2proposal 
encryption aes-cbc-256
integrity sha1
group 2
!
crypto ikev2 policy ikev2policy 
match fvrf any
proposal ikev2proposal
!
crypto ikev2 keyring keys
peer strongswan
 address 54.229.30.BBB
 pre-shared-key local ----------------
 pre-shared-key remote ----------------
!
!
!
crypto ikev2 profile ikev2profile
match identity remote address 54.229.30.BBB 255.255.255.255 
authentication remote pre-share
authentication local pre-share
keyring local keys
!
crypto isakmp policy 10
authentication pre-share
group 2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac 
mode tunnel
!
crypto map cmap 10 ipsec-isakmp 
set peer 54.229.30.BBB
set transform-set TS 
set ikev2-profile ikev2profile
match address cryptoacl
!
interface GigabitEthernet1
ip address dhcp
ip nat outside
negotiation auto
crypto map cmap
!
interface GigabitEthernet2
ip address 10.87.189.50 255.255.255.0
ip nat inside
negotiation auto
!
virtual-service csr_mgmt
ip shared host-interface GigabitEthernet1
activate
!
ip nat inside source list NATList interface GigabitEthernet1 overload
ip forward-protocol nd
!
ip access-list extended NATList
permit ip 10.87.189.0 0.0.0.255 any
ip access-list extended cryptoacl
permit ip 10.87.189.0 0.0.0.255 172.31.2.0 0.0.0.255
permit ip 10.87.189.0 0.0.0.255 172.31.0.0 0.0.255.255

When establishing the connection from the Strongswan side:

# ipsec up ciscotest
initiating IKE_SA ciscotest[17] to 54.154.54.AAA
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 172.31.1.1[500] to 54.154.54.AAA[500] (1044 bytes)
received packet: from 54.154.54.AAA[500] to 172.31.1.1[500] (336 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]
received Cisco Delete Reason vendor ID
received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of '54.229.30.BBB' (myself) with pre-shared key
establishing CHILD_SA ciscotest
generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
sending packet: from 172.31.1.1[4500] to 54.154.54.AAA[4500] (332 bytes)
received packet: from 54.154.54.AAA[4500] to 172.31.1.1[4500] (252 bytes)
parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
authentication of '10.87.50.122' with pre-shared key successful
IKE_SA ciscotest[17] established between 172.31.1.1[54.229.30.BBB]...54.154.54.AAA[10.87.50.122]
scheduling reauthentication in 27954s
maximum IKE_SA lifetime 28494s
received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
connection 'ciscotest' established successfully

# ipsec status ciscotest
Security Associations (1 up, 0 connecting):
  ciscotest[17]: ESTABLISHED 19 seconds ago, 172.31.1.1[54.229.30.BBB]...54.154.54.AAA[10.87.50.122]
  ciscotest{15}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c42a57f8_i 1cc99de5_o
  ciscotest{15}:   172.31.0.0/16 === 10.87.189.0/24

On the Cisco side

Syslog logging: enabled (0 messages dropped, 9 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.


   Console logging: level debugging, 2479 messages logged, xml disabled,
                    filtering disabled
   Monitor logging: level debugging, 0 messages logged, xml disabled,
                    filtering disabled
   Buffer logging:  level debugging, 2486 messages logged, xml disabled,
                   filtering disabled
   Exception Logging: size (4096 bytes)
   Count and timestamp logging messages: disabled
   Persistent logging: disabled

No active filter modules.

   Trap logging: level informational, 62 message lines logged
       Logging Source-Interface:       VRF Name:

Log Buffer (4096 bytes):
edur= 0s and 0kb, 
   spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb 18 15:41:34.873: Crypto mapdb : proxy_match
   src addr     : 10.87.189.0
   dst addr     : 172.31.0.0
   protocol     : 0
   src port     : 0
   dst port     : 0
*Feb 18 15:41:34.873: (ipsec_process_proposal)Map Accepted: cmap, 10
*Feb 18 15:41:34.873: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.

*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Get my authentication method
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):My authentication method is 'PSK'
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Get peer's preshared key for 54.229.30.BBB
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Generate my authentication data
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Use preshared key for id 10.87.50.122, key len 5
*Feb 18 15:41:34.873: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 18 15:41:34.873: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Get my authentication method
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):My authentication method is 'PSK'
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Generating IKE_AUTH message
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Constructing IDr payload: '10.87.50.122' of type 'IPv4 address'
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation), 
Num. transforms: 3
  AES-CBC   SHA96   Don't use ESN
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Building packet for encryption.  
Payload contents: 
VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS) 

*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Sending Packet [To 54.229.30.BBB:4500/From 10.87.50.122:4500/VRF i0:f0] 
Initiator SPI : D88218943FE3BDCA - Responder SPI : D5D0EFB19DDB3A57 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE 
Payload contents: 
ENCR 

*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Session with IKE ID PAIR (54.229.30.BBB, 10.87.50.122) is UP
*Feb 18 15:41:34.874: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Load IPSEC key material
*Feb 18 15:41:34.874: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Feb 18 15:41:34.874: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 18 15:41:34.874: Crypto mapdb : proxy_match
   src addr     : 10.87.189.0
   dst addr     : 172.31.0.0
   protocol     : 256
   src port     : 0
   dst port     : 0
*Feb 18 15:41:34.874: IPSEC:(SESSION ID = 9) (crypto_ipsec_create_ipsec_sas) Map found cmap, 10
*Feb 18 15:41:34.874: IPSEC:(SESSION ID = 9) (create_sa) sa created,
 (sa) sa_dest= 10.87.50.122, sa_proto= 50, 
   sa_spi= 0x1CC99DE5(482975205), 
   sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2017
   sa_lifetime(k/sec)= (4608000/3600),
 (identity) local= 10.87.50.122:0, remote= 54.229.30.BBB:0,
   local_proxy= 10.87.189.0/255.255.255.0/256/0,
   remote_proxy= 172.31.0.0/255.255.0.0/256/0
*Feb 18 15:41:34.874: IPSEC:(SESSION ID = 9) (create_sa) sa created,
 (sa) sa_dest= 54.229.30.BBB, sa_proto= 50, 
   sa_spi= 0xC42A57F8(3291109368), 
   sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2018
   sa_lifetime(k/sec)= (4608000/3600),
 (identity) local= 10.87.50.122:0, remote= 54.229.30.BBB:0,
   local_proxy= 10.87.189.0/255.255.255.0/256/0,
   remote_proxy= 172.31.0.0/255.255.0.0/256/0
*Feb 18 15:41:35.064: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Feb 18 15:41:35.064: IKEv2:(SESSION ID = 9,SA ID = 1):Checking for duplicate IKEv2 SA
*Feb 18 15:41:35.064: IKEv2:(SESSION ID = 9,SA ID = 1):No duplicate IKEv2 SA found
*Feb 18 15:41:35.064: IKEv2:(SESSION ID = 9,SA ID = 1):Starting timer (8 sec) to delete negotiation context

The Cisco article above suggests that from the Cisco command line I should be able to do

ping 172.31.2.33 source gigabitethernet 2 

to bring up the VPN from the Cisco side, but this just reports no response. I can ping in both directions between the client and the Cisco machine, and likewise in both directions between Strongswan and the webserver. However, neither then nor once the VPN has been established from the Strongswan side as above does any traffic appear to pass over the VPN between them.

Edit: more diagnostics from the CSR1000

ip-10-87-50-122#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: GigabitEthernet1
Session status: DOWN
Peer: 54.229.30.BBB port 500 fvrf: (none) ivrf: (none)
     Desc: (none)
     Phase1_id: (none)
 IPSEC FLOW: permit ip 10.87.189.0/255.255.255.0 172.31.2.0/255.255.255.0
       Active SAs: 0, origin: crypto map
       Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
       Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Interface: GigabitEthernet1
Profile: ikev2profile
Uptime: 00:00:41
Session status: UP-ACTIVE


Peer: 54.229.30.BBB port 4500 fvrf: (none) ivrf: (none)
     Phase1_id: 54.229.30.BBB
     Desc: (none)
 Session ID: 21
 IKEv2 SA: local 10.87.50.122/4500 remote 54.229.30.BBB/4500 Active
         Capabilities:N connid:2 lifetime:23:59:19
 IPSEC FLOW: permit ip 10.87.189.0/255.255.255.0 172.31.0.0/255.255.0.0
       Active SAs: 2, origin: crypto map
       Inbound:  #pkts dec'ed 310 drop 0 life (KB/Sec) 4608000/3558
       Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4608000/3558

#show crypto ipsec sa

interface: GigabitEthernet1
   Crypto map tag: cmap, local addr 10.87.50.122

  protected vrf: (none)
  local  ident (addr/mask/prot/port): (10.87.189.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (172.31.2.0/255.255.255.0/0/0)
  current_peer 54.229.30.BBB port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 0, #recv errors 0

    local crypto endpt.: 10.87.50.122, remote crypto endpt.: 54.229.30.BBB
    plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
    current outbound spi: 0x0(0)
    PFS (Y/N): N, DH group: none

    inbound esp sas:

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:

    outbound ah sas:

    outbound pcp sas:

  protected vrf: (none)
  local  ident (addr/mask/prot/port): (10.87.189.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (172.31.0.0/255.255.0.0/0/0)
  current_peer 54.229.30.BBB port 4500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #pkts decaps: 310, #pkts decrypt: 310, #pkts verify: 310
   #pkts compressed: 0, #pkts decompressed: 0
   #pkts not compressed: 0, #pkts compr. failed: 0
   #pkts not decompressed: 0, #pkts decompress failed: 0
   #send errors 0, #recv errors 0

    local crypto endpt.: 10.87.50.122, remote crypto endpt.: 54.229.30.BBB
    plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
    current outbound spi: 0xC3012269(3271631465)
    PFS (Y/N): N, DH group: none

    inbound esp sas:
     spi: 0x1CB79056(481792086)
       transform: esp-aes esp-sha-hmac ,
       in use settings ={Tunnel UDP-Encaps, }
       conn id: 2019, flow_id: CSR:19, sibling_flags FFFFFFFF80000048, crypto map: cmap
       sa timing: remaining key lifetime (k/sec): (4608000/3504)
       IV size: 16 bytes
       replay detection support: Y
       Status: ACTIVE(ACTIVE)

    inbound ah sas:

    inbound pcp sas:

    outbound esp sas:
     spi: 0xC3012269(3271631465)
       transform: esp-aes esp-sha-hmac ,
       in use settings ={Tunnel UDP-Encaps, }
       conn id: 2020, flow_id: CSR:20, sibling_flags FFFFFFFF80000048, crypto map: cmap
       sa timing: remaining key lifetime (k/sec): (4608000/3504)
       IV size: 16 bytes
       replay detection support: Y
       Status: ACTIVE(ACTIVE)

    outbound ah sas:

    outbound pcp sas:

#show crypto ikev2 sa detailed
IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         10.87.50.122/4500     54.229.30.BBB/4500    none/none            READY  
     Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
     Life/Active Time: 86400/126 sec
     CE id: 1021, Session-id: 8
     Status Description: Negotiation done
     Local spi: DEB67BE7456C5407       Remote spi: 1C2A344A8A10262E
     Local id: 10.87.50.122
     Remote id: 54.229.30.BBB
     Local req msg id:  0              Remote req msg id:  2         
     Local next msg id: 0              Remote next msg id: 2         
     Local req queued:  0              Remote req queued:  2         
     Local window:      5              Remote window:      1         
     DPD configured for 0 seconds, retry 0
     Fragmentation not configured.
     Extended Authentication not configured.
     NAT-T is detected inside
     Cisco Trust Security SGT is disabled
     Initiator of SA : No

IPv6 Crypto IKEv2  SA

Edit 2: ping example, since it does not fit in a comment on the reply below.

ip-10-87-50-96#ping 172.31.1.1 source gigabitEthernet 2 repeat 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 172.31.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.87.189.59
..
Success rate is 0 percent (0/2)

The output is the same whether the VPN is down or has been brought up by Strongswan.
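The counters in the question already tell the story (310 packets decrypted on the 172.31.0.0/16 flow, none ever encrypted). As an added example, not part of the original post, here is a small Python check that parses `show crypto ipsec sa` output of the shape shown above and flags flows whose counters indicate one-way traffic or no SA at all. The sample output below is constructed from the figures in this post; the function names are mine.

```python
import re

# Constructed sample, modelled on the `show crypto ipsec sa` output in the post:
# flow 1 has no SA at all, flow 2 has decrypted 310 packets but encrypted none.
SAMPLE_SHOW_CRYPTO_IPSEC_SA = """\
interface: GigabitEthernet1
   Crypto map tag: cmap, local addr 10.87.50.122

  protected vrf: (none)
  local  ident (addr/mask/prot/port): (10.87.189.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (172.31.2.0/255.255.255.0/0/0)
  current_peer 54.229.30.BBB port 500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    current outbound spi: 0x0(0)

  protected vrf: (none)
  local  ident (addr/mask/prot/port): (10.87.189.0/255.255.255.0/0/0)
  remote ident (addr/mask/prot/port): (172.31.0.0/255.255.0.0/0/0)
  current_peer 54.229.30.BBB port 4500
    PERMIT, flags={origin_is_acl,}
   #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
   #pkts decaps: 310, #pkts decrypt: 310, #pkts verify: 310
    current outbound spi: 0xC3012269(3271631465)
"""

# A new flow record starts at every "local ident" line.
_LOCAL_IDENT = re.compile(r"\s*local\s+ident \(addr/mask/prot/port\): \((\S+)\)")
_PATTERNS = {
    "remote": re.compile(r"\s*remote ident \(addr/mask/prot/port\): \((\S+)\)"),
    "peer": re.compile(r"\s*current_peer (\S+) port (\d+)"),
    "encaps": re.compile(r"\s*#pkts encaps: (\d+)"),
    "decaps": re.compile(r"\s*#pkts decaps: (\d+)"),
    "outbound_spi": re.compile(r"\s*current outbound spi: (0x[0-9A-Fa-f]+)"),
}


def parse_ipsec_sa(text):
    """Return one dict per protected flow found in `show crypto ipsec sa` output."""
    flows = []
    current = None
    for line in text.splitlines():
        m = _LOCAL_IDENT.match(line)
        if m:
            current = {"local": m.group(1), "remote": None, "peer": None,
                       "encaps": 0, "decaps": 0, "outbound_spi": None}
            flows.append(current)
            continue
        if current is None:
            continue
        for key, pattern in _PATTERNS.items():
            m = pattern.match(line)
            if not m:
                continue
            if key == "peer":
                current[key] = f"{m.group(1)}:{m.group(2)}"
            elif key in ("encaps", "decaps"):
                current[key] = int(m.group(1))
            else:
                current[key] = m.group(1)
            break
    return flows


def diagnose(flows):
    """Classify each flow as 'no-sa', 'one-way' (peer's packets arrive and are
    decrypted, but nothing is ever encrypted towards it) or 'ok'."""
    findings = []
    for f in flows:
        if f["outbound_spi"] == "0x0" and f["encaps"] == 0 and f["decaps"] == 0:
            state = "no-sa"
        elif f["encaps"] == 0 and f["decaps"] > 0:
            # Inbound ESP works, so the tunnel itself is fine; the router is simply
            # not classifying return traffic into the crypto map (routing or NAT
            # ordering is the first thing to check).
            state = "one-way"
        else:
            state = "ok"
        findings.append((state, f["local"], f["remote"], f["peer"]))
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_ipsec_sa(SAMPLE_SHOW_CRYPTO_IPSEC_SA)):
        print(finding)
```

Run against a live capture of the command output, the "one-way" result is the signature of this question: the SA is up and the peer's packets are being decrypted, so IKE and ESP are not the problem and the search moves to what happens to the router's own outbound packets before they reach the crypto map.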

So the problem turned out to be the access control list trying to apply NAT rather than routing to the VPN. Using

ip access-list extended NATList
deny   ip 10.87.189.0 0.0.0.255 172.31.0.0 0.0.255.255 log
permit ip 10.87.189.0 0.0.0.255 any log
ip access-list extended cryptoacl
permit ip host 10.87.189.36 host 172.31.2.33

fixed it.
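To show why the NAT ACL needed that `deny` line, here is an added Python model (my own code, not from the post or from Cisco) of how IOS evaluates these two ACLs for a packet leaving the inside interface. It assumes the documented IOS order of operations for inside-to-outside traffic, in which inside source NAT is applied before the crypto map is consulted; the ACL entries are taken from the post, the packet addresses are the client and webserver above, and the internet address used is a constructed TEST-NET-2 value.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: str      # "A.B.C.D W.X.Y.Z" (address + wildcard), "host A.B.C.D" or "any"
    dst: str


def _spec_matches(spec, ip):
    """IOS-style match of one address specification against an IPv4 address."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return ip == spec.split()[1]
    addr, wildcard = spec.split()
    # Wildcard bits set to 0 must match; bits set to 1 are ignored.
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(ip)) & care)


def acl_lookup(acl, src, dst):
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for entry in acl:
        if _spec_matches(entry.src, src) and _spec_matches(entry.dst, dst):
            return entry.action
    return "deny"


def inside_to_outside(nat_acl, crypto_acl, src, dst, nat_outside_ip):
    """Model of the IOS inside-to-outside path: NAT translation first, then the
    crypto map check. Returns (source address as seen on the wire, encrypted?)."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = nat_outside_ip                 # ip nat inside source ... overload
    encrypted = acl_lookup(crypto_acl, src, dst) == "permit"
    return src, encrypted


# ACLs from the original CSR configuration in the question.
ORIGINAL_NATLIST = [AclEntry("permit", "10.87.189.0 0.0.0.255", "any")]
ORIGINAL_CRYPTOACL = [
    AclEntry("permit", "10.87.189.0 0.0.0.255", "172.31.2.0 0.0.0.255"),
    AclEntry("permit", "10.87.189.0 0.0.0.255", "172.31.0.0 0.0.255.255"),
]

# ACLs from the fix in the answer.
FIXED_NATLIST = [
    AclEntry("deny", "10.87.189.0 0.0.0.255", "172.31.0.0 0.0.255.255"),
    AclEntry("permit", "10.87.189.0 0.0.0.255", "any"),
]
FIXED_CRYPTOACL = [AclEntry("permit", "host 10.87.189.36", "host 172.31.2.33")]

CSR_OUTSIDE_IP = "10.87.50.122"            # GigabitEthernet1 address in the post
CLIENT, WEBSERVER = "10.87.189.36", "172.31.2.33"


def compare(src=CLIENT, dst=WEBSERVER):
    """Run the same packet through the original and the fixed ACL pair."""
    return {
        "original": inside_to_outside(ORIGINAL_NATLIST, ORIGINAL_CRYPTOACL, src, dst, CSR_OUTSIDE_IP),
        "fixed": inside_to_outside(FIXED_NATLIST, FIXED_CRYPTOACL, src, dst, CSR_OUTSIDE_IP),
    }


if __name__ == "__main__":
    print(compare())                        # client -> webserver
    print(compare(dst="198.51.100.10"))     # client -> internet (constructed TEST-NET-2 address)
    print(compare(src="10.87.189.37"))      # another inside host -> webserver
```

With the original ACLs the client's packet is translated to 10.87.50.122 first, so by the time the crypto map looks at it the source no longer falls in 10.87.189.0/24 and it goes out unencrypted; that is exactly the "310 decrypted, 0 encrypted" pattern in the counters. With the fix the NAT exemption leaves the source untouched and the crypto ACL matches. The model also shows one side effect of the narrower fixed `cryptoacl`: a different inside host (10.87.189.37) bound for 172.31.0.0/16 is now exempted from NAT but matched by no crypto entry, so it is forwarded neither translated nor encrypted; if more hosts need the tunnel, the crypto ACL should cover the same range as the NAT `deny` so that the two stay aligned with the 10.87.189.0/24 === 172.31.0.0/16 selectors Strongswan negotiated.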

Source: https://serverfault.com/questions/669625