No traffic routed between Cisco CSR1000v and Strongswan IPsec endpoints on AWS
I am trying to configure a Cisco CSR1000V on AWS to create an IPsec VPN with Strongswan 5.1.2 (on Ubuntu 14.04) running on another AWS machine. I can bring the VPN up from the Strongswan end, and it appears to establish the security associations correctly, but no traffic is routed in either direction. Possibly related: I cannot bring the VPN up from the Cisco end.
I tried to base my configuration on http://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/117258-config-l2l.html#anc2, with specific IP addresses and networks. So I have
```
10.87.189.36 client
      |
CSR 1000V: Eth0 10.87.50.122 (mapped to Elastic IP 54.154.54.AAA)
           Eth1 10.87.189.50
      |
      |
Strongswan: 172.31.1.1 (mapped to Elastic IP 54.229.30.BBB)
      |
Webserver 172.31.2.33
```
The goal is to be able to browse from the client to the web server over the VPN. The client can reach the external internet, routed through the CSR1000 (set up as described in https://rbgeek.wordpress.com/2014/09/15/cisco-csr1000v-router-as-nat-instance-on-aws/). I can also create a VPN between the Strongswan machine and another machine on premises running Strongswan 4.5.2 and see the web server as expected.
The EC2 src/dest check is disabled on all Ethernet ports of both the CSR and the Strongswan machine.
The Strongswan configuration for the connection is
```
conn ciscotest
    left=%defaultroute
    leftid=54.229.30.BBB
    leftsubnet=172.31.0.0/16
    leftfirewall=no
    right=54.154.54.AAA
    rightid=%any
    rightsubnet=10.87.189.0/24
    auto=add
    authby=secret
    ike=aes256-sha1-modp1024
    ikelifetime=8h
    aggressive=no
    esp=aes128-sha1
    lifetime=1h
    keyexchange=ikev2
```
Firewall and sysctl on the Strongswan machine
```
# iptables -t nat -L -v -n
Chain PREROUTING (policy ACCEPT 4 packets, 220 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain INPUT (policy ACCEPT 4 packets, 220 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 5 packets, 349 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  *      eth0    0.0.0.0/0            172.31.0.0/16        policy match dir out pol ipsec
    5   349 MASQUERADE  all  --  *      eth0    0.0.0.0/0            172.31.0.0/16

# sysctl -p
net.ipv4.ip_forward = 1
```
Configuration on the Cisco machine
```
version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
platform console virtual
!
hostname ip-10-87-50-122
!
boot-start-marker
boot-end-marker
!
subscriber templating
!
multilink bundle-name authenticated
!
redundancy
!
crypto ikev2 proposal ikev2proposal
 encryption aes-cbc-256
 integrity sha1
 group 2
!
crypto ikev2 policy ikev2policy
 match fvrf any
 proposal ikev2proposal
!
crypto ikev2 keyring keys
 peer strongswan
  address 54.229.30.BBB
  pre-shared-key local ----------------
  pre-shared-key remote ----------------
 !
!
!
crypto ikev2 profile ikev2profile
 match identity remote address 54.229.30.BBB 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local keys
!
crypto isakmp policy 10
 authentication pre-share
 group 2
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
 mode tunnel
!
crypto map cmap 10 ipsec-isakmp
 set peer 54.229.30.BBB
 set transform-set TS
 set ikev2-profile ikev2profile
 match address cryptoacl
!
interface GigabitEthernet1
 ip address dhcp
 ip nat outside
 negotiation auto
 crypto map cmap
!
interface GigabitEthernet2
 ip address 10.87.189.50 255.255.255.0
 ip nat inside
 negotiation auto
!
virtual-service csr_mgmt
 ip shared host-interface GigabitEthernet1
 activate
!
ip nat inside source list NATList interface GigabitEthernet1 overload
ip forward-protocol nd
!
ip access-list extended NATList
 permit ip 10.87.189.0 0.0.0.255 any
ip access-list extended cryptoacl
 permit ip 10.87.189.0 0.0.0.255 172.31.2.0 0.0.0.255
 permit ip 10.87.189.0 0.0.0.255 172.31.0.0 0.0.255.255
```
When the connection is brought up from the Strongswan end:
```
# ipsec up ciscotest
initiating IKE_SA ciscotest[17] to 54.154.54.AAA
generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
sending packet: from 172.31.1.1[500] to 54.154.54.AAA[500] (1044 bytes)
received packet: from 54.154.54.AAA[500] to 172.31.1.1[500] (336 bytes)
parsed IKE_SA_INIT response 0 [ SA KE No V V N(NATD_S_IP) N(NATD_D_IP) ]
received Cisco Delete Reason vendor ID
received unknown vendor ID: 46:4c:45:58:56:50:4e:2d:53:55:50:50:4f:52:54:45:44
local host is behind NAT, sending keep alives
remote host is behind NAT
authentication of '54.229.30.BBB' (myself) with pre-shared key
establishing CHILD_SA ciscotest
generating IKE_AUTH request 1 [ IDi AUTH SA TSi TSr N(MOBIKE_SUP) N(NO_ADD_ADDR) N(EAP_ONLY) ]
sending packet: from 172.31.1.1[4500] to 54.154.54.AAA[4500] (332 bytes)
received packet: from 54.154.54.AAA[4500] to 172.31.1.1[4500] (252 bytes)
parsed IKE_AUTH response 1 [ V IDr AUTH SA TSi TSr N(SET_WINSIZE) N(ESP_TFC_PAD_N) N(NON_FIRST_FRAG) ]
authentication of '10.87.50.122' with pre-shared key successful
IKE_SA ciscotest[17] established between 172.31.1.1[54.229.30.BBB]...54.154.54.AAA[10.87.50.122]
scheduling reauthentication in 27954s
maximum IKE_SA lifetime 28494s
received ESP_TFC_PADDING_NOT_SUPPORTED, not using ESPv3 TFC padding
connection 'ciscotest' established successfully

# ipsec status ciscotest
Security Associations (1 up, 0 connecting):
   ciscotest[17]: ESTABLISHED 19 seconds ago, 172.31.1.1[54.229.30.BBB]...54.154.54.AAA[10.87.50.122]
   ciscotest{15}:  INSTALLED, TUNNEL, ESP in UDP SPIs: c42a57f8_i 1cc99de5_o
   ciscotest{15}:   172.31.0.0/16 === 10.87.189.0/24
```
On the Cisco end
```
Syslog logging: enabled (0 messages dropped, 9 messages rate-limited, 0 flushes, 0 overruns, xml disabled, filtering disabled)

No Active Message Discriminator.

No Inactive Message Discriminator.

    Console logging: level debugging, 2479 messages logged, xml disabled, filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled, filtering disabled
    Buffer logging:  level debugging, 2486 messages logged, xml disabled, filtering disabled
    Exception Logging: size (4096 bytes)
    Count and timestamp logging messages: disabled
    Persistent logging: disabled

No active filter modules.

    Trap logging: level informational, 62 message lines logged
        Logging Source-Interface:       VRF Name:

Log Buffer (4096 bytes):
edur= 0s and 0kb, spi= 0x0(0), conn_id= 0, keysize= 128, flags= 0x0
*Feb 18 15:41:34.873: Crypto mapdb : proxy_match
        src addr     : 10.87.189.0
        dst addr     : 172.31.0.0
        protocol     : 0
        src port     : 0
        dst port     : 0
*Feb 18 15:41:34.873: (ipsec_process_proposal)Map Accepted: cmap, 10
*Feb 18 15:41:34.873: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Callback received for the validate proposal - PASSED.
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Get my authentication method
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):My authentication method is 'PSK'
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Get peer's preshared key for 54.229.30.BBB
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Generate my authentication data
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Use preshared key for id 10.87.50.122, key len 5
*Feb 18 15:41:34.873: IKEv2:[IKEv2 -> Crypto Engine] Generate IKEv2 authentication data
*Feb 18 15:41:34.873: IKEv2:[Crypto Engine -> IKEv2] IKEv2 authentication data generation PASSED
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Get my authentication method
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):My authentication method is 'PSK'
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Generating IKE_AUTH message
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):Constructing IDr payload: '10.87.50.122' of type 'IPv4 address'
*Feb 18 15:41:34.873: IKEv2:(SESSION ID = 9,SA ID = 1):ESP Proposal: 1, SPI size: 4 (IPSec negotiation),
Num. transforms: 3
   AES-CBC   SHA96   Don't use ESN
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Building packet for encryption.
Payload contents:
 VID IDr AUTH SA TSi TSr NOTIFY(SET_WINDOW_SIZE) NOTIFY(ESP_TFC_NO_SUPPORT) NOTIFY(NON_FIRST_FRAGS)
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Sending Packet [To 54.229.30.BBB:4500/From 10.87.50.122:4500/VRF i0:f0]
Initiator SPI : D88218943FE3BDCA - Responder SPI : D5D0EFB19DDB3A57 Message id: 1
IKEv2 IKE_AUTH Exchange RESPONSE
Payload contents:
 ENCR
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):IKEV2 SA created; inserting SA into database. SA lifetime timer (86400 sec) started
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Session with IKE ID PAIR (54.229.30.BBB, 10.87.50.122) is UP
*Feb 18 15:41:34.874: IKEv2:IKEv2 MIB tunnel started, tunnel index 1
*Feb 18 15:41:34.874: IKEv2:(SESSION ID = 9,SA ID = 1):Load IPSEC key material
*Feb 18 15:41:34.874: IKEv2:(SA ID = 1):[IKEv2 -> IPsec] Create IPsec SA into IPsec database
*Feb 18 15:41:34.874: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Feb 18 15:41:34.874: Crypto mapdb : proxy_match
        src addr     : 10.87.189.0
        dst addr     : 172.31.0.0
        protocol     : 256
        src port     : 0
        dst port     : 0
*Feb 18 15:41:34.874: IPSEC:(SESSION ID = 9) (crypto_ipsec_create_ipsec_sas) Map found cmap, 10
*Feb 18 15:41:34.874: IPSEC:(SESSION ID = 9) (create_sa) sa created,
  (sa) sa_dest= 10.87.50.122, sa_proto= 50,
    sa_spi= 0x1CC99DE5(482975205),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2017
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 10.87.50.122:0, remote= 54.229.30.BBB:0,
    local_proxy= 10.87.189.0/255.255.255.0/256/0,
    remote_proxy= 172.31.0.0/255.255.0.0/256/0
*Feb 18 15:41:34.874: IPSEC:(SESSION ID = 9) (create_sa) sa created,
  (sa) sa_dest= 54.229.30.BBB, sa_proto= 50,
    sa_spi= 0xC42A57F8(3291109368),
    sa_trans= esp-aes esp-sha-hmac , sa_conn_id= 2018
    sa_lifetime(k/sec)= (4608000/3600),
  (identity) local= 10.87.50.122:0, remote= 54.229.30.BBB:0,
    local_proxy= 10.87.189.0/255.255.255.0/256/0,
    remote_proxy= 172.31.0.0/255.255.0.0/256/0
*Feb 18 15:41:35.064: IKEv2:(SA ID = 1):[IPsec -> IKEv2] Creation of IPsec SA into IPsec database PASSED
*Feb 18 15:41:35.064: IKEv2:(SESSION ID = 9,SA ID = 1):Checking for duplicate IKEv2 SA
*Feb 18 15:41:35.064: IKEv2:(SESSION ID = 9,SA ID = 1):No duplicate IKEv2 SA found
*Feb 18 15:41:35.064: IKEv2:(SESSION ID = 9,SA ID = 1):Starting timer (8 sec) to delete negotiation context
```
The Cisco article above suggests that from the Cisco command line I should be able to run
```
ping 172.31.2.33 source gigabitethernet 2
```
to bring the VPN up from the Cisco end, but that just reports no response. I can ping in both directions between the client and the Cisco machine, and likewise between Strongswan and the web server. However, neither at that point nor once the VPN has been established from the Strongswan end as above does any traffic seem to pass through it between them.
Edit: more diagnostics from the CSR1000
```
ip-10-87-50-122#show crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: GigabitEthernet1
Session status: DOWN
Peer: 54.229.30.BBB port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IPSEC FLOW: permit ip 10.87.189.0/255.255.255.0 172.31.2.0/255.255.255.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Interface: GigabitEthernet1
Profile: ikev2profile
Uptime: 00:00:41
Session status: UP-ACTIVE
Peer: 54.229.30.BBB port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 54.229.30.BBB
      Desc: (none)
  Session ID: 21
  IKEv2 SA: local 10.87.50.122/4500 remote 54.229.30.BBB/4500 Active
          Capabilities:N connid:2 lifetime:23:59:19
  IPSEC FLOW: permit ip 10.87.189.0/255.255.255.0 172.31.0.0/255.255.0.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 310 drop 0 life (KB/Sec) 4608000/3558
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4608000/3558

#show crypto ipsec sa

interface: GigabitEthernet1
    Crypto map tag: cmap, local addr 10.87.50.122

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.87.189.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.31.2.0/255.255.255.0/0/0)
   current_peer 54.229.30.BBB port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.87.50.122, remote crypto endpt.: 54.229.30.BBB
     plaintext mtu 1500, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.87.189.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (172.31.0.0/255.255.0.0/0/0)
   current_peer 54.229.30.BBB port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 310, #pkts decrypt: 310, #pkts verify: 310
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.87.50.122, remote crypto endpt.: 54.229.30.BBB
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet1
     current outbound spi: 0xC3012269(3271631465)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x1CB79056(481792086)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2019, flow_id: CSR:19, sibling_flags FFFFFFFF80000048, crypto map: cmap
        sa timing: remaining key lifetime (k/sec): (4608000/3504)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC3012269(3271631465)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2020, flow_id: CSR:20, sibling_flags FFFFFFFF80000048, crypto map: cmap
        sa timing: remaining key lifetime (k/sec): (4608000/3504)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

#show crypto ikev2 sa detailed
 IPv4 Crypto IKEv2  SA

Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         10.87.50.122/4500     54.229.30.BBB/4500    none/none            READY
      Encr: AES-CBC, keysize: 256, PRF: SHA1, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/126 sec
      CE id: 1021, Session-id: 8
      Status Description: Negotiation done
      Local spi: DEB67BE7456C5407       Remote spi: 1C2A344A8A10262E
      Local id: 10.87.50.122
      Remote id: 54.229.30.BBB
      Local req msg id:  0              Remote req msg id:  2
      Local next msg id: 0              Remote next msg id: 2
      Local req queued:  0              Remote req queued:  2
      Local window:      5              Remote window:      1
      DPD configured for 0 seconds, retry 0
      Fragmentation not configured.
      Extended Authentication not configured.
      NAT-T is detected inside
      Cisco Trust Security SGT is disabled
      Initiator of SA : No

 IPv6 Crypto IKEv2  SA
```
Edit 2: ping example, since it does not fit in a comment on the reply below.
```
ip-10-87-50-96#ping 172.31.1.1 source gigabitEthernet 2 repeat 2
Type escape sequence to abort.
Sending 2, 100-byte ICMP Echos to 172.31.1.1, timeout is 2 seconds:
Packet sent with a source address of 10.87.189.59
..
Success rate is 0 percent (0/2)
```
The output is the same whether the VPN is not up or has been brought up by Strongswan.
So the problem turned out to be the access control list applying NAT instead of routing to the VPN. Using
```
ip access-list extended NATList
 deny ip 10.87.189.0 0.0.0.255 172.31.0.0 0.0.255.255 log
 permit ip 10.87.189.0 0.0.0.255 any log
ip access-list extended cryptoacl
 permit ip host 10.87.189.36 host 172.31.2.33
```
fixed it.
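The fix works because IOS translates an inside-to-outside packet before the crypto map on the outbound interface evaluates it: with `permit ip 10.87.189.0 0.0.0.255 any` in NATList, every packet from the client was rewritten to the GigabitEthernet1 address and no longer matched cryptoacl, consistent with the CSR counters above (`#pkts decaps: 310` but `#pkts encaps: 0`, so Strongswan's traffic was decrypted but nothing was ever encrypted back). The Strongswan side already carries the equivalent exemption: the `policy match dir out pol ipsec` ACCEPT sits ahead of MASQUERADE in POSTROUTING. The Python script below is an added example, not code from the question or the answer. It parses both extended ACLs (only the `permit|deny ip SRC DST [log]` entry form used on this page, with `any`, `host`, and contiguous wildcards) and, for each crypto-ACL permit, reports whether the NAT ACL would translate that flow under first-match evaluation. The ACL text is the page's own, embedded as constructed sample input; the function and variable names are the example's own.

```python
"""Check whether an IOS NAT ACL would translate traffic that a crypto ACL
is meant to send through the IPsec tunnel.

Added example, not code from the question or answer.  Handles only the
'permit|deny ip SRC DST [log]' entry form used on this page, where SRC/DST is
'any', 'host A.B.C.D', or 'A.B.C.D WILDCARD' with a contiguous wildcard.
"""
import ipaddress

# Constructed sample input: the ACLs from the question, before and after the fix.
NAT_ACL_BEFORE = """
ip access-list extended NATList
 permit ip 10.87.189.0 0.0.0.255 any
"""

NAT_ACL_AFTER = """
ip access-list extended NATList
 deny ip 10.87.189.0 0.0.0.255 172.31.0.0 0.0.255.255 log
 permit ip 10.87.189.0 0.0.0.255 any log
"""

CRYPTO_ACL_BEFORE = """
ip access-list extended cryptoacl
 permit ip 10.87.189.0 0.0.0.255 172.31.2.0 0.0.0.255
 permit ip 10.87.189.0 0.0.0.255 172.31.0.0 0.0.255.255
"""

CRYPTO_ACL_AFTER = """
ip access-list extended cryptoacl
 permit ip host 10.87.189.36 host 172.31.2.33
"""


def wildcard_to_network(addr, wildcard):
    """Convert IOS 'address wildcard' to an ipaddress network.

    ipaddress would read a wildcard of 0.0.0.0 as a /0 netmask, so the
    prefix length is derived from the wildcard bits directly."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):  # set bits are not contiguous from the low end
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.ip_network(f"{addr}/{32 - bits.bit_length()}", strict=False)


def parse_endpoint(tokens):
    """Consume one address spec from the token list; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Return the ACL's (action, src_net, dst_net) entries in configured order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue  # header line, blank line, or an entry form not handled here
        src, rest = parse_endpoint(tokens[2:])
        dst, _ = parse_endpoint(rest)
        entries.append((tokens[0], src, dst))
    return entries


def nat_verdicts(nat_acl_text, crypto_acl_text):
    """Map each crypto-ACL 'permit' flow to what the NAT ACL does with it.

    IOS evaluates an ACL first-match, so the first NAT entry whose source and
    destination overlap the flow decides: a permit means the packet is
    translated before the crypto map sees it ('translated'); a deny that
    covers the whole flow means it reaches the crypto map untouched
    ('exempt'); a deny covering only part of the flow is reported as
    'partially exempt' so the remaining entries can be reviewed by hand."""
    nat_entries = parse_acl(nat_acl_text)
    verdicts = {}
    for action, c_src, c_dst in parse_acl(crypto_acl_text):
        if action != "permit":
            continue
        verdict = "exempt"  # implicit deny at the end of the NAT ACL: not translated
        for n_action, n_src, n_dst in nat_entries:
            if not (n_src.overlaps(c_src) and n_dst.overlaps(c_dst)):
                continue
            if n_action == "permit":
                verdict = "translated"
            elif not (c_src.subnet_of(n_src) and c_dst.subnet_of(n_dst)):
                verdict = "partially exempt"
            break
        verdicts[f"{c_src} -> {c_dst}"] = verdict
    return verdicts


if __name__ == "__main__":
    for label, nat, crypto in (
        ("before fix", NAT_ACL_BEFORE, CRYPTO_ACL_BEFORE),
        ("after fix", NAT_ACL_AFTER, CRYPTO_ACL_AFTER),
    ):
        print(label)
        for flow, verdict in nat_verdicts(nat, crypto).items():
            print(f"  {flow}: {verdict}")
```

Run against the pre-fix ACLs both crypto flows come back as translated; with the answer's NATList deny in front, both the original /24 and /16 crypto entries and the narrowed host-to-host entry come back exempt. The same check applies to any IOS crypto-map-plus-overload setup: the NAT deny must sit before the permit and must be at least as wide as every crypto ACL entry, or the partially covered remainder is still translated.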