AWS StrongSwan IPSec VPN

5

I've been playing with StrongSwan recently as a replacement for Amazon's VPN, which costs money.

I'm having trouble fully configuring an IPSec tunnel between a remote server and an Ubuntu EC2 machine running StrongSwan.

My goal is for our remote server to be able to VPN into our VPC and have bidirectional access with the private subnet on AWS.

Currently I can get a tunnel established. I can ping from the EC2 machine (running StrongSwan) to the remote OSX server. I can ping between machines on the public and private subnets in my VPC.

Currently I cannot ping from my OSX server to the EC2 instance on AWS that is running StrongSwan. I don't have any iptables configuration to forward traffic from the EC2 (StrongSwan) machine to the other machines on my private subnet.

AWS

VPC: 10.0.0.0/16
Public Subnet: 10.0.1.0/24
Private Subnet: 10.0.2.0/24
Web EIP: 77.77.77.77 (default for VPC IGW)
VPN EIP: 66.66.66.66

AWS StrongSwan EC2

Ubuntu running StrongSwan 5.2.2
IP: 10.0.1.233

Remote client gateway (cellular modem + gateway combination with a static IP)

Running StrongSwan 5.2.2 internally for IPSec
Public (static) IP: 55.55.55.55
LAN: 10.1.1.0/24 (DHCP Server)

Remote client server (OSX machine for testing)

IP: 10.1.1.1

Network topology

The security groups on the Public subnet are open, allowing all ICMP, UDP and TCP traffic for testing (ignore the values in the image above).

Also note that the src/dst check is disabled on the StrongSwan EC2 instance.

Remote gateway StrongSwan config (StrongSwan 5.2.2)

version 2.0

config setup
    #charondebug="knl 4, asn 4, cfg 4, chd 4, dmn 4, enc 4, esp 4, ike 4, imc 4, imv 4, job 4, lib 4, mgr 4, net 4, pts 4, tls 4, tnc 4"

conn %default
    keyexchange=ikev2
    authby=secret

conn net-to-net
    ike=aes256-sha256-modp1536,aes256-sha1-modp1536,aes128-sha256-modp1536,aes128-sha1-modp1536,3des-sha256-modp1536,3des-sha1-modp1536
    esp=aes256-sha256_96-modp1536,aes256-sha1-modp1536,aes128-sha256_96-modp1536,aes128-sha1-modp1536,3des-sha256_96-modp1536,3des-sha1-modp1536
    mobike=no
    keyingtries=%forever
    dpdaction=restart
    dpddelay=5s
    dpdtimeout=10s
    #AWS
    leftid=%any
    left=10.0.1.233
    leftsubnet=10.0.0.0/16
    #CLIENT
    rightid=%any
    right=55.55.55.55
    rightsubnet=10.1.1.0/24
    auto=add

IPSec settings on the remote gateway

eth0 is running the DHCP server with the 10.1.1.0/24 CIDR block. My OSX server has IP 10.1.1.1 (on eth0).

System logs on the StrongSwan EC2

Mar 30 18:43:58 ip-10-0-1-233 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 30 18:43:58 ip-10-0-1-233 charon: 00[CFG] loaded IKE secret for 66.66.66.66 55.55.55.55
Mar 30 18:43:58 ip-10-0-1-233 charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Mar 30 18:43:58 ip-10-0-1-233 charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
Mar 30 18:43:58 ip-10-0-1-233 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 30 18:43:58 ip-10-0-1-233 charon: 00[JOB] spawning 16 worker threads
Mar 30 18:43:58 ip-10-0-1-233 charon: 10[CFG] received stroke: add connection 'net-to-net'
Mar 30 18:43:58 ip-10-0-1-233 charon: 10[CFG] added configuration 'net-to-net'
Mar 30 18:44:01 ip-10-0-1-233 charon: 00[DMN] signal of type SIGINT received. Shutting down
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-44-generic, x86_64)
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[CFG] loaded IKE secret for 66.66.66.66 55.55.55.55
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[LIB] loaded plugins: charon test-vectors aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hmac ctr ccm gcm attr kernel-netlink resolve socket-default stroke updown eap-identity addrblock
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[LIB] unable to load 5 plugin features (5 due to unmet dependencies)
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
Mar 30 18:44:07 ip-10-0-1-233 charon: 00[JOB] spawning 16 worker threads
Mar 30 18:44:07 ip-10-0-1-233 charon: 10[CFG] received stroke: add connection 'net-to-net'
Mar 30 18:44:07 ip-10-0-1-233 charon: 10[CFG] added configuration 'net-to-net'
Mar 30 18:44:17 ip-10-0-1-233 charon: 11[NET] received packet: from 55.55.55.55[500] to 10.0.1.233[500] (660 bytes)
Mar 30 18:44:17 ip-10-0-1-233 charon: 11[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 30 18:44:17 ip-10-0-1-233 charon: 11[IKE] 55.55.55.55 is initiating an IKE_SA
Mar 30 18:44:17 ip-10-0-1-233 charon: 11[IKE] local host is behind NAT, sending keep alives
Mar 30 18:44:17 ip-10-0-1-233 charon: 11[IKE] DH group MODP_2048 inacceptable, requesting MODP_1536
Mar 30 18:44:17 ip-10-0-1-233 charon: 11[ENC] generating IKE_SA_INIT response 0 [ N(INVAL_KE) ]
Mar 30 18:44:17 ip-10-0-1-233 charon: 11[NET] sending packet: from 10.0.1.233[500] to 55.55.55.55[500] (38 bytes)
Mar 30 18:44:17 ip-10-0-1-233 charon: 12[NET] received packet: from 55.55.55.55[500] to 10.0.1.233[500] (596 bytes)
Mar 30 18:44:17 ip-10-0-1-233 charon: 12[ENC] parsed IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) ]
Mar 30 18:44:17 ip-10-0-1-233 charon: 12[IKE] 55.55.55.55 is initiating an IKE_SA
Mar 30 18:44:17 ip-10-0-1-233 charon: 12[IKE] local host is behind NAT, sending keep alives
Mar 30 18:44:17 ip-10-0-1-233 charon: 12[ENC] generating IKE_SA_INIT response 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(MULT_AUTH) ]
Mar 30 18:44:17 ip-10-0-1-233 charon: 12[NET] sending packet: from 10.0.1.233[500] to 55.55.55.55[500] (376 bytes)
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[NET] received packet: from 55.55.55.55[4500] to 10.0.1.233[4500] (336 bytes)
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[ENC] parsed IKE_AUTH request 1 [ IDi AUTH N(IPCOMP_SUP) SA TSi TSr N(MULT_AUTH) N(EAP_ONLY) ]
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[CFG] looking for peer configs matching 10.0.1.233[%any]...55.55.55.55[55.55.55.55]
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[CFG] selected peer config 'net-to-net'
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] authentication of '55.55.55.55' with pre-shared key successful
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[CFG] no IDr configured, fall back on IP address
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] authentication of '10.0.1.233' (myself) with pre-shared key
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] IKE_SA net-to-net[2] established between 10.0.1.233[10.0.1.233]...55.55.55.55[55.55.55.55]
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] scheduling reauthentication in 10081s
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] maximum IKE_SA lifetime 10621s
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] received IPCOMP_SUPPORTED notify but IPComp is disabled, ignoring
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[IKE] CHILD_SA net-to-net{1} established with SPIs c2a08785_i cc1db76f_o and TS 10.0.1.0/24 === 10.1.1.0/24
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[ENC] generating IKE_AUTH response 1 [ IDr AUTH SA TSi TSr N(AUTH_LFT) ]
Mar 30 18:44:18 ip-10-0-1-233 charon: 13[NET] sending packet: from 10.0.1.233[4500] to 55.55.55.55[4500] (224 bytes)
Mar 30 18:44:23 ip-10-0-1-233 charon: 14[IKE] sending DPD request

tcpdump on the AWS side when the remote connects

18:41:14.660917 IP mobile-55-55-55-55.mycingular.net.isakmp > ip-10-0-1-233.ec2.internal.isakmp: isakmp: parent_sa ikev2_init[I]
18:41:14.681096 IP ip-10-0-1-233.ec2.internal.isakmp > mobile-55-55-55-55.mycingular.net.isakmp: isakmp: parent_sa ikev2_init[R]
18:41:15.259862 IP mobile-55-55-55-55.mycingular.net.isakmp > ip-10-0-1-233.ec2.internal.isakmp: isakmp: parent_sa ikev2_init[I]
18:41:15.271718 IP ip-10-0-1-233.ec2.internal.isakmp > mobile-55-55-55-55.mycingular.net.isakmp: isakmp: parent_sa ikev2_init[R]
18:41:15.809157 IP mobile-55-55-55-55.mycingular.net.ipsec-nat-t > ip-10-0-1-233.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[I]
18:41:15.813883 IP ip-10-0-1-233.ec2.internal.ipsec-nat-t > mobile-55-55-55-55.mycingular.net.ipsec-nat-t: NONESP-encap: isakmp: child_sa ikev2_auth[R]
18:41:20.812881 IP ip-10-0-1-233.ec2.internal.ipsec-nat-t > mobile-55-55-55-55.mycingular.net.ipsec-nat-t: NONESP-encap: isakmp: parent_sa inf2
18:41:21.139689 IP mobile-55-55-55-55.mycingular.net.ipsec-nat-t > ip-10-0-1-233.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[I]
18:41:21.140103 IP ip-10-0-1-233.ec2.internal.ipsec-nat-t > mobile-55-55-55-55.mycingular.net.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[R]
18:41:21.289057 IP mobile-55-55-55-55.mycingular.net.ipsec-nat-t > ip-10-0-1-233.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: parent_sa inf2[IR]
18:41:26.088336 IP mobile-55-55-55-55.mycingular.net.ipsec-nat-t > ip-10-0-1-233.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[I]
18:41:26.088827 IP ip-10-0-1-233.ec2.internal.ipsec-nat-t > mobile-55-55-55-55.mycingular.net.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[R]
18:41:31.103016 IP mobile-55-55-55-55.mycingular.net.ipsec-nat-t > ip-10-0-1-233.ec2.internal.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[I]
18:41:31.103931 IP ip-10-0-1-233.ec2.internal.ipsec-nat-t > mobile-55-55-55-55.mycingular.net.ipsec-nat-t: NONESP-encap: isakmp: child_sa inf2[R]

I believe my configuration is close, but I'm missing something fundamental. Any idea why my tunnel is not working bidirectionally? I can ping from AWS -> Remote, but not the other way around. Note: I don't have IP forwarding or any custom iptables rules configured on the Ubuntu (StrongSwan) EC2 instance.

Note: There is also this document created by the StrongSwan folks, which I saw and tried to implement with less luck than my current setup.

by anders 30.03.2015 / 21:00

1 answer

2

It turns out I made a mistake and there was a POSTROUTING problem on the client gateway, which is why traffic was only being allowed in one direction. StrongSwan and AWS were configured correctly.

by 06.04.2015 / 21:39
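The POSTROUTING problem from the answer, as an added example (not from the original post or from the strongSwan project): a gateway that masquerades its LAN (10.1.1.0/24) will also rewrite packets bound for the VPC unless tunnel traffic is exempted before the MASQUERADE rule, and rewritten packets no longer match the CHILD_SA traffic selectors, so they leave in the clear and the far side never answers. The check below reads iptables-save output and reports whether the nat POSTROUTING chain has a policy-match ACCEPT ahead of the first MASQUERADE/SNAT rule; the two rule sets and the eth1 WAN interface name are constructed for the example.

```sh
#!/bin/sh
# Added example: audit a strongSwan LAN gateway's NAT table (iptables-save
# format on stdin) for the one-way-tunnel mistake described in the answer.
# Exit 0 when tunnel traffic is exempted from NAT before any MASQUERADE/SNAT
# rule (or when the table does no NAT at all); exit 1 otherwise.
check_postrouting() {
    awk '
        /^\*/              { table = substr($0, 2) }   # "*nat", "*filter", ...
        table != "nat"     { next }                    # only the nat table matters
        /^-A POSTROUTING / {
            # An ACCEPT that matches outbound IPsec policy, seen before any
            # NAT rule, keeps tunnel packets untouched.
            if (!nat && $0 ~ /-m policy --dir out --pol ipsec/ && $0 ~ /-j ACCEPT/) exempt = 1
            if ($0 ~ /-j (MASQUERADE|SNAT)/) nat = 1
        }
        END { exit (exempt || !nat) ? 0 : 1 }
    '
}

# Constructed rule set 1: the broken state, every LAN packet leaving eth1
# (assumed WAN interface) is masqueraded, including packets for 10.0.0.0/16.
BROKEN_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.1.1.0/24 -o eth1 -j MASQUERADE
COMMIT'

# Constructed rule set 2: the fixed state, tunnel traffic is accepted (left
# un-NATed) before the MASQUERADE rule, so its source stays in 10.1.1.0/24.
FIXED_NAT='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.1.1.0/24 -d 10.0.0.0/16 -m policy --dir out --pol ipsec -j ACCEPT
-A POSTROUTING -s 10.1.1.0/24 -o eth1 -j MASQUERADE
COMMIT'

report() {   # report NAME RULES: print a verdict for one rule set
    if printf '%s\n' "$2" | check_postrouting; then
        echo "$1: tunnel traffic is exempted before MASQUERADE (ok)"
    else
        echo "$1: MASQUERADE rewrites tunnel traffic; add a '-m policy --dir out --pol ipsec -j ACCEPT' rule first"
    fi
}

report BROKEN_NAT "$BROKEN_NAT"
report FIXED_NAT "$FIXED_NAT"
```

On a live gateway, pipe `iptables-save` into `check_postrouting` instead of the constructed rule sets.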