I was trying to set up a road warrior VPN. Since the internet at our office is slow, we are running it through a VPC with a replicated AD and file server. Currently there is an Amazon VPC VPN to the office that connects to the VPC. In the VPC we have an OpenSwan server, which allows VPN access into the AWS network. I am having trouble getting routing back to the office to work, so that a single VPN connection reaches both. Also, the internet does not work when routed through OpenSwan, so the routes have to be added manually on Mac OS X. Does anyone know the correct configuration to have each connection work and provide internet if the user wants it? Also, how can OpenSwan provide routes?

(10.1.5.0) IPSEC VPN <-OpenSwan CentOS Server-> (172.16.1.0) Amazon VPC subnet <-Meraki / VPC VPN-> (192.168.1.0) Office network

Current OpenSwan configuration
# basic configuration
config setup
    # plutodebug / klipsdebug = "all", "none" or a combination from below:
    # "raw crypt parsing emitting control klips pfkey natt x509 private"
    # eg: plutodebug="control parsing"
    #
    # ONLY enable plutodebug=all or klipsdebug=all if you are a developer !!
    #
    # NAT-TRAVERSAL support, see README.NAT-Traversal
    nat_traversal=yes
    #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    # If we consider that we have an internal interface on subnet 192.168.22.0/24,
    # we need to add %v4:!192.168.22.0/24 here
    virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
    #
    # enable this if you see "failed to find any available worker"
    nhelpers=0
    protostack=netkey
    oe=no

conn L2TP-PSK-CLIENTS
    #
    # Configuration for one user with any type of IPsec/L2TP client
    # including the updated Windows 2000/XP (MS KB Q818043), but
    # excluding the non-updated Windows 2000/XP.
    #
    # Use a Preshared Key. Disable Perfect Forward Secrecy.
    #
    # PreSharedSecret needs to be specified in /etc/ipsec.secrets as
    # YourIPAddress %any: "sharedsecret"
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    # we cannot rekey for %any, let client rekey
    rekey=no
    type=transport
    #
    left=172.16.1.53
    leftnexthop=172.16.1.1
    #leftsubnets={172.16.0.0/12,192.168.1.0/24}
    leftsubnet=0.0.0.0/0
    #leftsubnet=172.16.0.0/12
    # or you can use: left=YourIPAddress
    # leftnexthop=YourGatewayIPAddress
    #
    # For updated Windows 2000/XP clients,
    # to support old clients as well, use leftprotoport=17/%any
    leftprotoport=17/%any
    #
    # The remote user.
    right=%any
    rightsubnet=0.0.0.0/0
    rightnexthop=172.16.1.1
    # Using the magic port of "0" means "any one single port". This is
    # a work around required for Apple OSX clients that use a randomly
    # high port, but propose "0" instead of their port.
    rightprotoport=0/%any
Current OpenSwan routing table

Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
10.5.1.11       0.0.0.0         255.255.255.255 UH      0 0        0 ppp0
172.16.1.0      0.0.0.0         255.255.255.0   U       0 0        0 eth0
0.0.0.0         172.16.1.1      0.0.0.0         UG      0 0        0 eth0
OpenSwan version:
openswan-2.6.43
VPC route table

Destination     Target
172.16.0.0/16   local
0.0.0.0/0       igw-xxxxxxxx
10.5.1.0/24     eni-xxxxxx / i-xxxxxx (openswan)
192.168.0.0/16  vgw-xxxxxxx

Tags: vpn, openswan, amazon-vpc, centos6
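As an added illustration (not part of the question or of OpenSwan), the following Python model reproduces the three route tables involved, the OpenSwan host's kernel table and the VPC table from the post plus two hypothetical Mac client tables, and walks a packet hop by hop with longest-prefix lookups. It shows where traffic to the office subnet or to the internet stops; the Mac tables and the rule that the internet gateway drops un-NATed 10.5.1.x sources are assumptions, not facts from the post.

```python
import ipaddress

# Route tables reconstructed from the question (constructed data, not read
# from a live system). Each entry: (prefix, where a matching packet goes next).
OPENSWAN = [("10.5.1.11/32", "ppp0"), ("172.16.1.0/24", "eth0"),
            ("0.0.0.0/0", "eth0 via 172.16.1.1")]
VPC = [("172.16.0.0/16", "local"), ("0.0.0.0/0", "igw"),
       ("10.5.1.0/24", "openswan"), ("192.168.0.0/16", "vgw")]
# Hypothetical Mac client tables: split tunnel (only the L2TP pool via ppp0)
# and full tunnel ("send all traffic over VPN"); neither is from the question.
MAC_SPLIT = [("10.5.1.0/24", "ppp0"), ("0.0.0.0/0", "en0")]
MAC_FULL = [("0.0.0.0/0", "ppp0")]

def lookup(table, dst):
    """Longest-prefix match, as the Linux FIB and the VPC router both do."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, target in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def trace(dst, mac_table, nat_on_openswan=False):
    """Follow a packet from the Mac client (source 10.5.1.11) toward dst.
    Returns one string per hop; the last one says where the packet ends up."""
    hops = [f"mac -> {lookup(mac_table, dst)}"]
    if lookup(mac_table, dst) != "ppp0":
        return hops + ["leaves via local internet, never enters the VPN"]
    hop = lookup(OPENSWAN, dst)
    hops.append(f"openswan -> {hop}")
    if hop == "ppp0":
        return hops + ["delivered to a VPN client"]
    target = lookup(VPC, dst)
    hops.append(f"vpc -> {target}")
    if target == "igw" and not nat_on_openswan:
        # Assumption modelled here: the internet gateway only forwards packets
        # whose source is a VPC address, so a 10.5.1.x source must first be
        # masqueraded to the instance's own 172.16.1.53 on the OpenSwan host.
        return hops + ["dropped: source 10.5.1.x not NATed to the instance address"]
    return hops + [f"delivered via {target}"]

def reply_path(client_ip="10.5.1.11"):
    """Return path for office or VPC traffic back to a connected client."""
    return [f"vpc -> {lookup(VPC, client_ip)}",
            f"openswan -> {lookup(OPENSWAN, client_ip)}"]
```

Adding a 192.168.1.0/24 entry pointing at ppp0 to the split-tunnel Mac table is what turns the office trace from "never enters the VPN" into delivery via the vgw, which matches the manual route the question mentions.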