IPsec tunnel fails at phase 2

We are trying to establish a tunnel between our EC2 instance and a remote Cisco 3000 series device, and it fails at phase 2. Below is the scenario:

FTP server (ec2-ubuntu) <----> VPN server (ec2-ubuntu) <------> Cisco 3000 <---> Client servers
(E-IP)                         (E-IP)                            (Peer IP)        (Public IP)

Requirements: 1. The client servers must reach the FTP server via its Elastic IP address through the IPSEC tunnel. 2. The IKE and ESP parameters look fine based on the details provided by the client.

================IPSEC Configuration START=========
config setup
 nat_traversal=yes
 protostack=netkey
 plutostderrlog=/var/log/pluto.log
 nhelpers=0

 conn example-one
  authby=secret
  auto=start
  type=tunnel
  left=%defaultroute
  leftid=107.23.xx.xx
  leftsourceip=107.23.xx.xx
  leftsubnet=107.23.xxx.xxx/32
  right=144.230.xx.xx
  rightid=144.230.xx.xx
  rightsourceip=144.230.xx.xx
  rightsubnets={144.226.xxx.xx/32 144.226.xxx.xx/32}
  keyexchange=ike
  ike=aes256-sha1;modp1024
  phase2=esp
  phase2alg=aes256-sha1;modp1024
  aggrmode=no
  pfs=no

=============END=================

==========iptables nat rules on VPN Server ======

iptables -t nat -A PREROUTING -d 107.23.xxx.xxx -j DNAT --to-destination 10.0.10.20 
iptables -t nat -A POSTROUTING -d 10.0.10.20 -j SNAT --to-source 107.23.xxx.xxx

10.0.10.20 <<------ private IP address of the FTP server

107.23.xxx.xxx <<------ EIP of the FTP server

Below is the ipsec status on my VPN server.

000 Total IPsec connections: loaded 1, active 1
000  
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000  
000 #2: "example-one":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 28045s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "example-one" esp.69407810@144.230.xxx.xxx esp.27de4982@10.0.10.26 tun.0@144.230.xxx.xxx tun.0@10.0.10.26 ref=0 refhim=4294901761 Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B 
000 #1: "example-one":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2604s; newest ISAKMP; lastdpd=-1s(seq in:0 out:0); idle; import:admin initiate
000  
000 Bare Shunt list:
000

Below are the pluto logs.

Apr  3 12:44:28: adding interface lo/lo ::1:500
Apr  3 12:44:28: | setup callback for interface lo:500 fd 22
Apr  3 12:44:28: | setup callback for interface lo:4500 fd 21
Apr  3 12:44:28: | setup callback for interface lo:500 fd 20
Apr  3 12:44:28: | setup callback for interface eth0:4500 fd 19
Apr  3 12:44:28: | setup callback for interface eth0:500 fd 18
Apr  3 12:44:28: | setup callback for interface eth0:4500 fd 17
Apr  3 12:44:28: | setup callback for interface eth0:500 fd 16
Apr  3 12:44:28: loading secrets from "/etc/ipsec.secrets"
Apr  3 12:44:28: loading secrets from "/etc/ipsec.d/example.secrets"
Apr  3 12:44:28: "example-one" #1: initiating Main Mode
Apr  3 12:44:28: "example-one" #1: received Vendor ID payload [RFC 3947]
Apr  3 12:44:28: "example-one" #1: received Vendor ID payload [FRAGMENTATION c0000000]
Apr  3 12:44:28: "example-one" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Apr  3 12:44:28: "example-one" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Apr  3 12:44:28: "example-one" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Apr  3 12:44:28: "example-one" #1: received Vendor ID payload [Cisco-Unity]
Apr  3 12:44:28: "example-one" #1: received Vendor ID payload [XAUTH]
Apr  3 12:44:28: "example-one" #1: ignoring unknown Vendor ID payload [5397e372bf085cf3a0b093e1623498c2]
Apr  3 12:44:28: "example-one" #1: ignoring Vendor ID payload [Cisco VPN 3000 Series]
Apr  3 12:44:28: "example-one" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal) sender port 500: I am behind NAT
Apr  3 12:44:28: "example-one" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Apr  3 12:44:28: "example-one" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Apr  3 12:44:28: "example-one" #1: received Vendor ID payload [Dead Peer Detection]
Apr  3 12:44:28: | protocol/port in Phase 1 ID Payload is 17/0. accepted with port_floating NAT-T
Apr  3 12:44:28: "example-one" #1: Main mode peer ID is ID_IPV4_ADDR: '144.230.xxx.xxx'
Apr  3 12:44:28: "example-one" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Apr  3 12:44:28: "example-one" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP1024}
Apr  3 12:44:28: "example-one" #2: initiating Quick Mode PSK+ENCRYPT+TUNNEL+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW {using isakmp#1 msgid:effe9287 proposal=AES(12)_256-SHA1(2)_000 pfsgroup=no-pfs}
Apr  3 12:44:28: "example-one" #2: ignoring informational payload IPSEC_RESPONDER_LIFETIME, msgid=effe9287, length=28
Apr  3 12:44:28: | ISAKMP Notification Payload
Apr  3 12:44:28: |   00 00 00 1c  00 00 00 01  03 04 60 00
Apr  3 12:44:28: "example-one" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Apr  3 12:44:28: "example-one" #2: STATE_QUICK_I2: sent QI2, IPsec SA established tunnel mode {ESP/NAT=>0x414c5406 <0x8df53642 xfrm=AES_256-HMAC_SHA1 NATOA=none NATD=144.230.xxx.xxx:4500 DPD=passive} 

Below is the tcpdump output.

# tcpdump -n -i eth0 esp or udp port 500 or udp port 4500
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
11:58:42.229262 IP 10.0.10.26.ipsec-nat-t > 144.230.xxx.xxx.ipsec-nat-t: isakmp-nat-keep-alive
11:58:42.229280 IP 10.0.10.26.ipsec-nat-t > 144.230.xxx.xxx.ipsec-nat-t: isakmp-nat-keep-alive
11:58:44.487779 IP 144.230.xxx.xxx.ipsec-nat-t > 10.0.10.26.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? inf[E]
11:58:44.487986 IP 10.0.10.26.ipsec-nat-t > 144.230.xxx.xxx.ipsec-nat-t: NONESP-encap: isakmp: phase 2/others ? inf[E]

And below is the sysctl output.

sysctl -p
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.ip_forward = 1 

Below are the iptables rules applied on the VPN server.

 iptables -t nat --line-numbers -L
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination        
1    DNAT       all  --  anywhere             ec2-107-23-xxx-xxx.compute-1.amazonaws.com  to:10.0.10.20

Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination        

Chain OUTPUT (policy ACCEPT)
num  target     prot opt source               destination        

Chain POSTROUTING (policy ACCEPT)
num  target     prot opt source               destination        
1    SNAT       all  --  anywhere             ip-10-0-10-20.ec2.internal  to:107.23.xxx.xxx
2    MASQUERADE  all  --  anywhere             anywhere

1
asked 3 April 2017 at 16:45
1 answer
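As an added diagnostic, not code from the question or the answer, the script below parses the three artifacts shown in the question (the conn block from ipsec.conf, the `ipsec status` output and pluto.log) and flags the two things visible in them: an IPsec SA that is established but shows ESPout=0B ESPin=0B, and a leftid set to a public address even though pluto logged "I am behind NAT". The sample inputs are constructed and their addresses are made up.

```python
import ipaddress
import re

# Constructed sample input modelled on the artifacts in the question
# (addresses are made up; the real ones are masked as xx in the post).
IPSEC_CONF = "conn example-one\n  leftid=107.23.0.2\n  leftsubnet=107.23.0.3/32\n  right=144.230.0.1\n"
IPSEC_STATUS = ('000 #2: "example-one" esp.69407810@144.230.0.1 esp.27de4982@10.0.10.26 '
                "Traffic: ESPout=0B ESPin=0B! ESPmax=4194303B\n")
PLUTO_LOG = ('Apr  3 12:44:28: "example-one" #1: NAT-Traversal: Result using RFC 3947 '
             "(NAT-Traversal) sender port 500: I am behind NAT\n")

_UNIT = {"": 1, "K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
# One SA line of `ipsec status`: conn name plus the ESP byte counters.
_TRAFFIC = re.compile(r'^000 #\d+: "([^"]+)".*Traffic: ESPout=(\d+)([KMG]?)B ESPin=(\d+)([KMG]?)B',
                      re.MULTILINE)

def parse_conn(conf):
    """Return the key=value settings of one conn block as a dict."""
    settings = {}
    for line in conf.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            settings[key.strip()] = value.strip()
    return settings

def sa_traffic(status):
    """Map each conn in `ipsec status` output to (ESPout, ESPin) in bytes."""
    return {m.group(1): (int(m.group(2)) * _UNIT[m.group(3)], int(m.group(4)) * _UNIT[m.group(5)])
            for m in _TRAFFIC.finditer(status)}

def behind_nat(log):
    """True when pluto reported that this host itself sits behind NAT (an EC2 EIP is 1:1 NAT)."""
    return "I am behind NAT" in log

def check_tunnel(conf, status, log):
    """Return findings as strings; an empty list means nothing suspicious was seen."""
    findings = []
    for name, (out_b, in_b) in sa_traffic(status).items():
        if out_b == 0 and in_b == 0:
            findings.append(f"{name}: IPsec SA is up but carries no ESP traffic, so packets "
                            "never match the policy (check routes and the NAT rules)")
    leftid = parse_conn(conf).get("leftid")
    if leftid and behind_nat(log) and ipaddress.ip_address(leftid).is_global:
        findings.append(f"leftid={leftid} is a public address but pluto says this host is "
                        "behind NAT; use the instance's private IP as leftid")
    return findings
```

Run `check_tunnel` on the real files; a non-empty list points at the same two issues the accepted answer addresses.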

Below are the steps to make this work.

  1. You need to update the route table with the interface ID of your VPN server, so that all traffic from your FTP server to the right subnet goes through the VPN host, i.e. {144.226.xxx.xxx/32 eniXXXXXX (the interface id of your VPN server)}

  2. The IPSEC configuration will look like the following

 conn example-one
  authby=secret
  auto=start
  type=tunnel
  left=%defaultroute
  leftid=10.0.10.30 #### private IP of your VPN server
  leftsubnet=107.23.xx.xxx/32 ### public IP of the FTP server
  leftnexthop=%defaultroute
  right=144.230.xxx.xxx ### peer IP of the Cisco device
  rightid=144.230.xxx.xxx ### peer IP of the Cisco device
  rightnexthop=107.23.XXX.XXX ### EIP of your VPN server
  rightsubnet=144.226.xxx.xxx/32 ### right / client side subnet
  keyexchange=ike
  ike=aes256-sha1;modp1024
  phase2=esp
  phase2alg=aes256-sha1;modp1024
  aggrmode=no
  pfs=no
 
  3. Finally you need to add the nat rules in your firewall.

    iptables -t nat -A PREROUTING -d 107.23.xxx.xxx (FTP server IP) -j DNAT --to-destination 10.0.10.32 (private ip of your FTP server)

    iptables -t nat -A POSTROUTING -s 10.0.10.32 -d 144.26.XXX.XXX (client / right side IP) -j SNAT --to-source 107.23.XXX.XXX (FTP server IP)

Note:

  1. IPv4 forwarding should be enabled in sysctl.conf.
  2. In the secrets file use your private ip, like: "10.0.10.30 (private IP of the host) 144.23.xxx.xxx (Cisco peer IP): "
2
answered 3 December 2019 at 20:26
