Unable to set up a site-to-site VPN connection between strongSwan and AWS VPN Gateway

I have been trying to set up a site-to-site VPN connection between AWS and my on-prem network. We have a dedicated strongSwan VPN gateway in our on-prem network and an AWS managed VPN gateway on the AWS side. Whatever I do I am unable to set up the tunnel. Here is my strongSwan config.

conn Tunnel1
    type=tunnel
    auto=add
    keyexchange=ikev2
    authby=psk
    leftid=<Outside-tunnel-ip>
    leftsubnet=<AWS CIDR>
    right=<Outside-tunnel-ip>
    rightsubnet=<ON-PREM CIDR>
    aggressive=no
    ikelifetime=28800s
    lifetime=3600s
    margintime=270s
    rekey=yes
    rekeyfuzz=100%
    fragmentation=yes
    replay_window=1024
    dpddelay=30s
    dpdtimeout=120s
    dpdaction=restart
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    keyingtries=%forever
    mark=100
    leftupdown="/etc/ipsec.d/aws-updown.sh -ln Tunnel1 -ll <tunnel inside ip> -lr <tunnel outside ip>  -m 100 -r <aws_vpc_id>"

I have made sure the configuration I have on the AWS side matches the configuration on the strongSwan side. But I still can't establish the tunnel.

Logs from the strongSwan daemon.

ipsec[164912]: Starting strongSwan 5.9.5 IPsec [starter]...
charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-1004-aws, x86_64)
charon: 00[LIB] providers loaded by OpenSSL: legacy default
charon: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
charon: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
charon: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
charon: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
charon: 00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
charon: 00[CFG]   loaded IKE secret for <outside tunnel ip left> <outside tunnel ip right>
charon: 00[LIB] loaded plugins: charon aesni aes rc2 sha2 sha1 md5 mgf1 random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl fips-prf gmp agent xcbc hmac gcm drbg attr kernel-netlink resolve socket-default connmark stroke updown eap-mschapv2 xauth-generic counters
charon: 00[LIB] dropped capabilities, running as uid 0, gid 0
charon: 00[JOB] spawning 16 worker threads
ipsec[164912]: charon (164916) started after 20 ms
charon: 05[CFG] received stroke: add connection 'Tunnel1'
charon: 05[CFG] added configuration 'Tunnel1'

Make sure you have the rightsubnet=<AWS_internal_network> and left_subnet=<AWS_internal_network>

On libreswan I also added: leftsourceip=<CGW_internal_ip> rightsourceip=<VGW_internal_ip>
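As an added check that is not part of the original question or answer, the script below parses the posted conn block layout and the charon log (with constructed sample addresses and CIDRs, all assumed) and reports the two settings that keep this tunnel from coming up: in strongSwan 5.x "left" is always the local side, so leftsubnet must be the on-prem CIDR, and auto=add only loads the connection, so nothing is initiated unless `ipsec up` is run (AWS waits for the customer gateway to initiate by default).

```python
import ipaddress
import re

# Constructed sample input: the poster's conn layout with assumed addresses
# (203.0.113.10 CGW, 198.51.100.20 AWS outside IP, 10.0.0.0/16 AWS VPC,
# 192.168.1.0/24 on-prem).
SAMPLE_CONF = """\
conn Tunnel1
    auto=add
    keyexchange=ikev2
    leftid=203.0.113.10
    leftsubnet=10.0.0.0/16
    right=198.51.100.20
    rightsubnet=192.168.1.0/24
"""
# Constructed log: the last two charon lines from the question.
SAMPLE_LOG = """\
charon: 05[CFG] received stroke: add connection 'Tunnel1'
charon: 05[CFG] added configuration 'Tunnel1'
"""

def parse_conns(text):
    """Return {conn_name: {key: value}} from ipsec.conf-style text."""
    conns, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"^conn\s+(\S+)", line)
        if m:
            cur = conns.setdefault(m.group(1), {})
        elif cur is not None and "=" in line and not line.lstrip().startswith("#"):
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip()
    return conns

def check_conn(conn, onprem_cidr, aws_cidr, log):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    net = lambda s: ipaddress.ip_network(s, strict=False)
    findings = []
    # strongSwan 5.x: "left" is always the local (customer gateway) side,
    # so leftsubnet must be the on-prem CIDR and rightsubnet the AWS CIDR.
    if (net(conn.get("leftsubnet", "0.0.0.0/0")) == net(aws_cidr)
            and net(conn.get("rightsubnet", "0.0.0.0/0")) == net(onprem_cidr)):
        findings.append("leftsubnet/rightsubnet are swapped: left is local in strongSwan")
    # auto=add only loads the connection; AWS waits for the CGW to initiate by
    # default, so nothing starts unless 'ipsec up Tunnel1' is run.
    if conn.get("auto") == "add":
        findings.append("auto=add never initiates; use auto=start or run 'ipsec up'")
    # charon logs "initiating IKE_SA <conn>[n] to <peer>" when it tries.
    if "initiating IKE_SA" not in log:
        findings.append("log shows no IKE_SA initiation: no IKE exchange was attempted")
    return findings
```

Run `check_conn(parse_conns(SAMPLE_CONF)["Tunnel1"], "192.168.1.0/24", "10.0.0.0/16", SAMPLE_LOG)` to see all three findings for the posted layout; with the subnets swapped back, auto=start, and a log containing an "initiating IKE_SA" line it returns an empty list.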
