Amazon Web Services: inter-region VPN on AWS with VyOS

Tags: amazon-web-services, vpn

I am trying to set up a VPN between two AWS regions (Oregon and Ireland). In Oregon I used the AWS VPN service, and in Ireland I used a vyos EC2 instance from the marketplace. In Oregon I launched an instance and opened its security group for ICMP requests (for testing, to 0.0.0.0/0). The security group of my Vyos instance is also open.

The VPN is up on both sides, but I have a strange problem.

Test 1:

Ping from the Oregon EC2 to the EC2 Vyos: working

Test 2:

Ping from the EC2 Vyos to the EC2 Oregon: not working

But if I start wireshark on the Oregon EC2, I see the ICMP request, and the problem seems to be with the ICMP reply:

11.609958 169.254.12.138 -> 10.10.2.45   ICMP 98 Echo (ping) request    id=0x2f3d, seq=1/256, ttl=63
11.929702   10.0.1.177 -> 10.10.2.45   ICMP 71 Time-to-live exceeded  (Time to live exceeded in transit)
12.610213 169.254.12.138 -> 10.10.2.45   ICMP 98 Echo (ping) request   id=0x2f3d, seq=2/512, ttl=63
12.929659   10.0.1.177 -> 10.10.2.45   ICMP 71 Time-to-live exceeded (Time to live exceeded in transit)
13.610111 169.254.12.138 -> 10.10.2.45   ICMP 98 Echo (ping) request  id=0x2f3d, seq=3/768, ttl=63
13.929952   10.0.1.177 -> 10.10.2.45   ICMP 71 Time-to-live exceeded (Time to live exceeded in transit)

IP information:
10.0.1.177: EC2-Vyos
10.10.2.45: EC2-Oregon
169.254.12.138: the IP of my vti1 in the Vyos conf

Test 3:

Ping from another EC2 instance in Ireland to the EC2 in Oregon: not working

But on the EC2 Oregon instance I again see the ICMP request (10.2.10 is my EC2 instance in Ireland):

I don't understand where the problem is.

My vyos configuration:

interfaces {
ethernet eth0 {
    address dhcp
    duplex auto
    hw-id 0a:14:25:f4:8f:e9
    smp_affinity auto
    speed auto
}
loopback lo {
}
vti vti0 {
    address 169.254.12.62/30
    description "VPC tunnel 1"
    mtu 1436
}
vti vti1 {
    address 169.254.12.138/30
    description "VPC tunnel 2"
    mtu 1436
}
}
protocols {
bgp 65000 {
    neighbor 169.254.12.61 {
        remote-as 7224
        soft-reconfiguration {
            inbound
        }
        timers {
            holdtime 30
            keepalive 30
        }
    }
    neighbor 169.254.12.137 {
        remote-as 7224
        soft-reconfiguration {
            inbound
        }
        timers {
            holdtime 30
            keepalive 30
        }
    }
    network 10.0.0.0/16 {
    }
}
static {
    route 10.0.0.0/16 {
        next-hop 10.0.1.1 {
        }
    }
}
}
service {
ssh {
    disable-password-authentication
    port 22
}
}
system {
config-management {
    commit-revisions 20
}
console {
    device ttyS0 {
        speed 9600
    }
}
host-name VyOS-AMI
login {
    user vyos {
        authentication {
            encrypted-password "*"
            public-keys aws_key-XXXXXX {
                key AAAAB3....
                type ssh-rsa
            }
        }
        level admin
    }
}
ntp {
    server 0.pool.ntp.org {
    }
    server 1.pool.ntp.org {
    }
    server 2.pool.ntp.org {
    }
}
package {
    auto-sync 1
    repository community {
        components main
        distribution helium
        password ""
        url http://packages.vyos.net/vyos
        username ""
    }
}
syslog {
    global {
        facility all {
            level notice
        }
        facility protocols {
            level debug
        }
    }
}
time-zone UTC
}
vpn {
ipsec {
    esp-group AWS {
        compression disable
        lifetime 3600
        mode tunnel
        pfs enable
        proposal 1 {
            encryption aes128
            hash sha1
        }
    }
    ike-group AWS {
        dead-peer-detection {
            action restart
            interval 15
            timeout 30
        }
        key-exchange ikev1
        lifetime 28800
        proposal 1 {
            dh-group 2
            encryption aes128
            hash sha1
        }
    }
    ipsec-interfaces {
        interface eth0
    }
    nat-traversal enable
    site-to-site {
        peer 52.XX.XXX.113 {
            authentication {
                id 52.XX.XXX.132
                mode pre-shared-secret
                pre-shared-secret 7bRiFaXXXXXX
                remote-id 52.XX.XXX.113
            }
            connection-type initiate
            description "VPC tunnel 1"
            ike-group AWS
            local-address 10.0.1.177
            vti {
                bind vti0
                esp-group AWS
            }
        }
        peer 54.186.XXX.33 {
            authentication {
                id 52.XX.XXX.132
                mode pre-shared-secret
                pre-shared-secret AT2Q4XXXXXXXXXX
                remote-id 54.XXX.XXX.33
            }
            connection-type initiate
            description "VPC tunnel 2"
            ike-group AWS
            local-address 10.0.1.177
            vti {
                bind vti1
                esp-group AWS
            }
        }
    }
}
}
Update:

Problem solved.

You can find the whole configuration procedure (a working one) in this repo.

In the end, my problem was solved by upgrading Vyos. (It turned out that the problem came from VyOS bug numbers and , which were fixed in .)

Solution (run on the Vyos instance, not in "configure" mode; the commands appear at the end of this page):

Now I can ping and reach hosts through the VPN connection. The only thing that still does not work is test 2: the Vyos instance itself cannot ping through the VPN, but that does not matter to me; all the other instances can reach through it.


I have created a repository with the procedure for setting up an AWS cross-region VPN:

Is source/destination check disabled on the VPN in Oregon?

No, I disabled it on my Vyos instance, not on the EC2 instance in Oregon.

By EC2 instance, do you mean the VPN instance in Oregon? Or the other test instance in Oregon?
add system image http://packages.vyos.net/iso/release/1.1.5/vyos-1.1.5-amd64.iso
(Press Enter and answer Yes at each question).
reboot
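To make the reading of the capture in the question mechanical, here is an added example (not code from the original post or from VyOS) that parses the six tshark summary lines posted above, buckets them relative to the capturing host, and states which leg of the ping fails; the host address 10.10.2.45 comes from the question, while the bucket names and the verdict wording are my own assumptions.

```python
import re
from collections import defaultdict

# The six capture lines posted in the question (tshark one-line summaries).
CAPTURE = """\
11.609958 169.254.12.138 -> 10.10.2.45   ICMP 98 Echo (ping) request    id=0x2f3d, seq=1/256, ttl=63
11.929702   10.0.1.177 -> 10.10.2.45   ICMP 71 Time-to-live exceeded  (Time to live exceeded in transit)
12.610213 169.254.12.138 -> 10.10.2.45   ICMP 98 Echo (ping) request   id=0x2f3d, seq=2/512, ttl=63
12.929659   10.0.1.177 -> 10.10.2.45   ICMP 71 Time-to-live exceeded (Time to live exceeded in transit)
13.610111 169.254.12.138 -> 10.10.2.45   ICMP 98 Echo (ping) request  id=0x2f3d, seq=3/768, ttl=63
13.929952   10.0.1.177 -> 10.10.2.45   ICMP 71 Time-to-live exceeded (Time to live exceeded in transit)
"""

LINE = re.compile(r"^\s*(?P<t>[\d.]+)\s+(?P<src>\S+) -> (?P<dst>\S+)\s+ICMP \d+ (?P<info>.*)$")
SEQ = re.compile(r"seq=(\d+)/")


def classify(lines, host):
    """Bucket ICMP lines relative to the capturing host: requests that
    reached it, replies it sent, and nodes that reported an error to it."""
    events = defaultdict(list)
    for m in filter(None, map(LINE.match, lines)):
        src, dst, info = m["src"], m["dst"], m["info"]
        if "Echo (ping) request" in info and dst == host:
            events["request_in"].append((src, int(SEQ.search(info)[1])))
        elif "Echo (ping) reply" in info and src == host:
            events["reply_out"].append((dst, int(SEQ.search(info)[1])))
        elif "exceeded" in info and dst == host:
            events["ttl_error_from"].append(src)
    return events


def verdict(events):
    """State which leg of the ping fails, from the buckets above."""
    if not events["request_in"]:
        return "no echo requests reached the host: forward path broken"
    if events["ttl_error_from"]:
        # An echo reply leaves with a full TTL, so a nearby hop reporting
        # "time to live exceeded" for it means the reply is being forwarded
        # round a loop instead of delivered (an inference from the capture,
        # not a proof of the root cause).
        hops = ", ".join(sorted(set(events["ttl_error_from"])))
        return f"requests arrive; return path fails: TTL exceeded reported by {hops}"
    return "requests arrive and no ICMP error was seen: look at the reply path beyond this capture"


if __name__ == "__main__":
    ev = classify(CAPTURE.splitlines(), "10.10.2.45")
    print(ev["request_in"], verdict(ev))
```

Run the same script against a capture taken on the VyOS instance to see whether the replies ever reach the tunnel interface.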