Hi, I have a SonicWall and an OpenSwan instance behind my VPC in AWS. I'm having trouble getting the VPN to connect. I followed this guide: https://www.sonicwall.com/en-us/support/knowledge-base/170504906528100
Additional steps
net.ipv4.ip_forward = 1
AWS instance - source check disabled.
Security groups checked - UDP 500 and UDP 4500.
Network ACL - allow any inbound and outbound
Logs: on the SonicWall (182.57.3.179):
17:52:06 Sep 21 358 VPN Inform IKE Initiator: Start Aggressive Mode negotiation (Phase 1) 182.57.3.179, 500 17.221.128.14, 500 udp VPN Policy: AWS
VPN OPENSWAN [Show Details] [Click to disable this kind of events]
17:52:06 Sep 21 403 VPN Inform IKE negotiation aborted due to Timeout
17:53:18 Sep 21 930 VPN Inform IKE Initiator: Remote party Timeout - Retransmitting IKE Request.
On the OpenSwan instance (17.221.128.14), ipsec barf:
+ sed -n '2243,$p' /var/log/secure
Sep 21 21:49:59 ip-172-31-16-12 ipsec__plutorun: Starting Pluto subsystem...
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: nss directory plutomain: /etc/ipsec.d
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: NSS Initialized
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:25537
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: LEAK_DETECTIVE support [disabled]
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: OCF support for IKE [disabled]
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: SAref support [disabled]: Protocol not available
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: SAbind support [disabled]: Protocol not available
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: NSS support [enabled]
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: HAVE_STATSD notification support not compiled in
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Setting NAT-Traversal port-4500 floating to on
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: port floating activation criteria nat_t=1/port_float=1
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: NAT-Traversal support [enabled]
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: starting up 1 cryptographic helpers
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: started helper (thread) pid=139735991080704 (fd:8)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Using Linux 2.6 IPsec interface code on 4.9.43-17.39.amzn1.x86_64 (experimental code)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Could not change to directory '/etc/ipsec.d/cacerts': /
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Could not change to directory '/etc/ipsec.d/aacerts': /
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Could not change to directory '/etc/ipsec.d/crls'
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: added connection description "SonicWall"
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: listening for IKE messages
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface eth0/eth0 172.31.16.12:500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface eth0/eth0 172.31.16.12:4500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface lo/lo 127.0.0.1:500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface lo/lo 127.0.0.1:4500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface lo/lo ::1:500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: loading secrets from "/etc/ipsec.secrets"
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: "SonicWall": We cannot identify ourselves with either end of this connection.
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: ignoring unknown Vendor ID payload [5b362bc820f60007]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: ignoring Vendor ID payload [Sonicwall 2 (3.1.0.12-86s?)]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: received Vendor ID payload [Dead Peer Detection]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: received Vendor ID payload [XAUTH]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.154:500: initial Aggressive Mode message from 182.57.3.154 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE
It looks like 173.57.3.154 (Sonicwall) is talking to OpenSwan but not establishing the tunnel.
FYI - I have used the AWS VPC VPN with a SonicWall. However, I'm only using this instance for testing purposes, and an OpenSwan instance is cheaper than a VPC VPN connection. Plus I can turn the instances on/off. Again, this is a test environment between AWS and the SonicWall. I'm open to any suggestions.
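For readers working through the same pluto log, the two lines that matter are "We cannot identify ourselves with either end of this connection" (pluto prints this when neither left= nor right= matches an address it listens on; the log shows it listening only on 172.31.16.12, the instance's private address, not the Elastic IP) and "no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE" (no conn with authby=secret and aggrmode=yes matched the incoming peer). The following /etc/ipsec.conf is an added example written for this page, not the poster's configuration and not taken from the SonicWall KB article. It assumes Openswan 2.6.x with the netkey stack, the addresses visible in the logs (172.31.16.12 as the private address, 17.221.128.14 as the Elastic IP, 182.57.3.179 as the SonicWall's WAN address), a VPC CIDR of 172.31.0.0/16, an on-premises LAN of 192.168.1.0/24, and AES-256/SHA-1/DH group 2 proposals; every one of those values is an assumption that must be matched to the real SonicWall policy. Note also that the pluto log shows the Aggressive Mode message arriving from 182.57.3.154, not .179, so right= has to be whichever address the packets actually come from.

```ini
# /etc/ipsec.conf  (Openswan 2.6.x, netkey)  -- added example, not from the original post
config setup
    protostack=netkey
    nat_traversal=yes            # the instance sits behind AWS 1:1 NAT, so UDP 4500 floating is required

conn SonicWall
    type=tunnel
    authby=secret                # PSK, matches the "PSK+AGGRESSIVE" policy pluto was looking for
    aggrmode=yes                 # the SonicWall initiates Aggressive Mode, so the conn must allow it
    ike=aes256-sha1;modp1024     # aggressive mode accepts exactly one Phase 1 proposal; assumed, must equal the SonicWall Phase 1
    phase2alg=aes256-sha1        # Phase 2 proposal; assumed, must equal the SonicWall Phase 2
    pfs=yes                      # only if "Enable Perfect Forward Secrecy" is set on the SonicWall
    # left must be the address pluto actually binds (172.31.16.12 in the log), not the Elastic IP;
    # leftid is what the SonicWall sees as the peer and expects as the peer IKE ID.
    left=172.31.16.12
    leftid=17.221.128.14
    leftsubnet=172.31.0.0/16     # VPC CIDR, assumed
    right=182.57.3.179           # must be the source address of the IKE packets
    rightid=182.57.3.179         # SonicWall local IKE ID, assumed to be its WAN IP
    rightsubnet=192.168.1.0/24   # LAN behind the SonicWall, hypothetical
    keyexchange=ike
    ikelifetime=8h
    keylife=1h
    dpddelay=30                  # the SonicWall advertises Dead Peer Detection; let pluto use it
    dpdtimeout=120
    dpdaction=restart
    auto=start
```

The matching entry in /etc/ipsec.secrets uses the same two IDs as the conn, for example `17.221.128.14 182.57.3.179 : PSK "replace-with-the-shared-secret"`, and the secret must be identical to the one in the SonicWall policy. After editing, run `ipsec verify`, `service ipsec restart` and `ipsec auto --status`, then watch `/var/log/secure` while the SonicWall retries. One caveat for anything beyond a test environment: Aggressive Mode with a PSK sends the identity in the clear and lets an on-path observer capture a hash of the pre-shared key for offline cracking; since both ends here have static addresses, Main Mode (aggrmode=no and "Main Mode" in the SonicWall policy) is the safer choice once the tunnel is working.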