[Sharing] Connecting a Cyberoam to AWS over IPsec VPN
翔偉 handed me a job: set up an IPsec VPN between a Cyberoam appliance and AWS.
The job was worth NT$10,000, but I didn't manage to earn it.
Where it failed: the IPsec tunnel clearly showed as up,
but users behind the Cyberoam simply could not reach the hosts on the AWS side...
On the day of the job the customer invited both me and AWS staff on site to work the problem together.
Because the customer's environment was very complex, I first tested with the Cyberoam itself talking to AWS:
if Cyberoam-to-AWS worked, then users routed through the Cyberoam to AWS ought to work as well.
But things did not go as expected. The Cyberoam was clearly up, yet once the user subnet was added on both ends, users still could not reach AWS.
The AWS staff said AWS does support IPsec with multiple subnets, and that AWS could reach the users;
the awkward part was that the users never could reach AWS.
Testing showed that adding the user subnet to an already-working Cyberoam-to-AWS connection caused the Cyberoam to lose connectivity to the far end,
which suggested that AWS does not support carrying multiple remote subnets in a single IPsec VPN connection.
That result was a long way from what the AWS staff were saying.
But after switching to multiple one-to-one IPsec connections, separating the Cyberoam subnet from the user subnet,
not only did the user subnet stay down, even Cyberoam-to-AWS started working intermittently, up one moment and down the next. The problem just kept getting worse.
Could this be a Cyberoam firmware issue!?
In the end I resorted to a hack: NAT the users on their way into AWS so that everything came from the Cyberoam's own IP.
That got traffic through, but behind NAT the AWS side can no longer tell the individual user IPs apart.
Not an ideal solution...
Because of time constraints I couldn't stay on to keep debugging,
and in the end 翔偉 brought in 大師兄 (our senior) from Hsinchu to handle the case.
And 大師兄 lived up to expectations: he really did solve the problem that 順子 (me) couldn't!
The crux of the problem is as follows:
Local Subnet: <local_subnet> <local_subnet_mask>
! Enter your local network CIDR in the Address tab.
! Please ensure that you do not specify multiple local network entries here. If you specify more than one entry, the VPN will function erratically.
! Please note - When using a policy-based VPN configuration, AWS limits the number of security associations to a single pair (one inbound and one outbound).
! Policy-based VPNs that are configured with more than one security association will drop existing VPN tunnel connections when initiating a VPN tunnel connection that uses a different security association.
! This problem will be perceived as intermittent packet loss or connectivity failure as new VPN connections with one security association interrupt VPN tunnel connections established with a different security association.
! To overcome this issue - Limit the number of encryption domains (networks) that are allowed access to the virtual private cloud (VPC) and consolidate. Or
! Configure the policy to allow "any" network (0.0.0.0/0) from behind the customer gateway to the VPC CIDR. Essentially, this allows any network behind the customer gateway with a destination of the AWS VPC to pass through the tunnel, which will only create a single security association.
! When possible, implement a traffic filter on the customer gateway to block unwanted traffic to the VPC.
As the AWS vendor documentation above states, a policy-based VPN to AWS gets exactly one security association pair (one inbound, one outbound).
When a second local/remote subnet pair tries to bring up its own security association, the tunnel that is already established is dropped, so at any one moment only one subnet pair can be passing traffic.
If the customer side needs several internal IP ranges to reach the VPC, the fix is to consolidate those ranges into a single configured local network (or allow 0.0.0.0/0 behind the customer gateway and filter unwanted traffic on the gateway itself).
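To make the limitation above concrete, here is an added example (not code from the original post, and not from AWS or Cyberoam). It counts the phase-2 security associations a policy-based tunnel negotiates, one per local/remote subnet pair, and then computes the single covering prefix the AWS template asks for, reporting how many extra addresses that widening lets through so you know whether the "traffic filter on the customer gateway" advice applies. The addresses are constructed for the example: 192.168.10.0/24 for the Cyberoam LAN, 192.168.20.0/24 for the user LAN and 10.0.0.0/16 for the VPC; none of them come from the post.

```python
"""Added example, not code from the original post or from AWS/Cyberoam.

A policy-based (IKEv1 quick-mode) tunnel negotiates one phase-2 security
association (SA) pair per (local subnet, remote subnet) combination.  The AWS
template quoted above keeps only ONE such pair and drops the other, which is
the "tunnel up, users unreachable" symptom in the post.  The fix is to give
AWS a single local encryption domain.

Constructed addresses for the example (hypothetical, not from the post):
  Cyberoam LAN  192.168.10.0/24
  user LAN      192.168.20.0/24
  AWS VPC       10.0.0.0/16
"""
import ipaddress


def sa_pairs(local_subnets, remote_subnets):
    """Selector pairs a policy-based tunnel will negotiate: the cross product
    of local and remote subnets, one phase-2 SA pair each."""
    locals_ = [ipaddress.ip_network(n) for n in local_subnets]
    remotes = [ipaddress.ip_network(n) for n in remote_subnets]
    return [(str(l), str(r)) for l in locals_ for r in remotes]


def covering_supernet(subnets):
    """Smallest single IPv4 prefix that contains every subnet in `subnets`.
    Widens one bit at a time; ends at 0.0.0.0/0 if the subnets share no
    leading bits (that is the AWS template's "any network" option)."""
    nets = [ipaddress.ip_network(n) for n in subnets]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # /0 is returned unchanged, so this terminates
    return cover


def consolidate(local_subnets, remote_subnets):
    """Plan a single-SA policy as the AWS template recommends.

    Returns the one local and one remote selector to configure, the number of
    SA pairs that policy yields (always 1), whether the local side collapsed
    all the way to 0.0.0.0/0, and how many addresses the widened local
    selector admits beyond the subnets actually wanted.  A non-zero extra
    count is the case where the template says to add a traffic filter on the
    customer gateway."""
    local = covering_supernet(local_subnets)
    remote = covering_supernet(remote_subnets)
    wanted = sum(
        n.num_addresses
        for n in ipaddress.collapse_addresses(
            ipaddress.ip_network(s) for s in local_subnets
        )
    )
    return {
        "local": str(local),
        "remote": str(remote),
        "sa_pairs": len(sa_pairs([str(local)], [str(remote)])),
        "local_is_any": local.prefixlen == 0,
        "extra_local_addresses": local.num_addresses - wanted,
    }


if __name__ == "__main__":
    cyberoam_lan, user_lan, vpc = "192.168.10.0/24", "192.168.20.0/24", "10.0.0.0/16"

    # What the post's failing setup did: two local subnets against one VPC.
    before = sa_pairs([cyberoam_lan, user_lan], [vpc])
    print("two local subnets ->", len(before), "SA pairs:", before)
    print("AWS keeps one pair, so whichever subnet negotiated second breaks the first")

    # What the AWS template recommends: one consolidated local selector.
    after = consolidate([cyberoam_lan, user_lan], [vpc])
    print("consolidated policy ->", after)
```

Run it as-is and the "before" case reports two SA pairs, which is exactly the situation the template warns will flap; the consolidated plan reports a single pair with local selector 192.168.0.0/19, plus a count of the unrelated addresses inside that /19 that a filter on the Cyberoam should block. If the local subnets are unrelated (say 10.1.0.0/24 and 172.16.5.0/24) the cover degenerates to 0.0.0.0/0, which is the template's second option and definitely needs the filter.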
So the problem was on the AWS side all along!
When we found that one-to-many didn't work and switched to multiple one-to-one connections,
the AWS engineers never once said that they don't support multiple VPN connections at the same time!
(I suspect AWS themselves didn't even know AWS has this limitation!?)
大師兄 really is impressive~
He knew to go and check the AWS vendor documentation to pin the problem down, which beats my head-down grinding by a mile!
大師兄 is 大師兄 for a reason; he really does have the knack!
If you don't like something, change it.
If you can't change it, change your attitude.
Don't complain!