VPN 문제-AWS 및 Sonicwall

안녕하세요. AWS에서 VPC 뒤에 Sonicwall과 OpenSwan 인스턴스가 있습니다. VPN 연결에 문제가 있습니다. 나는이 가이드를 따라 갔다 : https://www.sonicwall.com/en-us/support/knowledge-base/170504906528100

추가 단계

net.ipv4.ip_forward = 1

AWS 인스턴스-소스 확인을 비활성화합니다.

확인 된 보안 그룹-UDP 500 및 UDP 4500.

네트워크 ACL-인바운드 및 아웃 바운드 허용

로그 : On Sonicwall (182.57.3.179) :

17:52:06 Sep 21 358 VPN Inform  IKE Initiator: Start Aggressive Mode negotiation (Phase 1)  182.57.3.179, 500   17.221.128.14, 500  udp VPN Policy: AWS
VPN OPENSWAN    [Show Details] [Click to disable this kind of events]
17:52:06 Sep 21 403 VPN Inform  IKE negotiation aborted due to Timeout

17:53:18 Sep 21 930 VPN Inform  IKE Initiator: Remote party Timeout - Retransmitting IKE Request.

OpenSwan 인스턴스 (17.221.128.14) ipsec barf :

+ sed -n '2243,$p' /var/log/secure
Sep 21 21:49:59 ip-172-31-16-12 ipsec__plutorun: Starting Pluto subsystem...
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: nss directory plutomain: /etc/ipsec.d
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: NSS Initialized
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Starting Pluto (Openswan Version 2.6.37; Vendor ID OEu\134d\134jy\134\134ap) pid:25537
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: LEAK_DETECTIVE support [disabled]
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: OCF support for IKE [disabled]
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: SAref support [disabled]: Protocol not available
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: SAbind support [disabled]: Protocol not available
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: NSS support [enabled]
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: HAVE_STATSD notification support not compiled in
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Setting NAT-Traversal port-4500 floating to on
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]:    port floating activation criteria nat_t=1/port_float=1
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]:    NAT-Traversal support  [enabled]
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok (ret=0)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: starting up 1 cryptographic helpers
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: started helper (thread) pid=139735991080704 (fd:8)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Using Linux 2.6 IPsec interface code on 4.9.43-17.39.amzn1.x86_64 (experimental code)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_ccm_8: Ok (ret=0)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_ccm_12: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_ccm_16: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_gcm_8: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_gcm_12: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_add(): ERROR: Algorithm already exists
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: ike_alg_register_enc(): Activating aes_gcm_16: FAILED (ret=-17)
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Could not change to directory '/etc/ipsec.d/cacerts': /
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Could not change to directory '/etc/ipsec.d/aacerts': /
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Could not change to directory '/etc/ipsec.d/ocspcerts': /
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Could not change to directory '/etc/ipsec.d/crls'
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: Non-fips mode set in /proc/sys/crypto/fips_enabled
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: added connection description "SonicWall"
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: listening for IKE messages
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface eth0/eth0 172.31.16.12:500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface eth0/eth0 172.31.16.12:4500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface lo/lo 127.0.0.1:500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface lo/lo 127.0.0.1:4500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: adding interface lo/lo ::1:500
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: loading secrets from "/etc/ipsec.secrets"
Sep 21 21:49:59 ip-172-31-16-12 pluto[25537]: "SonicWall": We cannot identify ourselves with either end of this connection.
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: ignoring Vendor ID payload [Sonicwall 1 (TZ 170 Standard?)]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: ignoring unknown Vendor ID payload [5b362bc820f60007]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: ignoring Vendor ID payload [Sonicwall 2 (3.1.0.12-86s?)]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: received Vendor ID payload [Dead Peer Detection]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.179:500: received Vendor ID payload [XAUTH]
Sep 21 21:50:06 ip-172-31-16-12 pluto[25537]: packet from 182.57.3.154:500: initial Aggressive Mode message from 182.57.3.154 but no (wildcard) connection has been configured with policy=PSK+AGGRESSIVE

173.57.3.154 (Sonicwall)와 같은 소리가 OpenSwan과 대화 중이지만 터널을 설정하지 않았습니다.

참고로 Sonicwall과 함께 AWS VPC VPN을 사용했습니다. 그러나 테스트 목적으로 만 인스턴스를 사용하며 OpenSwan 인스턴스는 VPC-VPN 연결보다 저렴합니다. 또한 인스턴스를 켜거나 끌 수 있습니다. 다시 이것은 AWS와 Sonicwall 간의 테스트 환경입니다. 나는 모든 제안에 열려 있습니다.