Abstract
- The goal: "make a remote-access VPN connection to AWS using the built-in VPN client of Windows 10, Android, etc."
- This time I chose "VyOS" as the VPN server on the AWS side.
- Let me say this up front: this approach has not succeeded yet... it seems people all over the world are struggling with it.
- The Windows 7 registry change / Microsoft site didn't help either (though this turns out to have a tremendous effect with a different approach (to be published soon)!!)
- There is one tricky solution, but I haven't tried it yet (the part where a global IP is used like a private IP (?) looks like a grey area).
- Somehow it feels like a "Double NAT" root cause is standing in the way...
- Also, there is a theory that VyOS "cannot handle simultaneous VPN connections from different users", so for Point-to-Site VPN I would recommend OpenVPN, Windows VPN, or SoftEther. (I haven't tried it myself, but strongSwan may also be a candidate?)
- Truly hardcore people seem to build L2TP on CentOS themselves.
This is how far I have gotten, and I am stuck...
Referring to these:
I made the settings below, but it has not succeeded...
configure
set system time-zone Asia/Tokyo
set interfaces ethernet eth0 address '10.0.11.250/24'
set interfaces ethernet eth1 address '10.0.12.250/24'
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn l2tp remote-access outside-address 10.0.11.250 # also tried the Elastic IP address here
set vpn l2tp remote-access outside-nexthop 0.0.0.0
(delete vpn l2tp remote-access outside-nexthop) # also tried without outside-nexthop
set vpn l2tp remote-access client-ip-pool start 192.168.110.1
set vpn l2tp remote-access client-ip-pool stop 192.168.110.100
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret XXXXXXXX
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username XXXXXXXX password XXXXXXXX
set nat source rule 110 outbound-interface 'eth0'
set nat source rule 110 source address '192.168.110.0/24'
set nat source rule 110 translation address masquerade
(delete nat source rule 110) # also tried without the masquerade rule
Errors like these keep occurring
No matter what I do, I cannot get rid of the following errors on the VyOS server...
messages
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: received Vendor ID payload [RFC 3947]
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [FRAGMENTATION]
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [Vid-Initial-Contact]
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [IKE CGA version 1]
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: responding to Main Mode from unknown peer XXX.XXX.XXX.XXX
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: Oakley Transform [AES_CBC (128), HMAC_SHA1, ECP_256] refused due to strict flag
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_2048] refused due to strict flag
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: NAT-Traversal: Result using RFC 3947: both are NATed
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: Peer ID is ID_IPV4_ADDR: 'ZZZ.ZZZ.ZZZ.ZZZ'
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX #66: deleting connection "remote-access-mac-zzz" instance with peer XXX.XXX.XXX.XXX {isakmp=#0/ipsec=#0}
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sent MR3, ISAKMP SA established
MMM DD HH:MM:46 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: cannot respond to IPsec SA request because no connection is known for GGG.GGG.GGG.GGG/32===YYY.YYY.YYY.YYY:4500[YYY.YYY.YYY.YYY]:17/1701...XXX.XXX.XXX.XXX:4500[ZZZ.ZZZ.ZZZ.ZZZ]:17/%any===ZZZ.ZZZ.ZZZ.ZZZ/32
MMM DD HH:MM:46 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sending encrypted notification INVALID_ID_INFORMATION to XXX.XXX.XXX.XXX:4500
MMM DD HH:MM:47 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
MMM DD HH:MM:47 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.XXX:4500
MMM DD HH:MM:48 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
MMM DD HH:MM:48 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.XXX:4500
MMM DD HH:MM:51 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
MMM DD HH:MM:51 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.XXX:4500
MMM DD HH:MM:58 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
MMM DD HH:MM:58 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.XXX:4500
MMM DD HH:MM:13 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
MMM DD HH:MM:13 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.XXX:4500
MMM DD HH:MM:28 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
MMM DD HH:MM:28 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.XXX:4500
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: received Delete SA payload: deleting ISAKMP State #66
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500: deleting connection "remote-access-mac-zzz" instance with peer XXX.XXX.XXX.XXX {isakmp=#0/ipsec=#0}
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: received Vendor ID payload [RFC 3947]
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [FRAGMENTATION]
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [Vid-Initial-Contact]
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [IKE CGA version 1]
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[109] XXX.XXX.XXX.XXX #67: responding to Main Mode from unknown peer XXX.XXX.XXX.XXX
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[109] XXX.XXX.XXX.XXX #67: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[109] XXX.XXX.XXX.XXX #67: Oakley Transform [AES_CBC (128), HMAC_SHA1, ECP_256] refused due to strict flag
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[109] XXX.XXX.XXX.XXX #67: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_2048] refused due to strict flag
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[109] XXX.XXX.XXX.XXX #67: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[109] XXX.XXX.XXX.XXX #67: NAT-Traversal: Result using RFC 3947: both are NATed
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[109] XXX.XXX.XXX.XXX #67: Peer ID is ID_IPV4_ADDR: 'ZZZ.ZZZ.ZZZ.ZZZ'
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[110] XXX.XXX.XXX.XXX #67: deleting connection "remote-access-mac-zzz" instance with peer XXX.XXX.XXX.XXX {isakmp=#0/ipsec=#0}
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[110] XXX.XXX.XXX.XXX:4500 #67: sent MR3, ISAKMP SA established
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[110] XXX.XXX.XXX.XXX:4500 #67: cannot respond to IPsec SA request because no connection is known for GGG.GGG.GGG.GGG/32===YYY.YYY.YYY.YYY:4500[YYY.YYY.YYY.YYY]:17/1701...XXX.XXX.XXX.XXX:4500[ZZZ.ZZZ.ZZZ.ZZZ]:17/%any===ZZZ.ZZZ.ZZZ.ZZZ/32
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[110] XXX.XXX.XXX.XXX:4500 #67: sending encrypted notification INVALID_ID_INFORMATION to XXX.XXX.XXX.XXX:4500
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[110] XXX.XXX.XXX.XXX:4500 #67: received Delete SA payload: deleting ISAKMP State #67
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[110] XXX.XXX.XXX.XXX:4500: deleting connection "remote-access-mac-zzz" instance with peer XXX.XXX.XXX.XXX {isakmp=#0/ipsec=#0}
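Reading the excerpt above line by line: the "refused due to strict flag" entries are IKE proposals pluto turned down, but "sent MR3, ISAKMP SA established" follows, so Phase 1 completes and those lines are not the blocker. The NAT-T result says "both are NATed". The failure is in Quick Mode: the client proposes GGG.GGG.GGG.GGG/32 (UDP/1701) as the server-side selector, while pluto's own endpoint is YYY.YYY.YYY.YYY, so no connection matches and INVALID_ID_INFORMATION is returned; the later INVALID_MESSAGE_ID lines are retransmits of the same rejected request. The script below is an added example for this post (not VyOS's or the author's code) that parses pluto log lines into per-SA attempts and produces that verdict. Its input is constructed from the anonymized /var/log/messages excerpt above; XXX/YYY/ZZZ/GGG are the post's placeholders, not real addresses, and the reading of the GGG/YYY mismatch as an effect of the 1:1 NAT in front of the instance is an interpretation, not something pluto states.

```python
"""Locate the phase at which an L2TP/IPsec attempt fails in pluto (IKEv1) logs.

Added example, not VyOS's or the post author's code.  SAMPLE_LOG is constructed
from the anonymized excerpt in the post (placeholder addresses, not real hosts).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = """\
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: responding to Main Mode from unknown peer XXX.XXX.XXX.XXX
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: NAT-Traversal: Result using RFC 3947: both are NATed
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: Peer ID is ID_IPV4_ADDR: 'ZZZ.ZZZ.ZZZ.ZZZ'
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sent MR3, ISAKMP SA established
MMM DD HH:MM:46 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: cannot respond to IPsec SA request because no connection is known for GGG.GGG.GGG.GGG/32===YYY.YYY.YYY.YYY:4500[YYY.YYY.YYY.YYY]:17/1701...XXX.XXX.XXX.XXX:4500[ZZZ.ZZZ.ZZZ.ZZZ]:17/%any===ZZZ.ZZZ.ZZZ.ZZZ/32
MMM DD HH:MM:46 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sending encrypted notification INVALID_ID_INFORMATION to XXX.XXX.XXX.XXX:4500
MMM DD HH:MM:47 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
MMM DD HH:MM:47 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.XXX:4500
"""

# syslog prefix: timestamp (3 tokens), host, "pluto[pid]:", then the body
_HDR = re.compile(r'^\S+\s+\S+\s+\S+\s+(?P<host>\S+)\s+pluto\[\d+\]:\s+(?P<body>.*)$')
# body of a line tied to an ISAKMP state: "conn"[instance] peer[:port] #N: message
_STATE = re.compile(r'^"(?P<conn>[^"]+)"\[\d+\]\s+(?P<peer>[^\s:]+)(?::\d+)?\s+#(?P<sa>\d+):\s+(?P<msg>.*)$')
# Quick Mode selectors as pluto prints them:
#   our_client===our_host:port[our_id]:proto/port...peer_host:port[peer_id]:proto/port===peer_client
_SELECTOR = re.compile(
    r'no connection is known for '
    r'(?P<our_client>[^=\s]+)===(?P<our_host>[^:\s]+):\d+\[(?P<our_id>[^\]]+)\]:\d+/(?P<our_port>[^.\s]+)'
    r'\.\.\.(?P<peer_host>[^:\s]+):\d+\[(?P<peer_id>[^\]]+)\]:\d+/(?P<peer_port>[^=\s]+)'
    r'===(?P<peer_client>\S+)')


@dataclass
class Attempt:
    """Everything pluto logged for one ISAKMP state (#N)."""
    sa: int
    peer: str
    peer_id: Optional[str] = None
    nat_result: Optional[str] = None
    refused_proposals: List[str] = field(default_factory=list)
    phase1_established: bool = False
    selector: Optional[Dict[str, str]] = None   # parsed Quick Mode selectors, if rejected
    notifications: List[str] = field(default_factory=list)
    retransmits: int = 0


def analyze(log_text: str) -> Dict[int, Attempt]:
    """Group pluto lines by ISAKMP state number and extract the negotiation facts."""
    attempts: Dict[int, Attempt] = {}
    for raw in log_text.splitlines():
        hdr = _HDR.match(raw)
        st = _STATE.match(hdr['body']) if hdr else None
        if not st:
            continue   # Vendor-ID and "deleting connection" lines carry no #N
        a = attempts.setdefault(int(st['sa']), Attempt(sa=int(st['sa']), peer=st['peer']))
        msg = st['msg']
        if msg.startswith('Peer ID is '):
            a.peer_id = msg.split("'")[1]
        elif msg.startswith('NAT-Traversal: Result'):
            a.nat_result = msg.split(': ')[-1]
        elif 'refused due to strict flag' in msg:
            a.refused_proposals.append(msg[msg.index('[') + 1:msg.index(']')])
        elif 'ISAKMP SA established' in msg:
            a.phase1_established = True
        elif 'no connection is known for' in msg:
            m = _SELECTOR.search(msg)
            if m:
                a.selector = m.groupdict()
        elif msg.startswith('sending encrypted notification'):
            a.notifications.append(msg.split()[3])
        elif 'previously used Message ID' in msg:
            a.retransmits += 1
    return attempts


def diagnose(a: Attempt) -> Tuple[str, List[str]]:
    """Return (verdict, findings) for one attempt; verdict names the failing phase."""
    findings: List[str] = []
    if not a.phase1_established:
        return 'phase1-failed', ['ISAKMP SA never established']
    if a.refused_proposals:
        findings.append(f'{len(a.refused_proposals)} IKE proposal(s) refused by strict flag, '
                        'but Phase 1 still completed, so the proposal list is not the blocker')
    if a.nat_result == 'both are NATed':
        findings.append('NAT-T: client and server both sit behind NAT (double NAT)')
    if a.selector and a.selector['our_client'].split('/')[0] != a.selector['our_host']:
        findings.append(f"Quick Mode: peer proposed {a.selector['our_client']} as our side, "
                        f"but pluto's own endpoint is {a.selector['our_host']}; no connection matches")
    if a.retransmits:
        findings.append(f'{a.retransmits} Quick Mode retransmit(s) of the rejected request')
    if not a.notifications:
        return 'phase2-ok', findings
    return 'phase2-rejected:' + a.notifications[0], findings


if __name__ == '__main__':
    for sa, att in analyze(SAMPLE_LOG).items():
        verdict, notes = diagnose(att)
        print(f'#{sa} from {att.peer} (ID {att.peer_id}): {verdict}')
        for n in notes:
            print('  -', n)
```

Run it against a real /var/log/messages by replacing SAMPLE_LOG with the file's contents; every Quick Mode rejection then shows which selector the client asked for versus which address pluto believes it owns, which is the first thing to compare against `outside-address` before touching anything else.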
Stepping back for now... will the day come when I return???
(A memo for when I come back ★)