
[AWS] Point-to-Site VPN connection (powered by VyOS)

Posted at 2017-08-03

Abstract

  • The goal: make a remote-access VPN connection to AWS using the VPN client built into Windows 10, Android and the like.
  • This time I chose VyOS as the VPN server on the AWS side.
  • Let me say this up front: this approach has not succeeded yet... people all over the world seem to be struggling with it.
  • The Windows 7 registry change (Microsoft site) did not help either (though with a different approach, to be published soon, that very change turns out to be hugely effective!!).
  • There is one tricky solution, but I have not tried it yet (the part where a global IP is used as if it were a private IP (?) looks like a grey area to me).
  • My vague impression is that a root cause called "Double NAT" is standing in the way...
  • Also, VyOS is said to be unable to handle simultaneous VPN connections from different users, so for Point-to-Site VPN I would recommend OpenVPN, Windows VPN or SoftEther instead. (I have not tried it myself, but strongSwan may be a candidate too?)
  • Truly hardcore people apparently build L2TP on CentOS themselves.

I have got this far and am stuck...

I used this as a reference:

and applied the configuration below, but it has not worked...

configure
set system time-zone Asia/Tokyo

set interfaces ethernet eth0 address '10.0.11.250/24'
set interfaces ethernet eth1 address '10.0.12.250/24'

set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-traversal enable
set vpn ipsec nat-networks allowed-network 0.0.0.0/0

set vpn l2tp remote-access outside-address 10.0.11.250 # also tried the Elastic IP address
set vpn l2tp remote-access outside-nexthop 0.0.0.0
(delete vpn l2tp remote-access outside-nexthop)

set vpn l2tp remote-access client-ip-pool start 192.168.110.1
set vpn l2tp remote-access client-ip-pool stop 192.168.110.100
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret XXXXXXXX
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access authentication local-users username XXXXXXXX password XXXXXXXX

set nat source rule 110 outbound-interface 'eth0'
set nat source rule 110 source address '192.168.110.0/24'
set nat source rule 110 translation address masquerade
(delete nat source rule 110)

These errors keep occurring

No matter what I do, the following errors on the VyOS server will not go away...

messages
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: received Vendor ID payload [RFC 3947]
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [FRAGMENTATION]
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [Vid-Initial-Contact]
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [IKE CGA version 1]
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: responding to Main Mode from unknown peer XXX.XXX.XXX.XXX
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: Oakley Transform [AES_CBC (128), HMAC_SHA1, ECP_256] refused due to strict flag
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_2048] refused due to strict flag
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: NAT-Traversal: Result using RFC 3947: both are NATed
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] XXX.XXX.XXX.XXX #66: Peer ID is ID_IPV4_ADDR: 'ZZZ.ZZZ.ZZZ.ZZZ'
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX #66: deleting connection "remote-access-mac-zzz" instance with peer XXX.XXX.XXX.XXX {isakmp=#0/ipsec=#0}
MMM DD HH:MM:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sent MR3, ISAKMP SA established
MMM DD HH:MM:46 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: cannot respond to IPsec SA request because no connection is known for GGG.GGG.GGG.GGG/32===YYY.YYY.YYY.YYY:4500[YYY.YYY.YYY.YYY]:17/1701...XXX.XXX.XXX.XXX:4500[ZZZ.ZZZ.ZZZ.ZZZ]:17/%any===ZZZ.ZZZ.ZZZ.ZZZ/32
MMM DD HH:MM:46 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sending encrypted notification INVALID_ID_INFORMATION to XXX.XXX.XXX.XXX:4500
MMM DD HH:MM:47 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
MMM DD HH:MM:47 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.XXX:4500
MMM DD HH:MM:48 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
MMM DD HH:MM:48 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.XXX:4500
MMM DD HH:MM:51 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
MMM DD HH:MM:51 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.XXX:4500
MMM DD HH:MM:58 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
MMM DD HH:MM:58 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.XXX:4500
MMM DD HH:MM:13 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
MMM DD HH:MM:13 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.XXX:4500
MMM DD HH:MM:28 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
MMM DD HH:MM:28 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: sending encrypted notification INVALID_MESSAGE_ID to XXX.XXX.XXX.XXX:4500
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500 #66: received Delete SA payload: deleting ISAKMP State #66
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] XXX.XXX.XXX.XXX:4500: deleting connection "remote-access-mac-zzz" instance with peer XXX.XXX.XXX.XXX {isakmp=#0/ipsec=#0}
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [01528bbbc00696121849ab9a1c5b2a5100000001]
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: received Vendor ID payload [RFC 3947]
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [FRAGMENTATION]
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [MS-Negotiation Discovery Capable]
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [Vid-Initial-Contact]
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: packet from XXX.XXX.XXX.XXX:500: ignoring Vendor ID payload [IKE CGA version 1]
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[109] XXX.XXX.XXX.XXX #67: responding to Main Mode from unknown peer XXX.XXX.XXX.XXX
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[109] XXX.XXX.XXX.XXX #67: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[109] XXX.XXX.XXX.XXX #67: Oakley Transform [AES_CBC (128), HMAC_SHA1, ECP_256] refused due to strict flag
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[109] XXX.XXX.XXX.XXX #67: Oakley Transform [AES_CBC (256), HMAC_SHA1, MODP_2048] refused due to strict flag
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[109] XXX.XXX.XXX.XXX #67: Oakley Transform [3DES_CBC (192), HMAC_SHA1, MODP_2048] refused due to strict flag
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[109] XXX.XXX.XXX.XXX #67: NAT-Traversal: Result using RFC 3947: both are NATed
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[109] XXX.XXX.XXX.XXX #67: Peer ID is ID_IPV4_ADDR: 'ZZZ.ZZZ.ZZZ.ZZZ'
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[110] XXX.XXX.XXX.XXX #67: deleting connection "remote-access-mac-zzz" instance with peer XXX.XXX.XXX.XXX {isakmp=#0/ipsec=#0}
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[110] XXX.XXX.XXX.XXX:4500 #67: sent MR3, ISAKMP SA established
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[110] XXX.XXX.XXX.XXX:4500 #67: cannot respond to IPsec SA request because no connection is known for GGG.GGG.GGG.GGG/32===YYY.YYY.YYY.YYY:4500[YYY.YYY.YYY.YYY]:17/1701...XXX.XXX.XXX.XXX:4500[ZZZ.ZZZ.ZZZ.ZZZ]:17/%any===ZZZ.ZZZ.ZZZ.ZZZ/32
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[110] XXX.XXX.XXX.XXX:4500 #67: sending encrypted notification INVALID_ID_INFORMATION to XXX.XXX.XXX.XXX:4500
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[110] XXX.XXX.XXX.XXX:4500 #67: received Delete SA payload: deleting ISAKMP State #67
MMM DD HH:MM:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[110] XXX.XXX.XXX.XXX:4500: deleting connection "remote-access-mac-zzz" instance with peer XXX.XXX.XXX.XXX {isakmp=#0/ipsec=#0}
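The log above is easier to read once it is split into what pluto is telling us per ISAKMP state: phase 1 completes ("ISAKMP SA established"), then phase 2 is refused because the traffic selector the client proposes for the VyOS end does not match any address pluto knows, and the Windows client keeps retransmitting the same Quick Mode message. The following Python script is an added example, not code from the post or from VyOS. It parses pluto's `/var/log/messages` format, groups lines by SA number and prints a plain-language diagnosis. The sample log lines are constructed to mirror the masked lines above, using RFC 5737 documentation addresses in place of the XXX/YYY/ZZZ/GGG placeholders; the regex for the "no connection is known for" line follows pluto's standard connection description (`local_client===local_host[local_id]:proto/port...remote_host[remote_id]:proto/port===remote_client`).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample modelled on the masked pluto lines in the post (not a real capture).
#   203.0.113.10 = client's public (NATed) address   192.168.1.23 = client's LAN address
#   10.0.11.250  = VyOS eth0 address                  198.51.100.5 = the address the client dialled
SAMPLE_LOG = """\
Aug  3 10:15:45 VyOS-AMI pluto[3082]: packet from 203.0.113.10:500: received Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000009]
Aug  3 10:15:45 VyOS-AMI pluto[3082]: packet from 203.0.113.10:500: received Vendor ID payload [RFC 3947]
Aug  3 10:15:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] 203.0.113.10 #66: responding to Main Mode from unknown peer 203.0.113.10
Aug  3 10:15:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] 203.0.113.10 #66: Oakley Transform [AES_CBC (256), HMAC_SHA1, ECP_384] refused due to strict flag
Aug  3 10:15:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] 203.0.113.10 #66: NAT-Traversal: Result using RFC 3947: both are NATed
Aug  3 10:15:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[107] 203.0.113.10 #66: Peer ID is ID_IPV4_ADDR: '192.168.1.23'
Aug  3 10:15:45 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] 203.0.113.10:4500 #66: sent MR3, ISAKMP SA established
Aug  3 10:15:46 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] 203.0.113.10:4500 #66: cannot respond to IPsec SA request because no connection is known for 198.51.100.5/32===10.0.11.250:4500[10.0.11.250]:17/1701...203.0.113.10:4500[192.168.1.23]:17/%any===192.168.1.23/32
Aug  3 10:15:46 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] 203.0.113.10:4500 #66: sending encrypted notification INVALID_ID_INFORMATION to 203.0.113.10:4500
Aug  3 10:15:47 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] 203.0.113.10:4500 #66: Quick Mode I1 message is unacceptable because it uses a previously used Message ID 0x01000000 (perhaps this is a duplicated packet)
Aug  3 10:15:47 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] 203.0.113.10:4500 #66: sending encrypted notification INVALID_MESSAGE_ID to 203.0.113.10:4500
Aug  3 10:16:43 VyOS-AMI pluto[3082]: "remote-access-mac-zzz"[108] 203.0.113.10:4500 #66: received Delete SA payload: deleting ISAKMP State #66
"""

# Lines tied to an ISAKMP state look like: "<conn>"[inst] <peer>[:port] #<sa>: <message>
STATE_RE = re.compile(
    r'pluto\[\d+\]: "(?P<conn>[^"]+)"\[\d+\] (?P<peer>[\d.]+)(?::\d+)? #(?P<sa>\d+): (?P<msg>.*)$')
# pluto's connection description: local_client===local_host[local_id]:proto/port...remote_host[remote_id]:proto/port===remote_client
SELECTOR_RE = re.compile(
    r'no connection is known for (?P<local_client>[\d.]+/\d+)==='
    r'(?P<local_host>[\d.]+):\d+\[(?P<local_id>[^\]]+)\]:(?P<local_proto>\d+)/(?P<local_port>\w+)\.\.\.'
    r'(?P<remote_host>[\d.]+):\d+\[(?P<remote_id>[^\]]+)\]:(?P<remote_proto>\d+)/(?P<remote_port>[\w%]+)==='
    r'(?P<remote_client>[\d.]+/\d+)')


@dataclass
class IkeSession:
    sa: int
    conn: str
    peer: str
    main_mode: bool = False
    nat_result: Optional[str] = None
    peer_id: Optional[str] = None
    isakmp_established: bool = False
    refused_transforms: List[str] = field(default_factory=list)
    phase2_selector: Optional[Dict[str, str]] = None   # parsed "no connection is known for" line
    notifications: List[str] = field(default_factory=list)
    duplicate_msgid: int = 0                            # Quick Mode retransmits with a reused Message ID
    deleted: bool = False


def parse_sessions(log_text: str) -> Dict[int, IkeSession]:
    """Group pluto log lines by ISAKMP SA number; Vendor-ID lines carry no SA and are skipped."""
    sessions: Dict[int, IkeSession] = {}
    for line in log_text.splitlines():
        m = STATE_RE.search(line)
        if not m:
            continue
        s = sessions.setdefault(int(m['sa']), IkeSession(int(m['sa']), m['conn'], m['peer']))
        msg = m['msg']
        if msg.startswith('responding to Main Mode'):
            s.main_mode = True
        elif msg.startswith('Oakley Transform'):
            s.refused_transforms.append(re.search(r'(\[[^\]]+\])', msg).group(1))
        elif 'NAT-Traversal: Result' in msg:
            s.nat_result = msg.split(': ')[-1]
        elif msg.startswith('Peer ID is'):
            s.peer_id = msg.split("'")[1]
        elif 'ISAKMP SA established' in msg:
            s.isakmp_established = True
        elif 'no connection is known for' in msg:
            sel = SELECTOR_RE.search(msg)
            s.phase2_selector = sel.groupdict() if sel else None
        elif msg.startswith('sending encrypted notification'):
            s.notifications.append(msg.split()[3])
        elif 'previously used Message ID' in msg:
            s.duplicate_msgid += 1
        elif msg.startswith('received Delete SA payload'):
            s.deleted = True
    return sessions


def diagnose(s: IkeSession) -> List[str]:
    """Turn one session's events into findings a troubleshooter can act on."""
    findings: List[str] = []
    if not s.isakmp_established:
        findings.append("IKE phase 1 never completed: check the pre-shared secret and IKE proposals first")
        return findings
    findings.append("IKE phase 1 completed, so the pre-shared secret and IKE proposal are fine")
    if s.nat_result:
        findings.append(f"NAT-T detection: {s.nat_result} (traffic moved to UDP/4500)")
    sel = s.phase2_selector
    if sel:
        if sel['local_proto'] == '17' and sel['local_port'] == '1701':
            findings.append("client requested an IPsec SA for UDP/1701, i.e. L2TP over IPsec, as Windows/Android clients do")
        if sel['local_client'].split('/')[0] != sel['local_host']:
            findings.append(f"client proposed {sel['local_client']} as the VyOS end, but pluto only knows its own "
                            f"address {sel['local_host']}: the server is behind 1:1 NAT and no connection matches")
    if 'INVALID_ID_INFORMATION' in s.notifications:
        findings.append("phase 2 was rejected with INVALID_ID_INFORMATION, so the L2TP tunnel never starts")
    if s.duplicate_msgid:
        findings.append(f"{s.duplicate_msgid} Quick Mode retransmit(s) with a reused Message ID: a symptom of the rejection, not a separate fault")
    return findings


if __name__ == '__main__':
    for sa, session in parse_sessions(SAMPLE_LOG).items():
        print(f"ISAKMP SA #{sa} from {session.peer} (peer ID {session.peer_id})")
        for finding in diagnose(session):
            print(f"  - {finding}")
```

Run it against a real `/var/log/messages` by replacing `SAMPLE_LOG` with the file's contents. The finding that matters here is the address mismatch: the client dialled the public address but pluto on the instance only knows the private one, which is the "Double NAT" situation the post suspects.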

Stepping back for now... will the day come when I return to this???
(A memo for when I do come back ★)
