These are my notes from building this environment, leaning heavily on the content referenced above.
- The AMI used here is Amazon Linux 2 AMI (HVM) - Kernel 4.14, SSD Volume Type - ami-09662e4f2b2fb67f9.
- It is assumed that an Elastic IP has already been associated with the EC2 instance.
Preparation for building the environment
Add the EPEL repository
[ip-172-31-27-101 ~]$ sudo amazon-linux-extras install -y epel
Installing epel-release
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Cleaning repos: amzn2-core amzn2extra-docker amzn2extra-epel
12 metadata files removed
4 sqlite files removed
0 metadata files removed
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core | 3.7 kB 00:00:00
amzn2extra-docker | 3.0 kB 00:00:00
amzn2extra-epel | 3.0 kB 00:00:00
(1/7): amzn2-core/2/x86_64/group_gz | 2.5 kB 00:00:00
(2/7): amzn2-core/2/x86_64/updateinfo | 452 kB 00:00:00
(3/7): amzn2extra-epel/2/x86_64/primary_db | 1.8 kB 00:00:00
(4/7): amzn2extra-docker/2/x86_64/updateinfo | 5.9 kB 00:00:00
(5/7): amzn2extra-epel/2/x86_64/updateinfo | 76 B 00:00:00
(6/7): amzn2extra-docker/2/x86_64/primary_db | 86 kB 00:00:00
(7/7): amzn2-core/2/x86_64/primary_db | 60 MB 00:00:01
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
============================================================================================================================================================
Package Arch Version Repository Size
============================================================================================================================================================
Installing:
epel-release noarch 7-11 amzn2extra-epel 15 k
Transaction Summary
============================================================================================================================================================
Install 1 Package
Total download size: 15 k
Installed size: 24 k
Downloading packages:
epel-release-7-11.noarch.rpm | 15 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : epel-release-7-11.noarch 1/1
Verifying : epel-release-7-11.noarch 1/1
Installed:
epel-release.noarch 0:7-11
Complete!
0 ansible2 available \
[ =2.4.2 =2.4.6 =2.8 =stable ]
(omitted)
Install libreswan and xl2tpd
[ip-172-31-27-101 ~]$ sudo yum -y install libreswan xl2tpd
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
209 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package libreswan.x86_64 0:3.25-4.8.amzn2.0.1 will be installed
--> Processing Dependency: unbound-libs >= 1.6.6 for package: libreswan-3.25-4.8.amzn2.0.1.x86_64
--> Processing Dependency: libunbound.so.2()(64bit) for package: libreswan-3.25-4.8.amzn2.0.1.x86_64
--> Processing Dependency: libldns.so.1()(64bit) for package: libreswan-3.25-4.8.amzn2.0.1.x86_64
---> Package xl2tpd.x86_64 0:1.3.15-1.el7 will be installed
--> Processing Dependency: ppp >= 2.4.5-18 for package: xl2tpd-1.3.15-1.el7.x86_64
--> Running transaction check
---> Package ldns.x86_64 0:1.6.16-10.amzn2.0.2 will be installed
---> Package ppp.x86_64 0:2.4.5-33.amzn2.0.3 will be installed
---> Package unbound-libs.x86_64 0:1.7.3-15.amzn2.0.4 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
(snip)
Installed:
libreswan.x86_64 0:3.25-4.8.amzn2.0.1 xl2tpd.x86_64 0:1.3.15-1.el7
Dependency Installed:
ldns.x86_64 0:1.6.16-10.amzn2.0.2 ppp.x86_64 0:2.4.5-33.amzn2.0.3 unbound-libs.x86_64 0:1.7.3-15.amzn2.0.4
Complete!
Setting up IPsec
Restart ipsec
[ip-172-31-27-101 ~]$ sudo systemctl restart ipsec
Run ipsec verify and check which items are not reported as [OK]
[ip-172-31-27-101 ~]$ ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 4.14.268-205.500.amzn2.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!
ICMP default/accept_redirects [NOT DISABLED]
Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [FAILED]
Checking rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/all/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/default/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/eth0/rp_filter [ENABLED]
/proc/sys/net/ipv4/conf/ip_vti0/rp_filter [ENABLED]
rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [UNKNOWN]
(run ipsec verify as root to test ipsec.secrets)
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OBSOLETE KEYWORD]
problem with include filename '/etc/ipsec.d': Permission denied
ipsec verify: encountered 13 errors - see 'man ipsec_verify' for help
Append the following to /etc/sysctl.conf
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.eth0.send_redirects=0
net.ipv4.conf.ip_vti0.send_redirects=0
net.ipv4.conf.lo.send_redirects=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.ip_vti0.accept_redirects=0
net.ipv4.conf.lo.accept_redirects=0
net.ipv4.ip_forward=1
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.ip_vti0.rp_filter=0
Apply it with sysctl -p
[ip-172-31-27-101 ~]$ sudo sysctl -p
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
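The following script is an added example and not part of the original notes. It checks that the kernel values ipsec verify complained about are really in effect, by reading sysctl-style "key = value" lines (on the VPN host you would feed it the output of `sysctl -a`; here it runs on two constructed samples so it works offline). It goes one step beyond the sysctl.conf list above: every interface present in the input (a later-attached eth1, for instance) is checked for send_redirects, accept_redirects and rp_filter, not only eth0, ip_vti0 and lo. The function name and the sample contents are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): verify the sysctl values that
# "ipsec verify" requires, from sysctl-style "key = value" input.

# check_ipsec_sysctl FILE
# Prints one line per problem; the exit status is the number of problems (0 = clean).
check_ipsec_sysctl() {
    awk -F' *= *' '
        function report(k, w, g) {
            printf "MISMATCH %s: want %s, got %s\n", k, w, g; bad++
        }
        BEGIN {
            # Keys that must be present with exactly this value (the list from the notes).
            want["net.ipv4.ip_forward"] = 1
            want["net.ipv4.conf.all.send_redirects"] = 0
            want["net.ipv4.conf.default.send_redirects"] = 0
            want["net.ipv4.conf.all.accept_redirects"] = 0
            want["net.ipv4.conf.default.accept_redirects"] = 0
            want["net.ipv4.conf.all.rp_filter"] = 0
            want["net.ipv4.conf.default.rp_filter"] = 0
        }
        /^[ \t]*[#;]/ || NF < 2 { next }   # skip comments and blank lines
        {
            key = $1; val = $2
            if (key in want) {
                seen[key] = 1
                if (val != want[key]) report(key, want[key], val)
            } else if (key ~ /^net\.ipv4\.conf\.[^.]+\.(send_redirects|accept_redirects|rp_filter)$/ &&
                       key != "net.ipv4.conf.lo.rp_filter") {
                # Every other interface must be 0 as well; lo.rp_filter is left
                # alone, as in the notes.
                if (val != 0) report(key, 0, val)
            }
        }
        END {
            for (k in want) if (!(k in seen)) {
                printf "MISSING %s (want %s)\n", k, want[k]; bad++
            }
            exit bad
        }
    ' "$1"
}

# Constructed samples in the format of `sysctl -a` / `sysctl -p` output.
GOOD_SAMPLE=$(mktemp)
BAD_SAMPLE=$(mktemp)
trap 'rm -f "$GOOD_SAMPLE" "$BAD_SAMPLE"' EXIT
cat > "$GOOD_SAMPLE" <<'EOF'
# values after the sysctl.conf change from the notes
net.ipv4.ip_forward = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
net.ipv4.tcp_syncookies = 1
EOF
# Same host before the change, with a second NIC attached and one key absent:
# expect 4 problems (ip_forward, eth1 accept_redirects, eth1 rp_filter, missing key).
cat > "$BAD_SAMPLE" <<'EOF'
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 1
EOF

for f in "$GOOD_SAMPLE" "$BAD_SAMPLE"; do
    check_ipsec_sysctl "$f"; rc=$?
    echo "$f: $rc problem(s)"
done
# On the VPN host: sysctl -a 2>/dev/null > /tmp/sysctl.txt && check_ipsec_sysctl /tmp/sysctl.txt
```

A non-zero exit status makes the check easy to wire into a boot-time or cron job, so that an instance whose sysctl.conf was not applied (or that gained a new interface) is noticed before the tunnel misbehaves.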
Create an empty /etc/ipsec.d/vpn.conf
[ip-172-31-27-101 ~]$ sudo touch /etc/ipsec.d/vpn.conf
Confirm that every item in ipsec verify now shows [OK]
[ip-172-31-27-101 ~]$ sudo ipsec verify
Verifying installed system and configuration files
Version check and ipsec on-path [OK]
Libreswan 3.25 (netkey) on 4.14.268-205.500.amzn2.x86_64
Checking for IPsec support in kernel [OK]
NETKEY: Testing XFRM related proc values
ICMP default/send_redirects [OK]
ICMP default/accept_redirects [OK]
XFRM larval drop [OK]
Pluto ipsec.conf syntax [OK]
Two or more interfaces found, checking IP forwarding [OK]
Checking rp_filter [OK]
Checking that pluto is running [OK]
Pluto listening for IKE on udp 500 [OK]
Pluto listening for IKE/NAT-T on udp 4500 [OK]
Pluto ipsec.secret syntax [OK]
Checking 'ip' command [OK]
Checking 'iptables' command [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options [OK]
Write the configuration in /etc/ipsec.d/vpn.conf
conn L2TP
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    keyexchange=ike
    phase2=esp
    encapsulation=yes
    rekey=yes
    ikelifetime=1h
    keylife=1h
    type=transport
    left=%defaultroute
    leftid=<Elastic IP attached to the EC2 instance>
    right=<IP address of the remote VPN server>
    rightid=<private IP address of the remote VPN server>
Write the pre-shared key in /etc/ipsec.d/vpn.secrets
<Elastic IP attached to the EC2 instance> <private IP address of the remote VPN server> : PSK "<pre-shared key>"
Restart ipsec, then establish the IPsec connection and check its status
[ip-172-31-27-101 ~]$ sudo systemctl restart ipsec
[ip-172-31-27-101 ~]$
[ip-172-31-27-101 ~]$ sudo ipsec auto --up L2TP
002 "L2TP"
104 "L2TP"
106 "L2TP"
108 "L2TP"
(snip)
003 "L2TP"
004 "L2TP"
[ip-172-31-27-101 ~]$
[ip-172-31-27-101 ~]$ sudo ipsec status
000 using kernel interface: netkey
000 interface lo/lo ::1@500
(snip)
000 "L2TP": ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=<N/A>
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000
000
000
000
000 Bare Shunt list:
000
If everything went well, the active value in the ipsec status output will be 1 (or more).
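The following is an added example and not part of the original notes. It turns the ipsec status check above into something a script or cron job can act on: the helpers read a status dump from a file (on the VPN host, `sudo ipsec status > /tmp/status.txt`) and run here against two constructed samples modelled on the Libreswan 3.25 output shown above, one with the tunnel up and one with it down. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): parse "ipsec status" output and
# report whether a connection has an active, authenticated IPsec SA.

# ipsec_active_count FILE -> prints the "active" figure from the Total line
ipsec_active_count() {
    sed -n 's/^000 Total IPsec connections: loaded [0-9]*, active \([0-9]*\).*/\1/p' "$1"
}

# ipsec_auth_sa_count FILE -> prints the number of authenticated IPsec SAs
ipsec_auth_sa_count() {
    sed -n 's/^000 IPsec SAs: total([0-9]*), authenticated(\([0-9]*\)).*/\1/p' "$1"
}

# ipsec_esp_algorithm FILE CONN -> prints the ESP algorithm negotiated for CONN.
# Worth logging: a change here means the peer negotiated something different.
ipsec_esp_algorithm() {
    sed -n "s/^000 \"$2\": ESP algorithm newest: \([^;]*\);.*/\1/p" "$1"
}

# ipsec_tunnel_up FILE CONN -> exit 0 only when CONN has an active,
# authenticated IPsec SA; prints a one-line summary either way.
ipsec_tunnel_up() {
    active=$(ipsec_active_count "$1")
    auth=$(ipsec_auth_sa_count "$1")
    algo=$(ipsec_esp_algorithm "$1" "$2")
    if [ "${active:-0}" -ge 1 ] && [ "${auth:-0}" -ge 1 ] && [ -n "$algo" ]; then
        echo "UP   $2: active=$active authenticated_sas=$auth esp=$algo"
        return 0
    fi
    echo "DOWN $2: active=${active:-?} authenticated_sas=${auth:-?} esp=${algo:-none}"
    return 1
}

# Constructed samples modelled on the Libreswan 3.25 status output in the notes.
UP_SAMPLE=$(mktemp)
DOWN_SAMPLE=$(mktemp)
trap 'rm -f "$UP_SAMPLE" "$DOWN_SAMPLE"' EXIT
cat > "$UP_SAMPLE" <<'EOF'
000 using kernel interface: netkey
000 interface lo/lo ::1@500
000 "L2TP": ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=<N/A>
000
000 Total IPsec connections: loaded 1, active 1
000
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
EOF
cat > "$DOWN_SAMPLE" <<'EOF'
000 using kernel interface: netkey
000
000 Total IPsec connections: loaded 1, active 0
000
000 IKE SAs: total(0), half-open(0), open(0), authenticated(0), anonymous(0)
000 IPsec SAs: total(0), authenticated(0), anonymous(0)
EOF

# The non-zero exit for the second sample is the signal a cron job would act on.
for f in "$UP_SAMPLE" "$DOWN_SAMPLE"; do
    ipsec_tunnel_up "$f" L2TP || :
done
# On the VPN host: sudo ipsec status > /tmp/status.txt && ipsec_tunnel_up /tmp/status.txt L2TP
```

Checking the authenticated SA count in addition to "active" avoids declaring the tunnel up while the connection is still loaded but not yet negotiated.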
Setting up L2TP (xl2tpd)
Edit /etc/xl2tpd/xl2tpd.conf
- Comment out the settings in the [lns default] section with ;
- Add the following to the [lac L2TP] section
[lns default]
;ip range = 192.168.1.128-192.168.1.254
;local ip = 192.168.1.99
;require chap = yes
;refuse pap = yes
;require authentication = yes
;name = LinuxVPNserver
;ppp debug = yes
;pppoptfile = /etc/ppp/options.xl2tpd
;length bit = yes
[lac L2TP]
lns = <IP address of the remote VPN server>
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd.client
length bit = yes
autodial = yes
redial = yes
redial timeout = 10
max redials = 6
Write the following in /etc/ppp/options.xl2tpd.client
user <user ID for the connection>
debug
noauth
mtu 1280    # adjust to your environment
mru 1280    # adjust to your environment
Write the user ID and password for the connection in /etc/ppp/chap-secrets
"<user ID for the connection>" * "<password for the connection>" *
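The following is an added example and not part of the original notes. /etc/ipsec.d/vpn.secrets (written above) holds the pre-shared key and /etc/ppp/chap-secrets holds the PPP password, both in cleartext, so neither should be readable by anyone but root. This check refuses any file with group or other permission bits set. It is demonstrated on constructed temporary files, since the real paths only exist on the VPN host; the function names and sample contents are my own.

```shell
#!/bin/sh
# Added example (not from the original notes): confirm that the files holding
# the PSK and the PPP password are not readable by group/other.

# check_secret_file_mode FILE -> 0 if only the owner has any access,
# 1 if group/other bits are set, 2 if the file cannot be read.
check_secret_file_mode() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || { echo "$1: cannot stat"; return 2; }
    # "0$mode" makes the shell read stat's digits as octal; 077 masks the group/other bits.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$1: mode $mode exposes the secret to group/other (fix: chmod 600 $1)"
        return 1
    fi
    echo "$1: mode $mode OK"
    return 0
}

# check_vpn_secret_files FILE... -> 0 only if every file passes
check_vpn_secret_files() {
    rc=0
    for f in "$@"; do
        check_secret_file_mode "$f" || rc=1
    done
    return $rc
}

# Constructed stand-ins for the two secrets files (placeholder contents only).
TIGHT=$(mktemp)
LOOSE=$(mktemp)
trap 'rm -f "$TIGHT" "$LOOSE"' EXIT
printf '%s\n' '<elastic-ip> <server-private-ip> : PSK "<placeholder>"' > "$TIGHT"
printf '%s\n' '"<user>" * "<placeholder>" *' > "$LOOSE"
chmod 600 "$TIGHT"
chmod 644 "$LOOSE"   # what a default umask of 022 gives a newly created file

check_vpn_secret_files "$TIGHT" "$LOOSE" || :
# On the VPN host: check_vpn_secret_files /etc/ipsec.d/vpn.secrets /etc/ppp/chap-secrets
```

Run this after editing either file, since a file created with a default umask ends up world-readable.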
Connecting as a VPN client
Stop xl2tpd and ipsec
[ip-172-31-27-101 ~]$ sudo systemctl stop xl2tpd && sudo systemctl stop ipsec
Start xl2tpd and ipsec and establish the connection
[ip-172-31-27-101 ~]$ sudo systemctl start ipsec && sudo systemctl start xl2tpd && sudo ipsec auto --up L2TP
002 "L2TP"
104 "L2TP"
106 "L2TP"
108 "L2TP"
002 "L2TP"
004 "L2TP"
003 "L2TP"
002 "L2TP"
117 "L2TP"
003 "L2TP"
003 "L2TP"
(omitted)
Confirm that ppp0 now appears among the interfaces (in the ifconfig output)
[ip-172-31-27-101 ~]$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 9001
inet 172-31-27-101 netmask 255.255.240.0 broadcast xxx.xx.xx.xxx
inet6 fe80::4af:f7ff:fe9c:8a34 prefixlen 64 scopeid 0x20<link>
ether 06:af:f7:9c:8a:34 txqueuelen 1000 (Ethernet)
RX packets 42270 bytes 17254656 (16.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 44723 bytes 10391861 (9.9 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
(snip)
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1280
inet xx.x.x.X netmask 255.255.255.255 destination xx.x.x.x
ppp txqueuelen 3 (Point-to-Point Protocol)
RX packets 7 bytes 67 (67.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18 bytes 261 (261.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Use route add to add a static route to the IP address you actually want to reach (so that the traffic goes via ppp0)
[ip-172-31-27-101 ~]$ sudo route add -net <IP address you want to reach> netmask 255.255.255.255 dev ppp0
Confirm that ping to the target IP address succeeds (assuming it responds to ICMP)
[ip-172-31-27-101 ~]$ ping -c 3 <IP address you want to reach>
PING xx.xxx.x.xx (xx.xxx.x.xx) 56(84) bytes of data.
64 bytes from xx.xxx.x.xx: icmp_seq=1 ttl=126 time=169 ms
64 bytes from xx.xxx.x.xx: icmp_seq=2 ttl=126 time=169 ms
64 bytes from xx.xxx.x.xx: icmp_seq=3 ttl=126 time=169 ms
At this point the VPN is connected and traffic to the target IP address works.
Disconnecting the VPN
Stop xl2tpd and ipsec
[ip-172-31-27-101 ~]$ sudo systemctl stop xl2tpd && sudo systemctl stop ipsec
This also removes the route to the target IP address.
Reference sites and pages
fsck.jp