These are my notes from setting up the environment, borrowing heavily from the content referenced above.
- The AMI used here is Amazon Linux 2 AMI (HVM) - Kernel 4.14, SSD Volume Type - ami-09662e4f2b2fb67f9
- It is assumed that an Elastic IP has been allocated to the EC2 instance.
Preparation before setting up the environment

Add the EPEL repository

```
[ip-172-31-27-101 ~]$ sudo amazon-linux-extras install -y epel
Installing epel-release
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
Cleaning repos: amzn2-core amzn2extra-docker amzn2extra-epel
12 metadata files removed
4 sqlite files removed
0 metadata files removed
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
amzn2-core                                          | 3.7 kB  00:00:00
amzn2extra-docker                                   | 3.0 kB  00:00:00
amzn2extra-epel                                     | 3.0 kB  00:00:00
(1/7): amzn2-core/2/x86_64/group_gz                 | 2.5 kB  00:00:00
(2/7): amzn2-core/2/x86_64/updateinfo               | 452 kB  00:00:00
(3/7): amzn2extra-epel/2/x86_64/primary_db          | 1.8 kB  00:00:00
(4/7): amzn2extra-docker/2/x86_64/updateinfo        | 5.9 kB  00:00:00
(5/7): amzn2extra-epel/2/x86_64/updateinfo          |   76 B  00:00:00
(6/7): amzn2extra-docker/2/x86_64/primary_db        |  86 kB  00:00:00
(7/7): amzn2-core/2/x86_64/primary_db               |  60 MB  00:00:01
Resolving Dependencies
--> Running transaction check
---> Package epel-release.noarch 0:7-11 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch       Version     Repository            Size
================================================================================
Installing:
 epel-release       noarch     7-11        amzn2extra-epel       15 k

Transaction Summary
================================================================================
Install  1 Package

Total download size: 15 k
Installed size: 24 k
Downloading packages:
epel-release-7-11.noarch.rpm                        |  15 kB  00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : epel-release-7-11.noarch                                  1/1
  Verifying  : epel-release-7-11.noarch                                  1/1

Installed:
  epel-release.noarch 0:7-11

Complete!
  0  ansible2                 available    \
        [ =2.4.2  =2.4.6  =2.8  =stable ]
(omitted)
```
Install libreswan and xl2tpd

```
[ip-172-31-27-101 ~]$ sudo yum -y install libreswan xl2tpd
Loaded plugins: extras_suggestions, langpacks, priorities, update-motd
209 packages excluded due to repository priority protections
Resolving Dependencies
--> Running transaction check
---> Package libreswan.x86_64 0:3.25-4.8.amzn2.0.1 will be installed
--> Processing Dependency: unbound-libs >= 1.6.6 for package: libreswan-3.25-4.8.amzn2.0.1.x86_64
--> Processing Dependency: libunbound.so.2()(64bit) for package: libreswan-3.25-4.8.amzn2.0.1.x86_64
--> Processing Dependency: libldns.so.1()(64bit) for package: libreswan-3.25-4.8.amzn2.0.1.x86_64
---> Package xl2tpd.x86_64 0:1.3.15-1.el7 will be installed
--> Processing Dependency: ppp >= 2.4.5-18 for package: xl2tpd-1.3.15-1.el7.x86_64
--> Running transaction check
---> Package ldns.x86_64 0:1.6.16-10.amzn2.0.2 will be installed
---> Package ppp.x86_64 0:2.4.5-33.amzn2.0.3 will be installed
---> Package unbound-libs.x86_64 0:1.7.3-15.amzn2.0.4 will be installed
--> Finished Dependency Resolution

Dependencies Resolved
(omitted)

Installed:
  libreswan.x86_64 0:3.25-4.8.amzn2.0.1    xl2tpd.x86_64 0:1.3.15-1.el7

Dependency Installed:
  ldns.x86_64 0:1.6.16-10.amzn2.0.2    ppp.x86_64 0:2.4.5-33.amzn2.0.3    unbound-libs.x86_64 0:1.7.3-15.amzn2.0.4

Complete!
```
Setting up IPsec

Restart ipsec

```
[ip-172-31-27-101 ~]$ sudo systemctl restart ipsec
```

Run ipsec verify and check which items are not reported as [OK]

```
[ip-172-31-27-101 ~]$ ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.25 (netkey) on 4.14.268-205.500.amzn2.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/send_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         ICMP default/accept_redirects                  [NOT DISABLED]

  Disable /proc/sys/net/ipv4/conf/*/accept_redirects or NETKEY will act on or cause sending of bogus ICMP redirects!

         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Two or more interfaces found, checking IP forwarding    [FAILED]
Checking rp_filter                                      [ENABLED]
 /proc/sys/net/ipv4/conf/all/rp_filter                  [ENABLED]
 /proc/sys/net/ipv4/conf/default/rp_filter              [ENABLED]
 /proc/sys/net/ipv4/conf/eth0/rp_filter                 [ENABLED]
 /proc/sys/net/ipv4/conf/ip_vti0/rp_filter              [ENABLED]
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [UNKNOWN]
  (run ipsec verify as root to test ipsec.secrets)
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OBSOLETE KEYWORD]
  problem with include filename '/etc/ipsec.d': Permission denied

ipsec verify: encountered 13 errors - see 'man ipsec_verify' for help
```
Append the following to /etc/sysctl.conf

```
# Disable /proc/sys/net/ipv4/conf/*/send_redirects
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.eth0.send_redirects=0
net.ipv4.conf.ip_vti0.send_redirects=0
net.ipv4.conf.lo.send_redirects=0

# Disable /proc/sys/net/ipv4/conf/*/accept_redirects
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.eth0.accept_redirects=0
net.ipv4.conf.ip_vti0.accept_redirects=0
net.ipv4.conf.lo.accept_redirects=0

# Two or more interfaces found, checking IP forwarding [FAILED]
net.ipv4.ip_forward=1

# Checking rp_filter
net.ipv4.conf.all.rp_filter=0
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.eth0.rp_filter=0
net.ipv4.conf.ip_vti0.rp_filter=0
```

Apply the settings with sysctl -p

```
[ip-172-31-27-101 ~]$ sudo sysctl -p
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0
net.ipv4.conf.ip_vti0.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.ip_vti0.accept_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.ip_vti0.rp_filter = 0
```
Create an empty /etc/ipsec.d/vpn.conf

```
[ip-172-31-27-101 ~]$ sudo touch /etc/ipsec.d/vpn.conf
```

Confirm that every item in the ipsec verify output is now [OK]

```
[ip-172-31-27-101 ~]$ sudo ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                         [OK]
Libreswan 3.25 (netkey) on 4.14.268-205.500.amzn2.x86_64
Checking for IPsec support in kernel                    [OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects                    [OK]
         ICMP default/accept_redirects                  [OK]
         XFRM larval drop                               [OK]
Pluto ipsec.conf syntax                                 [OK]
Two or more interfaces found, checking IP forwarding    [OK]
Checking rp_filter                                      [OK]
Checking that pluto is running                          [OK]
 Pluto listening for IKE on udp 500                     [OK]
 Pluto listening for IKE/NAT-T on udp 4500              [OK]
 Pluto ipsec.secret syntax                              [OK]
Checking 'ip' command                                   [OK]
Checking 'iptables' command                             [OK]
Checking 'prelink' command does not interfere with FIPS [OK]
Checking for obsolete ipsec.conf options                [OK]
```
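The sysctl.conf above hard-codes eth0 and ip_vti0, so on a host with other interface names the redirect and rp_filter settings would be missed and ipsec verify would keep complaining. The script below is an added example and not part of this memo: it audits the kernel values ipsec verify checks for every interface directory under /proc/sys/net/ipv4/conf, and can generate the matching sysctl.conf lines. The optional root-directory argument (defaulting to /proc/sys) is this script's own convention so the checks can be exercised against a constructed directory tree.

```shell
#!/bin/sh
# Added example, not part of the original memo: audit the kernel settings
# that `ipsec verify` flagged (send_redirects, accept_redirects, ip_forward,
# rp_filter) and render matching sysctl.conf lines for whatever interfaces the
# host actually has. The root-directory argument is an assumption made for
# testing: it defaults to /proc/sys but may point at a constructed tree.

# Print "<sysctl key> expected=<v> actual=<v>" for every key that is not at
# the value the memo sets. Returns 0 when everything matches, 1 otherwise.
check_ipsec_sysctls() {
    root="${1:-/proc/sys}"
    base="$root/net/ipv4"
    bad=0
    for dir in "$base"/conf/*; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        # NETKEY must neither send nor accept ICMP redirects on any interface
        for key in send_redirects accept_redirects; do
            [ -f "$dir/$key" ] || continue
            actual=$(cat "$dir/$key")
            if [ "$actual" != "0" ]; then
                echo "net.ipv4.conf.$iface.$key expected=0 actual=$actual"
                bad=1
            fi
        done
        # rp_filter is not IPsec-aware; the memo turns it off on every
        # interface except lo
        if [ "$iface" != "lo" ] && [ -f "$dir/rp_filter" ]; then
            actual=$(cat "$dir/rp_filter")
            if [ "$actual" != "0" ]; then
                echo "net.ipv4.conf.$iface.rp_filter expected=0 actual=$actual"
                bad=1
            fi
        fi
    done
    # ipsec verify expects forwarding on a host with two or more interfaces
    if [ -f "$base/ip_forward" ]; then
        actual=$(cat "$base/ip_forward")
        if [ "$actual" != "1" ]; then
            echo "net.ipv4.ip_forward expected=1 actual=$actual"
            bad=1
        fi
    fi
    return "$bad"
}

# Emit sysctl.conf lines in the memo's layout for every interface present.
render_ipsec_sysctl_conf() {
    root="${1:-/proc/sys}"
    for dir in "$root"/net/ipv4/conf/*; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        echo "net.ipv4.conf.$iface.send_redirects=0"
        echo "net.ipv4.conf.$iface.accept_redirects=0"
        [ "$iface" = "lo" ] || echo "net.ipv4.conf.$iface.rp_filter=0"
    done
    echo "net.ipv4.ip_forward=1"
}

case "${1:-}" in
    check)  check_ipsec_sysctls ;;
    render) render_ipsec_sysctl_conf ;;
esac
```

Run it as `sh audit.sh check` after `sysctl -p` to list anything still out of line, or `sh audit.sh render >> /etc/sysctl.conf` (as root) to write the lines for the interfaces that actually exist. Note that the script reports the live /proc values, so a mismatch after `sysctl -p` usually means the key was misspelled or the interface did not exist when the file was applied.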
Write the connection settings in /etc/ipsec.d/vpn.conf

```
conn L2TP
    authby=secret
    pfs=no
    auto=add
    keyingtries=3
    dpddelay=30
    dpdtimeout=120
    dpdaction=clear
    keyexchange=ike
    phase2=esp
    encapsulation=yes
    rekey=yes
    ikelifetime=1h
    keylife=1h
    type=transport
    left=%defaultroute
    leftid=<Elastic IP attached to the EC2 instance>
    right=<IP address of the VPN server you are connecting to>
    rightid=<private IP address of the VPN server you are connecting to>
```

Write the pre-shared key in /etc/ipsec.d/vpn.secrets

```
<Elastic IP attached to the EC2 instance> <private IP address of the VPN server you are connecting to> : PSK "<pre-shared key>"
```
Restart ipsec, then establish the IPsec connection and check its status

```
[ip-172-31-27-101 ~]$ sudo systemctl restart ipsec
[ip-172-31-27-101 ~]$
[ip-172-31-27-101 ~]$ sudo ipsec auto --up L2TP
002 "L2TP" #1: initiating Main Mode
104 "L2TP" #1: STATE_MAIN_I1: initiate
106 "L2TP" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "L2TP" #1: STATE_MAIN_I3: sent MI3, expecting MR3
(omitted)
003 "L2TP" #2: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
004 "L2TP" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0xaf309107 <0x68c3363a xfrm=AES_CBC_128-HMAC_SHA1_96 NATOA=xx.xx.xxx.xxx NATD=xxx.xx.xx.xx:4500 DPD=active}
[ip-172-31-27-101 ~]$
[ip-172-31-27-101 ~]$ sudo ipsec status
000 using kernel interface: netkey
000 interface lo/lo ::1@500
(omitted)
000 "L2TP":   ESP algorithm newest: AES_CBC_128-HMAC_SHA1_96; pfsgroup=<N/A>
000
000 Total IPsec connections: loaded 1, active 1
000
000 State Information: DDoS cookies not required, Accepting new IKE connections
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)
000 IPsec SAs: total(1), authenticated(1), anonymous(0)
000
000 #1: "L2TP":4500 STATE_MAIN_I4 (ISAKMP SA established); EVENT_SA_REPLACE in 2562s; newest ISAKMP; nodpd; idle; import:admin initiate
000 #2: "L2TP":4500 STATE_QUICK_I2 (sent QI2, IPsec SA established); EVENT_SA_REPLACE in 2803s; newest IPSEC; eroute owner; isakmp#1; idle; import:admin initiate
000 #2: "L2TP" esp.af309107@xxx.xx.x.xxx esp.68c3363a@172.31.27.101 ref=0 refhim=0 Traffic: ESPin=0B ESPout=0B! ESPmax=4194303B
000
000 Bare Shunt list:
000
```

If everything worked, the active value in the ipsec status output will be 1 (or more)
Setting up L2TP (xl2tpd)

Edit /etc/xl2tpd/xl2tpd.conf

- Comment out the settings in the [lns default] section with ;
- Add the following to the [lac L2TP] section

```
[lns default]
;ip range = 192.168.1.128-192.168.1.254
;local ip = 192.168.1.99
;require chap = yes
;refuse pap = yes
;require authentication = yes
;name = LinuxVPNserver
;ppp debug = yes
;pppoptfile = /etc/ppp/options.xl2tpd
;length bit = yes

[lac L2TP]
lns = <IP address of the VPN server you are connecting to>
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd.client
length bit = yes
autodial = yes
redial = yes
redial timeout = 10
max redials = 6
```

Write the following in /etc/ppp/options.xl2tpd.client

```
user <user ID for the connection>
debug
noauth
# adjust mtu and mru to your environment
mtu 1280
mru 1280
```

Write the user ID and password for the connection in /etc/ppp/chap-secrets

```
# Secrets for authentication using CHAP
# client                          server  secret                           IP addresses
"<user ID for the connection>"    *       "<password for the connection>"  *
```
Connecting from the VPN client

Stop xl2tpd and ipsec

```
[ip-172-31-27-101 ~]$ sudo systemctl stop xl2tpd && sudo systemctl stop ipsec
```

Start ipsec and xl2tpd and establish the connection

```
[ip-172-31-27-101 ~]$ sudo systemctl start ipsec && sudo systemctl start xl2tpd && sudo ipsec auto --up L2TP
002 "L2TP" #1: initiating Main Mode
104 "L2TP" #1: STATE_MAIN_I1: initiate
106 "L2TP" #1: STATE_MAIN_I2: sent MI2, expecting MR2
108 "L2TP" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "L2TP" #1: Peer ID is ID_IPV4_ADDR: 'xx.x.x.x'
004 "L2TP" #1: STATE_MAIN_I4: ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha2_256 group=MODP2048}
003 "L2TP" #1: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
002 "L2TP" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEV1_ALLOW+IKEV2_ALLOW+SAREF_TRACK+IKE_FRAG_ALLOW+ESN_NO {using isakmp#1 msgid:3bfc33d8 proposal=defaults pfsgroup=no-pfs}
117 "L2TP" #2: STATE_QUICK_I1: initiate
003 "L2TP" #2: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
003 "L2TP" #2: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
(omitted)
```

Confirm that ppp0 has been added to the interfaces (in the ifconfig output)

```
[ip-172-31-27-101 ~]$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
        inet 172.31.27.101  netmask 255.255.240.0  broadcast xxx.xx.xx.xxx
        inet6 fe80::4af:f7ff:fe9c:8a34  prefixlen 64  scopeid 0x20<link>
        ether 06:af:f7:9c:8a:34  txqueuelen 1000  (Ethernet)
        RX packets 42270  bytes 17254656 (16.4 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 44723  bytes 10391861 (9.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
(omitted)
ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1280
        inet xx.x.x.X  netmask 255.255.255.255  destination xx.x.x.x
        ppp  txqueuelen 3  (Point-to-Point Protocol)
        RX packets 7  bytes 67 (67.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18  bytes 261 (261.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
```

Use route add to add a static route to the IP address you actually want to reach (so that its traffic goes via ppp0)

```
[ip-172-31-27-101 ~]$ sudo route add -net <IP address you want to reach> netmask 255.255.255.255 dev ppp0
```

Confirm that ping to the IP address you want to reach succeeds (assuming the host responds to ICMP)

```
[ip-172-31-27-101 ~]$ ping -c 3 <IP address you want to reach>
PING xx.xxx.x.xx (xx.xxx.x.xx) 56(84) bytes of data.
64 bytes from xx.xxx.x.xx: icmp_seq=1 ttl=126 time=169 ms
64 bytes from xx.xxx.x.xx: icmp_seq=2 ttl=126 time=169 ms
64 bytes from xx.xxx.x.xx: icmp_seq=3 ttl=126 time=169 ms
```

At this point the VPN is connected and you can communicate with the target IP address
Disconnecting the VPN

Stop xl2tpd and ipsec

```
[ip-172-31-27-101 ~]$ sudo systemctl stop xl2tpd && sudo systemctl stop ipsec
```

This also removes the route to the IP address you wanted to reach
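The connect and disconnect steps above (stop the services, start them, bring up L2TP, wait for ppp0, add the host route, ping, and later stop xl2tpd and ipsec) are typed one at a time and checked by eye: the "active" count in ipsec status from the IPsec section, and ppp0 showing up in ifconfig. The script below is an added example, not part of this memo, that runs the same commands in the same order and makes those two checks itself, stopping before the route is added if the SA or ppp0 never appears. It assumes the connection is named L2TP as in the memo; the VPN_CONN variable, the up/down/check subcommands and the embedded sample status output are this script's own.

```shell
#!/bin/sh
# Added example, not part of the original memo: the memo's connect and
# disconnect steps as one script, with the two checks the memo does by eye
# (the "active" count in `ipsec status` and the appearance of ppp0) done by
# the script. Assumes the connection is named L2TP as in the memo; VPN_CONN
# and the up/down/check subcommands are this script's own conventions.

VPN_CONN="${VPN_CONN:-L2TP}"

# Constructed sample of `ipsec status` output, trimmed from the memo's own
# excerpt, so the parser can be exercised without a live tunnel.
SAMPLE_STATUS='000 using kernel interface: netkey
000 Total IPsec connections: loaded 1, active 1
000 IKE SAs: total(1), half-open(0), open(0), authenticated(1), anonymous(0)'

# Read `ipsec status` on stdin and print the number of active IPsec
# connections; prints nothing if the summary line is absent.
ipsec_active_count() {
    sed -n 's/^000 Total IPsec connections: loaded [0-9]*, active \([0-9]*\).*/\1/p'
}

# 0 when the interface exists (ifconfig would list it), 1 otherwise
iface_exists() {
    [ -d "/sys/class/net/$1" ]
}

# xl2tpd brings ppp0 up asynchronously once the IPsec SA is in place,
# so poll for it instead of assuming it is there straight away.
wait_for_iface() {
    iface="$1"
    limit="${2:-30}"
    n=0
    while [ "$n" -lt "$limit" ]; do
        if iface_exists "$iface"; then
            return 0
        fi
        sleep 1
        n=$((n + 1))
    done
    return 1
}

# Connect: the memo's commands in the memo's order, stopping early if the
# IPsec SA or ppp0 never shows up. $1 is the host to reach over ppp0.
vpn_up() {
    target="$1"
    sudo systemctl start ipsec
    sudo systemctl start xl2tpd
    sudo ipsec auto --up "$VPN_CONN"
    active=$(sudo ipsec status | ipsec_active_count)
    if [ "${active:-0}" -lt 1 ]; then
        echo "IPsec SA not established (active=${active:-0})" >&2
        return 1
    fi
    if ! wait_for_iface ppp0 30; then
        echo "ppp0 did not appear within 30s" >&2
        return 1
    fi
    # Host route via ppp0, exactly as the memo adds it
    sudo route add -net "$target" netmask 255.255.255.255 dev ppp0
    ping -c 3 "$target"
}

# Disconnect: stopping xl2tpd tears down ppp0, which takes the host route
# with it; then stop ipsec.
vpn_down() {
    sudo systemctl stop xl2tpd
    sudo systemctl stop ipsec
}

case "${1:-}" in
    up)    vpn_up "$2" ;;
    down)  vpn_down ;;
    check) printf '%s\n' "$SAMPLE_STATUS" | ipsec_active_count ;;
esac
```

Usage is `sh vpn.sh up <IP address you want to reach>` and `sh vpn.sh down`; `sh vpn.sh check` runs the parser over the embedded sample and prints 1. Because the route is only added after both checks pass, a failed connection leaves no stale host route pointing at a ppp0 that never came up.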