I am configuring a manual IPsec site-to-site VPN on a UniFi router.
Site A gets a public IP, and Site B gets a private IP from the router above it (a public IP cannot be assigned, e.g. via super DMZ).
From a Google search it seems a site-to-site VPN is possible even when one side's WAN IP range is private, but with the configuration below it currently does not work, so I am attaching it together with the logs.
Where is the problem?
An AUTO/MANUAL IPsec VPN to the device at Site C, which gets a public IP just like Site A, succeeded.
#Site A (WAN: Public IP) log
WAN : #.#.#.# / LAN : 192.168.1.1
ubnt@ubnt:~$ show vpn log tail
Dec 21 21:42:23 00[DMN] Starting IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64)
Dec 21 21:53:05 07[IKE] initiating Main Mode IKE_SA peer-@.@.@.@-tunnel-vti[1] to @.@.@.@
Dec 21 21:53:07 04[IKE] deleting IKE_SA peer-@.@.@.@-tunnel-vti[1] between #.#.#.#[#.#.#.#]...@.@.@.@[%any]
Dec 21 21:53:37 13[KNL] creating acquire job for policy #.#.#.#/32[ipencap] === @.@.@.@/32[ipencap] with reqid {4}
Dec 21 21:53:37 13[IKE] initiating Main Mode IKE_SA peer-@.@.@.@-tunnel-vti[2] to @.@.@.@
Dec 21 21:53:39 03[IKE] deleting IKE_SA peer-@.@.@.@-tunnel-vti[2] between #.#.#.#[#.#.#.#]...@.@.@.@[%any]
ubnt@ubnt:~$ sudo ipsec statusall
Status of IKE charon daemon (strongSwan 5.2.2, Linux 3.10.107-UBNT, mips64):
uptime: 12 minutes, since Dec 21 21:43:27 2022
malloc: sbrk 376832, mmap 0, used 272000, free 104832
worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
loaded plugins: charon ldap sqlite pkcs11 aes des sha1 sha2 md5 random nonce x509 revocation constraints pubkey pkcs1 pkcs8 pem openssl agent xcbc cmac ctr ccm gcm curl attr kernel-netlink resolve socket-default stroke vici updown eap-identity eap-md5 eap-mschapv2 eap-radius eap-tls xauth-generic xauth-eap addrblock
Listening IP addresses:
#.#.#.#
192.168.10.1
Connections:
peer-@.@.@.@-tunnel-vti: #.#.#.#...@.@.@.@ IKEv1
peer-@.@.@.@-tunnel-vti: local: [#.#.#.#] uses pre-shared key authentication
peer-@.@.@.@-tunnel-vti: remote: [@.@.@.@] uses pre-shared key authentication
peer-@.@.@.@-tunnel-vti: child: 0.0.0.0/0 === 0.0.0.0/0 TUNNEL
remote-access: #.#.#.#...%any IKEv1, dpddelay=15s
remote-access: local: [#.#.#.#] uses pre-shared key authentication
remote-access: remote: uses pre-shared key authentication
remote-access: child: dynamic[udp/l2f] === dynamic[udp] TRANSPORT, dpdaction=clear
Routed Connections:
peer-@.@.@.@-tunnel-vti{4}: ROUTED, TUNNEL
peer-@.@.@.@-tunnel-vti{4}: 0.0.0.0/0 === 0.0.0.0/0
Security Associations (0 up, 0 connecting):
none
show configuration commands
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group ESP_@.@.@.@ compression disable
set vpn ipsec esp-group ESP_@.@.@.@ lifetime 3600
set vpn ipsec esp-group ESP_@.@.@.@ mode tunnel
set vpn ipsec esp-group ESP_@.@.@.@ pfs enable
set vpn ipsec esp-group ESP_@.@.@.@ proposal 1 encryption aes128
set vpn ipsec esp-group ESP_@.@.@.@ proposal 1 hash sha1
set vpn ipsec ike-group IKE_@.@.@.@ ikev2-reauth no
set vpn ipsec ike-group IKE_@.@.@.@ key-exchange ikev1
set vpn ipsec ike-group IKE_@.@.@.@ lifetime 28800
set vpn ipsec ike-group IKE_@.@.@.@ proposal 1 dh-group 14
set vpn ipsec ike-group IKE_@.@.@.@ proposal 1 encryption aes128
set vpn ipsec ike-group IKE_@.@.@.@ proposal 1 hash sha1
set vpn ipsec ipsec-interfaces interface eth0
set vpn ipsec nat-networks allowed-network 0.0.0.0/0
set vpn ipsec nat-traversal enable
set vpn ipsec site-to-site peer @.@.@.@ authentication mode pre-shared-secret
set vpn ipsec site-to-site peer @.@.@.@ authentication pre-shared-secret PASSWORD
set vpn ipsec site-to-site peer @.@.@.@ connection-type initiate
set vpn ipsec site-to-site peer @.@.@.@ ike-group IKE_@.@.@.@
set vpn ipsec site-to-site peer @.@.@.@ ikev2-reauth inherit
set vpn ipsec site-to-site peer @.@.@.@ local-address #.#.#.#
set vpn ipsec site-to-site peer @.@.@.@ vti bind vti64
set vpn ipsec site-to-site peer @.@.@.@ vti esp-group ESP_@.@.@.@
#Site B (WAN: Private IP) log
WAN : @.@.@.@ / LAN : 192.168.1.1
show vpn log tail
Dec 21 21:24:56 02[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:25:04 05[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:25:12 02[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:25:19 05[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:25:27 02[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:25:36 05[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:25:43 02[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:25:51 12[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:25:59 16[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:26:07 12[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:26:15 16[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
Dec 21 21:26:23 08[IKE] initiating IKE_SA peer-#.#.#.#-tunnel-0[2] to #.#.#.#
show configuration commands
set vpn ipsec site-to-site peer #.#.#.# authentication id @.@.@.@
set vpn ipsec site-to-site peer #.#.#.# authentication mode pre-shared-secret
set vpn ipsec site-to-site peer #.#.#.# authentication pre-shared-secret PASSWORD
set vpn ipsec site-to-site peer #.#.#.# connection-type initiate
set vpn ipsec site-to-site peer #.#.#.# ike-group IKE_#.#.#.#
set vpn ipsec site-to-site peer #.#.#.# ikev2-reauth inherit
set vpn ipsec site-to-site peer #.#.#.# local-address @.@.@.@
set vpn ipsec site-to-site peer #.#.#.# tunnel 0 allow-nat-networks disable
set vpn ipsec site-to-site peer #.#.#.# tunnel 0 allow-public-networks disable
set vpn ipsec site-to-site peer #.#.#.# tunnel 0 esp-group ESP_#.#.#.#
set vpn ipsec site-to-site peer #.#.#.# tunnel 0 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer #.#.#.# tunnel 0 remote prefix 192.168.10.0/24
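As an added example (not from the post, nor Ubiquiti's own tooling), a small Python check that reads the visible `set vpn ipsec site-to-site` lines of each site and flags the mismatches that keep a public site from pairing with a peer behind NAT: the public side set to initiate toward a private address, an IKE identity that does not match the peer address the other side expects, and a route-based (VTI, 0.0.0.0/0 selectors as in Site A's statusall) peer against a policy-based (prefix) peer. The addresses are substituted documentation/RFC 1918 values, and "identity defaults to the local address when no authentication id is set" is an assumption about EdgeOS.

```python
import ipaddress
import re

# Constructed from the set-commands shown in the post. The post's placeholders
# "#.#.#.#" (Site A, public) and "@.@.@.@" (Site B, private) are replaced with
# documentation / RFC 1918 addresses so the check can actually run.
SITE_A = """
set vpn ipsec site-to-site peer 10.0.0.2 connection-type initiate
set vpn ipsec site-to-site peer 10.0.0.2 local-address 203.0.113.1
set vpn ipsec site-to-site peer 10.0.0.2 vti bind vti64
"""
SITE_B = """
set vpn ipsec site-to-site peer 203.0.113.1 authentication id 10.0.0.2
set vpn ipsec site-to-site peer 203.0.113.1 connection-type initiate
set vpn ipsec site-to-site peer 203.0.113.1 local-address 10.0.0.2
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 0 local prefix 192.168.1.0/24
set vpn ipsec site-to-site peer 203.0.113.1 tunnel 0 remote prefix 192.168.10.0/24
"""

PEER_RE = re.compile(r"^set vpn ipsec site-to-site peer (\S+) (.+) (\S+)$")

def parse_peer(cfg):
    """Return (peer_address, {setting: value}) from one peer's EdgeOS 'set' lines."""
    peer, settings = None, {}
    for line in cfg.strip().splitlines():
        m = PEER_RE.match(line)
        if m:
            peer = m.group(1)
            settings[m.group(2)] = m.group(3)
    return peer, settings

def check_pair(cfg_a, cfg_b):
    """Flag mismatches that keep a public site (A) and a NAT'd site (B) from pairing."""
    peer_a, a = parse_peer(cfg_a)
    peer_b, b = parse_peer(cfg_b)
    findings = []
    # A peer behind NAT is unreachable from outside, so the public side cannot
    # initiate to it; it has to wait for the NAT'd side (connection-type respond).
    if ipaddress.ip_address(peer_a).is_private and a.get("connection-type") == "initiate":
        findings.append("A initiates toward a private peer address; A should be 'respond'")
    # With no remote-id configured, A accepts only an IKE identity equal to its
    # configured peer address, so B's 'authentication id' (assumed to default to
    # B's local-address when unset) must equal that address.
    if b.get("authentication id", b.get("local-address")) != peer_a:
        findings.append("B's IKE identity does not match the peer address A expects")
    # A VTI peer negotiates 0.0.0.0/0 selectors (see A's statusall); prefix selectors
    # on a policy-based peer never match them, so no CHILD_SA can be established.
    if ("vti bind" in a) != ("vti bind" in b):
        findings.append("one side is route-based (VTI), the other policy-based; selectors differ")
    return findings
```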