Troubleshooting an AWS Site-to-Site VPN connection to a Yamaha customer gateway device
When you troubleshoot the connectivity of a Yamaha customer gateway device, consider four things: IKE, IPsec, tunnel, and BGP. You can troubleshoot these areas in any order, but we recommend that you start with IKE (at the bottom of the network stack) and move up.
Note
The proxy ID setting used in phase 2 of IKE is disabled by default on Yamaha routers. This can cause problems connecting to Site-to-Site VPN. If the proxy ID is not configured on your router, see the AWS-provided example configuration file for Yamaha to set it correctly.
IKE
Run the following command. The response shows a customer gateway device with IKE configured correctly.
# show ipsec sa gateway 1
sgw  flags  local-id                    remote-id       # of sa
--------------------------------------------------------------------------
1    U K    YOUR_LOCAL_NETWORK_ADDRESS  72.21.209.225   i:2 s:1 r:1
You should see a line containing a remote-id value for the remote gateway that is specified in the tunnels. You can list all the security associations (SAs) by omitting the tunnel number.
For further troubleshooting, run the following commands to enable DEBUG level log messages that provide diagnostic information.
# syslog debug on
# ipsec ike log message-info payload-info key-info
To cancel the logged items, run the following commands.
# no ipsec ike log
# no syslog debug on
IPsec
Run the following command. The response shows a customer gateway device with IPsec configured correctly.
# show ipsec sa gateway 1 detail
SA[1] Duration: 10675s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Protocol: IKE
Algorithm: AES-CBC, SHA-1, MODP 1024bit
SPI: 6b ce fd 8a d5 30 9b 02 0c f3 87 52 4a 87 6e 77
Key: ** ** ** ** ** (confidential) ** ** ** ** **
----------------------------------------------------
SA[2] Duration: 1719s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Direction: send
Protocol: ESP (Mode: tunnel)
Algorithm: AES-CBC (for Auth.: HMAC-SHA)
SPI: a6 67 47 47
Key: ** ** ** ** ** (confidential) ** ** ** ** **
----------------------------------------------------
SA[3] Duration: 1719s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Direction: receive
Protocol: ESP (Mode: tunnel)
Algorithm: AES-CBC (for Auth.: HMAC-SHA)
SPI: 6b 98 69 2b
Key: ** ** ** ** ** (confidential) ** ** ** ** **
----------------------------------------------------
SA[4] Duration: 10681s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Protocol: IKE
Algorithm: AES-CBC, SHA-1, MODP 1024bit
SPI: e8 45 55 38 90 45 3f 67 a8 74 ca 71 ba bb 75 ee
Key: ** ** ** ** ** (confidential) ** ** ** ** **
----------------------------------------------------
For each tunnel interface, you should see both receive SAs and send SAs.
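As an added check that is not part of the Yamaha or AWS documentation, the following Python parses output in the format of the "show ipsec sa gateway 1 detail" listing above and reports whether an IKE SA and ESP SAs in both directions are present for the gateway. The sample output is constructed with placeholder addresses; the second sample shows the failure case in which the receive SA is missing.

```python
import re

# Constructed sample in the format of the output above; placeholder addresses, not page values.
SAMPLE_OK = """\
SA[1] Duration: 10675s
Remote ID: 198.51.100.1
Protocol: IKE
----------------------------------------------------
SA[2] Duration: 1719s
Remote ID: 198.51.100.1
Direction: send
Protocol: ESP (Mode: tunnel)
----------------------------------------------------
SA[3] Duration: 1719s
Remote ID: 198.51.100.1
Direction: receive
Protocol: ESP (Mode: tunnel)
----------------------------------------------------
"""
# Same gateway with the inbound ESP SA gone: only the IKE and send SAs remain (first 9 lines).
SAMPLE_MISSING_RECEIVE = "".join(SAMPLE_OK.splitlines(True)[:9])

def parse_sa_detail(text):
    """Return one dict per SA: 'SA[n] Duration:' opens an entry, 'Field: value' lines fill it."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.match(r"SA\[(\d+)\]\s+Duration:\s*(\d+)s", line)
        if m:
            cur = {"id": int(m.group(1)), "duration": int(m.group(2))}
            sas.append(cur)
        elif cur is not None and ":" in line and not line.startswith("-"):
            key, _, val = line.partition(":")  # split on the first colon only
            cur[key.strip().lower()] = val.strip()
    return sas

def check_tunnel_sas(text):
    """(ok, problems): ok only with an IKE SA plus ESP SAs in both directions."""
    sas = parse_sa_detail(text)
    problems = []
    if not any(sa.get("protocol") == "IKE" for sa in sas):
        problems.append("no IKE SA: phase 1 has not completed")
    esp_dirs = {sa.get("direction") for sa in sas if sa.get("protocol", "").startswith("ESP")}
    for d in ("send", "receive"):
        if d not in esp_dirs:
            problems.append(f"no ESP {d} SA: phase 2 incomplete in that direction")
    return not problems, problems

if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("missing receive", SAMPLE_MISSING_RECEIVE)):
        print(name, check_tunnel_sas(sample))
```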
For further troubleshooting, use the following commands to enable debugging.
# syslog debug on
# ipsec ike log message-info payload-info key-info
Run the following commands to disable debugging.
# no ipsec ike log
# no syslog debug on
Tunnel
First, check that you have the necessary firewall rules in place. For a list of the rules, see Firewall rules for an AWS Site-to-Site VPN customer gateway device.
If your firewall rules are set up correctly, continue troubleshooting with the following command.
# show status tunnel 1
TUNNEL[1]:
Description:
Interface type: IPsec
Current status is Online.
from 2011/08/15 18:19:45.
5 hours 7 minutes 58 seconds connection.
Received: (IPv4) 3933 packets [244941 octets]
(IPv6) 0 packet [0 octet]
Transmitted: (IPv4) 3933 packets [241407 octets]
(IPv6) 0 packet [0 octet]
Make sure that the current status value is Online and that Interface type is IPsec. Make sure to run this command on both tunnel interfaces. To resolve any problems here, review the configuration.
BGP
Run the following command.
# show status bgp neighbor
BGP neighbor is 169.254.255.1, remote AS 7224, local AS 65000, external link
BGP version 0, remote router ID 0.0.0.0
BGP state = Active
Last read 00:00:00, hold time is 0, keepalive interval is 0 seconds
Received 0 messages, 0 notifications, 0 in queue
Sent 0 messages, 0 notifications, 0 in queue
Connection established 0; dropped 0
Last reset never
Local host: unspecified
Foreign host: 169.254.255.1, Foreign port: 0
BGP neighbor is 169.254.255.5, remote AS 7224, local AS 65000, external link
BGP version 0, remote router ID 0.0.0.0
BGP state = Active
Last read 00:00:00, hold time is 0, keepalive interval is 0 seconds
Received 0 messages, 0 notifications, 0 in queue
Sent 0 messages, 0 notifications, 0 in queue
Connection established 0; dropped 0
Last reset never
Local host: unspecified
Foreign host: 169.254.255.5, Foreign port:
Both neighbors should be listed. For each, you should see a BGP state value of Active.
If BGP peering is up, verify that your customer gateway device is advertising the default route (0.0.0.0/0) to the VPC.
# show status bgp neighbor 169.254.255.1 advertised-routes
Total routes: 1
*: valid route
Network Next Hop Metric LocPrf Path
* default 0.0.0.0 0 IGP
Additionally, make sure that you are receiving the prefix corresponding to your VPC from the virtual private gateway.
# show ip route
Destination Gateway Interface Kind Additional Info.
default ***.***.***.*** LAN3(DHCP) static
10.0.0.0/16 169.254.255.1 TUNNEL[1] BGP path=10124