在AWS 上創建的EC2 有一個奇怪的問題，似乎是由於Security group 的conntrack 造成的，即使修改為允許所有UDP 流量也不行。

當self-hosted ipsec-vpn 和地端連結建立後，此時從地端無法ping 通雲端，也無法開始傳輸，但tunnel 已經建立，看狀態都是正常，

當從雲端的EC2 對地端發送一個ping 包之後，流量才開始傳輸，也就是說，首發流量必須由EC2 發起。

問題是否真的由security group 引起我沒有確認，因為我沒有什麼頭緒，但首發流量由EC2發起就能解決，看起來就是security group 的問題。解決這個問題倒是簡單，ping 一下。

在VPC 內使用VPN 服務建立的ipsec tunnel 則沒有這個問題，當然，由於那是managed service，我們不能明確AWS 到底在裡面搞了什麼，說不定他也是在底層的EC2 上ping 了一下。

所以問了AI，寫個定時ping 的script

sudo vi /usr/local/bin/multi-ping.sh

#!/bin/bash

# List of hosts to ping
HOSTS=(
    "10.1.1.2"
    "10.1.2.2"
    "10.1.3.3"
)

# Ping interval in seconds
INTERVAL=60

while true; do
    for host in "${HOSTS[@]}"; do
        timestamp=$(date '+%Y-%m-%d %H:%M:%S')
        ping -c 1 $host | while read pong; do
            echo "[$timestamp] $host - $pong" >> /tmp/multi-ping.log
        done
    done
    sleep $INTERVAL
done

然後創建一個service

sudo vi /etc/systemd/system/multi-ping.service

[Unit]
Description=Multiple Host Ping Service
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
ExecStart=/usr/local/bin/multi-ping.sh
Restart=always
RestartSec=30

[Install]
WantedBy=multi-user.target

啟動他

sudo systemctl daemon-reload
sudo systemctl enable multi-ping
sudo systemctl start multi-ping

看一下log

[2025-04-03 00:44:25] 10.1.1.2 - 64 bytes from 10.1.1.2: icmp_seq=1 ttl=63 time=48.9 ms
[2025-04-03 00:44:25] 10.1.1.2 - 
[2025-04-03 00:44:25] 10.1.1.2 - --- 10.1.1.2 ping statistics ---
[2025-04-03 00:44:25] 10.1.1.2 - 1 packets transmitted, 1 received, 0% packet loss, time 0ms
[2025-04-03 00:44:25] 10.1.1.2 - rtt min/avg/max/mdev = 48.931/48.931/48.931/0.000 ms
[2025-04-03 00:44:25] 10.1.3.3 - PING 10.1.3.3 (10.1.3.3) 56(84) bytes of data.
[2025-04-03 00:44:25] 10.1.3.3 - 64 bytes from 10.1.3.3: icmp_seq=1 ttl=63 time=301 ms
[2025-04-03 00:44:25] 10.1.3.3 - 
[2025-04-03 00:44:25] 10.1.3.3 - --- 10.1.3.3 ping statistics ---
[2025-04-03 00:44:25] 10.1.3.3 - 1 packets transmitted, 1 received, 0% packet loss, time 0ms
[2025-04-03 00:44:25] 10.1.3.3 - rtt min/avg/max/mdev = 301.351/301.351/301.351/0.000 ms

這個問題困擾我很久了，Amazon Linux 2023 ARM64 的repo 中軟體太過稀有，以至於很多的軟體都要從Redhat9 的binary 去獲取。

為什麼是ARM64？感覺是個趨勢吧，畢竟是這麼“節儉”的公司，不會亂花錢去做到目前的Graviton 4。

但問題是，官方並沒有明確Amazon Linux 2023 對應到哪一個版本的Fedora 或者RHEL，這就有點玄學的意思，自己試？我試了幾個版本，失敗。

直接從source code 來compile 算了。

dnf install gcc make openssl-devel -y 
mkdir src && cd src
wget https://download.strongswan.org/strongswan-6.0.0.tar.gz
tar zxf strongswan-6.0.0.tar.gz && cd strongswan-6.0.0
./configure --prefix=/usr/local/strongswan --enable-libipsec --enable-stroke && make && make install
sudo tee /etc/systemd/system/strongswan.service > /dev/null <<EOL
[Unit]
Description=strongSwan IPsec IKEv1/IKEv2 daemon
After=network.target
[Service]
ExecStart=/usr/local/strongswan/sbin/ipsec start --nofork
ExecStop=/usr/local/strongswan/sbin/ipsec stop
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOL

寫入幾個微小的配置檔。

sudo tee /usr/local/strongswan/etc/ipsec.secrets > /dev/null <<EOL
2100:ab16:796:5a00:bg29:6r8d:4dca:b02a [email protected] : PSK "86f6g7da3316a95b0f4e6416f4f0b15c44083a8b4c2da0dee8ac"
EOL
sudo tee /usr/local/strongswan/etc/ipsec.conf > /dev/null <<EOL
config setup
    uniqueids=never
    charondebug="cfg 2, dmn 2, ike 3, net 2"
conn Someone2AWS-v6
        authby=secret
        left=2100:ab16:796:5a00:bg29:6r8d:4dca:b02a
        leftid=2100:ab16:796:5a00:bg29:6r8d:4dca:b02a
        leftsubnet=10.4.0.0/16
        right=2406:520:88:5cb::1
        #right=host.domain.org
        [email protected]
        rightsubnet=10.1.3.0/24
        ike=aes128gcm128-sha256-modp2048!
        esp=aes128gcm128-modp2048!
        keyingtries=0
        ikelifetime=8h
        lifetime=1h
        auto=start
EOL

嘗試啟動

systemctl stop strongswan
systemctl disable strongswan
systemctl daemon-reload
systemctl enable strongswan
systemctl restart strongswan
systemctl status strongswan

把ipsec command link 一下

ln -s /usr/local/strongswan/sbin/ipsec /usr/sbin/ipsec
ipsec status

查看一下log 是否正常

journalctl -u strongswan --since -1min

還需要對防火牆進行一點點改動，打開相應的port 和forward

dnf install firewalld -y
systemctl enable firewalld
systemctl start firewalld
firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --zone=public --add-service=ipsec --permanent
firewall-cmd --zone=public --add-service=ssh --permanent
firewall-cmd --permanent --zone=public --add-interface=ens5
firewall-cmd --reload

Update 20250429

cd src
curl -O https://download.strongswan.org/strongswan-6.0.1.tar.gz
tar zxf strongswan-6.0.1.tar.gz
cd strongswan-6.0.1
dnf install systemd-devel
./configure --enable-systemd && make && make install
rm /etc/systemd/system/strongswan.service
sudo tee /etc/systemd/system/strongswan.service > /dev/null <<EOL
[Unit]
Description=strongSwan IPsec IKEv1/IKEv2 daemon using swanctl
After=network-online.target
Documentation=man:charon-systemd(8) man:swanctl(8)

[Service]
Type=notify
ExecStart=/usr/local/sbin/charon-systemd
ExecStartPost=/usr/local/sbin/swanctl --load-all
ExecReload=/usr/local/sbin/swanctl --reload
Restart=on-abnormal

[Install]
WantedBy=multi-user.target
EOL

是時候拋棄ipsec command了，啟用systemd 和swanctl

一個使用swanctl 的conf

connections {
    AWS2BuyVM {
        local_addrs = 2605:6600:10:e95:62cb:d245:1888:eeee
        local {
            id = 2605:6600:10:e95:62cb:d245:1888:eeee
            auth = psk
        }
        remote {
            auth = psk
            id = 2406:da16:7e3:5a00:ca98:6f8d:4cfe:bbbb
        }
        remote_addrs = 2406:da16:7e3:5a00:ca98:6f8d:4cfe:bbbb
        children {
            AWS2BuyVM {
                local_ts = 10.30.96.0/24
                remote_ts = 10.2.0.0/16,10.3.0.0/16,10.4.0.0/16,10.5.0.0/16
                esp_proposals = aes128gcm128-modp2048
                life_time = 1h
                start_action = route
            }
        }
        version = 2
        proposals = aes128gcm128-sha256-modp2048
        rekey_time = 8h
        keyingtries = 0
    }
}

secrets {
    ike-AWS2BuyVM {
        id-local = 2605:6600:10:e95:62cb:d245:1888:eeee
        id-remote = 2406:da16:7e3:5a00:ca98:6f8d:4cfe:bbbb
        secret = "0000000000000000_r"
    }
}

查看一下連結的情況：

swanctl --list-sas
BuyVM2AWS: #17, ESTABLISHED, IKEv2, 6e00f87f2e29ab73_i* b801ad6c15b17e01_r
  local  '2406:da16:7e3:5a00:ca98:6f8d:4cfe:bbbb' @ 2406:da16:7e3:5a00:ca98:6f8d:4cfe:bbbb[4500]
  remote '2605:6600:10:e95:62cb:d245:1888:eeee' @ 2605:6600:10:e95:62cb:d245:1888:eeee[4500]
  AES_GCM_16-128/PRF_HMAC_SHA2_256/MODP_2048
  established 85s ago, rekeying in 26399s
  BuyVM2AWS: #7, reqid 5, INSTALLED, TUNNEL, ESP:AES_GCM_16-128
    installed 86s ago, rekeying in 2873s, expires in 3515s
    in  ce702c32,   4620 bytes,    55 packets,    31s ago
    out c273aa68,   4872 bytes,    58 packets,    12s ago
    local  10.2.0.0/16 10.3.0.0/16 10.4.0.0/16 10.5.0.0/16
    remote 10.30.96.0/24