rtx# show status tunnel 1
TUNNEL[1]:
Description:
Interface type: IPsec
Current status is Online.
from 2021/01/02 20:38:10.
15 hours 3 minutes 43 seconds connection.
Received: (IPv4) 12378 packets [782025 octets]
(IPv6) 0 packet [0 octet]
Transmitted: (IPv4) 12091 packets [740159 octets]
(IPv6) 0 packet [0 octet]
rtx#
rtx# show status tunnel 2
TUNNEL[2]:
Description:
Interface type: IPsec
Current status is Online.
from 2021/01/02 20:34:25.
15 hours 7 minutes 38 seconds connection.
Received: (IPv4) 14017 packets [942791 octets]
(IPv6) 0 packet [0 octet]
Transmitted: (IPv4) 16045 packets [1147258 octets]
(IPv6) 0 packet [0 octet]
Both BGP neighbors are Established.
rtx# show status bgp neighbor
BGP neighbor is 169.254.140.1, remote AS 64512, local AS 65000, external link
BGP version 4, remote router ID 169.254.140.1
BGP state = Established, up for 00:46:42
Last read 00:00:01, hold time is 30, keepalive interval is 10 seconds
Received 283 messages, 0 notifications, 0 in queue
Sent 285 messages, 0 notifications, 0 in queue
Connection established 3; dropped 2
Last reset 01:31:55
Local host: 169.254.140.2, Local port: 179
Foreign host: 169.254.140.1, Foreign port: 39273
BGP neighbor is 169.254.65.129, remote AS 64512, local AS 65000, external link
BGP version 4, remote router ID 169.254.65.129
BGP state = Established, up for 04:36:03
Last read 00:00:03, hold time is 30, keepalive interval is 10 seconds
Received 1658 messages, 0 notifications, 0 in queue
Sent 1661 messages, 0 notifications, 0 in queue
Connection established 2; dropped 1
Last reset 05:21:17
Local host: 169.254.65.130, Local port: 179
Foreign host: 169.254.65.129, Foreign port: 42405
[root@awx-try ~]# ping 10.0.1.10
PING 10.0.1.10 (10.0.1.10) 56(84) bytes of data.
64 bytes from 10.0.1.10: icmp_seq=1 ttl=252 time=9.76 ms
64 bytes from 10.0.1.10: icmp_seq=2 ttl=252 time=9.45 ms
64 bytes from 10.0.1.10: icmp_seq=3 ttl=252 time=9.45 ms
64 bytes from 10.0.1.10: icmp_seq=4 ttl=252 time=8.87 ms
[root@testsv ~]#
[root@testsv ~]# ping 10.2.1.10
PING 10.2.1.10 (10.2.1.10) 56(84) bytes of data.
64 bytes from 10.2.1.10: icmp_seq=1 ttl=252 time=8.44 ms
64 bytes from 10.2.1.10: icmp_seq=2 ttl=252 time=10.1 ms
64 bytes from 10.2.1.10: icmp_seq=3 ttl=252 time=8.29 ms
64 bytes from 10.2.1.10: icmp_seq=4 ttl=252 time=8.16 ms
At first I suspected the key length and the like, but in the end it was a careless mistake: I had left the Common Name empty when generating the CSR.
Fix
I regenerated the CSR with the Common Name specified, regenerated the certificate and imported it again, and this time the import succeeded.
For the Common Name I specified the ALB's DNS name (e.g. hogehoge-elb-xxxxxxxxxx.us-east-2.elb.amazonaws.com).
# Generate the CSR
$ openssl req -new -key ./server.key -out ./server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code)[]:JP
State or Province Name (full name)[]:
Locality Name (eg, city)[]:
Organization Name (eg, company)[]:
Organizational Unit Name (eg, section)[]:
Common Name (eg, fully qualified host name)[]: ★ Specify the ALB's DNS name here
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
# Generate the certificate
$ openssl x509 -req -in server.csr -days 365 -signkey server.key -out server.crt
Signature ok
subject=/C=JP/CN=hogehoge-elb-xxxxxxxxxx.us-east-2.elb.amazonaws.com
Getting Private key
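As an added check (not from the original post), a small sh script that reads the subject back out of the CSR and refuses an empty CN before the certificate is signed or imported, plus a non-interactive CSR generation that cannot leave the field blank. It assumes openssl on PATH and, for -addext, OpenSSL 1.1.1 or later; the file paths are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post. Guards against the mistake
# described above: a CSR whose Common Name was left blank at the prompt.
# Assumptions: openssl is on PATH; subject strings are in the form printed by
# `openssl req -noout -subject` on OpenSSL 1.0 ("subject=/C=JP/CN=host") or
# OpenSSL 1.1+ ("subject=C = JP, CN = host"); -addext needs OpenSSL 1.1.1+.

# cn_from_subject SUBJECT -> prints the CN value, or nothing if it is absent
cn_from_subject() {
    printf '%s\n' "$1" |
        sed -e 's/^subject=//' -e 's#^/#,#' -e 's#/#,#g' |
        tr ',' '\n' |
        sed -n 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*//p' |
        sed 's/[[:space:]]*$//' |
        head -n 1
}

# check_cn SUBJECT EXPECTED -> 0 if CN equals EXPECTED, 1 if CN is empty,
# 2 if CN is present but differs (e.g. the wrong ALB DNS name)
check_cn() {
    cn=$(cn_from_subject "$1")
    if [ -z "$cn" ]; then
        echo "CN is empty: regenerate the CSR before signing/importing" >&2
        return 1
    fi
    if [ "$cn" != "$2" ]; then
        echo "CN '$cn' does not match expected '$2'" >&2
        return 2
    fi
    return 0
}

# csr_check CSR_FILE EXPECTED -> reads the subject out of a real CSR and checks it
csr_check() {
    check_cn "$(openssl req -noout -subject -in "$1")" "$2"
}

# make_csr KEY_FILE CSR_FILE HOST -> non-interactive CSR with the CN set and a
# matching SAN, so no prompt can be left blank by accident
make_csr() {
    openssl req -new -key "$1" -out "$2" -subj "/C=JP/CN=$3" \
        -addext "subjectAltName=DNS:$3"
}

# Usage (hypothetical paths):
#   make_csr ./server.key ./server.csr hogehoge-elb-xxxxxxxxxx.us-east-2.elb.amazonaws.com
#   csr_check ./server.csr hogehoge-elb-xxxxxxxxxx.us-east-2.elb.amazonaws.com && echo OK
```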