tech.guitarrapc.cóm

Technical updates

(RTX810構築シリーズ 2/7) Yamaha RTX810 でAmazon VPC と Hardware VPN を構築してみよう

前回のL2TP/IPsecを利用したリモートアクセスVPNの次は、 Amazon VPCとのLAN間VPNです。

さっそく見てみましょう。

前提

今回も、 グローバルIP (固定IP) を1つという設定でやってみましょう。 また、AWSにてVPCとVPCに1つsubnetとInstanceがある環境に対してHardware VPNを追加する過程で作成します。*1

固定グローバルIP : x.x.x.x
RTX810 LAN側IP : 192.168.100.254

Amazon VPC : Private VPC
VPC CIDR : 10.0.0.0/16 (vpc-d123123123)
接続先 VPC Subnet : 10.0.3.0/24
接続先 VPC Instance : 10.0.3.150/24

Amazon 側設定

VPC設定確認

まずは、接続するVPCのidとCIDRを確認しておきます。

  1. AWS Management Consoleで接続
  2. VPCへ
  3. Your VPCs > 設定したいVPCを確認 ( VPC idCIDRをメモ) *2
  4. 必要に応じて、 Virrual Private Clouds > Route Tablesで接続が必要なVPC Subnetと本当にそのVPC idが紐づいているか確認

Customer Gateway

VPNで接続する、自身の環境の固定グローバルIPを設定します。

  1. Customer Gatewayへ
  2. Create Customer Gatewayで作成
Routing : Staticで作成
IP Address : x.x.x.x (接続する自身の固定グローバルIPを入力)

Virtual Private Gateway

VPNで接続する、接続先のVPCを設定します。

  1. Virtual Private Gatewayへ
  2. Create Virtual Private Gateway
  3. Yes. Createを選択してGatewayを作成
  4. 接続するVPCをAttach
作成した Virtual Private Gateway を選択して、Attach to VPCを選択
接続したい VPC を選択する。 (今回の場合 10.0.0.0/16 の vpc-d123123123)

VPN Connections

作成したCustomer GatewayとVirtual Private Gatewayを紐づけます。

  1. VPN Connectionsへ
  2. Create VPN Connections
  3. 紐づけるCustomer GatewayとVirtual Private Gatewayを選択
  4. Use Dynamic Routing (requires BGP) を選択

VPN Configuration の Download : VPN Connections

作成したVPN Connectionsと接続するためのIPsec設定を、ダウンロードします。

これを利用することで、 自身の環境でのIPsec入力が大幅に簡略化されます。

  1. VPN Connectionsへ
  2. Downloadを選択
Vendor > Yamaha を選択
Platform > RTX Routers
Software > 選択されているものしかないはず (Rev10.xx.x)

以上で、AWS側の設定はいったん終わりです。 (また設定しに来ますのでそのままで)

Yamaha RTX810 側設定

続いて、 AWS VPCで作成した設定をRTX 810に投入します。

tunnel 1の L2TP設定を tunnel 3にずらす

まずは、前回作成したL2TP設定を3番にずらしておきましょう *3

  1. RTX 810にログイン
  2. 以下のコマンドを実行して、 L2TP設定をずらす

まずtunnel 1の設定を削除します。

# tunnel 1の削除
pp select anonymous # Accept L2TP VPN
no pp bind tunnel1

tunnel select 1
 no tunnel encapsulation l2tp # declare l2tp vpn
 no ipsec tunnel 1
 no ipsec sa policy 1 1 esp aes-cbc sha-hmac # use esp as aes and sha-hmac (you cannot use sha256-hmac with iPhone)
 no ipsec ike keepalive use 1 off
 no ipsec ike local address 1 192.168.100.254 # Router address
 no ipsec ike nat-traversal 1 on # required if assgin private address
 no ipsec ike pre-shared-key 1 text hogehoge # password for l2tp
 no ipsec ike remote address 1 any # accept any address
 no l2tp tunnel disconnect time off # do not disconnect while connecting
 no l2tp keepalive use on 10 3 # send keepalive packet while 10 second for 3 down detection
 no l2tp keepalive log on
 no l2tp syslog on
 no ip tunnel tcp mss limit auto # limit for TCP session MSS
 tunnel disable 1

no ipsec transport 1 1 udp 1701 # ipsec transport mode for tunnel 1
no ipsec auto refresh on

続いてtunnel 3の設定を追加します。

# tunnel 3の紐づけ
tunnel select 3
 tunnel encapsulation l2tp
 ipsec tunnel 3
  ipsec sa policy 3 3 esp aes-cbc sha-hmac
  ipsec ike keepalive use 3 off
  ipsec ike local address 3 192.168.100.254
  ipsec ike nat-traversal 3 on
  ipsec ike pre-shared-key 3 text hogehoge
  ipsec ike remote address 3 any
 l2tp tunnel auth off
 l2tp tunnel disconnect time off
 l2tp keepalive use on 10 3
 l2tp keepalive log on
 l2tp syslog on
 ip tunnel tcp mss limit auto
 tunnel enable 3

ipsec transport 3 3 udp 1701 # ipsec transport mode for tunnel 3
ipsec auto refresh on

pp select anonymous # Accept L2TP VPN
 pp bind tunnel3

保存します。

save

AWS VPC - Hardware VPN config 投入

downloadしたconfigのまま投入します。 (調整は後でできるので)

例えば次のようなconfigです。

# Amazon Web Services
# Virtual Private Cloud

# AWS utilizes unique identifiers to manage the configuration of
# a VPN Connection. Each VPN Connection is assigned an identifier and is
# associated with two other identifiers, namely the
# Customer Gateway Identifier and Virtual Private Gateway Identifier.
#
# Your VPN Connection ID            : vpn-hogehoge
# Your Virtual Private Gateway ID           : vgw-fugafuga
# Your Customer Gateway ID          : cgw-piyopiyo
#
#
# This configuration consists of two tunnels. Both tunnels must be
# configured on your Customer Gateway.
#
# --------------------------------------------------------------------------------
# IPSec Tunnel #1
# --------------------------------------------------------------------------------


# #1: Internet Key Exchange (IKE) Configuration
#
# A policy is established for the supported ISAKMP encryption,
# authentication, Diffie-Hellman, lifetime, and key parameters.
#
      tunnel select 1
    ipsec ike encryption 1 aes-cbc
    ipsec ike group 1 modp1024
    ipsec ike hash 1 sha

# This line stores the Pre Shared Key used to authenticate the
# tunnel endpoints.
#
       ipsec ike pre-shared-key 1 text AWSで発行された事前共有キーが入ってます

# #2: IPSec Configuration

# The IPSec policy defines the encryption, authentication, and IPSec
# mode parameters.

# Note that there are a global list of IPSec policies, each identified by
# sequence number. This policy is defined as #201, which may conflict with
# an existing policy using the same number. If so, we recommend changing
# the sequence number to avoid conflicts.
#

        ipsec tunnel 201
        ipsec sa policy 201 1 esp aes-cbc  sha-hmac

# The IPSec profile references the IPSec policy and further defines
# the Diffie-Hellman group and security association lifetime.

     ipsec ike duration ipsec-sa 1 3600
        ipsec ike pfs 1 on

# Additional parameters of the IPSec configuration are set here. Note that
# these parameters are global and therefore impact other IPSec
# associations.
# This option instructs the router to clear the "Don't Fragment"
# bit from packets that carry this bit and yet must be fragmented, enabling
# them to be fragmented.
#
    ipsec tunnel outer df-bit clear

# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.

        ipsec ike keepalive use 1 on dpd 10 3

# --------------------------------------------------------------------------------
# #3: Tunnel Interface Configuration
#
# A tunnel interface is configured to be the logical interface associated
# with the tunnel. All traffic routed to the tunnel interface will be
# encrypted and transmitted to the VPC. Similarly, traffic from the VPC
# will be logically received on this interface.
#
# The address of the interface is configured with the setup for your
# Customer Gateway.  If the address changes, the Customer Gateway and VPN
# Connection must be recreated with Amazon VPC.
#
    ipsec ike local address 1 x.x.x.x(接続する自身の固定グローバルIP)
    ipsec ike remote address 1 接続先id1
    ip tunnel address 発行されたBGP Local Address
    ip tunnel remote address 発行されたBGP Remote Address

   # This option causes the router to reduce the Maximum Segment Size of
    # TCP packets to prevent packet fragmentation

   ip tunnel tcp mss limit 1387
    tunnel enable 1
    tunnel select none
        ipsec auto refresh on

# --------------------------------------------------------------------------------


# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
# will announce the prefix corresponding to your VPC.
#
# Your Customer Gateway may announce a default route (0.0.0.0/0),
# which can be done with the 'network' and 'default-originate' statements.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
    bgp use on
    bgp autonomous-system 65000
    bgp neighbor 1 10124 発行されたBGP Remote Address hold-time=30 local-address=発行されたBGP Local Address

# To advertise additional prefixes to Amazon VPC, copy the 'network' statement and
# identify the prefix you wish to advertise. Make sure the
# prefix is present in the routing table of the device with a valid next-hop.
# For example, the following two lines will advertise 192.168.0.0/16 and 10.0.0.0/16 to Amazon VPC
#
# bgp import filter 1 equal 10.0.0.0/16
# bgp import filter 1 equal 192.168.0.0/16
#

    bgp import filter 1 equal 0.0.0.0/0
    bgp import 10124 static filter 1
# --------------------------------------------------------------------------------
# IPSec Tunnel #2
# --------------------------------------------------------------------------------


# #1: Internet Key Exchange (IKE) Configuration
#
# A policy is established for the supported ISAKMP encryption,
# authentication, Diffie-Hellman, lifetime, and key parameters.
#
      tunnel select 2
    ipsec ike encryption 2 aes-cbc
    ipsec ike group 2 modp1024
    ipsec ike hash 2 sha

# This line stores the Pre Shared Key used to authenticate the
# tunnel endpoints.
#
       ipsec ike pre-shared-key 2 text AWSで発行された事前共有キーが入ってます

# #2: IPSec Configuration

# The IPSec policy defines the encryption, authentication, and IPSec
# mode parameters.

# Note that there are a global list of IPSec policies, each identified by
# sequence number. This policy is defined as #202, which may conflict with
# an existing policy using the same number. If so, we recommend changing
# the sequence number to avoid conflicts.
#

        ipsec tunnel 202
        ipsec sa policy 202 2 esp aes-cbc  sha-hmac

# The IPSec profile references the IPSec policy and further defines
# the Diffie-Hellman group and security association lifetime.

     ipsec ike duration ipsec-sa 2 3600
        ipsec ike pfs 2 on

# Additional parameters of the IPSec configuration are set here. Note that
# these parameters are global and therefore impact other IPSec
# associations.
# This option instructs the router to clear the "Don't Fragment"
# bit from packets that carry this bit and yet must be fragmented, enabling
# them to be fragmented.
#
    ipsec tunnel outer df-bit clear

# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.

        ipsec ike keepalive use 2 on dpd 10 3

# --------------------------------------------------------------------------------
# #3: Tunnel Interface Configuration
#
# A tunnel interface is configured to be the logical interface associated
# with the tunnel. All traffic routed to the tunnel interface will be
# encrypted and transmitted to the VPC. Similarly, traffic from the VPC
# will be logically received on this interface.
#
# The address of the interface is configured with the setup for your
# Customer Gateway.  If the address changes, the Customer Gateway and VPN
# Connection must be recreated with Amazon VPC.
#
    ipsec ike local address 2 x.x.x.x(接続する自身の固定グローバルIP)
    ipsec ike remote address 2 接続先id2
    ip tunnel address 発行されたBGP Local Address2
    ip tunnel remote address 発行されたBGP Remote Address2

   # This option causes the router to reduce the Maximum Segment Size of
    # TCP packets to prevent packet fragmentation

   ip tunnel tcp mss limit 1387
    tunnel enable 2
    tunnel select none
        ipsec auto refresh on

# --------------------------------------------------------------------------------


# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
# will announce the prefix corresponding to your VPC.
#
# Your Customer Gateway may announce a default route (0.0.0.0/0),
# which can be done with the 'network' and 'default-originate' statements.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
    bgp use on
    bgp autonomous-system 65000
    bgp neighbor 2 10124 発行されたBGP Remote Address2 hold-time=30 local-address=発行されたBGP Local Address2

# To advertise additional prefixes to Amazon VPC, copy the 'network' statement and
# identify the prefix you wish to advertise. Make sure the
# prefix is present in the routing table of the device with a valid next-hop.
# For example, the following two lines will advertise 192.168.0.0/16 and 10.0.0.0/16 to Amazon VPC
#
# bgp import filter 1 equal 10.0.0.0/16
# bgp import filter 1 equal 192.168.0.0/16
#

    bgp import filter 1 equal 0.0.0.0/0
    bgp import 10124 static filter 1

    bgp configure refresh


# Additional Notes and Questions
#  - Amazon Virtual Private Cloud Getting Started Guide:
#       http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
#  - Amazon Virtual Private Cloud Network Administrator Guide:
#       http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
#  - Yamaha router's manual:
#    http://www.rtpro.yamaha.co.jp/RT/docs/amazon-vpc/index.html
#  - XSL Version: 2009-07-15-1119716


tunnel select 1
 tunnel name "Amazon VPC tunnel 1"

tunnel select 2
 tunnel name "Amazon VPC tunnel 2"

VPNの調整

少しだけ調整します。

1つは、 VPCに名称を付けます。

tunnel select 1
 tunnel name "Amazon VPC tunnel 1"

tunnel select 2
 tunnel name "Amazon VPC tunnel 2"

もう1つは、 keepaliveコマンドが、dpdからhearbeatになってしまうため、再度dpdを指定します。

Heartbeatでは、 IP TunnelがUP/Downを30秒ごとに繰り返すため、必ず修正しましょう。

tunnel select 1
ipsec ike keepalive use 1 on dpd 10 3

tunnel select 2
ipsec ike keepalive use 2 on dpd 10 3

VPNの route table設定

Web Console >[詳細設定と情報]>[VPN接続の設定]>[VPN接続設定の修正(TUNNEL[01])]に行くとわかりますが、VPNには接続までのその他の経路が入っていません。

このために、Web Console上でVPN設定に変更を加えようとすると経路設定を求められます。

必要に応じて設定してもいいですが、いったんは不要です。

設定確認 (RTX810編)

まずは、手元で設定を確認します。

IPsecの動作確認

まずは、 IPsec状態から。

configにあった接続先idが存在しています。

# show ipsec sa
Total: isakmp:2 send:2 recv:2

sa   sgw isakmp connection   dir  life[s] remote-id
-----------------------------------------------------------------------------
1     1    -    isakmp       -    24148   接続先id1
2     2    -    isakmp       -    24149   接続先id2
7     1    1    tun[001]esp  send 1657    接続先id1
8     1    1    tun[001]esp  recv 1657    接続先id1
9     2    2    tun[002]esp  send 1658    接続先id2
10    2    2    tun[002]esp  recv 1658    接続先id2

#

BGPの動作確認

BGP接続を確認します。

# show status bgp neighbor
BGP neighbor is 発行されたBGP Remote Address, remote AS 10124, local AS 65000, external link
  BGP version 4, remote router ID 発行されたBGP Remote Address
  BGP state = Established, up for 01:20:49
  Last read 00:00:01, hold time is 30, keepalive interval is 10 seconds
  Received 724 messages, 0 notifications, 0 in queue
  Sent 748 messages, 25 notifications, 0 in queue
  Connection established 26; dropped 25
  Last reset 01:20:56
Local host: 発行されたBGP Local Address, Local port: 1079
Foreign host: 発行されたBGP Remote Address, Foreign port: 179

BGP neighbor is 発行されたBGP Remote Address2, remote AS 10124, local AS 65000, external link
  BGP version 4, remote router ID 発行されたBGP Remote Address2
  BGP state = Established, up for 01:20:44
  Last read 00:00:02, hold time is 30, keepalive interval is 10 seconds
  Received 627 messages, 0 notifications, 0 in queue
  Sent 642 messages, 23 notifications, 0 in queue
  Connection established 23; dropped 22
  Last reset 01:20:56
Local host: 発行されたBGP Local Address2, Local port: 1080
Foreign host: 発行されたBGP Remote Address2, Foreign port: 179

#

経路確認

routeを確認します。

# show ip route
宛先ネットワーク           ゲートウェイ                      インタフェース   種別     付加情報
default                    -                                PP[01]      static
10.0.0.0/16                発行されたBGP Remote Address      TUNNEL[2]   BGP       path=10124
BGPホップ/30               -                                TUNNEL[2]   implicit
BGPホップ/30               -                                TUNNEL[1]   implicit
192.168.11.0/24            192.168.100.254                   LAN1        implicit
発行されたRemote id/32      -                               PP[01]      temporary
発行されたRemote id/32      -                               PP[01]      temporary
z.z.z.z/32                  -                              PP[01]      temporary
#

web console の確認

目で見て確認できるのでいいですね。

設定確認 (AWS編)

pingの前にVPC先でどのVPC Subnetにルーティングするかroute tableで設定が必要です。

つまり、 VPC > VPC SubnetのRoute Tableに対するtargetとして作成したVPNを設定しないとルーティングされません。route propagationではtarget設定不可なので要注意。

試しに、VPNがつながった状態で、route設定せずにpingを試すと....。

PS> ping 10.0.3.100
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.0.3.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

と、当然宛先がないのでロストします。

Route Tables 設定

  1. Virtual Private Cloudへ
  2. Route Tablesへ
  3. 設定したいRoute Table idを選択 (VPCとAssociateされたVPC Subnetで確認します)
  4. Routesに追加
Destination : VPN 接続先の自分の Subnet (この例では 192.168.100.0/32)
Target : 作成した vgw-hogehogehoge

これで、 手元の192.168.100.0/32から対象のVPC Subnet (10.0.3.0/32) へのpingがルーティングされたことを確認できます。

PS> ping 10.0.3.100

Pinging 10.0.3.100 with 32 bytes of data:
Reply from 10.0.3.100: bytes=32 time=12ms TTL=125
Reply from 10.0.3.100: bytes=32 time=12ms TTL=125
Reply from 10.0.3.100: bytes=32 time=11ms TTL=125
Reply from 10.0.3.100: bytes=32 time=12ms TTL=125

Ping statistics for 10.0.3.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 11ms, Maximum = 12ms, Average = 11ms

VPN Status

最後に、AWS側のVPN Statusを確認してください。

なお、IPsec設定はconfig投入で自動的に2本作られ、冗長化されます。 BGPパケットをRTX810側で止めるこることで、確認もできますよ。

FAQ

BGP間の通信は問題ないのにpingやTCP疎通が確認できない場合

route tableの設定もできているなら、残るはAWSならVPC の Network ACLか、Secutiry Groups設定です。

一時的にICMPを許可してあげてください。 (デフォルト全て遮断のため、明示的にPassを与える)

あるいは、 OSのICMPの可能性もあるので、 iptablesかFirewallでICMPを許可してみるのもいいでしょう。 (そもそもVPC内部のInstance同士でpingがつながるならOSの可能性はありません)

まとめ

IPsec接続では、IKEなどでいくつか気を付けることがありますが、 AWSからダウンロードしたconfigでそこは設定されているのであまり意識する必要はありません。 もちろん、追加設定したほうがいい点もありますが、おおよそいい感じです。

*1:だいたいみなさんが、VPCとまとめて新規に作っていらっしゃるようで、この設定がない

*2:今回は、vpc-d123123123の10.0.0.0/16

*3:AWSで作成したconfigurationがtunnel select 1なため