前回の L2TP/IPsec を利用したリモートアクセスVPNの次は、 Amazon VPCとの LAN間VPNです。

さっそく見てみましょう。

前提

今回も、グローバルIP (固定IP) を1つという設定でやってみましょう。また、事前に AWS上に、VPC と VPCに 1つ subnet と Instanceがある環境に対して、 Hardware VPN を追加する過程で作成します。*1

固定グローバルIP : x.x.x.x
RTX810 LAN側IP : 192.168.100.254

Amazon VPC : Private VPC
VPC CIDR : 10.0.0.0/16 (vpc-d123123123)
接続先 VPC Subnet : 10.0.3.0/24
接続先 VPC Instance : 10.0.3.150/24

Amazon 側設定

VPC設定確認

まずは、接続する VPC の idと CIDRを確認しておきます。

AWS Management Console で接続
VPC へ
Your VPCs > 設定したい VPCを確認 ( VPC id と CIDR をメモ) *2
必要に応じて、 Virrual Private Clouds > Route Tablesで接続が必要な VPC Subnet と本当にその VPC id が紐づいているか確認。

Customer Gateway

VPNで接続する、自身の環境の固定グローバルIPを設定します。

Customer Gateway へ
Create Customer Gatewayで作成

Routing : Staticで作成
IP Address : x.x.x.x (接続する自身の固定グローバルIPを入力)

Virtual Private Gateway

VPNで接続する、接続先の VPC を設定します。

Virtual Private Gatewayへ
Create Virtual Private Gateway
Yes. Createを選択して Gateway を作成
接続するVPCをAttach

作成した Virtual Private Gateway を選択して、Attach to VPCを選択
接続したい VPC を選択する。 (今回の場合 10.0.0.0/16 の vpc-d123123123)

VPN Connections

作成した Customer Gateway と Virtual Private Gateway を紐づけます。

VPN Connectionsへ
Create VPN Connections
紐づける Customer Gateway と Virtual Private Gateway を選択
Use Dynamic Routing (requires BGP) を選択します。

VPN Configuration の Download : VPN Connections

作成した VPN Connections と接続するための IPsec 設定を、ダウンロードします。

これを利用することで、自身の環境での IPsec 入力が大幅に簡略化されます。

VPN Connectionsへ
Download を選択

Vendor > Yamaha を選択
Platform > RTX Routers
Software > 選択されているものしかないはず (Rev10.xx.x)

以上で、AWS側の設定はいったん終わりです。 (また設定しに来ますのでそのままで)

Yamaha RTX810 側設定

続いて、 AWS VPCで作成した設定を RTX 810 に投入します。

tunnel 1の L2TP設定を tunnel 3にずらす

まずは、前回作成した L2TP設定を 3番にずらしておきましょう *3

RTX 810 にログイン (Webでも Consoleでも)
以下のコマンドを実行して、 L2TP設定をずらす

まず tunnel 1の設定を削除します。

# tunnel 1の削除
pp select anonymous # Accept L2TP VPN
no pp bind tunnel1 

tunnel select 1
 no tunnel encapsulation l2tp # declare l2tp vpn
 no ipsec tunnel 1
 no ipsec sa policy 1 1 esp aes-cbc sha-hmac # use esp as aes and sha-hmac (you cannot use sha256-hmac with iPhone)
 no ipsec ike keepalive use 1 off
 no ipsec ike local address 1 192.168.100.254 # Router address
 no ipsec ike nat-traversal 1 on # required if assgin private address
 no ipsec ike pre-shared-key 1 text hogehoge # password for l2tp
 no ipsec ike remote address 1 any # accept any address
 no l2tp tunnel disconnect time off # do not disconnect while connecting
 no l2tp keepalive use on 10 3 # send keepalive packet while 10 second for 3 down detection
 no l2tp keepalive log on
 no l2tp syslog on
 no ip tunnel tcp mss limit auto # limit for TCP session MSS
 tunnel disable 1

no ipsec transport 1 1 udp 1701 # ipsec transport mode for tunnel 1
no ipsec auto refresh on

続いて tunnel 3の設定を追加します。

# tunnel 3の紐づけ
tunnel select 3
 tunnel encapsulation l2tp
 ipsec tunnel 3
  ipsec sa policy 3 3 esp aes-cbc sha-hmac
  ipsec ike keepalive use 3 off
  ipsec ike local address 3 192.168.100.254
  ipsec ike nat-traversal 3 on
  ipsec ike pre-shared-key 3 text hogehoge
  ipsec ike remote address 3 any
 l2tp tunnel auth off 
 l2tp tunnel disconnect time off
 l2tp keepalive use on 10 3
 l2tp keepalive log on
 l2tp syslog on
 ip tunnel tcp mss limit auto
 tunnel enable 3

ipsec transport 3 3 udp 1701 # ipsec transport mode for tunnel 3
ipsec auto refresh on

pp select anonymous # Accept L2TP VPN
 pp bind tunnel3

保存します。

save

AWS VPC - Hardware VPN config 投入

download した config のまま投入します。 (調整は後でできるので)

例えば次のようなconfigです。

# Amazon Web Services
# Virtual Private Cloud

# AWS utilizes unique identifiers to manage the configuration of
# a VPN Connection. Each VPN Connection is assigned an identifier and is
# associated with two other identifiers, namely the
# Customer Gateway Identifier and Virtual Private Gateway Identifier.
#
# Your VPN Connection ID : vpn-hogehoge
# Your Virtual Private Gateway ID : vgw-fugafuga
# Your Customer Gateway ID : cgw-piyopiyo
#
#
# This configuration consists of two tunnels. Both tunnels must be
# configured on your Customer Gateway.
#
# --------------------------------------------------------------------------------
# IPSec Tunnel #1
# --------------------------------------------------------------------------------

# #1: Internet Key Exchange (IKE) Configuration
#
# A policy is established for the supported ISAKMP encryption,
# authentication, Diffie-Hellman, lifetime, and key parameters.
#
tunnel select 1
ipsec ike encryption 1 aes-cbc
ipsec ike group 1 modp1024
ipsec ike hash 1 sha

# This line stores the Pre Shared Key used to authenticate the
# tunnel endpoints.
#
ipsec ike pre-shared-key 1 text AWSで発行された事前共有キーが入ってます

# #2: IPSec Configuration

# The IPSec policy defines the encryption, authentication, and IPSec
# mode parameters.

# Note that there are a global list of IPSec policies, each identified by
# sequence number. This policy is defined as #201, which may conflict with
# an existing policy using the same number. If so, we recommend changing
# the sequence number to avoid conflicts.
#

ipsec tunnel 201
ipsec sa policy 201 1 esp aes-cbc sha-hmac

# The IPSec profile references the IPSec policy and further defines
# the Diffie-Hellman group and security association lifetime.

ipsec ike duration ipsec-sa 1 3600
ipsec ike pfs 1 on

# Additional parameters of the IPSec configuration are set here. Note that
# these parameters are global and therefore impact other IPSec
# associations.
# This option instructs the router to clear the "Don't Fragment"
# bit from packets that carry this bit and yet must be fragmented, enabling
# them to be fragmented.
#
ipsec tunnel outer df-bit clear

# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.

ipsec ike keepalive use 1 on dpd 10 3

# --------------------------------------------------------------------------------
# #3: Tunnel Interface Configuration
#
# A tunnel interface is configured to be the logical interface associated
# with the tunnel. All traffic routed to the tunnel interface will be
# encrypted and transmitted to the VPC. Similarly, traffic from the VPC
# will be logically received on this interface.
#
# The address of the interface is configured with the setup for your
# Customer Gateway. If the address changes, the Customer Gateway and VPN
# Connection must be recreated with Amazon VPC.
#
ipsec ike local address 1 x.x.x.x(接続する自身の固定グローバルIP)
ipsec ike remote address 1 接続先id1
ip tunnel address 発行されたBGP Local Address
ip tunnel remote address 発行されたBGP Remote Address

# This option causes the router to reduce the Maximum Segment Size of
# TCP packets to prevent packet fragmentation

ip tunnel tcp mss limit 1387
tunnel enable 1
tunnel select none
ipsec auto refresh on

# --------------------------------------------------------------------------------

# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
# will announce the prefix corresponding to your VPC.
#
# Your Customer Gateway may announce a default route (0.0.0.0/0),
# which can be done with the 'network' and 'default-originate' statements.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
bgp use on
bgp autonomous-system 65000
bgp neighbor 1 10124 発行されたBGP Remote Address hold-time=30 local-address=発行されたBGP Local Address

# To advertise additional prefixes to Amazon VPC, copy the 'network' statement and
# identify the prefix you wish to advertise. Make sure the
# prefix is present in the routing table of the device with a valid next-hop.
# For example, the following two lines will advertise 192.168.0.0/16 and 10.0.0.0/16 to Amazon VPC
#
# bgp import filter 1 equal 10.0.0.0/16
# bgp import filter 1 equal 192.168.0.0/16
#

bgp import filter 1 equal 0.0.0.0/0
bgp import 10124 static filter 1
# --------------------------------------------------------------------------------
# IPSec Tunnel #2
# --------------------------------------------------------------------------------

# #1: Internet Key Exchange (IKE) Configuration
#
# A policy is established for the supported ISAKMP encryption,
# authentication, Diffie-Hellman, lifetime, and key parameters.
#
tunnel select 2
ipsec ike encryption 2 aes-cbc
ipsec ike group 2 modp1024
ipsec ike hash 2 sha

# This line stores the Pre Shared Key used to authenticate the
# tunnel endpoints.
#
ipsec ike pre-shared-key 2 text AWSで発行された事前共有キーが入ってます

# #2: IPSec Configuration

# The IPSec policy defines the encryption, authentication, and IPSec
# mode parameters.

# Note that there are a global list of IPSec policies, each identified by
# sequence number. This policy is defined as #202, which may conflict with
# an existing policy using the same number. If so, we recommend changing
# the sequence number to avoid conflicts.
#

ipsec tunnel 202
ipsec sa policy 202 2 esp aes-cbc sha-hmac

# The IPSec profile references the IPSec policy and further defines
# the Diffie-Hellman group and security association lifetime.

ipsec ike duration ipsec-sa 2 3600
ipsec ike pfs 2 on

# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.

ipsec ike keepalive use 2 on dpd 10 3

# --------------------------------------------------------------------------------
# #3: Tunnel Interface Configuration
#
# A tunnel interface is configured to be the logical interface associated
# with the tunnel. All traffic routed to the tunnel interface will be
# encrypted and transmitted to the VPC. Similarly, traffic from the VPC
# will be logically received on this interface.
#
# The address of the interface is configured with the setup for your
# Customer Gateway. If the address changes, the Customer Gateway and VPN
# Connection must be recreated with Amazon VPC.
#
ipsec ike local address 2 x.x.x.x(接続する自身の固定グローバルIP)
ipsec ike remote address 2 接続先id2
ip tunnel address 発行されたBGP Local Address2
ip tunnel remote address 発行されたBGP Remote Address2

# This option causes the router to reduce the Maximum Segment Size of
# TCP packets to prevent packet fragmentation

ip tunnel tcp mss limit 1387
tunnel enable 2
tunnel select none
ipsec auto refresh on

# --------------------------------------------------------------------------------

# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
# will announce the prefix corresponding to your VPC.
#
# Your Customer Gateway may announce a default route (0.0.0.0/0),
# which can be done with the 'network' and 'default-originate' statements.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
bgp use on
bgp autonomous-system 65000
bgp neighbor 2 10124 発行されたBGP Remote Address2 hold-time=30 local-address=発行されたBGP Local Address2

bgp import filter 1 equal 0.0.0.0/0
bgp import 10124 static filter 1

bgp configure refresh

# Additional Notes and Questions
# - Amazon Virtual Private Cloud Getting Started Guide:
# http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
# - Amazon Virtual Private Cloud Network Administrator Guide:
# http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
# - Yamaha router's manual:
# http://www.rtpro.yamaha.co.jp/RT/docs/amazon-vpc/index.html
# - XSL Version: 2009-07-15-1119716

tunnel select 1
tunnel name "Amazon VPC tunnel 1"

tunnel select 2
tunnel name "Amazon VPC tunnel 2"

VPNの調整

少しだけ調整します。

1つは、 VPCに名称を付けます。

tunnel select 1
 tunnel name "Amazon VPC tunnel 1"

tunnel select 2
 tunnel name "Amazon VPC tunnel 2"

もう一つは、 keepalive コマンドが、dpdから hearbeatになってしまうため、再度 dpdを指定します。

heartbeat では、 IP Tunnel が UP/Down を 30秒ごとに繰り返すため、必ず修正しましょう。

tunnel select 1
ipsec ike keepalive use 1 on dpd 10 3

tunnel select 2
ipsec ike keepalive use 2 on dpd 10 3

VPNの route table設定

Web Console > [詳細設定と情報] ＞ [VPN接続の設定] ＞ [VPN接続設定の修正(TUNNEL[01])] に行くとわかりますが、VPNには接続までのその他の経路が入っていません。

このために、Web Console上で VPN 設定に変更を加えようとすると経路設定を求められます。

必要に応じて設定してもいいですが、いったんは不要です。

設定確認 (RTX810編)

まずは、手元で設定を確認します。

IPsecの動作確認

まずは、 IPsec状態から。

configにあった接続先idが存在しています。

# show ipsec sa
Total: isakmp:2 send:2 recv:2

sa   sgw isakmp connection   dir  life[s] remote-id
-----------------------------------------------------------------------------
1     1    -    isakmp       -    24148   接続先id1
2     2    -    isakmp       -    24149   接続先id2
7     1    1    tun[001]esp  send 1657    接続先id1
8     1    1    tun[001]esp  recv 1657    接続先id1
9     2    2    tun[002]esp  send 1658    接続先id2
10    2    2    tun[002]esp  recv 1658    接続先id2

#

BGPの動作確認

BGP接続を確認します。

# show status bgp neighbor
BGP neighbor is 発行されたBGP Remote Address, remote AS 10124, local AS 65000, external link
  BGP version 4, remote router ID 発行されたBGP Remote Address
  BGP state = Established, up for 01:20:49
  Last read 00:00:01, hold time is 30, keepalive interval is 10 seconds
  Received 724 messages, 0 notifications, 0 in queue
  Sent 748 messages, 25 notifications, 0 in queue
  Connection established 26; dropped 25
  Last reset 01:20:56
Local host: 発行されたBGP Local Address, Local port: 1079
Foreign host: 発行されたBGP Remote Address, Foreign port: 179

BGP neighbor is 発行されたBGP Remote Address2, remote AS 10124, local AS 65000, external link
  BGP version 4, remote router ID 発行されたBGP Remote Address2
  BGP state = Established, up for 01:20:44
  Last read 00:00:02, hold time is 30, keepalive interval is 10 seconds
  Received 627 messages, 0 notifications, 0 in queue
  Sent 642 messages, 23 notifications, 0 in queue
  Connection established 23; dropped 22
  Last reset 01:20:56
Local host: 発行されたBGP Local Address2, Local port: 1080
Foreign host: 発行されたBGP Remote Address2, Foreign port: 179

#

経路確認

route を確認します。

# show ip route
宛先ネットワーク           ゲートウェイ                      インタフェース   種別     付加情報
default                    -                                PP[01]      static  
10.0.0.0/16                発行されたBGP Remote Address      TUNNEL[2]   BGP       path=10124
BGPホップ/30               -                                TUNNEL[2]   implicit  
BGPホップ/30               -                                TUNNEL[1]   implicit  
192.168.11.0/24            192.168.100.254                   LAN1        implicit  
発行されたRemote id/32      -                               PP[01]      temporary  
発行されたRemote id/32      -                               PP[01]      temporary  
z.z.z.z/32                  -                              PP[01]      temporary  
#

web console の確認

目で見て確認できるのでいいですね。

設定確認 (AWS編)

pingの前に VPC先でどの VPC Subnet にルーティングするか route tableで設定が必要です。

つまり、 VPC > VPC Subnet の Route Table に対するtargetとして作成したVPNを設定しないとルーティングされません。*4

試しに、VPNがつながった状態で、route設定せずにpingを試すと.....

PS D:\> ping 10.0.3.100
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.0.3.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

と、当然宛先がないのでロストします。

Route Tables 設定

Virtual Private Cloud へ
Route Tables へ
設定したいRoute Table idを選択 (VPC と Associate された VPC Subnetで確認します)
Routes に追加します。

Destination : VPN 接続先の自分の Subnet (この例では 192.168.100.0/32)
Target : 作成した vgw-hogehogehoge

これで、手元の 192.168.100.0/32 から対象の VPC Subnet (10.0.3.0/32) への ping がルーティングされたことを確認できます。

PS D:\> ping 10.0.3.100

Pinging 10.0.3.100 with 32 bytes of data:
Reply from 10.0.3.100: bytes=32 time=12ms TTL=125
Reply from 10.0.3.100: bytes=32 time=12ms TTL=125
Reply from 10.0.3.100: bytes=32 time=11ms TTL=125
Reply from 10.0.3.100: bytes=32 time=12ms TTL=125

Ping statistics for 10.0.3.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 11ms, Maximum = 12ms, Average = 11ms

VPN Status

最後に、AWS側の VPN Statusを確認してください。

なお、IPsec設定はconfig投入で自動的に2本作られ、冗長化されます。 BGPパケットを RTX810側で止めるこることで、確認もできますよ。

BGP間の通信は問題ないのにpingやTCP疎通が確認できない場合

route tableの設定もできているなら、残るは AWSなら VPC の Network ACLか、Secutiry Groups設定です。

一時的に ICMPを許可してあげてください。 (デフォルト全て遮断のため、明示的に Passを与える)

あるいは、 OSの ICMPの可能性もあるので、 iptables か Firewall で ICMPを許可してみるのもいいでしょう。 (そもそも VPC内部のInstance 同士で PingがつながるならOSの可能性はありません)

まとめ

IPsec 接続では、IKEなどでいくつか気を付けることがありますが、 AWSからダウンロードした configでそこは設定されているのであまり意識する必要はありません。もちろん、追加設定したほうがいい点もありますが、おおよそいい感じかと思います。

*1:だいたいみなさんが、VPCとまとめて新規に作っていらっしゃるようで、この設定がない

*2:今回は、vpc-d123123123 の 10.0.0.0/16

*3:AWSで作成したconfigurationが tunnel select 1 なため

*4:route propagationでは target 設定不可なので要注意。

tech.guitarrapc.cóm

C#, PowerShell, Swift, Unity, Cloud, Serverless Technical Update and Features

(RTX810構築シリーズ 2/7) Yamaha RTX810 でAmazon VPC と Hardware VPN を構築してみよう

前提