前回のL2TP/IPsecを利用したリモートアクセスVPNの次は、 Amazon VPCとのLAN間VPNです。
さっそく見てみましょう。
前提
今回も、 グローバルIP (固定IP) を1つという設定でやってみましょう。 また、AWSにてVPCとVPCに1つsubnetとInstanceがある環境に対してHardware VPNを追加する過程で作成します。*1
固定グローバルIP : x.x.x.x RTX810 LAN側IP : 192.168.100.254 Amazon VPC : Private VPC VPC CIDR : 10.0.0.0/16 (vpc-d123123123) 接続先 VPC Subnet : 10.0.3.0/24 接続先 VPC Instance : 10.0.3.150/24
Amazon 側設定
VPC設定確認
まずは、接続するVPCのidとCIDRを確認しておきます。
- AWS Management Consoleで接続
- VPCへ
- Your VPCs > 設定したいVPCを確認 (
VPC idとCIDRをメモ) *2 - 必要に応じて、 Virrual Private Clouds > Route Tablesで接続が必要なVPC Subnetと本当にそのVPC idが紐づいているか確認
Customer Gateway
VPNで接続する、自身の環境の固定グローバルIPを設定します。
- Customer Gatewayへ
- Create Customer Gatewayで作成
Routing : Staticで作成 IP Address : x.x.x.x (接続する自身の固定グローバルIPを入力)
Virtual Private Gateway
VPNで接続する、接続先のVPCを設定します。
- Virtual Private Gatewayへ
- Create Virtual Private Gateway
Yes. Createを選択してGatewayを作成- 接続するVPCをAttach
作成した Virtual Private Gateway を選択して、Attach to VPCを選択 接続したい VPC を選択する。 (今回の場合 10.0.0.0/16 の vpc-d123123123)
VPN Connections
作成したCustomer GatewayとVirtual Private Gatewayを紐づけます。
- VPN Connectionsへ
- Create VPN Connections
- 紐づけるCustomer GatewayとVirtual Private Gatewayを選択
- Use Dynamic Routing (requires BGP) を選択
VPN Configuration の Download : VPN Connections
作成したVPN Connectionsと接続するためのIPsec設定を、ダウンロードします。
これを利用することで、 自身の環境でのIPsec入力が大幅に簡略化されます。
- VPN Connectionsへ
- Downloadを選択
Vendor > Yamaha を選択 Platform > RTX Routers Software > 選択されているものしかないはず (Rev10.xx.x)
以上で、AWS側の設定はいったん終わりです。 (また設定しに来ますのでそのままで)
Yamaha RTX810 側設定
続いて、 AWS VPCで作成した設定をRTX 810に投入します。
tunnel 1の L2TP設定を tunnel 3にずらす
まずは、前回作成したL2TP設定を3番にずらしておきましょう *3
- RTX 810にログイン
- 以下のコマンドを実行して、 L2TP設定をずらす
まずtunnel 1の設定を削除します。
# tunnel 1の削除 pp select anonymous # Accept L2TP VPN no pp bind tunnel1 tunnel select 1 no tunnel encapsulation l2tp # declare l2tp vpn no ipsec tunnel 1 no ipsec sa policy 1 1 esp aes-cbc sha-hmac # use esp as aes and sha-hmac (you cannot use sha256-hmac with iPhone) no ipsec ike keepalive use 1 off no ipsec ike local address 1 192.168.100.254 # Router address no ipsec ike nat-traversal 1 on # required if assgin private address no ipsec ike pre-shared-key 1 text hogehoge # password for l2tp no ipsec ike remote address 1 any # accept any address no l2tp tunnel disconnect time off # do not disconnect while connecting no l2tp keepalive use on 10 3 # send keepalive packet while 10 second for 3 down detection no l2tp keepalive log on no l2tp syslog on no ip tunnel tcp mss limit auto # limit for TCP session MSS tunnel disable 1 no ipsec transport 1 1 udp 1701 # ipsec transport mode for tunnel 1 no ipsec auto refresh on
続いてtunnel 3の設定を追加します。
# tunnel 3の紐づけ tunnel select 3 tunnel encapsulation l2tp ipsec tunnel 3 ipsec sa policy 3 3 esp aes-cbc sha-hmac ipsec ike keepalive use 3 off ipsec ike local address 3 192.168.100.254 ipsec ike nat-traversal 3 on ipsec ike pre-shared-key 3 text hogehoge ipsec ike remote address 3 any l2tp tunnel auth off l2tp tunnel disconnect time off l2tp keepalive use on 10 3 l2tp keepalive log on l2tp syslog on ip tunnel tcp mss limit auto tunnel enable 3 ipsec transport 3 3 udp 1701 # ipsec transport mode for tunnel 3 ipsec auto refresh on pp select anonymous # Accept L2TP VPN pp bind tunnel3
保存します。
save
AWS VPC - Hardware VPN config 投入
downloadしたconfigのまま投入します。 (調整は後でできるので)
例えば次のようなconfigです。
# Amazon Web Services
# Virtual Private Cloud
# AWS utilizes unique identifiers to manage the configuration of
# a VPN Connection. Each VPN Connection is assigned an identifier and is
# associated with two other identifiers, namely the
# Customer Gateway Identifier and Virtual Private Gateway Identifier.
#
# Your VPN Connection ID : vpn-hogehoge
# Your Virtual Private Gateway ID : vgw-fugafuga
# Your Customer Gateway ID : cgw-piyopiyo
#
#
# This configuration consists of two tunnels. Both tunnels must be
# configured on your Customer Gateway.
#
# --------------------------------------------------------------------------------
# IPSec Tunnel #1
# --------------------------------------------------------------------------------
# #1: Internet Key Exchange (IKE) Configuration
#
# A policy is established for the supported ISAKMP encryption,
# authentication, Diffie-Hellman, lifetime, and key parameters.
#
tunnel select 1
ipsec ike encryption 1 aes-cbc
ipsec ike group 1 modp1024
ipsec ike hash 1 sha
# This line stores the Pre Shared Key used to authenticate the
# tunnel endpoints.
#
ipsec ike pre-shared-key 1 text AWSで発行された事前共有キーが入ってます
# #2: IPSec Configuration
# The IPSec policy defines the encryption, authentication, and IPSec
# mode parameters.
# Note that there are a global list of IPSec policies, each identified by
# sequence number. This policy is defined as #201, which may conflict with
# an existing policy using the same number. If so, we recommend changing
# the sequence number to avoid conflicts.
#
ipsec tunnel 201
ipsec sa policy 201 1 esp aes-cbc sha-hmac
# The IPSec profile references the IPSec policy and further defines
# the Diffie-Hellman group and security association lifetime.
ipsec ike duration ipsec-sa 1 3600
ipsec ike pfs 1 on
# Additional parameters of the IPSec configuration are set here. Note that
# these parameters are global and therefore impact other IPSec
# associations.
# This option instructs the router to clear the "Don't Fragment"
# bit from packets that carry this bit and yet must be fragmented, enabling
# them to be fragmented.
#
ipsec tunnel outer df-bit clear
# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.
ipsec ike keepalive use 1 on dpd 10 3
# --------------------------------------------------------------------------------
# #3: Tunnel Interface Configuration
#
# A tunnel interface is configured to be the logical interface associated
# with the tunnel. All traffic routed to the tunnel interface will be
# encrypted and transmitted to the VPC. Similarly, traffic from the VPC
# will be logically received on this interface.
#
# The address of the interface is configured with the setup for your
# Customer Gateway. If the address changes, the Customer Gateway and VPN
# Connection must be recreated with Amazon VPC.
#
ipsec ike local address 1 x.x.x.x(接続する自身の固定グローバルIP)
ipsec ike remote address 1 接続先id1
ip tunnel address 発行されたBGP Local Address
ip tunnel remote address 発行されたBGP Remote Address
# This option causes the router to reduce the Maximum Segment Size of
# TCP packets to prevent packet fragmentation
ip tunnel tcp mss limit 1387
tunnel enable 1
tunnel select none
ipsec auto refresh on
# --------------------------------------------------------------------------------
# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
# will announce the prefix corresponding to your VPC.
#
# Your Customer Gateway may announce a default route (0.0.0.0/0),
# which can be done with the 'network' and 'default-originate' statements.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
bgp use on
bgp autonomous-system 65000
bgp neighbor 1 10124 発行されたBGP Remote Address hold-time=30 local-address=発行されたBGP Local Address
# To advertise additional prefixes to Amazon VPC, copy the 'network' statement and
# identify the prefix you wish to advertise. Make sure the
# prefix is present in the routing table of the device with a valid next-hop.
# For example, the following two lines will advertise 192.168.0.0/16 and 10.0.0.0/16 to Amazon VPC
#
# bgp import filter 1 equal 10.0.0.0/16
# bgp import filter 1 equal 192.168.0.0/16
#
bgp import filter 1 equal 0.0.0.0/0
bgp import 10124 static filter 1
# --------------------------------------------------------------------------------
# IPSec Tunnel #2
# --------------------------------------------------------------------------------
# #1: Internet Key Exchange (IKE) Configuration
#
# A policy is established for the supported ISAKMP encryption,
# authentication, Diffie-Hellman, lifetime, and key parameters.
#
tunnel select 2
ipsec ike encryption 2 aes-cbc
ipsec ike group 2 modp1024
ipsec ike hash 2 sha
# This line stores the Pre Shared Key used to authenticate the
# tunnel endpoints.
#
ipsec ike pre-shared-key 2 text AWSで発行された事前共有キーが入ってます
# #2: IPSec Configuration
# The IPSec policy defines the encryption, authentication, and IPSec
# mode parameters.
# Note that there are a global list of IPSec policies, each identified by
# sequence number. This policy is defined as #202, which may conflict with
# an existing policy using the same number. If so, we recommend changing
# the sequence number to avoid conflicts.
#
ipsec tunnel 202
ipsec sa policy 202 2 esp aes-cbc sha-hmac
# The IPSec profile references the IPSec policy and further defines
# the Diffie-Hellman group and security association lifetime.
ipsec ike duration ipsec-sa 2 3600
ipsec ike pfs 2 on
# Additional parameters of the IPSec configuration are set here. Note that
# these parameters are global and therefore impact other IPSec
# associations.
# This option instructs the router to clear the "Don't Fragment"
# bit from packets that carry this bit and yet must be fragmented, enabling
# them to be fragmented.
#
ipsec tunnel outer df-bit clear
# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.
ipsec ike keepalive use 2 on dpd 10 3
# --------------------------------------------------------------------------------
# #3: Tunnel Interface Configuration
#
# A tunnel interface is configured to be the logical interface associated
# with the tunnel. All traffic routed to the tunnel interface will be
# encrypted and transmitted to the VPC. Similarly, traffic from the VPC
# will be logically received on this interface.
#
# The address of the interface is configured with the setup for your
# Customer Gateway. If the address changes, the Customer Gateway and VPN
# Connection must be recreated with Amazon VPC.
#
ipsec ike local address 2 x.x.x.x(接続する自身の固定グローバルIP)
ipsec ike remote address 2 接続先id2
ip tunnel address 発行されたBGP Local Address2
ip tunnel remote address 発行されたBGP Remote Address2
# This option causes the router to reduce the Maximum Segment Size of
# TCP packets to prevent packet fragmentation
ip tunnel tcp mss limit 1387
tunnel enable 2
tunnel select none
ipsec auto refresh on
# --------------------------------------------------------------------------------
# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
# will announce the prefix corresponding to your VPC.
#
# Your Customer Gateway may announce a default route (0.0.0.0/0),
# which can be done with the 'network' and 'default-originate' statements.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
bgp use on
bgp autonomous-system 65000
bgp neighbor 2 10124 発行されたBGP Remote Address2 hold-time=30 local-address=発行されたBGP Local Address2
# To advertise additional prefixes to Amazon VPC, copy the 'network' statement and
# identify the prefix you wish to advertise. Make sure the
# prefix is present in the routing table of the device with a valid next-hop.
# For example, the following two lines will advertise 192.168.0.0/16 and 10.0.0.0/16 to Amazon VPC
#
# bgp import filter 1 equal 10.0.0.0/16
# bgp import filter 1 equal 192.168.0.0/16
#
bgp import filter 1 equal 0.0.0.0/0
bgp import 10124 static filter 1
bgp configure refresh
# Additional Notes and Questions
# - Amazon Virtual Private Cloud Getting Started Guide:
# http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
# - Amazon Virtual Private Cloud Network Administrator Guide:
# http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
# - Yamaha router's manual:
# http://www.rtpro.yamaha.co.jp/RT/docs/amazon-vpc/index.html
# - XSL Version: 2009-07-15-1119716
tunnel select 1
tunnel name "Amazon VPC tunnel 1"
tunnel select 2
tunnel name "Amazon VPC tunnel 2"
VPNの調整
少しだけ調整します。
1つは、 VPCに名称を付けます。
tunnel select 1 tunnel name "Amazon VPC tunnel 1" tunnel select 2 tunnel name "Amazon VPC tunnel 2"
もう1つは、 keepaliveコマンドが、dpdからhearbeatになってしまうため、再度dpdを指定します。
Heartbeatでは、 IP TunnelがUP/Downを30秒ごとに繰り返すため、必ず修正しましょう。
tunnel select 1 ipsec ike keepalive use 1 on dpd 10 3 tunnel select 2 ipsec ike keepalive use 2 on dpd 10 3
VPNの route table設定
Web Console >[詳細設定と情報]>[VPN接続の設定]>[VPN接続設定の修正(TUNNEL[01])]に行くとわかりますが、VPNには接続までのその他の経路が入っていません。
このために、Web Console上でVPN設定に変更を加えようとすると経路設定を求められます。
必要に応じて設定してもいいですが、いったんは不要です。
設定確認 (RTX810編)
まずは、手元で設定を確認します。
IPsecの動作確認
まずは、 IPsec状態から。
configにあった接続先idが存在しています。
# show ipsec sa Total: isakmp:2 send:2 recv:2 sa sgw isakmp connection dir life[s] remote-id ----------------------------------------------------------------------------- 1 1 - isakmp - 24148 接続先id1 2 2 - isakmp - 24149 接続先id2 7 1 1 tun[001]esp send 1657 接続先id1 8 1 1 tun[001]esp recv 1657 接続先id1 9 2 2 tun[002]esp send 1658 接続先id2 10 2 2 tun[002]esp recv 1658 接続先id2 #
BGPの動作確認
BGP接続を確認します。
# show status bgp neighbor BGP neighbor is 発行されたBGP Remote Address, remote AS 10124, local AS 65000, external link BGP version 4, remote router ID 発行されたBGP Remote Address BGP state = Established, up for 01:20:49 Last read 00:00:01, hold time is 30, keepalive interval is 10 seconds Received 724 messages, 0 notifications, 0 in queue Sent 748 messages, 25 notifications, 0 in queue Connection established 26; dropped 25 Last reset 01:20:56 Local host: 発行されたBGP Local Address, Local port: 1079 Foreign host: 発行されたBGP Remote Address, Foreign port: 179 BGP neighbor is 発行されたBGP Remote Address2, remote AS 10124, local AS 65000, external link BGP version 4, remote router ID 発行されたBGP Remote Address2 BGP state = Established, up for 01:20:44 Last read 00:00:02, hold time is 30, keepalive interval is 10 seconds Received 627 messages, 0 notifications, 0 in queue Sent 642 messages, 23 notifications, 0 in queue Connection established 23; dropped 22 Last reset 01:20:56 Local host: 発行されたBGP Local Address2, Local port: 1080 Foreign host: 発行されたBGP Remote Address2, Foreign port: 179 #
経路確認
routeを確認します。
# show ip route 宛先ネットワーク ゲートウェイ インタフェース 種別 付加情報 default - PP[01] static 10.0.0.0/16 発行されたBGP Remote Address TUNNEL[2] BGP path=10124 BGPホップ/30 - TUNNEL[2] implicit BGPホップ/30 - TUNNEL[1] implicit 192.168.11.0/24 192.168.100.254 LAN1 implicit 発行されたRemote id/32 - PP[01] temporary 発行されたRemote id/32 - PP[01] temporary z.z.z.z/32 - PP[01] temporary #
web console の確認
目で見て確認できるのでいいですね。
設定確認 (AWS編)
pingの前にVPC先でどのVPC Subnetにルーティングするかroute tableで設定が必要です。
つまり、 VPC > VPC SubnetのRoute Tableに対するtargetとして作成したVPNを設定しないとルーティングされません。route propagationではtarget設定不可なので要注意。
試しに、VPNがつながった状態で、route設定せずにpingを試すと....。
PS> ping 10.0.3.100
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 10.0.3.100:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
と、当然宛先がないのでロストします。
Route Tables 設定
- Virtual Private Cloudへ
- Route Tablesへ
- 設定したいRoute Table idを選択 (VPCとAssociateされたVPC Subnetで確認します)
- Routesに追加
Destination : VPN 接続先の自分の Subnet (この例では 192.168.100.0/32) Target : 作成した vgw-hogehogehoge
これで、 手元の192.168.100.0/32から対象のVPC Subnet (10.0.3.0/32) へのpingがルーティングされたことを確認できます。
PS> ping 10.0.3.100
Pinging 10.0.3.100 with 32 bytes of data:
Reply from 10.0.3.100: bytes=32 time=12ms TTL=125
Reply from 10.0.3.100: bytes=32 time=12ms TTL=125
Reply from 10.0.3.100: bytes=32 time=11ms TTL=125
Reply from 10.0.3.100: bytes=32 time=12ms TTL=125
Ping statistics for 10.0.3.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 11ms, Maximum = 12ms, Average = 11ms
VPN Status
最後に、AWS側のVPN Statusを確認してください。
なお、IPsec設定はconfig投入で自動的に2本作られ、冗長化されます。 BGPパケットをRTX810側で止めるこることで、確認もできますよ。
FAQ
BGP間の通信は問題ないのにpingやTCP疎通が確認できない場合
route tableの設定もできているなら、残るはAWSならVPC の Network ACLか、Secutiry Groups設定です。
一時的にICMPを許可してあげてください。 (デフォルト全て遮断のため、明示的にPassを与える)
あるいは、 OSのICMPの可能性もあるので、 iptablesかFirewallでICMPを許可してみるのもいいでしょう。 (そもそもVPC内部のInstance同士でpingがつながるならOSの可能性はありません)
まとめ
IPsec接続では、IKEなどでいくつか気を付けることがありますが、 AWSからダウンロードしたconfigでそこは設定されているのであまり意識する必要はありません。 もちろん、追加設定したほうがいい点もありますが、おおよそいい感じです。
