前回の L2TP/IPsec
を利用したリモートアクセスVPNの次は、 Amazon VPCとの LAN間VPNです。
さっそく見てみましょう。
目次
- 目次
- 前提
- Amazon 側設定
- Yamaha RTX810 側設定
- 設定確認 (RTX810編)
- 設定確認 (AWS編)
- VPN Status
- BGP間の通信は問題ないのにpingやTCP疎通が確認できない場合
- まとめ
前提
今回も、 グローバルIP (固定IP) を1つという設定でやってみましょう。 また、事前に AWS上に、VPC と VPCに 1つ subnet と Instanceがある環境に対して、 Hardware VPN を追加する過程で作成します。*1
固定グローバルIP : x.x.x.x RTX810 LAN側IP : 192.168.100.254 Amazon VPC : Private VPC VPC CIDR : 10.0.0.0/16 (vpc-d123123123) 接続先 VPC Subnet : 10.0.3.0/24 接続先 VPC Instance : 10.0.3.150/24
Amazon 側設定
VPC設定確認
まずは、接続する VPC の idと CIDRを確認しておきます。
- AWS Management Console で接続
- VPC へ
- Your VPCs > 設定したい VPCを確認 (
VPC id
とCIDR
をメモ) *2 - 必要に応じて、 Virrual Private Clouds > Route Tablesで 接続が必要な VPC Subnet と本当にその VPC id が紐づいているか確認
Customer Gateway
VPNで接続する、自身の環境の固定グローバルIPを設定します。
- Customer Gateway へ
- Create Customer Gatewayで作成
Routing : Staticで作成 IP Address : x.x.x.x (接続する自身の固定グローバルIPを入力)
Virtual Private Gateway
VPNで接続する、接続先の VPC を設定します。
- Virtual Private Gatewayへ
- Create Virtual Private Gateway
Yes. Create
を選択して Gateway を作成- 接続するVPCをAttach
作成した Virtual Private Gateway を選択して、Attach to VPCを選択 接続したい VPC を選択する。 (今回の場合 10.0.0.0/16 の vpc-d123123123)
VPN Connections
作成した Customer Gateway と Virtual Private Gateway を紐づけます。
- VPN Connectionsへ
- Create VPN Connections
- 紐づける Customer Gateway と Virtual Private Gateway を選択
- Use Dynamic Routing (requires BGP) を選択します
VPN Configuration の Download : VPN Connections
作成した VPN Connections と接続するための IPsec 設定を、ダウンロードします。
これを利用することで、 自身の環境での IPsec 入力が大幅に簡略化されます。
- VPN Connectionsへ
- Download を選択
Vendor > Yamaha を選択 Platform > RTX Routers Software > 選択されているものしかないはず (Rev10.xx.x)
以上で、AWS側の設定はいったん終わりです。 (また設定しに来ますのでそのままで)
Yamaha RTX810 側設定
続いて、 AWS VPCで作成した設定を RTX 810 に投入します。
tunnel 1の L2TP設定を tunnel 3にずらす
まずは、前回作成した L2TP設定を 3番にずらしておきましょう *3
- RTX 810 にログイン (Webでも Consoleでも)
- 以下のコマンドを実行して、 L2TP設定をずらす
まず tunnel 1の設定を削除します。
# tunnel 1の削除 pp select anonymous # Accept L2TP VPN no pp bind tunnel1 tunnel select 1 no tunnel encapsulation l2tp # declare l2tp vpn no ipsec tunnel 1 no ipsec sa policy 1 1 esp aes-cbc sha-hmac # use esp as aes and sha-hmac (you cannot use sha256-hmac with iPhone) no ipsec ike keepalive use 1 off no ipsec ike local address 1 192.168.100.254 # Router address no ipsec ike nat-traversal 1 on # required if assgin private address no ipsec ike pre-shared-key 1 text hogehoge # password for l2tp no ipsec ike remote address 1 any # accept any address no l2tp tunnel disconnect time off # do not disconnect while connecting no l2tp keepalive use on 10 3 # send keepalive packet while 10 second for 3 down detection no l2tp keepalive log on no l2tp syslog on no ip tunnel tcp mss limit auto # limit for TCP session MSS tunnel disable 1 no ipsec transport 1 1 udp 1701 # ipsec transport mode for tunnel 1 no ipsec auto refresh on
続いて tunnel 3の設定を追加します。
# tunnel 3の紐づけ tunnel select 3 tunnel encapsulation l2tp ipsec tunnel 3 ipsec sa policy 3 3 esp aes-cbc sha-hmac ipsec ike keepalive use 3 off ipsec ike local address 3 192.168.100.254 ipsec ike nat-traversal 3 on ipsec ike pre-shared-key 3 text hogehoge ipsec ike remote address 3 any l2tp tunnel auth off l2tp tunnel disconnect time off l2tp keepalive use on 10 3 l2tp keepalive log on l2tp syslog on ip tunnel tcp mss limit auto tunnel enable 3 ipsec transport 3 3 udp 1701 # ipsec transport mode for tunnel 3 ipsec auto refresh on pp select anonymous # Accept L2TP VPN pp bind tunnel3
保存します。
save
AWS VPC - Hardware VPN config 投入
download した config のまま 投入します。 (調整は後でできるので)
例えば次のようなconfigです。
# Amazon Web Services # Virtual Private Cloud # AWS utilizes unique identifiers to manage the configuration of # a VPN Connection. Each VPN Connection is assigned an identifier and is # associated with two other identifiers, namely the # Customer Gateway Identifier and Virtual Private Gateway Identifier. # # Your VPN Connection ID : vpn-hogehoge # Your Virtual Private Gateway ID : vgw-fugafuga # Your Customer Gateway ID : cgw-piyopiyo # # # This configuration consists of two tunnels. Both tunnels must be # configured on your Customer Gateway. # # -------------------------------------------------------------------------------- # IPSec Tunnel #1 # -------------------------------------------------------------------------------- # #1: Internet Key Exchange (IKE) Configuration # # A policy is established for the supported ISAKMP encryption, # authentication, Diffie-Hellman, lifetime, and key parameters. # tunnel select 1 ipsec ike encryption 1 aes-cbc ipsec ike group 1 modp1024 ipsec ike hash 1 sha # This line stores the Pre Shared Key used to authenticate the # tunnel endpoints. # ipsec ike pre-shared-key 1 text AWSで発行された事前共有キーが入ってます # #2: IPSec Configuration # The IPSec policy defines the encryption, authentication, and IPSec # mode parameters. # Note that there are a global list of IPSec policies, each identified by # sequence number. This policy is defined as #201, which may conflict with # an existing policy using the same number. If so, we recommend changing # the sequence number to avoid conflicts. # ipsec tunnel 201 ipsec sa policy 201 1 esp aes-cbc sha-hmac # The IPSec profile references the IPSec policy and further defines # the Diffie-Hellman group and security association lifetime. ipsec ike duration ipsec-sa 1 3600 ipsec ike pfs 1 on # Additional parameters of the IPSec configuration are set here. Note that # these parameters are global and therefore impact other IPSec # associations. # This option instructs the router to clear the "Don't Fragment" # bit from packets that carry this bit and yet must be fragmented, enabling # them to be fragmented. # ipsec tunnel outer df-bit clear # This option enables IPSec Dead Peer Detection, which causes periodic # messages to be sent to ensure a Security Association remains operational. ipsec ike keepalive use 1 on dpd 10 3 # -------------------------------------------------------------------------------- # #3: Tunnel Interface Configuration # # A tunnel interface is configured to be the logical interface associated # with the tunnel. All traffic routed to the tunnel interface will be # encrypted and transmitted to the VPC. Similarly, traffic from the VPC # will be logically received on this interface. # # The address of the interface is configured with the setup for your # Customer Gateway. If the address changes, the Customer Gateway and VPN # Connection must be recreated with Amazon VPC. # ipsec ike local address 1 x.x.x.x(接続する自身の固定グローバルIP) ipsec ike remote address 1 接続先id1 ip tunnel address 発行されたBGP Local Address ip tunnel remote address 発行されたBGP Remote Address # This option causes the router to reduce the Maximum Segment Size of # TCP packets to prevent packet fragmentation ip tunnel tcp mss limit 1387 tunnel enable 1 tunnel select none ipsec auto refresh on # -------------------------------------------------------------------------------- # -------------------------------------------------------------------------------- # #4: Border Gateway Protocol (BGP) Configuration # # BGP is used within the tunnel to exchange prefixes between the # Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway # will announce the prefix corresponding to your VPC. # # Your Customer Gateway may announce a default route (0.0.0.0/0), # which can be done with the 'network' and 'default-originate' statements. # # The BGP timers are adjusted to provide more rapid detection of outages. # # The local BGP Autonomous System Number (ASN) (65000) is configured # as part of your Customer Gateway. If the ASN must be changed, the # Customer Gateway and VPN Connection will need to be recreated with AWS. # bgp use on bgp autonomous-system 65000 bgp neighbor 1 10124 発行されたBGP Remote Address hold-time=30 local-address=発行されたBGP Local Address # To advertise additional prefixes to Amazon VPC, copy the 'network' statement and # identify the prefix you wish to advertise. Make sure the # prefix is present in the routing table of the device with a valid next-hop. # For example, the following two lines will advertise 192.168.0.0/16 and 10.0.0.0/16 to Amazon VPC # # bgp import filter 1 equal 10.0.0.0/16 # bgp import filter 1 equal 192.168.0.0/16 # bgp import filter 1 equal 0.0.0.0/0 bgp import 10124 static filter 1 # -------------------------------------------------------------------------------- # IPSec Tunnel #2 # -------------------------------------------------------------------------------- # #1: Internet Key Exchange (IKE) Configuration # # A policy is established for the supported ISAKMP encryption, # authentication, Diffie-Hellman, lifetime, and key parameters. # tunnel select 2 ipsec ike encryption 2 aes-cbc ipsec ike group 2 modp1024 ipsec ike hash 2 sha # This line stores the Pre Shared Key used to authenticate the # tunnel endpoints. # ipsec ike pre-shared-key 2 text AWSで発行された事前共有キーが入ってます # #2: IPSec Configuration # The IPSec policy defines the encryption, authentication, and IPSec # mode parameters. # Note that there are a global list of IPSec policies, each identified by # sequence number. This policy is defined as #202, which may conflict with # an existing policy using the same number. If so, we recommend changing # the sequence number to avoid conflicts. # ipsec tunnel 202 ipsec sa policy 202 2 esp aes-cbc sha-hmac # The IPSec profile references the IPSec policy and further defines # the Diffie-Hellman group and security association lifetime. ipsec ike duration ipsec-sa 2 3600 ipsec ike pfs 2 on # Additional parameters of the IPSec configuration are set here. Note that # these parameters are global and therefore impact other IPSec # associations. # This option instructs the router to clear the "Don't Fragment" # bit from packets that carry this bit and yet must be fragmented, enabling # them to be fragmented. # ipsec tunnel outer df-bit clear # This option enables IPSec Dead Peer Detection, which causes periodic # messages to be sent to ensure a Security Association remains operational. ipsec ike keepalive use 2 on dpd 10 3 # -------------------------------------------------------------------------------- # #3: Tunnel Interface Configuration # # A tunnel interface is configured to be the logical interface associated # with the tunnel. All traffic routed to the tunnel interface will be # encrypted and transmitted to the VPC. Similarly, traffic from the VPC # will be logically received on this interface. # # The address of the interface is configured with the setup for your # Customer Gateway. If the address changes, the Customer Gateway and VPN # Connection must be recreated with Amazon VPC. # ipsec ike local address 2 x.x.x.x(接続する自身の固定グローバルIP) ipsec ike remote address 2 接続先id2 ip tunnel address 発行されたBGP Local Address2 ip tunnel remote address 発行されたBGP Remote Address2 # This option causes the router to reduce the Maximum Segment Size of # TCP packets to prevent packet fragmentation ip tunnel tcp mss limit 1387 tunnel enable 2 tunnel select none ipsec auto refresh on # -------------------------------------------------------------------------------- # -------------------------------------------------------------------------------- # #4: Border Gateway Protocol (BGP) Configuration # # BGP is used within the tunnel to exchange prefixes between the # Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway # will announce the prefix corresponding to your VPC. # # Your Customer Gateway may announce a default route (0.0.0.0/0), # which can be done with the 'network' and 'default-originate' statements. # # The BGP timers are adjusted to provide more rapid detection of outages. # # The local BGP Autonomous System Number (ASN) (65000) is configured # as part of your Customer Gateway. If the ASN must be changed, the # Customer Gateway and VPN Connection will need to be recreated with AWS. # bgp use on bgp autonomous-system 65000 bgp neighbor 2 10124 発行されたBGP Remote Address2 hold-time=30 local-address=発行されたBGP Local Address2 # To advertise additional prefixes to Amazon VPC, copy the 'network' statement and # identify the prefix you wish to advertise. Make sure the # prefix is present in the routing table of the device with a valid next-hop. # For example, the following two lines will advertise 192.168.0.0/16 and 10.0.0.0/16 to Amazon VPC # # bgp import filter 1 equal 10.0.0.0/16 # bgp import filter 1 equal 192.168.0.0/16 # bgp import filter 1 equal 0.0.0.0/0 bgp import 10124 static filter 1 bgp configure refresh # Additional Notes and Questions # - Amazon Virtual Private Cloud Getting Started Guide: # http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide # - Amazon Virtual Private Cloud Network Administrator Guide: # http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide # - Yamaha router's manual: # http://www.rtpro.yamaha.co.jp/RT/docs/amazon-vpc/index.html # - XSL Version: 2009-07-15-1119716 tunnel select 1 tunnel name "Amazon VPC tunnel 1" tunnel select 2 tunnel name "Amazon VPC tunnel 2"
VPNの調整
少しだけ調整します。
1つは、 VPCに名称を付けます。
tunnel select 1 tunnel name "Amazon VPC tunnel 1" tunnel select 2 tunnel name "Amazon VPC tunnel 2"
もう1つは、 keepalive コマンドが、dpdから hearbeatになってしまうため、再度 dpdを指定します。
heartbeat では、 IP Tunnel が UP/Down を 30秒ごとに繰り返すため、必ず修正しましょう。
tunnel select 1 ipsec ike keepalive use 1 on dpd 10 3 tunnel select 2 ipsec ike keepalive use 2 on dpd 10 3
VPNの route table設定
Web Console > [詳細設定と情報] > [VPN接続の設定] > [VPN接続設定の修正(TUNNEL[01])] に行くとわかりますが、VPNには 接続までのその他の経路
が入っていません。
このために、Web Console上で VPN 設定に変更を加えようとすると経路設定を求められます。
必要に応じて設定してもいいですが、いったんは不要です。
設定確認 (RTX810編)
まずは、手元で設定を確認します。
IPsecの動作確認
まずは、 IPsec状態から。
configにあった 接続先idが存在しています。
# show ipsec sa Total: isakmp:2 send:2 recv:2 sa sgw isakmp connection dir life[s] remote-id ----------------------------------------------------------------------------- 1 1 - isakmp - 24148 接続先id1 2 2 - isakmp - 24149 接続先id2 7 1 1 tun[001]esp send 1657 接続先id1 8 1 1 tun[001]esp recv 1657 接続先id1 9 2 2 tun[002]esp send 1658 接続先id2 10 2 2 tun[002]esp recv 1658 接続先id2 #
BGPの動作確認
BGP接続を確認します。
# show status bgp neighbor BGP neighbor is 発行されたBGP Remote Address, remote AS 10124, local AS 65000, external link BGP version 4, remote router ID 発行されたBGP Remote Address BGP state = Established, up for 01:20:49 Last read 00:00:01, hold time is 30, keepalive interval is 10 seconds Received 724 messages, 0 notifications, 0 in queue Sent 748 messages, 25 notifications, 0 in queue Connection established 26; dropped 25 Last reset 01:20:56 Local host: 発行されたBGP Local Address, Local port: 1079 Foreign host: 発行されたBGP Remote Address, Foreign port: 179 BGP neighbor is 発行されたBGP Remote Address2, remote AS 10124, local AS 65000, external link BGP version 4, remote router ID 発行されたBGP Remote Address2 BGP state = Established, up for 01:20:44 Last read 00:00:02, hold time is 30, keepalive interval is 10 seconds Received 627 messages, 0 notifications, 0 in queue Sent 642 messages, 23 notifications, 0 in queue Connection established 23; dropped 22 Last reset 01:20:56 Local host: 発行されたBGP Local Address2, Local port: 1080 Foreign host: 発行されたBGP Remote Address2, Foreign port: 179 #
経路確認
route を確認します。
# show ip route 宛先ネットワーク ゲートウェイ インタフェース 種別 付加情報 default - PP[01] static 10.0.0.0/16 発行されたBGP Remote Address TUNNEL[2] BGP path=10124 BGPホップ/30 - TUNNEL[2] implicit BGPホップ/30 - TUNNEL[1] implicit 192.168.11.0/24 192.168.100.254 LAN1 implicit 発行されたRemote id/32 - PP[01] temporary 発行されたRemote id/32 - PP[01] temporary z.z.z.z/32 - PP[01] temporary #
web console の確認
目で見て確認できるのでいいですね。
設定確認 (AWS編)
pingの前に VPC先でどの VPC Subnet にルーティングするか route tableで設定が必要です。
つまり、 VPC > VPC Subnet の Route Table に対するtargetとして作成したVPNを設定しないとルーティングされません。
*4
試しに、VPNがつながった状態で、route設定せずにpingを試すと....。
PS D:\> ping 10.0.3.100 Request timed out. Request timed out. Request timed out. Request timed out. Ping statistics for 10.0.3.100: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
と、当然宛先がないのでロストします。
Route Tables 設定
- Virtual Private Cloud へ
- Route Tables へ
- 設定したいRoute Table idを選択 (VPC と Associate された VPC Subnetで確認します)
- Routes に 追加します
Destination : VPN 接続先の自分の Subnet (この例では 192.168.100.0/32) Target : 作成した vgw-hogehogehoge
これで、 手元の 192.168.100.0/32 から 対象の VPC Subnet (10.0.3.0/32) への ping がルーティングされたことを確認できます。
PS D:\> ping 10.0.3.100 Pinging 10.0.3.100 with 32 bytes of data: Reply from 10.0.3.100: bytes=32 time=12ms TTL=125 Reply from 10.0.3.100: bytes=32 time=12ms TTL=125 Reply from 10.0.3.100: bytes=32 time=11ms TTL=125 Reply from 10.0.3.100: bytes=32 time=12ms TTL=125 Ping statistics for 10.0.3.100: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 11ms, Maximum = 12ms, Average = 11ms
VPN Status
最後に、AWS側の VPN Statusを確認してください。
なお、IPsec設定はconfig投入で自動的に2本作られ、冗長化されます。 BGPパケットを RTX810側で止めるこることで、確認もできますよ。
BGP間の通信は問題ないのにpingやTCP疎通が確認できない場合
route tableの設定もできているなら、残るは AWSなら VPC の Network ACLか、Secutiry Groups
設定です。
一時的に ICMPを許可してあげてください。 (デフォルト全て遮断のため、明示的に Passを与える)
あるいは、 OSの ICMPの可能性もあるので、 iptables か Firewall で ICMPを許可してみるのもいいでしょう。 (そもそも VPC内部のInstance 同士で PingがつながるならOSの可能性はありません)
まとめ
IPsec 接続では、IKEなどでいくつか気を付けることがありますが、 AWSからダウンロードした configでそこは設定されているのであまり意識する必要はありません。 もちろん、追加設定したほうがいい点もありますが、おおよそいい感じかと思います。