(RTX810 build series 2/7) Building a Hardware VPN between a Yamaha RTX810 and Amazon VPC

After the remote-access VPN using L2TP/IPsec from last time, next is a LAN-to-LAN VPN with Amazon VPC.

Let's get right into it.

Prerequisites

This time too, we'll work with a single global (static) IP. We also start from an environment that already has, on AWS, a VPC with one subnet and one instance, and add a Hardware VPN to it along the way. *1

Static global IP : x.x.x.x
RTX810 LAN-side IP : 192.168.100.254

Amazon VPC : Private VPC
VPC CIDR : 10.0.0.0/16 (vpc-d123123123)
Target VPC Subnet : 10.0.3.0/24
Target VPC Instance : 10.0.3.150/24

AWS-side settings

Checking the VPC settings

First, note the id and CIDR of the VPC you will connect to.

  1. Sign in to the AWS Management Console
  2. Go to VPC
  3. Your VPCs > check the VPC you want to configure (note the VPC id and CIDR) *2
  4. If needed, check under Virtual Private Clouds > Route Tables that the VPC Subnet you need to reach is really associated with that VPC id

Customer Gateway

Register the static global IP of your own environment, the side that will connect over the VPN.

  1. Go to Customer Gateway
  2. Create with Create Customer Gateway
Routing : create as Static
IP Address : x.x.x.x (enter your own static global IP used for the connection)

Virtual Private Gateway

Register the VPC to be connected over the VPN.

  1. Go to Virtual Private Gateway
  2. Create Virtual Private Gateway
  3. Choose Yes, Create to create the Gateway
  4. Attach the VPC to connect
Select the Virtual Private Gateway you created and choose Attach to VPC
Select the VPC you want to connect. (In this case vpc-d123123123, 10.0.0.0/16)

VPN Connections

Associate the Customer Gateway and Virtual Private Gateway you created.

  1. Go to VPN Connections
  2. Create VPN Connections
  3. Select the Customer Gateway and Virtual Private Gateway to associate
  4. Select Use Dynamic Routing (requires BGP)

Downloading the VPN Configuration : VPN Connections

Download the IPsec configuration for connecting to the VPN Connection you created.

Using it greatly simplifies entering the IPsec settings on your own side.

  1. Go to VPN Connections
  2. Choose Download
Vendor > select Yamaha
Platform > RTX Routers
Software > there should be only one choice (Rev10.xx.x)

That completes the AWS-side settings for now. (We'll come back to configure more, so leave it as is.)

Yamaha RTX810-side settings

Next, load the settings generated for the AWS VPC into the RTX 810.

Moving the L2TP settings from tunnel 1 to tunnel 3

First, move the L2TP settings created last time to tunnel 3 *3

  1. Log in to the RTX 810 (Web or Console)
  2. Run the following commands to move the L2TP settings

First, delete the tunnel 1 settings.

# delete tunnel 1
pp select anonymous # Accept L2TP VPN
no pp bind tunnel1 

tunnel select 1
 no tunnel encapsulation l2tp # declare l2tp vpn
 no ipsec tunnel 1
 no ipsec sa policy 1 1 esp aes-cbc sha-hmac # use esp as aes and sha-hmac (you cannot use sha256-hmac with iPhone)
 no ipsec ike keepalive use 1 off
 no ipsec ike local address 1 192.168.100.254 # Router address
 no ipsec ike nat-traversal 1 on # required if assgin private address
 no ipsec ike pre-shared-key 1 text hogehoge # password for l2tp
 no ipsec ike remote address 1 any # accept any address
 no l2tp tunnel disconnect time off # do not disconnect while connecting
 no l2tp keepalive use on 10 3 # send keepalive packet while 10 second for 3 down detection
 no l2tp keepalive log on
 no l2tp syslog on
 no ip tunnel tcp mss limit auto # limit for TCP session MSS
 tunnel disable 1

no ipsec transport 1 1 udp 1701 # ipsec transport mode for tunnel 1
no ipsec auto refresh on

Next, add the tunnel 3 settings.

# bind tunnel 3
tunnel select 3
 tunnel encapsulation l2tp
 ipsec tunnel 3
  ipsec sa policy 3 3 esp aes-cbc sha-hmac
  ipsec ike keepalive use 3 off
  ipsec ike local address 3 192.168.100.254
  ipsec ike nat-traversal 3 on
  ipsec ike pre-shared-key 3 text hogehoge
  ipsec ike remote address 3 any
 l2tp tunnel auth off 
 l2tp tunnel disconnect time off
 l2tp keepalive use on 10 3
 l2tp keepalive log on
 l2tp syslog on
 ip tunnel tcp mss limit auto
 tunnel enable 3

ipsec transport 3 3 udp 1701 # ipsec transport mode for tunnel 3
ipsec auto refresh on

pp select anonymous # Accept L2TP VPN
 pp bind tunnel3

Save.

save

Loading the AWS VPC - Hardware VPN config

Load the downloaded config as is. (It can be adjusted afterwards.)

For example, a config like the following.

# Amazon Web Services
# Virtual Private Cloud

# AWS utilizes unique identifiers to manage the configuration of 
# a VPN Connection. Each VPN Connection is assigned an identifier and is 
# associated with two other identifiers, namely the 
# Customer Gateway Identifier and Virtual Private Gateway Identifier.
#
# Your VPN Connection ID            : vpn-hogehoge
# Your Virtual Private Gateway ID           : vgw-fugafuga
# Your Customer Gateway ID          : cgw-piyopiyo
#
#
# This configuration consists of two tunnels. Both tunnels must be 
# configured on your Customer Gateway.
#
# --------------------------------------------------------------------------------
# IPSec Tunnel #1
# --------------------------------------------------------------------------------


# #1: Internet Key Exchange (IKE) Configuration
#
# A policy is established for the supported ISAKMP encryption, 
# authentication, Diffie-Hellman, lifetime, and key parameters.
#
      tunnel select 1 
    ipsec ike encryption 1 aes-cbc
    ipsec ike group 1 modp1024
    ipsec ike hash 1 sha

# This line stores the Pre Shared Key used to authenticate the 
# tunnel endpoints.
#
       ipsec ike pre-shared-key 1 text AWSで発行された事前共有キーが入ってます

# #2: IPSec Configuration

# The IPSec policy defines the encryption, authentication, and IPSec
# mode parameters.

# Note that there are a global list of IPSec policies, each identified by 
# sequence number. This policy is defined as #201, which may conflict with
# an existing policy using the same number. If so, we recommend changing 
# the sequence number to avoid conflicts.
#

        ipsec tunnel 201
        ipsec sa policy 201 1 esp aes-cbc  sha-hmac

# The IPSec profile references the IPSec policy and further defines
# the Diffie-Hellman group and security association lifetime.

     ipsec ike duration ipsec-sa 1 3600
        ipsec ike pfs 1 on

# Additional parameters of the IPSec configuration are set here. Note that 
# these parameters are global and therefore impact other IPSec 
# associations.
# This option instructs the router to clear the "Don't Fragment" 
# bit from packets that carry this bit and yet must be fragmented, enabling
# them to be fragmented.
#
    ipsec tunnel outer df-bit clear

# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.

        ipsec ike keepalive use 1 on dpd 10 3

# --------------------------------------------------------------------------------
# #3: Tunnel Interface Configuration
#  
# A tunnel interface is configured to be the logical interface associated  
# with the tunnel. All traffic routed to the tunnel interface will be 
# encrypted and transmitted to the VPC. Similarly, traffic from the VPC
# will be logically received on this interface.
#
# The address of the interface is configured with the setup for your 
# Customer Gateway.  If the address changes, the Customer Gateway and VPN 
# Connection must be recreated with Amazon VPC.
#
    ipsec ike local address 1 x.x.x.x(接続する自身の固定グローバルIP)
    ipsec ike remote address 1 接続先id1
    ip tunnel address 発行されたBGP Local Address
    ip tunnel remote address 発行されたBGP Remote Address

   # This option causes the router to reduce the Maximum Segment Size of
    # TCP packets to prevent packet fragmentation

   ip tunnel tcp mss limit 1387
    tunnel enable 1
    tunnel select none
        ipsec auto refresh on

# --------------------------------------------------------------------------------


# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#                                                                                     
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway    
# will announce the prefix corresponding to your VPC.
#            
# Your Customer Gateway may announce a default route (0.0.0.0/0), 
# which can be done with the 'network' and 'default-originate' statements.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the 
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
    bgp use on
    bgp autonomous-system 65000
    bgp neighbor 1 10124 発行されたBGP Remote Address hold-time=30 local-address=発行されたBGP Local Address

# To advertise additional prefixes to Amazon VPC, copy the 'network' statement and 
# identify the prefix you wish to advertise. Make sure the 
# prefix is present in the routing table of the device with a valid next-hop.
# For example, the following two lines will advertise 192.168.0.0/16 and 10.0.0.0/16 to Amazon VPC
#
# bgp import filter 1 equal 10.0.0.0/16
# bgp import filter 1 equal 192.168.0.0/16
#

    bgp import filter 1 equal 0.0.0.0/0
    bgp import 10124 static filter 1
# --------------------------------------------------------------------------------
# IPSec Tunnel #2
# --------------------------------------------------------------------------------


# #1: Internet Key Exchange (IKE) Configuration
#
# A policy is established for the supported ISAKMP encryption, 
# authentication, Diffie-Hellman, lifetime, and key parameters.
#
      tunnel select 2 
    ipsec ike encryption 2 aes-cbc
    ipsec ike group 2 modp1024
    ipsec ike hash 2 sha

# This line stores the Pre Shared Key used to authenticate the 
# tunnel endpoints.
#
       ipsec ike pre-shared-key 2 text AWSで発行された事前共有キーが入ってます

# #2: IPSec Configuration

# The IPSec policy defines the encryption, authentication, and IPSec
# mode parameters.

# Note that there are a global list of IPSec policies, each identified by 
# sequence number. This policy is defined as #202, which may conflict with
# an existing policy using the same number. If so, we recommend changing 
# the sequence number to avoid conflicts.
#

        ipsec tunnel 202
        ipsec sa policy 202 2 esp aes-cbc  sha-hmac

# The IPSec profile references the IPSec policy and further defines
# the Diffie-Hellman group and security association lifetime.

     ipsec ike duration ipsec-sa 2 3600
        ipsec ike pfs 2 on

# Additional parameters of the IPSec configuration are set here. Note that 
# these parameters are global and therefore impact other IPSec 
# associations.
# This option instructs the router to clear the "Don't Fragment" 
# bit from packets that carry this bit and yet must be fragmented, enabling
# them to be fragmented.
#
    ipsec tunnel outer df-bit clear

# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.

        ipsec ike keepalive use 2 on dpd 10 3

# --------------------------------------------------------------------------------
# #3: Tunnel Interface Configuration
#  
# A tunnel interface is configured to be the logical interface associated  
# with the tunnel. All traffic routed to the tunnel interface will be 
# encrypted and transmitted to the VPC. Similarly, traffic from the VPC
# will be logically received on this interface.
#
# The address of the interface is configured with the setup for your 
# Customer Gateway.  If the address changes, the Customer Gateway and VPN 
# Connection must be recreated with Amazon VPC.
#
    ipsec ike local address 2 x.x.x.x(接続する自身の固定グローバルIP)
    ipsec ike remote address 2 接続先id2
    ip tunnel address 発行されたBGP Local Address2
    ip tunnel remote address 発行されたBGP Remote Address2

   # This option causes the router to reduce the Maximum Segment Size of
    # TCP packets to prevent packet fragmentation

   ip tunnel tcp mss limit 1387
    tunnel enable 2
    tunnel select none
        ipsec auto refresh on

# --------------------------------------------------------------------------------


# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#                                                                                     
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway    
# will announce the prefix corresponding to your VPC.
#            
# Your Customer Gateway may announce a default route (0.0.0.0/0), 
# which can be done with the 'network' and 'default-originate' statements.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the 
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
    bgp use on
    bgp autonomous-system 65000
    bgp neighbor 2 10124 発行されたBGP Remote Address2 hold-time=30 local-address=発行されたBGP Local Address2

# To advertise additional prefixes to Amazon VPC, copy the 'network' statement and 
# identify the prefix you wish to advertise. Make sure the 
# prefix is present in the routing table of the device with a valid next-hop.
# For example, the following two lines will advertise 192.168.0.0/16 and 10.0.0.0/16 to Amazon VPC
#
# bgp import filter 1 equal 10.0.0.0/16
# bgp import filter 1 equal 192.168.0.0/16
#

    bgp import filter 1 equal 0.0.0.0/0
    bgp import 10124 static filter 1

    bgp configure refresh 


# Additional Notes and Questions
#  - Amazon Virtual Private Cloud Getting Started Guide: 
#       http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
#  - Amazon Virtual Private Cloud Network Administrator Guide: 
#       http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
#  - Yamaha router's manual:
#    http://www.rtpro.yamaha.co.jp/RT/docs/amazon-vpc/index.html
#  - XSL Version: 2009-07-15-1119716


Adjusting the VPN

A couple of small adjustments.

First, give the VPC tunnels a name.

tunnel select 1
 tunnel name "Amazon VPC tunnel 1"

tunnel select 2
 tunnel name "Amazon VPC tunnel 2"

Second, the keepalive command ends up changed from dpd to heartbeat, so specify dpd again.

With heartbeat the IP tunnel goes UP/Down every 30 seconds, so be sure to fix this.

tunnel select 1
ipsec ike keepalive use 1 on dpd 10 3

tunnel select 2
ipsec ike keepalive use 2 on dpd 10 3
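As an added example (not code from the post, Yamaha or AWS), a small Python lint over an RTX config text for the two pitfalls covered by this section and the earlier tunnel-3 section: an L2TP tunnel still occupying a tunnel number that the AWS config claims, and an AWS tunnel whose effective keepalive is heartbeat rather than dpd. The sample config is constructed; tunnel numbers 1 and 2 and policy numbers 201/202 follow the downloaded config.

```python
import re
from collections import defaultdict

# Constructed sample (not from the post): the downloaded AWS config pasted while the
# earlier L2TP tunnel still sits on tunnel 1, with the tunnel-1 keepalive as heartbeat.
SAMPLE_CONFIG = """\
tunnel select 1
 tunnel encapsulation l2tp
 ipsec tunnel 1
  ipsec sa policy 1 1 esp aes-cbc sha-hmac
  ipsec ike keepalive use 1 off
tunnel select 1
 ipsec tunnel 201
  ipsec sa policy 201 1 esp aes-cbc sha-hmac
  ipsec ike keepalive use 1 on heartbeat 10 3
tunnel select 2
 ipsec tunnel 202
  ipsec sa policy 202 2 esp aes-cbc sha-hmac
  ipsec ike keepalive use 2 on dpd 10 3
tunnel select none
"""


def parse_tunnels(config):
    """Group commands under the tunnel selected before them; global commands
    (outside any 'tunnel select N', or after 'tunnel select none') are skipped."""
    tunnels = defaultdict(list)
    current = None
    for raw in config.splitlines():
        cmd = raw.strip()
        m = re.fullmatch(r"tunnel select (\d+|none)", cmd)
        if m:
            current = None if m.group(1) == "none" else int(m.group(1))
        elif cmd and current is not None:
            tunnels[current].append(cmd)
    return tunnels


def lint(config, aws_tunnels=(1, 2)):
    """Report an L2TP tunnel colliding with an AWS tunnel number, and an AWS
    tunnel whose effective keepalive is not dpd (heartbeat flaps it every 30 s)."""
    findings = []
    tunnels = parse_tunnels(config)
    for n in aws_tunnels:
        cmds = tunnels.get(n, [])
        if any(c.startswith("tunnel encapsulation l2tp") for c in cmds):
            findings.append(f"tunnel {n}: L2TP still bound here, move it to another tunnel")
        # The router keeps only the last keepalive command issued for a tunnel.
        keepalive = [c for c in cmds if c.startswith(f"ipsec ike keepalive use {n} ")]
        if not keepalive:
            findings.append(f"tunnel {n}: no keepalive configured")
        elif f"ipsec ike keepalive use {n} on dpd" not in keepalive[-1]:
            findings.append(f"tunnel {n}: keepalive is not dpd ({keepalive[-1]})")
    return findings
```

Feed it the output of `show config` from the router; an empty list means both AWS tunnels are free of L2TP and run dpd.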

VPN route table settings

As you can see at Web Console > [Advanced Settings and Information] > [VPN Connection Settings] > [Modify VPN Connection Settings (TUNNEL[01])], the VPN has no other routes configured towards the connection.

Because of this, when you try to change the VPN settings from the Web Console, you are asked to configure routes.

You can set them if you need to, but for now they are unnecessary.

Checking the settings (RTX810 side)

First, verify the settings locally.

Checking IPsec operation

Start with the IPsec status.

The remote ids (接続先id) that appeared in the config are present.

# show ipsec sa
Total: isakmp:2 send:2 recv:2

sa   sgw isakmp connection   dir  life[s] remote-id
-----------------------------------------------------------------------------
1     1    -    isakmp       -    24148   接続先id1
2     2    -    isakmp       -    24149   接続先id2
7     1    1    tun[001]esp  send 1657    接続先id1
8     1    1    tun[001]esp  recv 1657    接続先id1
9     2    2    tun[002]esp  send 1658    接続先id2
10    2    2    tun[002]esp  recv 1658    接続先id2

# 

Checking BGP operation

Check the BGP connections.

# show status bgp neighbor
BGP neighbor is 発行されたBGP Remote Address, remote AS 10124, local AS 65000, external link
  BGP version 4, remote router ID 発行されたBGP Remote Address
  BGP state = Established, up for 01:20:49
  Last read 00:00:01, hold time is 30, keepalive interval is 10 seconds
  Received 724 messages, 0 notifications, 0 in queue
  Sent 748 messages, 25 notifications, 0 in queue
  Connection established 26; dropped 25
  Last reset 01:20:56
Local host: 発行されたBGP Local Address, Local port: 1079
Foreign host: 発行されたBGP Remote Address, Foreign port: 179

BGP neighbor is 発行されたBGP Remote Address2, remote AS 10124, local AS 65000, external link
  BGP version 4, remote router ID 発行されたBGP Remote Address2
  BGP state = Established, up for 01:20:44
  Last read 00:00:02, hold time is 30, keepalive interval is 10 seconds
  Received 627 messages, 0 notifications, 0 in queue
  Sent 642 messages, 23 notifications, 0 in queue
  Connection established 23; dropped 22
  Last reset 01:20:56
Local host: 発行されたBGP Local Address2, Local port: 1080
Foreign host: 発行されたBGP Remote Address2, Foreign port: 179

# 

Checking the routes

Check the routes.

# show ip route
宛先ネットワーク           ゲートウェイ                      インタフェース   種別     付加情報
default                    -                                PP[01]      static  
10.0.0.0/16                発行されたBGP Remote Address      TUNNEL[2]   BGP       path=10124
BGPホップ/30               -                                TUNNEL[2]   implicit  
BGPホップ/30               -                                TUNNEL[1]   implicit  
192.168.11.0/24            192.168.100.254                   LAN1        implicit  
発行されたRemote id/32      -                               PP[01]      temporary  
発行されたRemote id/32      -                               PP[01]      temporary  
z.z.z.z/32                  -                              PP[01]      temporary  
# 

Checking in the web console

It's nice to be able to verify it visually.

Checking the settings (AWS side)

Before pinging, you must set up a route table on the VPC side that says which VPC Subnet to route to.

In other words, unless the VPN you created is set as the target in the Route Table of VPC > VPC Subnet, nothing is routed. *4

As a test, with the VPN connected but without the route configured, try a ping...

PS D:\> ping 10.0.3.100
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 10.0.3.100:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

...and, as expected, since there is no route to the destination, the packets are lost.

Route Tables settings

  1. Go to Virtual Private Cloud
  2. Go to Route Tables
  3. Select the Route Table id to configure (check it against the VPC Subnet associated with the VPC)
  4. Add to Routes
Destination : your own Subnet on the VPN side (in this example 192.168.100.0/32)
Target : the vgw-hogehogehoge you created

Now you can confirm that a ping from the local 192.168.100.0/32 to the target VPC Subnet (10.0.3.0/32) is routed.

PS D:\> ping 10.0.3.100

Pinging 10.0.3.100 with 32 bytes of data:
Reply from 10.0.3.100: bytes=32 time=12ms TTL=125
Reply from 10.0.3.100: bytes=32 time=12ms TTL=125
Reply from 10.0.3.100: bytes=32 time=11ms TTL=125
Reply from 10.0.3.100: bytes=32 time=12ms TTL=125

Ping statistics for 10.0.3.100:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 11ms, Maximum = 12ms, Average = 11ms

VPN Status

Finally, check the VPN Status on the AWS side.

Note that loading the config automatically creates two IPsec tunnels, giving redundancy. You can verify this by blocking the BGP packets on the RTX810 side.

When BGP traffic is fine but ping or TCP connectivity cannot be confirmed

If the route table is also in place, what remains on AWS is the VPC Network ACL or the Security Groups settings.

Temporarily allow ICMP. (Everything is denied by default, so you must explicitly grant a Pass.)

Alternatively, the OS's own ICMP handling may be the cause, so try allowing ICMP in iptables or the Firewall. (If pings between instances inside the VPC already work, the OS is not the cause.)

Summary

With an IPsec connection there are several things to watch out for, IKE among them, but the config downloaded from AWS already takes care of those, so there is little need to worry about them. There are of course points where additional configuration would be better, but overall it seems to be in good shape.

*1: Most people seem to create this together with a new VPC, so this setup is usually absent

*2: Here vpc-d123123123, 10.0.0.0/16

*3: Because the configuration AWS generates uses tunnel select 1

*4: Note that route propagation does not allow setting the target.