Amazon VPC VPN

2014.12.25

Amazon Web Services Amazon VPC VPN

2

1. .............................................................................. 4

1.1. ...................................................................................................... 4

1.2. ........................................................................................................ 4

1.3. AWS VPN ............................................................................ 4

2. ............................................................................................ 5

2.1. (Customer Gateway) ............................................ 5

2.2. ............................................................................... 6

3. ............................................................................................ 8

3.1. AWS ............................................................ 9

3.1.1. VPC ................................................................ 10

3.1.2. Virtual Private Gateway ............................................................ 12

3.1.3. VPN Connection ....................................................................... 13

3.1.4. Customer Gateway ............... 15

3.1.5. .............................................................. 16

3.2. Customer Gateway ........................................................................ 18

3.2.1. IKE ........................................................................................ 18

3.2.2. IPsec ...................................................................................... 20

3.2.3. Tunnel ............................................................... 22

3.2.4. ............................................................................... 23

3.3. ................................................................................................. 24

4. .......................................................................................... 26

Amazon Web Services Amazon VPC VPN

3

Amazon Web Services Amazon VPC VPN

4

1.

1.1.

VPN(Virtual Private Network)

Amazon VPC(Virtual Private Cloud) AWS

Customer Gateway

VGW(Virtual Private Gateway) AWS

1.2.

Amazon Web Services Amazon VPC(Virtual Private Cloud)

VPN(Virtual Private Network)

1.3. AWS VPN

Amazon VPC VPN VPN

Amazon Virtual Private Gateway

Amazon Web Services Amazon VPC VPN

5

2. VPN

2.1. (Customer Gateway)

VPN (Customer Gateway)

AWS

https://aws.amazon.com/jp/vpc/faqs/#C9

IPsec

IKE 1

IKE 1 AES 128-bit

IKE 1 Pre-Shared Key

IKE 1 SHA-1

IKE 1DH 2

IKE 1lifetime 28800

IPsec 2

IPsec 2 AES 128-bit

IPsec 2 HMAC

Amazon Web Services Amazon VPC VPN

6

IPsec 2 SHA-1

IPsec 2PFS 2

IPsec 2lifetime 3600

IPSec Dead Peer Detection

IP

NAT IPsec NAT

BGP(Border Gateway Protocol)

Static BGP

BGP

BGP MD5

2.2.

VPN

AWS VPN IP #A AWS

AWS VPN IP #B

Customer Gateway VPN IP

IP

A (/30)

VGW Customer Gateway

IP

B

AS (BGP ) AS 64512~65534

Amazon Web Services Amazon VPC VPN

7

BGP (BGP ) BGP 6

VPC

Amazon Web Services Amazon VPC VPN

8

3.

Customer Gateway VPC

Amazon Web Services Amazon VPC VPN

9

AWS VPN #A 72.21.209.225 AWS

IP

AWS VPN #B 72.21.209.193

Customer Gateway 203.0.113.100

A 169.254.255.0/30

AWS A 169.254.255.1

Customer Gateway

A

169.264.255.2

B 169.254.255.4/30

AWS B 169.254.255.5

Customer Gateway

B

169.254.255.6

AS 65001 AS 64512~65534

BGP aws99999 6

192.168.10.0/24

3.1. AWS

AWS

VPC

AWS

Amazon Web Services Amazon VPC VPN

10

VGW(Virtual Gateway)

AWS VPN Virtual Gateway VPC

Customer Gateway

VPN Customer Gateway

VPN Connection

VPN VPN

VGW

3.1.1. VPC

[Services]-[VPC]VPC Dashboard

Create VPC

Create VPCName tag VPC CIDR block VPC

Amazon Web Services Amazon VPC VPN

11

VPC

VPC DashboardSubnets

Create Subnet

Create subnet

Name tag VPC

VPC VPC

Availability Zone

CIDR block(VPC

)

Yes, Create

Amazon Web Services Amazon VPC VPN

12

3.1.2. Virtual Private Gateway

[Services]-[VPC]VPC Connection

Virtual Private GatewayCreate Virtual Private Gateway

Create Virtual Private GatewayName tag VGWYes, Create

Amazon Web Services Amazon VPC VPN

13

VGW VGWAttach to VPC

Attach to VPCVPC VPC Yes, Attach

VGW Status attachingattached

3.1.3. VPN Connection

[Services]-[VPC]VPC Connections

VPN ConnectionsCreate VPN Connection

(BGP Static)

Create VPN ConnectionRouting OptionsDynamic (Requires BGP)

Name tag VPN

Amazon Web Services Amazon VPC VPN

14

Virtual Private Gateway VGW

Customer GatewayNew

IP Address Customer Gateway IP

BGP ASN AS

Yes Create

Create VPN ConnectionRouting OptionsStatic

Name tag VPN

Virtual Private Gateway VGW

Customer GatewayNew

IP Address Customer Gateway IP

Static IP Prefixes

Yes Create

Amazon Web Services Amazon VPC VPN

15

VPN Connection

3.1.4. Customer Gateway

Customer Gateway

AWS VPN IP IPsec

VPN Connection Download Configuration

VenderPlatformSoftware

Amazon Web Services Amazon VPC VPN

16

3.1.5.

[Services]-[VPC]Subnets

Route Table

Route Table: rtb- ID

RoutesEdit

Amazon Web Services Amazon VPC VPN

17

DestinationTarget VGW ID

VGW Save

Amazon Web Services Amazon VPC VPN

18

3.2. Customer Gateway

AWS documentation Amazon

Virtual Private Cloud Network Administrator Guide

http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco.html

3.2.1. IKE

VPN IKE()

Tunnel #A

!

crypto isakmp policy 200

encryption aes 128

authentication pre-share

group 2

lifetime 28800

hash sha

exit

!

crypto keyring keyring-vpn-xxxxxxxx-0

pre-shared-key address 72.21.209.225 key plain-text-password1

exit

!

crypto isakmp profile isakmp-vpn-xxxxxxxx-0

match identity address 72.21.209.225

keyring keyring-vpn-xxxxxxxx-0

exit

!

Tunnnel #B

!

crypto isakmp policy 201

Amazon Web Services Amazon VPC VPN

19

encryption aes 128

authentication pre-share

group 2

lifetime 28800

hash sha

exit

!

crypto keyring keyring-vpn-xxxxxxxx-1

pre-shared-key address 72.21.209.193 key plain-text-password2

exit

!

crypto isakmp profile isakmp-vpn-xxxxxxxx-1

match identity address 72.21.209.193

keyring keyring-vpn-xxxxxxxx-1

exit

!

Amazon Web Services Amazon VPC VPN

20

3.2.2. IPsec

VPN IPsec

Tunnel #A

!

crypto ipsec transform-set ipsec-prop-vpn-xxxxxxxx-0 esp-aes 128 esp-sha-hmac

mode tunnel

exit

!

crypto ipsec profile ipsec-vpn-xxxxxxxx-0

set pfs group2

set security-association lifetime seconds 3600

set transform-set ipsec-prop-vpn-xxxxxxxx-0

exit

!

crypto ipsec df-bit clear

!

crypto isakmp keepalive 10 10 on-demand

!

crypto ipsec security-association replay window-size 128

!

Tunnel #B

!

crypto ipsec transform-set ipsec-prop-vpn-xxxxxxxx-1 esp-aes 128 esp-sha-hmac

mode tunnel

exit

!

crypto ipsec profile ipsec-vpn-xxxxxxxx-1

set pfs group2

set security-association lifetime seconds 3600

set transform-set ipsec-prop-vpn-xxxxxxxx-1

Amazon Web Services Amazon VPC VPN

21

exit

!

crypto ipsec df-bit clear

!

crypto isakmp keepalive 10 10 on-demand

!

Amazon Web Services Amazon VPC VPN

22

3.2.3. Tunnel

Tunnel IP Tunnel

Tunnel #A

!

interface Tunnel1

ip address 169.254.255.2 255.255.255.252

ip virtual-reassembly

tunnel source 203.0.113.100

tunnel destination 72.21.209.225

tunnel mode ipsec ipv4

tunnel protection ipsec profile ipsec-vpn-xxxxxxxx-0

! This option causes the router to reduce the Maximum Segment Size of

! TCP packets to prevent packet fragmentation.

ip tcp adjust-mss 1396

no shutdown

exit

!

Tunnel #B

!

interface Tunnel2

ip address 169.254.255.6 255.255.255.252

ip virtual-reassembly

tunnel source 203.0.113.100

tunnel destination 72.21.209.193

tunnel mode ipsec ipv4

tunnel protection ipsec profile ipsec-vpn-xxxxxxxx-1

! This option causes the router to reduce the Maximum Segment Size of

! TCP packets to prevent packet fragmentation.

ip tcp adjust-mss 1396

Amazon Web Services Amazon VPC VPN

23

no shutdown

!

3.2.4.

BGP Static

!

router bgp 65001

neighbor 169.254.255.1 remote-as 7224

neighbor 169.254.255.1 activate

neighbor 169.254.255.1 timers 10 30 30

address-family ipv4 unicast

neighbor 169.254.255.1 remote-as 7224

neighbor 169.254.255.1 timers 10 30 30

neighbor 169.254.255.1 default-originate

neighbor 169.254.255.1 activate

neighbor 169.254.255.1 soft-reconfiguration inbound

network 0.0.0.0

exit

exit

!

!

ip route 10.0.0.0 255.255.0.0 Tunnel1 track 100

ip route 10.0.0.0 255.255.0.0 Tunnel2 track 200

!

ip sla 100

icmp-echo 169.254.255.1 source-interface Tunnel1

timeout 1000

Amazon Web Services Amazon VPC VPN

24

frequency 5

exit

ip sla schedule 100 life forever start-time now

track 100 ip sla 100 reachability

!

ip sla 200

icmp-echo 169.254.255.5 source-interface Tunnel2

timeout 1000

frequency 5

exit

ip sla schedule 200 life forever start-time now

track 200 ip sla 200 reachability

!

3.3.

AWS [VPC]-[VPN Connections] VPN

Tunnel DtailsStateUP

Amazon Web Services Amazon VPC VPN

25

VPC EC2 ping

Amazon Web Services Amazon VPC VPN

26

4. VPN

Amazon Virtual Private Cloud

http://docs.aws.amazon.com/ja_jp/AmazonVPC/latest/UserGuide/VPC_Introduction.html

Amazon Virtual Private Cloud

http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide

AWS Black Belt Tech Amazon VPC

http://www.slideshare.net/AmazonWebServicesJapan/aws-black-belt-tech-amazon-vpc