Upload
amazon-web-services-japan
View
3.171
Download
3
Embed Size (px)
Citation preview
Amazon VPC VPN
2014.12.25
Amazon Web Services Amazon VPC VPN
2
1. .............................................................................. 4
1.1. ...................................................................................................... 4
1.2. ........................................................................................................ 4
1.3. AWS VPN ............................................................................ 4
2. ............................................................................................ 5
2.1. (Customer Gateway) ............................................ 5
2.2. ............................................................................... 6
3. ............................................................................................ 8
3.1. AWS ............................................................ 9
3.1.1. VPC ................................................................ 10
3.1.2. Virtual Private Gateway ............................................................ 12
3.1.3. VPN Connection ....................................................................... 13
3.1.4. Customer Gateway ............... 15
3.1.5. .............................................................. 16
3.2. Customer Gateway ........................................................................ 18
3.2.1. IKE ........................................................................................ 18
3.2.2. IPsec ...................................................................................... 20
3.2.3. Tunnel ............................................................... 22
3.2.4. ............................................................................... 23
3.3. ................................................................................................. 24
4. .......................................................................................... 26
Amazon Web Services Amazon VPC VPN
3
Amazon Web Services Amazon VPC VPN
4
1.
1.1.
VPN(Virtual Private Network)
Amazon VPC(Virtual Private Cloud) AWS
Customer Gateway
VGW(Virtual Private Gateway) AWS
1.2.
Amazon Web Services Amazon VPC(Virtual Private Cloud)
VPN(Virtual Private Network)
1.3. AWS VPN
Amazon VPC VPN VPN
Amazon Virtual Private Gateway
Amazon Web Services Amazon VPC VPN
5
2. VPN
2.1. (Customer Gateway)
VPN (Customer Gateway)
AWS
https://aws.amazon.com/jp/vpc/faqs/#C9
IPsec
IKE 1
IKE 1 AES 128-bit
IKE 1 Pre-Shared Key
IKE 1 SHA-1
IKE 1DH 2
IKE 1lifetime 28800
IPsec 2
IPsec 2 AES 128-bit
IPsec 2 HMAC
Amazon Web Services Amazon VPC VPN
6
IPsec 2 SHA-1
IPsec 2PFS 2
IPsec 2lifetime 3600
IPSec Dead Peer Detection
IP
NAT IPsec NAT
BGP(Border Gateway Protocol)
Static BGP
BGP
BGP MD5
2.2.
VPN
AWS VPN IP #A AWS
AWS VPN IP #B
Customer Gateway VPN IP
IP
A (/30)
VGW Customer Gateway
IP
B
AS (BGP ) AS 64512~65534
Amazon Web Services Amazon VPC VPN
7
BGP (BGP ) BGP 6
VPC
Amazon Web Services Amazon VPC VPN
8
3.
Customer Gateway VPC
Amazon Web Services Amazon VPC VPN
9
AWS VPN #A 72.21.209.225 AWS
IP
AWS VPN #B 72.21.209.193
Customer Gateway 203.0.113.100
A 169.254.255.0/30
AWS A 169.254.255.1
Customer Gateway
A
169.264.255.2
B 169.254.255.4/30
AWS B 169.254.255.5
Customer Gateway
B
169.254.255.6
AS 65001 AS 64512~65534
BGP aws99999 6
192.168.10.0/24
3.1. AWS
AWS
VPC
AWS
Amazon Web Services Amazon VPC VPN
10
VGW(Virtual Gateway)
AWS VPN Virtual Gateway VPC
Customer Gateway
VPN Customer Gateway
VPN Connection
VPN VPN
VGW
3.1.1. VPC
[Services]-[VPC]VPC Dashboard
Create VPC
Create VPCName tag VPC CIDR block VPC
Amazon Web Services Amazon VPC VPN
11
VPC
VPC DashboardSubnets
Create Subnet
Create subnet
Name tag VPC
VPC VPC
Availability Zone
CIDR block(VPC
)
Yes, Create
Amazon Web Services Amazon VPC VPN
12
3.1.2. Virtual Private Gateway
[Services]-[VPC]VPC Connection
Virtual Private GatewayCreate Virtual Private Gateway
Create Virtual Private GatewayName tag VGWYes, Create
Amazon Web Services Amazon VPC VPN
13
VGW VGWAttach to VPC
Attach to VPCVPC VPC Yes, Attach
VGW Status attachingattached
3.1.3. VPN Connection
[Services]-[VPC]VPC Connections
VPN ConnectionsCreate VPN Connection
(BGP Static)
Create VPN ConnectionRouting OptionsDynamic (Requires BGP)
Name tag VPN
Amazon Web Services Amazon VPC VPN
14
Virtual Private Gateway VGW
Customer GatewayNew
IP Address Customer Gateway IP
BGP ASN AS
Yes Create
Create VPN ConnectionRouting OptionsStatic
Name tag VPN
Virtual Private Gateway VGW
Customer GatewayNew
IP Address Customer Gateway IP
Static IP Prefixes
Yes Create
Amazon Web Services Amazon VPC VPN
15
VPN Connection
3.1.4. Customer Gateway
Customer Gateway
AWS VPN IP IPsec
VPN Connection Download Configuration
VenderPlatformSoftware
Amazon Web Services Amazon VPC VPN
16
3.1.5.
[Services]-[VPC]Subnets
Route Table
Route Table: rtb- ID
RoutesEdit
Amazon Web Services Amazon VPC VPN
17
DestinationTarget VGW ID
VGW Save
Amazon Web Services Amazon VPC VPN
18
3.2. Customer Gateway
AWS documentation Amazon
Virtual Private Cloud Network Administrator Guide
http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco.html
3.2.1. IKE
VPN IKE()
Tunnel #A
!
crypto isakmp policy 200
encryption aes 128
authentication pre-share
group 2
lifetime 28800
hash sha
exit
!
crypto keyring keyring-vpn-xxxxxxxx-0
pre-shared-key address 72.21.209.225 key plain-text-password1
exit
!
crypto isakmp profile isakmp-vpn-xxxxxxxx-0
match identity address 72.21.209.225
keyring keyring-vpn-xxxxxxxx-0
exit
!
Tunnnel #B
!
crypto isakmp policy 201
Amazon Web Services Amazon VPC VPN
19
encryption aes 128
authentication pre-share
group 2
lifetime 28800
hash sha
exit
!
crypto keyring keyring-vpn-xxxxxxxx-1
pre-shared-key address 72.21.209.193 key plain-text-password2
exit
!
crypto isakmp profile isakmp-vpn-xxxxxxxx-1
match identity address 72.21.209.193
keyring keyring-vpn-xxxxxxxx-1
exit
!
Amazon Web Services Amazon VPC VPN
20
3.2.2. IPsec
VPN IPsec
Tunnel #A
!
crypto ipsec transform-set ipsec-prop-vpn-xxxxxxxx-0 esp-aes 128 esp-sha-hmac
mode tunnel
exit
!
crypto ipsec profile ipsec-vpn-xxxxxxxx-0
set pfs group2
set security-association lifetime seconds 3600
set transform-set ipsec-prop-vpn-xxxxxxxx-0
exit
!
crypto ipsec df-bit clear
!
crypto isakmp keepalive 10 10 on-demand
!
crypto ipsec security-association replay window-size 128
!
Tunnel #B
!
crypto ipsec transform-set ipsec-prop-vpn-xxxxxxxx-1 esp-aes 128 esp-sha-hmac
mode tunnel
exit
!
crypto ipsec profile ipsec-vpn-xxxxxxxx-1
set pfs group2
set security-association lifetime seconds 3600
set transform-set ipsec-prop-vpn-xxxxxxxx-1
Amazon Web Services Amazon VPC VPN
21
exit
!
crypto ipsec df-bit clear
!
crypto isakmp keepalive 10 10 on-demand
!
Amazon Web Services Amazon VPC VPN
22
3.2.3. Tunnel
Tunnel IP Tunnel
Tunnel #A
!
interface Tunnel1
ip address 169.254.255.2 255.255.255.252
ip virtual-reassembly
tunnel source 203.0.113.100
tunnel destination 72.21.209.225
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-xxxxxxxx-0
! This option causes the router to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
ip tcp adjust-mss 1396
no shutdown
exit
!
Tunnel #B
!
interface Tunnel2
ip address 169.254.255.6 255.255.255.252
ip virtual-reassembly
tunnel source 203.0.113.100
tunnel destination 72.21.209.193
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-xxxxxxxx-1
! This option causes the router to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
ip tcp adjust-mss 1396
Amazon Web Services Amazon VPC VPN
23
no shutdown
!
3.2.4.
BGP Static
!
router bgp 65001
neighbor 169.254.255.1 remote-as 7224
neighbor 169.254.255.1 activate
neighbor 169.254.255.1 timers 10 30 30
address-family ipv4 unicast
neighbor 169.254.255.1 remote-as 7224
neighbor 169.254.255.1 timers 10 30 30
neighbor 169.254.255.1 default-originate
neighbor 169.254.255.1 activate
neighbor 169.254.255.1 soft-reconfiguration inbound
network 0.0.0.0
exit
exit
!
!
ip route 10.0.0.0 255.255.0.0 Tunnel1 track 100
ip route 10.0.0.0 255.255.0.0 Tunnel2 track 200
!
ip sla 100
icmp-echo 169.254.255.1 source-interface Tunnel1
timeout 1000
Amazon Web Services Amazon VPC VPN
24
frequency 5
exit
ip sla schedule 100 life forever start-time now
track 100 ip sla 100 reachability
!
ip sla 200
icmp-echo 169.254.255.5 source-interface Tunnel2
timeout 1000
frequency 5
exit
ip sla schedule 200 life forever start-time now
track 200 ip sla 200 reachability
!
3.3.
AWS [VPC]-[VPN Connections] VPN
Tunnel DtailsStateUP
Amazon Web Services Amazon VPC VPN
25
VPC EC2 ping
Amazon Web Services Amazon VPC VPN
26
4. VPN
Amazon Virtual Private Cloud
http://docs.aws.amazon.com/ja_jp/AmazonVPC/latest/UserGuide/VPC_Introduction.html
Amazon Virtual Private Cloud
http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide
AWS Black Belt Tech Amazon VPC
http://www.slideshare.net/AmazonWebServicesJapan/aws-black-belt-tech-amazon-vpc