SEIL側のVPNコンフィグを直接設定する手順（BGP）

IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration
Configure the IKE SA as follows
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : <IKE PSKey>
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2

#2: IPSec Configuration
Configure the IPSec SA as follows:
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2
IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We recommend configuring DPD on your endpoint as follows: ,
- DPD Interval : 10
- DPD Retries : 3
(中略)
configuration on your Customer Gateway:
- TCP MSS Adjustment : 1396 bytes
- Clear Don’t Fragment Bit : enabled
- Fragmentation : Before encryption
(中略)
Outside IP Addresses:
- Customer Gateway : <Outside Customer Gateway>
- Virtual Private Gateway : <Outside Virtual Private Gateway>
Inside IP Addresses
- Customer Gateway : <Inside Customer Gateway>/30
- Virtual Private Gateway : <Inside Virturl Private Gateway>/30
Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes

ike interval 40s phase1-timeout 01m phase2-timeout 02m20s dpd-interval 10 dpd-maxfail 3
ike auto-initiation enable
ike preshared-key add "<Outside Virtual Private Gateway>" "<IKE PSKey>"
ike proposal add IKEP01 encryption aes128 hash sha1 authentication preshared-key dh-group modp1024 lifetime-of-time 08h
ike peer add tun1 address <Outside Virtual Private Gateway> exchange-mode main proposals IKEP01 dpd enable tunnel-interface enable
ipsec security-association proposal add SAP01 pfs-group modp1024 authentication-algorithm hmac-sha1 encryption-algorithm aes128 lifetime-of-time 01h
ipsec security-association add tun1 tunnel-interface ipsec0 ipv6 block ike SAP01 esp enable
interface ipsec0 tunnel <Outside Customer Gateway> <Outside Virtual Private Gateway>
interface ipsec0 mtu 1436
interface ipsec0 tcp-mss 1396
interface ipsec0 add <Inside Customer Gateway>/30 remote <Inside Virturl Private Gateway>

#4: Border Gateway Protocol (BGP) Configuration:
BGP Configuration Options:
- Customer Gateway ASN : <Customer Gateway ASN>
- Virtual Private Gateway ASN : <Virtual Private Gateway ASN>
- Neighbor IP Address : <Neighbor IP Address>
- Neighbor Hold Time : 30

route dynamic bgp my-as-number <Customer Gateway ASN>
route dynamic bgp router-id <Outside Customer Gateway>
route dynamic bgp enable
route dynamic bgp neighbor add <Outside Virtual Private Gateway> remote-as <Virtual Private Gateway ASN> hold-timer 30 enable
route dynamic bgp network add 192.168.0.0/24(VPC側に通知するSEIL配下のプライベートIPアドレス)

# show status route
Flags: C ? Connected, M ? Miscellaneous, B ? BGP, O ? OSPF, R ? RIP, S ? Static * ? System route, ! ? inconsistent
Destination Gateway Interface Flags Dist.
default     pppoe0  pppoe0    S*       1
10.0.0.0/16 <Neighbor IP Address> ipsec0    B*      20 /* VPC 側の経路 */
….

ike interval 40s phase1-timeout 01m phase2-timeout 02m20s dpd-interval 10 dpd-maxfail 3 ike auto-initiation enable
ike preshared-key add "<IPSec Tunnel #1に記述してあるVirtual Private GatewayのOutside IP Address>" "<IPSec Tunnel #1に記述してあるPre-Shared Key>"
ike preshared-key add "<IPSec Tunnel #2に記述してあるVirtual Private GatewayのOutside IP Address>" "<IPSec Tunnel #2に記述してあるPre-Shared Key>"
ike proposal add IKEP01 encryption aes128 hash sha1 authentication preshared-key dhgroup modp1024 lifetime-of-time 08h
ike peer add tun1 address <IPSec Tunnel #1に記述してあるVirtual Private GatewayのOutside IP Address> exchange-mode main proposals IKEP01 dpd enable tunnel-interface enable
ike peer add tun2 address <IPSec Tunnel #2に記述してあるVirtual Private GatewayのOutside IP Address> exchange-mode main proposals IKEP01 dpd enable tunnel-interface enable
ipsec security-association proposal add SAP01 pfs-group modp1024 authentication-algorithm hmac-sha1 encryption-algorithm aes128 lifetime-of-time 01h
ipsec security-association add tun1 tunnel-interface ipsec0 ipv6 block ike SAP01 esp enable
ipsec security-association add tun2 tunnel-interface ipsec1 ipv6 block ike SAP01 esp enable

interface ipsec0 tunnel <IPSec Tunnel #1に記述してあるCustomer GatewayのOutside IP Address> <IPSec Tunnel #1に記述してあるVirtual Private GatewayのOutside IP Address>
interface ipsec0 mtu 1436
interface ipsec0 tcp-mss 1396
interface ipsec0 add <IPSec Tunnel #1に記述してあるCustomer GatewayのInside IP Address> remote <IPSec Tunnel #1に記述してあるVirtual Private GatewayのInside IP Address>
interface ipsec1 tunnel <IPSec Tunnel #2に記述してあるCustomer GatewayのOutside IP Address> <IPSec Tunne2 #2に記述してあるVirtual Private Gateway の Outside IP Address>
interface ipsec1 mtu 1436
interface ipsec1 tcp-mss 1396
interface ipsec1 add <IPSec Tunnel #2に記述してあるCustomer GatewayのInside IP Address> remote <IPSec Tunnel #2に記述してあるVirtual Private GatewayのInside IP Address>

route dynamic bgp my-as-number <BGP Configuration Optionsに記述してあるCustomer Gateway ASN>
route dynamic bgp router-id <Outside IP Addresses の中にあるCustomer Gatewayのアドレス>
route dynamic bgp enable
route dynamic bgp neighbor add <IPSec Tunnel #1に記述してあるVirtual Private GatewayのInside IP Address> remote-as <BGP Configuration Optionsに記述してあるVirtual Private Gateway ASN> hold-timer 30 enable
route dynamic bgp neighbor add <IPSec Tunnel #2に記述してあるVirtual Private GatewayのInside IP Address> remote-as <BGP Configuration Optionsに記述してあるVirtual Private Gateway ASN> hold-timer 30 enable
route dynamic bgp network add 192.168.0.0/24(SEILが管理しているプライベートIPアドレスをVPC側に通知)