SEIL側のVPNコンフィグを直接設定する手順(静的経路)

Amazon Wev Service(AWS)Management Console から取得した設定情報ファイルを参考に、 SEILからAmazon VPCへ接続するためのVPNコンフィグを設定する手順を説明します。

Amazon VPCとの経路制御手段を静的経路とする場合の設定例です。
  1. ダウンロードした設定情報ファイルの内容(IPsec/IKE関連)を確認する
    IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration
Configure the IKE SA as follows
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : <IKE PSKey>
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2

#2: IPsec Configuration
Configure the IPsec SA as follows:
- Protocol                 : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm     : aes-128-cbc
- Lifetime                 : 3600 seconds
- Mode                     : tunnel
- Perfect Forward Secrecy  : Diffie-Hellman Group 2
- DPD Interval             : 10
- DPD Retries              : 3
- TCP MSS Adjustment       : 1387 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation            : Before encryption

#3: Tunnel Interface Configuration
Outside IP Addresses:
- Customer Gateway:        : <Outside Customer Gateway>
- Virtual Private Gateway  : <Outside Virtual Private Gateway #1>
Inside IP Addresses
- Customer Gateway         : <Inside Customer Gateway #1>/30
- Virtual Private Gateway  : <Inside Virturl Private Gateway #1>/30  
Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU     : 1427 bytes

# IPsec Tunnel #2
================================================
#1: Internet Key Exchange Configuration
Configure the IKE SA as follows
- Authentication Method    : Pre-Shared Key 
- Pre-Shared Key           : plain-text-password2
- Authentication Algorithm : sha1
- Encryption Algorithm     : aes-128-cbc
- Lifetime                 : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPsec Configuration
Configure the IPsec SA as follows:
- Protocol                 : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm     : aes-128-cbc
- Lifetime                 : 3600 seconds
- Mode                     : tunnel
- Perfect Forward Secrecy  : Diffie-Hellman Group 2
- DPD Interval             : 10
- DPD Retries              : 3
- TCP MSS Adjustment       : 1387 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation            : Before encryption

#3: Tunnel Interface Configuration
Outside IP Addresses:
- Customer Gateway:        : <Outside Customer Gateway>
- Virtual Private Gateway  : <Outside Virtual Private Gateway #2>
Inside IP Addresses
- Customer Gateway         : <Inside Customer Gateway #2>/30
- Virtual Private Gateway  : <Inside Virturl Private Gateway #2>/30  
Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU     : 1427 bytes
  2. 設定情報ファイルのパラメータにあわせてIPsec/IKEを設定する
    ike auto-initiation enable
ike interval 40s phase1-timeout 01m phase2-timeout 02m20s dpd-interval 10 dpd-maxfail 3
ike preshared-key add <Outside Virtual Private Gateway #1> "plain-text-password1"
ike preshared-key add <Outside Virtual Private Gateway #2> "plain-text-password2"
ike proposal add IKEP01 encryption aes128 hash sha1 authentication preshared-key dh-group modp1024 lifetime-of-time 08h
ike peer add TUNNEL01 address <Outside Virtual Private Gateway #1> exchange-mode main proposals IKEP01 dpd enable tunnel-interface enable
ike peer add TUNNEL02 address <Outside Virtual Private Gateway #2> exchange-mode main proposals IKEP01 dpd enable tunnel-interface enable
interface ipsec1 tunnel <Outside Customer Gateway> <Outside Virtual Private Gateway #1>
interface ipsec1 mtu 1427
interface ipsec1 tcp-mss 1387
interface ipsec1 add <Inside Customer Gateway #1>/30 remote <Inside Virturl Private Gateway #1>
interface ipsec2 tunnel <Outside Customer Gateway> <Outside Virtual Private Gateway #2>
interface ipsec2 mtu 1427
interface ipsec2 tcp-mss 1387
interface ipsec2 add <Inside Customer Gateway #2>/30 remote <Inside Virturl Private Gateway #2>
ipsec security-association proposal add SAP01 pfs-group modp1024 authentication-algorithm hmac-sha1 encryption-algorithm aes128 lifetime-of-time 01h
ipsec security-association add TUNNEL01 tunnel-interface ipsec1 ipv6 block ike SAP01 esp enable
ipsec security-association add TUNNEL02 tunnel-interface ipsec2 ipv6 block ike SAP01 esp enable
  3. 設定情報ファイルのパラメータにあわせて静的経路監視を設定する
    route add <VPC Network Address>/24 <Inside Virturl Private Gateway #1> distance 10 keepalive on send-interval 30 down-count 3
route add <VPC Network Address>/24 <Inside Virturl Private Gateway #2> distance 20
    • <VPC Network Address> は、Amazon VPC上の仮想ホストが属するネットワークのネットワークアドレスを指定してください。
    • デフォルト経路など、インターネット通信のための経路は環境に合わせて別途設定する必要があります。
    以上の設定で、Amazon VPCと接続することができます。

以上で設定は終了です。

SEIL配下のネットワークとAmazon VPC上のネットワーク間の疎通性などを確認して下さい。