Configuring dynamic routing (BGP) for an AWS Site-to-Site VPN by hand, deliberately without the Vyatta template

When setting up an AWS Site-to-Site VPN you can download the Vyatta configuration template for dynamic routing (BGP) and take the easy route, but here I configure it by hand on purpose.

I write Vyatta, but I am actually using VyOS 1.3.

First, download the Generic template. From here on, the configuration values are basically picked out of that file.

IKE configuration

This part can be copied and pasted as-is.

set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'

IPsec configuration

This part can be copied and pasted as-is.

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'

IPsec peer configuration

For Peer1

Item                 Value (picked from the Generic template)
Peer1 IP             IPSec Tunnel #1 > #3: Tunnel Interface Configuration > Outside IP Addresses > Virtual Private Gateway
Pre shared key1      IPSec Tunnel #1 > #1: Internet Key Exchange Configuration > Pre-Shared Key
Router Interface IP  The IP assigned to your own router's interface (for EC2, its private IP)
set vpn ipsec site-to-site peer <<Peer1 IP>> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <<Peer1 IP>> authentication pre-shared-secret '<<Pre shared key1>>'
set vpn ipsec site-to-site peer <<Peer1 IP>> description 'VPC tunnel 1'
set vpn ipsec site-to-site peer <<Peer1 IP>> ike-group 'AWS'
set vpn ipsec site-to-site peer <<Peer1 IP>> local-address '<<Router Interface IP>>'
set vpn ipsec site-to-site peer <<Peer1 IP>> vti bind 'vti0'
set vpn ipsec site-to-site peer <<Peer1 IP>> vti esp-group 'AWS'

For Peer2

Item                 Value (picked from the Generic template)
Peer2 IP             IPSec Tunnel #2 > #3: Tunnel Interface Configuration > Outside IP Addresses > Virtual Private Gateway
Pre shared key2      IPSec Tunnel #2 > #1: Internet Key Exchange Configuration > Pre-Shared Key
Router Interface IP  The IP assigned to your own router's interface (for EC2, its private IP)
set vpn ipsec site-to-site peer <<Peer2 IP>> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <<Peer2 IP>> authentication pre-shared-secret '<<Pre shared key2>>'
set vpn ipsec site-to-site peer <<Peer2 IP>> description 'VPC tunnel 2'
set vpn ipsec site-to-site peer <<Peer2 IP>> ike-group 'AWS'
set vpn ipsec site-to-site peer <<Peer2 IP>> local-address '<<Router Interface IP>>'
set vpn ipsec site-to-site peer <<Peer2 IP>> vti bind 'vti1'
set vpn ipsec site-to-site peer <<Peer2 IP>> vti esp-group 'AWS'

Tunnel interface configuration

For Tunnel1

Item                 Value (picked from the Generic template)
Tunnel1 IP CIDR      IPSec Tunnel #1 > #3: Tunnel Interface Configuration > Inside IP Addresses > Customer Gateway
set interfaces vti vti0 address '<<Tunnel1 IP CIDR>>'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 mtu '1436'

For Tunnel2

Item                 Value (picked from the Generic template)
Tunnel2 IP CIDR      IPSec Tunnel #2 > #3: Tunnel Interface Configuration > Inside IP Addresses > Customer Gateway
set interfaces vti vti1 address '<<Tunnel2 IP CIDR>>'
set interfaces vti vti1 description 'VPC tunnel 2'
set interfaces vti vti1 mtu '1436'

BGP configuration

For Peer1

Item                 Value (picked from the Generic template)
Neighbor1 IP         IPSec Tunnel #1 > #4: Border Gateway Protocol (BGP) Configuration > BGP Configuration Options > Neighbor IP Address
VGW ASN              IPSec Tunnel #1 > #4: Border Gateway Protocol (BGP) Configuration > BGP Configuration Options > Virtual Private Gateway ASN
CGW ASN              IPSec Tunnel #1 > #4: Border Gateway Protocol (BGP) Configuration > BGP Configuration Options > Customer Gateway AS
set protocols bgp <<CGW ASN>> neighbor <<Neighbor1 IP>> remote-as '<<VGW ASN>>'
set protocols bgp <<CGW ASN>> neighbor <<Neighbor1 IP>> address-family ipv4-unicast soft-reconfiguration 'inbound'
set protocols bgp <<CGW ASN>> neighbor <<Neighbor1 IP>> timers holdtime '30'
set protocols bgp <<CGW ASN>> neighbor <<Neighbor1 IP>> timers keepalive '10'

For Peer2

Item                 Value (picked from the Generic template)
Neighbor2 IP         IPSec Tunnel #2 > #4: Border Gateway Protocol (BGP) Configuration > BGP Configuration Options > Neighbor IP Address
VGW ASN              IPSec Tunnel #2 > #4: Border Gateway Protocol (BGP) Configuration > BGP Configuration Options > Virtual Private Gateway ASN
CGW ASN              IPSec Tunnel #2 > #4: Border Gateway Protocol (BGP) Configuration > BGP Configuration Options > Customer Gateway AS
set protocols bgp <<CGW ASN>> neighbor <<Neighbor2 IP>> remote-as '<<VGW ASN>>'
set protocols bgp <<CGW ASN>> neighbor <<Neighbor2 IP>> address-family ipv4-unicast soft-reconfiguration 'inbound'
set protocols bgp <<CGW ASN>> neighbor <<Neighbor2 IP>> timers holdtime '30'
set protocols bgp <<CGW ASN>> neighbor <<Neighbor2 IP>> timers keepalive '10'

(Optional) Routes to advertise into AWS (example: 192.168.0.0/16)

Item                 Value (picked from the Generic template)
CGW ASN              IPSec Tunnel #1 > #4: Border Gateway Protocol (BGP) Configuration > BGP Configuration Options > Customer Gateway AS
set protocols bgp <<CGW ASN>> address-family ipv4-unicast network 192.168.0.0/16
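As an added example (not code from the original article, nor from VyOS or AWS), the following Python script does the "pick the values out of the Generic template" step above mechanically: it parses a template text and emits the peer, VTI and BGP set commands listed in this article with the values filled in, after checking that each BGP neighbor address really is the far end of that tunnel's inside /30 and that both tunnels agree on the Customer Gateway ASN. The sample template inside it is constructed to mirror the labels the tables above cite; the exact layout and label spellings of a real download are assumptions, which is why the parser keys on labels rather than column positions. The router interface IP 172.31.53.30 is the one visible in the show output later in the article.

```python
"""Generate the VyOS 'set' commands from an AWS Site-to-Site VPN Generic template.
Added example, not code from the article, VyOS or AWS. The sample template is
CONSTRUCTED to mirror the labels the article's tables cite; a real download's
layout is an assumption, so the parser keys on labels, not column positions."""
import ipaddress
import re

# Constructed per-tunnel sample (documentation/link-local addresses, placeholder PSKs).
_TUNNEL_FMT = """\
IPSec Tunnel #{n}
  - Pre-Shared Key              : PSK-{n}-PLACEHOLDER
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway            : 203.0.113.10
  - Virtual Private Gateway     : 198.51.100.{n}
Inside IP Addresses:
  - Customer Gateway            : 169.254.{n}0.2/30
  - Virtual Private Gateway     : 169.254.{n}0.1/30
#4: Border Gateway Protocol (BGP) Configuration
BGP Configuration Options:
  - Customer Gateway ASN        : 65001
  - Virtual Private Gateway ASN : 64512
  - Neighbor IP Address         : 169.254.{n}0.1
"""
SAMPLE_TEMPLATE = _TUNNEL_FMT.format(n=1) + _TUNNEL_FMT.format(n=2)


def _field(section, label):
    """Value of a '- <label> : <value>' line. Requiring ':' right after the label
    keeps 'Customer Gateway' from matching 'Customer Gateway ASN'."""
    m = re.search(r"^\s*-\s*" + re.escape(label) + r"\s*:\s*(\S+)", section, re.M)
    if not m:
        raise ValueError(f"label not found in template: {label!r}")
    return m.group(1)


def _section(text, start, end):
    """Text from heading `start` up to (not including) heading `end`."""
    m = re.search(re.escape(start) + r".*?(?=" + re.escape(end) + r")", text, re.S)
    if not m:
        raise ValueError(f"section not found in template: {start!r}")
    return m.group(0)


def parse_generic_template(text):
    """{tunnel_number: values} for the fields the article's tables pick out."""
    parts = re.split(r"^IPSec Tunnel #(\d+)", text, flags=re.M)
    tunnels = {}
    for num, body in zip(parts[1::2], parts[2::2]):
        outside = _section(body, "Outside IP Addresses", "Inside IP Addresses")
        inside = _section(body, "Inside IP Addresses", "#4:")
        tunnels[int(num)] = {
            "peer_ip": _field(outside, "Virtual Private Gateway"),
            "psk": _field(body, "Pre-Shared Key"),
            "inside_cidr": _field(inside, "Customer Gateway"),
            "neighbor_ip": _field(body, "Neighbor IP Address"),
            "vgw_asn": _field(body, "Virtual Private Gateway ASN"),
            "cgw_asn": _field(body, "Customer Gateway ASN"),
        }
    return tunnels


def check_tunnel(t):
    """Pre-commit sanity check: AWS inside addresses are link-local /30s and the
    BGP neighbor must be the far end of ours, or the session can never come up."""
    iface = ipaddress.ip_interface(t["inside_cidr"])
    nbr = ipaddress.ip_address(t["neighbor_ip"])
    if not iface.network.is_link_local or nbr not in iface.network or nbr == iface.ip:
        raise ValueError(f"neighbor {nbr} is not the far end of inside CIDR {iface}")


def render_vyos(tunnels, local_address, advertise=()):
    """The article's per-tunnel peer/vti/bgp commands with template values filled
    in (the static ike-group/esp-group lines are pasted from the article as-is)."""
    asns = {t["cgw_asn"] for t in tunnels.values()}
    if len(asns) != 1:
        raise ValueError(f"tunnels disagree on the Customer Gateway ASN: {asns}")
    asn = asns.pop()
    cmds = []
    for num in sorted(tunnels):
        t = tunnels[num]
        check_tunnel(t)
        vti = f"vti{num - 1}"  # tunnel 1 -> vti0, tunnel 2 -> vti1, as in the article
        peer = f"set vpn ipsec site-to-site peer {t['peer_ip']}"
        nbr = f"set protocols bgp {asn} neighbor {t['neighbor_ip']}"
        cmds += [
            f"{peer} authentication mode 'pre-shared-secret'",
            f"{peer} authentication pre-shared-secret '{t['psk']}'",
            f"{peer} description 'VPC tunnel {num}'",
            f"{peer} ike-group 'AWS'",
            f"{peer} local-address '{local_address}'",
            f"{peer} vti bind '{vti}'",
            f"{peer} vti esp-group 'AWS'",
            f"set interfaces vti {vti} address '{t['inside_cidr']}'",
            f"set interfaces vti {vti} description 'VPC tunnel {num}'",
            f"set interfaces vti {vti} mtu '1436'",
            f"{nbr} remote-as '{t['vgw_asn']}'",
            f"{nbr} address-family ipv4-unicast soft-reconfiguration 'inbound'",
            f"{nbr} timers holdtime '30'",
            f"{nbr} timers keepalive '10'",
        ]
    for prefix in advertise:  # optional: on-premises routes to inject into AWS
        cmds.append(f"set protocols bgp {asn} address-family ipv4-unicast network {prefix}")
    return cmds


if __name__ == "__main__":
    # 172.31.53.30 is the router's interface IP seen in the article's show output.
    print("\n".join(render_vyos(parse_generic_template(SAMPLE_TEMPLATE), "172.31.53.30", ["192.168.0.0/16"])))
```

The check in check_tunnel is worth keeping even when the values are typed by hand: a neighbor address that does not belong to the VTI's /30 is the classic reason an IPsec tunnel comes up while BGP stays in Active.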

Verification

Checking IKE

It is OK if State shows up.

$ show vpn ike sa 
Peer ID / IP                            Local ID / IP               
------------                            -------------
34.218.54.59                            172.31.53.30                           

    Description: VPC tunnel 1

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv2   aes128   sha1_96 2(MODP_1024)   no     3600    28800  

 
Peer ID / IP                            Local ID / IP               
------------                            -------------
52.39.144.177                           172.31.53.30                           

    Description: VPC tunnel 2

    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv2   aes128   sha1_96 2(MODP_1024)   no     3600    28800

Checking IPsec

Likewise, it is OK if State shows up.

$ show vpn ipsec sa 
Connection                     State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
-----------------------------  -------  --------  --------------  ----------------  ----------------  -----------  ----------------------------------
peer-34.218.54.59-tunnel-vti   up       13m14s    5K/9K           82/160            34.218.54.59      N/A          AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer-52.39.144.177-tunnel-vti  up       13m14s    5K/9K           82/160            52.39.144.177     N/A          AES_CBC_128/HMAC_SHA1_96/MODP_1024

Checking BGP

Check that there are two peers.

$ show ip bgp summary 

IPv4 Unicast Summary:
BGP router identifier 172.31.53.30, local AS number 65001 vrf-id 0
BGP table version 2
RIB entries 3, using 576 bytes of memory
Peers 2, using 43 KiB of memory

Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt
169.254.109.145 4      64512        90        89        0    0    0 00:14:17            1        2
169.254.151.165 4      64512        90        89        0    0    0 00:14:17            1        2

Checking route advertisement

Check that 192.168.0.0/16 is being advertised over BGP.

$ show ip bgp neighbors 169.254.109.145 advertised-routes 
BGP table version is 2, local router ID is 172.31.53.30, vrf id 0
Default local pref 100, local AS 65001
Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.31.0.0/16    0.0.0.0                                0 64512 i
*> 192.168.0.0/16   0.0.0.0                  0         32768 i

$ show ip bgp neighbors 169.254.151.165 advertised-routes 
BGP table version is 2, local router ID is 172.31.53.30, vrf id 0
Default local pref 100, local AS 65001
Status codes:  s suppressed, d damped, h history, * valid, > best, = multipath,
               i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes:  i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 172.31.0.0/16    0.0.0.0                                0 64512 i
*> 192.168.0.0/16   0.0.0.0                  0         32768 i

Checking routes

The VPC CIDR in this setup is 172.31.0.0/16, so it is OK if that route is present.

$ show ip route bgp
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

B>* 172.31.0.0/16 [20/100] via 169.254.151.165, vti1, weight 1, 00:17:52

If route propagation is enabled on the VPC route table, 192.168.0.0/16 is propagated into it like this.
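As an added example, not from the article or from VyOS, here is a small Python audit that applies the checks above (IKE State up, IPsec State up, two BGP neighbors established and receiving prefixes) to captured show output, so the same verification can run from a monitoring job instead of by eye. The healthy samples are the article's own output trimmed to the rows the parsers use; the BGP_DEGRADED_OUT sample is constructed to show a second session stuck in Active. The column layout of other VyOS/FRR releases is an assumption.

```python
"""Audit VyOS 'show' output for an AWS Site-to-Site VPN with BGP.
Added example, not code from the article or VyOS. The healthy samples are the
article's own output trimmed to the rows the parsers use; BGP_DEGRADED_OUT is
CONSTRUCTED; the column layout of other VyOS/FRR releases is an assumption."""
import re

IKE_SA_OUT = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
34.218.54.59                            172.31.53.30
    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv2   aes128   sha1_96 2(MODP_1024)   no     3600    28800

Peer ID / IP                            Local ID / IP
------------                            -------------
52.39.144.177                           172.31.53.30
    State  IKEVer  Encrypt  Hash    D-H Group      NAT-T  A-Time  L-Time
    -----  ------  -------  ----    ---------      -----  ------  ------
    up     IKEv2   aes128   sha1_96 2(MODP_1024)   no     3600    28800
"""
IPSEC_SA_OUT = """\
Connection                     State    Uptime    Bytes In/Out    Packets In/Out    Remote address    Remote ID    Proposal
peer-34.218.54.59-tunnel-vti   up       13m14s    5K/9K           82/160            34.218.54.59      N/A          AES_CBC_128/HMAC_SHA1_96/MODP_1024
peer-52.39.144.177-tunnel-vti  up       13m14s    5K/9K           82/160            52.39.144.177     N/A          AES_CBC_128/HMAC_SHA1_96/MODP_1024
"""
BGP_SUMMARY_OUT = """\
Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt
169.254.109.145 4      64512        90        89        0    0    0 00:14:17            1        2
169.254.151.165 4      64512        90        89        0    0    0 00:14:17            1        2
"""
# Constructed: second session never established (FRR shows the FSM state instead of a prefix count).
BGP_DEGRADED_OUT = """\
Neighbor        V         AS   MsgRcvd   MsgSent   TblVer  InQ OutQ  Up/Down State/PfxRcd   PfxSnt
169.254.109.145 4      64512        90        89        0    0    0 00:14:17            1        2
169.254.151.165 4      64512         0         0        0    0    0    never       Active        0
"""

IPV4 = r"\d+\.\d+\.\d+\.\d+"


def parse_ike_sa(text):
    """{peer_ip: state} from 'show vpn ike sa'; each peer header is followed by its SA row."""
    peers, current = {}, None
    for line in text.splitlines():
        m = re.match(rf"^({IPV4})\s+{IPV4}", line)
        if m:
            current = m.group(1)
            peers[current] = "missing"  # header seen but no SA row (yet)
            continue
        m = re.match(r"^\s+(\S+)\s+IKEv\d", line)
        if m and current:
            peers[current] = m.group(1)
    return peers


def parse_ipsec_sa(text):
    """{connection: state} from 'show vpn ipsec sa'."""
    rows = (line.split() for line in text.splitlines())
    return {f[0]: f[1] for f in rows if len(f) > 1 and f[0].startswith("peer-")}


def parse_bgp_summary(text):
    """{neighbor: State/PfxRcd column} from 'show ip bgp summary'. FRR prints the
    received-prefix count there when Established and the FSM state name otherwise."""
    neighbors = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 11 and re.fullmatch(IPV4, f[0]):
            neighbors[f[0]] = f[9]
    return neighbors


def audit(ike_out, ipsec_out, bgp_out, expected_tunnels=2):
    """Findings as strings; an empty list means both tunnels and both BGP sessions are healthy."""
    problems = []
    ike = parse_ike_sa(ike_out)
    if len(ike) != expected_tunnels:
        problems.append(f"expected {expected_tunnels} IKE peers, found {len(ike)}")
    problems += [f"IKE SA to {p} is {s}" for p, s in ike.items() if s != "up"]
    problems += [f"IPsec SA {c} is {s}" for c, s in parse_ipsec_sa(ipsec_out).items() if s != "up"]
    bgp = parse_bgp_summary(bgp_out)
    if len(bgp) != expected_tunnels:
        problems.append(f"expected {expected_tunnels} BGP neighbors, found {len(bgp)}")
    for nbr, state in bgp.items():
        if not state.isdigit():
            problems.append(f"BGP session to {nbr} is {state}, not Established")
        elif int(state) == 0:
            problems.append(f"BGP session to {nbr} is Established but received no prefixes")
    return problems


if __name__ == "__main__":
    print(audit(IKE_SA_OUT, IPSEC_SA_OUT, BGP_DEGRADED_OUT))
```

Feeding the three commands' output into audit() from cron or an SSH-based collector gives a single list of findings; an empty list is the machine-readable form of the "State is up, two peers, route present" checks this section performs by hand.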
