Configuration notes for communication between AWS VPCs

More than 5 years have passed since last update.


What I want to do

- Connect two VPCs with a VPN
- Send traffic from the private subnet of one VPC to the private subnet of the peer VPC

Environment

Prepare two VPCs

Preparation
VPC A 10.0.0.0/16
VPC B 172.16.0.0/16

* The region of each VPC does not matter.
* Tokyo-Oregon is fine, and so is Tokyo-Tokyo.

Prepare subnets in each VPC

Preparation
public subnets
 10.0.100.0/24
 172.16.100.0/24
private subnets
 10.0.200.0/24
 172.16.200.0/24

Place a VyOS (ver1.05) in each public subnet

Preparation
The VyOS in VPC A is called "VyOS A"
The VyOS in VPC B is called "VyOS B"

Attach two ENIs to each VyOS.

Preparation
VyOS A
 public: eth0 10.0.200.100/24 replaced by the correct value below
 private: eth1 10.0.200.200/24

VyOS B
 public: eth0 172.16.100.100/24
 private: eth1 172.16.200.200/24

* Set the source/dest. check to "Disabled" on all of the ENIs.

Assign an EIP to the public ENI (eth0) of VyOS A and VyOS B

Preparation
VyOS A - eth0: XXX.XXX.XXX.XXX
VyOS B - eth0: YYY.YYY.YYY.YYY

Place an EC2 instance (anything will do) in each private subnet for connectivity testing

Preparation
AmazonLinux A 10.0.200.10
AmazonLinux B 172.16.200.10

SecurityGroup

Preparation
VyOS A
 - SSH (source: SSH connections from my own workstation)
 - ESP (IP Protocol 50) (source: YYY.YYY.YYY.YYY, VyOS B's EIP)
 - UDP port 500 (source: YYY.YYY.YYY.YYY, VyOS B's EIP)
 - ALL traffic (source: 10.0.200.10, AmazonLinux A)

VyOS B
 - SSH (source: SSH connections from my own workstation)
 - ESP (IP Protocol 50) (source: XXX.XXX.XXX.XXX, VyOS A's EIP)
 - UDP port 500 (source: XXX.XXX.XXX.XXX, VyOS A's EIP)
 - ALL traffic (source: 172.16.200.10, AmazonLinux B)

AmazonLinux A (kept rough, since it is only for connectivity testing)
 - ALL traffic (source: 10.0.0.0/16, VPC A)
 - ALL traffic (source: 172.16.0.0/16, VPC B)

AmazonLinux B (kept rough, since it is only for connectivity testing)
 - ALL traffic (source: 10.0.0.0/16, VPC A)
 - ALL traffic (source: 172.16.0.0/16, VPC B)

RouteTable

Preparation
In the route table of each private subnet, add a route to the peer VPC (10.0.0.0/16 or 172.16.0.0/16).
As the target, specify eth1 (eni-XXXXXXXX) of the VyOS in the public subnet of the same VPC.

From here on, the configuration inside VyOS

Make VyOS recognize the ENI

VyOS-A_/etc/network/interfaces
Append the following:
auto eth1
iface eth1 inet static
address 10.0.200.200
netmask 255.255.255.0

VyOS-B_/etc/network/interfaces
Append the following:
auto eth1
iface eth1 inet static
address 172.16.200.200
netmask 255.255.255.0

Restart networking on each of them

$ sudo service networking restart

(When I rebooted the EC2 instance, I ran into something where I could no longer connect to the EIP(?), so I appended the following to rc.local. If anyone knows the details, please tell me how this works.)

/etc/rc.local
service networking restart

VPN configuration

VyOS-A_config
configure

# preparation (shell variables used by the set commands below)
MY_EIP=XXX.XXX.XXX.XXX
MY_ETH0=10.0.100.100
MY_ETH1=10.0.200.200
MY_CIDR=/24
MY_NETMASK=255.255.255.0
MY_ID=vyatta1000
ANOTHER_EIP=YYY.YYY.YYY.YYY
ANOTHER_NETWORK=172.16.0.0/16
ANOTHER_ID=vyatta2000
SHARED_KEY=pass12345

set vpn ipsec ipsec-interfaces interface eth0
set interfaces ethernet eth1 address $MY_ETH1$MY_CIDR
set vpn ipsec ike-group ike lifetime 3600
set vpn ipsec ike-group ike proposal 1 encryption aes128
set vpn ipsec ike-group ike proposal 1 hash sha1
set vpn ipsec esp-group esp lifetime 1800
set vpn ipsec esp-group esp proposal 1 encryption aes128
set vpn ipsec esp-group esp proposal 1 hash sha1
set vpn ipsec site-to-site peer $ANOTHER_EIP authentication mode pre-shared-secret
set vpn ipsec site-to-site peer $ANOTHER_EIP authentication pre-shared-secret $SHARED_KEY
set vpn ipsec site-to-site peer $ANOTHER_EIP authentication id @$MY_ID
set vpn ipsec site-to-site peer $ANOTHER_EIP authentication remote-id @$ANOTHER_ID
set interfaces vti vti0
set vpn ipsec site-to-site peer $ANOTHER_EIP vti bind vti0
set vpn ipsec site-to-site peer $ANOTHER_EIP ike-group ike
set vpn ipsec site-to-site peer $ANOTHER_EIP vti esp-group esp
set vpn ipsec site-to-site peer $ANOTHER_EIP local-address $MY_ETH0
set protocols static interface-route $ANOTHER_NETWORK next-hop-interface vti0

commit
save

VyOS-B_config
configure

# preparation (shell variables used by the set commands below)
MY_EIP=YYY.YYY.YYY.YYY
MY_ETH0=172.16.100.100
MY_ETH1=172.16.200.200
MY_CIDR=/24
MY_NETMASK=255.255.255.0
MY_ID=vyatta2000
ANOTHER_EIP=XXX.XXX.XXX.XXX
ANOTHER_NETWORK=10.0.0.0/16
ANOTHER_ID=vyatta1000
SHARED_KEY=pass12345

set vpn ipsec ipsec-interfaces interface eth0
set interfaces ethernet eth1 address $MY_ETH1$MY_CIDR
set vpn ipsec ike-group ike lifetime 3600
set vpn ipsec ike-group ike proposal 1 encryption aes128
set vpn ipsec ike-group ike proposal 1 hash sha1
set vpn ipsec esp-group esp lifetime 1800
set vpn ipsec esp-group esp proposal 1 encryption aes128
set vpn ipsec esp-group esp proposal 1 hash sha1
set vpn ipsec site-to-site peer $ANOTHER_EIP authentication mode pre-shared-secret
set vpn ipsec site-to-site peer $ANOTHER_EIP authentication pre-shared-secret $SHARED_KEY
set vpn ipsec site-to-site peer $ANOTHER_EIP authentication id @$MY_ID
set vpn ipsec site-to-site peer $ANOTHER_EIP authentication remote-id @$ANOTHER_ID
set interfaces vti vti0
set vpn ipsec site-to-site peer $ANOTHER_EIP vti bind vti0
set vpn ipsec site-to-site peer $ANOTHER_EIP ike-group ike
set vpn ipsec site-to-site peer $ANOTHER_EIP vti esp-group esp
set vpn ipsec site-to-site peer $ANOTHER_EIP local-address $MY_ETH0
set protocols static interface-route $ANOTHER_NETWORK next-hop-interface vti0

commit
save

All that is left is to check connectivity, and we are done.
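The two VyOS blocks above are the same template with the A/B values swapped, which is exactly where a mismatched id/remote-id or PSK slips in. The following is an added example (not from the original article): it renders one side's set commands from parameters and cross-checks that the two rendered sides agree. The EIPs used are documentation-range placeholders and the PSK is a constructed placeholder; generate a long random secret in practice.

```shell
# Added example, not from the original article: render the article's VyOS
# site-to-site commands for one router from parameters, so both peers come
# from one template instead of hand-edited copies. IPs/PSK in the demo at the
# bottom are constructed placeholder values, not real addresses or secrets.
vyos_vpn_commands() {
  local_eth0=$1 local_eth1=$2 local_id=$3
  remote_eip=$4 remote_net=$5 remote_id=$6 psk=$7
  peer="vpn ipsec site-to-site peer $remote_eip"
  cat <<EOF
set vpn ipsec ipsec-interfaces interface eth0
set interfaces ethernet eth1 address $local_eth1
set vpn ipsec ike-group ike lifetime 3600
set vpn ipsec ike-group ike proposal 1 encryption aes128
set vpn ipsec ike-group ike proposal 1 hash sha1
set vpn ipsec esp-group esp lifetime 1800
set vpn ipsec esp-group esp proposal 1 encryption aes128
set vpn ipsec esp-group esp proposal 1 hash sha1
set $peer authentication mode pre-shared-secret
set $peer authentication pre-shared-secret $psk
set $peer authentication id @$local_id
set $peer authentication remote-id @$remote_id
set interfaces vti vti0
set $peer vti bind vti0
set $peer ike-group ike
set $peer vti esp-group esp
set $peer local-address $local_eth0
set protocols static interface-route $remote_net next-hop-interface vti0
EOF
}

# Pull one peer attribute ("authentication id", "authentication remote-id",
# "authentication pre-shared-secret") out of a rendered command list.
peer_field() {
  printf '%s\n' "$1" | sed -n "s/^set vpn ipsec site-to-site peer [^ ]* $2 //p"
}

# A's id must equal B's remote-id (and vice versa) and both PSKs must match,
# otherwise IKE authentication fails. Returns 0 when consistent, 1 otherwise.
check_pair() {
  [ "$(peer_field "$1" 'authentication id')" = "$(peer_field "$2" 'authentication remote-id')" ] || return 1
  [ "$(peer_field "$2" 'authentication id')" = "$(peer_field "$1" 'authentication remote-id')" ] || return 1
  [ "$(peer_field "$1" 'authentication pre-shared-secret')" = "$(peer_field "$2" 'authentication pre-shared-secret')" ] || return 1
}

# Constructed demo: the article's VPC A / VPC B values with placeholder EIPs and PSK.
A_CFG=$(vyos_vpn_commands 10.0.100.100 10.0.200.200/24 vyatta1000 203.0.113.2 172.16.0.0/16 vyatta2000 'REPLACE_WITH_RANDOM_PSK')
B_CFG=$(vyos_vpn_commands 172.16.100.100 172.16.200.200/24 vyatta2000 198.51.100.1 10.0.0.0/16 vyatta1000 'REPLACE_WITH_RANDOM_PSK')
check_pair "$A_CFG" "$B_CFG" && echo "VyOS A/B VPN configs are consistent"
```

Pipe each rendered list into `configure` on the matching router (followed by `commit` and `save`) instead of typing the blocks by hand.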

