Connecting a YAMAHA NVR700W to AWS over an IPsec VPN through Transit Gateway

Posted at 2020-08-21

#■ Purpose
With AWS Transit Gateway (TGW) you can interconnect multiple VPCs with on-premises networks over Direct Connect (DX) or IPsec VPN.
TransitImage.png
Since the end goal is to reach on-premises networks and other clouds through the Transit Gateway, this post starts with the basic case: connecting one on-premises network and two AWS VPCs through a Transit Gateway over an IPsec VPN.

#■ Topology
構成図AWS.png
The VPCs and EC2 instances are created beforehand.
Only the Transit Gateway and the IPsec VPN connection are configured here.

#■ Creating the Transit Gateway

##● Create Transit Gateway
(1) Transit Gateway screen
Go to [Services] > [VPC] > [Transit Gateways] and click [Create Transit Gateway].
01_TransitGW作成01.png

(2) Create Transit Gateway settings
Configure the following and click [Create Transit Gateway].

・Amazon Side ASN: a private ASN (64512-65534) not already used anywhere on your network; 64512 here
・DNS support: checked
・VPN ECMP support: checked (lets the Transit Gateway spread traffic across both tunnels when the same prefix is learned over each)
・Default route table association: checked
・Default route table propagation: checked

With both default options checked, every attachment created below (the VPN and both VPCs) is associated with, and propagates its routes into, the single default route table, so on-premises and both VPCs can all reach each other. If some of these networks should not be able to talk to each other, give them separate Transit Gateway route tables instead of relying on the default one.

01_TransitGW作成02.png

(3) Create Transit Gateway request succeeded
Click [Close].
01_TransitGW作成03.png

(4) Transit Gateway created
Creation is complete once "state" shows "available".
01_TransitGW作成04.png

#■ Transit Gateway attachments

##● Transit Gateway - VPN attachment
(1) Transit Gateway attachments screen
In the left pane click [Transit Gateway Attachments], then [Create Transit Gateway Attachment].
02_TransitGW接続作成01.png

(2) Create Transit Gateway Attachment settings
Configure the following and click [Create Attachment].

・Transit Gateway ID: select the Transit Gateway created above
・Attachment type: select [VPN]
・Customer Gateway: select [New]
・IP Address: the public IP of the on-premises CPE (the YAMAHA router)
・BGP ASN: the BGP ASN of the on-premises CPE, "65000" here
・Routing option: select [Dynamic (requires BGP)]

Creating a VPN attachment this way also creates the Customer Gateway object and a Site-to-Site VPN connection that terminates on the Transit Gateway. The public IP and ASN entered here cannot be edited afterwards; changing either means recreating the Customer Gateway and the VPN connection.

02_TransitGW接続作成02.png

(3) Create Transit Gateway Attachment request succeeded
Click [Close].
02_TransitGW接続作成03.png

(4) Transit Gateway attachment created
Creation is complete once "state" shows "available".
02_TransitGW接続作成04-YAMAHA確認.png

##● Transit Gateway - VPC attachment
Two VPCs (172.31.0.0/16 and 172.32.0.0/16) are attached here, so perform the following steps twice.

(1) Transit Gateway attachments screen
In the left pane click [Transit Gateway Attachments], then [Create Transit Gateway Attachment].
04_TransitGWアタッチメント01.png

(2) Create Transit Gateway Attachment settings
Configure the following and click [Create Attachment].

・Transit Gateway ID: select the Transit Gateway created above
・Attachment type: select [VPC]
・DNS support: [enable]
・VPC ID: select the VPC to attach
・Subnet IDs: select a subnet inside VPC-172.31.0.0/16 (the Transit Gateway places a network interface in each subnet chosen; include one subnet for every Availability Zone whose resources need to reach the Transit Gateway)

04_TransitGWアタッチメント02-1.png

(3) Create Transit Gateway Attachment request succeeded
Click [Close].
04_TransitGWアタッチメント03.png

(4) Transit Gateway attachment created
Creation is complete once "state" shows "available".
04_TransitGWアタッチメント06_03.png

#■ Creating the VPN connection

(1) Site-to-Site VPN connections
In the left pane click [Site-to-Site VPN Connections], then [Create VPN Connection].
03_VPN接続01.png

(2) Create VPN connection
Configure the following and click [Create VPN Connection].

・Target Gateway Type: select [Transit Gateway]
・Transit Gateway ID: select the Transit Gateway created above
・Customer Gateway: select [Existing]
・Customer Gateway ID: select the Customer Gateway created with the Transit Gateway attachment
・Routing Options: select [Dynamic (requires BGP)]
・Tunnel Inside IP Version: select [IPv4]

03_VPN接続02.png

(3) Download configuration
Click [Download Configuration].
03_VPN接続05.png

(4) Download configuration dialog
Configure the following and click [Download].

・Vendor: [Yamaha]
・Platform: [RTX Router]
・Software: [Rev 10] or later

03_VPN接続06.png

(5) Review the configuration file
Check the downloaded file and adjust it as needed. Two things deserve attention before it is pasted into the router. First, the generated file uses what AWS itself calls the minimum requirement (AES-128-CBC, SHA-1 and DH group 2 / modp1024 for both IKE and ESP); a category "VPN" connection also accepts AES-256, SHA-256 and DH group 14, so raise the `ipsec ike encryption`, `ipsec ike hash`, `ipsec ike group` and `ipsec sa policy` lines accordingly, and restrict the tunnel options on the AWS side to the same set so that a weaker proposal is not accepted. Second, the file contains both pre-shared keys in clear text, so store and transmit it as a secret.

	# Amazon Web Services
	# Virtual Private Cloud

	# AWS utilizes unique identifiers to manage the configuration of
	# a VPN Connection. Each VPN Connection is assigned an identifier and is
	# associated with two other identifiers, namely the
	# Customer Gateway Identifier and Virtual Private Gateway Identifier.
	#
	# Your VPN Connection ID              : vpn-0235b882c3da03565
	# Your Virtual Private Gateway ID     : 
	# Your Customer Gateway ID            : cgw-01dd21a44b2318a59
	#
	#
	# This configuration consists of two tunnels. Both tunnels must be
	# configured on your Customer Gateway.
	#

	# --------------------------------------------------------------------------------
	# IPSec Tunnel #1
	# --------------------------------------------------------------------------------

	# #1: Internet Key Exchange (IKE) Configuration
	#
	# A policy is established for the supported ISAKMP encryption,
	# authentication, Diffie-Hellman, lifetime, and key parameters.
	#
	# Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
	# Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
	# You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
	# NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
	#
	# Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
	# The address of the external interface for your customer gateway must be a static address.
	# Your customer gateway may reside behind a device performing network address translation (NAT).
	# To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
	#
	tunnel select 1
	ipsec ike encryption 1 aes-cbc
	ipsec ike group 1 modp1024
	ipsec ike hash 1 sha

	# This line stores the Pre Shared Key used to authenticate the
	# tunnel endpoints.
	#
	ipsec ike pre-shared-key 1 text Password01

	# #2: IPSec Configuration

	# The IPSec policy defines the encryption, authentication, and IPSec
	# mode parameters.
	# Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
	# Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
	# NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
	#
	# Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
	#
	# Note that there is a global list of IPSec policies, each identified by
	# sequence number. This policy is defined as #201, which may conflict with
	# an existing policy using the same number. If so, we recommend changing
	# the sequence number to avoid conflicts.
	#

	ipsec tunnel 201
	ipsec sa policy 201 1 esp aes-cbc sha-hmac

	# The IPSec profile references the IPSec policy and further defines
	# the Diffie-Hellman group and security association lifetime.

	ipsec ike duration ipsec-sa 1 3600
	ipsec ike pfs 1 on

	# Additional parameters of the IPSec configuration are set here. Note that
	# these parameters are global and therefore impact other IPSec
	# associations.
	# This option instructs the router to clear the "Don't Fragment"
	# bit from packets that carry this bit and yet must be fragmented, enabling
	# them to be fragmented.
	#
	ipsec tunnel outer df-bit clear

	# This option enables IPSec Dead Peer Detection, which causes periodic
	# messages to be sent to ensure a Security Association remains operational.

	ipsec ike keepalive use 1 on dpd 10 3

	# --------------------------------------------------------------------------------
	# #3: Tunnel Interface Configuration
	#
	# A tunnel interface is configured to be the logical interface associated
	# with the tunnel. All traffic routed to the tunnel interface will be
	# encrypted and transmitted to the VPC. Similarly, traffic from the VPC
	# will be logically received on this interface.
	#
	# The address of the interface is configured with the setup for your
	# Customer Gateway.  If the address changes, the Customer Gateway and VPN
	# Connection must be recreated with Amazon VPC.
	#
	ipsec ike local address 1 100.100.100.101

	# If you are using NAT(IP masquerade) on this device, then you should specify the private IP address for the argument:
	# ipsec ike local address  <CGW local IP address>
	# Please specify the same local IP address for the 'nat descriptor masquerade' commands:
	# nat descriptor address inner 1  <CGW local IP address range>
	# nat descriptor masquerade static 1 1 <CGW local IP address>  udp 500
	# nat descriptor masquerade static 1 2 <CGW local IP address>  esp *
	#
	# For more information, please refer: http://www.rtpro.yamaha.co.jp/RT/docs/ipsec/nat.html
	#
	ipsec ike remote address 1 200.200.200.201
	ip tunnel address 169.254.154.138/30
	ip tunnel remote address 169.254.154.137

	ipsec ike local id 1 0.0.0.0/0
	ipsec ike remote id 1 0.0.0.0/0

	# This option causes the router to reduce the Maximum Segment Size of
	# TCP packets to prevent packet fragmentation

	ip tunnel tcp mss limit 1379
	tunnel enable 1
	tunnel select none
	ipsec auto refresh on

	# --------------------------------------------------------------------------------


	# --------------------------------------------------------------------------------
	# #4: Border Gateway Protocol (BGP) Configuration
	#
	# BGP is used within the tunnel to exchange prefixes between the
	# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
	# will announce the prefix corresponding to your VPC.
	#
	# The BGP timers are adjusted to provide more rapid detection of outages.
	#
	# The local BGP Autonomous System Number (ASN) (65000) is configured
	# as part of your Customer Gateway. If the ASN must be changed, the
	# Customer Gateway and VPN Connection will need to be recreated with AWS.
	#
	bgp use on
	bgp autonomous-system 65000
	bgp neighbor 1 64512 169.254.154.137 hold-time=30 local-address=169.254.154.138

	# To advertise additional prefixes to Amazon VPC, copy the 'import filter' statement and
	# identify the prefix you wish to advertise. Make sure the
	# prefix is present in the routing table of the device with a valid next-hop.
	# For example, the following two lines will advertise 192.168.0.0/16 and 10.0.0.0/16 to Amazon VPC
	#
	# bgp import filter 1 equal 10.0.0.0/16
	# bgp import filter 1 equal 192.168.0.0/16
	#

	bgp import filter 1 equal 0.0.0.0/0
	bgp import 64512 static filter 1
	bgp configure refresh

	# --------------------------------------------------------------------------------
	# IPSec Tunnel #2
	# --------------------------------------------------------------------------------


	# #1: Internet Key Exchange (IKE) Configuration
	#
	# A policy is established for the supported ISAKMP encryption,
	# authentication, Diffie-Hellman, lifetime, and key parameters.
	#
	# Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
	# Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
	# You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
	# NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
	#
	# Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
	# The address of the external interface for your customer gateway must be a static address.
	# Your customer gateway may reside behind a device performing network address translation (NAT).
	# To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
	#
	tunnel select 2
	ipsec ike encryption 2 aes-cbc
	ipsec ike group 2 modp1024
	ipsec ike hash 2 sha

	# This line stores the Pre Shared Key used to authenticate the
	# tunnel endpoints.
	#
	ipsec ike pre-shared-key 2 text Password02

	# #2: IPSec Configuration

	# The IPSec policy defines the encryption, authentication, and IPSec
	# mode parameters.
	# Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
	# Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
	# NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
	#
	# Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
	#
	# Note that there is a global list of IPSec policies, each identified by
	# sequence number. This policy is defined as #202, which may conflict with
	# an existing policy using the same number. If so, we recommend changing
	# the sequence number to avoid conflicts.
	#

	ipsec tunnel 202
	ipsec sa policy 202 2 esp aes-cbc sha-hmac

	# The IPSec profile references the IPSec policy and further defines
	# the Diffie-Hellman group and security association lifetime.

	ipsec ike duration ipsec-sa 2 3600
	ipsec ike pfs 2 on

	# Additional parameters of the IPSec configuration are set here. Note that
	# these parameters are global and therefore impact other IPSec
	# associations.
	# This option instructs the router to clear the "Don't Fragment"
	# bit from packets that carry this bit and yet must be fragmented, enabling
	# them to be fragmented.
	#
	ipsec tunnel outer df-bit clear

	# This option enables IPSec Dead Peer Detection, which causes periodic
	# messages to be sent to ensure a Security Association remains operational.

	ipsec ike keepalive use 2 on dpd 10 3

	# --------------------------------------------------------------------------------
	# #3: Tunnel Interface Configuration
	#
	# A tunnel interface is configured to be the logical interface associated
	# with the tunnel. All traffic routed to the tunnel interface will be
	# encrypted and transmitted to the VPC. Similarly, traffic from the VPC
	# will be logically received on this interface.
	#
	# The address of the interface is configured with the setup for your
	# Customer Gateway.  If the address changes, the Customer Gateway and VPN
	# Connection must be recreated with Amazon VPC.
	#
	ipsec ike local address 2 100.100.100.101

	# If you are using NAT(IP masquerade) on this device, then you should specify the private IP address for the argument:
	# ipsec ike local address  <CGW local IP address>
	# Please specify the same local IP address for the 'nat descriptor masquerade' commands:
	# nat descriptor address inner 1  <CGW local IP address range>
	# nat descriptor masquerade static 1 1 <CGW local IP address>  udp 500
	# nat descriptor masquerade static 1 2 <CGW local IP address>  esp *
	#
	# For more information, please refer: http://www.rtpro.yamaha.co.jp/RT/docs/ipsec/nat.html
	#
	ipsec ike remote address 2 200.200.200.202
	ip tunnel address 169.254.141.154/30
	ip tunnel remote address 169.254.141.153

	ipsec ike local id 2 0.0.0.0/0
	ipsec ike remote id 2 0.0.0.0/0

	# This option causes the router to reduce the Maximum Segment Size of
	# TCP packets to prevent packet fragmentation

	ip tunnel tcp mss limit 1379
	tunnel enable 2
	tunnel select none
	ipsec auto refresh on

	# --------------------------------------------------------------------------------


	# --------------------------------------------------------------------------------
	# #4: Border Gateway Protocol (BGP) Configuration
	#
	# BGP is used within the tunnel to exchange prefixes between the
	# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
	# will announce the prefix corresponding to your VPC.
	#
	# The BGP timers are adjusted to provide more rapid detection of outages.
	#
	# The local BGP Autonomous System Number (ASN) (65000) is configured
	# as part of your Customer Gateway. If the ASN must be changed, the
	# Customer Gateway and VPN Connection will need to be recreated with AWS.
	#
	bgp use on
	bgp autonomous-system 65000
	bgp neighbor 2 64512 169.254.141.153 hold-time=30 local-address=169.254.141.154

	# To advertise additional prefixes to Amazon VPC, copy the 'import filter' statement and
	# identify the prefix you wish to advertise. Make sure the
	# prefix is present in the routing table of the device with a valid next-hop.
	# For example, the following two lines will advertise 192.168.0.0/16 and 10.0.0.0/16 to Amazon VPC
	#
	# bgp import filter 1 equal 10.0.0.0/16
	# bgp import filter 1 equal 192.168.0.0/16
	#

	bgp import filter 1 equal 0.0.0.0/0
	bgp import 64512 static filter 1
	bgp configure refresh



	# Additional Notes and Questions

	#  - Amazon Virtual Private Cloud Getting Started Guide:
	#       http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
	#  - Amazon Virtual Private Cloud Network Administrator Guide:
	#       http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
	#  - Yamaha router's manual:
	#       http://www.rtpro.yamaha.co.jp/RT/docs/amazon-vpc/index.html
	#  - Yamaha router's NAT settings in IPsec:
	#       http://www.rtpro.yamaha.co.jp/RT/docs/ipsec/nat.html
	#  - XSL Version: 2009-07-15-1119716
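
The review in step (5) is easy to skip when the file is several hundred lines long, so here is a small audit script that does it mechanically. It is an added example for this article, not code from the post and not an AWS or Yamaha tool: it walks the downloaded Yamaha configuration, flags IKE and ESP lines that still use the AES-128 / SHA-1 / modp1024 minimums or a short clear-text pre-shared key, and writes out the same file with the weak lines replaced by AES-256 / SHA-256 / modp2048 equivalents. The stronger Yamaha keyword values (`aes256-cbc`, `sha256`, `modp2048`, `sha256-hmac`) are assumed from the RTX command syntax as the editor understands it; confirm them against the command reference for your firmware before applying. The sample configuration in the block is constructed from tunnel 1 of the file above.

```python
"""Audit an AWS-generated Yamaha RTX/NVR IPsec configuration for weak
parameters and emit hardened replacement lines.

Added example for this article; not part of the original post and not a
Yamaha or AWS tool.  Assumption: the stronger keyword values (aes256-cbc,
sha256, modp2048, sha256-hmac) follow the Yamaha command syntax as the
editor understands it; check them against the command reference for your
firmware.  The upgrade targets are the AWS-supported parameters for
category "VPN" tunnels (AES256, SHA2-256, DH group 14).
"""
from dataclasses import dataclass
from typing import List, Optional

# IKE (phase 1) commands have the shape "<command> <gateway_id> <value>".
IKE_UPGRADES = {
    "ipsec ike encryption": {"des-cbc": "aes256-cbc", "3des-cbc": "aes256-cbc", "aes-cbc": "aes256-cbc"},
    "ipsec ike hash": {"md5": "sha256", "sha": "sha256"},
    "ipsec ike group": {"modp768": "modp2048", "modp1024": "modp2048", "modp1536": "modp2048"},
}
# ESP (phase 2) policy: "ipsec sa policy <policy_id> <gateway_id> esp <enc> <auth>".
ESP_ENC_UPGRADES = {"des-cbc": "aes256-cbc", "3des-cbc": "aes256-cbc", "aes-cbc": "aes256-cbc"}
ESP_AUTH_UPGRADES = {"md5-hmac": "sha256-hmac", "sha-hmac": "sha256-hmac"}
MIN_PSK_LEN = 20  # policy choice for this example; AWS accepts 8-64 characters


@dataclass
class Finding:
    lineno: int
    original: str
    reason: str
    replacement: Optional[str]  # None: needs a manual fix (e.g. a new key on the AWS side)


def audit(config_text: str) -> List[Finding]:
    """Scan the configuration and return one Finding per weak line, in file order."""
    findings: List[Finding] = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split())  # drop indentation, collapse double spaces
        if not line or line.startswith("#"):
            continue  # comments from the AWS template
        tokens = line.split(" ")
        for cmd, upgrades in IKE_UPGRADES.items():
            if line.startswith(cmd + " ") and tokens[-1] in upgrades:
                findings.append(Finding(lineno, line, f"weak IKE setting {tokens[-1]}",
                                        f"{cmd} {tokens[-2]} {upgrades[tokens[-1]]}"))
        if line.startswith("ipsec sa policy ") and len(tokens) == 8 and tokens[5] == "esp":
            enc, auth = tokens[6], tokens[7]
            if enc in ESP_ENC_UPGRADES or auth in ESP_AUTH_UPGRADES:
                new_enc = ESP_ENC_UPGRADES.get(enc, enc)
                new_auth = ESP_AUTH_UPGRADES.get(auth, auth)
                findings.append(Finding(lineno, line, f"weak ESP policy {enc}/{auth}",
                                        f"ipsec sa policy {tokens[3]} {tokens[4]} esp {new_enc} {new_auth}"))
        if line.startswith("ipsec ike pre-shared-key ") and len(tokens) >= 6 and tokens[4] == "text":
            psk = tokens[5]
            if len(psk) < MIN_PSK_LEN:
                findings.append(Finding(
                    lineno, line,
                    f"pre-shared key is only {len(psk)} characters and sits in clear text; "
                    f"set a random key of at least {MIN_PSK_LEN} characters on the AWS side and re-download",
                    None))
    return findings


def harden(config_text: str) -> str:
    """Return the configuration with every auto-fixable weak line replaced, indentation kept."""
    fixes = {f.lineno: f.replacement for f in audit(config_text) if f.replacement}
    out = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        if lineno in fixes:
            indent = raw[: len(raw) - len(raw.lstrip())]
            out.append(indent + fixes[lineno])
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


# Constructed sample: tunnel 1 of the downloaded file above, without the comments.
SAMPLE = """\
tunnel select 1
ipsec ike encryption 1 aes-cbc
ipsec ike group 1 modp1024
ipsec ike hash 1 sha
ipsec ike pre-shared-key 1 text Password01
ipsec tunnel 201
ipsec sa policy 201 1 esp aes-cbc  sha-hmac
ipsec ike duration ipsec-sa 1 3600
ipsec ike pfs 1 on
ipsec ike keepalive use 1 on dpd 10 3
tunnel enable 1
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"line {f.lineno}: {f.reason}")
        if f.replacement:
            print(f"    {f.original}  ->  {f.replacement}")
    print(harden(SAMPLE))
```

Run it against the real downloaded file (`python audit.py < vpn-xxxx.txt` after swapping `SAMPLE` for `sys.stdin.read()`), paste the hardened output into the router, and set the same Phase 1 / Phase 2 algorithms in the AWS tunnel options so that both ends refuse the weaker proposals. The pre-shared key finding is deliberately left for a manual fix: generate the new key on the AWS side and re-download, rather than editing the key locally on only one end.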

#■ YAMAHA NVR700W configuration

##● Checking the initial configuration
The NVR700W is set up beforehand so that it can reach the Internet (here over the built-in WWAN module, with IP masquerade on wan1). Two things in this baseline are worth noting before the VPN is added: clear-text telnet management is enabled on the LAN side (`telnetd host lan`), and the `ip filter 500000 restrict * * * * *` entry is defined but not bound to any interface, so no explicit packet filter is in effect.

	# show config
	# NVR700W Rev.15.00.16 (Thu Jun 20 19:48:42 2019)
	# MAC Address : 00:a0:de:b3:32, 00:a0:de:b3:33
	# Memory 256Mbytes, 2LAN, 1ONU, 1WWAN
	# main:  NVR700W ver=00 serial=TESTSERIAL
	# Reporting Date: Aug 16 18:01:51 2020
	console character en.ascii
	ip route default gateway pdp wan1
	ip lan1 address 192.168.0.1/24
	ip wan1 address pdp
	ip wan1 nat descriptor 31000
	wan1 bind wwan 1
	wwan select 1
	description wwan Sim
	wwan always-on on
	wwan auth accept chap
	wwan auth myname sim@pass sim
	wwan auto connect on
	wwan disconnect time off
	wwan disconnect input time off
	wwan disconnect output time off
	wwan access-point name sim.jp
	wwan access limit length off
	wwan access limit time off
	wwan enable 1
	ip filter 500000 restrict * * * * *
	nat descriptor type 31000 masquerade
	nat descriptor address outer 31000 primary
	telnetd host lan
	dhcp service server
	dhcp server rfc2131 compliant except remain-silent
	dhcp scope 1 192.168.0.2-192.168.0.191/24
	dns host lan1
	dns server pdp wan1
	dns server select 500401 pdp wan1 any .
	dns private address spoof on
	dns private name setup.netvolante.jp
	analog supplementary-service pseudo call-waiting
	analog extension dial prefix sip prefix="9#"
	statistics traffic on
	wwan-module use on

##● IPsec VPN settings
Enter the following, taken from the downloaded file, on the YAMAHA NVR700W.

(1) Tunnel 1 settings

	tunnel select 1 
	ipsec ike encryption 1 aes-cbc
	ipsec ike group 1 modp1024
	ipsec ike hash 1 sha
	ipsec ike pre-shared-key 1 text Password01
	ipsec tunnel 201
	ipsec sa policy 201 1 esp aes-cbc  sha-hmac
	ipsec ike duration ipsec-sa 1 3600
	ipsec ike pfs 1 on
	ipsec tunnel outer df-bit clear
	ipsec ike keepalive use 1 on dpd 10 3
	ipsec ike local address 1 100.100.100.101
	ipsec ike remote address 1 200.200.200.201
	ip tunnel address 169.254.154.138/30
	ip tunnel remote address 169.254.154.137
	ipsec ike local id 1 0.0.0.0/0
	ipsec ike remote id 1 0.0.0.0/0
	ip tunnel tcp mss limit 1379
	tunnel enable 1
	tunnel select none
	ipsec auto refresh on

(2) Tunnel 2 settings

	tunnel select 2 
	ipsec ike encryption 2 aes-cbc
	ipsec ike group 2 modp1024
	ipsec ike hash 2 sha
	ipsec ike pre-shared-key 2 text Password02
	ipsec tunnel 202
	ipsec sa policy 202 2 esp aes-cbc  sha-hmac
	ipsec ike duration ipsec-sa 2 3600
	ipsec ike pfs 2 on
	ipsec tunnel outer df-bit clear
	ipsec ike keepalive use 2 on dpd 10 3
	ipsec ike local address 2 100.100.100.101
	ipsec ike remote address 2 200.200.200.202
	ip tunnel address 169.254.141.154/30
	ip tunnel remote address 169.254.141.153
	ipsec ike local id 2 0.0.0.0/0
	ipsec ike remote id 2 0.0.0.0/0
	ip tunnel tcp mss limit 1379
	tunnel enable 2
	tunnel select none
	ipsec auto refresh on

(3) BGP settings

As generated, `bgp import filter 1 equal 0.0.0.0/0` together with `bgp import 64512 static filter 1` advertises the router's static default route (0.0.0.0/0) to AWS rather than the on-premises prefix 192.168.0.0/24 specifically, so anything the Transit Gateway cannot match with a more specific route is sent toward on-premises. Check the propagated routes in the Transit Gateway route table, and narrow the filter to the prefixes that should actually be reachable, as the comment in the generated file shows.

	bgp use on
	bgp autonomous-system 65000
	bgp neighbor 1 64512 169.254.154.137 hold-time=30 local-address=169.254.154.138
	bgp neighbor 2 64512 169.254.141.153 hold-time=30 local-address=169.254.141.154
	bgp import filter 1 equal 0.0.0.0/0
	bgp import 64512 static filter 1
	bgp configure refresh 

##● Applying the IPsec settings

	# ipsec auto refresh on
	# show ipsec sa
	Total: isakmp:2 send:2 recv:2

	sa    sgw isakmp connection    dir  life[s] remote-id
	----------------------------------------------------------------------------
	1     1    -     isakmp        -    28736   200.200.200.201
	2     1    1     tun[0001]esp  send 3538    200.200.200.201
	3     1    1     tun[0001]esp  recv 3538    200.200.200.201
	4     2    -     isakmp        -    28762   200.200.200.202
	5     2    4     tun[0002]esp  send 3564    200.200.200.202
	6     2    4     tun[0002]esp  recv 3564    200.200.200.202

##● Applying the BGP settings

	# bgp configure refresh

##● Checking BGP route propagation
Confirm that the AWS-side CIDRs have been received.

	# show ip route
	Destination         Gateway          Interface   Kind      Additional Info.
	default             100.100.100.100  WAN1(PDP)   static
	169.254.141.152/30  -                TUNNEL[2]   implicit
	169.254.154.136/30  -                TUNNEL[1]   implicit
	172.31.0.0/16       169.254.141.153  TUNNEL[2]   BGP       path=64512
	172.32.0.0/16       169.254.141.153  TUNNEL[2]   BGP       path=64512
	192.168.0.0/24      192.168.0.1      LAN1        implicit
	100.0.0.0/8         100.100.100.101  WAN1        implicit

Both AWS prefixes are installed via TUNNEL[2] only: the router keeps a single BGP best path, so tunnel 1 carries no on-premises-to-AWS traffic until the session over tunnel 2 goes down. In the other direction the Transit Gateway, with VPN ECMP enabled, can spread traffic across both tunnels as long as the same prefix is advertised over both sessions.
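
The two checks above (`show ipsec sa` and `show ip route`) are what you would want to run continuously once the link is in production, so here they are as a script. It is an added example for this article, not code from the post: it parses the router's own status output as printed by the NVR700W (copied from a management session or pulled by a collector), and reports whether each tunnel has an ISAKMP SA plus send and receive ESP SAs, and whether every expected AWS prefix is learned via BGP from the Transit Gateway's ASN over a tunnel interface. The sample outputs in the block are constructed from the ones shown above; the column widths follow the router's output.

```python
"""Health check for the two AWS tunnels from the router's own status output.

Added example for this article, not code from the original post.  It parses
the text of `show ipsec sa` and `show ip route` as printed by the NVR700W
and reports missing SAs and missing or misattributed BGP routes.  The
sample outputs below are constructed from the ones shown in the post.
"""
import re
from typing import Dict, List, Optional, Sequence, Tuple

# "sa  sgw  isakmp  connection  dir  life[s]  remote-id" rows of `show ipsec sa`
SA_ROW = re.compile(
    r"^\s*(?P<sa>\d+)\s+(?P<sgw>\d+)\s+(?P<isakmp>\S+)\s+(?P<conn>\S+)"
    r"\s+(?P<dir>\S+)\s+(?P<life>\d+)\s+(?P<remote>\S+)"
)
# "Destination  Gateway  Interface  Kind  Additional Info." rows of `show ip route`
ROUTE_ROW = re.compile(
    r"^\s*(?P<dest>\S+)\s+(?P<gw>\S+)\s+(?P<iface>\S+)\s+(?P<kind>\S+)(?:\s+(?P<info>.*))?$"
)


def parse_ipsec_sa(text: str) -> Dict[int, Dict[str, bool]]:
    """Map security gateway id -> which SAs exist (isakmp, esp send, esp recv)."""
    state: Dict[int, Dict[str, bool]] = {}
    for line in text.splitlines():
        m = SA_ROW.match(line)
        if not m:
            continue  # header, separator and "Total:" lines
        gw = state.setdefault(int(m["sgw"]), {"isakmp": False, "send": False, "recv": False})
        if m["conn"] == "isakmp":
            gw["isakmp"] = True
        elif m["dir"] in ("send", "recv"):
            gw[m["dir"]] = True
    return state


def parse_bgp_routes(text: str) -> Dict[str, Tuple[str, str, Optional[str]]]:
    """Map destination prefix -> (next hop, interface, AS path) for routes of kind BGP."""
    routes: Dict[str, Tuple[str, str, Optional[str]]] = {}
    for line in text.splitlines():
        m = ROUTE_ROW.match(line)
        if not m or m["kind"] != "BGP":
            continue
        pm = re.search(r"path=(\S+)", m["info"] or "")
        routes[m["dest"]] = (m["gw"], m["iface"], pm.group(1) if pm else None)
    return routes


def check_vpn(sa_text: str, route_text: str, expected_prefixes: Sequence[str],
              peer_asn: int, tunnels: Sequence[int] = (1, 2)) -> List[str]:
    """Return a list of problems; an empty list means all tunnels and routes are healthy."""
    problems: List[str] = []
    sas = parse_ipsec_sa(sa_text)
    for t in tunnels:
        st = sas.get(t)
        if st is None or not st["isakmp"]:
            problems.append(f"tunnel {t}: no ISAKMP SA")
        elif not (st["send"] and st["recv"]):
            problems.append(f"tunnel {t}: ESP SA incomplete (send={st['send']}, recv={st['recv']})")
    routes = parse_bgp_routes(route_text)
    for prefix in expected_prefixes:
        r = routes.get(prefix)
        if r is None:
            problems.append(f"{prefix}: not learned via BGP")
            continue
        next_hop, iface, path = r
        first_as = re.split(r"\D+", path)[0] if path else ""
        if first_as != str(peer_asn):
            problems.append(f"{prefix}: AS path {path!r}, expected neighbor AS {peer_asn}")
        elif not iface.startswith("TUNNEL["):
            problems.append(f"{prefix}: next hop {next_hop} on {iface}, not a tunnel interface")
    return problems


# Constructed samples, copied from the router output shown in the post.
SA_OUTPUT = """\
Total: isakmp:2 send:2 recv:2

sa    sgw isakmp connection    dir  life[s] remote-id
----------------------------------------------------------------------------
1     1    -     isakmp        -    28736   200.200.200.201
2     1    1     tun[0001]esp  send 3538    200.200.200.201
3     1    1     tun[0001]esp  recv 3538    200.200.200.201
4     2    -     isakmp        -    28762   200.200.200.202
5     2    4     tun[0002]esp  send 3564    200.200.200.202
6     2    4     tun[0002]esp  recv 3564    200.200.200.202
"""

ROUTE_OUTPUT = """\
Destination         Gateway          Interface   Kind      Additional Info.
default             100.100.100.100  WAN1(PDP)   static
169.254.141.152/30  -                TUNNEL[2]   implicit
169.254.154.136/30  -                TUNNEL[1]   implicit
172.31.0.0/16       169.254.141.153  TUNNEL[2]   BGP       path=64512
172.32.0.0/16       169.254.141.153  TUNNEL[2]   BGP       path=64512
192.168.0.0/24      192.168.0.1      LAN1        implicit
100.0.0.0/8         100.100.100.101  WAN1        implicit
"""

if __name__ == "__main__":
    issues = check_vpn(SA_OUTPUT, ROUTE_OUTPUT, ["172.31.0.0/16", "172.32.0.0/16"], peer_asn=64512)
    print("OK" if not issues else "\n".join(issues))
```

Feeding it the live output from a scheduled job turns the two manual checks into an alert: a tunnel that has negotiated IKE but lost its ESP pair, or an AWS prefix that disappears from the table or starts arriving from an unexpected AS, shows up as a one-line problem instead of being noticed only when users complain.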

#■ Checking the IPsec connection status
##● YAMAHA NVR700W web UI
Confirm that the connection state shows UP.
06_YAMAHA-VPN接続確認.png

#■ AWS route table settings
Configure the VPC route tables so that traffic leaving each VPC goes through the Transit Gateway.

##● VPC-172.31.0.0 routes
Add routes so that traffic to on-premises (192.168.0.0/24) and to the other VPC (172.32.0.0/16) goes via the Transit Gateway, as shown below.
07_RouteTable設定01.png

##● VPC-172.32.0.0 routes
Add routes so that traffic to on-premises (192.168.0.0/24) and to the other VPC (172.31.0.0/16) goes via the Transit Gateway, as shown below.
07_RouteTable設定02.png

#■ Connectivity check
##● On-premises --> AWS Instance01

###・ping reachability

	[onp@MacBook:~] $ ping 172.31.0.11 -c 3
	PING 172.31.0.11 (172.31.0.11) 56(84) bytes of data.
	64 bytes from 172.31.0.11: icmp_seq=1 ttl=61 time=218 ms
	64 bytes from 172.31.0.11: icmp_seq=2 ttl=61 time=218 ms
	64 bytes from 172.31.0.11: icmp_seq=3 ttl=61 time=217 ms

	--- 172.31.0.11 ping statistics ---
	3 packets transmitted, 3 received, 0% packet loss, time 1999ms
	rtt min/avg/max/mdev = 217.963/218.257/218.808/0.665 ms

###・traceroute path check

	[onp@MacBook:~] $ sudo traceroute -I 172.31.0.11
	traceroute to 172.31.0.11 (172.31.0.11), 30 hops max, 60 byte packets
	1  setup.netvolante.jp (192.168.0.1)  0.261 ms  0.285 ms  0.225 ms
	2  * * *
	3  172.31.0.11 (172.31.0.11)  253.438 ms  253.383 ms  257.427 ms

###・ssh check

	[onp@MacBook:~] $ ssh -i AWS_EC2.pem ec2-user@172.31.0.11 hostname
	ip-172-31-0-11.ec2.internal

##● On-premises --> AWS Instance02

###・ping reachability

	[onp@MacBook:~] $ ping 172.32.0.22 -c 3
	PING 172.32.0.22 (172.32.0.22) 56(84) bytes of data.
	64 bytes from 172.32.0.22: icmp_seq=1 ttl=252 time=230 ms
	64 bytes from 172.32.0.22: icmp_seq=2 ttl=252 time=219 ms
	64 bytes from 172.32.0.22: icmp_seq=3 ttl=252 time=219 ms

	--- 172.32.0.22 ping statistics ---
	3 packets transmitted, 3 received, 0% packet loss, time 2002ms
	rtt min/avg/max/mdev = 219.414/223.145/230.588/5.276 ms

###・traceroute path check

	[onp@MacBook:~] $ sudo traceroute -I 172.32.0.22
	traceroute to 172.32.0.22 (172.32.0.22), 30 hops max, 60 byte packets
	1  setup.netvolante.jp (192.168.0.1)  0.398 ms  0.273 ms  0.241 ms
	2  * * *
	3  172.32.0.22 (172.32.0.22)  242.235 ms  242.222 ms  248.701 ms

###・ssh check

	[onp@MacBook:~] $ ssh -i AWS_EC2.pem ec2-user@172.32.0.22 hostname
	ip-172-32-0-22.ec2.internal

#■ Final Yamaha NVR700W config

	# show config

	# NVR700W Rev.15.00.16 (Thu Jun 20 19:48:42 2019)
	# MAC Address : 00:a0:de:b3:32, 00:a0:de:b3:33
	# Memory 256Mbytes, 2LAN, 1ONU, 1WWAN
	# main:  NVR700W ver=00 serial=TESTSERIAL
	# Reporting Date: Aug 20 22:01:02 2020
	console character en.ascii
	ip route default gateway pdp wan1
	ip lan1 address 192.168.0.1/24
	ip wan1 address pdp
	ip wan1 nat descriptor 31000
	wan1 bind wwan 1
	wwan select 1
	description wwan Sim
	wwan always-on on
	wwan auth accept chap
	wwan auth myname sim@pass sim
	wwan auto connect on
	wwan disconnect time off
	wwan disconnect input time off
	wwan disconnect output time off
	wwan access-point name sim.jp
	wwan access limit length off
	wwan access limit time off
	wwan enable 1
	tunnel select 1
	ipsec tunnel 201
	ipsec sa policy 201 1 esp aes-cbc sha-hmac
	ipsec ike duration ipsec-sa 1 3600
	ipsec ike encryption 1 aes-cbc
	ipsec ike group 1 modp1024
	ipsec ike hash 1 sha
	ipsec ike keepalive use 1 on dpd 10 3
	ipsec ike local address 1 100.100.100.101
	ipsec ike local id 1 0.0.0.0/0
	ipsec ike pfs 1 on
	ipsec ike pre-shared-key 1 text Password01
	ipsec ike remote address 1 200.200.200.201
	ipsec ike remote id 1 0.0.0.0/0
	ipsec tunnel outer df-bit clear
	ip tunnel address 169.254.154.138/30
	ip tunnel remote address 169.254.154.137
	ip tunnel tcp mss limit 1379
	tunnel enable 1
	tunnel select 2
	ipsec tunnel 202
	ipsec sa policy 202 2 esp aes-cbc sha-hmac
	ipsec ike duration ipsec-sa 2 3600
	ipsec ike encryption 2 aes-cbc
	ipsec ike group 2 modp1024
	ipsec ike hash 2 sha
	ipsec ike keepalive use 2 on dpd 10 3
	ipsec ike local address 2 100.100.100.101
	ipsec ike local id 2 0.0.0.0/0
	ipsec ike pfs 2 on
	ipsec ike pre-shared-key 2 text Password02
	ipsec ike remote address 2 200.200.200.202
	ipsec ike remote id 2 0.0.0.0/0
	ipsec tunnel outer df-bit clear
	ip tunnel address 169.254.141.154/30
	ip tunnel remote address 169.254.141.153
	ip tunnel tcp mss limit 1379
	tunnel enable 2
	ip filter 500000 restrict * * * * *
	nat descriptor type 31000 masquerade
	nat descriptor address outer 31000 primary
	bgp use on
	bgp autonomous-system 65000
	bgp neighbor 1 64512 169.254.154.137 hold-time=30 local-address=169.254.154.138
	bgp neighbor 2 64512 169.254.141.153 hold-time=30 local-address=169.254.141.154
	bgp import filter 1 equal 0.0.0.0/0
	bgp import 64512 static filter 1
	ipsec auto refresh on
	telnetd host lan
	dhcp service server
	dhcp server rfc2131 compliant except remain-silent
	dhcp scope 1 192.168.0.2-192.168.0.191/24
	dns host lan1
	dns server pdp wan1
	dns server select 500401 pdp wan1 any .
	dns private address spoof on
	dns private name setup.netvolante.jp
	analog supplementary-service pseudo call-waiting
	analog extension dial prefix sip prefix="9#"
	statistics traffic on
	wwan-module use on

#■ Connecting the Transit Gateway to OCI

Since another leg can be added to the TGW to reach other networks and other clouds, the next step is to connect it to Oracle Cloud (OCI).
・Procedure: Connecting on-premises and Oracle Cloud via AWS Transit Gateway (AWS Transit Gateway経由でオンプレミスとOracle Cloudを接続してみてみた)

#■ References
AWS Transit Gateway usable even with "shared" AWS Direct Connect (“共有型”AWS DirectConnectでも使えるAWS Transit Gateway)
AWS Transit Gateway - Awsstatic
