#■ Purpose
With AWS Transit Gateway (TGW), multiple VPCs and on-premises networks can be interconnected over Direct Connect (DX) or IPSec VPN.
Since I want to try connecting on-premises networks and other clouds through a Transit Gateway (TGW),
I will start by connecting an on-premises network and two AWS VPCs to a Transit Gateway over IPSec VPN.
#■ Configuration
The VPCs and EC2 instances are created beforehand.
Here, only the Transit Gateway and the IPSec VPN connection are configured.
#■ Creating the Transit Gateway
##● Create Transit Gateway
(1) Transit Gateway screen
Click [Services] > [VPC] > [Transit Gateway], then click [Create Transit Gateway]
(2) Create Transit Gateway settings screen
Set the following and click [Create Transit Gateway]
・Amazon Side ASN: here, private ASN 64512, which does not overlap with any other ASN in use
・DNS support: checked
・VPN ECMP support: checked
・Default route table association: checked
・Default route table propagation: checked
(3) Create Transit Gateway request succeeded
Click [Close]
(4) Transit Gateway creation complete
Creation is complete once "state" shows "available"
#■ Transit Gateway Attachments
##● Transit Gateway - VPN attachment
(1) Transit Gateway Attachments screen
In the left pane click [Transit Gateway Attachments], then click [Create Transit Gateway Attachment]
(2) Create Transit Gateway Attachment settings screen
Set the following and click [Create Attachment]
・Transit Gateway ID: select the Transit Gateway created above
・Attachment type: select [VPN]
・Customer Gateway: select [New]
・IP Address: the public IP of the on-premises CPE (YAMAHA router)
・BGP ASN: the BGP ASN of the on-premises CPE (YAMAHA router), "65000"
・Routing option: select Dynamic (requires BGP)
(3) Create Transit Gateway Attachment request succeeded
Click [Close]
(4) Transit Gateway attachment complete
The attachment is complete once "state" shows "available"
##● Transit Gateway - VPC attachment
Two VPCs (172.31.0.0/16 and 172.32.0.0/16) are attached this time, so the following steps are performed twice
(1) Transit Gateway Attachments screen
In the left pane click [Transit Gateway Attachments], then click [Create Transit Gateway Attachment]
(2) Create Transit Gateway Attachment settings screen
Set the following and click [Create Attachment]
・Transit Gateway ID: select the Transit Gateway created above
・Attachment type: select [VPC]
・DNS support: [enable]
・VPC ID: select the VPC to attach
・Subnet IDs: select the subnets inside VPC-172.31.0.0/16
(3) Create Transit Gateway Attachment request succeeded
Click [Close]
(4) Transit Gateway attachment complete
The attachment is complete once "state" shows "available"
#■ Creating the VPN Connection
(1) Site-to-Site VPN Connections
In the left pane click [Site-to-Site VPN Connections], then click [Create VPN Connection]
(2) Create VPN Connection
Set the following and click [Create Attachment]
・Transit Gateway Type: select [Transit Gateway]
・Transit Gateway ID: select the Transit Gateway created above
・Customer Gateway: select [Existing]
・Customer Gateway ID: select the Customer Gateway created in Create Transit Gateway Attachment
・Routing Options: select [Dynamic (requires BGP)]
・Tunnel Inside IP Version: select [IPv4]
(3) Download Configuration
Click [Download Configuration]
(4) Download Configuration screen
Set the following and click [Download]
・Vendor: select [Yamaha]
・Platform: select [RTX Router]
・Software: select [Rev 10] or later
(5) Check the configuration file
Check the downloaded file and modify it as needed
```
# Amazon Web Services
# Virtual Private Cloud
# AWS utilizes unique identifiers to manage the configuration of
# a VPN Connection. Each VPN Connection is assigned an identifier and is
# associated with two other identifiers, namely the
# Customer Gateway Identifier and Virtual Private Gateway Identifier.
#
# Your VPN Connection ID : vpn-0235b882c3da03565
# Your Virtual Private Gateway ID :
# Your Customer Gateway ID : cgw-01dd21a44b2318a59
#
#
# This configuration consists of two tunnels. Both tunnels must be
# configured on your Customer Gateway.
#
# --------------------------------------------------------------------------------
# IPSec Tunnel #1
# --------------------------------------------------------------------------------
# #1: Internet Key Exchange (IKE) Configuration
#
# A policy is established for the supported ISAKMP encryption,
# authentication, Diffie-Hellman, lifetime, and key parameters.
#
# Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
# Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
# You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
# NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
#
# Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
# The address of the external interface for your customer gateway must be a static address.
# Your customer gateway may reside behind a device performing network address translation (NAT).
# To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
#
tunnel select 1
ipsec ike encryption 1 aes-cbc
ipsec ike group 1 modp1024
ipsec ike hash 1 sha
# This line stores the Pre Shared Key used to authenticate the
# tunnel endpoints.
#
ipsec ike pre-shared-key 1 text Password01
# #2: IPSec Configuration
# The IPSec policy defines the encryption, authentication, and IPSec
# mode parameters.
# Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
# Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
# NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
#
# Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
#
# Note that there are a global list of IPSec policies, each identified by
# sequence number. This policy is defined as #201, which may conflict with
# an existing policy using the same number. If so, we recommend changing
# the sequence number to avoid conflicts.
#
ipsec tunnel 201
ipsec sa policy 201 1 esp aes-cbc sha-hmac
# The IPSec profile references the IPSec policy and further defines
# the Diffie-Hellman group and security association lifetime.
ipsec ike duration ipsec-sa 1 3600
ipsec ike pfs 1 on
# Additional parameters of the IPSec configuration are set here. Note that
# these parameters are global and therefore impact other IPSec
# associations.
# This option instructs the router to clear the "Don't Fragment"
# bit from packets that carry this bit and yet must be fragmented, enabling
# them to be fragmented.
#
ipsec tunnel outer df-bit clear
# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.
ipsec ike keepalive use 1 on dpd 10 3
# --------------------------------------------------------------------------------
# #3: Tunnel Interface Configuration
#
# A tunnel interface is configured to be the logical interface associated
# with the tunnel. All traffic routed to the tunnel interface will be
# encrypted and transmitted to the VPC. Similarly, traffic from the VPC
# will be logically received on this interface.
#
# The address of the interface is configured with the setup for your
# Customer Gateway. If the address changes, the Customer Gateway and VPN
# Connection must be recreated with Amazon VPC.
#
ipsec ike local address 1 100.100.100.101
# If you are using NAT(IP masquerade) on this device, then you should specify the private IP address for the argument:
# ipsec ike local address <CGW local IP address>
# Please specify the same local IP address for the 'nat descriptor masquerade' commands:
# nat descriptor address inner 1 <CGW local IP address range>
# nat descriptor masquerade static 1 1 <CGW local IP address> udp 500
# nat descriptor masquerade static 1 2 <CGW local IP address> esp *
#
# For more information, please refer: http://www.rtpro.yamaha.co.jp/RT/docs/ipsec/nat.html
#
ipsec ike remote address 1 200.200.200.201
ip tunnel address 169.254.154.138/30
ip tunnel remote address 169.254.154.137
ipsec ike local id 1 0.0.0.0/0
ipsec ike remote id 1 0.0.0.0/0
# This option causes the router to reduce the Maximum Segment Size of
# TCP packets to prevent packet fragmentation
ip tunnel tcp mss limit 1379
tunnel enable 1
tunnel select none
ipsec auto refresh on
# --------------------------------------------------------------------------------
# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
# will announce the prefix corresponding to your VPC.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
bgp use on
bgp autonomous-system 65000
bgp neighbor 1 64512 169.254.154.137 hold-time=30 local-address=169.254.154.138
# To advertise additional prefixes to Amazon VPC, copy the 'import filter' statement and
# identify the prefix you wish to advertise. Make sure the
# prefix is present in the routing table of the device with a valid next-hop.
# For example, the following two lines will advertise 192.168.0.0/16 and 10.0.0.0/16 to Amazon VPC
#
# bgp import filter 1 equal 10.0.0.0/16
# bgp import filter 1 equal 192.168.0.0/16
#
bgp import filter 1 equal 0.0.0.0/0
bgp import 64512 static filter 1
bgp configure refresh
# --------------------------------------------------------------------------------
# IPSec Tunnel #2
# --------------------------------------------------------------------------------
# #1: Internet Key Exchange (IKE) Configuration
#
# A policy is established for the supported ISAKMP encryption,
# authentication, Diffie-Hellman, lifetime, and key parameters.
#
# Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
# Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
# You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
# NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
#
# Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
# The address of the external interface for your customer gateway must be a static address.
# Your customer gateway may reside behind a device performing network address translation (NAT).
# To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
#
tunnel select 2
ipsec ike encryption 2 aes-cbc
ipsec ike group 2 modp1024
ipsec ike hash 2 sha
# This line stores the Pre Shared Key used to authenticate the
# tunnel endpoints.
#
ipsec ike pre-shared-key 2 text Password02
# #2: IPSec Configuration
# The IPSec policy defines the encryption, authentication, and IPSec
# mode parameters.
# Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
# Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
# NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
#
# Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
#
# Note that there are a global list of IPSec policies, each identified by
# sequence number. This policy is defined as #202, which may conflict with
# an existing policy using the same number. If so, we recommend changing
# the sequence number to avoid conflicts.
#
ipsec tunnel 202
ipsec sa policy 202 2 esp aes-cbc sha-hmac
# The IPSec profile references the IPSec policy and further defines
# the Diffie-Hellman group and security association lifetime.
ipsec ike duration ipsec-sa 2 3600
ipsec ike pfs 2 on
# Additional parameters of the IPSec configuration are set here. Note that
# these parameters are global and therefore impact other IPSec
# associations.
# This option instructs the router to clear the "Don't Fragment"
# bit from packets that carry this bit and yet must be fragmented, enabling
# them to be fragmented.
#
ipsec tunnel outer df-bit clear
# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.
ipsec ike keepalive use 2 on dpd 10 3
# --------------------------------------------------------------------------------
# #3: Tunnel Interface Configuration
#
# A tunnel interface is configured to be the logical interface associated
# with the tunnel. All traffic routed to the tunnel interface will be
# encrypted and transmitted to the VPC. Similarly, traffic from the VPC
# will be logically received on this interface.
#
# The address of the interface is configured with the setup for your
# Customer Gateway. If the address changes, the Customer Gateway and VPN
# Connection must be recreated with Amazon VPC.
#
ipsec ike local address 2 100.100.100.101
# If you are using NAT(IP masquerade) on this device, then you should specify the private IP address for the argument:
# ipsec ike local address <CGW local IP address>
# Please specify the same local IP address for the 'nat descriptor masquerade' commands:
# nat descriptor address inner 1 <CGW local IP address range>
# nat descriptor masquerade static 1 1 <CGW local IP address> udp 500
# nat descriptor masquerade static 1 2 <CGW local IP address> esp *
#
# For more information, please refer: http://www.rtpro.yamaha.co.jp/RT/docs/ipsec/nat.html
#
ipsec ike remote address 2 200.200.200.202
ip tunnel address 169.254.141.154/30
ip tunnel remote address 169.254.141.153
ipsec ike local id 2 0.0.0.0/0
ipsec ike remote id 2 0.0.0.0/0
# This option causes the router to reduce the Maximum Segment Size of
# TCP packets to prevent packet fragmentation
ip tunnel tcp mss limit 1379
tunnel enable 2
tunnel select none
ipsec auto refresh on
# --------------------------------------------------------------------------------
# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
# will announce the prefix corresponding to your VPC.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
bgp use on
bgp autonomous-system 65000
bgp neighbor 2 64512 169.254.141.153 hold-time=30 local-address=169.254.141.154
# To advertise additional prefixes to Amazon VPC, copy the 'import filter' statement and
# identify the prefix you wish to advertise. Make sure the
# prefix is present in the routing table of the device with a valid next-hop.
# For example, the following two lines will advertise 192.168.0.0/16 and 10.0.0.0/16 to Amazon VPC
#
# bgp import filter 1 equal 10.0.0.0/16
# bgp import filter 1 equal 192.168.0.0/16
#
bgp import filter 1 equal 0.0.0.0/0
bgp import 64512 static filter 1
bgp configure refresh
# Additional Notes and Questions
# - Amazon Virtual Private Cloud Getting Started Guide:
# http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
# - Amazon Virtual Private Cloud Network Administrator Guide:
# http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
# - Yamaha router's manual:
# http://www.rtpro.yamaha.co.jp/RT/docs/amazon-vpc/index.html
# - Yamaha router's NAT settings in IPsec:
# http://www.rtpro.yamaha.co.jp/RT/docs/ipsec/nat.html
# - XSL Version: 2009-07-15-1119716
```
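As an added example (not part of the original post or of the AWS-generated file), the following Python script parses the downloaded Yamaha config and runs the checks worth doing at step (5) before pasting it into the router: that each tunnel's inside addresses form one /30 pair, that the `bgp neighbor` line for that tunnel uses the same pair, that each tunnel has its own pre-shared key, and that the IKE/ESP parameters the file's own comments describe as the minimum (SHA1, DH group 2) are listed as warnings. The embedded sample is constructed from the values shown above; the hash/group names it flags are assumed from the Yamaha command syntax in that file.

```python
import ipaddress

# Constructed sample: the non-comment lines of the downloaded file above that this check reads.
SAMPLE_CONFIG = """\
tunnel select 1
ipsec ike group 1 modp1024
ipsec ike hash 1 sha
ipsec ike pre-shared-key 1 text Password01
ipsec sa policy 201 1 esp aes-cbc sha-hmac
ip tunnel address 169.254.154.138/30
ip tunnel remote address 169.254.154.137
tunnel select none
bgp neighbor 1 64512 169.254.154.137 hold-time=30 local-address=169.254.154.138
tunnel select 2
ipsec ike group 2 modp1024
ipsec ike hash 2 sha
ipsec ike pre-shared-key 2 text Password02
ipsec sa policy 202 2 esp aes-cbc sha-hmac
ip tunnel address 169.254.141.154/30
ip tunnel remote address 169.254.141.153
tunnel select none
bgp neighbor 2 64512 169.254.141.153 hold-time=30 local-address=169.254.141.154
"""

# Parameters the AWS sample file itself describes as the minimum (modp1024 is DH group 2, sha is SHA1).
WEAK = {"group": {"modp768", "modp1024"}, "hash": {"md5", "sha"}, "esp_auth": {"md5-hmac", "sha-hmac"}}


def parse(text):
    """Return (tunnels, neighbors): per-tunnel IKE/ESP/inside-address data and the BGP neighbor lines."""
    tunnels, neighbors, cur = {}, {}, None
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()  # drop comments and blank lines
        if not tok:
            continue
        if tok[:2] == ["tunnel", "select"]:  # 'ip tunnel ...' lines belong to the selected tunnel
            cur = None if tok[2] == "none" else int(tok[2])
        elif tok[:2] == ["ipsec", "ike"] and tok[2] in ("group", "hash"):
            tunnels.setdefault(int(tok[3]), {})[tok[2]] = tok[4]
        elif tok[:3] == ["ipsec", "ike", "pre-shared-key"]:
            tunnels.setdefault(int(tok[3]), {})["psk"] = tok[5]
        elif tok[:3] == ["ipsec", "sa", "policy"]:  # ipsec sa policy <id> <tunnel> esp <enc> <auth>
            tunnels.setdefault(int(tok[4]), {})["esp_auth"] = tok[7]
        elif tok[:3] == ["ip", "tunnel", "address"] and cur is not None:
            tunnels.setdefault(cur, {})["inside"] = tok[3]
        elif tok[:4] == ["ip", "tunnel", "remote", "address"] and cur is not None:
            tunnels.setdefault(cur, {})["inside_peer"] = tok[4]
        elif tok[:2] == ["bgp", "neighbor"]:  # bgp neighbor <n> <asn> <addr> key=value ...
            opts = dict(o.split("=", 1) for o in tok[5:])
            neighbors[int(tok[2])] = {"asn": int(tok[3]), "addr": tok[4], **opts}
    return tunnels, neighbors


def check(tunnels, neighbors):
    """Return 'ERROR ...' / 'WARN ...' findings; an empty list means the file is consistent."""
    out, seen_psk = [], {}
    for n, t in sorted(tunnels.items()):
        if "inside" not in t or "inside_peer" not in t:
            out.append(f"ERROR tunnel {n}: missing 'ip tunnel address' or 'ip tunnel remote address'")
            continue
        inside = ipaddress.ip_interface(t["inside"])
        peer = ipaddress.ip_address(t["inside_peer"])
        if inside.network.prefixlen != 30 or peer not in inside.network or peer == inside.ip:
            out.append(f"ERROR tunnel {n}: {t['inside']} / {t['inside_peer']} are not one /30 pair")
        nb = neighbors.get(n, {})
        if nb.get("addr") != t["inside_peer"] or nb.get("local-address") != str(inside.ip):
            out.append(f"ERROR tunnel {n}: no bgp neighbor matching inside {inside.ip} -> {peer}")
        psk = t.get("psk")
        if not psk or psk in seen_psk:
            out.append(f"ERROR tunnel {n}: pre-shared key missing or already used by tunnel {seen_psk.get(psk)}")
        seen_psk.setdefault(psk, n)
        for key, weak in WEAK.items():
            if t.get(key) in weak:
                out.append(f"WARN tunnel {n}: {key} {t[key]} is the sample minimum; raise it as the file's notes advise")
    return out
```

Run `check(*parse(open("vpn-config.txt").read()))` on the real download; any ERROR line means the file should not be pasted as-is, and the WARN lines are the parameters to raise together with the tunnel options on the AWS side.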
#■ YAMAHA NVR700W Configuration
##● Checking the Initial Configuration
The YAMAHA NVR700W is configured beforehand so that it can reach the Internet
```
# show config
# NVR700W Rev.15.00.16 (Thu Jun 20 19:48:42 2019)
# MAC Address : 00:a0:de:b3:32, 00:a0:de:b3:33
# Memory 256Mbytes, 2LAN, 1ONU, 1WWAN
# main: NVR700W ver=00 serial=TESTSERIAL
# Reporting Date: Aug 16 18:01:51 2020
console character en.ascii
ip route default gateway pdp wan1
ip lan1 address 192.168.0.1/24
ip wan1 address pdp
ip wan1 nat descriptor 31000
wan1 bind wwan 1
wwan select 1
description wwan Sim
wwan always-on on
wwan auth accept chap
wwan auth myname sim@pass sim
wwan auto connect on
wwan disconnect time off
wwan disconnect input time off
wwan disconnect output time off
wwan access-point name sim.jp
wwan access limit length off
wwan access limit time off
wwan enable 1
ip filter 500000 restrict * * * * *
nat descriptor type 31000 masquerade
nat descriptor address outer 31000 primary
telnetd host lan
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.0.2-192.168.0.191/24
dns host lan1
dns server pdp wan1
dns server select 500401 pdp wan1 any .
dns private address spoof on
dns private name setup.netvolante.jp
analog supplementary-service pseudo call-waiting
analog extension dial prefix sip prefix="9#"
statistics traffic on
wwan-module use on
```
##● IPSec VPN Configuration
Apply the following settings from the downloaded file to the YAMAHA NVR700W
(1) Tunnel 1 settings
```
tunnel select 1
ipsec ike encryption 1 aes-cbc
ipsec ike group 1 modp1024
ipsec ike hash 1 sha
ipsec ike pre-shared-key 1 text Password01
ipsec tunnel 201
ipsec sa policy 201 1 esp aes-cbc sha-hmac
ipsec ike duration ipsec-sa 1 3600
ipsec ike pfs 1 on
ipsec tunnel outer df-bit clear
ipsec ike keepalive use 1 on dpd 10 3
ipsec ike local address 1 100.100.100.101
ipsec ike remote address 1 200.200.200.201
ip tunnel address 169.254.154.138/30
ip tunnel remote address 169.254.154.137
ipsec ike local id 1 0.0.0.0/0
ipsec ike remote id 1 0.0.0.0/0
ip tunnel tcp mss limit 1379
tunnel enable 1
tunnel select none
ipsec auto refresh on
```
(2) Tunnel 2 settings
```
tunnel select 2
ipsec ike encryption 2 aes-cbc
ipsec ike group 2 modp1024
ipsec ike hash 2 sha
ipsec ike pre-shared-key 2 text Password02
ipsec tunnel 202
ipsec sa policy 202 2 esp aes-cbc sha-hmac
ipsec ike duration ipsec-sa 2 3600
ipsec ike pfs 2 on
ipsec tunnel outer df-bit clear
ipsec ike keepalive use 2 on dpd 10 3
ipsec ike local address 2 100.100.100.101
ipsec ike remote address 2 200.200.200.202
ip tunnel address 169.254.141.154/30
ip tunnel remote address 169.254.141.153
ipsec ike local id 2 0.0.0.0/0
ipsec ike remote id 2 0.0.0.0/0
ip tunnel tcp mss limit 1379
tunnel enable 2
tunnel select none
ipsec auto refresh on
```
(3) BGP settings
```
bgp use on
bgp autonomous-system 65000
bgp neighbor 1 64512 169.254.154.137 hold-time=30 local-address=169.254.154.138
bgp neighbor 2 64512 169.254.141.153 hold-time=30 local-address=169.254.141.154
bgp import filter 1 equal 0.0.0.0/0
bgp import 64512 static filter 1
bgp configure refresh
```
##● Applying the IPSec Configuration
```
# ipsec auto refresh on
# show ipsec sa
Total: isakmp:2 send:2 recv:2

sa   sgw   isakmp   connection      dir    life[s]   remote-id
----------------------------------------------------------------------------
1    1     -        isakmp          -      28736     200.200.200.201
2    1     1        tun[0001]esp    send   3538      200.200.200.201
3    1     1        tun[0001]esp    recv   3538      200.200.200.201
4    2     -        isakmp          -      28762     200.200.200.202
5    2     4        tun[0002]esp    send   3564      200.200.200.202
6    2     4        tun[0002]esp    recv   3564      200.200.200.202
```
##● Applying the BGP Configuration
```
# bgp configure refresh
```
##● Checking BGP Propagation
Confirm that the AWS-side CIDRs are being received
```
# show ip route
Destination           Gateway            Interface     Kind       Additional Info.
default               100.100.100.100    WAN1(PDP)     static
169.254.141.152/30    -                  TUNNEL[2]     implicit
169.254.154.136/30    -                  TUNNEL[1]     implicit
172.31.0.0/16         169.254.141.153    TUNNEL[2]     BGP        path=64512
172.32.0.0/16         169.254.141.153    TUNNEL[2]     BGP        path=64512
192.168.0.0/24        192.168.0.1        LAN1          implicit
100.0.0.0/8           100.100.100.101    WAN1          implicit
```
#■ Checking the IPSec Connection Status
##● YAMAHA NVR700W screen
Confirm that the connection status is UP
#■ AWS Route Table Configuration
Configure the route tables so that traffic from the VPCs can reach external networks via the Transit Gateway
##● VPC-172.31.0.0 route configuration
Configure the routes as follows so that traffic to on-premises (192.168.0.0/24), the other VPC (172.32.0.0), etc. goes via the Transit Gateway
##● VPC-172.32.0.0 route configuration
Configure the routes as follows so that traffic to on-premises (192.168.0.0/24), the other VPC (172.31.0.0), etc. goes via the Transit Gateway
#■ Connectivity Check
##● On-Premises --> AWS Instance01
###・ping connectivity check
```
[onp@MacBook:~] $ ping 172.31.0.11 -c 3
PING 172.31.0.11 (172.31.0.11) 56(84) bytes of data.
64 bytes from 172.31.0.11: icmp_seq=1 ttl=61 time=218 ms
64 bytes from 172.31.0.11: icmp_seq=2 ttl=61 time=218 ms
64 bytes from 172.31.0.11: icmp_seq=3 ttl=61 time=217 ms
--- 172.31.0.11 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 217.963/218.257/218.808/0.665 ms
```
###・traceroute path check
```
[onp@MacBook:~] $ sudo traceroute -I 172.31.0.11
traceroute to 172.31.0.11 (172.31.0.11), 30 hops max, 60 byte packets
 1  setup.netvolante.jp (192.168.0.1)  0.261 ms  0.285 ms  0.225 ms
 2  * * *
 3  172.31.0.11 (172.31.0.11)  253.438 ms  253.383 ms  257.427 ms
```
###・ssh connection check
```
[onp@MacBook:~] $ ssh -i AWS_EC2.pem ec2-user@172.31.0.11 hostname
ip-172-31-0-11.ec2.internal
```
##● On-Premises --> AWS Instance02
###・ping connectivity check
```
[onp@MacBook:~] $ ping 172.32.0.22 -c 3
PING 172.32.0.22 (172.32.0.22) 56(84) bytes of data.
64 bytes from 172.32.0.22: icmp_seq=1 ttl=252 time=230 ms
64 bytes from 172.32.0.22: icmp_seq=2 ttl=252 time=219 ms
64 bytes from 172.32.0.22: icmp_seq=3 ttl=252 time=219 ms
--- 172.32.0.22 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 219.414/223.145/230.588/5.276 ms
```
###・traceroute path check
```
[onp@MacBook:~] $ sudo traceroute -I 172.32.0.22
traceroute to 172.32.0.22 (172.32.0.22), 30 hops max, 60 byte packets
 1  setup.netvolante.jp (192.168.0.1)  0.398 ms  0.273 ms  0.241 ms
 2  * * *
 3  172.32.0.22 (172.32.0.22)  242.235 ms  242.222 ms  248.701 ms
```
###・ssh connection check
```
[onp@MacBook:~] $ ssh -i AWS_EC2.pem ec2-user@172.32.0.22 hostname
ip-172-32-0-22.ec2.internal
```
#■ Yamaha NVR700W Final Config
```
# show config
# NVR700W Rev.15.00.16 (Thu Jun 20 19:48:42 2019)
# MAC Address : 00:a0:de:b3:32, 00:a0:de:b3:33
# Memory 256Mbytes, 2LAN, 1ONU, 1WWAN
# main: NVR700W ver=00 serial=TESTSERIAL
# Reporting Date: Aug 20 22:01:02 2020
console character en.ascii
ip route default gateway pdp wan1
ip lan1 address 192.168.0.1/24
ip wan1 address pdp
ip wan1 nat descriptor 31000
wan1 bind wwan 1
wwan select 1
description wwan Sim
wwan always-on on
wwan auth accept chap
wwan auth myname sim@pass sim
wwan auto connect on
wwan disconnect time off
wwan disconnect input time off
wwan disconnect output time off
wwan access-point name sim.jp
wwan access limit length off
wwan access limit time off
wwan enable 1
tunnel select 1
ipsec tunnel 201
ipsec sa policy 201 1 esp aes-cbc sha-hmac
ipsec ike duration ipsec-sa 1 3600
ipsec ike encryption 1 aes-cbc
ipsec ike group 1 modp1024
ipsec ike hash 1 sha
ipsec ike keepalive use 1 on dpd 10 3
ipsec ike local address 1 100.100.100.101
ipsec ike local id 1 0.0.0.0/0
ipsec ike pfs 1 on
ipsec ike pre-shared-key 1 text Password01
ipsec ike remote address 1 200.200.200.201
ipsec ike remote id 1 0.0.0.0/0
ipsec tunnel outer df-bit clear
ip tunnel address 169.254.154.138/30
ip tunnel remote address 169.254.154.137
ip tunnel tcp mss limit 1379
tunnel enable 1
tunnel select 2
ipsec tunnel 202
ipsec sa policy 202 2 esp aes-cbc sha-hmac
ipsec ike duration ipsec-sa 2 3600
ipsec ike encryption 2 aes-cbc
ipsec ike group 2 modp1024
ipsec ike hash 2 sha
ipsec ike keepalive use 2 on dpd 10 3
ipsec ike local address 2 100.100.100.101
ipsec ike local id 2 0.0.0.0/0
ipsec ike pfs 2 on
ipsec ike pre-shared-key 2 text Password02
ipsec ike remote address 2 200.200.200.202
ipsec ike remote id 2 0.0.0.0/0
ipsec tunnel outer df-bit clear
ip tunnel address 169.254.141.154/30
ip tunnel remote address 169.254.141.153
ip tunnel tcp mss limit 1379
tunnel enable 2
ip filter 500000 restrict * * * * *
nat descriptor type 31000 masquerade
nat descriptor address outer 31000 primary
bgp use on
bgp autonomous-system 65000
bgp neighbor 1 64512 169.254.154.137 hold-time=30 local-address=169.254.154.138
bgp neighbor 2 64512 169.254.141.153 hold-time=30 local-address=169.254.141.154
bgp import filter 1 equal 0.0.0.0/0
bgp import 64512 static filter 1
ipsec auto refresh on
telnetd host lan
dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.0.2-192.168.0.191/24
dns host lan1
dns server pdp wan1
dns server select 500401 pdp wan1 any .
dns private address spoof on
dns private name setup.netvolante.jp
analog supplementary-service pseudo call-waiting
analog extension dial prefix sip prefix="9#"
statistics traffic on
wwan-module use on
```
#■ Connecting the Transit Gateway to OCI
Since one more leg can be extended from the TGW to reach other networks and other clouds, next I will try connecting to Oracle Cloud (OCI).
・Procedure: Connecting On-Premises and Oracle Cloud via AWS Transit Gateway
#■ References
・AWS Transit Gateway, usable even with "shared" AWS Direct Connect
・AWS Transit Gateway - Awsstatic