I previously wrote an article about building a site-to-site VPN between a YAMAHA RTX1200 and AWS. Recently I had to set up the same kind of VPN connection with an NEC IX2105, so I am writing it up here as a memo. As with the Yamaha, articles of the "configured a VPN between network device X and AWS" type are surprisingly hard to find online... Maybe network engineers don't publish much on blogs or Qiita, or maybe the vendor's official sample config is considered good enough... Either way, I hope this is useful to someone.
My earlier YAMAHA article: YAMAHA RTX1200 でAWS サイト間VPN接続の構築 (Building an AWS site-to-site VPN with a YAMAHA RTX1200)
#Goal of this post
Being able to ping the private IP of an EC2 instance inside the AWS VPC from the router's LAN-side IP, through the VPN, and get a reply.
[Diagram of the setup]
#Environment
- The AWS-side subnet is 10.0.0.0/24 and the EC2 instance is 10.0.0.76/24
- The IX2105 LAN-side IP is 192.168.1.254/24
- The IX2105 WAN side has a static global (public) IP
- The WAN line in this case is FLET'S
#Procedure
① Deploy an EC2 instance
② Configure the customer gateway in the AWS VPC
③ Configure the virtual private gateway in the AWS VPC
④ Configure the AWS security group and routing
⑤ Configure the site-to-site VPN
⑥ Download the required configuration from AWS
⑦ Apply the configuration to the IX2105
#Doing it
I'll skip ① since there are other detailed articles about it. ② to ⑤ are also the same as when I set up the site-to-site VPN with the YAMAHA RTX1200, so I'll skip those too; refer to the following article for those steps.
My earlier YAMAHA article: YAMAHA RTX1200 でAWS サイト間VPN接続の構築 (Building an AWS site-to-site VPN with a YAMAHA RTX1200)
So let's start with ⑥, downloading the configuration. For VPN setup, AWS provides sample configurations for a number of routers. There was one for the YAMAHA last time, but none is provided for the IX series, so select "Generic".
The downloaded configuration looks like this (the values in quotes are placeholders for my own addresses).
```
Amazon Web Services
Virtual Private Cloud
IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration
Configure the IKE SA as follows:
Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
The address of the external interface for your customer gateway must be a static address.
Your customer gateway may reside behind a device performing network address translation (NAT).
To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall !rules to unblock UDP port 4500.
| If not behind NAT, and you are not using an Accelerated VPN, we recommend disabling NAT-T. If you are using an Accelerated VPN, make sure that NAT-T is enabled.
- IKE version : IKEv1
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : AAAAAAAAAAAAAAAAAAAAAAA
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Diffie-Hellman : Group 2
#2: IPSec Configuration
Configure the IPSec SA as follows:
Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2
IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
- DPD Interval : 10
- DPD Retries : 3
IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:
- TCP MSS Adjustment : 1379 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation : Before encryption
#3: Tunnel Interface Configuration
Your Customer Gateway must be configured with a tunnel interface that is
associated with the IPSec tunnel. All traffic transmitted to the tunnel
interface is encrypted and transmitted to the Virtual Private Gateway.
The Customer Gateway and Virtual Private Gateway each have two addresses that relate
to this IPSec tunnel. Each contains an outside address, upon which encrypted
traffic is exchanged. Each also contain an inside address associated with
the tunnel interface.
The Customer Gateway outside IP address was provided when the Customer Gateway
was created. Changing the IP address requires the creation of a new
Customer Gateway.
The Customer Gateway inside IP address should be configured on your tunnel
interface.
Outside IP Addresses:
- Customer Gateway : "static global IP"
- Virtual Private Gateway : "IPsec peer address #1"
Inside IP Addresses
- Customer Gateway : "BGP peer address #1 (router side)"
- Virtual Private Gateway : "BGP peer address #1 (AWS side)"
Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes
#4: Border Gateway Protocol (BGP) Configuration:
The Border Gateway Protocol (BGPv4) is used within the tunnel, between the inside
IP addresses, to exchange routes from the VPC to your home network. Each
BGP router has an Autonomous System Number (ASN). Your ASN was provided
to AWS when the Customer Gateway was created.
BGP Configuration Options:
- Customer Gateway ASN : 65000
- Virtual Private Gateway ASN : 64512
- Neighbor IP Address : "BGP peer address #1 (AWS side)"
- Neighbor Hold Time : 30
Configure BGP to announce routes to the Virtual Private Gateway. The gateway
will announce prefixes to your customer gateway based upon the prefix you
assigned to the VPC at creation time.
IPSec Tunnel #2
================================================================================
#1: Internet Key Exchange Configuration
Configure the IKE SA as follows:
Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
The address of the external interface for your customer gateway must be a static address.
Your customer gateway may reside behind a device performing network address translation (NAT).
To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall !rules to unblock UDP port 4500.
| If not behind NAT, and you are not using an Accelerated VPN, we recommend disabling NAT-T. If you are using an Accelerated VPN, make sure that NAT-T is enabled.
- IKE version : IKEv1
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : BBBBBBBBBBBBBBBBBBBBB
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Diffie-Hellman : Group 2
#2: IPSec Configuration
Configure the IPSec SA as follows:
Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2
IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
- DPD Interval : 10
- DPD Retries : 3
IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:
- TCP MSS Adjustment : 1379 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation : Before encryption
#3: Tunnel Interface Configuration
Your Customer Gateway must be configured with a tunnel interface that is
associated with the IPSec tunnel. All traffic transmitted to the tunnel
interface is encrypted and transmitted to the Virtual Private Gateway.
The Customer Gateway and Virtual Private Gateway each have two addresses that relate
to this IPSec tunnel. Each contains an outside address, upon which encrypted
traffic is exchanged. Each also contain an inside address associated with
the tunnel interface.
The Customer Gateway outside IP address was provided when the Customer Gateway
was created. Changing the IP address requires the creation of a new
Customer Gateway.
The Customer Gateway inside IP address should be configured on your tunnel
interface.
Outside IP Addresses:
- Customer Gateway : "static global IP"
- Virtual Private Gateway : "IPsec peer address #2"
Inside IP Addresses
- Customer Gateway : "BGP peer address #2 (router side)"
- Virtual Private Gateway : "BGP peer address #2 (AWS side)"
Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes
#4: Border Gateway Protocol (BGP) Configuration:
The Border Gateway Protocol (BGPv4) is used within the tunnel, between the inside
IP addresses, to exchange routes from the VPC to your home network. Each
BGP router has an Autonomous System Number (ASN). Your ASN was provided
to AWS when the Customer Gateway was created.
BGP Configuration Options:
- Customer Gateway ASN : 65000
- Virtual Private Gateway ASN : 64512
- Neighbor IP Address : "BGP peer address #2 (AWS side)"
- Neighbor Hold Time : 30
Configure BGP to announce routes to the Virtual Private Gateway. The gateway
will announce prefixes to your customer gateway based upon the prefix you
assigned to the VPC at creation time.
Additional Notes and Questions
================================================================================
```
Finally, apply the configuration to the IX2105. Start from a console connection to the router, already in configure mode.
If needed, erase the current configuration and restart the router first:
```
Router(config)# erase running-config
Router(config)# restart
```
Then enter the following (the values in quotes are the same placeholders as in the downloaded file).
```
hostname TestVPN-RT
timezone +09 00
logging buffered 131072
logging subsystem all warn
logging timestamp datetime
ip route default GigaEthernet0.1
ip dhcp enable
ip access-list sec-list permit ip src any dest any
!
!
!
ike proposal ike-prop encryption aes hash sha group 1024-bit
!
ike policy ike-policy1 peer "IPsec peer address #1" key AAAAAAAAAAAAAAAAAAA ike-prop
ike keepalive ike-policy1 10 3
!
ike policy ike-policy2 peer "IPsec peer address #2" key BBBBBBBBBBBBBBBBBBB ike-prop
ike keepalive ike-policy2 10 3
!
ipsec autokey-proposal ipsec-prop esp-aes esp-sha
!
ipsec autokey-map ipsec-map1 sec-list peer "IPsec peer address #1" ipsec-prop pfs 1024-bit
!
ipsec autokey-map ipsec-map2 sec-list peer "IPsec peer address #2" ipsec-prop pfs 1024-bit
!
!
!
!
!
!
!
proxy-dns ip enable
!
!
!
!
ppp profile ppp_profile
authentication myname XXXXXXXXXXXXXX.jp ← ISP account for the PPPoE connection
authentication password XXXXXXXXXXX.jp XXXXXXXX ← ISP account and password for the PPPoE connection
!
ip dhcp profile lan1
dns-server 192.168.1.254
!
router bgp 65000
neighbor "BGP peer address #1 (AWS side)" remote-as 64512
neighbor "BGP peer address #1 (AWS side)" timers 10 30
neighbor "BGP peer address #2 (AWS side)" remote-as 64512
neighbor "BGP peer address #2 (AWS side)" timers 10 30
address-family ipv4 unicast
originate-default always
!
device GigaEthernet0
!
device GigaEthernet1
!
interface GigaEthernet0.0
no ip address
shutdown
!
interface GigaEthernet1.0
description == local net ==
ip address 192.168.1.254/24
ip dhcp binding lan1
no shutdown
!
interface GigaEthernet0.1
description == flets ==
encapsulation pppoe
auto-connect
ppp binding pppoe
ip address ipcp
ip tcp adjust-mss auto
ip napt enable
ip napt static GigaEthernet0.1 udp 500
ip napt static GigaEthernet0.1 50
no shutdown
!
interface Loopback0.0
no ip address
!
interface Null0.0
no ip address
!
interface Tunnel0.0
description == Tunnel 1 ==
tunnel mode ipsec
ip address "BGP peer address #1 (router side)"
ip tcp adjust-mss auto
ipsec policy tunnel ipsec-map1 out
no shutdown
!
interface Tunnel1.0
description == Tunnel #2 ==
tunnel mode ipsec
ip address "BGP peer address #2 (router side)"
ip tcp adjust-mss auto
ipsec policy tunnel ipsec-map2 out
no shutdown
```
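Filling the quoted placeholders by hand from the downloaded file is where mistakes creep in, so here is an added example (not from the original post, NEC or AWS) that extracts the per-tunnel values from a "Generic" download and renders the IX2105 lines above that depend on them. The sample text is a constructed excerpt with documentation addresses, the customer ASN is passed in as a parameter, and because the `ike proposal ... group 1024-bit` on this page only corresponds to DH Group 2 the script refuses to render a tunnel whose Phase 1 group was customized to anything else.

```python
import re
# Constructed excerpt in the layout of the AWS "Generic" download; the addresses
# and PSKs are made-up documentation values, not taken from a real download.
SAMPLE = """\
IPSec Tunnel #1
  - Pre-Shared Key                : AAAAAAAAAAAAAAAAAAAAAAA
  - Diffie-Hellman                : Group 2
  - Virtual Private Gateway       : 198.51.100.1
Inside IP Addresses
  - Customer Gateway              : 169.254.10.2/30
  - Virtual Private Gateway       : 169.254.10.1/30
  - Virtual Private Gateway ASN   : 64512
IPSec Tunnel #2
  - Pre-Shared Key                : BBBBBBBBBBBBBBBBBBBBB
  - Diffie-Hellman                : Group 2
  - Virtual Private Gateway       : 198.51.100.2
Inside IP Addresses
  - Customer Gateway              : 169.254.11.2/30
  - Virtual Private Gateway       : 169.254.11.1/30
  - Virtual Private Gateway ASN   : 64512
"""

def grab(key, body):
    # First "- <key> : value" line; "<key> ASN" lines do not match because the colon must follow the key.
    return re.search(rf"-\s*{key}\s*:\s*([^\n]+)", body).group(1).strip()

def parse_generic(text):
    """One dict per 'IPSec Tunnel #n' block; text before 'Inside IP Addresses' holds the outside IPs."""
    tunnels, parts = [], re.split(r"IPSec Tunnel #(\d+)", text)
    for num, body in zip(parts[1::2], parts[2::2]):
        outside, inside = body.split("Inside IP Addresses", 1)
        tunnels.append({"id": int(num), "psk": grab("Pre-Shared Key", outside),
                        "dh": grab("Diffie-Hellman", outside), "vgw_outside": grab("Virtual Private Gateway", outside),
                        "cgw_inside": grab("Customer Gateway", inside), "vgw_inside": grab("Virtual Private Gateway", inside),
                        "vgw_asn": int(grab("Virtual Private Gateway ASN", inside))})
    return tunnels

def render_ix(tunnels, local_asn=65000):
    out = []  # the lines of this page's IX2105 config that carry values from the download
    for t in tunnels:
        n, peer = t["id"], t["vgw_outside"]
        if t["dh"] != "Group 2":  # this page's ike-prop hardcodes 'group 1024-bit', i.e. DH Group 2
            raise ValueError(f"tunnel {n}: DH {t['dh']!r} needs a different ike proposal")
        out += [f"ike policy ike-policy{n} peer {peer} key {t['psk']} ike-prop",
                f"ike keepalive ike-policy{n} 10 3",
                f"ipsec autokey-map ipsec-map{n} sec-list peer {peer} ipsec-prop pfs 1024-bit"]
    out.append(f"router bgp {local_asn}")
    for t in tunnels:
        nbr = t["vgw_inside"].split("/")[0]  # the BGP neighbor is the AWS-side inside address
        out += [f" neighbor {nbr} remote-as {t['vgw_asn']}", f" neighbor {nbr} timers 10 30"]
    return out
```

Run it against the real download instead of SAMPLE and paste the output over the quoted lines; the tunnel interfaces still take `cgw_inside` by hand.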
Once the IPsec session is established properly, the VPN LED on the front of the unit lights up.
If something goes wrong and the LED does not light, isolate the cause with commands such as [show ipsec sa] and [show interface Tunnel0.0].
Also check in the AWS console that the IPsec session has come up.
If the status shows "UP" as in the image below, you are good.
Now that the VPN connection is up, let's ping the EC2 instance's private IP from the router's LAN-side IP.
We get replies, so the goal is achieved!
If the IPsec session is up but ping does not go through, the likely causes are the security group, the AWS VPC route table, or the EC2 instance's host firewall, so review those settings.
#Closing
The IX2105 went out of production at the end of September 2019, but it is sold cheaply second-hand, so it is easy to get hold of and has decent specs for the price, which makes it handy as a lab box. Its config also feels simpler than YAMAHA's, and I recommend it as a device for VPN connections to AWS.
#References
NECのルータIX2105からVPCのVPNに接続する (Connecting an NEC IX2105 router to a VPC VPN)
https://jpn.nec.com/univerge/ix/Support/AWS/index.html