JAWSUG CLI #7 LT VPN Connection

1. 会社のネットワークとAWSを
VPNで接続
2014/11/24
JAWSUG-CLI #7

2. 手順
1. Virtual Gatewayの作成
2. Virtual GatewayをVPCにAttach
3. Customer Gatewayの作成
4. VPN Connectionの作成
5. Customer Gatewayの設定
6. Route Tableの設定
2014/11/25 2

3. 概要図
6. Route Tableを設定
virtual private cloud
AWS cloud
5. CGWを設定4. VPN Connectionを作成
corporate data center
1. VGWの作成
2. VGWをVPCにAttach
3. CGWを作成
2014/11/25 3

4. 手順1 Virtual Gatewayの作成
コマンド
aws ec2 create-vpn-gateway
--type ipsec.1
結果
{
"VpnGateway": {
"State": "available",
"Type": "ipsec.1",
“VpnGatewayId”: “vgw-********",
"VpcAttachments": []
}
}
2014/11/25 4

5. 手順2 Virtual GatewayをVPCにAttach
コマンド
aws ec2 attach-vpn-gateway
--vpn-gateway-id vgw-********
--vpc-id vpc-********
結果
{
"VpcAttachment": {
"State": "attaching",
“VpcId”: “vpc-********"
}
}
2014/11/25 5

6. 手順3 Customer Gatewayの作成
コマンド
aws ec2 create-customer-gateway
--type ipsec.1
--public-ip 203.0.113.*
--bgp-asn 65534
結果
{
"CustomerGateway": {
"CustomerGatewayId": "cgw-********",
"IpAddress": "203.0.113.*",
"State": "available",
"Type": "ipsec.1",
"BgpAsn": "65534"
}
}
2014/11/25 6

7. 手順4 VPN Connectionの作成
コマンド
aws ec2 create-vpn-connection
--type ipsec.1
--customer-gateway-id cgw-********
--vpn-gateway-id vgw-********
結果
{
"VpnConnection": {
"VpnConnectionId": "vpn-********",
"CustomerGatewayConfiguration": "<?xml version="1.0" encoding="UTF-8"?>n<vpn_connection id="vpn-********">n
<customer_gateway_id>cgw-********</customer_gateway_id>n <vpn_gateway_id>vgw-********</vpn_gateway_id>n
<vpn_connection_type>ipsec.1</vpn_connection_type>n <ipsec_tunnel>n <customer_gateway>n <tunnel_outside_address>n
<ip_address>203.0.113.*</ip_address>n </tunnel_outside_address>n <tunnel_inside_address>n
<ip_address>169.254.252.26</ip_address>n <network_mask>255.255.255.252</network_mask>n <network_cidr>30</network_cidr>n
</tunnel_inside_address>n <bgp>n <asn>65534</asn>n <hold_time>30</hold_time>n </bgp>n </customer_gateway>n
<vpn_gateway>n <tunnel_outside_address>n <ip_address>27.0.1.61</ip_address>n </tunnel_outside_address>n
<tunnel_inside_address>n <ip_address>169.254.252.25</ip_address>n <network_mask>255.255.255.252</network_mask>n
<network_cidr>30</network_cidr>n </tunnel_inside_address>n <bgp>n <asn>10124</asn>n <hold_time>30</hold_time>n
</bgp>n </vpn_gateway>n <ike>n <authentication_protocol>sha1</authentication_protocol>n <encryption_protocol>aes-128-
cbc</encryption_protocol>n <lifetime>28800</lifetime>n <perfect_forward_secrecy>group2</perfect_forward_secrecy>n
<mode>main</mode>n <pre_shared_key>********************************</pre_shared_key>n </ike>n <ipsec>n
<protocol>esp</protocol>n <authentication_protocol>hmac-sha1-96</authentication_protocol>n <encryption_protocol>aes-128-
cbc</encryption_protocol>n <lifetime>3600</lifetime>n <perfect_forward_secrecy>group2</perfect_forward_secrecy>n
<mode>tunnel</mode>n <clear_df_bit>true</clear_df_bit>n
<fragmentation_before_encryption>true</fragmentation_before_encryption>n <tcp_mss_adjustment>1387</tcp_mss_adjustment>n
<dead_peer_detection>n <interval>10</interval>n <retries>3</retries>n </dead_peer_detection>n </ipsec>n
</ipsec_tunnel>n <ipsec_tunnel>n <customer_gateway>n <tunnel_outside_address>n <ip_address>203.0.113.*</ip_address>n
</tunnel_outside_address>n <tunnel_inside_address>n <ip_address>169.254.252.30</ip_address>n
<network_mask>255.255.255.252</network_mask>n <network_cidr>30</network_cidr>n </tunnel_inside_address>n <bgp>n
<asn>65534</asn>n <hold_time>30</hold_time>n </bgp>n </customer_gateway>n <vpn_gateway>n
<tunnel_outside_address>n <ip_address>27.0.1.189</ip_address>n </tunnel_outside_address>n <tunnel_inside_address>n
<ip_address>169.254.252.29</ip_address>n <network_mask>255.255.255.252</network_mask>n <network_cidr>30</network_cidr>n
</tunnel_inside_address>n <bgp>n <asn>10124</asn>n <hold_time>30</hold_time>n </bgp>n </vpn_gateway>n
<ike>n <authentication_protocol>sha1</authentication_protocol>n <encryption_protocol>aes-128-cbc</encryption_protocol>n
<lifetime>28800</lifetime>n <perfect_forward_secrecy>group2</perfect_forward_secrecy>n <mode>main</mode>n
<pre_shared_key>********************************</pre_shared_key>n </ike>n <ipsec>n <protocol>esp</protocol>n
<authentication_protocol>hmac-sha1-96</authentication_protocol>n <encryption_protocol>aes-128-cbc</encryption_protocol>n
<lifetime>3600</lifetime>n <perfect_forward_secrecy>group2</perfect_forward_secrecy>n <mode>tunnel</mode>n
<clear_df_bit>true</clear_df_bit>n <fragmentation_before_encryption>true</fragmentation_before_encryption>n
<tcp_mss_adjustment>1387</tcp_mss_adjustment>n <dead_peer_detection>n <interval>10</interval>n <retries>3</retries>n
</dead_peer_detection>n </ipsec>n </ipsec_tunnel>n</vpn_connection>n",
"State": "pending",
"VpnGatewayId": "vgw-********",
"CustomerGatewayId": "cgw-********"
}
}
？！
2014/11/25 7

8. 参考設定のダウンロード
ここでダウンロードできるものが
戻り値に含まれています。
2014/11/25 8

9. 手順5 Customer Gatewayの設定
• 各ルータのマニュアルやダウンロードした設定ファイルを参考に設定
• YAMAHAの場合
• http://www.rtpro.yamaha.co.jp/RT/docs/amazon-vpc/
• 古河電工の場合
• http://www.furukawa.co.jp/fitelnet/product/f200/setting/detail/amazon_vpc.html
• 設定が完了すると、VPN ConnectionのStateがAvailableになります。
2014/11/25 9

10. 手順6 Route Tableの設定
コマンド(例)
aws ec2 create-route
--route-table-id rtb-********
--destination-cidr-block 0.0.0.0/0
--gateway-id vgw-********
結果
（なし）
2014/11/25 10

11. おわり
2014/11/25 11