Amazon Virtual Private Cloud
网络管理员指南
AWS 服务或AWS文档中描述的功能,可能因地区/位置而异。请点击 Amazon AWS 入门,可查看中国地区的具体差异

示例:无边界网关协议的通用客户网关

如果您的客户网关不属于本指南先前讨论的类型,您的整合团队将会提供可用来配置您的客户网关的通用信息。本部分包含这些信息的示例。

两个示意图说明了示例配置。第一个示意图显示客户网关的宏观布局,第二个示意图显示示例配置的详细信息。您应当使用从整合团队收到的实际配置信息,然后将其应用到客户网关。

客户网关的宏观视图

下面的示意图显示您的客户网关的详细信息。请注意 VPN 连接包含两个隧道:Tunnel 1Tunnel 2。使用冗余隧道确保某个设备发生故障情况下的持续可用性。

 通用宏观示意图

客户网关的详细视图和示例配置

本节中的示意图介绍一个示例通用客户网关 (无 BGP)。紧接着示意图的是您的整合团队应提供的相应配置信息示例。示例配置包含适用于您必须配置的各个隧道的一组信息。

本节中的示意图介绍一个通用客户网关,它对其 VPN 连接使用静态路由 (即它不支持动态路由或边界网关协议 (BGP))。紧接着示意图的是您的整合团队应提供的相应配置信息示例。示例配置包含适用于您必须配置的两条隧道中任意一条的一组信息。

另外,示例配置引用您必须提供的一个项目:

  • YOUR_UPLINK_ADDRESS - 客户网关上 Internet 可路由外部接口的 IP 地址。地址必须是静态的,可位于执行网络地址转换 (NAT) 任务的设备之后。为确保 NAT 遍历 (NAT-T) 能够正常工作,必须调整防火墙规则,使之开放 UDP 端口 4500。

示例配置包括几项示例值,以帮助您理解配置如何起作用。例如,我们提供 VPN 连接 ID (vpn-44a8938f)、虚拟专用网关 ID (vgw-8db04f81) 和 VGW IP 地址 (72.21.209.*、169.254.255.*) 的示例值。您将使用来源于所收到配置信息的实际值替换这些示例值。

在下面的示意图和示例配置中,您必须用适用于您的特定配置的值替换红色斜体项目。

 通用详细示意图

重要

下面的配置信息是您的整合团队可望提供的示例。以下示例中的很多值将与您收到的实际配置信息不同。您必须使用实际值,而非此处所示的示例值,否则您的实施将会失败。

Amazon Web Services Virtual Private Cloud VPN Connection Configuration ================================================================================ AWS utilizes unique identifiers to manipulate the configuration of a VPN Connection. Each VPN Connection is assigned a VPN Connection Identifier and is associated with two other identifiers, namely the Customer Gateway Identifier and the Virtual Private Gateway Identifier. Your VPN Connection ID : vpn-44a8938f Your Virtual Private Gateway ID : vgw-8db04f81 Your Customer Gateway ID : cgw-ff628496 A VPN Connection consists of a pair of IPSec tunnel security associations (SAs). It is important that both tunnel security associations be configured. IPSec Tunnel #1 ================================================================================ #1: Internet Key Exchange Configuration Configure the IKE SA as follows Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2. You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24. The address of the external interface for your customer gateway must be a static address. Your customer gateway may reside behind a device performing network address translation (NAT). To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T. - IKE version : IKEv1 - Authentication Method : Pre-Shared Key - Pre-Shared Key : PRE-SHARED-KEY-IN-PLAIN-TEXT - Authentication Algorithm : sha1 - Encryption Algorithm : aes-128-cbc - Lifetime : 28800 seconds - Phase 1 Negotiation Mode : main - Diffie-Hellman : Group 2 #2: IPSec Configuration Configure the IPSec SA as follows: Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24. - Protocol : esp - Authentication Algorithm : hmac-sha1-96 - Encryption Algorithm : aes-128-cbc - Lifetime : 3600 seconds - Mode : tunnel - Perfect Forward Secrecy : Diffie-Hellman Group 2 IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We recommend configuring DPD on your endpoint as follows: - DPD Interval : 10 - DPD Retries : 3 IPSec ESP (Encapsulating Security Payload) inserts additional headers to transmit packets. These headers require additional space, which reduces the amount of space available to transmit application data. To limit the impact of this behavior, we recommend the following configuration on your Customer Gateway: - TCP MSS Adjustment : 1387 bytes - Clear Don't Fragment Bit : enabled - Fragmentation : Before encryption #3: Tunnel Interface Configuration Your Customer Gateway must be configured with a tunnel interface that is associated with the IPSec tunnel. All traffic transmitted to the tunnel interface is encrypted and transmitted to the Virtual Private Gateway. The Customer Gateway and Virtual Private Gateway each have two addresses that relate to this IPSec tunnel. Each contains an outside address, upon which encrypted traffic is exchanged. Each also contain an inside address associated with the tunnel interface. The Customer Gateway outside IP address was provided when the Customer Gateway was created. Changing the IP address requires the creation of a new Customer Gateway. The Customer Gateway inside IP address should be configured on your tunnel interface. Outside IP Addresses: - Customer Gateway : YOUR_UPLINK_ADDRESS - Virtual Private Gateway : 72.21.209.193 Inside IP Addresses - Customer Gateway : 169.254.255.74/30 - Virtual Private Gateway : 169.254.255.73/30 Configure your tunnel to fragment at the optimal size: - Tunnel interface MTU : 1436 bytes #4: Static Routing Configuration: To route traffic between your internal network and your VPC, you will need a static route added to your router. Static Route Configuration Options: - Next hop : 169.254.255.73 You should add static routes towards your internal network on the VGW. The VGW will then send traffic towards your internal network over the tunnels. IPSec Tunnel #2 ================================================================================ #1: Internet Key Exchange Configuration Configure the IKE SA as follows: Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2. You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24. The address of the external interface for your customer gateway must be a static address. Your customer gateway may reside behind a device performing network address translation (NAT). To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T. - IKE version : IKEv1 - Authentication Method : Pre-Shared Key - Pre-Shared Key : PRE-SHARED-KEY-IN-PLAIN-TEXT - Authentication Algorithm : sha1 - Encryption Algorithm : aes-128-cbc - Lifetime : 28800 seconds - Phase 1 Negotiation Mode : main - Diffie-Hellman : Group 2 #2: IPSec Configuration Configure the IPSec SA as follows: Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24. - Protocol : esp - Authentication Algorithm : hmac-sha1-96 - Encryption Algorithm : aes-128-cbc - Lifetime : 3600 seconds - Mode : tunnel - Perfect Forward Secrecy : Diffie-Hellman Group 2 IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We recommend configuring DPD on your endpoint as follows: - DPD Interval : 10 - DPD Retries : 3 IPSec ESP (Encapsulating Security Payload) inserts additional headers to transmit packets. These headers require additional space, which reduces the amount of space available to transmit application data. To limit the impact of this behavior, we recommend the following configuration on your Customer Gateway: - TCP MSS Adjustment : 1387 bytes - Clear Don't Fragment Bit : enabled - Fragmentation : Before encryption #3: Tunnel Interface Configuration Your Customer Gateway must be configured with a tunnel interface that is associated with the IPSec tunnel. All traffic transmitted to the tunnel interface is encrypted and transmitted to the Virtual Private Gateway. The Customer Gateway and Virtual Private Gateway each have two addresses that relate to this IPSec tunnel. Each contains an outside address, upon which encrypted traffic is exchanged. Each also contain an inside address associated with the tunnel interface. The Customer Gateway outside IP address was provided when the Customer Gateway was created. Changing the IP address requires the creation of a new Customer Gateway. The Customer Gateway inside IP address should be configured on your tunnel interface. Outside IP Addresses: - Customer Gateway : YOUR_UPLINK_ADDRESS - Virtual Private Gateway : 72.21.209.225 Inside IP Addresses - Customer Gateway : 169.254.255.78/30 - Virtual Private Gateway : 169.254.255.77/30 Configure your tunnel to fragment at the optimal size: - Tunnel interface MTU : 1436 bytes #4: Static Routing Configuration: To route traffic between your internal network and your VPC, you will need a static route added to your router. Static Route Configuration Options: - Next hop : 169.254.255.77 You should add static routes towards your internal network on the VGW. The VGW will then send traffic towards your internal network over the tunnels.

如何测试客户网关配置

您必须首先测试每条隧道的网关配置。

如需测试每条隧道的客户网关配置

  • 在您的客户网关上,验证您已向 VPC CIDR IP 空间添加了静态路由,以便使用隧道接口。

然后,您必须测试每个隧道的连接性,方法是在您的 VPC 中启动一个实例,从您的家庭网络 Ping 该实例。在您开始之前,确保完成以下操作:

  • 使用可以响应 Ping 请求的 AMI。我们建议您使用 Amazon Linux AMI 之一。

  • 配置实例的安全组和网络 ACL,以启用入站 ICMP 流量。

  • 确保已配置 VPN 连接路由 – 您的子网路由表必须包含到虚拟专用网关的路由。有关更多信息,请参阅Amazon VPC 用户指南中的在路由表中启用路由传播

如需测试各条隧道的端到端连接性

  1. 请将 Amazon Linux AMI 的任一实例启动到您的 VPC。当您使用AWS 管理控制台中的实例启动向导时,可在“Quick Start”菜单中使用 Amazon Linux AMI。有关更多信息,请参阅 Amazon VPC 入门指南

  2. 当实例开始运行后,获取其私有 IP 地址 (例如 10.0.0.4)。 控制台显示的地址是实例详细信息的一部分。

  3. 在您的本地网络中的系统上,对实例的 IP 地址使用 ping 命令。确保您发出 ping 的计算机位于客户网关后。成功的响应内容应类似如下所示。

    PROMPT> ping 10.0.0.4 Pinging 10.0.0.4 with 32 bytes of data: Reply from 10.0.0.4: bytes=32 time<1ms TTL=128 Reply from 10.0.0.4: bytes=32 time<1ms TTL=128 Reply from 10.0.0.4: bytes=32 time<1ms TTL=128 Ping statistics for 10.0.0.4: Packets: Sent = 3, Received = 3, Lost = 0 (0% loss), Approximate round trip times in milliseconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms

注意

如果您从客户网关路由器向实例发出 ping,请确保您的 ping 消息信源为内部 IP 地址,而非隧道 IP 地址。部分 AMI 不响应从隧道 IP 地址发出的 ping 消息。

如果您的隧道测试不成功,请参阅 排查使用边界网关协议的通用设备客户网关连接性问题