Amazon Virtual Private Cloud
网络管理员指南
AWS 服务或AWS文档中描述的功能,可能因地区/位置而异。点 击 Getting Started with Amazon AWS to see specific differences applicable to the China (Beijing) Region.

示例:Juniper J-Series JunOS 设备

如果您的客户网关是运行 JunOS 9.5 (或更新) 软件的 Juniper J-Series 路由器,我们将在本部分中引导您完成由您的整合团队提供的配置信息示例。

两个示意图说明了示例配置。第一个示意图显示客户网关的宏观布局,第二个示意图显示示例配置的详细信息。您应当使用从整合团队收到的实际配置信息,然后将其应用到客户网关。

客户网关的宏观视图

下面的示意图显示您的客户网关的详细信息。请注意,VPN 由两个隧道构成。使用冗余隧道确保某个设备发生故障情况下的持续可用性。

 Juniper JunOS 宏观示意图

客户网关的详细视图和示例配置

本部分的示意图说明用作示例的 Juniper JunOS 客户网关。紧接着示意图的是您的整合团队应提供的相应配置信息示例。示例配置包含适用于您必须配置的各个隧道的一组信息。

另外,示例配置引用您必须提供的这些项目:

  • YOUR_UPLINK_ADDRESS - 客户网关上 Internet 可路由外部接口的 IP 地址。地址必须是静态的,可位于执行网络地址转换 (NAT) 任务的设备之后。为确保 NAT 遍历 (NAT-T) 能够正常工作,必须调整防火墙规则,使之开放 UDP 端口 4500。

  • YOUR_BGP_ASN – 客户网关的 BGP ASN (我们默认使用 65000)

示例配置包括几项示例值,以帮助您理解配置如何起作用。例如,我们提供 VPN 连接 ID (vpn-44a8938f)、虚拟专用网关 ID (vgw-8db04f81)、IP 地址 (72.21.209.*、169.254.255.*) 以及远程 ASN (7224) 的示例值。您将使用来源于所收到配置信息的实际值替换这些示例值。

您还必须:

  • 配置外部接口 (在示例配置中称为 ge-0/0/0.0)。

  • 配置隧道接口 ID (在示例配置中称为 st0.1st0.2)。

  • 对在客户网关和您的本地网络之间传输流量的全部路由选择进行配置。

  • 识别上行链路接口的安全区 (以下示例信息使用默认的“untrust”区)。

  • 识别内部接口的安全区 (以下示例信息使用默认的“trust”区)。

在下面的示意图和示例配置中,您必须用适用于您的特定配置的值替换红色斜体项目。

 Juniper JunOS 详细示意图

警告

下面的配置信息是您的整合团队可望提供的示例。以下示例中的很多值将与您收到的实际配置信息不同。您必须使用实际值,而非此处所示的示例值,否则您的实施将会失败。

Copy
# Amazon Web Services # Virtual Private Cloud # # AWS utilizes unique identifiers to manipulate the configuration of # a VPN Connection. Each VPN Connection is assigned a VPN Connection # Identifier and is associated with two other identifiers, namely the # Customer Gateway Identifier and the Virtual Private Gateway Identifier. # # Your VPN Connection ID : vpn-44a8938f # Your Virtual Private Gateway ID : vgw-8db04f81 # Your Customer Gateway ID : cgw-b4dc3961 # # This configuration consists of two tunnels. Both tunnels must be # configured on your Customer Gateway. # # ------------------------------------------------------------------------- # IPsec Tunnel #1 # ------------------------------------------------------------------------- # #1: Internet Key Exchange (IKE) Configuration # # A proposal is established for the supported IKE encryption, # authentication, Diffie-Hellman, and lifetime parameters. # # Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2. # You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24. # The address of the external interface for your customer gateway must be a static address. # To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T. # set security ike proposal ike-prop-vpn-44a8938f-1 authentication-method pre-shared-keys set security ike proposal ike-prop-vpn-44a8938f-1 authentication-algorithm sha1 set security ike proposal ike-prop-vpn-44a8938f-1 encryption-algorithm aes-128-cbc set security ike proposal ike-prop-vpn-44a8938f-1 lifetime-seconds 28800 set security ike proposal ike-prop-vpn-44a8938f-1 dh-group group2 # An IKE policy is established to associate a Pre Shared Key with the # defined proposal. # set security ike policy ike-pol-vpn-44a8938f-1 mode main set security ike policy ike-pol-vpn-44a8938f-1 proposals ike-prop-vpn-44a8938f-0 set security ike policy ike-pol-vpn-44a8938f-1 pre-shared-key ascii-text plain-text-password1 # The IKE gateway is defined to be the Virtual Private Gateway. The gateway # configuration associates a local interface, remote IP address, and # IKE policy. # # This example shows the outside of the tunnel as interface ge-0/0/0.0. # This should be set to the interface that IP address YOUR_UPLINK_ADDRESS is # associated with. # This address is configured with the setup for your Customer Gateway. # # If the address changes, the Customer Gateway and VPN Connection must # be recreated. set security ike gateway gw-vpn-44a8938f-1 ike-policy ike-pol-vpn-44a8938f-0 set security ike gateway gw-vpn-44a8938f-1 external-interface ge-0/0/0.0 set security ike gateway gw-vpn-44a8938f-1 address 72.21.209.225 # Troubleshooting IKE connectivity can be aided by enabling IKE tracing. # The configuration below will cause the router to log IKE messages to # the 'kmd' log. Run 'show messages kmd' to retrieve these logs. # set security ike traceoptions file kmd # set security ike traceoptions file size 1024768 # set security ike traceoptions file files 10 # set security ike traceoptions flag all # #2: IPsec Configuration # # The IPsec proposal defines the protocol, authentication, encryption, and # lifetime parameters for our IPsec security association. # Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24. # set security ipsec proposal ipsec-prop-vpn-44a8938f-1 protocol esp set security ipsec proposal ipsec-prop-vpn-44a8938f-1 authentication-algorithm hmac-sha1-96 set security ipsec proposal ipsec-prop-vpn-44a8938f-1 encryption-algorithm aes-128-cbc set security ipsec proposal ipsec-prop-vpn-44a8938f-1 lifetime-seconds 3600 # The IPsec policy incorporates the Diffie-Hellman group and the IPsec # proposal. # set security ipsec policy ipsec-pol-vpn-44a8938f-1 perfect-forward-secrecy keys group2 set security ipsec policy ipsec-pol-vpn-44a8938f-1 proposals ipsec-prop-vpn-44a8938f-0 # A security association is defined here. The IPsec Policy and IKE gateways # are associated with a tunnel interface (st0.1). # The tunnel interface ID is assumed; if other tunnels are defined on # your router, you will need to specify a unique interface name # (for example, st0.10). # set security ipsec vpn vpn-44a8938f-1 bind-interface st0.1 set security ipsec vpn vpn-44a8938f-1 ike gateway gw-vpn-44a8938f-0 set security ipsec vpn vpn-44a8938f-1 ike ipsec-policy ipsec-pol-vpn-44a8938f-0 set security ipsec vpn vpn-44a8938f-1 df-bit clear # This option enables IPsec Dead Peer Detection, which causes periodic # messages to be sent to ensure a Security Association remains operational. # set security ike gateway gw-vpn-44a8938f-1 dead-peer-detection # #3: Tunnel Interface Configuration # # The tunnel interface is configured with the internal IP address. # set interfaces st0.1 family inet address 169.254.255.2/30 set interfaces st0.1 family inet mtu 1436 set security zones security-zone trust interfaces st0.1 # The security zone protecting external interfaces of the router must be # configured to allow IKE traffic inbound. # set security zones security-zone untrust host-inbound-traffic system-services ike # The security zone protecting internal interfaces (including the logical # tunnel interfaces) must be configured to allow BGP traffic inbound. # set security zones security-zone trust host-inbound-traffic protocols bgp # This option causes the router to reduce the Maximum Segment Size of # TCP packets to prevent packet fragmentation. # set security flow tcp-mss ipsec-vpn mss 1387 # #4: Border Gateway Protocol (BGP) Configuration # # BGP is used within the tunnel to exchange prefixes between the # Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway # will announce the prefix corresponding to your VPC. # # Your Customer Gateway may announce a default route (0.0.0.0/0), # which can be done with the EXPORT-DEFAULT policy. # # To advertise additional prefixes to Amazon VPC, add additional prefixes to the "default" term # EXPORT-DEFAULT policy. Make sure the prefix is present in the routing table of the device with # a valid next-hop. # # The BGP timers are adjusted to provide more rapid detection of outages. # # The local BGP Autonomous System Number (ASN) (YOUR_BGP_ASN) is configured # as part of your Customer Gateway. If the ASN must be changed, the # Customer Gateway and VPN Connection will need to be recreated with AWS. # # We establish a basic route policy to export a default route to the # Virtual Private Gateway. # set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0 exact set policy-options policy-statement EXPORT-DEFAULT term default then accept set policy-options policy-statement EXPORT-DEFAULT term reject then reject set protocols bgp group ebgp type external set protocols bgp group ebgp neighbor 169.254.255.1 export EXPORT-DEFAULT set protocols bgp group ebgp neighbor 169.254.255.1 peer-as 7224 set protocols bgp group ebgp neighbor 169.254.255.1 hold-time 30 set protocols bgp group ebgp neighbor 169.254.255.1 local-as YOUR_BGP_ASN # ------------------------------------------------------------------------- # IPsec Tunnel #2 # ------------------------------------------------------------------------- # #1: Internet Key Exchange (IKE) Configuration # # A proposal is established for the supported IKE encryption, # authentication, Diffie-Hellman, and lifetime parameters. # Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2. # You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24. # The address of the external interface for your customer gateway must be a static address. # To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T. # set security ike proposal ike-prop-vpn-44a8938f-2 authentication-method pre-shared-keys set security ike proposal ike-prop-vpn-44a8938f-2 authentication-algorithm sha1 set security ike proposal ike-prop-vpn-44a8938f-2 encryption-algorithm aes-128-cbc set security ike proposal ike-prop-vpn-44a8938f-2 lifetime-seconds 28800 set security ike proposal ike-prop-vpn-44a8938f-2 dh-group group2 # An IKE policy is established to associate a Pre Shared Key with the # defined proposal. # set security ike policy ike-pol-vpn-44a8938f-2 mode main set security ike policy ike-pol-vpn-44a8938f-2 proposals ike-prop-vpn-44a8938f-2 set security ike policy ike-pol-vpn-44a8938f-2 pre-shared-key ascii-text plain-text-password2 # The IKE gateway is defined to be the Virtual Private Gateway. The gateway # configuration associates a local interface, remote IP address, and # IKE policy. # # This example shows the outside of the tunnel as interface ge-0/0/0.0. # This should be set to the interface that IP address YOUR_UPLINK_ADDRESS is # associated with. # This address is configured with the setup for your Customer Gateway. # # If the address changes, the Customer Gateway and VPN Connection must be recreated. # set security ike gateway gw-vpn-44a8938f-2 ike-policy ike-pol-vpn-44a8938f-1 set security ike gateway gw-vpn-44a8938f-2 external-interface ge-0/0/0.0 set security ike gateway gw-vpn-44a8938f-2 address 72.21.209.193 # Troubleshooting IKE connectivity can be aided by enabling IKE tracing. # The configuration below will cause the router to log IKE messages to # the 'kmd' log. Run 'show messages kmd' to retrieve these logs. # set security ike traceoptions file kmd # set security ike traceoptions file size 1024768 # set security ike traceoptions file files 10 # set security ike traceoptions flag all # #2: IPsec Configuration # # The IPsec proposal defines the protocol, authentication, encryption, and # lifetime parameters for our IPsec security association. # Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24. # set security ipsec proposal ipsec-prop-vpn-44a8938f-2 protocol esp set security ipsec proposal ipsec-prop-vpn-44a8938f-2 authentication-algorithm hmac-sha1-96 set security ipsec proposal ipsec-prop-vpn-44a8938f-2 encryption-algorithm aes-128-cbc set security ipsec proposal ipsec-prop-vpn-44a8938f-2 lifetime-seconds 3600 # The IPsec policy incorporates the Diffie-Hellman group and the IPsec # proposal. # set security ipsec policy ipsec-pol-vpn-44a8938f-2 perfect-forward-secrecy keys group2 set security ipsec policy ipsec-pol-vpn-44a8938f-2 proposals ipsec-prop-vpn-44a8938f-2 # A security association is defined here. The IPsec Policy and IKE gateways # are associated with a tunnel interface (st0.2). # The tunnel interface ID is assumed; if other tunnels are defined on # your router, you will need to specify a unique interface name # (for example, st0.20). # set security ipsec vpn vpn-44a8938f-2 bind-interface st0.2 set security ipsec vpn vpn-44a8938f-2 ike gateway gw-vpn-44a8938f-2 set security ipsec vpn vpn-44a8938f-2 ike ipsec-policy ipsec-pol-vpn-44a8938f-2 set security ipsec vpn vpn-44a8938f-2 df-bit clear # This option enables IPsec Dead Peer Detection, which causes periodic # messages to be sent to ensure a Security Association remains operational. # set security ike gateway gw-vpn-44a8938f-2 dead-peer-detection # #3: Tunnel Interface Configuration # # The tunnel interface is configured with the internal IP address. # set interfaces st0.2 family inet address 169.254.255.6/30 set interfaces st0.2 family inet mtu 1436 set security zones security-zone trust interfaces st0.2 # The security zone protecting external interfaces of the router must be # configured to allow IKE traffic inbound. # set security zones security-zone untrust host-inbound-traffic system-services ike # The security zone protecting internal interfaces (including the logical # tunnel interfaces) must be configured to allow BGP traffic inbound. # set security zones security-zone trust host-inbound-traffic protocols bgp # This option causes the router to reduce the Maximum Segment Size of # TCP packets to prevent packet fragmentation. # set security flow tcp-mss ipsec-vpn mss 1387 # #4: Border Gateway Protocol (BGP) Configuration # # BGP is used within the tunnel to exchange prefixes between the # Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway # will announce the prefix corresponding to your VPC. # # Your Customer Gateway may announce a default route (0.0.0.0/0), # which can be done with the EXPORT-DEFAULT policy. # # To advertise additional prefixes to Amazon VPC, add additional prefixes to the "default" term # EXPORT-DEFAULT policy. Make sure the prefix is present in the routing table of the device with # a valid next-hop. # # The BGP timers are adjusted to provide more rapid detection of outages. # # The local BGP Autonomous System Number (ASN) (YOUR_BGP_ASN) is configured # as part of your Customer Gateway. If the ASN must be changed, the # Customer Gateway and VPN Connection will need to be recreated with AWS. # # We establish a basic route policy to export a default route to the # Virtual Private Gateway. # set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0 exact set policy-options policy-statement EXPORT-DEFAULT term default then accept set policy-options policy-statement EXPORT-DEFAULT term reject then reject set protocols bgp group ebgp type external set protocols bgp group ebgp neighbor 169.254.255.5 export EXPORT-DEFAULT set protocols bgp group ebgp neighbor 169.254.255.5 peer-as 7224 set protocols bgp group ebgp neighbor 169.254.255.5 hold-time 30 set protocols bgp group ebgp neighbor 169.254.255.5 local-as YOUR_BGP_ASN

如何测试客户网关配置

您可以测试每条隧道的网关配置。

如需测试每条隧道的客户网关配置

  1. 在客户网关上确定 BGP 状态是 Active

    BGP 对等体变为活跃状态约需 30 秒。

  2. 确保客户网关在向虚拟专用网关发布路由。路由可以是默认路由 (0.0.0.0/0),也可以是您选择的更具体的路由。

正确建立后,您的 BGP 对等体应该从虚拟专用网关接收一条路由,该网关对应您的 VPC 整合团队为该 VPC 指定的前缀(例如 10.0.0.0/24)。如果 BGP 对等体已建立并且您正在接收和发布前缀,那么您的隧道就已正确配置。请确保两条隧道均处于该状态。

然后,您必须测试每个隧道的连接性,方法是在您的 VPC 中启动一个实例,从您的家庭网络 Ping 该实例。在您开始之前,确保完成以下操作:

  • 使用可以响应 Ping 请求的 AMI。我们建议您使用 Amazon Linux AMI 之一。

  • 配置实例的安全组和网络 ACL,以启用入站 ICMP 流量。

  • 确保已配置 VPN 连接路由:您的子网路由表必须包含到虚拟专用网关的路由。有关更多信息,请参阅Amazon VPC 用户指南中的在路由表中启用路由传播

如需测试各条隧道的端到端连接性

  1. 请将 Amazon Linux AMI 的任一实例启动到您的 VPC。当您从 Amazon EC2 控制台中启动实例时,在启动向导中将会列出 Amazon Linux AMI。有关更多信息,请参阅 Amazon VPC 入门指南

  2. 当实例开始运行后,获取其私有 IP 地址(例如 10.0.0.4)。 控制台显示的地址是实例详细信息的一部分。

  3. 在您的本地网络中的系统上,对实例的 IP 地址使用 ping 命令。确保您发出 ping 的计算机位于客户网关后。成功的响应内容应类似如下所示。

    Copy
    ping 10.0.0.4
    Pinging 10.0.0.4 with 32 bytes of data:
    
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    
    Ping statistics for 10.0.0.4:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
    
    Approximate round trip times in milliseconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

    注意

    如果您从客户网关路由器向实例发出 ping,请确保您的 ping 消息信源为内部 IP 地址,而非隧道 IP 地址。部分 AMI 不响应从隧道 IP 地址发出的 ping 消息。

  4. (可选) 为测试隧道故障转移,您可临时禁用您的客户网关上的一个隧道,然后重复上一步。您无法禁用 VPN 连接的 AWS 端的隧道。

如果您的隧道测试不成功,请参阅 排查 Juniper JunOS 客户网关连接性问题