Amazon Virtual Private Cloud
网络管理员指南
AWS 服务或AWS文档中描述的功能,可能因地区/位置而异。请点击 Amazon AWS 入门,可查看中国地区的具体差异

示例:无边界网关协议的 Netgate PfSense 设备

本主题提供一个示例,介绍在客户网关是运行 OS 2.2.5 或更高版本的 Netgate pfSense 防火墙时如何配置路由器。

本主题假定您已在 Amazon VPC 控制台中配置了一个具有静态路由的 VPN 连接。有关更多信息,请参阅 Amazon VPC 用户指南 中的在您的 VPC 中添加硬件虚拟专用网关

客户网关的宏观视图

下面的示意图显示您的客户网关的详细信息。请注意 VPN 连接包含两个隧道:Tunnel 1Tunnel 2。使用冗余隧道确保某个设备发生故障情况下的持续可用性。

您应当使用从整合团队收到的实际配置信息,然后将其应用到客户网关。

 通用宏观示意图

示例配置

示例配置包括几项示例值,以帮助您理解配置如何起作用。例如,我们提供 VPN 连接 ID (vpn-12345678) 和虚拟专用网关 ID (vgw-12345678) 的示例值以及 AWS 终端节点的占位符 (AWS_ENDPOINT_1 和 AWS_ENDPOINT_2)。

在下面的示例配置中,您必须用适用于您的特定配置的值替换红色斜体项目。

重要

下面的配置信息是您的整合团队可望提供的示例。以下示例中的很多值将与您收到的实际配置信息不同。您必须使用实际值,而非此处所示的示例值,否则您的实施将会失败。

! Amazon Web Services ! Virtual Private Cloud ! AWS utilizes unique identifiers to manipulate the configuration of ! a VPN Connection. Each VPN Connection is assigned an identifier and is ! associated with two other identifiers, namely the ! Customer Gateway Identifier and Virtual Private Gateway Identifier. ! ! Your VPN Connection ID : vpn-12345678 ! Your Virtual Private Gateway ID : vgw-12345678 ! Your Customer Gateway ID : cgw-12345678 ! ! ! This configuration consists of two tunnels. Both tunnels must be ! configured on your Customer Gateway for redundancy. ! ! -------------------------------------------------------------------------------- ! IPSec Tunnel #1 ! -------------------------------------------------------------------------------- ! #1: Internet Key Exchange (IKE) Configuration ! ! A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman, lifetime, ! and key parameters.The IKE peer is configured with the supported IKE encryption, authentication, Diffie-Hellman, lifetime, and key ! parameters.Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2. ! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH ! groups like 2, 14-18, 22, 23, and 24. The address of the external interface for your customer gateway must be a static address. ! Your customer gateway may reside behind a device performing network address translation (NAT). To ! ensure that NAT traversal (NAT-T) can function, you must adjust your firewall ! rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T. ! ! Go to VPN-->IPSec. Add a new Phase1 entry (click + button ) General information a. Disabled : uncheck b. Key Exchange version :V1 c. Internet Protocol : IPv4 d. Interface : WAN e. Remote Gateway: AWS_ENPOINT_1 f. Description: Amazon-IKE-vpn-12345678-0 Phase 1 proposal (Authentication) a. Authentication Method: Mutual PSK b. Negotiation mode : Main c. My identifier : My IP address d. Peer identifier : Peer IP address e. Pre-Shared Key: plain-text-password1 Phase 1 proposal (Algorithms) a. Encryption algorithm : aes128 b. Hash algorithm : sha1 c. DH key group : 2 d. Lifetime : 28800 seconds Advanced Options a. Disable Rekey : uncheck b. Responder Only : uncheck c. NAT Traversal : Auto d. Deed Peer Detection : Enable DPD Delay between requesting peer acknowledgement : 10 seconds Number of consecutive failures allowed before disconnect : 3 retries ! #2: IPSec Configuration ! ! The IPSec transform set defines the encryption, authentication, and IPSec ! mode parameters. ! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24. Expand the VPN configuration clicking in "+" and then create a new Phase2 entry as follows: a. Disabled :uncheck b. Mode : Tunnel c. Local Network : Type: LAN subnet Address : ! Enter your local network CIDR in the Address tab d. Remote Network : Type : Network Address : ! Enter your remote network CIDR in the Address tab e. Description : Amazon-IPSec-vpn-12345678-0 Phase 2 proposal (SA/Key Exchange) a. Protocol : ESP b. Encryption algorigthms :aes128 c. Hash algorithms : sha1 d. PFS key group : 2 e. Lifetime : 3600 seconds Advanced Options Automatically ping host : ! Provide the IP address of an EC2 instance in VPC that will respond to ICMP. ! -------------------------------------------------------------------------------- ! -------------------------------------------------------------------------------- ! IPSec Tunnel #2 ! -------------------------------------------------------------------------------- ! #1: Internet Key Exchange (IKE) Configuration ! ! A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman, lifetime, ! and key parameters.The IKE peer is configured with the supported IKE encryption, authentication, Diffie-Hellman, lifetime, and key ! parameters.Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2. ! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH ! groups like 2, 14-18, 22, 23, and 24. The address of the external interface for your customer gateway must be a static address. ! Your customer gateway may reside behind a device performing network address translation (NAT). To ! ensure that NAT traversal (NAT-T) can function, you must adjust your firewall ! rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T. ! ! Go to VPN-->IPSec. Add a new Phase1 entry (click + button ) General information a. Disabled : uncheck b. Key Exchange version :V1 c. Internet Protocol : IPv4 d. Interface : WAN e. Remote Gateway: AWS_ENPOINT_2 f. Description: Amazon-IKE-vpn-12345678-1 Phase 1 proposal (Authentication) a. Authentication Method: Mutual PSK b. Negotiation mode : Main c. My identifier : My IP address d. Peer identifier : Peer IP address e. Pre-Shared Key: plain-text-password2 Phase 1 proposal (Algorithms) a. Encryption algorithm : aes128 b. Hash algorithm : sha1 c. DH key group : 2 d. Lifetime : 28800 seconds Advanced Options a. Disable Rekey : uncheck b. Responder Only : uncheck c. NAT Traversal : Auto d. Deed Peer Detection : Enable DPD Delay between requesting peer acknowledgement : 10 seconds Number of consecutive failures allowed before disconnect : 3 retries ! #2: IPSec Configuration ! ! The IPSec transform set defines the encryption, authentication, and IPSec ! mode parameters. ! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24. Expand the VPN configuration clicking in "+" and then create a new Phase2 entry as follows: a. Disabled :uncheck b. Mode : Tunnel c. Local Network : Type: LAN subnet Address : ! Enter your local network CIDR in the Address tab d. Remote Network : Type : Network Address : ! Enter your remote network CIDR in the Address tab e. Description : Amazon-IPSec-vpn-12345678-1 Phase 2 proposal (SA/Key Exchange) a. Protocol : ESP b. Encryption algorigthms :aes128 c. Hash algorithms : sha1 d. PFS key group : 2 e. Lifetime : 3600 seconds Advanced Options Automatically ping host : ! Provide the IP address of an EC2 instance in VPC that will respond to ICMP.

如何测试客户网关配置

您必须首先测试每条隧道的网关配置。

如需测试每条隧道的客户网关配置

  • 在 Amazon VPC 控制台中,确保静态路由已添加到 VPN 连接,以便流量可以返回到您的客户网关。例如,如果您的本地子网前缀是 198.10.0.0/16,您必须向您的 VPN 连接添加一条含有该 CIDR 范围的静态路由。确保两条隧道都有通往您的 VPC 的静态路由。

然后,您必须测试每个隧道的连接性,方法是在您的 VPC 中启动一个实例,从您的家庭网络 Ping 该实例。在您开始之前,确保完成以下操作:

  • 使用可以响应 Ping 请求的 AMI。我们建议您使用 Amazon Linux AMI 之一。

  • 配置实例的安全组和网络 ACL,以启用入站 ICMP 流量。

  • 确保已配置 VPN 连接路由 – 您的子网路由表必须包含到虚拟专用网关的路由。有关更多信息,请参阅Amazon VPC 用户指南中的在路由表中启用路由传播

如需测试各条隧道的端到端连接性

  1. 请将 Amazon Linux AMI 的任一实例启动到您的 VPC。当您使用 Amazon EC2 控制台中的实例启动向导时,可在“Quick Start”菜单中使用 Amazon Linux AMI。有关更多信息,请参阅 Amazon EC2 用户指南(适用于 Linux 实例) 中的启动实例

  2. 当实例开始运行后,获取其私有 IP 地址 (例如 10.0.0.4)。 控制台显示的地址是实例详细信息的一部分。

  3. 在您的本地网络中的系统上,对实例的 IP 地址使用 ping 命令。确保您发出 ping 的计算机位于客户网关后。成功的响应内容应类似如下所示。

    ping 10.0.0.4
    Pinging 10.0.0.4 with 32 bytes of data: Reply from 10.0.0.4: bytes=32 time<1ms TTL=128 Reply from 10.0.0.4: bytes=32 time<1ms TTL=128 Reply from 10.0.0.4: bytes=32 time<1ms TTL=128 Ping statistics for 10.0.0.4: Packets: Sent = 3, Received = 3, Lost = 0 (0% loss), Approximate round trip times in milliseconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms

    注意

    如果您从客户网关路由器向实例发出 ping,请确保您的 ping 消息信源为内部 IP 地址,而非隧道 IP 地址。部分 AMI 不响应从隧道 IP 地址发出的 ping 消息。

  4. (可选) 为测试隧道故障转移,您可临时禁用您的客户网关上的一个隧道,然后重复上一步。您无法禁用 VPN 连接的 AWS 端的隧道。