Amazon Virtual Private Cloud
Network Administrator Guide
The AWS services or features described in the AWS documentation may vary by region or location. See Getting Started with Amazon AWS to view the specific differences for the China regions.

Example: Dell SonicWALL SonicOS Device without Border Gateway Protocol

This topic provides an example of how to configure your router if your customer gateway is a Dell SonicWALL router running SonicOS 5.9 or 6.2.

This section assumes that a VPN connection with static routing has already been configured in the Amazon VPC console. For more information, see Adding a Virtual Private Gateway to Your VPC in the Amazon VPC User Guide.

A High-Level View of the Customer Gateway

The following diagram shows the general details of your customer gateway. Note that the VPN connection consists of two tunnels, Tunnel 1 and Tunnel 2. Using redundant tunnels ensures continuous availability if one device fails.

Figure: High-level diagram of the customer gateway

Example Configuration File

The configuration file downloaded from the Amazon VPC console contains the values you need in order to configure each tunnel, together with the IKE and IPsec settings, on your SonicWALL device using the command-line tools of SonicOS 6.2.

Important

The following configuration information uses example values. You must use the actual values rather than the example values shown here, otherwise your implementation will fail.

    ! Amazon Web Services
    ! Virtual Private Cloud
    !
    ! VPN Connection Configuration
    ! ================================================================================
    ! AWS utilizes unique identifiers to manipulate the configuration of
    ! a VPN Connection. Each VPN Connection is assigned a VPN Connection Identifier
    ! and is associated with two other identifiers, namely the
    ! Customer Gateway Identifier and the Virtual Private Gateway Identifier.
    !
    ! Your VPN Connection ID          : vpn-44a8938f
    ! Your Virtual Private Gateway ID : vgw-8db04f81
    ! Your Customer Gateway ID        : cgw-ff628496
    !
    ! This configuration consists of two tunnels. Both tunnels must be
    ! configured on your customer gateway.
    !
    ! This configuration was tested on a SonicWALL TZ 600 running OS 6.2.5.1-26n
    !
    ! You may need to populate these values throughout the config based on your setup:
    ! <vpc_subnet> - VPC IP address range
    ! ================================================================================
    ! #1: Internet Key Exchange (IKE) Configuration
    !
    ! These sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
    ! You can modify these sample configuration files to use AES128, SHA1, AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
    ! The address of the external interface for your customer gateway must be a static address.
    ! Your customer gateway may reside behind a device performing network address translation (NAT).
    ! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
    !
    config
    address-object ipv4 AWSVPC network 172.30.0.0/16
    vpn policy tunnel-interface vpn-44a8938f-1
    gateway primary 72.21.209.193
    bound-to interface X1
    auth-method shared-secret
    shared-secret PRE-SHARED-KEY-IN-PLAIN-TEXT
    ike-id local ip your_customer_gateway_IP_address
    ike-id peer ip 72.21.209.193
    end
    ! #2: IPSec Configuration
    !
    ! The IPSec (Phase 2) proposal defines the protocol, authentication,
    ! encryption, and lifetime parameters for our IPSec security association.
    ! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
    !
    config
    proposal ipsec lifetime 3600
    proposal ipsec authentication sha1
    proposal ipsec encryption aes128
    proposal ipsec perfect-forward-secrecy dh-group 2
    proposal ipsec protocol ESP
    keep-alive enable
    commit
    end
    !
    ! You can use other supported IPSec parameters for encryption such as AES256, and other DH groups such as 1,2, 5, 14-18, 22, 23, and 24.
    ! IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
    ! recommend configuring DPD on your endpoint as follows:
    !  - DPD Interval : 120
    !  - DPD Retries  : 3
    ! To configure Dead Peer Detection for the SonicWall device, use the SonicOS management interface.
    !
    ! #3: Tunnel Interface Configuration
    !
    ! The tunnel interface is configured with the internal IP address.
    !
    ! To establish connectivity between your internal network and the VPC, you
    ! must have an interface facing your internal network in the "Trust" zone.
    !
    !
    config
    tunnel-interface vpn T1
    ip-assignment VPN static
    ip 169.254.255.6 netmask 255.255.255.252
    exit
    !
    !
    ! #4 Static Route Configuration
    !
    ! Create a firewall policy permitting traffic from your local subnet to the VPC subnet and vice versa
    ! This example policy permits all traffic from the local subnet to the VPC through the tunnel interface.
    !
    !
    policy interface T1 metric 1 source any destination name AWSVPC service any gateway 169.254.255.5
    ! IPSec Tunnel #2
    ! ================================================================================
    ! #1: Internet Key Exchange (IKE) Configuration
    !
    ! These sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
    ! You can modify these sample configuration files to use AES128, SHA1, AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
    ! The address of the external interface for your customer gateway must be a static address.
    ! Your customer gateway may reside behind a device performing network address translation (NAT).
    ! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
    !
    config
    address-object ipv4 AWSVPC network 172.30.0.0/16
    vpn policy tunnel-interface vpn-44a8938f-2
    gateway primary 72.21.209.225
    bound-to interface X1
    auth-method shared-secret
    shared-secret PRE-SHARED-KEY-IN-PLAIN-TEXT
    ike-id local ip your_customer_gateway_IP_address
    ike-id peer ip 72.21.209.225
    end
    !
    ! #2: IPSec Configuration
    !
    ! The IPSec (Phase 2) proposal defines the protocol, authentication,
    ! encryption, and lifetime parameters for our IPSec security association.
    ! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
    !
    config
    proposal ipsec lifetime 3600
    proposal ipsec authentication sha1
    proposal ipsec encryption aes128
    proposal ipsec perfect-forward-secrecy dh-group 2
    proposal ipsec protocol ESP
    keep-alive enable
    commit
    end
    !
    ! You can use other supported IPSec parameters for encryption such as AES256, and other DH groups such as 1,2, 5, 14-18, 22, 23, and 24.
    !
    ! IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
    ! recommend configuring DPD on your endpoint as follows:
    !  - DPD Interval : 120
    !  - DPD Retries  : 3
    ! To configure Dead Peer Detection for the SonicWall device, use the SonicOS management interface.
    !
    ! #3: Tunnel Interface Configuration
    !
    ! The tunnel interface is configured with the internal IP address.
    !
    ! To establish connectivity between your internal network and the VPC, you
    ! must have an interface facing your internal network in the "Trust" zone.
    !
    !
    config
    tunnel-interface vpn T2
    ip-assignment VPN static
    ip 169.254.255.2 netmask 255.255.255.252
    !
    ! #4 Static Route Configuration
    !
    ! Create a firewall policy permitting traffic from your local subnet to the VPC subnet and vice versa
    ! This example policy permits all traffic from the local subnet to the VPC through the tunnel interface.
    !
    !
    policy interface T2 metric 1 source any destination name AWSVPC service any gateway 169.254.255.1
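A pre-deploy check for the downloaded configuration file, as an added example that is not AWS or SonicWALL code: it parses the "!"-commented SonicOS text above, collects each tunnel's values, and reports placeholders left in place (the cause of the failure the Important note warns about), a static-route gateway outside the tunnel interface's /30, a missing second tunnel, and the SHA1 / DH group 2 minimum baseline. The function and constant names are my own, and the sample input is constructed from the page's tunnel 1 values.

```python
# Added example (not AWS or SonicWALL code): pre-deploy checker for the AWS-generated SonicOS file.
import ipaddress
import re
PLACEHOLDERS = ("PRE-SHARED-KEY-IN-PLAIN-TEXT", "your_customer_gateway_IP_address")
FIELDS = (("peer", r"gateway primary (\S+)"), ("psk", r"shared-secret (\S+)"),
          ("auth", r"proposal ipsec authentication (\S+)"),
          ("dh", r"proposal ipsec perfect-forward-secrecy dh-group (\d+)"),
          ("inside", r"ip (\S+) netmask (\S+)"),  # stored as "ip/mask"
          ("route_gw", r"policy interface \S+ .*gateway (\S+)"))

def parse_tunnels(text):
    """Map each 'vpn policy tunnel-interface <name>' block to the values that follow it."""
    tunnels, current = {}, None
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("!"):
            continue  # '!' lines are comments in the AWS file
        m = re.match(r"vpn policy tunnel-interface (\S+)", line)
        if m:
            current = tunnels.setdefault(m.group(1), {})
            continue
        for key, pat in FIELDS:
            m = re.match(pat, line)
            if m and current is not None:
                current[key] = "/".join(m.groups())
    return tunnels

def check_config(text):
    """Return (tunnels, findings); an empty findings list means the file looks deployable."""
    tunnels, findings = parse_tunnels(text), []
    if len({t.get("peer") for t in tunnels.values()}) != 2:
        findings.append("need two tunnels to distinct AWS endpoints for redundancy")
    for name, t in tunnels.items():
        for v in t.values():
            if any(p in v for p in PLACEHOLDERS):
                findings.append(f"{name}: placeholder not replaced: {v}")
        if "inside" in t and "route_gw" in t:
            link = ipaddress.ip_network(t["inside"], strict=False)
            if ipaddress.ip_address(t["route_gw"]) not in link:
                findings.append(f"{name}: route gateway {t['route_gw']} not in tunnel link {link}")
        if t.get("auth") == "sha1" or t.get("dh") == "2":
            findings.append(f"{name}: SHA1/DH group 2 is the minimum baseline; prefer SHA256 and DH 14+")
    return tunnels, findings
# Constructed sample: tunnel 1 from the page with the shared secret not yet replaced.
SAMPLE = """vpn policy tunnel-interface vpn-44a8938f-1
gateway primary 72.21.209.193
shared-secret PRE-SHARED-KEY-IN-PLAIN-TEXT
proposal ipsec perfect-forward-secrecy dh-group 2
ip 169.254.255.6 netmask 255.255.255.252
policy interface T1 metric 1 source any destination name AWSVPC service any gateway 169.254.255.5"""
```

Run `check_config(open("vpn-44a8938f.txt").read())` on the real download after editing it; three findings are expected on the constructed sample (one tunnel only, placeholder secret, DH group 2).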

Configuring the SonicWALL Device Using the Management Interface

The following procedure shows how to configure the VPN tunnels on the SonicWALL device using the SonicOS management interface. You must replace the example values in the procedure with the values provided in the configuration file.

To configure the tunnels

  1. Open the SonicWALL SonicOS management interface.

  2. In the left pane, choose VPN, Settings. Under VPN Policies, choose Add....

  3. In the VPN policy window on the General tab, fill in the following information:

    • Policy Type: Choose Site to Site.

    • Authentication Method: Choose IKE using Preshared Secret.

    • Name: Enter a name for the VPN policy. We recommend using the VPN ID provided in the configuration file.

    • IPsec Primary Gateway Name or Address: Enter the IP address of the virtual private gateway (the AWS endpoint) provided in the configuration file, for example 72.21.209.193.

    • IPsec Secondary Gateway Name or Address: Leave the default value.

    • Shared Secret: Enter the pre-shared key provided in the configuration file, and enter it again in Confirm Shared Secret.

    • Local IKE ID: Enter the IPv4 address of the customer gateway (the SonicWALL device).

    • Peer IKE ID: Enter the IPv4 address of the virtual private gateway (the AWS endpoint).

  4. On the Network tab, fill in the following information:

    • Under Local Networks, choose Any address. We recommend this option to prevent connectivity issues from your local network.

    • Under Remote Networks, choose Choose a destination network from list. Create an address object with the CIDR of your VPC in AWS.

  5. On the Proposals tab, fill in the following information.

    • Under IKE (Phase 1) Proposal, do the following:

      • Exchange: Choose Main Mode.

      • DH Group: Enter the value for the Diffie-Hellman group, for example 2.

      • Encryption: Choose AES-128 or AES-256.

      • Authentication: Choose SHA1 or SHA256.

      • Life Time: Enter 28800.

    • Under IKE (Phase 2) Proposal, do the following:

      • Protocol: Choose ESP.

      • Encryption: Choose AES-128 or AES-256.

      • Authentication: Choose SHA1 or SHA256.

      • Select the Enable Perfect Forward Secrecy check box, and then choose the Diffie-Hellman group.

      • Life Time: Enter 3600.

    Important

    If you created your virtual private gateway before October 2015, you must specify Diffie-Hellman group 2, AES-128, and SHA1 for both phases.

  6. On the Advanced tab, fill in the following information:

    • Select Enable Keep Alive.

    • Select Enable Phase2 Dead Peer Detection and enter the following:

      • For Dead Peer Detection Interval, enter 60 (this is the minimum value that the SonicWALL device accepts).

      • For Failure Trigger Level, enter 3.

    • For VPN Policy bound to, choose Interface X1. This is the interface that is typically assigned the public IP address.

  7. Choose OK. On the Settings page, the Enable check box for the tunnel should be selected by default. A green dot indicates that the tunnel is up.

How to Test the Customer Gateway Configuration

You must first test the gateway configuration for each tunnel.

To test the customer gateway configuration for each tunnel

  • On your customer gateway, verify that you have added a static route to the VPC CIDR IP space that uses the tunnel interface.

Next, you must test the connectivity for each tunnel by launching an instance in your VPC and pinging the instance from your home network. Before you begin, make sure of the following:

  • Use an AMI that responds to ping requests. We recommend that you use one of the Amazon Linux AMIs.

  • Configure the instance's security group and network ACL to allow inbound ICMP traffic.

  • Ensure that you have configured routing for your VPN connection: your subnet's route table must contain a route to the virtual private gateway. For more information, see Enable Route Propagation in Your Route Table in the Amazon VPC User Guide.

To test end-to-end connectivity for each tunnel

  1. Launch an instance of one of the Amazon Linux AMIs into your VPC. The Amazon Linux AMIs are available in the Quick Start menu when you use the launch instance wizard in the AWS Management Console. For more information, see the Amazon VPC Getting Started Guide.

  2. After the instance is running, get its private IP address (for example, 10.0.0.4). The console displays the address as part of the instance details.

  3. On a system in your local network, use the ping command with the instance's IP address. Make sure that the computer you ping from is behind the customer gateway. A successful response should be similar to the following:

    ping 10.0.0.4

    Pinging 10.0.0.4 with 32 bytes of data:

    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128

    Ping statistics for 10.0.0.4:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
    Approximate round trip times in milliseconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

Note

If you ping the instance from your customer gateway router, ensure that you source the ping messages from an internal IP address, not a tunnel IP address. Some AMIs don't respond to ping messages sent from tunnel IP addresses.

If your tunnel tests are unsuccessful, see Troubleshooting Generic Device Customer Gateway Connectivity Using Border Gateway Protocol.