Amazon Virtual Private Cloud
Network Administrator Guide
The AWS services or capabilities described in AWS documentation might vary by Region. To see the differences that apply to the China Regions, see Getting Started with AWS services in China.

Example: Cisco ASA Device with a Virtual Tunnel Interface and Border Gateway Protocol

If your customer gateway is a Cisco ASA device running Cisco ASA 9.7.1+ software, this section provides an example of the configuration information that your integration team should provide.

A High-Level View of the Customer Gateway

The following diagram shows the general details of your customer gateway. The VPN connection consists of two tunnels. Using redundant tunnels ensures continuous availability in case one device fails.

Figure: Cisco ASA high-level diagram

Cisco ASA version 9.7.1 and later supports Active/Active mode. With these Cisco ASAs, you can keep both tunnels up at the same time. With this redundancy, you should always be able to reach your VPC through one of the tunnels.

Example Configuration

The configuration in this section is an example of the configuration information that your integration team should provide. The example configuration includes one set of information for each of the tunnels that you must configure.

The example configuration includes example values to help you understand how the configuration works. For example, we provide example values for the VPN connection ID (vpn-12345678) and the virtual private gateway ID (vgw-12345678), and placeholders for the AWS endpoints (AWS_ENDPOINT_1 and AWS_ENDPOINT_2). Replace these example values with the actual values from the configuration information that you receive.

In addition, you must do the following:

  • Configure the outside interface.

  • Ensure that the Crypto ISAKMP Policy Sequence number is unique.

  • Ensure that the Crypto IPsec Transform Set and the Crypto ISAKMP Policy Sequence are consistent with any other IPsec tunnels configured on the device.

  • Configure all internal routing that moves traffic between the customer gateway and your local network.

Important

The following configuration information is an example of what you can expect your integration team to provide. Many of the values in the following example differ from the actual configuration information that you receive. You must use the actual values and not the example values shown here, or your implementation will fail.

! Amazon Web Services
! Virtual Private Cloud
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID            : vpn-12345678
! Your Virtual Private Gateway ID   : vgw-12345678
! Your Customer Gateway ID          : cgw-12345678
!
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! -------------------------------------------------------------------------
! IPSec Tunnel #1
! -------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall
! rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
!
! Note that there are a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #200, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto ikev1 enable 'outside_interface'
crypto ikev1 policy 200
  encryption aes
  authentication pre-share
  group 2
  lifetime 28800
  hash sha
! -------------------------------------------------------------------------
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
!
crypto ipsec ikev1 transform-set ipsec-prop-vpn-12345678-0 esp-aes esp-sha-hmac
! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-12345678-0
  set pfs group2
  set security-association lifetime seconds 3600
  set ikev1 transform-set ipsec-prop-vpn-12345678-0
exit
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
crypto ipsec df-bit clear-df 'outside_interface'
! This option causes the firewall to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
sysopt connection tcpmss 1379
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
!
crypto ipsec fragmentation before-encryption 'outside_interface'
! -------------------------------------------------------------------------
! The tunnel group sets the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
tunnel-group 13.54.43.86 type ipsec-l2l
tunnel-group 13.54.43.86 ipsec-attributes
  ikev1 pre-shared-key pre-shared-key
!
! This option enables IPSec Dead Peer Detection, which causes semi-periodic
! messages to be sent to ensure a Security Association remains operational.
!
  isakmp keepalive threshold 10 retry 10
exit
! -------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
interface Tunnel1
  nameif Tunnel-int-vpn-12345678-0
  ip address 169.254.33.198 255.255.255.252
  tunnel source interface 'outside_interface'
  tunnel destination 13.54.43.86
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile ipsec-vpn-12345678-0
  no shutdown
exit
! -------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
! will announce the prefix corresponding to your VPC.
!
! Your Customer Gateway may announce a default route (0.0.0.0/0),
! which can be done with the 'network' and 'default-originate' statements.
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (65343) is configured
! as part of your Customer Gateway. If the ASN must be changed, the
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!
router bgp 65343
  address-family ipv4 unicast
    neighbor 169.254.33.197 remote-as 7224
    neighbor 169.254.33.197 timers 10 30 30
    neighbor 169.254.33.197 default-originate
    neighbor 169.254.33.197 activate
! To advertise additional prefixes to Amazon VPC, copy the 'network' statement
! and identify the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop.
    network 0.0.0.0
    no auto-summary
    no synchronization
  exit-address-family
exit
!
! -------------------------------------------------------------------------
! IPSec Tunnel #2
! -------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall
! rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
!
! Note that there are a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #201, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto ikev1 enable 'outside_interface'
crypto ikev1 policy 201
  encryption aes
  authentication pre-share
  group 2
  lifetime 28800
  hash sha
! -------------------------------------------------------------------------
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
!
crypto ipsec ikev1 transform-set ipsec-prop-vpn-12345678-1 esp-aes esp-sha-hmac
! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-12345678-1
  set pfs group2
  set security-association lifetime seconds 3600
  set ikev1 transform-set ipsec-prop-vpn-12345678-1
exit
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
crypto ipsec df-bit clear-df 'outside_interface'
! This option causes the firewall to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
sysopt connection tcpmss 1379
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
!
crypto ipsec fragmentation before-encryption 'outside_interface'
! -------------------------------------------------------------------------
! The tunnel group sets the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
tunnel-group 52.65.137.78 type ipsec-l2l
tunnel-group 52.65.137.78 ipsec-attributes
  ikev1 pre-shared-key pre-shared-key
!
! This option enables IPSec Dead Peer Detection, which causes semi-periodic
! messages to be sent to ensure a Security Association remains operational.
!
  isakmp keepalive threshold 10 retry 10
exit
! -------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
! You will need to replace the outside_interface with the interface name of your ASA Firewall.
interface Tunnel2
  nameif Tunnel-int-vpn-12345678-1
  ip address 169.254.33.194 255.255.255.252
  tunnel source interface 'outside_interface'
  tunnel destination 52.65.137.78
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile ipsec-vpn-12345678-1
  no shutdown
exit
! -------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
! will announce the prefix corresponding to your VPC.
!
! Your Customer Gateway may announce a default route (0.0.0.0/0),
! which can be done with the 'network' and 'default-originate' statements.
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (65343) is configured
! as part of your Customer Gateway. If the ASN must be changed, the
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!
router bgp 65343
  address-family ipv4 unicast
    neighbor 169.254.33.193 remote-as 7224
    neighbor 169.254.33.193 timers 10 30 30
    neighbor 169.254.33.193 default-originate
    neighbor 169.254.33.193 activate
! To advertise additional prefixes to Amazon VPC, copy the 'network' statement
! and identify the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop.
    network 0.0.0.0
    no auto-summary
    no synchronization
  exit-address-family
exit
!
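The checklist above (unique ISAKMP policy sequence numbers, transform sets and IPsec profiles that agree with each other, placeholders replaced with real values) can be checked mechanically before the configuration is pasted into the ASA. The following Python script is an added example and is not part of the AWS guide or of any Cisco tooling. It recognises only the handful of statement types those checks depend on, and runs over a constructed fragment of the two-tunnel layout that has two mistakes seeded on purpose: tunnel 2 reuses policy sequence 200, and its tunnel interface names a profile that was never defined. The placeholder strings it looks for (`'outside_interface'`, the AWS_ENDPOINT names, the literal pre-shared key) are the ones mentioned in this section.

```python
"""Lint a generated Cisco ASA VPN configuration against the checklist in this
section: unique ikev1 (ISAKMP) policy sequence numbers, consistent
transform-set / IPsec profile / tunnel-interface references, and no
unreplaced placeholders. Added example, not AWS or Cisco code."""
import re

# Constructed sample: the two-tunnel layout from the example, cut down to the
# statements the linter cares about, with two errors seeded on purpose
# (duplicate policy 200, Tunnel2 references profile ...-9 which is undefined).
SAMPLE_CONFIG = """
crypto ikev1 enable 'outside_interface'
crypto ikev1 policy 200
  encryption aes
crypto ipsec ikev1 transform-set ipsec-prop-vpn-12345678-0 esp-aes esp-sha-hmac
crypto ipsec profile ipsec-vpn-12345678-0
  set ikev1 transform-set ipsec-prop-vpn-12345678-0
exit
tunnel-group 13.54.43.86 ipsec-attributes
  ikev1 pre-shared-key pre-shared-key
interface Tunnel1
  tunnel protection ipsec profile ipsec-vpn-12345678-0
exit
crypto ikev1 policy 200
  encryption aes
crypto ipsec ikev1 transform-set ipsec-prop-vpn-12345678-1 esp-aes esp-sha-hmac
crypto ipsec profile ipsec-vpn-12345678-1
  set ikev1 transform-set ipsec-prop-vpn-12345678-1
exit
interface Tunnel2
  tunnel protection ipsec profile ipsec-vpn-12345678-9
exit
"""

# Strings that must not survive into a production configuration.
PLACEHOLDERS = ("'outside_interface'", "AWS_ENDPOINT_1", "AWS_ENDPOINT_2",
                "pre-shared-key pre-shared-key")


def lint_asa_config(text):
    """Return a list of findings; an empty list means the checklist passed."""
    findings = []
    policies = []                 # every 'crypto ikev1 policy N' seen
    transform_sets = set()        # names defined by 'crypto ipsec ikev1 transform-set'
    profiles = {}                 # profile name -> transform-set it references
    referenced_profiles = []      # profiles named by 'tunnel protection ipsec profile'
    current_profile = None

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank or comment
        m = re.match(r"crypto ikev1 policy (\d+)$", line)
        if m:
            policies.append(int(m.group(1)))
            continue
        m = re.match(r"crypto ipsec ikev1 transform-set (\S+)", line)
        if m:
            transform_sets.add(m.group(1))
            continue
        m = re.match(r"crypto ipsec profile (\S+)$", line)
        if m:
            current_profile = m.group(1)
            profiles[current_profile] = None
            continue
        m = re.match(r"set ikev1 transform-set (\S+)$", line)
        if m and current_profile:
            profiles[current_profile] = m.group(1)
            continue
        m = re.match(r"tunnel protection ipsec profile (\S+)$", line)
        if m:
            referenced_profiles.append(m.group(1))
            continue
        if line == "exit":
            current_profile = None
        for placeholder in PLACEHOLDERS:
            if placeholder in line:
                findings.append(f"placeholder not replaced: {line}")

    for seq in sorted({p for p in policies if policies.count(p) > 1}):
        findings.append(f"duplicate ikev1 policy sequence number {seq}")
    for name, ts in profiles.items():
        if ts is None:
            findings.append(f"profile {name} sets no transform-set")
        elif ts not in transform_sets:
            findings.append(f"profile {name} references unknown transform-set {ts}")
    for name in referenced_profiles:
        if name not in profiles:
            findings.append(f"tunnel interface references unknown profile {name}")
    return findings


if __name__ == "__main__":
    for finding in lint_asa_config(SAMPLE_CONFIG):
        print("FAIL:", finding)
```

Run stand-alone, the script prints four findings for the constructed sample: two unreplaced placeholders, the duplicate policy 200, and the dangling profile reference on Tunnel2. An empty result only means the configuration is structurally consistent; whether the tunnels actually come up is still verified with the procedure in the next section.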

How to Test the Customer Gateway Configuration

When you use a Cisco ASA as the customer gateway in routed mode, both tunnels are in the UP state.

You can test the gateway configuration for each tunnel.

To test the customer gateway configuration for each tunnel

  • Ensure that routes are advertised correctly over BGP and appear in the routing table, so that traffic can return to your customer gateway. For example, if your local subnet prefix is 198.10.0.0/16, it must be advertised over BGP. Make sure that both tunnels are configured with BGP routing.

Next, you must test the connectivity of each tunnel by launching an instance into your VPC and pinging the instance from your home network. Before you begin, make sure of the following:

  • Use an AMI that responds to ping requests. We recommend that you use one of the Amazon Linux AMIs.

  • Configure the instance's security group and network ACL to allow inbound ICMP traffic.

  • Ensure that you have configured routing for the VPN connection: your subnet's route table must contain a route to the virtual private gateway. For more information, see Enable Route Propagation in Your Route Table in the Amazon VPC User Guide.

To test the end-to-end connectivity of each tunnel

  1. Launch an instance of one of the Amazon Linux AMIs into your VPC. The Amazon Linux AMIs are listed in the launch wizard when you launch an instance from the AWS Management Console. For more information, see the Amazon VPC Getting Started Guide.

  2. After the instance is running, get its private IP address (for example, 10.0.0.4). The console displays the address as part of the instance details.

  3. On a system in your local network, use the ping command with the instance's IP address. Make sure that the computer you ping from is behind the customer gateway. A successful response should look similar to the following.

    ping 10.0.0.4
    Pinging 10.0.0.4 with 32 bytes of data:

    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128

    Ping statistics for 10.0.0.4:
        Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
    Approximate round trip times in milliseconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

    Note

    If you ping the instance from your customer gateway router, ensure that you source the ping messages from an internal IP address, not from a tunnel IP address. Some AMIs don't respond to ping messages that come from tunnel IP addresses.

  4. (Optional) To test tunnel failover, temporarily disable one of the tunnels on your customer gateway and repeat the previous step. You cannot disable a tunnel on the AWS side of the VPN connection.
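When the ping test and the failover test are repeated for both tunnels, it helps to evaluate the ping summary mechanically rather than by eye. The following Python helper is an added example, not part of the AWS guide: it parses the statistics block in the Windows format shown in step 3 as well as the one-line Linux/macOS summary, and reports whether the run met a loss threshold. Both sample outputs embedded below are constructed; the 10.0.0.4 address is the example instance address from step 2.

```python
"""Parse the statistics of a ping run and decide whether a tunnel
connectivity test passed. Added example, not part of the AWS guide."""
import re

# Windows: "Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),"
WINDOWS_RE = re.compile(r"Sent = (\d+), Received = (\d+), Lost = (\d+)")
# Linux/macOS: "10 packets transmitted, 8 received, 20% packet loss"
#              (macOS prints "8 packets received").
UNIX_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")


def parse_ping(output):
    """Return (sent, received, loss_percent), or None if no summary is present."""
    m = WINDOWS_RE.search(output) or UNIX_RE.search(output)
    if not m:
        return None
    sent, received = int(m.group(1)), int(m.group(2))
    loss = 0.0 if sent == 0 else round(100.0 * (sent - received) / sent, 1)
    return sent, received, loss


def tunnel_test_passed(output, max_loss_percent=0.0):
    """True when a summary was found, at least one probe was sent, and the
    measured loss is within the allowed bound (0% by default, as in step 3)."""
    result = parse_ping(output)
    return result is not None and result[0] > 0 and result[2] <= max_loss_percent


# Constructed sample outputs: a healthy run, and a run captured while one
# tunnel was disabled for the failover test in step 4.
WINDOWS_OK = """Pinging 10.0.0.4 with 32 bytes of data:
Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
Ping statistics for 10.0.0.4:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
"""
LINUX_FAILOVER = """--- 10.0.0.4 ping statistics ---
10 packets transmitted, 8 received, 20% packet loss, time 9013ms
"""

if __name__ == "__main__":
    for label, text in (("windows", WINDOWS_OK), ("failover", LINUX_FAILOVER)):
        print(label, parse_ping(text), "pass" if tunnel_test_passed(text) else "fail")
```

A few lost probes during the failover step are expected while BGP withdraws the disabled tunnel's routes (the example timers are 10 30 30), so for that step it is reasonable to call `tunnel_test_passed` with a non-zero threshold; a steady-state test on either tunnel should still pass at the default of 0%.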

If your tunnel tests are unsuccessful, see Troubleshooting Cisco ASA Customer Gateway Connectivity.