Setting up a Site-to-Site VPN (IPsec VPN) between AWS and GCP


1. What is AWS Site-to-Site VPN?

By default, instances that you launch into an Amazon VPC cannot communicate with your remote network. You can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN connection and configuring routing so that traffic passes through the connection.

2. Components of a Site-to-Site VPN


Virtual Private Gateway: a virtual private gateway is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You create a virtual private gateway and attach it to the VPC from which you want to create the Site-to-Site VPN connection.

Customer Gateway: a customer gateway is a resource in AWS that provides AWS with information about your customer gateway device.

Customer Gateway Device: a customer gateway device is the physical device or software application on your side of the Site-to-Site VPN connection.

3. Environment

Lab topology

IP address plan

Category                      IP address
AWS Virtual Private Gateway   3.113.220.229
AWS VPC                       172.31.0.0/16
AWS EC2 instance              172.31.172.47/24
AWS Customer Gateway          35.229.151.133
GCP VPC                       10.140.0.0/20
GCP VM instance               10.140.0.10/24

4. Configuration steps

  • 1. GCP: reserve a static public IP address
  • 2. AWS: create a Customer Gateway that points at the public IP address reserved on GCP
  • 3. AWS: create a Virtual Private Gateway and attach it to the target VPC
  • 4. AWS: create the Site-to-Site VPN Connection and download the generated VPN configuration file
  • 5. GCP: configure the VPN connection using the parameters from the downloaded configuration file
  • 6. Check the VPN tunnel status
  • 7. Verify network connectivity

1. GCP: reserve a static public IP address

Go to VPC network -> External IP addresses and choose Reserve Static Address.

2. AWS: create a Customer Gateway that points at the public IP address reserved on GCP

3. AWS: create a Virtual Private Gateway and attach it to the target VPC

Attach the newly created Virtual Private Gateway to the VPC that contains the AWS instance.

Find the route table associated with the AWS instance and enable Route Propagation on it. The VPN routes are then propagated to the route table automatically; otherwise you have to add a route for the VPN manually with the Virtual Private Gateway as the next hop.

This route appears in the route table once the VPN tunnel has been established.

4. AWS: create the Site-to-Site VPN Connection and download the generated VPN configuration file

Open the VPN connection; its state is still pending at this point. Click Download configuration to download the VPN configuration.

Choose Generic as the platform. You can also choose a vendor such as Cisco or Palo Alto, in which case a configuration file for that vendor's device is generated instead.

5. GCP: configure the VPN connection using the parameters from the downloaded configuration file

Go to Networking -> Hybrid Connectivity -> VPN.

Two VPN tunnels are supported for redundancy; this lab creates only one tunnel.

Review the VPN configuration file downloaded in step 4.

File contents for IPsec Tunnel #1:

IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration

Configure the IKE SA as follows:

Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
The address of the external interface for your customer gateway must be a static address.
Your customer gateway may reside behind a device performing network address translation (NAT).
To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.

  - IKE version              : IKEv1
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : O0cTNVp4.5uOhuwF3eSs2vYXYOZRN7vg
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Diffie-Hellman           : Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:

Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".

  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:

  - DPD Interval             : 10
  - DPD Retries              : 3

IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:

  - TCP MSS Adjustment       : 1379 bytes
  - Clear Don't Fragment Bit : enabled
  - Fragmentation            : Before encryption

#3: Tunnel Interface Configuration

Your Customer Gateway must be configured with a tunnel interface that is
associated with the IPSec tunnel. All traffic transmitted to the tunnel
interface is encrypted and transmitted to the Virtual Private Gateway.

The Customer Gateway and Virtual Private Gateway each have two addresses that relate
to this IPSec tunnel. Each contains an outside address, upon which encrypted
traffic is exchanged. Each also contain an inside address associated with
the tunnel interface.

The Customer Gateway outside IP address was provided when the Customer Gateway
was created. Changing the IP address requires the creation of a new
Customer Gateway.

The Customer Gateway inside IP address should be configured on your tunnel
interface.

Outside IP Addresses:
  - Customer Gateway                 : 35.229.151.133
  - Virtual Private Gateway            : 3.113.220.229

Inside IP Addresses
  - Customer Gateway                 : 169.254.22.254/30
  - Virtual Private Gateway             : 169.254.22.253/30

Configure your tunnel to fragment at the optimal size:
  - Tunnel interface MTU     : 1436 bytes

#4: Static Routing Configuration:

To route traffic between your internal network and your VPC,
you will need a static route added to your router.

Static Route Configuration Options:
  - Next hop       : 169.254.22.253

You should add static routes towards your internal network on the VGW.
The VGW will then send traffic towards your internal network over
the tunnels.

Configure the GCP VPN connection with the values from the configuration file downloaded from AWS.
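As an added example (not part of the original post), a small Python script that parses the "- key : value" lines of the AWS generic configuration file shown above and flags the minimum-strength defaults it ships with (IKEv1, SHA-1, AES-128, DH group 2), which the file itself says can be raised. The sample text is a constructed excerpt in the same layout, with a placeholder pre-shared key.

```python
import re

# Constructed excerpt in the layout of the AWS "generic" Site-to-Site VPN
# configuration file, with the defaults the page's file shows (PSK redacted).
SAMPLE_CONFIG = """\
IPSec Tunnel #1
#1: Internet Key Exchange Configuration
  - IKE version              : IKEv1
  - Pre-Shared Key           : PLACEHOLDER_PSK
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Diffie-Hellman           : Group 2
#2: IPSec Configuration
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
"""

SECTION_RE = re.compile(r"^#(\d+): ")
PARAM_RE = re.compile(r"^\s+- (.+?)\s*: (.+?)\s*$")

def parse_tunnel(text):
    """Map each '#n:' section of the file to its '- key : value' pairs."""
    sections, current = {}, "0"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = PARAM_RE.match(line)
        if m:
            sections.setdefault(current, {})[m.group(1)] = m.group(2)
    return sections

def audit(sections):
    """Flag the minimum-strength defaults (IKEv1, SHA-1, AES-128, DH group 2)
    that the sample file ships with; AWS supports stronger settings."""
    ike, ipsec = sections.get("1", {}), sections.get("2", {})
    findings = []
    if ike.get("IKE version") == "IKEv1":
        findings.append("IKE: IKEv1 in use; prefer IKEv2")
    for name, params, dh_key in (("IKE", ike, "Diffie-Hellman"),
                                 ("IPsec", ipsec, "Perfect Forward Secrecy")):
        if "sha1" in params.get("Authentication Algorithm", ""):
            findings.append(f"{name}: SHA-1 integrity; use SHA-256 or stronger")
        if "aes-128" in params.get("Encryption Algorithm", ""):
            findings.append(f"{name}: AES-128; AES-256 is supported")
        g = re.search(r"Group (\d+)", params.get(dh_key, ""))
        if g and int(g.group(1)) < 14:
            findings.append(f"{name}: DH group {g.group(1)} is below group 14")
    return findings
```

Running `audit(parse_tunnel(open("vpn-config.txt").read()))` on the real downloaded file gives the list of settings to raise on both the AWS tunnel options and the GCP tunnel before the PSK is put into service.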

6. Check the VPN tunnel status

Check the VPN tunnel status on GCP.

Check the VPN status on AWS. Because only one VPN tunnel was created, only Tunnel 1 is up.

7. Verify network connectivity

From the GCP instance, ping the AWS instance; the ping succeeds.