Feed on
Posts
Comments
«
»

Amazon VPC介紹與建置-VPN網路設定

Feb 7th, 2012 by

VPC與硬體式VPN對接

VPC上設定好後,接下來就是設定自家的VPN設備,在這邊我們以Juniper SSG(Screen OS 6.2 or 6.3)做對接,Cisco的ISR有空再寫好了(誤)。有關VPN設備的基本概念就不講了,在下面設定還會有BGP的設定,不清楚就照貼(再誤)。Screen OS架構部分,需要先把Trust與Untrust的介面先切出來。我的設計習慣會是把Trust對內,Untrust對外。

接著拿出AWS提供的VPC範本,通常要做一些修改。AWS預設是把Trust Zone與AWS接起來的,對接介面是ethernet0/0,建立tunnel的介面名稱是tunnel.1與tunnel.2,會與你的環境有些差異,需要自行修改。

以下是VPC所提供的設定檔,紅字部分是需要注意的部分,至於prehare key就是AWS提供啦,不要亂動XD。

set ike p1-proposal ike-prop-vpn-51b81250-1 preshare group2 esp aes128 sha-1 second 28800
set ike gateway gw-vpn-51b81250-1 address 27.x.x.x id 27.x.x.x main outgoing-interface ethernet0/0 preshare “blahblah” proposal ike-prop-vpn-51b81250-1
set ike p2-proposal ipsec-prop-vpn-51b81250-1 group2 esp aes128 sha-1 second 3600
set ike gateway gw-vpn-51b81250-1 dpd-liveness interval 10
set vpn IPSEC-vpn-51b81250-1 gateway gw-vpn-51b81250-1 replay tunnel proposal ipsec-prop-vpn-51b81250-1

set interface tunnel.1 zone Trust
set interface tunnel.1 ip 169.254.252.2/30
set interface tunnel.1 mtu 1436
set vpn IPSEC-vpn-51b81250-1 bind interface tunnel.1
set zone Trust asymmetric-vpn
set flow vpn-tcp-mss 1396

set vrouter trust-vr
set max-ecmp-routes 2
set protocol bgp 65000
set hold-time 30
set ipv4 network 0.0.0.0/0

set ipv4 advertise-def-route
set enable
set neighbor 169.254.252.1 remote-as 10124
set neighbor 169.254.252.1 enable
set ipv4 neighbor 169.254.252.1 activate
exit
exit
set interface tunnel.1 protocol bgp

set ike p1-proposal ike-prop-vpn-51b81250-2 preshare group2 esp aes128 sha-1 second 28800
set ike gateway gw-vpn-51b81250-2 address 27.x.x.x id 27.x.x.x main outgoing-interface ethernet0/0 preshare “blahblah” proposal ike-prop-vpn-51b81250-2
set ike p2-proposal ipsec-prop-vpn-51b81250-2 group2 esp aes128 sha-1 second 3600
set ike gateway gw-vpn-51b81250-2 dpd-liveness interval 10
set vpn IPSEC-vpn-51b81250-2 gateway gw-vpn-51b81250-2 replay tunnel proposal ipsec-prop-vpn-51b81250-2

set interface tunnel.2 zone Trust
set interface tunnel.2 ip 169.254.252.6/30
set interface tunnel.2 mtu 1436
set vpn IPSEC-vpn-51b81250-2 bind interface tunnel.2

set zone Trust asymmetric-vpn
set flow vpn-tcp-mss 1396

set vrouter trust-vr
set max-ecmp-routes 2
set protocol bgp 65000
set hold-time 30
set ipv4 network 0.0.0.0/0

set ipv4 advertise-def-route
set enable
set neighbor 169.254.252.5 remote-as 10124
set neighbor 169.254.252.5 enable
set ipv4 neighbor 169.254.252.5 activate
exit
exit
set interface tunnel.2 protocol bgp

在貼上去設定後,五分鐘內VPC的建線就會建立起來了(要有點耐心XD),如果沒建立起來就…(找顧問)。連線建起來後的畫面會是像這樣,UP啦。

vpc_21.png

VPC的進階設定

VPC上面設定的東西不少,你可以在上面設定ACL,也可以調整設定DHCP。不過這系列文章不會提到(毆飛)。

On this day..

Tags: , , , ,

Posted in Technology, Work

Leave a Reply