{"id":690,"date":"2012-02-07T18:11:17","date_gmt":"2012-02-07T10:11:17","guid":{"rendered":"https:\/\/blog.ychsiao.org\/?p=690"},"modified":"2012-02-09T01:03:49","modified_gmt":"2012-02-08T17:03:49","slug":"amazon-vpc%e4%bb%8b%e7%b4%b9%e8%88%87%e5%bb%ba%e7%bd%ae-vpn%e7%b6%b2%e8%b7%af%e8%a8%ad%e5%ae%9a","status":"publish","type":"post","link":"https:\/\/blog.ychsiao.org\/?p=690","title":{"rendered":"Amazon VPC\u4ecb\u7d39\u8207\u5efa\u7f6e-VPN\u7db2\u8def\u8a2d\u5b9a"},"content":{"rendered":"

VPC\u8207\u786c\u9ad4\u5f0fVPN\u5c0d\u63a5<\/strong><\/p>\n

VPC\u4e0a\u8a2d\u5b9a\u597d\u5f8c\uff0c\u63a5\u4e0b\u4f86\u5c31\u662f\u8a2d\u5b9a\u81ea\u5bb6\u7684VPN\u8a2d\u5099\uff0c\u5728\u9019\u908a\u6211\u5011\u4ee5Juniper SSG(Screen OS 6.2 or 6.3)\u505a\u5c0d\u63a5\uff0cCisco\u7684ISR\u6709\u7a7a\u518d\u5beb\u597d\u4e86(\u8aa4)<\/del>\u3002\u6709\u95dcVPN\u8a2d\u5099\u7684\u57fa\u672c\u6982\u5ff5\u5c31\u4e0d\u8b1b\u4e86\uff0c\u5728\u4e0b\u9762\u8a2d\u5b9a\u9084\u6703\u6709BGP\u7684\u8a2d\u5b9a\uff0c\u4e0d\u6e05\u695a\u5c31\u7167\u8cbc(\u518d\u8aa4)\u3002Screen OS\u67b6\u69cb\u90e8\u5206\uff0c\u9700\u8981\u5148\u628aTrust\u8207Untrust\u7684\u4ecb\u9762\u5148\u5207\u51fa\u4f86\u3002\u6211\u7684\u8a2d\u8a08\u7fd2\u6163\u6703\u662f\u628aTrust\u5c0d\u5167\uff0cUntrust\u5c0d\u5916\u3002
\n<\/p>\n

\u63a5\u8457\u62ff\u51faAWS\u63d0\u4f9b\u7684VPC\u7bc4\u672c\uff0c\u901a\u5e38\u8981\u505a\u4e00\u4e9b\u4fee\u6539\u3002AWS\u9810\u8a2d\u662f\u628aTrust Zone\u8207AWS\u63a5\u8d77\u4f86\u7684\uff0c\u5c0d\u63a5\u4ecb\u9762\u662fethernet0\/0\uff0c\u5efa\u7acbtunnel\u7684\u4ecb\u9762\u540d\u7a31\u662ftunnel.1\u8207tunnel.2\uff0c\u6703\u8207\u4f60\u7684\u74b0\u5883\u6709\u4e9b\u5dee\u7570\uff0c\u9700\u8981\u81ea\u884c\u4fee\u6539\u3002<\/p>\n

\u4ee5\u4e0b\u662fVPC\u6240\u63d0\u4f9b\u7684\u8a2d\u5b9a\u6a94\uff0c\u7d05\u5b57\u90e8\u5206\u662f\u9700\u8981\u6ce8\u610f\u7684\u90e8\u5206\uff0c\u81f3\u65bcprehare key\u5c31\u662fAWS\u63d0\u4f9b\u5566\uff0c\u4e0d\u8981\u4e82\u52d5XD\u3002<\/p>\n

set ike p1-proposal ike-prop-vpn-51b81250-1 preshare group2 esp aes128 sha-1 second 28800<\/em>
\nset ike gateway gw-vpn-51b81250-1 address 27.x.x.x id 27.x.x.x main\u00a0outgoing-interface<\/span>\u00a0ethernet0\/0<\/span>\u00a0preshare “blahblah” proposal ike-prop-vpn-51b81250-1<\/em>
\nset ike p2-proposal ipsec-prop-vpn-51b81250-1 group2 esp aes128 sha-1 second 3600<\/em>
\nset ike gateway gw-vpn-51b81250-1 dpd-liveness interval 10<\/em>
\nset vpn IPSEC-vpn-51b81250-1 gateway gw-vpn-51b81250-1 replay tunnel proposal ipsec-prop-vpn-51b81250-1<\/em><\/p>\n

set interface tunnel.1<\/span> zone\u00a0Trust<\/span><\/em>
\nset interface tunnel.1<\/span> ip 169.254.252.2\/30<\/em>
\nset interface tunnel.1<\/span> mtu 1436<\/em>
\nset vpn IPSEC-vpn-51b81250-1 bind interface\u00a0tunnel.1<\/span>
\nset zone\u00a0Trust<\/span>\u00a0asymmetric-vpn<\/em>
\nset flow vpn-tcp-mss 1396<\/em><\/p>\n

set vrouter trust-vr<\/em>
\nset max-ecmp-routes 2<\/em>
\nset protocol bgp 65000<\/em>
\nset hold-time 30<\/em>
\nset ipv4 network 0.0.0.0\/0<\/em><\/p>\n

set ipv4 advertise-def-route<\/em>
\nset enable<\/em>
\nset neighbor 169.254.252.1 remote-as 10124<\/em>
\nset neighbor 169.254.252.1 enable<\/em>
\nset ipv4 neighbor 169.254.252.1 activate<\/em>
\nexit<\/em>
\nexit<\/em>
\nset interface\u00a0tunnel.1<\/span>\u00a0protocol bgp<\/em><\/p>\n

set ike p1-proposal ike-prop-vpn-51b81250-2 preshare group2 esp aes128 sha-1 second 28800<\/em>
\nset ike gateway gw-vpn-51b81250-2 address 27.x.x.x id 27.x.x.x main\u00a0outgoing-interface ethernet0\/0<\/span>\u00a0preshare “blahblah” proposal ike-prop-vpn-51b81250-2<\/em>
\nset ike p2-proposal ipsec-prop-vpn-51b81250-2 group2 esp aes128 sha-1 second 3600<\/em>
\nset ike gateway gw-vpn-51b81250-2 dpd-liveness interval 10<\/em>
\nset vpn IPSEC-vpn-51b81250-2 gateway gw-vpn-51b81250-2 replay tunnel proposal ipsec-prop-vpn-51b81250-2<\/em><\/p>\n

set interface tunnel.2<\/span> zone\u00a0Trust<\/span><\/em>
\nset interface tunnel.2<\/span> ip 169.254.252.6\/30<\/em>
\nset interface tunnel.2<\/span> mtu 1436<\/em>
\nset vpn IPSEC-vpn-51b81250-2 bind interface\u00a0tunnel.2<\/span><\/em><\/p>\n

set zone\u00a0Trust<\/span>\u00a0asymmetric-vpn<\/em>
\nset flow vpn-tcp-mss 1396<\/em><\/p>\n

set vrouter trust-vr<\/em>
\nset max-ecmp-routes 2<\/em>
\nset protocol bgp 65000<\/em>
\nset hold-time 30<\/em>
\nset ipv4 network 0.0.0.0\/0<\/em><\/p>\n

set ipv4 advertise-def-route<\/em>
\nset enable<\/em>
\nset neighbor 169.254.252.5 remote-as 10124<\/em>
\nset neighbor 169.254.252.5 enable<\/em>
\nset ipv4 neighbor 169.254.252.5 activate<\/em>
\nexit<\/em>
\nexit<\/em>
\nset interface\u00a0tunnel.2<\/span>\u00a0protocol bgp<\/em><\/p><\/blockquote>\n

\u5728\u8cbc\u4e0a\u53bb\u8a2d\u5b9a\u5f8c\uff0c\u4e94\u5206\u9418\u5167VPC\u7684\u5efa\u7dda\u5c31\u6703\u5efa\u7acb\u8d77\u4f86\u4e86(\u8981\u6709\u9ede\u8010\u5fc3XD)\uff0c\u5982\u679c\u6c92\u5efa\u7acb\u8d77\u4f86\u5c31…(\u627e\u9867\u554f)<\/del>\u3002\u9023\u7dda\u5efa\u8d77\u4f86\u5f8c\u7684\u756b\u9762\u6703\u662f\u50cf\u9019\u6a23\uff0c\bUP\u5566\u3002<\/p>\n

\"vpc_21.png\"<\/p>\n

VPC\u7684\u9032\u968e\u8a2d\u5b9a<\/strong><\/p>\n

VPC\u4e0a\u9762\u8a2d\u5b9a\u7684\u6771\u897f\u4e0d\u5c11\uff0c\u4f60\u53ef\u4ee5\u5728\u4e0a\u9762\u8a2d\u5b9aACL\uff0c\u4e5f\u53ef\u4ee5\u8abf\u6574\u8a2d\u5b9aDHCP\u3002\u4e0d\u904e\u9019\u7cfb\u5217\u6587\u7ae0\u4e0d\u6703\u63d0\u5230(\u6bc6\u98db)\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"

VPC\u8207\u786c\u9ad4\u5f0fVPN\u5c0d\u63a5 VPC\u4e0a\u8a2d\u5b9a\u597d\u5f8c\uff0c\u63a5\u4e0b\u4f86\u5c31\u662f\u8a2d\u5b9a\u81ea\u5bb6\u7684VPN\u8a2d\u5099\uff0c\u5728\u9019\u908a\u6211\u5011\u4ee5Juniper SSG(Screen OS 6.2 or 6.3)\u505a\u5c0d\u63a5\uff0cCisco\u7684ISR\u6709\u7a7a\u518d\u5beb\u597d\u4e86(\u8aa4)\u3002\u6709\u95dcVPN\u8a2d\u5099\u7684\u57fa\u672c\u6982\u5ff5\u5c31\u4e0d\u8b1b\u4e86\uff0c\u5728\u4e0b\u9762\u8a2d\u5b9a\u9084\u6703\u6709BGP\u7684\u8a2d\u5b9a\uff0c\u4e0d\u6e05\u695a\u5c31\u7167\u8cbc(\u518d\u8aa4)\u3002Screen OS\u67b6\u69cb\u90e8\u5206\uff0c\u9700\u8981\u5148\u628aTrust\u8207Untrust\u7684\u4ecb\u9762\u5148\u5207\u51fa\u4f86\u3002\u6211\u7684\u8a2d\u8a08\u7fd2\u6163\u6703\u662f\u628aTrust\u5c0d\u5167\uff0cUntrust\u5c0d\u5916\u3002<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"categories":[56,55],"tags":[62,61,63,64,65],"class_list":["post-690","post","type-post","status-publish","format-standard","hentry","category-technology","category-work","tag-amazon","tag-aws","tag-cloud","tag-juniper","tag-vpc"],"_links":{"self":[{"href":"https:\/\/blog.ychsiao.org\/index.php?rest_route=\/wp\/v2\/posts\/690","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ychsiao.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ychsiao.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ychsiao.org\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ychsiao.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=690"}],"version-history":[{"count":8,"href":"https:\/\/blog.ychsiao.org\/index.php?rest_route=\/wp\/v2\/posts\/690\/revisions"}],"predecessor-version":[{"id":723,"href":"https:\/\/blog.ychsiao.org\/index.php?rest_route=\/wp\/v2\/posts\/690\/revisions\/723"}],"wp:attachment":[{"href":"https:\/\/blog.ychsiao.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=690"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ychsiao.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=690"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ychsiao.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=690"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}