IPSecVPN

  1. AWS和本地私有网络建立互通
  2. AWS中国区域vpc之间建立互通

    免责说明

    建议测试过程中使用此方案,生产环境使用请自行考虑评估。

项目说明

  1. 适用于AWS中国区域与您的本地私有网络通过IPSecVPN互通场景。此场景要求您的本地办公网络具有支持IPSecVPN功能的路由器或网关。

图片.png

  1. 适用于您在AWS中国区域内有多个VPC,两个VPC之间需要互相访问的场景。

图片.png

AWS端配置

1.创建弹性IP
2.在AWS CloudFormation控制台中启动模板,上传准备好的vpn.yaml模板文件
图片.png
参数说明

参数名称 参数含义 取值
InstanceType 实例类型 下拉选择:t2.micro(测试使用),c5.large(正式使用)
KeyName EC2登陆密钥对名称 下拉选择
LeftIp 本端IP 文本框:本端公网地址
LeftSubnet 本端VPC网段地址 文本框: 地址网段
PSK PreSharedKey 文本框:字符串
RightIP 对端IP 文本框: 对端公网地址
RightSubnet 对端网段地址 文本框: 地址网段
SubnetId EC2所属子网 下拉选择
VpcId EC2所属VPC 下拉选择

配置好之后就创建一台ec2,里面就按照yaml写的,安装并配置好了ipsec

ipsecvpn.yaml

  1. AWSTemplateFormatVersion: 2010-09-09
  3. Parameters:
  4.   KeyName:
  5.     Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
  6.     Type: 'AWS::EC2::KeyPair::KeyName'
  7.     ConstraintDescription: must be the name of an existing EC2 KeyPair.
  8.   InstanceType:
  9.     Description: IpsecVPN EC2 instance type
  10.     Type: String
  11.     Default: t2.micro
  12.     AllowedValues:
  13.       - t2.micro
  14.       - c4.large
  15.       - c5.large     
  16.     ConstraintDescription: must be a valid EC2 instance type.
  17.   VpcId:
  18.     Type: 'AWS::EC2::VPC::Id'
  19.     Description: VpcId of your existing Virtual Private Cloud (VPC)
  20.     ConstraintDescription: must be the VPC Id of an existing Virtual Private Cloud.
  21.   SubnetId:
  22.     Type: 'AWS::EC2::Subnet::Id'
  23.     Description: SubnetId of an existing public subnet in your Virtual Private Cloud (VPC)
  24.     ConstraintDescription: must be an existing public subnet in the selected Virtual Private Cloud.
  25.   PSK:
  26.     Type: String
  27.     Description: Pre Shared Key
  28.   LeftIp:
  29.     Type: String
  30.     Description: Left static public ip address 
  31.   LeftSubnet:
  32.     Type: String
  33.     Description: Left EC2 Subnet used for IPSecVPN
  34.   RightIp:
  35.     Type: String
  36.     Description: Peering public ip address
  37.   RightSubnet:
  38.     Type: String
  39.     Description: Peering Subnet used for IPSecVPN
  41. Mappings:
  42.   AWSInstanceType2Arch:
  43.     t2.micro:
  44.       Arch: HVM64
  45.     c4.large:
  46.       Arch: HVM64
  47.     c5.large:
  48.       Arch: HVM64
  49.   AWSRegionMap:
  50.     cn-north-1: # Beijing (China)
  51.       HVM64: ami-071e0769a839a3f0d # latest amzn2 ami
  52.       # HVM64: ami-03ae67ee227d997be
  53.       AWSARN: aws-cn
  54.     cn-northwest-1: # Ningxia (China)
  55.       HVM64: ami-0934e7d625575bb7c # latest amzn2 ami
  56.       # HVM64: ami-00d2f9d34d345da04
  57.       AWSARN: aws-cn
  59. Resources:
  60.   SecurityGroup:
  61.     Type: 'AWS::EC2::SecurityGroup'
  62.     Properties:
  63.       VpcId: !Ref VpcId
  64.       GroupDescription: Enable tcp udp access
  65.       SecurityGroupIngress:
  66.         - IpProtocol: '-1'
  67.           FromPort: '-1'
  68.           ToPort: '-1'
  69.           CidrIp: !Ref RightSubnet
  70.         - IpProtocol: '50'
  71.           FromPort: '-1'
  72.           ToPort: '-1'
  73.           CidrIp: 0.0.0.0/0
  74.         - IpProtocol: udp
  75.           FromPort: '4500'
  76.           ToPort: '4500'
  77.           CidrIp: 0.0.0.0/0
  78.         - IpProtocol: icmp
  79.           FromPort: '-1'
  80.           ToPort: '-1'
  81.           CidrIp: 0.0.0.0/0
  82.         - IpProtocol: udp
  83.           FromPort: '500'
  84.           ToPort: '500'
  85.           CidrIp: 0.0.0.0/0
  86.         - IpProtocol: tcp
  87.           FromPort: '22'
  88.           ToPort: '22'
  89.           CidrIp: 0.0.0.0/0
  90.   EC2Instance:
  91.     Type: 'AWS::EC2::Instance'
  92.     Properties:
  93.       ImageId: !FindInMap
  94.         - AWSRegionMap
  95.         - !Ref 'AWS::Region'
  96.         - !FindInMap
  97.           - AWSInstanceType2Arch
  98.           - !Ref InstanceType
  99.           - Arch
  100.       InstanceType: !Ref InstanceType
  101.       KeyName: !Ref KeyName
  102.       SourceDestCheck: 'false'
  103.       Tags:
  104.         - Key: Name
  105.           Value: IpsecInstance
  106.       NetworkInterfaces:
  107.         - AssociatePublicIpAddress: "true"
  108.           DeviceIndex: "0"
  109.           GroupSet:
  110.             - Ref: "SecurityGroup"
  111.           SubnetId:
  112.             Ref: "SubnetId"
  113.       UserData:
  114.         Fn::Base64: !Sub
  115.           - |
  116.             #!/bin/bash -xe
  117.             yum -y install openswan
  119.             echo "${LeftIp}  ${RightIp} : PSK \"${PSK}\"
  120.             " > /etc/ipsec.secrets
  122.             echo "config setup
  123.                 plutostderrlog=/tmp/pluto.log
  125.             conn lan-to-lan
  126.                 auto=start #automatically start if detected
  127.                 type=tunnel #tunnel mode/not transport
  129.                 ###THIS SIDE###
  130.                 left=%defaultroute
  131.                 leftid=${LeftIp}
  132.                 leftsubnet=${LeftSubnet}
  133.                 leftnexthop=%defaultroute
  135.                 ###PEER SIDE###
  136.                 right=${RightIp}
  137.                 rightsubnet=${RightSubnet}
  139.                 #phase 1 encryption-integrity-DiffieHellman
  140.                 keyexchange=ike
  141.                 ikev2=yes
  142.                 ike=aes128-sha1;modp1024
  143.                 ikelifetime=86400s
  144.                 authby=secret #use presharedkey
  145.                 rekey=yes  #should we rekey when key lifetime is about to expire
  147.                 #phase 2 encryption-pfsgroup
  148.                 phase2=esp #esp for encryption | ah for authentication only
  149.                 #phase2alg=aes192-sha1;modp1024
  150.                 phase2alg=aes256-sha1
  151.                 #phase2alg=aes128-sha1;modp1024
  152.                 pfs=no
  154.                 #forceencaps=yes
  155.                 dpddelay=10
  156.                 dpdtimeout=60
  157.                 dpdaction=restart_by_peer
  158.                 salifetime=86400s
  159.             " > /etc/ipsec.conf
  161.             cat > /etc/sysctl.conf <<EOF
  162.             net.ipv4.ip_forward = 1
  163.             net.ipv4.conf.all.accept_redirects = 0
  164.             net.ipv4.conf.all.send_redirects = 0
  165.             net.ipv4.conf.default.send_redirects = 0
  166.             net.ipv4.conf.eth0.send_redirects = 0
  167.             net.ipv4.conf.default.accept_redirects = 0
  168.             net.ipv4.conf.eth0.accept_redirects = 0
  169.             EOF
  171.             systemctl enable ipsec
  172.             systemctl start ipsec 
  174.             iptables -t mangle -A FORWARD -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1387
  175.           -
  176.             PSK: !Ref PSK
  177.             LeftIp: !Ref LeftIp
  178.             RightIp: !Ref RightIp
  179.             LeftSubnet:  !Ref LeftSubnet
  180.             RightSubnet: !Ref RightSubnet

将刚准备好的弹性IP绑定到新创建的ipsecvpn服务器,注意这个ip是刚配置的本端公网ip,不是就要改回来,ec2中ipsec.conf的本端公网ip也是这个

修改VPN服务器所在的路由表,添加到对端的路由
图片.png

腾讯云端配置

1.创建对端网关 (对端公网ip就是aws vpn服务器的公网ip)
2.创建VPN网关 (选择Ipsec 和 对应vpc或云企业网)
3.创建VPN通道 (I选择刚创建的对端网关和VPN网关,IKE配置、Ipsec配置、密钥等都要跟 aws vpn配置的对应上)
图片.png

VPN服务器

配置文件和
图片.png