IPSecVPN

  1. Connect AWS to an on-premises private network
  2. Connect two VPCs in the AWS China regions

    Disclaimer

    This solution is recommended for testing; evaluate it yourself before using it in production.

Project description

  1. Applies when an AWS China region and your on-premises private network are connected over an IPSec VPN. This scenario requires a router or gateway in your local office network that supports IPSec VPN.


  2. Applies when you have several VPCs in the AWS China regions and two of them need to reach each other.


AWS-side configuration

1. Create an Elastic IP
2. In the AWS CloudFormation console, launch a stack and upload the prepared vpn.yaml template file
Parameter description

Parameter      Meaning                              Value
InstanceType   Instance type                        Drop-down: t2.micro (testing), c5.large (production)
KeyName        EC2 login key pair name              Drop-down
LeftIp         Local-side IP                        Text box: local public IP address
LeftSubnet     Local-side VPC CIDR                  Text box: CIDR block
PSK            Pre-shared key                       Text box: string
RightIp        Peer IP                              Text box: peer public IP address
RightSubnet    Peer CIDR                            Text box: CIDR block
SubnetId       Subnet the EC2 instance belongs to   Drop-down
VpcId          VPC the EC2 instance belongs to      Drop-down

Once the stack is created, one EC2 instance is launched and, following the yaml, ipsec is installed and configured on it.

ipsecvpn.yaml

AWSTemplateFormatVersion: 2010-09-09
Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
    Type: 'AWS::EC2::KeyPair::KeyName'
    ConstraintDescription: must be the name of an existing EC2 KeyPair.
  InstanceType:
    Description: IpsecVPN EC2 instance type
    Type: String
    Default: t2.micro
    AllowedValues:
      - t2.micro
      - c4.large
      - c5.large
    ConstraintDescription: must be a valid EC2 instance type.
  VpcId:
    Type: 'AWS::EC2::VPC::Id'
    Description: VpcId of your existing Virtual Private Cloud (VPC)
    ConstraintDescription: must be the VPC Id of an existing Virtual Private Cloud.
  SubnetId:
    Type: 'AWS::EC2::Subnet::Id'
    Description: SubnetId of an existing public subnet in your Virtual Private Cloud (VPC)
    ConstraintDescription: must be an existing public subnet in the selected Virtual Private Cloud.
  PSK:
    Type: String
    Description: Pre Shared Key
  LeftIp:
    Type: String
    Description: Left static public ip address
  LeftSubnet:
    Type: String
    Description: Left EC2 Subnet used for IPSecVPN
  RightIp:
    Type: String
    Description: Peering public ip address
  RightSubnet:
    Type: String
    Description: Peering Subnet used for IPSecVPN
Mappings:
  AWSInstanceType2Arch:
    t2.micro:
      Arch: HVM64
    c4.large:
      Arch: HVM64
    c5.large:
      Arch: HVM64
  AWSRegionMap:
    cn-north-1: # Beijing (China)
      HVM64: ami-071e0769a839a3f0d # latest amzn2 ami
      # HVM64: ami-03ae67ee227d997be
      AWSARN: aws-cn
    cn-northwest-1: # Ningxia (China)
      HVM64: ami-0934e7d625575bb7c # latest amzn2 ami
      # HVM64: ami-00d2f9d34d345da04
      AWSARN: aws-cn
Resources:
  SecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      VpcId: !Ref VpcId
      GroupDescription: Enable tcp udp access
      SecurityGroupIngress:
        # all traffic from the peer network (arrives decapsulated from the tunnel)
        - IpProtocol: '-1'
          FromPort: '-1'
          ToPort: '-1'
          CidrIp: !Ref RightSubnet
        # ESP (IP protocol 50)
        - IpProtocol: '50'
          FromPort: '-1'
          ToPort: '-1'
          CidrIp: 0.0.0.0/0
        # IKE NAT-traversal
        - IpProtocol: udp
          FromPort: '4500'
          ToPort: '4500'
          CidrIp: 0.0.0.0/0
        - IpProtocol: icmp
          FromPort: '-1'
          ToPort: '-1'
          CidrIp: 0.0.0.0/0
        # IKE
        - IpProtocol: udp
          FromPort: '500'
          ToPort: '500'
          CidrIp: 0.0.0.0/0
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: 0.0.0.0/0
  EC2Instance:
    Type: 'AWS::EC2::Instance'
    Properties:
      ImageId: !FindInMap
        - AWSRegionMap
        - !Ref 'AWS::Region'
        - !FindInMap
          - AWSInstanceType2Arch
          - !Ref InstanceType
          - Arch
      InstanceType: !Ref InstanceType
      KeyName: !Ref KeyName
      # required so the instance may forward packets that are not addressed to itself
      SourceDestCheck: 'false'
      Tags:
        - Key: Name
          Value: IpsecInstance
      NetworkInterfaces:
        - AssociatePublicIpAddress: "true"
          DeviceIndex: "0"
          GroupSet:
            - Ref: "SecurityGroup"
          SubnetId:
            Ref: "SubnetId"
      UserData:
        Fn::Base64: !Sub
          - |
            #!/bin/bash -xe
            yum -y install openswan
            echo "${LeftIp} ${RightIp} : PSK \"${PSK}\"
            " > /etc/ipsec.secrets
            echo "config setup
              plutostderrlog=/tmp/pluto.log
            conn lan-to-lan
              auto=start #automatically start if detected
              type=tunnel #tunnel mode/not transport
              ###THIS SIDE###
              left=%defaultroute
              leftid=${LeftIp}
              leftsubnet=${LeftSubnet}
              leftnexthop=%defaultroute
              ###PEER SIDE###
              right=${RightIp}
              rightsubnet=${RightSubnet}
              #phase 1 encryption-integrity-DiffieHellman
              keyexchange=ike
              ikev2=yes
              ike=aes128-sha1;modp1024
              ikelifetime=86400s
              authby=secret #use presharedkey
              rekey=yes #should we rekey when key lifetime is about to expire
              #phase 2 encryption-pfsgroup
              phase2=esp #esp for encryption | ah for authentication only
              #phase2alg=aes192-sha1;modp1024
              phase2alg=aes256-sha1
              #phase2alg=aes128-sha1;modp1024
              pfs=no
              #forceencaps=yes
              dpddelay=10
              dpdtimeout=60
              dpdaction=restart_by_peer
              salifetime=86400s
            " > /etc/ipsec.conf
            cat > /etc/sysctl.conf <<EOF
            net.ipv4.ip_forward = 1
            net.ipv4.conf.all.accept_redirects = 0
            net.ipv4.conf.all.send_redirects = 0
            net.ipv4.conf.default.send_redirects = 0
            net.ipv4.conf.eth0.send_redirects = 0
            net.ipv4.conf.default.accept_redirects = 0
            net.ipv4.conf.eth0.accept_redirects = 0
            EOF
            # apply the forwarding settings now instead of waiting for a reboot
            sysctl -p
            systemctl enable ipsec
            systemctl start ipsec
            # clamp TCP MSS on forwarded traffic so packets fit inside the ESP overhead
            iptables -t mangle -A FORWARD -o eth0 -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1387
          - PSK: !Ref PSK
            LeftIp: !Ref LeftIp
            RightIp: !Ref RightIp
            LeftSubnet: !Ref LeftSubnet
            RightSubnet: !Ref RightSubnet

Associate the Elastic IP prepared earlier with the newly created ipsecvpn server. Note that this IP must be the local public IP you just entered as a parameter; if it is not, change it. The local public IP in ipsec.conf on the EC2 instance is this same address.

Edit the route table of the subnet where the VPN server resides and add a route to the peer network that points at the VPN instance.

Tencent Cloud-side configuration

1. Create a customer gateway (the peer public IP is the public IP of the AWS VPN server)
2. Create a VPN gateway (select IPsec and the corresponding VPC or Cloud Connect Network)
3. Create a VPN tunnel (select the customer gateway and VPN gateway just created; the IKE configuration, IPsec configuration, pre-shared key and so on must all match the AWS VPN configuration)
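As an added example (not part of the original project), the Python below parses an ipsec.conf in the form the template's UserData writes, returns the IKE/IPsec values the Tencent Cloud tunnel in step 3 has to mirror, and flags the choices in the template that deserve review before production use: SHA-1 integrity, the 1024-bit modp DH group and pfs=no. The sample configuration is constructed inline with placeholder addresses.

```python
import re

# Constructed sample mirroring what the template's UserData writes to /etc/ipsec.conf
# (inline '#' comments kept as in the template; addresses omitted as they do not matter here).
SAMPLE_CONF = """config setup
conn lan-to-lan
  auto=start #automatically start if detected
  ikev2=yes
  ike=aes128-sha1;modp1024
  ikelifetime=86400s
  phase2=esp #esp for encryption | ah for authentication only
  phase2alg=aes256-sha1
  pfs=no
  salifetime=86400s
"""

# Values negotiated between the two endpoints; the Tencent tunnel must be configured with the same ones.
PEER_KEYS = ("ikev2", "ike", "ikelifetime", "phase2", "phase2alg", "pfs", "salifetime")

def parse_conn(text, name):
    """Return the parameters of conn <name> as a dict; trailing '#' comments are dropped."""
    params, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^(conn|config)\s+(\S+)$", line)
        if m:
            current = m.group(2) if m.group(1) == "conn" else None
            continue
        if current == name and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip()] = value.strip()
    return params

def peer_settings(params):
    """Subset of the conn that the peer-side IKE/IPsec configuration has to mirror."""
    return {k: params[k] for k in PEER_KEYS if k in params}

def weak_settings(params):
    """Flag choices in the template that a reviewer should question before production use."""
    findings = []
    for key in ("ike", "phase2alg"):
        alg = params.get(key, "")
        if "sha1" in alg:
            findings.append(f"{key} uses SHA-1 integrity: {alg}")
        if "modp1024" in alg:
            findings.append(f"{key} uses a 1024-bit DH group: {alg}")
    if params.get("pfs") == "no":
        findings.append("pfs=no: child SAs get no fresh DH exchange on rekey")
    return findings
```

Run it against the file the instance actually wrote (`/etc/ipsec.conf`) to get the exact values to type into the Tencent tunnel form and a list of what to tighten once both sides can agree on stronger proposals.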

VPN server

Configuration file and