vpc-nag.pdf (application/pdf Object).
# Amazon Web Services # Virtual Private Cloud # # AWS utilizes unique identifiers to manipulate the configuration of # a VPN Connection. Each VPN Connection is assigned a VPN Connection # Identifier and is associated with two other identifiers, namely the # Customer Gateway Identifier and the Virtual Private Gateway Identifier. # # Your VPN Connection ID : vpn-44a8938f # Your Virtual Private Gateway ID : vgw-8db04f81 # Your Customer Gateway ID : cgw-b4dc3961 # # This configuration consists of two tunnels. Both tunnels must be # configured on your Customer Gateway. # # ------------------------------------------------------------------------- # IPsec Tunnel #1 API Version 2011-07-15 26 Amazon Virtual Private Cloud Network Administrator Guide A Detailed View of the Customer Gateway and an Example Configuration # ------------------------------------------------------------------------- # #1: Internet Key Exchange (IKE) Configuration # # A proposal is established for the supported IKE encryption, # authentication, Diffie-Hellman, and lifetime parameters. # set security ike proposal ike-prop-vpn-44a8938f-1 authentication-method preshared- keys set security ike proposal ike-prop-vpn-44a8938f-1 authentication-algorithm sha1 set security ike proposal ike-prop-vpn-44a8938f-1 encryption-algorithm aes-128- cbc set security ike proposal ike-prop-vpn-44a8938f-1 lifetime-seconds 28800 set security ike proposal ike-prop-vpn-44a8938f-1 dh-group group2 # An IKE policy is established to associate a Pre Shared Key with the # defined proposal. # set security ike policy ike-pol-vpn-44a8938f-1 mode main set security ike policy ike-pol-vpn-44a8938f-1 proposals ike-prop-vpn-44a8938f- 0 set security ike policy ike-pol-vpn-44a8938f-1 pre-shared-key ascii-text plaintext- password1 # The IKE gateway is defined to be the Virtual Private Gateway. The gateway # configuration associates a local interface, remote IP address, and # IKE policy. # # This example shows the outside of the tunnel as interface ge-0/0/0.0. # This should be set to the interface that IP address YOUR_UPLINK_ADDRESS is # associated with. # This address is configured with the setup for your Customer Gateway. # # If the address changes, the Customer Gateway and VPN Connection must # be recreated. set security ike gateway gw-vpn-44a8938f-1 ike-policy ike-pol-vpn-44a8938f-0 set security ike gateway gw-vpn-44a8938f-1 external-interface ge-0/0/0.0 set security ike gateway gw-vpn-44a8938f-1 address 72.21.209.225 # Troubleshooting IKE connectivity can be aided by enabling IKE tracing. # The configuration below will cause the router to log IKE messages to # the 'kmd' log. Run 'show messages kmd' to retrieve these logs. # set security ike traceoptions file kmd # set security ike traceoptions file size 1024768 # set security ike traceoptions file files 10 # set security ike traceoptions flag all # #2: IPsec Configuration # # The IPsec proposal defines the protocol, authentication, encryption, and # lifetime parameters for our IPsec security association. # set security ipsec proposal ipsec-prop-vpn-44a8938f-1 protocol esp set security ipsec proposal ipsec-prop-vpn-44a8938f-1 authentication-algorithm hmac-sha1-96 API Version 2011-07-15 27 Amazon Virtual Private Cloud Network Administrator Guide A Detailed View of the Customer Gateway and an Example Configuration set security ipsec proposal ipsec-prop-vpn-44a8938f-1 encryption-algorithm aes- 128-cbc set security ipsec proposal ipsec-prop-vpn-44a8938f-1 lifetime-seconds 3600 # The IPsec policy incorporates the Diffie-Hellman group and the IPsec # proposal. # set security ipsec policy ipsec-pol-vpn-44a8938f-1 perfect-forward-secrecy keys group2 set security ipsec policy ipsec-pol-vpn-44a8938f-1 proposals ipsec-prop-vpn- 44a8938f-0 # A security association is defined here. The IPsec Policy and IKE gateways # are associated with a tunnel interface (st0.1). # The tunnel interface ID is assumed; if other tunnels are defined on # your router, you will need to specify a unique interface name # (for example, st0.10). # set security ipsec vpn vpn-44a8938f-1 bind-interface st0.1 set security ipsec vpn vpn-44a8938f-1 ike gateway gw-vpn-44a8938f-0 set security ipsec vpn vpn-44a8938f-1 ike ipsec-policy ipsec-pol-vpn-44a8938f- 0 set security ipsec vpn vpn-44a8938f-1 df-bit clear # This option enables IPsec Dead Peer Detection, which causes periodic # messages to be sent to ensure a Security Association remains operational. # set security ike gateway gw-vpn-44a8938f-1 dead-peer-detection # #3: Tunnel Interface Configuration # # The tunnel interface is configured with the internal IP address. # set interfaces st0.1 family inet address 169.254.255.2/30 set interfaces st0.1 family inet mtu 1436 set security zones security-zone trust interfaces st0.1 # The security zone protecting external interfaces of the router must be # configured to allow IKE traffic inbound. # set security zones security-zone untrust host-inbound-traffic system-services ike # The security zone protecting internal interfaces (including the logical # tunnel interfaces) must be configured to allow BGP traffic inbound. # set security zones security-zone trust host-inbound-traffic protocols bgp # This option causes the router to reduce the Maximum Segment Size of # TCP packets to prevent packet fragmentation. # set security flow tcp-mss ipsec-vpn mss 1396 API Version 2011-07-15 28 Amazon Virtual Private Cloud Network Administrator Guide A Detailed View of the Customer Gateway and an Example Configuration # #4: Border Gateway Protocol (BGP) Configuration # # BGP is used within the tunnel to exchange prefixes between the # Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway # will announce the prefix corresponding to your VPC. # # Your Customer Gateway may announce a default route (0.0.0.0/0), # which can be done with the EXPORT-DEFAULT policy. Only one prefix is # accepted by the Virtual Private Gateway. # # The BGP timers are adjusted to provide more rapid detection of outages. # # The local BGP Autonomous System Number (ASN) (YOUR_BGP_ASN) is configured # as part of your Customer Gateway. If the ASN must be changed, the # Customer Gateway and VPN Connection will need to be recreated with AWS. # # We establish a basic route policy to export a default route to the # Virtual Private Gateway. # set policy-options policy-statement EXPORT-DEFAULT term default from routefilter 0.0.0.0/0 exact set policy-options policy-statement EXPORT-DEFAULT term default then accept set policy-options policy-statement EXPORT-DEFAULT term reject then reject set protocols bgp group ebgp type external set protocols bgp group ebgp neighbor 169.254.255.1 export EXPORT-DEFAULT set protocols bgp group ebgp neighbor 169.254.255.1 peer-as 7224 set protocols bgp group ebgp neighbor 169.254.255.1 hold-time 30 set protocols bgp group ebgp neighbor 169.254.255.1 local-as YOUR_BGP_ASN # ------------------------------------------------------------------------- # IPsec Tunnel #2 # ------------------------------------------------------------------------- # #1: Internet Key Exchange (IKE) Configuration # # A proposal is established for the supported IKE encryption, # authentication, Diffie-Hellman, and lifetime parameters. # set security ike proposal ike-prop-vpn-44a8938f-2 authentication-method preshared- keys set security ike proposal ike-prop-vpn-44a8938f-2 authentication-algorithm sha1 set security ike proposal ike-prop-vpn-44a8938f-2 encryption-algorithm aes-128- cbc set security ike proposal ike-prop-vpn-44a8938f-2 lifetime-seconds 28800 set security ike proposal ike-prop-vpn-44a8938f-2 dh-group group2 # An IKE policy is established to associate a Pre Shared Key with the # defined proposal. # API Version 2011-07-15 29 Amazon Virtual Private Cloud Network Administrator Guide A Detailed View of the Customer Gateway and an Example Configuration set security ike policy ike-pol-vpn-44a8938f-2 mode main set security ike policy ike-pol-vpn-44a8938f-2 proposals ike-prop-vpn-44a8938f- 2 set security ike policy ike-pol-vpn-44a8938f-2 pre-shared-key ascii-text plaintext- password2 # The IKE gateway is defined to be the Virtual Private Gateway. The gateway # configuration associates a local interface, remote IP address, and # IKE policy. # # This example shows the outside of the tunnel as interface ge-0/0/0.0. # This should be set to the interface that IP address YOUR_UPLINK_ADDRESS is # associated with. # This address is configured with the setup for your Customer Gateway. # # If the address changes, the Customer Gateway and VPN Connection must be recre ated. # set security ike gateway gw-vpn-44a8938f-2 ike-policy ike-pol-vpn-44a8938f-1 set security ike gateway gw-vpn-44a8938f-2 external-interface ge-0/0/0.0 set security ike gateway gw-vpn-44a8938f-2 address 72.21.209.193 # Troubleshooting IKE connectivity can be aided by enabling IKE tracing. # The configuration below will cause the router to log IKE messages to # the 'kmd' log. Run 'show messages kmd' to retrieve these logs. # set security ike traceoptions file kmd # set security ike traceoptions file size 1024768 # set security ike traceoptions file files 10 # set security ike traceoptions flag all # #2: IPsec Configuration # # The IPsec proposal defines the protocol, authentication, encryption, and # lifetime parameters for our IPsec security association. # set security ipsec proposal ipsec-prop-vpn-44a8938f-2 protocol esp set security ipsec proposal ipsec-prop-vpn-44a8938f-2 authentication-algorithm hmac-sha1-96 set security ipsec proposal ipsec-prop-vpn-44a8938f-2 encryption-algorithm aes- 128-cbc set security ipsec proposal ipsec-prop-vpn-44a8938f-2 lifetime-seconds 3600 # The IPsec policy incorporates the Diffie-Hellman group and the IPsec # proposal. # set security ipsec policy ipsec-pol-vpn-44a8938f-2 perfect-forward-secrecy keys group2 set security ipsec policy ipsec-pol-vpn-44a8938f-2 proposals ipsec-prop-vpn- 44a8938f-2 # A security association is defined here. The IPsec Policy and IKE gateways # are associated with a tunnel interface (st0.2). # The tunnel interface ID is assumed; if other tunnels are defined on # your router, you will need to specify a unique interface name # (for example, st0.20). # API Version 2011-07-15 30 Amazon Virtual Private Cloud Network Administrator Guide A Detailed View of the Customer Gateway and an Example Configuration set security ipsec vpn vpn-44a8938f-2 bind-interface st0.2 set security ipsec vpn vpn-44a8938f-2 ike gateway gw-vpn-44a8938f-2 set security ipsec vpn vpn-44a8938f-2 ike ipsec-policy ipsec-pol-vpn-44a8938f- 2 set security ipsec vpn vpn-44a8938f-2 df-bit clear # This option enables IPsec Dead Peer Detection, which causes periodic # messages to be sent to ensure a Security Association remains operational. # set security ike gateway gw-vpn-44a8938f-2 dead-peer-detection # #3: Tunnel Interface Configuration # # The tunnel interface is configured with the internal IP address. # set interfaces st0.2 family inet address 169.254.255.6/30 set interfaces st0.2 family inet mtu 1436 set security zones security-zone trust interfaces st0.2 # The security zone protecting external interfaces of the router must be # configured to allow IKE traffic inbound. # set security zones security-zone untrust host-inbound-traffic system-services ike # The security zone protecting internal interfaces (including the logical # tunnel interfaces) must be configured to allow BGP traffic inbound. # set security zones security-zone trust host-inbound-traffic protocols bgp # This option causes the router to reduce the Maximum Segment Size of # TCP packets to prevent packet fragmentation. # set security flow tcp-mss ipsec-vpn mss 1396 # #4: Border Gateway Protocol (BGP) Configuration # # BGP is used within the tunnel to exchange prefixes between the # Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway # will announce the prefix corresponding to your VPC. # # Your Customer Gateway may announce a default route (0.0.0.0/0), # which can be done with the EXPORT-DEFAULT policy. Only one prefix is # accepted by the Virtual Private Gateway. # # The BGP timers are adjusted to provide more rapid detection of outages. # # The local BGP Autonomous System Number (ASN) (YOUR_BGP_ASN) is configured # as part of your Customer Gateway. If the ASN must be changed, the API Version 2011-07-15 31 Amazon Virtual Private Cloud Network Administrator Guide A Detailed View of the Customer Gateway and an Example Configuration # Customer Gateway and VPN Connection will need to be recreated with AWS. # # We establish a basic route policy to export a default route to the # Virtual Private Gateway. # set policy-options policy-statement EXPORT-DEFAULT term default from routefilter 0.0.0.0/0 exact set policy-options policy-statement EXPORT-DEFAULT term default then accept set policy-options policy-statement EXPORT-DEFAULT term reject then reject set protocols bgp group ebgp type external set protocols bgp group ebgp neighbor 169.254.255.5 export EXPORT-DEFAULT set protocols bgp group ebgp neighbor 169.254.255.5 peer-as 7224 set protocols bgp group ebgp neighbor 169.254.255.5 hold-time 30 set protocols bgp group ebgp neighbor 169.254.255.5 local-as YOUR_BGP_ASN # ------------------------------------------------------------------------- # Additional Notes and Questions # - Amazon Virtual Private Cloud Getting Started Guide: # http://docs.amazonwebservices.com/AWSVPC/latest/GettingStartedGuide