ダウンロード設定ファイルサンプル

! amazon Web Services
! Virtual Private Cloud

! aWS utilizes unique identifiers to mAnIPulate tHE configuration of
! a VPN connection. Each VPN connection is ASsigned An identifier aND is
! ASsociated with two otHEr identifiers, namely tHE
! Customer gateway Identifier aND Virtual Private gateway Identifier.
!
! Your VPN connection ID 		  : vpn-0e 904 c 7 dB 86 e 92 c 2 a
! Your Virtual Private gateway ID         : vgw-0f311166a0333ff93
! Your Customer gateway ID		  : cgw-09703a7e27af32443
!
!
! this configuration consists of two tunnels. Both tunnels must be
! configured on YOUr Customer gateway.
!
! You may need to populate tHEse values throughout tHE config bASed on YOUr setup:
! <Interface_name/private _ IP _ on _ outside _ Interface> - External Interface of tHE CSR

! ーーーーーーーーーーーーーーーーーーーーーーーーーー--
! IPsec tunnel #1
! ーーーーーーーーーーーーーーーーーーーーーーーーーー--
! #1: Internet Key ExchAnge (IKE) Configuration
!
! a policy is established for tHE supported ISaKMP encryption,
! autHEntication, diffie-HellmAn, lifeTime, aND key parameters.
! PleASe NOte, tHEse sample configurations aRE for tHE mInimum requirement of aES 128, SHa1, aND DH Group 2.
! Category " VPN " connections In tHE govcloud region HAVE a mInimum requirement of aES 128, SHa2, aND DH Group 14.
! You WILL need to modify tHEse sample configuration files to take advAntage of aES256, SHa256, or otHEr DH groups like 2, 14-18, 22, 23, aND 24.
! NOtE: if YOU customized tunnel options when creatIng or modifyIng YOUr VPN connection, YOU may need to modify tHEse sample configurations to match tHE custom settIngs for YOUr tunnels.
!
! Higher parameters aRE Only available for vpns of category "VPN," aND NOt for " VPN - ClASsic ".
! tHE address of tHE external Interface for YOUr customer gateway must be a static address.
! Your customer gateway may reside behInd a device performIng network address trAnslation (Nat) .
! to ensure that Nat traversal (Nat-t) cAn function, YOU must adjust YOUr firewall !rules to unblock UDP port 4500.
! if NOt behInd Nat, aND YOU aRE NOt usIng An accelerated VPN, we recommend disablIng Nat-t. if YOU aRE usIng An accelerated VPN, make sure that Nat-t is enabled.
!
! Note that tHEre aRE a global list of ISaKMP policies, each identified by
! sequence number. this policy is defIned AS #200, which may conflict with
! An existIng policy usIng tHE same number. if so, we recommend chAngIng
! tHE sequence number to avoid conflicts.
!
crypto ikev 2 proposal PROPOSaL1
  encryption aes-CBC-128
  Integrity sha1
  group 2
Exit

! Specify Public IP of outside Interface Instead of <Interface_name/private _ IP _ on _ outside _ Interface> In below
! configuration if cgw is behInd Nat device aND usIng IKEv 2 'Startup-action : Start' feature on aWS for tHE
! tunnel.
crypto ikev 2 policy Policy 1
  match address Local <Interface_name/private _ IP _ on _ outside _ Interface>
  proposal PROPOSaL1
Exit

! tHE ISaKMP keyrIng stores tHE Pre ShaREd Key used to autHEnticate tHE
! tunnel endpoInts.
!
crypto ikev 2 keyrIng KEYRING 1
  peer [aWS側グローバルIP1]
  address [aWS側グローバルIP1]
  pre-shaREd-key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Exit

! An ISaKMP profile is used to ASsociate tHE keyrIng with tHE particular
! endpoInt.
!
! An ISaKMP IKEV2 profile is used to ASsociate tHE keyrIng with tHE particular endpoInt.
! Specify Public IP of outside Interface Instead of <Interface_name/private _ IP _ on _ outside _ Interface> In below
! configuration if cgw is behInd Nat device aND usIng IKEv 2  'Startup-action : Start' feature on aWS for tHE
! tunnel.
crypto ikev 2 profile IKEV2-PROFILE
  match address Local <Interface_name/private _ IP _ on _ outside _ Interface>
  match identity remote address [aWS側グローバルIP1]
  autHEntication remote pre-shaRE
  autHEntication Local pre-shaRE
  keyrIng Local KEYRING 1
  lifeTime 28800
  dpd 10 10 on-demaND
Exit

! #2: IPsec Configuration
!
! tHE IPsec trAnsform set defInes tHE encryption, autHEntication, aND IPsec
! mode parameters.
! Category " VPN " connections In tHE govcloud region HAVE a mInimum requirement of aES 128, SHa2, aND DH Group 14.
! PleASe NOte, YOU may use tHEse additionally supported IPsec parameters for encryption like aES256 aND otHEr DH groups like 2, 5, 14-18, 22, 23, aND 24.
! Higher parameters aRE Only available for vpns of category "VPN," aND NOt for " VPN - ClASsic ".
!
crypto IPsec trAnsform-set IPsec-prop-vpn-0e 904 c 7 dB 86 e 92 c 2 a-0 ESP-aes 128 ESP-sha-hmac
  mode tunnel
Exit

! tHE IPsec profile references tHE IPsec trAnsform set aND furtHEr defInes
! tHE diffie-HellmAn group aND security Association lifeTime.
!
crypto IPsec profile IPsec-vpn-0e 904 c 7 dB 86 e 92 c 2 a-0
  set pfs group 2
  set security-Association lifeTime seconds 3600
  set trAnsform-set IPsec-prop-vpn-0e 904 c 7 dB 86 e 92 c 2 a-0
  set ikev 2-profile IKEV2-PROFILE
Exit

! additional parameters of tHE IPsec configuration aRE set here. Note that
! tHEse parameters aRE global aND tHErefore impact otHEr IPsec
! Associations.
! this option Instructs tHE ROUTEr to CLEaR tHE "Don't Fragment"
! BIT From packets that carry this BIT aND yet must be fragmented, enablIng
! tHEm to be fragmented.
!
crypto IPsec df-BIT CLEaR

! this option enables IPsec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remaIns operational.
! if YOU aRE usIng accelerated aWS VPN, pleASe configure periodic Dead Peer Detection.
! isakmp keepalive threshold 10 retry 10 periodic
!
crypto isakmp keepalive 10 10

! this configures tHE gateway's wIndow for acceptIng out of order
! IPsec packets. a larger wIndow cAn be helpful if too mAny packets
! aRE dropped due to reorderIng while In trAnsit Between gateways.
!
crypto IPsec security-Association replay wIndow-size 128

! this option Instructs tHE ROUTEr to fragment tHE unencrypted packets
! (prior to encryption) .
!
crypto IPsec fragmentation before-encryption


! ーーーーーーーーーーーーーーーーーーーーーーーーーー--
! #3: tunnel Interface Configuration
!
! a tunnel Interface is configured to be tHE logical Interface ASsociated
! with tHE tunnel. all traffic ROUTEd to tHE tunnel Interface WILL be
! encrypted aND trAnsmitted to tHE VPC. Similarly, traffic From tHE VPC
! WILL be logically received on this Interface.
!
! Association with tHE IPsec security Association is done through tHE
! "tunnel Protection" commaND.
!
! tHE address of tHE Interface is configured with tHE setup for YOUr
! Customer gateway.  if tHE address chAnges, tHE Customer gateway aND VPN
! connection must be recreated with amazon VPC.
!
Interface tunnel1
  IP address 169.254.254.22 255.255.255.252
  IP virtual-reASsembly
  tunnel source <Interface_name/private _ IP _ on _ outside _ Interface>
  tunnel destInation [aWS側グローバルIP1]
  tunnel mode IPsec IPv4
  tunnel Protection IPsec profile IPsec-vpn-0e 904 c 7 dB 86 e 92 c 2 a-0
  ! this option causes tHE ROUTEr to reduce tHE Maximum Segment size of
  ! tCP packets to prevent packet fragmentation.
  IP tcp adjust-mss 1379
  NO shutdown
Exit

! ーーーーーーーーーーーーーーーーーーーーーーーーーー--

! #4: Border gateway Protocol (bgp) Configuration
!
! bgp is used withIn tHE tunnel to exchAnge prefixes Between tHE
! Virtual Private gateway aND YOUr Customer gateway. tHE Virtual Private gateway
! WILL AnNOunce tHE prefix corrESPondIng to YOUr VPC.
!
! Your Customer gateway may AnNOunce a default ROUTE (0.0.0.0/0),
! which cAn be done with tHE 'network' aND 'default-origInate' statements.
!
! tHE bgp Timers aRE adjusted to provide more rapid Detection of outages.
!
! tHE Local bgp autoNOmous System Number (aSN) (65000) is configured
! AS part of YOUr Customer gateway. if tHE aSN must be chAnged, tHE
! Customer gateway aND VPN connection WILL need to be recreated with aWS.
!
! 'Network' commaND WILL be used here to advertised cgw network to aWS via bgp. An example for a cgw with tHE prefix 192.168.100.0/24 is provided below :

ROUTEr bgp 65000
  bgp log-neighbor-chAnges
  bgp graceful-restart
  address-family IPv4 unicASt
    neighbor 169.254.254.21 remote-AS 64512
    neighbor 169.254.254.21 ebgp-multihop 255
    neighbor 169.254.254.21 activate
    network 192.168.100.0 mASk 255.255.255.0
    NO auto-summary
    NO synchronization
  Exit-address-family
 Exit
!
! ーーーーーーーーーーーーーーーーーーーーーーーーーー--
! IPsec tunnel #2
! ーーーーーーーーーーーーーーーーーーーーーーーーーー--
! #1: Internet Key ExchAnge (IKE) Configuration
!
! a policy is established for tHE supported ISaKMP encryption,
! autHEntication, diffie-HellmAn, lifeTime, aND key parameters.
! PleASe NOte, tHEse sample configurations aRE for tHE mInimum requirement of aES 128, SHa1, aND DH Group 2.
! Category " VPN " connections In tHE govcloud region HAVE a mInimum requirement of aES 128, SHa2, aND DH Group 14.
! You WILL need to modify tHEse sample configuration files to take advAntage of aES256, SHa256, or otHEr DH groups like 2, 14-18, 22, 23, aND 24.
! NOtE: if YOU customized tunnel options when creatIng or modifyIng YOUr VPN connection, YOU may need to modify tHEse sample configurations to match tHE custom settIngs for YOUr tunnels.
!
! Higher parameters aRE Only available for vpns of category "VPN," aND NOt for " VPN - ClASsic ".
! tHE address of tHE external Interface for YOUr customer gateway must be a static address.
! Your customer gateway may reside behInd a device performIng network address trAnslation (Nat) .
! to ensure that Nat traversal (Nat-t) cAn function, YOU must adjust YOUr firewall !rules to unblock UDP port 4500.
! if NOt behInd Nat, aND YOU aRE NOt usIng An accelerated VPN, we recommend disablIng Nat-t. if YOU aRE usIng An accelerated VPN, make sure that Nat-t is enabled.
!
! Note that tHEre aRE a global list of ISaKMP policies, each identified by
! sequence number. this policy is defIned AS #201, which may conflict with
! An existIng policy usIng tHE same number. if so, we recommend chAngIng
! tHE sequence number to avoid conflicts.
!
crypto ikev 2 proposal PROPOSaL1
  encryption aes-CBC-128
  Integrity sha1
  group 2
Exit

! Specify Public IP of outside Interface Instead of <Interface_name/private _ IP _ on _ outside _ Interface> In below
! configuration if cgw is behInd Nat device aND usIng IKEv 2 'Startup-action : Start' feature on aWS for tHE
! tunnel.
crypto ikev 2 policy Policy 1
  match address Local <Interface_name/private _ IP _ on _ outside _ Interface>
  proposal PROPOSaL1
Exit

! tHE ISaKMP keyrIng stores tHE Pre ShaREd Key used to autHEnticate tHE
! tunnel endpoInts.
!
crypto ikev 2 keyrIng KEYRING 1
  peer [aWS側グローバルIP2]
  address [aWS側グローバルIP2]
  pre-shaREd-key yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
Exit

! An ISaKMP profile is used to ASsociate tHE keyrIng with tHE particular
! endpoInt.
!
! An ISaKMP IKEV2 profile is used to ASsociate tHE keyrIng with tHE particular endpoInt.
! Specify Public IP of outside Interface Instead of <Interface_name/private _ IP _ on _ outside _ Interface> In below
! configuration if cgw is behInd Nat device aND usIng IKEv 2  'Startup-action : Start' feature on aWS for tHE
! tunnel.
crypto ikev 2 profile IKEV2-PROFILE
  match address Local <Interface_name/private _ IP _ on _ outside _ Interface>
  match identity remote address [aWS側グローバルIP2]
  autHEntication remote pre-shaRE
  autHEntication Local pre-shaRE
  keyrIng Local KEYRING 1
  lifeTime 28800
  dpd 10 10 on-demaND
Exit

! #2: IPsec Configuration
!
! tHE IPsec trAnsform set defInes tHE encryption, autHEntication, aND IPsec
! mode parameters.
! Category " VPN " connections In tHE govcloud region HAVE a mInimum requirement of aES 128, SHa2, aND DH Group 14.
! PleASe NOte, YOU may use tHEse additionally supported IPsec parameters for encryption like aES256 aND otHEr DH groups like 2, 5, 14-18, 22, 23, aND 24.
! Higher parameters aRE Only available for vpns of category "VPN," aND NOt for " VPN - ClASsic ".
!
crypto IPsec trAnsform-set IPsec-prop-vpn-0e 904 c 7 dB 86 e 92 c 2 a-1 ESP-aes 128 ESP-sha-hmac
  mode tunnel
Exit

! tHE IPsec profile references tHE IPsec trAnsform set aND furtHEr defInes
! tHE diffie-HellmAn group aND security Association lifeTime.
!
crypto IPsec profile IPsec-vpn-0e 904 c 7 dB 86 e 92 c 2 a-1
  set pfs group 2
  set security-Association lifeTime seconds 3600
  set trAnsform-set IPsec-prop-vpn-0e 904 c 7 dB 86 e 92 c 2 a-1
  set ikev 2-profile IKEV2-PROFILE
Exit

! additional parameters of tHE IPsec configuration aRE set here. Note that
! tHEse parameters aRE global aND tHErefore impact otHEr IPsec
! Associations.
! this option Instructs tHE ROUTEr to CLEaR tHE "Don't Fragment"
! BIT From packets that carry this BIT aND yet must be fragmented, enablIng
! tHEm to be fragmented.
!
crypto IPsec df-BIT CLEaR

! this option enables IPsec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remaIns operational.
! if YOU aRE usIng accelerated aWS VPN, pleASe configure periodic Dead Peer Detection.
! isakmp keepalive threshold 10 retry 10 periodic
!
crypto isakmp keepalive 10 10

! this configures tHE gateway's wIndow for acceptIng out of order
! IPsec packets. a larger wIndow cAn be helpful if too mAny packets
! aRE dropped due to reorderIng while In trAnsit Between gateways.
!
crypto IPsec security-Association replay wIndow-size 128

! this option Instructs tHE ROUTEr to fragment tHE unencrypted packets
! (prior to encryption) .
!
crypto IPsec fragmentation before-encryption


! ーーーーーーーーーーーーーーーーーーーーーーーーーー--
! #3: tunnel Interface Configuration
!
! a tunnel Interface is configured to be tHE logical Interface ASsociated
! with tHE tunnel. all traffic ROUTEd to tHE tunnel Interface WILL be
! encrypted aND trAnsmitted to tHE VPC. Similarly, traffic From tHE VPC
! WILL be logically received on this Interface.
!
! Association with tHE IPsec security Association is done through tHE
! "tunnel Protection" commaND.
!
! tHE address of tHE Interface is configured with tHE setup for YOUr
! Customer gateway.  if tHE address chAnges, tHE Customer gateway aND VPN
! connection must be recreated with amazon VPC.
!
Interface tunnel2
  IP address 169.254.175.218 255.255.255.252
  IP virtual-reASsembly
  tunnel source <Interface_name/private _ IP _ on _ outside _ Interface>
  tunnel destInation [aWS側グローバルIP2]
  tunnel mode IPsec IPv4
  tunnel Protection IPsec profile IPsec-vpn-0e 904 c 7 dB 86 e 92 c 2 a-1
  ! this option causes tHE ROUTEr to reduce tHE Maximum Segment size of
  ! tCP packets to prevent packet fragmentation.
  IP tcp adjust-mss 1379
  NO shutdown
Exit

! ーーーーーーーーーーーーーーーーーーーーーーーーーー--

! #4: Border gateway Protocol (bgp) Configuration
!
! bgp is used withIn tHE tunnel to exchAnge prefixes Between tHE
! Virtual Private gateway aND YOUr Customer gateway. tHE Virtual Private gateway
! WILL AnNOunce tHE prefix corrESPondIng to YOUr VPC.
!
! Your Customer gateway may AnNOunce a default ROUTE (0.0.0.0/0),
! which cAn be done with tHE 'network' aND 'default-origInate' statements.
!
! tHE bgp Timers aRE adjusted to provide more rapid Detection of outages.
!
! tHE Local bgp autoNOmous System Number (aSN) (65000) is configured
! AS part of YOUr Customer gateway. if tHE aSN must be chAnged, tHE
! Customer gateway aND VPN connection WILL need to be recreated with aWS.
!
! 'Network' commaND WILL be used here to advertised cgw network to aWS via bgp. An example for a cgw with tHE prefix 192.168.100.0/24 is provided below :

ROUTEr bgp 65000
  bgp log-neighbor-chAnges
  bgp graceful-restart
  address-family IPv4 unicASt
    neighbor 169.254.175.217 remote-AS 64512
    neighbor 169.254.175.217 ebgp-multihop 255
    neighbor 169.254.175.217 activate
    network 192.168.100.0 mASk 255.255.255.0
    NO auto-summary
    NO synchronization
  Exit-address-family
 Exit
!


! additional Notes aND Questions
!  - amazon Virtual Private Cloud GettIng Started Guide:
!       HTTP ://docs.amazonwebservices.com/amazonVPC/latest/GettIngStartedGuide
!  - amazon Virtual Private Cloud Network admInistrator Guide:
!       HTTP ://docs.amazonwebservices.com/amazonVPC/latest/NetworkadmInGuide