pfsenseを使用したAmazonVPCへのVpnトンネル
オフィスとAmazonVPCの間にipsecトンネルを作成しようとしています。しかし、私はこれまでipsecを使用したことがないので、迷っています。
ゲートウェイ/ファイアウォールは、FreeBSD8.3-RELEASE-p16でpfsense2.1.3-RELEASE(i386)を実行しています。
オフィスネットワークは192.168.1.0/24と192.168.2.0/24(OpenVPNクライアント)を使用します。 VPCは10.0.0.0/24を使用します。 VPCゲートウェイは静的ルートを使用します。
異なるガイドでトンネルを作成する方法を読み込もうとしましたが、ipsecの動作についてほとんど混乱しています。または、ガイドがpfsense/awsの異なるバージョン用であり、理解が不足しているため、翻訳に苦労しています。それ。一部のガイドは仮想IPについて説明し、一部は説明しません。
ですから、ここにいる誰かがpfsenseでトンネルを作成するためのステップバイステップガイドを作成して、物事がどのように機能するかを少し説明してくれるかどうか、謙虚に尋ねます。
これは私がAmazonから入手した構成ガイドです(資格情報とOffice IPが難読化されています)
IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration Configure the IKE SA as follows
- Authentication Method : Pre-Shared Key
- Pre-Shared Key :
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2
#2: IPSec Configuration
Configure the IPSec SA as follows:
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2 IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We recommend configuring DPD on your endpoint as follows:
- DPD Interval : 10
- DPD Retries : 3
IPSec ESP (Encapsulating Security Payload) inserts additional headers to transmit packets. These headers require additional space, which reduces the amount of space available to transmit application data. To limit the impact of this behavior, we recommend the following configuration on your Customer Gateway:
- TCP MSS Adjustment : 1387 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation : Before encryption
#3: Tunnel Interface Configuration
Your Customer Gateway must be configured with a tunnel interface that is associated with the IPSec tunnel. All traffic transmitted to the tunnel interface is encrypted and transmitted to the Virtual Private Gateway.
The Customer Gateway and Virtual Private Gateway each have two addresses that relate to this IPSec tunnel. Each contains an outside address, upon which encrypted traffic is exchanged. Each also contain an inside address associated with the tunnel interface. The Customer Gateway outside IP address was provided when the Customer Gateway was created. Changing the IP address requires the creation of a new Customer Gateway.
The Customer Gateway inside IP address should be configured on your tunnel interface.
Outside IP Addresses:
- Customer Gateway : x.x.x.x
- Virtual Private Gateway : y.y.y.y
Inside IP Addresses
- Customer Gateway : 169.254.254.62/30
- Virtual Private Gateway : 169.254.254.61/30
Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes
#4: Static Routing Configuration:
To route traffic between your internal network and your VPC, you will need a static route added to your router.
Static Route Configuration Options:
- Next hop : 169.254.254.61 You should add static routes towards your internal network on the VGW. The VGW will then send traffic towards your internal network over the tunnels.
IPSec Tunnel #2
================================================================================
#1: Internet Key Exchange Configuration Configure the IKE SA as follows
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : xxxx
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2
#2: IPSec Configuration
Configure the IPSec SA as follows:
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2 IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We recommend configuring DPD on your endpoint as follows:
- DPD Interval : 10
- DPD Retries : 3
IPSec ESP (Encapsulating Security Payload) inserts additional headers to transmit packets. These headers require additional space, which reduces the amount of space available to transmit application data. To limit the impact of this behavior, we recommend the following configuration on your Customer Gateway:
- TCP MSS Adjustment : 1387 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation : Before encryption
#3: Tunnel Interface Configuration
Your Customer Gateway must be configured with a tunnel interface that is associated with the IPSec tunnel. All traffic transmitted to the tunnel interface is encrypted and transmitted to the Virtual Private Gateway.
The Customer Gateway and Virtual Private Gateway each have two addresses that relate to this IPSec tunnel. Each contains an outside address, upon which encrypted traffic is exchanged. Each also contain an inside address associated with the tunnel interface. The Customer Gateway outside IP address was provided when the Customer Gateway was created. Changing the IP address requires the creation of a new Customer Gateway.
The Customer Gateway inside IP address should be configured on your tunnel interface.
Outside IP Addresses:
- Customer Gateway : x.x.x.x
- Virtual Private Gateway : z.z.z.z
Inside IP Addresses
- Customer Gateway : 169.254.254.58/30
- Virtual Private Gateway : 169.254.254.57/30
Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes
#4: Static Routing Configuration:
To route traffic between your internal network and your VPC, you will need a static route added to your router.
Static Route Configuration Options:
- Next hop : 169.254.254.57 You should add static routes towards your internal network on the VGW. The VGW will then send traffic towards your internal network over the tunnels.
PFSenseで構成されたAWSへのIPSecを取得しました。
クリックバイクリックガイドを提供するつもりはありませんが、作業構成がどのように見えるかをお見せすることができます。 %%で埋め込まれた変数を置き換える
PH1
<phase1>
<ikeid>6</ikeid>
<interface>lan</interface>
<remote-gateway>%%AWS_GW_IP%%</remote-gateway>
<mode>main</mode>
<protocol>inet</protocol>
<myid_type>myaddress</myid_type>
<myid_data/>
<peerid_type>peeraddress</peerid_type>
<peerid_data/>
<encryption-algorithm>
<name>aes</name>
<keylen>128</keylen>
</encryption-algorithm>
<hash-algorithm>sha1</hash-algorithm>
<dhgroup>2</dhgroup>
<lifetime>28800</lifetime>
<pre-shared-key>%%AWS_PSK%%</pre-shared-key>
<private-key/>
<certref/>
<caref/>
<authentication_method>pre_shared_key</authentication_method>
<generate_policy/>
<proposal_check/>
<descr><![CDATA[ VPC AWS ]]></descr>
<nat_traversal>off</nat_traversal>
<dpd_delay>10</dpd_delay>
<dpd_maxfail>2</dpd_maxfail>
</phase1>
PH2
<phase2>
<ikeid>6</ikeid>
<mode>tunnel</mode>
<localid>
<type>network</type>
<address>%%YOUR_NETWORK%%</address>
<netbits>%%MASK%%</netbits>
</localid>
<remoteid>
<type>network</type>
<address>%%VPC_NETWORK%%</address>
<netbits>%%MASK%%</netbits>
</remoteid>
<protocol>esp</protocol>
<encryption-algorithm-option>
<name>aes</name>
<keylen>128</keylen>
</encryption-algorithm-option>
<hash-algorithm-option>hmac_sha1</hash-algorithm-option>
<pfsgroup>2</pfsgroup>
<lifetime>3600</lifetime>
<pinghost>%%Host TO CHECK%%</pinghost>
<descr><![CDATA[VPC AWS]]></descr>
</phase2>
私の知る限り、2つのトンネルを構成して冗長に機能させることは、PFでは不可能です。