AWS VPN: how to connect
How do I connect to an AWS instance VPN from an Ubuntu desktop?
I have configured a Virtual Private Gateway, a Customer Gateway and a VPN connection.
The security group allows all traffic, and so does the ACL.
Here is my VPN configuration.
! Amazon Web Services
! Virtual Private Cloud
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID : vpn-c9562082
! Your Virtual Private Gateway ID : vgw-e0704394
! Your Customer Gateway ID : cgw-d73201a3
!
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
! Note that there are a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #200, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto isakmp policy 200
encryption aes 128
authentication pre-share
group 2
lifetime 28800
hash sha
exit
! The ISAKMP keyring stores the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
crypto keyring keyring-vpn-c9562082-0
local-address 193.145.247.253
pre-shared-key address 52.30.80.142 key YsTEH4xu5t2Z7F.QtkvXy4NsSJ9fRJe2
exit
! An ISAKMP profile is used to associate the keyring with the particular
! endpoint.
!
crypto isakmp profile isakmp-vpn-c9562082-0
local-address 193.145.247.253
match identity address 52.30.80.142
keyring keyring-vpn-c9562082-0
exit
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
crypto ipsec transform-set ipsec-prop-vpn-c9562082-0 esp-aes 128 esp-sha-hmac
mode tunnel
exit
! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-c9562082-0
set pfs group2
set security-association lifetime seconds 3600
set transform-set ipsec-prop-vpn-c9562082-0
exit
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
crypto isakmp keepalive 10 10 on-demand
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
!
crypto ipsec fragmentation before-encryption
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
interface Tunnel1
ip address 169.254.20.134 255.255.255.252
ip virtual-reassembly
tunnel source 193.145.247.253
tunnel destination 52.30.80.142
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-c9562082-0
! This option causes the router to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
ip tcp adjust-mss 1387
no shutdown
exit
! --------------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
! will announce the prefix corresponding to your VPC.
!
! Your Customer Gateway may announce a default route (0.0.0.0/0),
! which can be done with the 'network' and 'default-originate' statements.
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (65000) is configured
! as part of your Customer Gateway. If the ASN must be changed, the
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!
router bgp 65000
neighbor 169.254.20.133 remote-as 9059
neighbor 169.254.20.133 activate
neighbor 169.254.20.133 timers 10 30 30
address-family ipv4 unicast
neighbor 169.254.20.133 remote-as 9059
neighbor 169.254.20.133 timers 10 30 30
neighbor 169.254.20.133 default-originate
neighbor 169.254.20.133 activate
neighbor 169.254.20.133 soft-reconfiguration inbound
! To advertise additional prefixes to Amazon VPC, copy the 'network' statement
! and identify the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop.
network 0.0.0.0
exit
exit
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
! Note that there are a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #201, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto isakmp policy 201
encryption aes 128
authentication pre-share
group 2
lifetime 28800
hash sha
exit
! The ISAKMP keyring stores the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
crypto keyring keyring-vpn-c9562082-1
local-address 193.145.247.253
pre-shared-key address 52.30.118.25 key 5_KiSCRDEgIebtEdblX3Bu7k.QnPQYnf
exit
! An ISAKMP profile is used to associate the keyring with the particular
! endpoint.
!
crypto isakmp profile isakmp-vpn-c9562082-1
local-address 193.145.247.253
match identity address 52.30.118.25
keyring keyring-vpn-c9562082-1
exit
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
crypto ipsec transform-set ipsec-prop-vpn-c9562082-1 esp-aes 128 esp-sha-hmac
mode tunnel
exit
! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-c9562082-1
set pfs group2
set security-association lifetime seconds 3600
set transform-set ipsec-prop-vpn-c9562082-1
exit
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
crypto isakmp keepalive 10 10 on-demand
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
!
crypto ipsec fragmentation before-encryption
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
interface Tunnel2
ip address 169.254.20.226 255.255.255.252
ip virtual-reassembly
tunnel source 193.145.247.253
tunnel destination 52.30.118.25
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-c9562082-1
! This option causes the router to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
ip tcp adjust-mss 1387
no shutdown
exit
! --------------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
! will announce the prefix corresponding to your VPC.
!
! Your Customer Gateway may announce a default route (0.0.0.0/0),
! which can be done with the 'network' and 'default-originate' statements.
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (65000) is configured
! as part of your Customer Gateway. If the ASN must be changed, the
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!
router bgp 65000
neighbor 169.254.20.225 remote-as 9059
neighbor 169.254.20.225 activate
neighbor 169.254.20.225 timers 10 30 30
address-family ipv4 unicast
neighbor 169.254.20.225 remote-as 9059
neighbor 169.254.20.225 timers 10 30 30
neighbor 169.254.20.225 default-originate
neighbor 169.254.20.225 activate
neighbor 169.254.20.225 soft-reconfiguration inbound
! To advertise additional prefixes to Amazon VPC, copy the 'network' statement
! and identify the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop.
network 0.0.0.0
exit
exit
!
! Additional Notes and Questions
! - Amazon Virtual Private Cloud Getting Started Guide:
! http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
! - Amazon Virtual Private Cloud Network Administrator Guide:
! http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
! - XSL Version: 2009-07-15-1119716
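The configuration above is what AWS generates for a Cisco IOS customer gateway: two independent IPsec tunnels, each with its own keyring, IPsec profile, tunnel interface on a /30 link and BGP neighbour. Before loading such a file onto a router it is worth checking that the two halves are consistent with each other. The script below is an added example, not part of the question or of AWS's generator: it parses the section structure of the config (blocks closed by `exit`, with indentation ignored so it also works on the whitespace-stripped copy above), then checks that the two tunnels terminate on different peers, that every peer has a keyring entry whose key is not a placeholder, and that the BGP neighbour for each tunnel is the other address of that tunnel's /30. The sample config is a trimmed copy of the one above with the pre-shared keys replaced by placeholders; the function names are my own.

```python
import ipaddress
import re

# Constructed sample input: a trimmed copy of the AWS-generated Cisco IOS
# customer gateway config from the question, keeping only the statements the
# checks read, with the pre-shared keys replaced by obvious placeholders.
SAMPLE_CONFIG = """\
crypto keyring keyring-vpn-c9562082-0
pre-shared-key address 52.30.80.142 key PLACEHOLDER_PSK_0
exit
crypto ipsec df-bit clear
interface Tunnel1
ip address 169.254.20.134 255.255.255.252
tunnel destination 52.30.80.142
tunnel protection ipsec profile ipsec-vpn-c9562082-0
exit
router bgp 65000
neighbor 169.254.20.133 remote-as 9059
exit
crypto keyring keyring-vpn-c9562082-1
pre-shared-key address 52.30.118.25 key PLACEHOLDER_PSK_1
exit
interface Tunnel2
ip address 169.254.20.226 255.255.255.252
tunnel destination 52.30.118.25
tunnel protection ipsec profile ipsec-vpn-c9562082-1
exit
router bgp 65000
neighbor 169.254.20.225 remote-as 9059
exit
"""

# Statements that open a block closed by 'exit'. Anything else at top level
# (e.g. 'crypto ipsec df-bit clear' or 'crypto isakmp keepalive') is a
# one-line global command and must not swallow the lines after it.
SECTION_OPENERS = ("crypto keyring", "crypto isakmp policy", "crypto isakmp profile",
                   "crypto ipsec profile", "crypto ipsec transform-set",
                   "interface ", "router bgp")


def parse_config(text):
    """Group the config into (header, body_lines) blocks, ignoring indentation and
    '!' comments. A nested 'exit' (address-family) closes the enclosing block
    early, which does not lose any of the facts collected below."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "exit":
            if current:
                sections.append(current)
            current = None
        elif current is None and line.startswith(SECTION_OPENERS):
            current = (line, [])
        elif current is not None:
            current[1].append(line)
    return sections


def tunnel_facts(sections):
    """Collect pre-shared keys per peer, configured BGP neighbours and per-tunnel data."""
    psk_by_peer, neighbors, tunnels = {}, set(), []
    for header, body in sections:
        if header.startswith("crypto keyring"):
            for m in (re.match(r"pre-shared-key address (\S+) key (\S+)", ln) for ln in body):
                if m:
                    psk_by_peer[m.group(1)] = m.group(2)
        elif header.startswith("router bgp"):
            neighbors.update(ln.split()[1] for ln in body if ln.startswith("neighbor "))
        elif header.startswith("interface Tunnel"):
            t = {"name": header.split()[-1]}
            for ln in body:
                words = ln.split()
                if ln.startswith("ip address "):
                    t["inside"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
                elif ln.startswith("tunnel destination "):
                    t["peer"] = words[-1]
            tunnels.append(t)
    return psk_by_peer, neighbors, tunnels


def check_tunnels(text):
    """Return findings; an empty list means the two-tunnel layout is consistent."""
    psk_by_peer, neighbors, tunnels = tunnel_facts(parse_config(text))
    findings = []
    peers = [t.get("peer") for t in tunnels]
    if len(tunnels) != 2:
        findings.append(f"expected 2 tunnels, found {len(tunnels)}")
    if len(set(peers)) != len(peers):
        findings.append("tunnels share a destination; redundancy is lost")
    for t in tunnels:
        name, peer, inside = t["name"], t.get("peer"), t.get("inside")
        if peer not in psk_by_peer:
            findings.append(f"{name}: no keyring entry for peer {peer}")
        elif psk_by_peer[peer].startswith("PLACEHOLDER"):
            findings.append(f"{name}: pre-shared key for {peer} is still a placeholder")
        if inside is None or inside.network.prefixlen != 30:
            findings.append(f"{name}: inside address is not a /30 link")
            continue
        # The BGP peer is the other usable address of the /30 inside the tunnel.
        expected = next(str(h) for h in inside.network.hosts() if h != inside.ip)
        if expected not in neighbors:
            findings.append(f"{name}: BGP neighbor {expected} is not configured")
    return findings


if __name__ == "__main__":
    for finding in check_tunnels(SAMPLE_CONFIG) or ["config is consistent"]:
        print(finding)
```

Run against the sample it reports only the two placeholder keys; pointing both tunnels at the same peer or dropping one of the BGP neighbour statements is flagged as well. Real pre-shared keys are credentials and should be kept out of pastes and tickets; the checker only tests whether a key is still a placeholder and never prints it.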
Make sure your security group configuration and network ACLs allow inbound connections on port 22.
More information here:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
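The advice above is to verify the security group and the network ACL together, and they behave differently. The script below is an added example, not part of the answer: it evaluates constructed rule sets in the shape of `aws ec2 describe-security-groups` and `describe-network-acls` output against a TCP/22 connection from a given source address. Security groups are stateful allow-lists, so one matching inbound rule is enough; a network ACL is stateless, evaluates rules in ascending rule-number order with the `*` rule (32767) denying everything else, and must also allow the reply to the client's ephemeral port on egress. The sample data uses documentation address ranges, and the function names are my own.

```python
import ipaddress

# Constructed sample data shaped like `aws ec2 describe-security-groups` output,
# trimmed to the fields the evaluation needs. 203.0.113.0/24 is a documentation range.
SECURITY_GROUP = {
    "GroupId": "sg-example",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}


def _nacl(egress_rules):
    """Build a network ACL (constructed, in describe-network-acls shape) with inbound
    TCP/22 allowed from anywhere, the given egress rules, and the catch-all '*'
    deny (RuleNumber 32767) in both directions."""
    entries = [
        {"RuleNumber": 100, "Egress": False, "Protocol": "6", "RuleAction": "allow",
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    ] + egress_rules + [
        {"RuleNumber": 32767, "Egress": egress, "Protocol": "-1", "RuleAction": "deny",
         "CidrBlock": "0.0.0.0/0"} for egress in (False, True)
    ]
    return {"NetworkAclId": "acl-example", "Entries": entries}


# Egress allows replies to client ephemeral ports: SSH works.
NACL_OK = _nacl([
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}},
])
# Egress only allows destination port 443: inbound 22 is accepted, but the SYN-ACK
# back to the client's ephemeral port is dropped because NACLs are stateless.
NACL_NO_EPHEMERAL = _nacl([
    {"RuleNumber": 100, "Egress": True, "Protocol": "6", "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
])


def sg_allows_inbound(sg, proto, port, source_ip):
    """Security groups are stateful allow-lists: one matching inbound rule is enough
    and the reply is allowed out regardless of outbound rules."""
    src = ipaddress.ip_address(source_ip)
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] not in ("-1", proto):
            continue
        if perm["IpProtocol"] != "-1" and not (perm["FromPort"] <= port <= perm["ToPort"]):
            continue
        if any(src in ipaddress.ip_network(r["CidrIp"]) for r in perm["IpRanges"]):
            return True
    return False


def nacl_decision(acl, egress, proto_num, remote_ip, port):
    """Stateless: the first rule in RuleNumber order that matches decides."""
    addr = ipaddress.ip_address(remote_ip)
    entries = sorted((e for e in acl["Entries"] if e["Egress"] == egress),
                     key=lambda e: e["RuleNumber"])
    for e in entries:
        if e["Protocol"] not in ("-1", proto_num):
            continue
        if addr not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        pr = e.get("PortRange")
        if pr and not (pr["From"] <= port <= pr["To"]):
            continue
        return e["RuleAction"] == "allow"
    return False  # no '*' rule present: deny


def can_reach(sg, acl, source_ip, port, client_port=50000):
    """Every hop that must allow a TCP connection from source_ip to the instance port,
    including the NACL egress check for the reply to the client's ephemeral port."""
    return {
        "sg_inbound": sg_allows_inbound(sg, "tcp", port, source_ip),
        "nacl_inbound": nacl_decision(acl, False, "6", source_ip, port),
        "nacl_return": nacl_decision(acl, True, "6", source_ip, client_port),
    }


def explain(result):
    blocked = [hop for hop, ok in result.items() if not ok]
    return "allowed" if not blocked else "blocked by " + ", ".join(blocked)


if __name__ == "__main__":
    print(explain(can_reach(SECURITY_GROUP, NACL_OK, "203.0.113.10", 22)))
    print(explain(can_reach(SECURITY_GROUP, NACL_OK, "198.51.100.7", 22)))
    print(explain(can_reach(SECURITY_GROUP, NACL_NO_EPHEMERAL, "203.0.113.10", 22)))
```

The third case is the one that catches people: the console shows port 22 allowed inbound at both layers, yet the SSH handshake never completes because the ACL's egress side has no rule for the ephemeral port range. Opening port 22 to 0.0.0.0/0 in a security group, as the question describes, is the other thing this makes visible; restricting the source CIDR costs nothing in a check like this.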
The standard VPN connection offered by Amazon VPC is not meant for occasional connections. It is intended as a permanent connection.
First, it is worth mentioning the ways in which a VPC can be connected to an existing ('on-premise') network:
- Direct Connect: a fibre connection between your existing data centre and AWS
- VPN connection via a Virtual Private Gateway (VGW): an on-premise network router in your existing data centre connects to the Amazon VPC (attached to the VGW). This requires a permanently configured on-premise router and is not designed for ad-hoc connections. Two IPsec tunnels are provided for redundancy, each terminating on a different device within AWS.
- Ad-hoc (dial-in) VPN connection: for occasional connections, similar to connecting to a workplace network with a SecurID token
It seems you are trying to establish an ad-hoc connection from an Ubuntu desktop to the VGW. That is not the intended use of a VPN connection.
Instead, you should run a software VPN solution (e.g. OpenSwan, OpenVPN) on an instance in your VPC.
Some related articles: