Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- # Amazon Web Services
- # Virtual Private Cloud
- #
- # AWS utilizes unique identifiers to manipulate the configuration of
- # a VPN Connection. Each VPN Connection is assigned a VPN Connection Identifier
- # and is associated with two other identifiers, namely the
- # Customer Gateway Identifier and the Virtual Private Gateway Identifier.
- #
- # Your VPN Connection ID : vpn-xxx
- # Your Virtual Private Gateway ID : vgw-xxx
- # Your Customer Gateway ID : cgw-xxx
- #
- # This configuration consists of two tunnels. Both tunnels must be
- # configured on your Customer Gateway.
- #
- #
- # --------------------------------------------------------------------------------
- # IPSec Tunnel #1
- # --------------------------------------------------------------------------------
- # #1: Internet Key Exchange (IKE) Configuration
- #
- # A proposal is established for the supported IKE encryption,
- # authentication, Diffie-Hellman, and lifetime parameters.
- # Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
- # Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
- # You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
- # Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
- # The address of the external interface for your customer gateway must be a static address.
- # To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
- #
- set security ike proposal ike-prop-vpn-xxx-1 authentication-method pre-shared-keys
- set security ike proposal ike-prop-vpn-xxx-1 authentication-algorithm sha1
- set security ike proposal ike-prop-vpn-xxx-1 encryption-algorithm aes-128-cbc
- set security ike proposal ike-prop-vpn-xxx-1 lifetime-seconds 28800
- set security ike proposal ike-prop-vpn-xxx-1 dh-group group2
- # An IKE policy is established to associate a Pre Shared Key with the
- # defined proposal.
- #
- set security ike policy ike-pol-vpn-xxx-1 mode main
- set security ike policy ike-pol-vpn-xxx-1 proposals ike-prop-vpn-xxx-1
- set security ike policy ike-pol-vpn-xxx-1 pre-shared-key ascii-text xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- # The IKE gateway is defined to be the Virtual Private Gateway. The gateway
- # configuration associates a local interface, remote IP address, and
- # IKE policy.
- #
- # This example shows the outside of the tunnel as interface ge-0/0/0.0.
- # This should be set to the interface that IP address xx.xx.xx.xx is
- # associated with.
- # This address is configured with the setup for your Customer Gateway.
- #
- # If the address changes, the Customer Gateway and VPN Connection must be recreated.
- #
- set security ike gateway gw-vpn-xxx-1 ike-policy ike-pol-vpn-xxx-1
- set security ike gateway gw-vpn-xxx-1 external-interface ge-0/0/0.0
- set security ike gateway gw-vpn-xxx-1 address 3.105.xx.xxx
- set security ike gateway gw-vpn-xxx-1 no-nat-traversal
- # This option enables IPSec Dead Peer Detection, which causes periodic
- # messages to be sent to ensure a Security Association remains operational.
- #
- set security ike gateway gw-vpn-xxx-1 dead-peer-detection interval 10 threshold 3
- # Troubleshooting IKE connectivity can be aided by enabling IKE tracing.
- # The configuration below will cause the router to log IKE messages to
- # the 'kmd' log. Run 'show log kmd' to retrieve these logs.
- # set security ike traceoptions file kmd
- # set security ike traceoptions file size 1024768
- # set security ike traceoptions file files 10
- # set security ike traceoptions flag all
- # #2: IPSec Configuration
- #
- # The IPSec proposal defines the protocol, authentication, encryption, and
- # lifetime parameters for our IPSec security association.
- # Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
- # Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
- # Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
- #
- set security ipsec proposal ipsec-prop-vpn-xxx-1 protocol esp
- set security ipsec proposal ipsec-prop-vpn-xxx-1 authentication-algorithm hmac-sha1-96
- set security ipsec proposal ipsec-prop-vpn-xxx-1 encryption-algorithm aes-128-cbc
- set security ipsec proposal ipsec-prop-vpn-xxx-1 lifetime-seconds 3600
- # The IPSec policy incorporates the Diffie-Hellman group and the IPSec
- # proposal.
- #
- set security ipsec policy ipsec-pol-vpn-xxx-1 perfect-forward-secrecy keys group2
- set security ipsec policy ipsec-pol-vpn-xxx-1 proposals ipsec-prop-vpn-xxx-1
- # A security association is defined here.
- #
- set security ipsec vpn vpn-xxx-1 ike gateway gw-vpn-xxx-1
- set security ipsec vpn vpn-xxx-1 ike ipsec-policy ipsec-pol-vpn-xxx-1
- set security ipsec vpn vpn-xxx-1 df-bit clear
- # #3: Tunnel Interface Configuration
- #
- # The tunnel interface is configured with the internal IP address. The IPSec Policy and IKE gateways
- # are associated with a tunnel interface (st0.2).
- # The tunnel interface ID is assumed; if other tunnels are defined on
- # your router, you will need to specify a unique interface name
- # (for example, st0.20).
- #
- set interfaces st0.2 family inet address 169.254.26.210/30
- set interfaces st0.2 family inet mtu 1436
- set security zones security-zone trust interfaces st0.2
- set security ipsec vpn vpn-xxx-1 bind-interface st0.2
- # The security zone protecting external interfaces of the router must be
- # configured to allow IKE traffic inbound.
- #
- set security zones security-zone untrust host-inbound-traffic system-services ike
- # The security zone protecting internal interfaces (including the logical
- # tunnel interfaces) must be configured to allow BGP traffic inbound.
- #
- set security zones security-zone trust host-inbound-traffic protocols bgp
- # This option causes the router to reduce the Maximum Segment Size of
- # TCP packets to prevent packet fragmentation.
- #
- set security flow tcp-mss ipsec-vpn mss 1379
- # --------------------------------------------------------------------------------
- # #4: Border Gateway Protocol (BGP) Configuration
- #
- # BGP is used within the tunnel to exchange prefixes between the
- # Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
- # will announce the prefix corresponding to your VPC.
- #
- # Your Customer Gateway may announce a default route (0.0.0.0/0),
- # which can be done with the EXPORT-DEFAULT policy.
- #
- # To advertise additional prefixes to Amazon VPC, add additional prefixes to the "default" term
- # EXPORT-DEFAULT policy. Make sure the prefix is present in the routing table of the device with
- # a valid next-hop.
- #
- # The BGP timers are adjusted to provide more rapid detection of outages.
- #
- # The local BGP Autonomous System Number (ASN) (65000) is configured
- # as part of your Customer Gateway. If the ASN must be changed, the
- # Customer Gateway and VPN Connection will need to be recreated with AWS.
- #
- # We establish a basic route policy to export a default route to the
- # Virtual Private Gateway.
- set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0 exact
- set policy-options policy-statement EXPORT-DEFAULT term default then accept
- set policy-options policy-statement EXPORT-DEFAULT term reject then reject
- set protocols bgp group ebgp type external
- set protocols bgp group ebgp neighbor 169.254.26.209 export EXPORT-DEFAULT
- set protocols bgp group ebgp neighbor 169.254.26.209 peer-as 64512
- set protocols bgp group ebgp neighbor 169.254.26.209 hold-time 30
- set protocols bgp group ebgp neighbor 169.254.26.209 local-as 65000
- #
- # --------------------------------------------------------------------------------
- # IPSec Tunnel #2
- # --------------------------------------------------------------------------------
- # #1: Internet Key Exchange (IKE) Configuration
- #
- # A proposal is established for the supported IKE encryption,
- # authentication, Diffie-Hellman, and lifetime parameters.
- # Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
- # Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
- # You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
- # Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
- # The address of the external interface for your customer gateway must be a static address.
- # To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
- #
- set security ike proposal ike-prop-vpn-xxx-2 authentication-method pre-shared-keys
- set security ike proposal ike-prop-vpn-xxx-2 authentication-algorithm sha1
- set security ike proposal ike-prop-vpn-xxx-2 encryption-algorithm aes-128-cbc
- set security ike proposal ike-prop-vpn-xxx-2 lifetime-seconds 28800
- set security ike proposal ike-prop-vpn-xxx-2 dh-group group2
- # An IKE policy is established to associate a Pre Shared Key with the
- # defined proposal.
- #
- set security ike policy ike-pol-vpn-xxx-2 mode main
- set security ike policy ike-pol-vpn-xxx-2 proposals ike-prop-vpn-xxx-2
- set security ike policy ike-pol-vpn-xxx-2 pre-shared-key ascii-text xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
- # The IKE gateway is defined to be the Virtual Private Gateway. The gateway
- # configuration associates a local interface, remote IP address, and
- # IKE policy.
- #
- # This example shows the outside of the tunnel as interface ge-0/0/0.0.
- # This should be set to the interface that IP address xx.xx.xx.xx is
- # associated with.
- # This address is configured with the setup for your Customer Gateway.
- #
- # If the address changes, the Customer Gateway and VPN Connection must be recreated.
- #
- set security ike gateway gw-vpn-xxx-2 ike-policy ike-pol-vpn-xxx-2
- set security ike gateway gw-vpn-xxx-2 external-interface ge-0/0/0.0
- set security ike gateway gw-vpn-xxx-2 address 52.xx.xx.xx
- set security ike gateway gw-vpn-xxx-2 no-nat-traversal
- # This option enables IPSec Dead Peer Detection, which causes periodic
- # messages to be sent to ensure a Security Association remains operational.
- #
- set security ike gateway gw-vpn-xxx-2 dead-peer-detection interval 10 threshold 3
- # Troubleshooting IKE connectivity can be aided by enabling IKE tracing.
- # The configuration below will cause the router to log IKE messages to
- # the 'kmd' log. Run 'show log kmd' to retrieve these logs.
- # set security ike traceoptions file kmd
- # set security ike traceoptions file size 1024768
- # set security ike traceoptions file files 10
- # set security ike traceoptions flag all
- # #2: IPSec Configuration
- #
- # The IPSec proposal defines the protocol, authentication, encryption, and
- # lifetime parameters for our IPSec security association.
- # Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
- # Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
- # Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
- #
- set security ipsec proposal ipsec-prop-vpn-xxx-2 protocol esp
- set security ipsec proposal ipsec-prop-vpn-xxx-2 authentication-algorithm hmac-sha1-96
- set security ipsec proposal ipsec-prop-vpn-xxx-2 encryption-algorithm aes-128-cbc
- set security ipsec proposal ipsec-prop-vpn-xxx-2 lifetime-seconds 3600
- # The IPSec policy incorporates the Diffie-Hellman group and the IPSec
- # proposal.
- #
- set security ipsec policy ipsec-pol-vpn-xxx-2 perfect-forward-secrecy keys group2
- set security ipsec policy ipsec-pol-vpn-xxx-2 proposals ipsec-prop-vpn-xxx-2
- # A security association is defined here.
- #
- set security ipsec vpn vpn-xxx-2 ike gateway gw-vpn-xxx-2
- set security ipsec vpn vpn-xxx-2 ike ipsec-policy ipsec-pol-vpn-xxx-2
- set security ipsec vpn vpn-xxx-2 df-bit clear
- # #3: Tunnel Interface Configuration
- #
- # The tunnel interface is configured with the internal IP address. The IPSec Policy and IKE gateways
- # are associated with a tunnel interface (st0.3).
- # The tunnel interface ID is assumed; if other tunnels are defined on
- # your router, you will need to specify a unique interface name
- # (for example, st0.20).
- #
- set interfaces st0.3 family inet address 169.254.118.242/30
- set interfaces st0.3 family inet mtu 1436
- set security zones security-zone trust interfaces st0.3
- set security ipsec vpn vpn-xxx-2 bind-interface st0.3
- # The security zone protecting external interfaces of the router must be
- # configured to allow IKE traffic inbound.
- #
- set security zones security-zone untrust host-inbound-traffic system-services ike
- # The security zone protecting internal interfaces (including the logical
- # tunnel interfaces) must be configured to allow BGP traffic inbound.
- #
- set security zones security-zone trust host-inbound-traffic protocols bgp
- # This option causes the router to reduce the Maximum Segment Size of
- # TCP packets to prevent packet fragmentation.
- #
- set security flow tcp-mss ipsec-vpn mss 1379
- # --------------------------------------------------------------------------------
- # #4: Border Gateway Protocol (BGP) Configuration
- #
- # BGP is used within the tunnel to exchange prefixes between the
- # Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
- # will announce the prefix corresponding to your VPC.
- #
- # Your Customer Gateway may announce a default route (0.0.0.0/0),
- # which can be done with the EXPORT-DEFAULT policy.
- #
- # To advertise additional prefixes to Amazon VPC, add additional prefixes to the "default" term
- # EXPORT-DEFAULT policy. Make sure the prefix is present in the routing table of the device with
- # a valid next-hop.
- #
- # The BGP timers are adjusted to provide more rapid detection of outages.
- #
- # The local BGP Autonomous System Number (ASN) (65000) is configured
- # as part of your Customer Gateway. If the ASN must be changed, the
- # Customer Gateway and VPN Connection will need to be recreated with AWS.
- #
- # We establish a basic route policy to export a default route to the
- # Virtual Private Gateway.
- set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0 exact
- set policy-options policy-statement EXPORT-DEFAULT term default then accept
- set policy-options policy-statement EXPORT-DEFAULT term reject then reject
- set protocols bgp group ebgp type external
- set protocols bgp group ebgp neighbor 169.254.118.241 export EXPORT-DEFAULT
- set protocols bgp group ebgp neighbor 169.254.118.241 peer-as 64512
- set protocols bgp group ebgp neighbor 169.254.118.241 hold-time 30
- set protocols bgp group ebgp neighbor 169.254.118.241 local-as 65000
- #
- # Additional Notes and Questions
- # - Amazon Virtual Private Cloud Getting Started Guide:
- # http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
- # - Amazon Virtual Private Cloud Network Administrator Guide:
- # http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
- # - XSL Version: 2009-07-15-1119716
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement