Untitled

a guest
Oct 10th, 2019
# Amazon Web Services
# Virtual Private Cloud
#
# AWS utilizes unique identifiers to manipulate the configuration of
# a VPN Connection. Each VPN Connection is assigned a VPN Connection Identifier
# and is associated with two other identifiers, namely the
# Customer Gateway Identifier and the Virtual Private Gateway Identifier.
#

# Your VPN Connection ID : vpn-xxx
# Your Virtual Private Gateway ID : vgw-xxx
# Your Customer Gateway ID : cgw-xxx
#
# This configuration consists of two tunnels. Both tunnels must be
# configured on your Customer Gateway.
#
#
# --------------------------------------------------------------------------------
# IPSec Tunnel #1
# --------------------------------------------------------------------------------
# #1: Internet Key Exchange (IKE) Configuration
#
# A proposal is established for the supported IKE encryption,
# authentication, Diffie-Hellman, and lifetime parameters.
# Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
# Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
# You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
# Higher parameters are only available for VPNs of category "VPN", and not for "VPN-Classic".
# The address of the external interface for your customer gateway must be a static address.
# To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
#
set security ike proposal ike-prop-vpn-xxx-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-xxx-1 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-xxx-1 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-xxx-1 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-xxx-1 dh-group group2

# An IKE policy is established to associate a pre-shared key with the
# defined proposal.
#
set security ike policy ike-pol-vpn-xxx-1 mode main
set security ike policy ike-pol-vpn-xxx-1 proposals ike-prop-vpn-xxx-1
set security ike policy ike-pol-vpn-xxx-1 pre-shared-key ascii-text xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# The IKE gateway is defined to be the Virtual Private Gateway. The gateway
# configuration associates a local interface, remote IP address, and
# IKE policy.
#
# This example shows the outside of the tunnel as interface ge-0/0/0.0.
# This should be set to the interface that IP address xx.xx.xx.xx is
# associated with.
# This address is configured with the setup for your Customer Gateway.
#
# If the address changes, the Customer Gateway and VPN Connection must be recreated.
#
set security ike gateway gw-vpn-xxx-1 ike-policy ike-pol-vpn-xxx-1
set security ike gateway gw-vpn-xxx-1 external-interface ge-0/0/0.0
set security ike gateway gw-vpn-xxx-1 address 3.105.xx.xxx
set security ike gateway gw-vpn-xxx-1 no-nat-traversal

# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.
#
set security ike gateway gw-vpn-xxx-1 dead-peer-detection interval 10 threshold 3

# Troubleshooting IKE connectivity can be aided by enabling IKE tracing.
# The configuration below will cause the router to log IKE messages to
# the 'kmd' log. Run 'show log kmd' to retrieve these logs.
# set security ike traceoptions file kmd
# set security ike traceoptions file size 1024768
# set security ike traceoptions file files 10
# set security ike traceoptions flag all

# #2: IPSec Configuration
#
# The IPSec proposal defines the protocol, authentication, encryption, and
# lifetime parameters for our IPSec security association.
# Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
# Please note, you may also use the additionally supported IPSec parameters, such as AES256 for encryption and other DH groups like 2, 5, 14-18, 22, 23, and 24.
# Higher parameters are only available for VPNs of category "VPN", and not for "VPN-Classic".
#
set security ipsec proposal ipsec-prop-vpn-xxx-1 protocol esp
set security ipsec proposal ipsec-prop-vpn-xxx-1 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-vpn-xxx-1 encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-prop-vpn-xxx-1 lifetime-seconds 3600

# The IPSec policy incorporates the Diffie-Hellman group and the IPSec
# proposal.
#
set security ipsec policy ipsec-pol-vpn-xxx-1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-vpn-xxx-1 proposals ipsec-prop-vpn-xxx-1

# A security association is defined here.
#
set security ipsec vpn vpn-xxx-1 ike gateway gw-vpn-xxx-1
set security ipsec vpn vpn-xxx-1 ike ipsec-policy ipsec-pol-vpn-xxx-1
set security ipsec vpn vpn-xxx-1 df-bit clear


# #3: Tunnel Interface Configuration
#

# The tunnel interface is configured with the internal IP address. The IPSec policy and IKE gateway
# are associated with a tunnel interface (st0.2).
# The tunnel interface ID is assumed; if other tunnels are defined on
# your router, you will need to specify a unique interface name
# (for example, st0.20).
#
set interfaces st0.2 family inet address 169.254.26.210/30
set interfaces st0.2 family inet mtu 1436
set security zones security-zone trust interfaces st0.2
set security ipsec vpn vpn-xxx-1 bind-interface st0.2

# The security zone protecting external interfaces of the router must be
# configured to allow IKE traffic inbound.
#
set security zones security-zone untrust host-inbound-traffic system-services ike

# The security zone protecting internal interfaces (including the logical
# tunnel interfaces) must be configured to allow BGP traffic inbound.
#
set security zones security-zone trust host-inbound-traffic protocols bgp

# This option causes the router to reduce the Maximum Segment Size of
# TCP packets to prevent packet fragmentation.
#
set security flow tcp-mss ipsec-vpn mss 1379

# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
# will announce the prefix corresponding to your VPC.
#
# Your Customer Gateway may announce a default route (0.0.0.0/0),
# which can be done with the EXPORT-DEFAULT policy.
#
# To advertise additional prefixes to Amazon VPC, add them to the "default" term
# of the EXPORT-DEFAULT policy. Make sure each prefix is present in the routing table of the device with
# a valid next-hop.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
# We establish a basic route policy to export a default route to the
# Virtual Private Gateway.
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement EXPORT-DEFAULT term default then accept
set policy-options policy-statement EXPORT-DEFAULT term reject then reject
set protocols bgp group ebgp type external
set protocols bgp group ebgp neighbor 169.254.26.209 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 169.254.26.209 peer-as 64512
set protocols bgp group ebgp neighbor 169.254.26.209 hold-time 30
set protocols bgp group ebgp neighbor 169.254.26.209 local-as 65000
#
# --------------------------------------------------------------------------------
# IPSec Tunnel #2
# --------------------------------------------------------------------------------
# #1: Internet Key Exchange (IKE) Configuration
#
# A proposal is established for the supported IKE encryption,
# authentication, Diffie-Hellman, and lifetime parameters.
# Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
# Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
# You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
# Higher parameters are only available for VPNs of category "VPN", and not for "VPN-Classic".
# The address of the external interface for your customer gateway must be a static address.
# To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
#
set security ike proposal ike-prop-vpn-xxx-2 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-xxx-2 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-xxx-2 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-xxx-2 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-xxx-2 dh-group group2

# An IKE policy is established to associate a pre-shared key with the
# defined proposal.
#
set security ike policy ike-pol-vpn-xxx-2 mode main
set security ike policy ike-pol-vpn-xxx-2 proposals ike-prop-vpn-xxx-2
set security ike policy ike-pol-vpn-xxx-2 pre-shared-key ascii-text xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# The IKE gateway is defined to be the Virtual Private Gateway. The gateway
# configuration associates a local interface, remote IP address, and
# IKE policy.
#
# This example shows the outside of the tunnel as interface ge-0/0/0.0.
# This should be set to the interface that IP address xx.xx.xx.xx is
# associated with.
# This address is configured with the setup for your Customer Gateway.
#
# If the address changes, the Customer Gateway and VPN Connection must be recreated.
#
set security ike gateway gw-vpn-xxx-2 ike-policy ike-pol-vpn-xxx-2
set security ike gateway gw-vpn-xxx-2 external-interface ge-0/0/0.0
set security ike gateway gw-vpn-xxx-2 address 52.xx.xx.xx
set security ike gateway gw-vpn-xxx-2 no-nat-traversal

# This option enables IPSec Dead Peer Detection, which causes periodic
# messages to be sent to ensure a Security Association remains operational.
#
set security ike gateway gw-vpn-xxx-2 dead-peer-detection interval 10 threshold 3

# Troubleshooting IKE connectivity can be aided by enabling IKE tracing.
# The configuration below will cause the router to log IKE messages to
# the 'kmd' log. Run 'show log kmd' to retrieve these logs.
# set security ike traceoptions file kmd
# set security ike traceoptions file size 1024768
# set security ike traceoptions file files 10
# set security ike traceoptions flag all

# #2: IPSec Configuration
#
# The IPSec proposal defines the protocol, authentication, encryption, and
# lifetime parameters for our IPSec security association.
# Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
# Please note, you may also use the additionally supported IPSec parameters, such as AES256 for encryption and other DH groups like 2, 5, 14-18, 22, 23, and 24.
# Higher parameters are only available for VPNs of category "VPN", and not for "VPN-Classic".
#
set security ipsec proposal ipsec-prop-vpn-xxx-2 protocol esp
set security ipsec proposal ipsec-prop-vpn-xxx-2 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-vpn-xxx-2 encryption-algorithm aes-128-cbc
set security ipsec proposal ipsec-prop-vpn-xxx-2 lifetime-seconds 3600

# The IPSec policy incorporates the Diffie-Hellman group and the IPSec
# proposal.
#
set security ipsec policy ipsec-pol-vpn-xxx-2 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-vpn-xxx-2 proposals ipsec-prop-vpn-xxx-2

# A security association is defined here.
#
set security ipsec vpn vpn-xxx-2 ike gateway gw-vpn-xxx-2
set security ipsec vpn vpn-xxx-2 ike ipsec-policy ipsec-pol-vpn-xxx-2
set security ipsec vpn vpn-xxx-2 df-bit clear


# #3: Tunnel Interface Configuration
#

# The tunnel interface is configured with the internal IP address. The IPSec policy and IKE gateway
# are associated with a tunnel interface (st0.3).
# The tunnel interface ID is assumed; if other tunnels are defined on
# your router, you will need to specify a unique interface name
# (for example, st0.20).
#
set interfaces st0.3 family inet address 169.254.118.242/30
set interfaces st0.3 family inet mtu 1436
set security zones security-zone trust interfaces st0.3
set security ipsec vpn vpn-xxx-2 bind-interface st0.3

# The security zone protecting external interfaces of the router must be
# configured to allow IKE traffic inbound.
#
set security zones security-zone untrust host-inbound-traffic system-services ike

# The security zone protecting internal interfaces (including the logical
# tunnel interfaces) must be configured to allow BGP traffic inbound.
#
set security zones security-zone trust host-inbound-traffic protocols bgp

# This option causes the router to reduce the Maximum Segment Size of
# TCP packets to prevent packet fragmentation.
#
set security flow tcp-mss ipsec-vpn mss 1379

# --------------------------------------------------------------------------------
# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the
# Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
# will announce the prefix corresponding to your VPC.
#
# Your Customer Gateway may announce a default route (0.0.0.0/0),
# which can be done with the EXPORT-DEFAULT policy.
#
# To advertise additional prefixes to Amazon VPC, add them to the "default" term
# of the EXPORT-DEFAULT policy. Make sure each prefix is present in the routing table of the device with
# a valid next-hop.
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (65000) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
# We establish a basic route policy to export a default route to the
# Virtual Private Gateway.
set policy-options policy-statement EXPORT-DEFAULT term default from route-filter 0.0.0.0/0 exact
set policy-options policy-statement EXPORT-DEFAULT term default then accept
set policy-options policy-statement EXPORT-DEFAULT term reject then reject
set protocols bgp group ebgp type external
set protocols bgp group ebgp neighbor 169.254.118.241 export EXPORT-DEFAULT
set protocols bgp group ebgp neighbor 169.254.118.241 peer-as 64512
set protocols bgp group ebgp neighbor 169.254.118.241 hold-time 30
set protocols bgp group ebgp neighbor 169.254.118.241 local-as 65000
#

# Additional Notes and Questions
# - Amazon Virtual Private Cloud Getting Started Guide:
# http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
# - Amazon Virtual Private Cloud Network Administrator Guide:
# http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
# - XSL Version: 2009-07-15-1119716
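The template above ships with the minimum parameters (SHA1, AES-128, DH group 2) and its own comments tell you to raise them; it also spreads one tunnel over several stanzas that reference each other by name, plus a BGP neighbor that must sit on the same /30 as the st0 unit. The following Python script is an added example (not part of the AWS template or any Juniper tooling) that reviews such a "set"-style config before it is committed: it rewrites the weak IKE/IPsec parameters to the stronger values the template's comments list (sha-256, aes-256-cbc, group14, hmac-sha-256-128), verifies that every referenced proposal, policy and gateway is actually defined, and checks that each BGP neighbor falls inside a tunnel interface's /30. The embedded sample config is constructed from the tunnel #1 lines above with placeholder identifiers, plus one stray BGP neighbor line added on purpose so the /30 check has something to report. The replacement values are assumed to be acceptable to the AWS side, which the template says is the case for category "VPN" connections.

```python
"""Review an AWS-generated Juniper SRX VPN config: harden weak crypto,
check name references and check BGP neighbors against tunnel /30s.
Added example; not AWS or Juniper code."""
import ipaddress
import re

# Constructed sample: tunnel #1 'set' lines from the template (placeholder
# names), plus a BGP neighbor for a tunnel that is NOT defined here so that
# check_bgp_peers() has a finding to report.
SAMPLE_CONFIG = """\
set security ike proposal ike-prop-vpn-xxx-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-xxx-1 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-xxx-1 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-xxx-1 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-xxx-1 dh-group group2
set security ike policy ike-pol-vpn-xxx-1 mode main
set security ike policy ike-pol-vpn-xxx-1 proposals ike-prop-vpn-xxx-1
set security ike gateway gw-vpn-xxx-1 ike-policy ike-pol-vpn-xxx-1
set security ipsec proposal ipsec-prop-vpn-xxx-1 protocol esp
set security ipsec proposal ipsec-prop-vpn-xxx-1 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-vpn-xxx-1 encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-pol-vpn-xxx-1 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-pol-vpn-xxx-1 proposals ipsec-prop-vpn-xxx-1
set security ipsec vpn vpn-xxx-1 ike gateway gw-vpn-xxx-1
set security ipsec vpn vpn-xxx-1 ike ipsec-policy ipsec-pol-vpn-xxx-1
set security ipsec vpn vpn-xxx-1 bind-interface st0.2
set interfaces st0.2 family inet address 169.254.26.210/30
set protocols bgp group ebgp neighbor 169.254.26.209 peer-as 64512
set protocols bgp group ebgp neighbor 169.254.118.241 peer-as 64512
"""

# Weak parameter -> stronger value, following the template's own guidance
# (AES256, SHA256, DH group 14). Each entry: (pattern, replacement, finding).
WEAK_PARAMETERS = [
    (r"(security ike proposal \S+ authentication-algorithm )sha1$",
     r"\g<1>sha-256", "IKE integrity uses SHA1"),
    (r"(security ike proposal \S+ encryption-algorithm )aes-128-cbc$",
     r"\g<1>aes-256-cbc", "IKE encryption uses AES-128"),
    (r"(security ike proposal \S+ dh-group )group2$",
     r"\g<1>group14", "IKE uses DH group 2 (1024-bit MODP)"),
    (r"(security ipsec proposal \S+ authentication-algorithm )hmac-sha1-96$",
     r"\g<1>hmac-sha-256-128", "ESP integrity uses HMAC-SHA1"),
    (r"(security ipsec proposal \S+ encryption-algorithm )aes-128-cbc$",
     r"\g<1>aes-256-cbc", "ESP encryption uses AES-128"),
    (r"(security ipsec policy \S+ perfect-forward-secrecy keys )group2$",
     r"\g<1>group14", "PFS uses DH group 2 (1024-bit MODP)"),
]

# Where one stanza names another: (pattern capturing the name, kind it must be).
REFERENCES = [
    (r"^set security ike policy \S+ proposals (\S+)$", "ike proposal"),
    (r"^set security ike gateway \S+ ike-policy (\S+)$", "ike policy"),
    (r"^set security ipsec policy \S+ proposals (\S+)$", "ipsec proposal"),
    (r"^set security ipsec vpn \S+ ike gateway (\S+)$", "ike gateway"),
    (r"^set security ipsec vpn \S+ ike ipsec-policy (\S+)$", "ipsec policy"),
]


def harden(config: str):
    """Return (hardened_config, findings): weak lines rewritten, each reported."""
    out, findings = [], []
    for line in config.splitlines():
        for pattern, repl, msg in WEAK_PARAMETERS:
            new_line, n = re.subn(pattern, repl, line)
            if n:
                findings.append(f"{msg}: {line}")
                line = new_line
                break
        out.append(line)
    return "\n".join(out) + "\n", findings


def check_references(config: str):
    """Flag proposal/policy/gateway names that are referenced but never defined."""
    defined = {(f"{m[1]} {m[2]}", m[3]) for m in re.finditer(
        r"^set security (ike|ipsec) (proposal|policy|gateway) (\S+)", config, re.M)}
    problems = []
    for pattern, kind in REFERENCES:
        for m in re.finditer(pattern, config, re.M):
            if (kind, m[1]) not in defined:
                problems.append(f"{kind} '{m[1]}' referenced but never defined")
    return problems


def check_bgp_peers(config: str):
    """Each BGP neighbor must lie inside the /30 of some st0 tunnel interface."""
    tunnel_nets = [ipaddress.ip_interface(m[1]).network for m in re.finditer(
        r"^set interfaces st0\.\d+ family inet address (\S+)$", config, re.M)]
    peers = {m[1] for m in re.finditer(
        r"^set protocols bgp group \S+ neighbor (\S+) ", config, re.M)}
    return [f"BGP neighbor {p} is not on any tunnel /30"
            for p in sorted(peers) if not any(
                ipaddress.ip_address(p) in net for net in tunnel_nets)]


if __name__ == "__main__":
    hardened, findings = harden(SAMPLE_CONFIG)
    for f in findings + check_references(SAMPLE_CONFIG) + check_bgp_peers(SAMPLE_CONFIG):
        print("FINDING:", f)
    print(hardened)
```

Run it against the full two-tunnel file (minus comments) after substituting the real identifiers; the hardened output is what you would paste into the SRX, and any "referenced but never defined" or "not on any tunnel /30" finding points at a copy-and-paste error that would otherwise only surface as a tunnel stuck in IKE negotiation or a BGP session that never leaves Active.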