Ciscoルータから AWS Site to Site VPN への接続を試す
(1) 静的ルートを利用 / IKEv1で接続
# オンプレミスのグローバルIPアドレス
publicip=x.x.x.x
# VGWをアタッチするVPC
vpcid=vpc-<unique-id>
# オンプレミスのBGP ASN
customerasn=65000
# AWS側のBGP ASN
amazonasn=64512
# ルートを伝播するルートテーブル
routetableid=rtb-<uniqueid>
# VGWを宛先とするアドレス帯(スタティックルート)
localcidr=x.x.x.x/x
AWS S2S VPNは2セッション貼ることができる。
障害発生時にルートを切り替える設定を入れると盤石。
(ここではセッションは1つしかはらない)
仮想プライベートゲートウェイの作成
aws ec2 create-vpn-gateway --type ipsec.1 --amazon-side-asn ${amazonasn}
結果確認
vpngatewayid=vgw-<unique-id>
aws ec2 describe-vpn-gateways --vpn-gateway-ids ${vpngatewayid}
VPCへのVGWのアタッチ
aws ec2 attach-vpn-gateway --vpn-gateway-id ${vpngatewayid} --vpc-id ${vpcid}
結果確認
aws ec2 describe-vpn-gateways --vpn-gateway-ids ${vpngatewayid}
カスタマーゲートウェイの作成
aws ec2 create-customer-gateway --type ipsec.1 --public-ip ${publicip} --bgp-asn ${customerasn}
結果確認
customergatewayid=cgw-<unique-id>
aws ec2 describe-customer-gateways --customer-gateway-ids ${customergatewayid}
VPN接続の作成
静的ルートのみ利用する
aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id ${customergatewayid} --vpn-gateway-id ${vpngatewayid} \
--options "{\"StaticRoutesOnly\":true}"
結果確認
vpnconnectionid=vpn-<unique-id>
aws ec2 describe-vpn-connections --vpn-connection-ids ${vpnconnectionid}
VPN接続用のスタティックルートの追加
aws ec2 create-vpn-connection-route --vpn-connection-id ${vpnconnectionid} --destination-cidr-block ${localcidr}
aws ec2 describe-vpn-connections --vpn-connection-ids ${vpnconnectionid}
対向の設定のエクスポート
利用できるデバイスタイプを確認
aws ec2 get-vpn-connection-device-types --query 'VpnConnectionDeviceTypes[?Vendor==`Cisco Systems, Inc.`]'
aws ec2 get-vpn-connection-device-types --query 'VpnConnectionDeviceTypes[?Vendor==`Strongswan`]'
目的のデバイスのものを出力
aws ec2 get-vpn-connection-device-sample-configuration --vpn-connection-id ${vpnconnectionid} \
--vpn-connection-device-type-id b0adb196 --internet-key-exchange-version ikev1 --output text
Cisco ルータの設定
必要となる情報は
<VGWのアドレス>
<ルータのアドレス> NAT超えの場合は、ルータのインタフェースのアドレスでいい。
<PSK>
<トンネルデバイスのIPアドレス> と <トンネルデバイスのNWマスク>
<VPCのIPアドレス> と <VPCののNWマスク>
crypto isakmp policy 200
encryption aes 128
authentication pre-share
group 2
lifetime 28800
hash sha
crypto keyring keyring-awsvpn-0
local-address <ルータのアドレス>
pre-shared-key address <VGWのアドレス> key <pre shared key>
crypto isakmp profile isakmp-awsvpn-0
local-address <ルータのアドレス>
match identity address <VGWのアドレス>
keyring keyring-awsvpn-0
crypto ipsec transform-set ipsec-prop-awsvpn-0 esp-aes 128 esp-sha-hmac
mode tunnel
crypto ipsec profile ipsec-awsvpn-0
set pfs group2
set security-association lifetime seconds 3600
set transform-set ipsec-prop-awsvpn-0
crypto ipsec df-bit clear
crypto ipsec security-association replay window-size 128
crypto ipsec fragmentation before-encryption
interface Tunnel1
ip address <トンネルデバイスのIPアドレス> <トンネルデバイスのNWマスク>
ip virtual-reassembly
! tunnel source 220.146.31.241
tunnel source <ルータのアドレス>
tunnel destination <VGWのアドレス>
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-awsvpn-0
! This option causes the router to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
ip tcp adjust-mss 1379
no shutdown
ip route <VPCのIPアドレス> <VPCののNWマスク> Tunnel1
結果確認
R1#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
3.114.212.141 192.168.11.212 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
R1#show crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.168.11.212
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 3.114.212.141 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
#pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.11.212, remote crypto endpt.: 3.114.212.141
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0xC1851607(3246724615)
PFS (Y/N): Y, DH group: group2
inbound esp sas:
spi: 0xDD6AD72(232172914)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4304515/3513)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xC1851607(3246724615)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4304515/3513)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
R1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set ipsec-prop-awss2svpn-0: { esp-aes esp-sha-hmac }
will negotiate = { Tunnel, },
R1#show crypto session int tun1
Crypto session current status
Interface: Tunnel1
Profile: isakmp-awss2svpn-0
Session status: UP-ACTIVE
Peer: 3.114.212.141 port 4500
Session ID: 0
IKEv1 SA: local 192.168.11.212/4500 remote 3.114.212.141/4500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
R1#show crypto session int tun1 detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Tunnel1
Profile: isakmp-awss2svpn-0
Uptime: 00:04:35
Session status: UP-ACTIVE
Peer: 3.114.212.141 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 3.114.212.141
Desc: (none)
Session ID: 0
IKEv1 SA: local 192.168.11.212/4500 remote 3.114.212.141/4500 Active
Capabilities:N connid:1001 lifetime:07:55:24
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 3 drop 0 life (KB/Sec) 4304515/3324
Outbound: #pkts enc'ed 3 drop 0 life (KB/Sec) 4304515/3324
AWS 側で接続を確認
aws ec2 describe-vpn-connections --vpn-connection-ids ${vpnconnectionid}
ルートの伝播
aws ec2 enable-vgw-route-propagation --gateway-id ${vpngatewayid} --route-table-id ${routetableid}
結果確認
aws ec2 describe-route-tables --route-table-id ${routetableid}
片付け
aws ec2 disable-vgw-route-propagation --gateway-id ${vpngatewayid} --route-table-id ${routetableid}
aws ec2 delete-vpn-connection-route --vpn-connection-id ${vpnconnectionid} --destination-cidr-block ${localcidr}
aws ec2 delete-vpn-connection --vpn-connection-id ${vpnconnectionid}
aws ec2 delete-customer-gateway --customer-gateway-id ${customergatewayid}
aws ec2 detach-vpn-gateway --vpc-id ${vpcid} --vpn-gateway-id ${vpngatewayid}
aws ec2 describe-vpn-gateways 〜 で、detaching となっている間は次の削除ができない。detached となるまで待つ。
"VpnGateways": [
{
"VpcAttachments": [
{
"State": "detaching"
}
]
}
aws ec2 delete-vpn-gateway --vpn-gateway-id ${vpngatewayid}
(2) BGPを利用 / IKEv1で接続。
BGPの設定を活かして、2つのセッション間で通信を振り分けたりもできるようだ。
仮想プライベートゲートウェイの作成
aws ec2 create-vpn-gateway --type ipsec.1 --amazon-side-asn ${amazonasn}
vpngatewayid=vgw-<unique-id>
aws ec2 describe-vpn-gateways --vpn-gateway-ids ${vpngatewayid}
VPCへのVGWのアタッチ
aws ec2 attach-vpn-gateway --vpn-gateway-id ${vpngatewayid} --vpc-id ${vpcid}
aws ec2 describe-vpn-gateways --vpn-gateway-ids ${vpngatewayid}
カスタマーゲートウェイの作成
aws ec2 create-customer-gateway --type ipsec.1 --public-ip ${publicip} --bgp-asn ${customerasn}
customergatewayid=cgw-<unique-id>
aws ec2 describe-customer-gateways --customer-gateway-ids ${customergatewayid}
VPN接続の作成
aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id ${customergatewayid} --vpn-gateway-id ${vpngatewayid}
vpnconnectionid=vpn-<unique-id>
aws ec2 describe-vpn-connections --vpn-connection-ids ${vpnconnectionid}
対向の設定のエクスポート
aws ec2 get-vpn-connection-device-types --query 'VpnConnectionDeviceTypes[?Vendor==`Cisco Systems, Inc.`]'
aws ec2 get-vpn-connection-device-types --query 'VpnConnectionDeviceTypes[?Vendor==`Strongswan`]'
aws ec2 get-vpn-connection-device-sample-configuration --vpn-connection-id ${vpnconnectionid} \
--vpn-connection-device-type-id b0adb196 --internet-key-exchange-version ikev1 --output text
Ciscoルータ側設定
その他の設定は(1)と同様なので割愛。
追加でBGPの設定をする
<ネイバーのIPアドレス> トンネルIPアドレスの1つ若番
<オンプレミスのアドレス帯> 0.0.0.0 だとデフォルトをVPNに向けられる。
router bgp 65000
neighbor <ネイバーのIPアドレス> remote-as 64512
neighbor <ネイバーのIPアドレス> activate
neighbor <ネイバーのIPアドレス> timers 10 30 30
address-family ipv4 unicast
neighbor <ネイバーのIPアドレス> remote-as 64512
neighbor <ネイバーのIPアドレス> timers 10 30 30
neighbor <ネイバーのIPアドレス> default-originate
neighbor <ネイバーのIPアドレス> activate
neighbor <ネイバーのIPアドレス> soft-reconfiguration inbound
network <オンプレミスのアドレス帯>
exit
exit
ネイバーを確認
R1#show ip bgp summ
BGP router identifier 192.168.100.1, local AS number 65000
BGP table version is 2, main routing table version 2
1 network entries using 144 bytes of memory
2 path entries using 160 bytes of memory
2/1 BGP path/bestpath attribute entries using 288 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 592 total bytes of memory
BGP activity 1/0 prefixes, 2/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
<ネイバーのIPアドレス> 4 64512 3 5 2 0 0 00:00:04 0
トポロジーテーブルを確認
R1#show ip bgp
BGP table version is 3, local router ID is 192.168.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,
x best-external, a additional-path, c RIB-compressed,
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found
Network Next Hop Metric LocPrf Weight Path
0.0.0.0 0.0.0.0 0 i
*> 192.168.11.254 0 32768 i
*> 10.0.0.0/16 <ネイバーのIPアドレス> 100 0 64512 i
ルートを確認
R1#show ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 192.168.11.254 to network 0.0.0.0
10.0.0.0/16 is subnetted, 1 subnets
B 10.0.0.0 [20/100] via <ネイバーのIPアドレス>, 00:00:23
AWS 側で接続を確認
aws ec2 describe-vpn-connections --vpn-connection-ids ${vpnconnectionid}
BGPを設定しないと IPSEC IS UPとなっても、Status は Downのままとなる。
"VgwTelemetry": [
{
"AcceptedRouteCount": 0,
"LastStatusChange": "2025-07-17T22:48:35+00:00",
"OutsideIpAddress": "3.114.212.141",
"Status": "DOWN",
"StatusMessage": "IPSEC IS UP"
},
{
"AcceptedRouteCount": 0,
"LastStatusChange": "2025-07-17T22:40:48+00:00",
"OutsideIpAddress": "13.230.233.135",
"Status": "DOWN",
"StatusMessage": "IPSEC IS DOWN"
}
],
BGP がネイバー関係になるとUPになる。
"VgwTelemetry": [
{
"AcceptedRouteCount": 1,
"LastStatusChange": "2025-07-17T23:08:38+00:00",
"OutsideIpAddress": "3.114.212.141",
"Status": "UP",
"StatusMessage": "1 BGP ROUTES"
},
{
"AcceptedRouteCount": 0,
"LastStatusChange": "2025-07-17T22:40:48+00:00",
"OutsideIpAddress": "13.230.233.135",
"Status": "DOWN",
"StatusMessage": "IPSEC IS DOWN"
}
ルートの伝播
aws ec2 enable-vgw-route-propagation --gateway-id ${vpngatewayid} --route-table-id ${routetableid}
aws ec2 describe-route-tables --route-table-id ${routetableid}
片付け
aws ec2 disable-vgw-route-propagation --gateway-id ${vpngatewayid} --route-table-id ${routetableid}
aws ec2 delete-vpn-connection --vpn-connection-id ${vpnconnectionid}
aws ec2 delete-customer-gateway --customer-gateway-id ${customergatewayid}
aws ec2 detach-vpn-gateway --vpc-id ${vpcid} --vpn-gateway-id ${vpngatewayid}
aws ec2 delete-vpn-gateway --vpn-gateway-id ${vpngatewayid}
(3) 静的ルートを利用 / IKEv2で接続
AWSに対しては、基本的に (1) と同様の操作。
対向の設定のエクスポート
aws ec2 get-vpn-connection-device-sample-configuration --vpn-connection-id ${vpnconnectionid} \
--vpn-connection-device-type-id 7b754310 --internet-key-exchange-version ikev2 --output text
Cisco ルータの設定
<VGWのアドレス>
<ルータのアドレス> NAT超えの場合は、ルータのインタフェースのアドレスでいい。
<PSK>
<トンネルデバイスのIPアドレス> と <トンネルデバイスのNWマスク>
<VPCのIPアドレス> と <VPCののNWマスク>
crypto ikev2 proposal PROPOSAL1
encryption aes-cbc-128
integrity sha1
group 2
crypto ikev2 policy POLICY1
match address local <ルータのアドレス>
proposal PROPOSAL1
crypto ikev2 keyring KEYRING1
peer <VGWのアドレス>
address <VGWのアドレス>
pre-shared-key <PSK>
crypto ikev2 profile IKEV2-PROFILE
match address local <ルータのアドレス>
match identity remote address <VGWのアドレス>
authentication remote pre-share
authentication local pre-share
keyring local KEYRING1
lifetime 28800
dpd 10 10 on-demand
crypto ipsec transform-set ipsec-prop-awsvpn-0 esp-aes 128 esp-sha-hmac
mode tunnel
crypto ipsec profile ipsec-awsvpn-0
set pfs group2
set security-association lifetime seconds 3600
set transform-set ipsec-prop-awsvpn-0
set ikev2-profile IKEV2-PROFILE
crypto ipsec df-bit clear
crypto isakmp keepalive 10 10
crypto ipsec security-association replay window-size 128
crypto ipsec fragmentation before-encryption
interface Tunnel1
ip address <トンネルデバイスのIPアドレス> <トンネルデバイスのNWマスク>
ip virtual-reassembly
tunnel source <ルータのアドレス>
tunnel destination <VGWのアドレス>
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-awsvpn-0
ip tcp adjust-mss 1379
no shutdown
ip route <VPCのIPアドレス> <VPCののNWマスク> Tunnel1
結果確認
IOU2#show crypto ikev2 sa
IPv4 Crypto IKEv2 SA
Tunnel-id Local Remote fvrf/ivrf Status
1 192.168.11.212/4500 54.65.54.133/4500 none/none READY
Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 28800/1425 sec
IPv6 Crypto IKEv2 SA
IOU2#show crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.168.11.212
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 54.65.54.133 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
#pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 192.168.11.212, remote crypto endpt.: 54.65.54.133
plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0xCEB1B70E(3467753230)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x85418A83(2235665027)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4177787/2106)
IV size: 16 bytes
replay detection support: Y
ecn bit support: Y status: off replay window size: 128
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCEB1B70E(3467753230)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4177787/2106)
IV size: 16 bytes
replay detection support: Y
ecn bit support: Y status: off replay window size: 128
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
IOU2#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac }
will negotiate = { Transport, },
Transform set ipsec-prop-awsvpn-0: { esp-aes esp-sha-hmac }
will negotiate = { Tunnel, },
IOU2#show crypto session int tun1
Crypto session current status
Interface: Tunnel1
Profile: IKEV2-PROFILE
Session status: UP-ACTIVE
Peer: 54.65.54.133 port 4500
Session ID: 1
IKEv2 SA: local 192.168.11.212/4500 remote 54.65.54.133/4500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
IOU2#show crypto session int tun1 detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect
Interface: Tunnel1
Profile: IKEV2-PROFILE
Uptime: 00:27:21
Session status: UP-ACTIVE
Peer: 54.65.54.133 port 4500 fvrf: (none) ivrf: (none)
Phase1_id: 54.65.54.133
Desc: (none)
Session ID: 1
IKEv2 SA: local 192.168.11.212/4500 remote 54.65.54.133/4500 Active
Capabilities:DN connid:1 lifetime:07:32:39
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 5 drop 0 life (KB/Sec) 4177787/1959
Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4177787/1959
Discussion