🛑

Ciscoルータから AWS Site to Site VPN への接続を試す

に公開

(1) 静的ルートを利用 / IKEv1で接続

# オンプレミスのグローバルIPアドレス
publicip=x.x.x.x

# VGWをアタッチするVPC
vpcid=vpc-<unique-id>

# オンプレミスのBGP ASN
customerasn=65000

# AWS側のBGP ASN
amazonasn=64512

# ルートを伝播するルートテーブル
routetableid=rtb-<uniqueid>

# VGWを宛先とするアドレス帯(スタティックルート)
localcidr=x.x.x.x/x

AWS S2S VPNは2セッション貼ることができる。
障害発生時にルートを切り替える設定を入れると盤石。
(ここではセッションは1つしかはらない)

仮想プライベートゲートウェイの作成

aws ec2 create-vpn-gateway --type ipsec.1 --amazon-side-asn ${amazonasn}

結果確認

vpngatewayid=vgw-<unique-id>
aws ec2 describe-vpn-gateways --vpn-gateway-ids ${vpngatewayid}

VPCへのVGWのアタッチ

aws ec2 attach-vpn-gateway --vpn-gateway-id ${vpngatewayid} --vpc-id ${vpcid}

結果確認

aws ec2 describe-vpn-gateways --vpn-gateway-ids ${vpngatewayid}

カスタマーゲートウェイの作成

aws ec2 create-customer-gateway --type ipsec.1 --public-ip ${publicip} --bgp-asn ${customerasn}

結果確認

customergatewayid=cgw-<unique-id>
aws ec2 describe-customer-gateways --customer-gateway-ids ${customergatewayid}

VPN接続の作成

静的ルートのみ利用する

aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id ${customergatewayid} --vpn-gateway-id ${vpngatewayid} \
--options "{\"StaticRoutesOnly\":true}"

結果確認

vpnconnectionid=vpn-<unique-id>
aws ec2 describe-vpn-connections --vpn-connection-ids ${vpnconnectionid}

VPN接続用のスタティックルートの追加

aws ec2 create-vpn-connection-route --vpn-connection-id ${vpnconnectionid} --destination-cidr-block ${localcidr}
aws ec2 describe-vpn-connections --vpn-connection-ids ${vpnconnectionid}

対向の設定のエクスポート

利用できるデバイスタイプを確認

aws ec2 get-vpn-connection-device-types --query 'VpnConnectionDeviceTypes[?Vendor==`Cisco Systems, Inc.`]'
aws ec2 get-vpn-connection-device-types --query 'VpnConnectionDeviceTypes[?Vendor==`Strongswan`]'

目的のデバイスのものを出力

aws ec2 get-vpn-connection-device-sample-configuration --vpn-connection-id ${vpnconnectionid} \
--vpn-connection-device-type-id b0adb196 --internet-key-exchange-version ikev1 --output text

Cisco ルータの設定

必要となる情報は
<VGWのアドレス>
<ルータのアドレス> NAT超えの場合は、ルータのインタフェースのアドレスでいい。
<PSK>
<トンネルデバイスのIPアドレス> と <トンネルデバイスのNWマスク>
<VPCのIPアドレス> と <VPCののNWマスク>

crypto isakmp policy 200
  encryption aes 128
  authentication pre-share
  group 2
  lifetime 28800
  hash sha

crypto keyring keyring-awsvpn-0
  local-address <ルータのアドレス>
  pre-shared-key address <VGWのアドレス> key <pre shared key>

crypto isakmp profile isakmp-awsvpn-0
  local-address <ルータのアドレス>
  match identity address <VGWのアドレス>
  keyring keyring-awsvpn-0

crypto ipsec transform-set ipsec-prop-awsvpn-0 esp-aes 128 esp-sha-hmac
  mode tunnel

crypto ipsec profile ipsec-awsvpn-0
  set pfs group2
  set security-association lifetime seconds 3600
  set transform-set ipsec-prop-awsvpn-0

crypto ipsec df-bit clear
crypto ipsec security-association replay window-size 128
crypto ipsec fragmentation before-encryption

interface Tunnel1
  ip address <トンネルデバイスのIPアドレス> <トンネルデバイスのNWマスク>
  ip virtual-reassembly
  ! tunnel source 220.146.31.241
  tunnel source <ルータのアドレス>
  tunnel destination <VGWのアドレス>
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile ipsec-awsvpn-0
  ! This option causes the router to reduce the Maximum Segment Size of
  ! TCP packets to prevent packet fragmentation.
  ip tcp adjust-mss 1379
  no shutdown

ip route <VPCのIPアドレス> <VPCののNWマスク> Tunnel1

結果確認

R1#show crypto isakmp sa 
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
3.114.212.141   192.168.11.212  QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R1#show crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 192.168.11.212

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 3.114.212.141 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
    #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.11.212, remote crypto endpt.: 3.114.212.141
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0xC1851607(3246724615)
     PFS (Y/N): Y, DH group: group2

     inbound esp sas:
      spi: 0xDD6AD72(232172914)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 1, flow_id: SW:1, sibling_flags 80004040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4304515/3513)
        IV size: 16 bytes
        replay detection support: Y  replay window size: 128
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xC1851607(3246724615)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2, flow_id: SW:2, sibling_flags 80004040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4304515/3513)
        IV size: 16 bytes
        replay detection support: Y  replay window size: 128
        Status: ACTIVE(ACTIVE)
          
     outbound ah sas:

     outbound pcp sas:
R1#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  } 
   will negotiate = { Transport,  }, 
   
Transform set ipsec-prop-awss2svpn-0: { esp-aes esp-sha-hmac  } 
   will negotiate = { Tunnel,  }, 
R1#show crypto session int tun1
Crypto session current status

Interface: Tunnel1
Profile: isakmp-awss2svpn-0
Session status: UP-ACTIVE     
Peer: 3.114.212.141 port 4500 
  Session ID: 0  
  IKEv1 SA: local 192.168.11.212/4500 remote 3.114.212.141/4500 Active 
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 
        Active SAs: 2, origin: crypto map
R1#show crypto session int tun1 detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Tunnel1
Profile: isakmp-awss2svpn-0
Uptime: 00:04:35
Session status: UP-ACTIVE     
Peer: 3.114.212.141 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 3.114.212.141
      Desc: (none)
  Session ID: 0  
  IKEv1 SA: local 192.168.11.212/4500 remote 3.114.212.141/4500 Active 
          Capabilities:N connid:1001 lifetime:07:55:24
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 3 drop 0 life (KB/Sec) 4304515/3324
        Outbound: #pkts enc'ed 3 drop 0 life (KB/Sec) 4304515/3324

AWS 側で接続を確認

aws ec2 describe-vpn-connections --vpn-connection-ids ${vpnconnectionid}

ルートの伝播

aws ec2 enable-vgw-route-propagation --gateway-id ${vpngatewayid} --route-table-id ${routetableid}

結果確認

aws ec2 describe-route-tables --route-table-id ${routetableid}

片付け

aws ec2 disable-vgw-route-propagation --gateway-id ${vpngatewayid} --route-table-id ${routetableid}
aws ec2 delete-vpn-connection-route --vpn-connection-id ${vpnconnectionid} --destination-cidr-block ${localcidr}
aws ec2 delete-vpn-connection --vpn-connection-id ${vpnconnectionid}
aws ec2 delete-customer-gateway --customer-gateway-id ${customergatewayid}
aws ec2 detach-vpn-gateway --vpc-id ${vpcid} --vpn-gateway-id ${vpngatewayid}

aws ec2 describe-vpn-gateways 〜 で、detaching となっている間は次の削除ができない。detached となるまで待つ。

    "VpnGateways": [
        {
            "VpcAttachments": [
                {
                    "State": "detaching"
                }
            ]
        }
aws ec2 delete-vpn-gateway --vpn-gateway-id ${vpngatewayid}

(2) BGPを利用 / IKEv1で接続。

BGPの設定を活かして、2つのセッション間で通信を振り分けたりもできるようだ。

仮想プライベートゲートウェイの作成

aws ec2 create-vpn-gateway --type ipsec.1 --amazon-side-asn ${amazonasn}
vpngatewayid=vgw-<unique-id>
aws ec2 describe-vpn-gateways --vpn-gateway-ids ${vpngatewayid}

VPCへのVGWのアタッチ

aws ec2 attach-vpn-gateway --vpn-gateway-id ${vpngatewayid} --vpc-id ${vpcid}
aws ec2 describe-vpn-gateways --vpn-gateway-ids ${vpngatewayid}

カスタマーゲートウェイの作成

aws ec2 create-customer-gateway --type ipsec.1 --public-ip ${publicip} --bgp-asn ${customerasn}
customergatewayid=cgw-<unique-id>
aws ec2 describe-customer-gateways --customer-gateway-ids ${customergatewayid}

VPN接続の作成

aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id ${customergatewayid} --vpn-gateway-id ${vpngatewayid}
vpnconnectionid=vpn-<unique-id>
aws ec2 describe-vpn-connections --vpn-connection-ids ${vpnconnectionid}

対向の設定のエクスポート

aws ec2 get-vpn-connection-device-types --query 'VpnConnectionDeviceTypes[?Vendor==`Cisco Systems, Inc.`]'
aws ec2 get-vpn-connection-device-types --query 'VpnConnectionDeviceTypes[?Vendor==`Strongswan`]'

aws ec2 get-vpn-connection-device-sample-configuration --vpn-connection-id ${vpnconnectionid} \
--vpn-connection-device-type-id b0adb196 --internet-key-exchange-version ikev1 --output text

Ciscoルータ側設定

その他の設定は(1)と同様なので割愛。

追加でBGPの設定をする

<ネイバーのIPアドレス> トンネルIPアドレスの1つ若番
<オンプレミスのアドレス帯> 0.0.0.0 だとデフォルトをVPNに向けられる。

router bgp 65000
  neighbor <ネイバーのIPアドレス> remote-as 64512
  neighbor <ネイバーのIPアドレス> activate
  neighbor <ネイバーのIPアドレス> timers 10 30 30
  address-family ipv4 unicast
    neighbor <ネイバーのIPアドレス> remote-as 64512
    neighbor <ネイバーのIPアドレス> timers 10 30 30
    neighbor <ネイバーのIPアドレス> default-originate
    neighbor <ネイバーのIPアドレス> activate
    neighbor <ネイバーのIPアドレス> soft-reconfiguration inbound
    network <オンプレミスのアドレス帯>
  exit
exit

ネイバーを確認

R1#show ip bgp summ
BGP router identifier 192.168.100.1, local AS number 65000
BGP table version is 2, main routing table version 2
1 network entries using 144 bytes of memory
2 path entries using 160 bytes of memory
2/1 BGP path/bestpath attribute entries using 288 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 592 total bytes of memory
BGP activity 1/0 prefixes, 2/0 paths, scan interval 60 secs

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
<ネイバーのIPアドレス>  4        64512       3       5        2    0    0 00:00:04        0

トポロジーテーブルを確認

R1#show ip bgp      
BGP table version is 3, local router ID is 192.168.100.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal, 
              r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter, 
              x best-external, a additional-path, c RIB-compressed, 
Origin codes: i - IGP, e - EGP, ? - incomplete
RPKI validation codes: V valid, I invalid, N Not found

     Network          Next Hop            Metric LocPrf Weight Path
     0.0.0.0          0.0.0.0                                0 i
 *>                   192.168.11.254           0         32768 i
 *>  10.0.0.0/16      <ネイバーのIPアドレス>         100             0 64512 i

ルートを確認

R1#show ip route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 192.168.11.254 to network 0.0.0.0

      10.0.0.0/16 is subnetted, 1 subnets
B        10.0.0.0 [20/100] via <ネイバーのIPアドレス>, 00:00:23

AWS 側で接続を確認

aws ec2 describe-vpn-connections --vpn-connection-ids ${vpnconnectionid}

BGPを設定しないと IPSEC IS UPとなっても、Status は Downのままとなる。

            "VgwTelemetry": [                                                                                                                                                                                      
                {                                                                                                                                                                                                  
                    "AcceptedRouteCount": 0,                                                                                                                                                                       
                    "LastStatusChange": "2025-07-17T22:48:35+00:00",                                     
                    "OutsideIpAddress": "3.114.212.141",                                                 
                    "Status": "DOWN",                                                                    
                    "StatusMessage": "IPSEC IS UP"                                                       
                },                                  
                {                                                                                                                                                                                                  
                    "AcceptedRouteCount": 0,                                                                                                                                                                       
                    "LastStatusChange": "2025-07-17T22:40:48+00:00",                                     
                    "OutsideIpAddress": "13.230.233.135",                                                
                    "Status": "DOWN",                                                                                                                                                                              
                    "StatusMessage": "IPSEC IS DOWN"                                                                                                                                                               
                }                                                                                                                                                                                                  
            ],                                 

BGP がネイバー関係になるとUPになる。

            "VgwTelemetry": [
                {
                    "AcceptedRouteCount": 1,
                    "LastStatusChange": "2025-07-17T23:08:38+00:00",
                    "OutsideIpAddress": "3.114.212.141",
                    "Status": "UP",
                    "StatusMessage": "1 BGP ROUTES"
                },
                {
                    "AcceptedRouteCount": 0,
                    "LastStatusChange": "2025-07-17T22:40:48+00:00",
                    "OutsideIpAddress": "13.230.233.135",
                    "Status": "DOWN",
                    "StatusMessage": "IPSEC IS DOWN"
                }

ルートの伝播

aws ec2 enable-vgw-route-propagation --gateway-id ${vpngatewayid} --route-table-id ${routetableid}
aws ec2 describe-route-tables --route-table-id ${routetableid}

片付け

aws ec2 disable-vgw-route-propagation --gateway-id ${vpngatewayid} --route-table-id ${routetableid}
aws ec2 delete-vpn-connection --vpn-connection-id ${vpnconnectionid}
aws ec2 delete-customer-gateway --customer-gateway-id ${customergatewayid}
aws ec2 detach-vpn-gateway --vpc-id ${vpcid} --vpn-gateway-id ${vpngatewayid}
aws ec2 delete-vpn-gateway --vpn-gateway-id ${vpngatewayid}

(3) 静的ルートを利用 / IKEv2で接続

AWSに対しては、基本的に (1) と同様の操作。

対向の設定のエクスポート

aws ec2 get-vpn-connection-device-sample-configuration --vpn-connection-id ${vpnconnectionid} \
--vpn-connection-device-type-id 7b754310 --internet-key-exchange-version ikev2 --output text

Cisco ルータの設定

<VGWのアドレス>
<ルータのアドレス> NAT超えの場合は、ルータのインタフェースのアドレスでいい。
<PSK>
<トンネルデバイスのIPアドレス> と <トンネルデバイスのNWマスク>
<VPCのIPアドレス> と <VPCののNWマスク>

crypto ikev2 proposal PROPOSAL1
  encryption aes-cbc-128
  integrity sha1
  group 2

crypto ikev2 policy POLICY1
  match address local <ルータのアドレス>
  proposal PROPOSAL1

crypto ikev2 keyring KEYRING1
  peer <VGWのアドレス>
  address <VGWのアドレス>
  pre-shared-key <PSK>

crypto ikev2 profile IKEV2-PROFILE
  match address local <ルータのアドレス>
  match identity remote address <VGWのアドレス>
  authentication remote pre-share
  authentication local pre-share
  keyring local KEYRING1
  lifetime 28800
  dpd 10 10 on-demand

crypto ipsec transform-set ipsec-prop-awsvpn-0 esp-aes 128 esp-sha-hmac
  mode tunnel

crypto ipsec profile ipsec-awsvpn-0
  set pfs group2
  set security-association lifetime seconds 3600
  set transform-set ipsec-prop-awsvpn-0
  set ikev2-profile IKEV2-PROFILE

crypto ipsec df-bit clear
crypto isakmp keepalive 10 10
crypto ipsec security-association replay window-size 128
crypto ipsec fragmentation before-encryption

interface Tunnel1
  ip address <トンネルデバイスのIPアドレス> <トンネルデバイスのNWマスク>
  ip virtual-reassembly
  tunnel source <ルータのアドレス>
  tunnel destination <VGWのアドレス>
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile ipsec-awsvpn-0
  ip tcp adjust-mss 1379
  no shutdown

ip route <VPCのIPアドレス> <VPCののNWマスク> Tunnel1

結果確認

IOU2#show crypto ikev2 sa          
 IPv4 Crypto IKEv2  SA 

Tunnel-id Local                 Remote                fvrf/ivrf            Status 
1         192.168.11.212/4500   54.65.54.133/4500     none/none            READY  
      Encr: AES-CBC, keysize: 128, Hash: SHA96, DH Grp:2, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 28800/1425 sec

 IPv6 Crypto IKEv2  SA 
IOU2#show crypto ipsec sa

interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 192.168.11.212

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 54.65.54.133 port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 5, #pkts encrypt: 5, #pkts digest: 5
    #pkts decaps: 5, #pkts decrypt: 5, #pkts verify: 5
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 192.168.11.212, remote crypto endpt.: 54.65.54.133
     plaintext mtu 1422, path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0xCEB1B70E(3467753230)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x85418A83(2235665027)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4177787/2106)
        IV size: 16 bytes
        replay detection support: Y
        ecn bit support: Y status: off  replay window size: 128
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xCEB1B70E(3467753230)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: Tunnel1-head-0
        sa timing: remaining key lifetime (k/sec): (4177787/2106)
        IV size: 16 bytes
        replay detection support: Y
        ecn bit support: Y status: off  replay window size: 128
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:
IOU2#show crypto ipsec transform-set
Transform set default: { esp-aes esp-sha-hmac  } 
   will negotiate = { Transport,  }, 
   
Transform set ipsec-prop-awsvpn-0: { esp-aes esp-sha-hmac  } 
   will negotiate = { Tunnel,  }, 
IOU2#show crypto session int tun1
Crypto session current status

Interface: Tunnel1
Profile: IKEV2-PROFILE
Session status: UP-ACTIVE     
Peer: 54.65.54.133 port 4500 
  Session ID: 1  
  IKEv2 SA: local 192.168.11.212/4500 remote 54.65.54.133/4500 Active 
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 
        Active SAs: 2, origin: crypto map
IOU2#show crypto session int tun1 detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation
R - IKE Auto Reconnect

Interface: Tunnel1
Profile: IKEV2-PROFILE
Uptime: 00:27:21
Session status: UP-ACTIVE     
Peer: 54.65.54.133 port 4500 fvrf: (none) ivrf: (none)
      Phase1_id: 54.65.54.133
      Desc: (none)
  Session ID: 1  
  IKEv2 SA: local 192.168.11.212/4500 remote 54.65.54.133/4500 Active 
          Capabilities:DN connid:1 lifetime:07:32:39
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0 
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 5 drop 0 life (KB/Sec) 4177787/1959
        Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4177787/1959
GitHubで編集を提案

Discussion