BGP over IPsec (peering with Amazon)

From IN-TON

An example configuration is given below; in some cases it can be simplified, or further options can be added (for example, prefix filters).


IKE

  ! #1: Internet Key Exchange (IKE) Configuration
  !
  ! A policy is established for the supported ISAKMP encryption,
  ! authentication, Diffie-Hellman, lifetime, and key parameters.
  !
  ! Note that there is a global list of ISAKMP policies, each identified by
  ! sequence number. This policy is defined as #200, which may conflict with
  ! an existing policy using the same number. If so, we recommend changing
  ! the sequence number to avoid conflicts.
  !
  crypto isakmp policy 200
  encryption aes 128
  authentication pre-share
  group 2
  lifetime 28800
  hash sha
  exit

  ! The ISAKMP keyring stores the Pre Shared Key used to authenticate the
  ! tunnel endpoints.
  !
  crypto keyring keyring-vpn-44a8938f-0
  pre-shared-key address 72.21.209.225 key plain-text-password1
  exit

  ! An ISAKMP profile is used to associate the keyring with the particular
  ! endpoint.
  !
  crypto isakmp profile isakmp-vpn-44a8938f-0
  match identity address 72.21.209.225
  keyring keyring-vpn-44a8938f-0
  exit

IPSEC

  ! #2: IPsec Configuration
  !
  ! The IPsec transform set defines the encryption, authentication, and IPsec
  ! mode parameters.
  !
  crypto ipsec transform-set ipsec-prop-vpn-44a8938f-0 esp-aes 128 esp-sha-hmac
  mode tunnel
  exit

  ! The IPsec profile references the IPsec transform set and further defines
  ! the Diffie-Hellman group and security association lifetime.
  !
  crypto ipsec profile ipsec-vpn-44a8938f-0
  set pfs group2
  set security-association lifetime seconds 3600
  set transform-set ipsec-prop-vpn-44a8938f-0
  exit

  ! Additional parameters of the IPsec configuration are set here. Note that
  ! these parameters are global and therefore impact other IPsec
  ! associations.
  ! This option instructs the router to clear the "Don't Fragment"
  ! bit from packets that carry this bit and yet must be fragmented, enabling
  ! them to be fragmented.
  !
  crypto ipsec df-bit clear

  ! This option enables IPsec Dead Peer Detection, which causes periodic
  ! messages to be sent to ensure a Security Association remains operational.
  !
  crypto isakmp keepalive 10 10 on-demand

  ! This configures the gateway's window for accepting out of order
  ! IPsec packets. A larger window can be helpful if too many packets
  ! are dropped due to reordering while in transit between gateways.
  !
  crypto ipsec security-association replay window-size 128

  ! This option instructs the router to fragment the unencrypted packets
  ! (prior to encryption).
  !
  crypto ipsec fragmentation before-encryption

Tunnel

  ! #3: Tunnel Interface Configuration
  !
  ! A tunnel interface is configured to be the logical interface associated
  ! with the tunnel. All traffic routed to the tunnel interface will be
  ! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
  ! will be logically received on this interface.
  !
  ! Association with the IPsec security association is done through the
  ! "tunnel protection" command.
  !
  ! The address of the interface is configured with the setup for your
  ! Customer Gateway. If the address changes, the Customer Gateway and VPN
  ! Connection must be recreated with Amazon VPC.
  !
  interface Tunnel1
  ip address 169.254.255.2 255.255.255.252
  ip virtual-reassembly
  tunnel source YOUR_UPLINK_ADDRESS
  tunnel destination 72.21.209.225
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile ipsec-vpn-44a8938f-0
  ! This option causes the router to reduce the Maximum Segment Size of
  ! TCP packets to prevent packet fragmentation.
  ip tcp adjust-mss 1396
  no shutdown
  exit

BGP

  ! #4: Border Gateway Protocol (BGP) Configuration
  !
  ! BGP is used within the tunnel to exchange prefixes between the
  ! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
  ! will announce the prefix corresponding to your VPC.
  !
  ! Your Customer Gateway may announce a default route (0.0.0.0/0),
  ! which can be done with the 'network' statement and
  ! 'default-originate' statements.
  !
  ! The BGP timers are adjusted to provide more rapid detection of outages.
  !
  ! The local BGP Autonomous System Number (ASN) (YOUR_BGP_ASN) is configured
  ! as part of your Customer Gateway. If the ASN must be changed, the
  ! Customer Gateway and VPN Connection will need to be recreated with AWS.
  !
  router bgp YOUR_BGP_ASN
  neighbor 169.254.255.1 remote-as 7224
  neighbor 169.254.255.1 activate
  neighbor 169.254.255.1 timers 10 30 30
  address-family ipv4 unicast
  neighbor 169.254.255.1 remote-as 7224
  neighbor 169.254.255.1 timers 10 30 30
  neighbor 169.254.255.1 default-originate
  neighbor 169.254.255.1 activate
  neighbor 169.254.255.1 soft-reconfiguration inbound
  ! To advertise additional prefixes to Amazon VPC, copy the 'network' statement
  ! and identify the prefix you wish to advertise. Make sure the prefix is present
  ! in the routing table of the device with a valid next-hop.
  network 0.0.0.0
  exit
  exit
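The introduction mentions prefix filters as an option worth adding. The fragment below is an added example, not part of the original page or of the Amazon-generated configuration: it limits what the router accepts from the Virtual Private Gateway to the VPC prefix and what it announces to the default route, so a misconfiguration on either side cannot inject or leak unexpected routes. The VPC CIDR 10.0.0.0/16 and the maximum-prefix value are assumptions; replace them with your own values.

```cisco
! Added example (not from the original page). Assumes the VPC uses
! 10.0.0.0/16; adjust FROM-AWS to the prefix(es) the VPC actually announces.
! Prefix lists end with an implicit deny, so only the permitted entries pass.
ip prefix-list FROM-AWS seq 10 permit 10.0.0.0/16
ip prefix-list FROM-AWS seq 20 deny 0.0.0.0/0 le 32
!
! Outbound: announce only the default route generated by 'default-originate'
! (and the 'network 0.0.0.0' statement); nothing else leaves the tunnel.
ip prefix-list TO-AWS seq 10 permit 0.0.0.0/0
ip prefix-list TO-AWS seq 20 deny 0.0.0.0/0 le 32
!
router bgp YOUR_BGP_ASN
 address-family ipv4 unicast
  neighbor 169.254.255.1 prefix-list FROM-AWS in
  neighbor 169.254.255.1 prefix-list TO-AWS out
  ! Tear the session down (and retry after 5 minutes) if the peer ever
  ! sends more than 100 prefixes; the value is an assumed safety margin.
  neighbor 169.254.255.1 maximum-prefix 100 restart 5
 exit-address-family
exit
```

After applying the filters, 'clear ip bgp 169.254.255.1 soft' re-evaluates the session in place; the existing 'soft-reconfiguration inbound' keeps the unfiltered received routes visible for comparison.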