Using a cloud service (Amazon VPC)

This is a solution for connecting over a VPN to the data center that provides a cloud service.
Presented here is a configuration example for connecting to the Amazon VPC service with secure communication over an IPsec VPN, combined with dynamic routing built on BGP.

For details on the Amazon VPC service, refer to the technical documentation (in English).

Using a cloud service

A cloud service can be connected to over an IPsec VPN. Because a VPN is used, information stays protected even though the cloud service is reached across the Internet. In addition, resources of the Internet-based cloud service are used just as if they were resources on the company's internal network, so the cloud service can be introduced into the company without large changes to the internal network's security configuration.

Details on using Amazon VPC are explained in the technical documentation. Check the configuration information for the service you use.

RTX1200 configuration

The configuration section below can be downloaded.

IP address setting (LAN side)

ip lan1 address 192.168.0.1/24

PP interface setting (PPPoE connection)

pp select 1
pp always-on on
pppoe use lan2
pppoe auto disconnect off
pp auth accept pap chap
pp auth myname NAME PASSWORD
ppp lcp mru on 1454
ppp ipcp ipaddress on
ppp ipcp msext on
ppp ccp type none
ip pp nat descriptor 1
pp enable 1

Tunnel interface setting (primary)

tunnel select 1
ipsec tunnel 101
ipsec sa policy 101 1 esp aes-cbc sha-hmac
ipsec ike duration ipsec-sa 1 3600
ipsec ike duration isakmp-sa 1 28800
ipsec ike encryption 1 aes-cbc
ipsec ike group 1 modp1024
ipsec ike hash 1 sha
ipsec ike keepalive use 1 on dpd 10 3
ipsec ike local address 1 192.168.0.1
ipsec ike pre-shared-key 1 text PRE-SHARED-KEY1
ipsec ike remote address 1 72.21.209.225
ipsec tunnel outer df-bit clear
ip tunnel address 169.254.255.2/30
ip tunnel remote address 169.254.255.1
ip tunnel tcp mss limit 1396
tunnel enable 1

Tunnel interface setting (backup)

tunnel select 2
ipsec tunnel 102
ipsec sa policy 102 2 esp aes-cbc sha-hmac
ipsec ike duration ipsec-sa 2 3600
ipsec ike duration isakmp-sa 2 28800
ipsec ike encryption 2 aes-cbc
ipsec ike group 2 modp1024
ipsec ike hash 2 sha
ipsec ike keepalive log 2 off
ipsec ike keepalive use 2 on dpd 10 3
ipsec ike local address 2 192.168.0.1
ipsec ike pre-shared-key 2 text PRE-SHARED-KEY2
ipsec ike remote address 2 72.21.209.193
ipsec auto refresh 2 on
ipsec tunnel outer df-bit clear
ip tunnel address 169.254.255.6/30
ip tunnel remote address 169.254.255.5
ip tunnel tcp mss limit 1396
tunnel enable 2

NAT setting

nat descriptor type 1 masquerade
nat descriptor masquerade static 1 1 192.168.0.1 udp 500
nat descriptor masquerade static 1 2 192.168.0.1 esp

BGP setting

bgp use on
bgp autonomous-system 65000
bgp neighbor 1 7224 169.254.255.1 hold-time=30 local-address=169.254.255.2
bgp neighbor 2 7224 169.254.255.5 hold-time=30 local-address=169.254.255.6
bgp import filter 1 equal 0.0.0.0/0
bgp import 7224 static filter 1

Setting required when using IPsec

ipsec auto refresh on

Other settings

dhcp service server
dhcp server rfc2131 compliant except remain-silent
dhcp scope 1 192.168.0.2-192.168.0.191/24

dns server pp 1
dns private address spoof on
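The configuration above is built from several sections that have to agree with each other: the `ipsec tunnel` policy id must match the `ipsec sa policy` line, each tunnel's inner /30 must contain the remote inner address, each BGP neighbor must sit on that same /30 with the matching `local-address`, the two tunnels must reach different remote gateways to give any redundancy, and, because NAT is applied on the PPPoE interface, inbound IKE (UDP 500) and ESP must be statically mapped back to the router's IKE local address. The Python script below is an added example, not part of this page or of Yamaha's own tooling: it parses those lines from the RTX1200 configuration (the command syntax is taken from the lines shown above) and reports any disagreement between the sections. The function names are my own, and the embedded sample is a constructed copy of the page's tunnel, NAT and BGP lines so the checker runs offline; it also flags the placeholder pre-shared keys that must be replaced with the values AWS issues.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: the tunnel, NAT and BGP lines of the RTX1200 configuration
# on this page, embedded so the checker runs without a router.
SAMPLE_CONFIG = """\
tunnel select 1
ipsec tunnel 101
ipsec sa policy 101 1 esp aes-cbc sha-hmac
ipsec ike keepalive use 1 on dpd 10 3
ipsec ike local address 1 192.168.0.1
ipsec ike pre-shared-key 1 text PRE-SHARED-KEY1
ipsec ike remote address 1 72.21.209.225
ipsec tunnel outer df-bit clear
ip tunnel address 169.254.255.2/30
ip tunnel remote address 169.254.255.1
tunnel select 2
ipsec tunnel 102
ipsec sa policy 102 2 esp aes-cbc sha-hmac
ipsec ike keepalive use 2 on dpd 10 3
ipsec ike local address 2 192.168.0.1
ipsec ike pre-shared-key 2 text PRE-SHARED-KEY2
ipsec ike remote address 2 72.21.209.193
ip tunnel address 169.254.255.6/30
ip tunnel remote address 169.254.255.5
nat descriptor masquerade static 1 1 192.168.0.1 udp 500
nat descriptor masquerade static 1 2 192.168.0.1 esp
bgp neighbor 1 7224 169.254.255.1 hold-time=30 local-address=169.254.255.2
bgp neighbor 2 7224 169.254.255.5 hold-time=30 local-address=169.254.255.6
"""


def parse_rtx_config(text):
    """Collect the tunnel, IKE gateway, NAT and BGP facts the checks need."""
    tunnels = defaultdict(dict)   # tunnel number -> settings from its block
    gateways = defaultdict(dict)  # IKE gateway id -> local/remote/psk/dpd
    neighbors = set()             # (BGP neighbor ip, local-address)
    nat_static = set()            # (inside address, protocol, port or None)
    cur = None                    # tunnel selected by the last 'tunnel select'
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[:2] == ["tunnel", "select"]:
            cur = int(w[2])
        elif w[:2] == ["ipsec", "tunnel"] and w[2].isdigit() and cur:
            tunnels[cur]["policy"] = int(w[2])
        elif w[:3] == ["ipsec", "sa", "policy"] and cur:  # ... <policy> <gateway> esp ...
            tunnels[cur]["sa_policy"], tunnels[cur]["gateway"] = int(w[3]), int(w[4])
        elif w[:4] == ["ipsec", "ike", "local", "address"]:
            gateways[int(w[4])]["local"] = w[5]
        elif w[:4] == ["ipsec", "ike", "remote", "address"]:
            gateways[int(w[4])]["remote"] = w[5]
        elif w[:3] == ["ipsec", "ike", "pre-shared-key"]:  # ... <gateway> text <key>
            gateways[int(w[3])]["psk"] = w[5]
        elif w[:4] == ["ipsec", "ike", "keepalive", "use"]:
            gateways[int(w[4])]["dpd"] = w[5] == "on" and "dpd" in w[6:]
        elif w[:3] == ["ip", "tunnel", "address"] and cur:
            tunnels[cur]["inner"] = w[3]
        elif w[:4] == ["ip", "tunnel", "remote", "address"] and cur:
            tunnels[cur]["inner_remote"] = w[4]
        elif w[:2] == ["bgp", "neighbor"]:  # bgp neighbor <n> <remote-as> <ip> key=value ...
            opts = dict(o.split("=", 1) for o in w[5:] if "=" in o)
            neighbors.add((w[4], opts.get("local-address")))
        elif w[:4] == ["nat", "descriptor", "masquerade", "static"]:
            # nat descriptor masquerade static <desc> <n> <inside> <proto> [port]
            nat_static.add((w[6], w[7], w[8] if len(w) > 8 else None))
    return tunnels, gateways, neighbors, nat_static


def check_config(text):
    """Return a list of findings; an empty list means the sections agree."""
    tunnels, gateways, neighbors, nat_static = parse_rtx_config(text)
    findings = []
    for n, t in sorted(tunnels.items()):
        gw = gateways.get(t.get("gateway"), {})
        if t.get("policy") != t.get("sa_policy"):
            findings.append(f"tunnel {n}: 'ipsec tunnel' and 'ipsec sa policy' ids differ")
        for key in ("local", "remote", "psk"):
            if key not in gw:
                findings.append(f"tunnel {n}: IKE gateway {t.get('gateway')} lacks a {key} setting")
        if not gw.get("dpd"):
            findings.append(f"tunnel {n}: DPD is off, so failover to the other tunnel will be slow")
        if gw.get("psk", "").startswith("PRE-SHARED-KEY"):
            findings.append(f"tunnel {n}: pre-shared key is still the example placeholder")
        inner, inner_remote = t.get("inner"), t.get("inner_remote")
        if not (inner and inner_remote):
            findings.append(f"tunnel {n}: inner tunnel addresses are incomplete")
            continue
        # One link-local /30 per tunnel: both ends must be inside it.
        if ipaddress.ip_address(inner_remote) not in ipaddress.ip_interface(inner).network:
            findings.append(f"tunnel {n}: {inner_remote} is outside the inner /30 {inner}")
        local_ip = inner.split("/")[0]  # the BGP session rides the same inner addresses
        if (inner_remote, local_ip) not in neighbors:
            findings.append(f"tunnel {n}: no BGP neighbor {inner_remote} with local-address {local_ip}")
    remotes = [g["remote"] for g in gateways.values() if "remote" in g]
    if len(remotes) != len(set(remotes)):  # redundancy needs two distinct endpoints
        findings.append("both tunnels terminate at the same remote gateway address")
    # NAT on the PPPoE interface: inbound IKE (UDP 500) and ESP must be mapped to the IKE local address.
    for local in {g["local"] for g in gateways.values() if "local" in g}:
        for proto, port in (("udp", "500"), ("esp", None)):
            if (local, proto, port) not in nat_static:
                findings.append(f"NAT: no masquerade static entry for {proto} {port or ''} to {local}")
    return findings


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONFIG) or ["no inconsistencies found"]:
        print(line)
```

Run against the page's own lines the only findings are the two placeholder pre-shared keys; editing one `local-address`, dropping a `keepalive use ... dpd` line or removing the ESP masquerade entry each produces a specific finding, which is the kind of slip that otherwise shows up only as a tunnel that comes up but never carries BGP routes.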
