AWS is served from several regions.


Notes from testing private-network (IPsec VPN) communication between two regions.


Reference links


https://www.youtube.com/watch?v=lnyT9FnVKcs

ㄴ Openswan - Openswan multi cross-region connection


http://blog.leedoing.com/32

ㄴ Openswan - VGW connection



Test environment


Tokyo region (Openswan) - Singapore region (VGW)


ㅁ Tokyo region

ㄴ Create VPC (10.71.0.0/16)

ㄴ Create subnets (10.71.0.0/24, 10.71.10.0/24)

ㄴ An ordinary security group is fine, as long as the Openswan instance accepts UDP 500 (IKE), UDP 4500 (NAT-T) and ESP (IP protocol 50) from the VGW tunnel IPs

ㄴ Configure a NAT instance or NAT gateway (the Tokyo region supports NAT gateway, so a NAT gateway was used)

ㄴ Configure route tables

ㄴㄴ 10.71.0.0/24 -> default VPC local route, 0.0.0.0/0 -> IGW

ㄴㄴ 10.71.10.0/24 -> default VPC local route, 0.0.0.0/0 -> NAT gateway

ㄴ Set up an instance for Openswan

ㄴㄴ Any basic instance type is fine

ㄴㄴ Allocate an EIP (for the external connection), place it in the subnet using the 10.71.0.0/24 route table

ㄴㄴ Note: for instances other than the Openswan host to reach Singapore, the instance needs Source/Destination check disabled and the Tokyo route tables need 10.61.0.0/16 -> the Openswan instance; the tests below only ping from the Openswan host itself, so this was not needed here


ㅁ Singapore region

ㄴ Create VPC (10.61.0.0/16)

ㄴ Create subnets (10.61.0.0/24, 10.61.10.0/24)

ㄴ An ordinary security group is fine (the test instance must allow ICMP from 10.71.0.0/16 for the ping check)

ㄴ Create a VGW and attach it to the 10.61.0.0/16 VPC

ㄴ Route table: 0.0.0.0/0 -> IGW, add 10.61.0.0/16's peer prefix 10.71.0.0/16 -> VGW

ㄴ Create the VPN connection

ㄴㄴ Virtual Private Gateway -> select the VGW

ㄴㄴ Customer Gateway -> new -> IP Address (the EIP of the Openswan instance in Tokyo)

ㄴㄴ Routing Options -> Static

ㄴㄴ Static IP Prefixes -> 10.71.0.0/16


After creation, download the configuration file and note the tunnel IP and pre-shared key of the tunnel to connect (the file lists two tunnels; only tunnel #1 is used below)


IPSec Tunnel #1

  - Pre-Shared Key           : XrNEvlQO_UJ_fft5ubrqHa817Z6dwVHI


Outside IP Addresses:

  - Customer Gateway        : 52.197.5.200 

  - Virtual Private Gateway        : 52.77.123.186


Create a test instance in that subnet (for the ping check)



ㅁ Install Openswan (Tokyo region)


yum update -y && yum install openswan -y

 

chkconfig ipsec on 


vi /etc/sysctl.conf

...

### openswan config

net.ipv4.ip_forward = 1

...

(on a forwarding host it is also usual to set net.ipv4.conf.all.send_redirects = 0 and net.ipv4.conf.all.accept_redirects = 0 here, so the gateway neither emits nor honours ICMP redirects)


sysctl -p


vim /etc/ipsec.conf


include /etc/ipsec.d/*.conf
ㄴ uncomment this line; it pulls in any per-connection files placed under /etc/ipsec.d/ (the conn stanza below was put directly in /etc/ipsec.conf instead)

conn tokyo-singapore
        authby=secret
        auto=start
        type=tunnel
        left=%defaultroute
        leftid=52.197.5.200
        leftnexthop=%defaultroute
        leftsubnet=10.71.0.0/16
        right=52.77.123.186
        rightsubnet=10.61.0.0/16
        pfs=yes
        ike=aes256-sha1;modp1024!
        phase2alg=aes256-sha1;modp1024


leftid=52.197.5.200 -> public IP (EIP) of the Openswan instance

leftsubnet=10.71.0.0/16 -> Tokyo VPC private network



right=52.77.123.186 -> tunnel endpoint IP created with the VGW VPN connection (either of the two)
rightsubnet=10.61.0.0/16 -> Singapore VPC private network

ike / phase2alg -> the VGW accepted aes256-sha1;modp1024, but SHA-1 and DH group 2 (modp1024) are weak; current AWS Site-to-Site VPN also negotiates SHA-2 and DH group 14 (modp2048), which should be preferred when the VGW accepts it. The AWS Openswan template additionally sets ikelifetime=8h, keylife=1h and DPD (dpddelay/dpdtimeout/dpdaction=restart_by_peer) so a dead tunnel is re-established automatically.




vi /etc/ipsec.secrets


52.197.5.200 52.77.123.186: PSK "XrNEvlQO_UJ_fft5ubrqHa817Z6dwVHI"


52.197.5.200 -> Openswan IP (leftid)

52.77.123.186 -> VGW tunnel IP (right)


XrNEvlQO_UJ_fft5ubrqHa817Z6dwVHI -> the PSK belonging to this tunnel IP in the downloaded VPN configuration file. Keep /etc/ipsec.secrets readable by root only (mode 600); the key above is the one from this test connection and should be treated as burned.
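The post copies one tunnel's IP and PSK by hand. As an added example (not code from the original post), the script below parses the "Generic" configuration text AWS lets you download and writes conn stanzas plus secrets for both tunnels, so the second VGW endpoint is already configured when the first fails. The tunnel #1 values are the ones shown above; tunnel #2's PSK and VGW IP, the "Inside IP Addresses" lines, the conn names aws-vgw-1/aws-vgw-2, the output file names and the stronger default proposals are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: build the Openswan
# configuration for BOTH tunnels of the VGW VPN connection from the
# "Generic" configuration text AWS provides for download. Tunnel #1
# values are those shown in the post; tunnel #2 and the inside /30
# addresses are constructed sample data.

AWS_VPN_CONFIG='
IPSec Tunnel #1
  - Pre-Shared Key           : XrNEvlQO_UJ_fft5ubrqHa817Z6dwVHI
Outside IP Addresses:
  - Customer Gateway        : 52.197.5.200
  - Virtual Private Gateway        : 52.77.123.186
Inside IP Addresses
  - Customer Gateway        : 169.254.44.2/30
  - Virtual Private Gateway        : 169.254.44.1/30

IPSec Tunnel #2
  - Pre-Shared Key           : CONSTRUCTEDexamplePSKfortunnel2x
Outside IP Addresses:
  - Customer Gateway        : 52.197.5.200
  - Virtual Private Gateway        : 52.77.123.187
Inside IP Addresses
  - Customer Gateway        : 169.254.45.2/30
  - Virtual Private Gateway        : 169.254.45.1/30
'

# parse_tunnels: config text on stdin -> one line per tunnel:
# "<n> <psk> <cgw_outside_ip> <vgw_outside_ip>". Only the "Outside IP
# Addresses" section is used; the inside /30s are for BGP and are not
# needed for a static, policy-based tunnel.
parse_tunnels() {
    awk '
        /IPSec Tunnel #/       { n = $3; sub(/#/, "", n); order[++cnt] = n; sec = "" }
        /Pre-Shared Key/       { psk[n] = $NF }
        /Outside IP Addresses/ { sec = "outside" }
        /Inside IP Addresses/  { sec = "inside" }
        sec == "outside" && /Customer Gateway/        { cgw[n] = $NF }
        sec == "outside" && /Virtual Private Gateway/ { vgw[n] = $NF }
        END { for (i = 1; i <= cnt; i++) { t = order[i]; print t, psk[t], cgw[t], vgw[t] } }
    '
}

# Proposals: the post used aes256-sha1;modp1024. These stronger strings
# (assumed here) are what current AWS Site-to-Site VPN negotiates; fall
# back to the post's if the VGW rejects them.
IKE_PROPOSAL=${IKE_PROPOSAL:-'aes256-sha2_256;modp2048!'}
ESP_PROPOSAL=${ESP_PROPOSAL:-'aes256-sha2_256;modp2048'}

# render_conn NAME AUTO LEFT_ID LEFT_SUBNET RIGHT RIGHT_SUBNET
render_conn() {
    cat <<EOF
conn $1
        authby=secret
        auto=$2
        type=tunnel
        left=%defaultroute
        leftid=$3
        leftnexthop=%defaultroute
        leftsubnet=$4
        right=$5
        rightsubnet=$6
        pfs=yes
        ike=$IKE_PROPOSAL
        phase2alg=$ESP_PROPOSAL
        ikelifetime=8h
        keylife=1h
        dpddelay=10
        dpdtimeout=30
        dpdaction=restart_by_peer
EOF
}

# build_config OUTDIR LEFT_SUBNET RIGHT_SUBNET  (config text on stdin)
# Writes OUTDIR/aws-vgw.conf (for /etc/ipsec.d/, picked up by the
# "include /etc/ipsec.d/*.conf" line) and OUTDIR/aws-vgw.secrets (mode
# 600, to include from /etc/ipsec.secrets). Tunnel #1 is started,
# tunnel #2 only loaded (auto=add): Openswan policy-based tunnels cannot
# both install the same subnet pair, so failover is
# "ipsec auto --up aws-vgw-2", by hand or from a monitor of tunnel #1.
build_config() {
    outdir=$1; left_subnet=$2; right_subnet=$3
    conf="$outdir/aws-vgw.conf"; secrets="$outdir/aws-vgw.secrets"
    : > "$conf"
    (umask 077; : > "$secrets")          # never world-readable, even briefly
    parse_tunnels | while read -r n psk cgw vgw; do
        auto=start; [ "$n" -eq 1 ] || auto=add
        render_conn "aws-vgw-$n" "$auto" "$cgw" "$left_subnet" "$vgw" "$right_subnet" >> "$conf"
        echo >> "$conf"
        printf '%s %s: PSK "%s"\n' "$cgw" "$vgw" "$psk" >> "$secrets"
    done
}

# Demo on the constructed input, written to a scratch directory.
OUT=$(mktemp -d)
printf '%s\n' "$AWS_VPN_CONFIG" | build_config "$OUT" 10.71.0.0/16 10.61.0.0/16
cat "$OUT/aws-vgw.conf" "$OUT/aws-vgw.secrets"
```

Run it with the real downloaded file on stdin (`build_config /tmp/out 10.71.0.0/16 10.61.0.0/16 < vpn-config.txt`), copy the two files into /etc/ipsec.d/, add `include /etc/ipsec.d/*.secrets` to /etc/ipsec.secrets, then `service ipsec restart` and `service ipsec status` should report "1 tunnels up" as in the post.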



[root@ip-10-71-0-104 ~]# service ipsec restart

ipsec_setup: Stopping Openswan IPsec...

could not open include filename: '/etc/ipsec.d/*.conf' (tried  and )

ipsec_setup: Starting Openswan IPsec U2.6.37/K4.4.11-23.53.amzn1.x86_64...

ipsec_setup: could not open include filename: '/etc/ipsec.d/*.conf' (tried  and )

ipsec_setup: /usr/libexec/ipsec/addconn Non-fips mode set in /proc/sys/crypto/fips_enabled

[root@ip-10-71-0-104 ~]#

(the "could not open include filename" message only means no *.conf file exists under /etc/ipsec.d/ yet; it is harmless while the conn stanza lives in /etc/ipsec.conf)



[root@ip-10-71-0-104 ~]# service ipsec status

IPsec running  - pluto pid: 28384

pluto pid 28384

1 tunnels up

some eroutes exist

[root@ip-10-71-0-104 ~]# 



[root@ip-10-71-0-104 ~]# ping 10.61.10.165

PING 10.61.10.165 (10.61.10.165) 56(84) bytes of data.

64 bytes from 10.61.10.165: icmp_seq=1 ttl=254 time=92.5 ms

64 bytes from 10.61.10.165: icmp_seq=2 ttl=254 time=92.4 ms

^C

--- 10.61.10.165 ping statistics ---

2 packets transmitted, 2 received, 0% packet loss, time 1001ms

rtt min/avg/max/mdev = 92.466/92.529/92.592/0.063 ms

[root@ip-10-71-0-104 ~]#


[root@ip-10-71-0-104 ~]# iptables --table nat --append POSTROUTING --source 10.61.0.0/16 -j MASQUERADE

[root@ip-10-71-0-104 ~]# iptables -t nat -nvL

Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         


Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         


Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination         


Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)

 pkts bytes target     prot opt in     out     source               destination                 

    0     0 MASQUERADE  all  --  *      *       10.61.0.0/16         0.0.0.0/0           

[root@ip-10-71-0-104 ~]#

(the counters stay at 0 because the pings in this test terminate on the Openswan host itself; the rule only touches Singapore traffic forwarded through the host, and it then rewrites the source to the host's own address, so Tokyo instances cannot tell Singapore origins apart)
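The MASQUERADE rule above saves a return route in Tokyo at the cost of hiding every Singapore source behind the gateway. As an added example (not from the original post), the script below places that rule beside a least-privilege netfilter policy for the Openswan host: IKE/NAT-T/ESP accepted only from the VGW endpoints, no NAT, and forwarding between the two VPC prefixes only for packets that actually came out of (or go into) an IPsec SA. The second VGW IP 52.77.123.187 is constructed, and the rules are printed rather than applied unless DRY_RUN is cleared and the script runs as root.

```shell
#!/bin/sh
# Added example, not from the original post: the post's MASQUERADE rule
# next to a least-privilege netfilter policy for the Openswan host.
# Assumed values (from the post where available): 10.71.0.0/16 is the
# local Tokyo VPC, 10.61.0.0/16 the remote Singapore VPC, and the VGW
# outside IPs are 52.77.123.186 plus a constructed 52.77.123.187.

LOCAL_NET=${LOCAL_NET:-10.71.0.0/16}
REMOTE_NET=${REMOTE_NET:-10.61.0.0/16}
VGW_PEERS=${VGW_PEERS:-"52.77.123.186 52.77.123.187"}
DRY_RUN=${DRY_RUN-1}        # unset -> print rules; DRY_RUN= (empty) -> apply

ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# The post's rule. It spares Tokyo a return route for 10.61.0.0/16, but
# every Singapore packet then reaches Tokyo instances with the Openswan
# host's own address as its source, so their security groups cannot
# distinguish Singapore origins from the gateway itself.
weak_nat_rule() {
    ipt --table nat --append POSTROUTING --source "$REMOTE_NET" -j MASQUERADE
}

# Hardened alternative: no NAT, and only IPsec-protected traffic between
# the two VPCs transits the host. On the AWS side this needs
# Source/Destination check disabled on the Openswan instance, a Tokyo
# route 10.61.0.0/16 -> that instance, and a security group allowing
# UDP 500, UDP 4500 and ESP (protocol 50) from the VGW outside IPs.
apply_policy() {
    # Control plane: IKE, NAT-T and ESP accepted only from the VGW endpoints.
    for peer in $VGW_PEERS; do
        ipt -A INPUT -s "$peer" -p udp --dport 500 -j ACCEPT
        ipt -A INPUT -s "$peer" -p udp --dport 4500 -j ACCEPT
        ipt -A INPUT -s "$peer" -p esp -j ACCEPT
    done
    # Data plane: forward only the two VPC prefixes, and only when the
    # packet was decapsulated from (dir in) or will be encapsulated into
    # (dir out) an IPsec SA. A plaintext packet on eth0 with a spoofed
    # 10.61.x source fails the policy match and is dropped, not routed.
    ipt -P FORWARD DROP
    ipt -A FORWARD -s "$REMOTE_NET" -d "$LOCAL_NET" \
        -m policy --dir in --pol ipsec --proto esp -j ACCEPT
    ipt -A FORWARD -s "$LOCAL_NET" -d "$REMOTE_NET" \
        -m policy --dir out --pol ipsec --proto esp -j ACCEPT
    # Everything else that tries to transit is logged (rate-limited) and
    # falls through to the DROP policy.
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "vpn-fwd-drop: "
}

echo "# post's rule:";     weak_nat_rule
echo "# hardened policy:"; apply_policy
```

With the hardened policy the Tokyo test instance's security group can admit, say, only 10.61.10.0/24 on the ports it serves, because the real Singapore source survives the hop; with MASQUERADE it would have to admit the whole Openswan host instead.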


ㅁ Singapore region



[root@ip-10-61-10-165 ~]# ping 10.71.0.104

PING 10.71.0.104 (10.71.0.104) 56(84) bytes of data.

64 bytes from 10.71.0.104: icmp_seq=1 ttl=254 time=92.6 ms

64 bytes from 10.71.0.104: icmp_seq=2 ttl=254 time=92.5 ms

64 bytes from 10.71.0.104: icmp_seq=3 ttl=254 time=92.4 ms

^C

--- 10.71.0.104 ping statistics ---

3 packets transmitted, 3 received, 0% packet loss, time 2003ms

rtt min/avg/max/mdev = 92.493/92.582/92.674/0.073 ms

[root@ip-10-61-10-165 ~]#


Ping works in both directions.


I intended to set Openswan up as a frontend and build a backend subnet behind it for testing, but ran out of time at work and could not test it.


Final result:

The Tokyo (10.71.0.0/24 subnet) - Singapore (10.61.10.0/24) connection was built and verified without problems.




