Automating Amazon VPC VPN connection setup

I tried automating the whole process of creating an Amazon VPC VPN connection and pushing its configuration into the router.
Yesterday's conversation on Twitter (about the post "RTX1100 からVPCに接続した記録 - petachの日記")

It should be doable. Let's give it a try.

How to generate the config file automatically

Both ec2-describe-vpn-connections and ec2-create-vpn-connection accept a --format argument that returns the configuration as a file for various devices. If you choose XML as the format, you can also pass an XSLT stylesheet with --stylesheet.
The idea is to use this to generate the commands to feed into Vyatta and then pipe them in over ssh.
The XSLT file is here.
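As an added example that is not the author's stylesheet, here is the same transformation done in Python instead of XSLT: it reads the XML that ec2-create-vpn-connection --format xml returns and prints the per-tunnel Vyatta set commands that appear in the transcript below, advertising the default route once rather than once per tunnel. The embedded XML is a constructed sample trimmed to the elements the script reads, laid out like AWS's generic customer gateway configuration; the shared ike-group and esp-group lines are left out.

```python
import xml.etree.ElementTree as ET
# Constructed sample input, trimmed to the elements read below; the layout
# follows the XML that ec2-create-vpn-connection --format xml returns.
_TUNNEL = """<ipsec_tunnel>
 <customer_gateway>
  <tunnel_outside_address><ip_address>192.0.2.50</ip_address></tunnel_outside_address>
  <tunnel_inside_address><ip_address>{cgw_in}</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
  <bgp><asn>65000</asn><hold_time>30</hold_time></bgp></customer_gateway>
 <vpn_gateway>
  <tunnel_outside_address><ip_address>{vgw_out}</ip_address></tunnel_outside_address>
  <tunnel_inside_address><ip_address>{vgw_in}</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
  <bgp><asn>10124</asn><hold_time>30</hold_time></bgp></vpn_gateway>
 <ike><pre_shared_key>{psk}</pre_shared_key></ike>
</ipsec_tunnel>"""
SAMPLE_XML = ('<vpn_connection id="vpn-00000000">'
              + _TUNNEL.format(vgw_out="203.0.113.16", cgw_in="169.254.252.2", vgw_in="169.254.252.1", psk="EXAMPLE_PSK_1")
              + _TUNNEL.format(vgw_out="203.0.113.144", cgw_in="169.254.252.6", vgw_in="169.254.252.5", psk="EXAMPLE_PSK_2")
              + "</vpn_connection>")

def vyatta_commands(xml_text, ike_group="AWS", esp_group="AWS"):
    # One peer, one vti interface and one BGP neighbour per <ipsec_tunnel>.
    root = ET.fromstring(xml_text)
    local_as = root.findtext("ipsec_tunnel/customer_gateway/bgp/asn")
    cmds = []
    for n, tun in enumerate(root.findall("ipsec_tunnel")):
        cgw, vgw = tun.find("customer_gateway"), tun.find("vpn_gateway")
        peer = vgw.findtext("tunnel_outside_address/ip_address")
        neighbor = vgw.findtext("tunnel_inside_address/ip_address")
        hold, vti = int(vgw.findtext("bgp/hold_time")), f"vti{n}"
        p = f"set vpn ipsec site-to-site peer {peer}"
        b = f"set protocols bgp {local_as} neighbor {neighbor}"
        cmds += [
            f"{p} authentication mode 'pre-shared-secret'",
            # quoted so the Vyatta CLI takes the key as a single literal token
            f"{p} authentication pre-shared-secret '{tun.findtext('ike/pre_shared_key')}'",
            f"{p} ike-group '{ike_group}'",
            f"{p} local-address '{cgw.findtext('tunnel_outside_address/ip_address')}'",
            f"{p} vti bind '{vti}'",
            f"{p} vti esp-group '{esp_group}'",
            f"set interfaces vti {vti} address '{cgw.findtext('tunnel_inside_address/ip_address')}"
            f"/{cgw.findtext('tunnel_inside_address/network_cidr')}'",
            f"set interfaces vti {vti} mtu '1390'",  # the value the transcript uses
            f"{b} remote-as '{vgw.findtext('bgp/asn')}'",
            f"{b} soft-reconfiguration 'inbound'",
            f"{b} timers holdtime '{hold}'",
            f"{b} timers keepalive '{hold // 3}'",  # our choice: a third of the hold time
        ]
    # emitted once, not per tunnel, so Vyatta does not report "already exists"
    cmds.append(f"set protocols bgp {local_as} network 0.0.0.0/0")
    return cmds
```

One consequence of the transcript's ssh -t -t approach is that the pseudo-terminal echoes every line, so the pre-shared secret is printed back and ends up in the terminal scrollback and any session log.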

How to push the config file automatically

Prerequisites

  • Run this from a host that has the EC2 API Tools installed and can ssh into Vyatta with key authentication.
  • With the cgw and vgw already created, create the VPN connection, generate the config file at the same time, and feed it in over ssh.
$ ( echo configure ; ec2-create-vpn-connection -t ipsec.1 --customer-gateway cgw-63a91c62 --vpn-gateway vgw-5ca81d5d --format xml --stylesheet vyatta.xsl | grep ^set ; echo commit ; echo exit ; echo logout ) | ssh -t -t vyatta@{VyattaIP}
Welcome to Vyatta
Linux vyatta2 3.3.8-1-586-vyatta-virt #1 SMP Mon Nov 12 12:23:24 PST 2012 i686
configure
Welcome to Vyatta.
This system is open-source software. The exact distribution terms for
each module comprising the full system are described in the individual
files in /usr/share/doc/*/copyright.
Last login: Thu Jan 10 17:31:36 2013 from 192.168.1.133
vyatta@vyatta2:~$ configure
[edit]
vyatta@vyatta2# set vpn ipsec ike-group AWS lifetime '28800'
[edit]
vyatta@vyatta2# set vpn ipsec ike-group AWS proposal 1 dh-group '2'
[edit]
vyatta@vyatta2# set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
[edit]
vyatta@vyatta2# set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
[edit]
vyatta@vyatta2# set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
[edit]
vyatta@vyatta2# set vpn ipsec ike-group AWS dead-peer-detection interval '15'
[edit]
vyatta@vyatta2# set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
[edit]
vyatta@vyatta2# set vpn ipsec esp-group AWS compression 'disable'
[edit]
vyatta@vyatta2# set vpn ipsec esp-group AWS lifetime '3600'
[edit]
vyatta@vyatta2# set vpn ipsec esp-group AWS mode 'tunnel'
[edit]
vyatta@vyatta2# set vpn ipsec esp-group AWS pfs 'enable'
[edit]
vyatta@vyatta2# set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
[edit]
vyatta@vyatta2# set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
[edit]
vyatta@vyatta2# set vpn ipsec ipsec-interfaces interface 'eth0'
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.16 authentication mode 'pre-shared-secret'
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.16 authentication pre-shared-secret PRESHAREDSECRET
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.16 ike-group 'AWS'
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.16 local-address x.x.x.50
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.16 vti bind 'vti0'
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.16 vti esp-group 'AWS'
[edit]
vyatta@vyatta2# set interfaces vti vti0 address '169.254.252.2/30'
[edit]
vyatta@vyatta2# set interfaces vti vti0 mtu '1390'
[edit]
vyatta@vyatta2# set protocols bgp 65000 neighbor 169.254.252.1 remote-as '10124'
[edit]
vyatta@vyatta2# set protocols bgp 65000 neighbor 169.254.252.1 soft-reconfiguration 'inbound'
[edit]
vyatta@vyatta2# set protocols bgp 65000 neighbor 169.254.252.1 timers holdtime '30'
[edit]
vyatta@vyatta2# set protocols bgp 65000 neighbor 169.254.252.1 timers keepalive '30'
[edit]
vyatta@vyatta2# set protocols bgp 65000 network 0.0.0.0/0
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.144 authentication mode 'pre-shared-secret'
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.144 authentication pre-shared-secret PRESHAREDSECRET
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.144 ike-group 'AWS'
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.144 local-address x.x.x.50
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.144 vti bind 'vti1'
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.144 vti esp-group 'AWS'
[edit]
vyatta@vyatta2# set interfaces vti vti1 address '169.254.252.6/30'
[edit]
vyatta@vyatta2# set interfaces vti vti1 mtu '1390'
[edit]
vyatta@vyatta2# set protocols bgp 65000 neighbor 169.254.252.5 remote-as '10124'
[edit]
vyatta@vyatta2# set protocols bgp 65000 neighbor 169.254.252.5 soft-reconfiguration 'inbound'
[edit]
vyatta@vyatta2# set protocols bgp 65000 neighbor 169.254.252.5 timers holdtime '30'
[edit]
vyatta@vyatta2# set protocols bgp 65000 neighbor 169.254.252.5 timers keepalive '30'
[edit]
vyatta@vyatta2# set protocols bgp 65000 network 0.0.0.0/0

  Configuration path: [protocols bgp 65000 network 0.0.0.0/0] already exists

[edit]
vyatta@vyatta2# commit
[edit]
vyatta@vyatta2# exit
Warning: configuration changes have not been saved.
exit
vyatta@vyatta2:~$ logout
Connection to 192.168.1.50 closed.

Once provisioning of the VPN connection finishes, IPsec comes up and BGP routes are exchanged:

vyatta@vyatta2:~$ show int | grep vti
vti0             169.254.252.2/30                  u/u  
vti1             169.254.252.6/30                  u/u  
vyatta@vyatta2:~$ show ip bgp
BGP table version is 0, local router ID is 172.31.1.50
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          x.x.x.49            0         32768 i
*  10.0.0.0/16      169.254.252.1                          0 10124 i
*>                  169.254.252.5                          0 10124 i

Total number of prefixes 2
vyatta@vyatta2:~$ ping 10.0.1.4
PING 10.0.1.4 (10.0.1.4) 56(84) bytes of data.
64 bytes from 10.0.1.4: icmp_req=1 ttl=62 time=8.36 ms
64 bytes from 10.0.1.4: icmp_req=2 ttl=62 time=7.11 ms
64 bytes from 10.0.1.4: icmp_req=3 ttl=62 time=8.44 ms
64 bytes from 10.0.1.4: icmp_req=4 ttl=62 time=6.64 ms
^C
--- 10.0.1.4 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 6.645/7.644/8.448/0.781 ms

Connectivity is confirmed.

Automatic teardown

Delete the VPN connection and reboot Vyatta (the configuration was committed but never saved, so the reboot returns the router to the state without the VPN settings).

$ ec2-describe-vpn-connections -F state=available | grep cgw-63a91c62 | cut -f 2 | xargs ec2-delete-vpn-connection
VPN_CONNECTION  vpn-16942117
$ ( echo reboot ; echo yes ) | ssh -t -t  vyatta@192.168.1.50
Welcome to Vyatta
Linux vyatta2 3.3.8-1-586-vyatta-virt #1 SMP Mon Nov 12 12:23:24 PST 2012 i686
Welcome to Vyatta.
This system is open-source software. The exact distribution terms for 
each module comprising the full system are described in the individual 
files in /usr/share/doc/*/copyright.
Last login: Thu Jan 10 17:47:58 2013 from 192.168.1.133
reboot
yes
vyatta@vyatta2:~$ reboot
Proceed with reboot? (Yes/No) [No] yes

Broadcast message from root@vyatta2 (pts/1) (Thu Jan 10 17:48:19 2013):

The system is going down for reboot NOW!

Finally

Detect the door opening and closing with an Arduino or something... and I'll leave the rest to you!
(Though really, I think you could just do this from cron.)