Automating Amazon VPC VPN connection setup
I tried automating the whole flow for an Amazon VPC VPN connection, from creating the connection to pushing the configuration into the router.
This came out of a conversation on Twitter yesterday (about the post RTX1100 からVPCに接続した記録 - petachの日記).
How the config file is generated automatically
ec2-describe-vpn-connections and ec2-create-vpn-connection accept a --format argument that returns a configuration file for various devices. If you choose xml, you can also pass an XSLT stylesheet with --stylesheet.
The idea is to use that to generate the commands to feed into Vyatta, then pipe them in over ssh.
The XSLT file is here.
How the config file is pushed automatically
Prerequisites
- Run this from a host that has the EC2 API Tools installed and can ssh into Vyatta with key authentication.
- The cgw and vgw already exist; the script creates the VPN connection, generates the config file from the response, and pipes it in over ssh.
$ ( echo configure ; ec2-create-vpn-connection -t ipsec.1 --customer-gateway cgw-63a91c62 --vpn-gateway vgw-5ca81d5d --format xml --stylesheet vyatta.xsl | grep ^set ; echo commit ; echo exit ; echo logout ) | ssh -t -t vyatta@{VyattaIP}
Welcome to Vyatta
Linux vyatta2 3.3.8-1-586-vyatta-virt #1 SMP Mon Nov 12 12:23:24 PST 2012 i686
configure
Welcome to Vyatta.
This system is open-source software. The exact distribution terms for each
module comprising the full system are described in the individual files in
/usr/share/doc/*/copyright.
Last login: Thu Jan 10 17:31:36 2013 from 192.168.1.133
vyatta@vyatta2:~$ configure
[edit]
vyatta@vyatta2# set vpn ipsec ike-group AWS lifetime '28800'
[edit]
vyatta@vyatta2# set vpn ipsec ike-group AWS proposal 1 dh-group '2'
[edit]
vyatta@vyatta2# set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
[edit]
vyatta@vyatta2# set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
[edit]
vyatta@vyatta2# set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
[edit]
vyatta@vyatta2# set vpn ipsec ike-group AWS dead-peer-detection interval '15'
[edit]
vyatta@vyatta2# set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
[edit]
vyatta@vyatta2# set vpn ipsec esp-group AWS compression 'disable'
[edit]
vyatta@vyatta2# set vpn ipsec esp-group AWS lifetime '3600'
[edit]
vyatta@vyatta2# set vpn ipsec esp-group AWS mode 'tunnel'
[edit]
vyatta@vyatta2# set vpn ipsec esp-group AWS pfs 'enable'
[edit]
vyatta@vyatta2# set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
[edit]
vyatta@vyatta2# set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
[edit]
vyatta@vyatta2# set vpn ipsec ipsec-interfaces interface 'eth0'
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.16 authentication mode 'pre-shared-secret'
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.16 authentication pre-shared-secret PRESHAREDSECRET
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.16 ike-group 'AWS'
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.16 local-address x.x.x.50
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.16 vti bind 'vti0'
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.16 vti esp-group 'AWS'
[edit]
vyatta@vyatta2# set interfaces vti vti0 address '169.254.252.2/30'
[edit]
vyatta@vyatta2# set interfaces vti vti0 mtu '1390'
[edit]
vyatta@vyatta2# set protocols bgp 65000 neighbor 169.254.252.1 remote-as '10124'
[edit]
vyatta@vyatta2# set protocols bgp 65000 neighbor 169.254.252.1 soft-reconfiguration 'inbound'
[edit]
vyatta@vyatta2# set protocols bgp 65000 neighbor 169.254.252.1 timers holdtime '30'
[edit]
vyatta@vyatta2# set protocols bgp 65000 neighbor 169.254.252.1 timers keepalive '30'
[edit]
vyatta@vyatta2# set protocols bgp 65000 network 0.0.0.0/0
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.144 authentication mode 'pre-shared-secret'
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.144 authentication pre-shared-secret PRESHAREDSECRET
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.144 ike-group 'AWS'
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.144 local-address x.x.x.50
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.144 vti bind 'vti1'
[edit]
vyatta@vyatta2# set vpn ipsec site-to-site peer 27.0.1.144 vti esp-group 'AWS'
[edit]
vyatta@vyatta2# set interfaces vti vti1 address '169.254.252.6/30'
[edit]
vyatta@vyatta2# set interfaces vti vti1 mtu '1390'
[edit]
vyatta@vyatta2# set protocols bgp 65000 neighbor 169.254.252.5 remote-as '10124'
[edit]
vyatta@vyatta2# set protocols bgp 65000 neighbor 169.254.252.5 soft-reconfiguration 'inbound'
[edit]
vyatta@vyatta2# set protocols bgp 65000 neighbor 169.254.252.5 timers holdtime '30'
[edit]
vyatta@vyatta2# set protocols bgp 65000 neighbor 169.254.252.5 timers keepalive '30'
[edit]
vyatta@vyatta2# set protocols bgp 65000 network 0.0.0.0/0
Configuration path: [protocols bgp 65000 network 0.0.0.0/0] already exists
[edit]
vyatta@vyatta2# commit
[edit]
vyatta@vyatta2# exit
Warning: configuration changes have not been saved.
exit
vyatta@vyatta2:~$ logout
Connection to 192.168.1.50 closed.
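The generation step (the XSLT described above) and the push step (the echo/ssh pipeline) can also be done in one small script. The following is an added example, not the author's XSLT or the post's own code: it parses the XML that ec2-create-vpn-connection returns with --format xml, emits the same set commands the session above shows, wraps them in configure/commit/exit/logout, and can feed them to Vyatta over ssh. The element names in the sample XML are my assumption about the shape of the AWS response, and the sample itself is constructed from the addresses in the post. It differs from the post's output in one place on purpose: the network statement is emitted once, because emitting it per tunnel is what caused the "already exists" message on the second tunnel.

```python
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample in the (assumed) shape of the ec2-create-vpn-connection XML:
# one <ipsec_tunnel> per tunnel. Addresses are the ones from the post; x.x.x.50 is masked.
TUNNEL_TMPL = """<ipsec_tunnel>
 <customer_gateway>
  <tunnel_outside_address><ip_address>x.x.x.50</ip_address></tunnel_outside_address>
  <tunnel_inside_address><ip_address>{cgw_in}</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
  <bgp><asn>65000</asn><hold_time>30</hold_time></bgp>
 </customer_gateway>
 <vpn_gateway>
  <tunnel_outside_address><ip_address>{vgw_out}</ip_address></tunnel_outside_address>
  <tunnel_inside_address><ip_address>{vgw_in}</ip_address></tunnel_inside_address>
  <bgp><asn>10124</asn><hold_time>30</hold_time></bgp>
 </vpn_gateway>
 <ike><authentication_protocol>sha1</authentication_protocol>
  <encryption_protocol>aes-128-cbc</encryption_protocol><lifetime>28800</lifetime>
  <perfect_forward_secrecy>group2</perfect_forward_secrecy>
  <pre_shared_key>PRESHAREDSECRET</pre_shared_key></ike>
 <ipsec><authentication_protocol>hmac-sha1-96</authentication_protocol>
  <encryption_protocol>aes-128-cbc</encryption_protocol><lifetime>3600</lifetime>
  <perfect_forward_secrecy>group2</perfect_forward_secrecy><mode>tunnel</mode></ipsec>
</ipsec_tunnel>"""
SAMPLE_XML = ('<vpn_connection id="vpn-EXAMPLE">'
              + TUNNEL_TMPL.format(cgw_in="169.254.252.2", vgw_out="27.0.1.16", vgw_in="169.254.252.1")
              + TUNNEL_TMPL.format(cgw_in="169.254.252.6", vgw_out="27.0.1.144", vgw_in="169.254.252.5")
              + "</vpn_connection>")

# AWS algorithm names -> Vyatta names. An unmapped name raises a KeyError instead of
# silently committing a proposal the router would reject or that is weaker than intended.
ENC = {"aes-128-cbc": "aes128", "aes-256-cbc": "aes256"}
HASH = {"sha1": "sha1", "hmac-sha1-96": "sha1"}
DH = {"group2": "2"}


def _text(node, path):
    value = node.findtext(path)
    if value is None:
        raise ValueError(f"missing element: {path}")
    return value.strip()


def vyatta_commands(xml_text):
    """Return the 'set ...' lines for every tunnel in the XML (the XSLT's job in the post)."""
    root = ET.fromstring(xml_text)
    tunnels = root.findall("ipsec_tunnel")
    if not tunnels:
        raise ValueError("no <ipsec_tunnel> in response")
    ike, ipsec = tunnels[0].find("ike"), tunnels[0].find("ipsec")
    asn = _text(tunnels[0], "customer_gateway/bgp/asn")
    cmds = [  # shared ike-group / esp-group, taken from the first tunnel
        f"set vpn ipsec ike-group AWS lifetime '{_text(ike, 'lifetime')}'",
        f"set vpn ipsec ike-group AWS proposal 1 dh-group '{DH[_text(ike, 'perfect_forward_secrecy')]}'",
        f"set vpn ipsec ike-group AWS proposal 1 encryption '{ENC[_text(ike, 'encryption_protocol')]}'",
        f"set vpn ipsec ike-group AWS proposal 1 hash '{HASH[_text(ike, 'authentication_protocol')]}'",
        "set vpn ipsec ike-group AWS dead-peer-detection action 'restart'",
        "set vpn ipsec ike-group AWS dead-peer-detection interval '15'",
        "set vpn ipsec ike-group AWS dead-peer-detection timeout '30'",
        "set vpn ipsec esp-group AWS compression 'disable'",
        f"set vpn ipsec esp-group AWS lifetime '{_text(ipsec, 'lifetime')}'",
        f"set vpn ipsec esp-group AWS mode '{_text(ipsec, 'mode')}'",
        "set vpn ipsec esp-group AWS pfs 'enable'",
        f"set vpn ipsec esp-group AWS proposal 1 encryption '{ENC[_text(ipsec, 'encryption_protocol')]}'",
        f"set vpn ipsec esp-group AWS proposal 1 hash '{HASH[_text(ipsec, 'authentication_protocol')]}'",
        "set vpn ipsec ipsec-interfaces interface 'eth0'",
    ]
    for i, t in enumerate(tunnels):  # one peer, one vti and one BGP neighbor per tunnel
        peer = _text(t, "vpn_gateway/tunnel_outside_address/ip_address")
        neighbor = _text(t, "vpn_gateway/tunnel_inside_address/ip_address")
        inside = _text(t, "customer_gateway/tunnel_inside_address/ip_address")
        cidr = _text(t, "customer_gateway/tunnel_inside_address/network_cidr")
        hold = _text(t, "customer_gateway/bgp/hold_time")  # post uses 30 for holdtime and keepalive
        p = f"set vpn ipsec site-to-site peer {peer}"
        cmds += [
            f"{p} authentication mode 'pre-shared-secret'",
            f"{p} authentication pre-shared-secret '{_text(t, 'ike/pre_shared_key')}'",
            f"{p} ike-group 'AWS'",
            f"{p} local-address '{_text(t, 'customer_gateway/tunnel_outside_address/ip_address')}'",
            f"{p} vti bind 'vti{i}'",
            f"{p} vti esp-group 'AWS'",
            f"set interfaces vti vti{i} address '{inside}/{cidr}'",
            f"set interfaces vti vti{i} mtu '1390'",
            f"set protocols bgp {asn} neighbor {neighbor} remote-as '{_text(t, 'vpn_gateway/bgp/asn')}'",
            f"set protocols bgp {asn} neighbor {neighbor} soft-reconfiguration 'inbound'",
            f"set protocols bgp {asn} neighbor {neighbor} timers holdtime '{hold}'",
            f"set protocols bgp {asn} neighbor {neighbor} timers keepalive '{hold}'",
        ]
    # Once, not per tunnel: the per-tunnel form gives "Configuration path ... already exists".
    cmds.append(f"set protocols bgp {asn} network 0.0.0.0/0")
    return cmds


def session_script(xml_text):
    """Wrap the set lines the way the post's ( echo configure ; ... ) pipeline does."""
    return "\n".join(["configure", *vyatta_commands(xml_text), "commit", "exit", "logout"]) + "\n"


def push(vyatta_host, script):
    """Feed the script to Vyatta over ssh with key auth (not executed here). The pre-shared
    key goes over stdin, not argv, so it never appears in the process list or shell history."""
    return subprocess.run(["ssh", "-t", "-t", f"vyatta@{vyatta_host}"], input=script, text=True).returncode


if __name__ == "__main__":
    print(session_script(SAMPLE_XML), end="")
```

Running the module prints the command stream for the sample; in practice you would replace SAMPLE_XML with the output of ec2-create-vpn-connection --format xml and call push() with the router's address. The one-shot `set ... pre-shared-secret` line still lands in the router's command history, which is the same trade-off the post's pipeline makes.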
Once provisioning of the VPN connection finishes, IPsec comes up and BGP routes are exchanged:
vyatta@vyatta2:~$ show int | grep vti
vti0             169.254.252.2/30                  u/u
vti1             169.254.252.6/30                  u/u
vyatta@vyatta2:~$ show ip bgp
BGP table version is 0, local router ID is 172.31.1.50
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale, R Removed
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*> 0.0.0.0          x.x.x.49                 0         32768 i
*  10.0.0.0/16      169.254.252.1                          0 10124 i
*>                  169.254.252.5                          0 10124 i

Total number of prefixes 2
vyatta@vyatta2:~$ ping 10.0.1.4
PING 10.0.1.4 (10.0.1.4) 56(84) bytes of data.
64 bytes from 10.0.1.4: icmp_req=1 ttl=62 time=8.36 ms
64 bytes from 10.0.1.4: icmp_req=2 ttl=62 time=7.11 ms
64 bytes from 10.0.1.4: icmp_req=3 ttl=62 time=8.44 ms
64 bytes from 10.0.1.4: icmp_req=4 ttl=62 time=6.64 ms
^C
--- 10.0.1.4 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 6.645/7.644/8.448/0.781 ms
Connectivity is confirmed.
Automatic teardown
Delete the VPN connection and reboot Vyatta. Since the changes were committed but never saved, the router comes back without the VPN configuration.
$ ec2-describe-vpn-connections -F state=available | grep cgw-63a91c62 | cut -f 2 | xargs ec2-delete-vpn-connection
VPN_CONNECTION	vpn-16942117
$ ( echo reboot ; echo yes ) | ssh -t -t vyatta@192.168.1.50
Welcome to Vyatta
Linux vyatta2 3.3.8-1-586-vyatta-virt #1 SMP Mon Nov 12 12:23:24 PST 2012 i686
Welcome to Vyatta.
This system is open-source software. The exact distribution terms for each
module comprising the full system are described in the individual files in
/usr/share/doc/*/copyright.
Last login: Thu Jan 10 17:47:58 2013 from 192.168.1.133
reboot
yes
vyatta@vyatta2:~$ reboot
Proceed with reboot? (Yes/No) [No] yes

Broadcast message from root@vyatta2 (pts/1) (Thu Jan 10 17:48:19 2013):

The system is going down for reboot NOW!
Finally
Detect the door opening and closing with an Arduino or something like it... the rest is up to you!
(Honestly, running it from cron would probably be fine too.)