Академический Документы
Профессиональный Документы
Культура Документы
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! Please note, these sample configurations are for the minimum requirement of
AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of
AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of
AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for
"VPN-Classic".
! The address of the external interface for your customer gateway must be a static
address.
! Your customer gateway may reside behind a device performing network address
translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your
firewall !rules to unblock UDP port 4500. If not behind NAT, we recommend disabling
NAT-T.
!
! Note that there are a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #200, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto isakmp policy 200
encryption aes 128
authentication pre-share
group 2
lifetime 28800
hash sha
exit
! The ISAKMP keyring stores the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
crypto keyring keyring-vpn-0d17356f7ffc06c85-0
local-address <interface_name/private_IP_on_outside_interface>
pre-shared-key address 34.225.92.64 key k0biDzwafapqg2q.nDbqKOjQiQLs62M.
exit
! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-0d17356f7ffc06c85-0
set pfs group2
set security-association lifetime seconds 3600
set transform-set ipsec-prop-vpn-0d17356f7ffc06c85-0
exit
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
crypto isakmp keepalive 10 10 on-demand
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
interface Tunnel1
ip address 169.254.46.222 255.255.255.252
ip virtual-reassembly
tunnel source <interface_name/private_IP_on_outside_interface>
tunnel destination 34.225.92.64
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-0d17356f7ffc06c85-0
! This option causes the router to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
ip tcp adjust-mss 1379
no shutdown
exit
! --------------------------------------------------------------------------------
! The ISAKMP keyring stores the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
crypto keyring keyring-vpn-0d17356f7ffc06c85-1
local-address <interface_name/private_IP_on_outside_interface>
pre-shared-key address 35.153.237.168 key 7e8H75BCSsTwecdmOM8efbL6ASZIhitY
exit
! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-0d17356f7ffc06c85-1
set pfs group2
set security-association lifetime seconds 3600
set transform-set ipsec-prop-vpn-0d17356f7ffc06c85-1
exit
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
crypto isakmp keepalive 10 10 on-demand
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
interface Tunnel2
ip address 169.254.45.34 255.255.255.252
ip virtual-reassembly
tunnel source <interface_name/private_IP_on_outside_interface>
tunnel destination 35.153.237.168
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-0d17356f7ffc06c85-1
! This option causes the router to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
ip tcp adjust-mss 1379
no shutdown
exit
! --------------------------------------------------------------------------------