Establishing a VPN connection to Amazon VPC – routing

I'm having some real problems establishing a VPN between an outside office and an AWS VPC. The "tunnels" appear to be up, but I don't know whether they are configured correctly.

The device I'm using is a Netgear VPN firewall, the FVS336GV2.

As you can see in the configuration downloaded from the VPC (#3 Tunnel Interface Configuration), it gives me some "inside" addresses for the tunnel. When setting up the IPsec tunnel, do I use the inside tunnel IP (e.g. 169.254.254.2/30) or my internal network subnet (10.1.1.0/24)?

I have tried both. When I try the local network (10.1.1.x), a tracert stops at the router. When I try using the "inside" IPs, a tracert to Amazon's VPC (10.0.0.x) is sent out over the internet.

That all leads me to the next question: for this router, how do I set up phase #4, the static next hop?

What are these seemingly random "inside" addresses, and where does Amazon generate them from? 169.254.254.x seems odd?

What is the VPN behind the firewall for a device like this?

I have adjusted any IP addresses below so that they are not "real". I'm fully aware this may be poorly worded. Please let me know if any further information/screenshots would help.

Dummy setup

    Amazon Web Services
    Virtual Private Cloud

    IPSec Tunnel #1
    ================================================================================
    #1: Internet Key Exchange Configuration

    Configure the IKE SA as follows
      - Authentication Method    : Pre-Shared Key
      - Pre-Shared Key           : ---
      - Authentication Algorithm : sha1
      - Encryption Algorithm     : aes-128-cbc
      - Lifetime                 : 28800 seconds
      - Phase 1 Negotiation Mode : main
      - Perfect Forward Secrecy  : Diffie-Hellman Group 2

    #2: IPSec Configuration

    Configure the IPSec SA as follows:
      - Protocol                 : esp
      - Authentication Algorithm : hmac-sha1-96
      - Encryption Algorithm     : aes-128-cbc
      - Lifetime                 : 3600 seconds
      - Mode                     : tunnel
      - Perfect Forward Secrecy  : Diffie-Hellman Group 2

    IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint.
    We recommend configuring DPD on your endpoint as follows:
      - DPD Interval : 10
      - DPD Retries  : 3

    IPSec ESP (Encapsulating Security Payload) inserts additional headers to
    transmit packets. These headers require additional space, which reduces
    the amount of space available to transmit application data. To limit the
    impact of this behavior, we recommend the following configuration on your
    Customer Gateway:
      - TCP MSS Adjustment       : 1387 bytes
      - Clear Don't Fragment Bit : enabled
      - Fragmentation            : Before encryption

    #3: Tunnel Interface Configuration

    Your Customer Gateway must be configured with a tunnel interface that is
    associated with the IPSec tunnel. All traffic transmitted to the tunnel
    interface is encrypted and transmitted to the Virtual Private Gateway.
    The Customer Gateway and Virtual Private Gateway each have two addresses
    that relate to this IPSec tunnel. Each contains an outside address, upon
    which encrypted traffic is exchanged. Each also contain an inside address
    associated with the tunnel interface.
    The Customer Gateway outside IP address was provided when the Customer
    Gateway was created. Changing the IP address requires the creation of a
    new Customer Gateway.
    The Customer Gateway inside IP address should be configured on your
    tunnel interface.

    Outside IP Addresses:
      - Customer Gateway        : 217.33.22.33
      - Virtual Private Gateway : 87.222.33.42

    Inside IP Addresses
      - Customer Gateway        : 169.254.254.2/30
      - Virtual Private Gateway : 169.254.254.1/30

    Configure your tunnel to fragment at the optimal size:
      - Tunnel interface MTU : 1436 bytes

    #4: Static Routing Configuration:

    To route traffic between your internal network and your VPC, you will
    need a static route added to your router.

    Static Route Configuration Options:
      - Next hop : 169.254.254.1

    You should add static routes towards your internal network on the VGW.
    The VGW will then send traffic towards your internal network over the
    tunnels.

    IPSec Tunnel #2
    ================================================================================
    #1: Internet Key Exchange Configuration

    Configure the IKE SA as follows
      - Authentication Method    : Pre-Shared Key
      - Pre-Shared Key           : ---
      - Authentication Algorithm : sha1
      - Encryption Algorithm     : aes-128-cbc
      - Lifetime                 : 28800 seconds
      - Phase 1 Negotiation Mode : main
      - Perfect Forward Secrecy  : Diffie-Hellman Group 2

    #2: IPSec Configuration

    Configure the IPSec SA as follows:
      - Protocol                 : esp
      - Authentication Algorithm : hmac-sha1-96
      - Encryption Algorithm     : aes-128-cbc
      - Lifetime                 : 3600 seconds
      - Mode                     : tunnel
      - Perfect Forward Secrecy  : Diffie-Hellman Group 2

    IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint.
    We recommend configuring DPD on your endpoint as follows:
      - DPD Interval : 10
      - DPD Retries  : 3

    IPSec ESP (Encapsulating Security Payload) inserts additional headers to
    transmit packets. These headers require additional space, which reduces
    the amount of space available to transmit application data. To limit the
    impact of this behavior, we recommend the following configuration on your
    Customer Gateway:
      - TCP MSS Adjustment       : 1387 bytes
      - Clear Don't Fragment Bit : enabled
      - Fragmentation            : Before encryption

    #3: Tunnel Interface Configuration

    Outside IP Addresses:
      - Customer Gateway        : 217.33.22.33
      - Virtual Private Gateway : 87.222.33.46

    Inside IP Addresses
      - Customer Gateway        : 169.254.254.6/30
      - Virtual Private Gateway : 169.254.254.5/30

    Configure your tunnel to fragment at the optimal size:
      - Tunnel interface MTU : 1436 bytes

    #4: Static Routing Configuration:

    Static Route Configuration Options:
      - Next hop : 169.254.254.5

    You should add static routes towards your internal network on the VGW.
    The VGW will then send traffic towards your internal network over the
    tunnels.

Edit #1

After writing this I kept fiddling and got it working, just not very reliably. The local IP used when setting up the tunnel is actually my network subnet. That further confuses what these "inside" IP addresses are for.

The problem is that the results aren't consistent. I can "sometimes" ping, and I can "sometimes" use RDP over the VPN. Sometimes tunnel 1 or tunnel 2 may be up or down.

When I got back to work today tunnel 1 had collapsed, so I deleted it and recreated it. Now I can't ping anything, but Amazon and the router tell me tunnels 1/2 are fine.

I suspect the router/VPN hardware; I just can't get it to work.....

Edit #2

Now tunnel 1 is up and tunnel 2 is down (I didn't change any settings), and I can ping/RDP again.

Edit #3

Screenshot of the routing table the router has built. Current state (tunnel 1 is still up and going strong, 2 is still down and won't reconnect)

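As an added example (not from the question or any of the answers), a small Python script that parses the tunnel blocks of the AWS configuration download quoted above and checks the relationship the asker is puzzled by: per tunnel, the two "inside" addresses form one link-local /30, and the phase #4 next hop is simply the VGW's end of that /30. The sample text is a cut-down copy of the question's dump, with its already anonymised addresses.

```python
import ipaddress
import re
# Cut-down copy of the question's "Generic" config download: only the
# lines the check below uses (addresses already anonymised by the asker).
SAMPLE = """IPSec Tunnel #1
Inside IP Addresses
  - Customer Gateway : 169.254.254.2/30
  - Virtual Private Gateway : 169.254.254.1/30
  - Next hop : 169.254.254.1
IPSec Tunnel #2
Inside IP Addresses
  - Customer Gateway : 169.254.254.6/30
  - Virtual Private Gateway : 169.254.254.5/30
  - Next hop : 169.254.254.5
"""
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
PAIR = re.compile(r"^\s*-\s*(.+?)\s*:\s*(\S+)")


def parse_tunnels(text):
    """One dict per 'IPSec Tunnel #N' block of the AWS config download."""
    tunnels, section = [], None
    for line in text.splitlines():
        if line.startswith("IPSec Tunnel #"):
            tunnels.append({"name": line.strip()})
        elif line.startswith(("Outside IP Addresses", "Inside IP Addresses")):
            section = line.split()[0].lower()  # "outside" or "inside"
        elif (m := PAIR.match(line)) and tunnels:
            key, value = m.groups()
            if key == "Customer Gateway":
                tunnels[-1][f"{section}_cgw"] = value
            elif key == "Virtual Private Gateway":
                tunnels[-1][f"{section}_vgw"] = value
            elif key == "Next hop":
                tunnels[-1]["next_hop"] = value
    return tunnels


def check_tunnel(t):
    """Return problems found; an empty list means the inside addressing is consistent."""
    cgw = ipaddress.ip_interface(t["inside_cgw"])
    vgw = ipaddress.ip_interface(t["inside_vgw"])
    hop = ipaddress.ip_address(t["next_hop"])
    problems = [f"{label} inside address {i.ip} is not in 169.254.0.0/16"
                for label, i in (("CGW", cgw), ("VGW", vgw)) if i.ip not in LINK_LOCAL]
    if cgw.network != vgw.network:  # both ends must share one /30 point-to-point link
        problems.append(f"inside addresses {cgw} and {vgw} are not on the same /30")
    if hop != vgw.ip:  # the static route's next hop is the far (VGW) inside address
        problems.append(f"next hop {hop} is not the VGW inside address {vgw.ip}")
    return problems
```

Feed it the full download and any tunnel whose inside pair or next hop does not line up is reported before you touch the router.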

I'm not sure, but I don't think you can do this with this device. The AWS VPC Network Administrator Guide requires your customer gateway to be configured with a tunnel interface associated with the IPsec tunnel, and I don't see that option in Netgear's manual.

Edit: you could try the following settings (VPN / IPSec VPN / VPN Wizard):

    Gateway, ConnectionName, <preshared_key>
    Remote WAN: 87.222.33.42
    Local WAN: 217.33.22.33
    Remote LAN: 10.0.0.0
    Remote Subnet mask: 255.255.252.0

I don't think the issue is that only one tunnel works at a time. That's by design; AWS keeps one tunnel in reserve and only connects it when the other fails. See the text in the AWS Windows documentation.

http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/CustomerGateway-Windows.html#ConfFileData

"We recommend that you configure both tunnels as part of the VPN connection, each tunnel connecting to a separate VPN concentrator on the Amazon side of the VPN connection. Although only one tunnel is up at a time, the second tunnel is automatically established if the first tunnel fails. Redundant tunnels ensure continuous availability in the event of a device failure. Because only one tunnel is available at a time, the AWS Management Console displays a yellow icon indicating that one tunnel is down; this is expected behavior. You don't need to take any action."

I've had the same drama connecting with a Cisco/Linksys IPsec router. This router connects fine to several other IPsec systems (Cisco ASA, Vyatta and StrongSwan), but Amazon AWS VPN has this inside-IP trouble. For the "generic" device it tells you to use these inside numbers, but for other platforms such as Cisco and Windows it doesn't mention the inside numbers at all. If I ignore the inside numbers and just configure my subnet and the VPC subnet, it simply works. But then there is no way to make that static route, and the tunnel only works from AWS to me, not in the other direction.

I generally find it much easier to set up StrongSwan on a t1.micro with the AWS VPN.