Manual


Following these steps lets you download the Site-to-Site VPN configuration manual.

Site-to-Site VPN configuration

The work is done on onprem-bastion in Tokyo.

Install libreswan

sudo yum install -y libreswan

Open /etc/sysctl.conf and ensure that its values match the following

Manual:
1) Open /etc/sysctl.conf and ensure that its values match the following:
   net.ipv4.ip_forward = 1
   net.ipv4.conf.default.rp_filter = 0
   net.ipv4.conf.default.accept_source_route = 0
sudo vim /etc/sysctl.conf

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
<- add these lines to /etc/sysctl.conf
:x

sudo sysctl -p
Expected output:
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0

Open /etc/ipsec.conf and look for the line below. Ensure that the # in front of the line has been removed, then save and exit the file.

Manual:
3) Open /etc/ipsec.conf and look for the line below. Ensure that the # in front of the line has been removed, then save and exit the file.
    #include /etc/ipsec.d/*.conf
sudo vim /etc/ipsec.conf
If include /etc/ipsec.d/*.conf is commented out, uncomment it; if it is not commented out, just exit the file.
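The two edits above (the three sysctl values and the uncommented include line in /etc/ipsec.conf) are easy to get subtly wrong, and a wrong rp_filter or a still-commented include only shows up later as a tunnel that never comes up. The script below is an added example, not part of the AWS manual or of these notes: it checks a sysctl.conf-style file for the required values (last assignment wins, comments ignored, as sysctl -p applies them) and checks that the include line is active. Both checks take a file path, so they can be pointed at /etc/sysctl.conf and /etc/ipsec.conf on the bastion; the constructed sample files written by make_fixtures stand in for those here so the script runs anywhere.

```shell
#!/bin/sh
# Added example (not from the AWS manual or the original notes): verify the
# sysctl.conf values and the ipsec.conf include line from the steps above
# before running `sudo sysctl -p` or starting ipsec.

# Kernel settings the manual requires (key=value; whitespace in the file is tolerated).
REQUIRED_SYSCTL="net.ipv4.ip_forward=1
net.ipv4.conf.default.rp_filter=0
net.ipv4.conf.default.accept_source_route=0"

# sysctl_value FILE KEY: print the effective value of KEY in FILE.
# Comment lines never match (the '#' stays glued to the key), and the last
# assignment wins, which is how `sysctl -p` applies the file.
sysctl_value() {
    awk -F= -v k="$2" '
        { gsub(/[ \t]/, "", $1) }
        $1 == k { v = $2 }
        END { gsub(/[ \t]/, "", v); print v }
    ' "$1"
}

# check_sysctl_file FILE: return 0 when every required key has the required
# value, otherwise list the offending keys on stderr and return 1.
check_sysctl_file() {
    rc=0
    for kv in $REQUIRED_SYSCTL; do
        key=${kv%%=*}
        want=${kv#*=}
        got=$(sysctl_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$1: $key is '${got:-unset}', expected $want" >&2
            rc=1
        fi
    done
    return $rc
}

# check_ipsec_include FILE: return 0 when the include of /etc/ipsec.d/*.conf is
# present and not commented out, so aws.conf will actually be read.
check_ipsec_include() {
    grep -Eq '^[[:space:]]*include[[:space:]]+/etc/ipsec\.d/\*\.conf[[:space:]]*$' "$1"
}

# make_fixtures DIR: write constructed sample files (not real system files)
# covering the pass and fail case of each check.
make_fixtures() {
    cat > "$1/sysctl-good.conf" <<'EOF'
# constructed sample: the three lines added in the manual's step 1
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0
EOF
    cat > "$1/sysctl-bad.conf" <<'EOF'
# constructed sample: ip_forward left commented out, rp_filter at the distro default
# net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
EOF
    printf '# constructed sample\nconfig setup\n\ninclude /etc/ipsec.d/*.conf\n' > "$1/ipsec-good.conf"
    printf '# constructed sample\nconfig setup\n\n#include /etc/ipsec.d/*.conf\n' > "$1/ipsec-bad.conf"
}

# Run both checks against the sample files and report per file.
run_demo() {
    dir=$(mktemp -d)
    make_fixtures "$dir"
    for f in sysctl-good.conf sysctl-bad.conf; do
        if check_sysctl_file "$dir/$f"; then echo "$f: ok"; else echo "$f: FAIL"; fi
    done
    for f in ipsec-good.conf ipsec-bad.conf; do
        if check_ipsec_include "$dir/$f"; then echo "$f: ok"; else echo "$f: FAIL"; fi
    done
    rm -rf "$dir"
}
run_demo
```

On the bastion, `check_sysctl_file /etc/sysctl.conf && check_ipsec_include /etc/ipsec.conf` is the one-liner to run before `sudo sysctl -p`; the values check reads only the file, so it does not need root and does not show what the running kernel currently has (use `sysctl net.ipv4.ip_forward` for that).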

Create a new file at /etc/ipsec.d/aws.conf if it doesn't already exist, and then open it. Append the following configuration to the end of the file

Manual:
 #leftsubnet= is the local network behind your openswan server, and you will need to replace the <LOCAL NETWORK> below with this value (don't include the brackets). If you have multiple subnets, you can use 0.0.0.0/0 instead.
 #rightsubnet= is the remote network on the other side of your VPN tunnel that you wish to have connectivity with, and you will need to replace <REMOTE NETWORK> with this value (don't include brackets).

conn Tunnel1
	authby=secret
	auto=start
	left=%defaultroute
	leftid=35.72.4.73
	right=13.209.252.24
	type=tunnel
	ikelifetime=8h
	keylife=1h
	phase2alg=aes128-sha1;modp1024
	ike=aes128-sha1;modp1024
	auth=esp
	keyingtries=%forever
	keyexchange=ike
	leftsubnet=<LOCAL NETWORK>
	rightsubnet=<REMOTE NETWORK>
	dpddelay=10
	dpdtimeout=30
	dpdaction=restart_by_peer
sudo vim /etc/ipsec.d/aws.conf
conn Tunnel1
        authby=secret
        auto=start
        left=%defaultroute
        leftid=35.72.4.73
        right=13.209.252.24
        type=tunnel
        ikelifetime=8h
        keylife=1h
        phase2alg=aes_gcm
        ike=aes256-sha1
        keyingtries=%forever
        keyexchange=ike
        leftsubnet=10.0.0.0/16
        rightsubnet=172.16.0.0/16
        dpddelay=10
        dpdtimeout=30
        dpdaction=restart_by_peer

<- put this content in /etc/ipsec.d/aws.conf

Create a new file at /etc/ipsec.d/aws.secrets if it doesn't already exist, and append this line to the file (be mindful of the spacing!)

Manual:
5) Create a new file at /etc/ipsec.d/aws.secrets if it doesn't already exist, and append this line to the file (be mindful of the spacing!):
35.72.4.73 13.209.252.24: PSK "Ze8IsrsGjfglyXozCNGBPZ_T9vFyMlQ4"
sudo vim /etc/ipsec.d/aws.secrets
35.72.4.73 13.209.252.24: PSK "Ze8IsrsGjfglyXozCNGBPZ_T9vFyMlQ4"
<- put this line in the file.
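libreswan looks the PSK up by the ID pair at the start of the secrets line, so the two addresses there have to be exactly the leftid and right values in aws.conf; the spacing the manual warns about matters for the same reason, and a mismatch leaves Tunnel1 without a secret rather than producing an obvious error. The PSK is also stored in clear, so the file should not be readable by other users. The script below is an added example, not part of the manual or of these notes: it reads leftid and right out of a conn block, confirms the secrets file has a PSK line for that pair, and checks the file mode. It works on constructed copies of the two files written by make_fixtures (the page's addresses, but a placeholder PSK) and can equally be pointed at /etc/ipsec.d/aws.conf and /etc/ipsec.d/aws.secrets.

```shell
#!/bin/sh
# Added example (not from the AWS manual or the original notes): cross-check
# aws.conf against aws.secrets and the secrets file's permissions.

# conn_field CONF FIELD: print the value of FIELD from the first conn block
# that sets it (leading tabs/spaces on the line are ignored).
conn_field() {
    awk -F= -v f="$2" '
        { sub(/^[ \t]+/, "") }
        $1 == f { v = $2; gsub(/[ \t]/, "", v); print v; exit }
    ' "$1"
}

# secrets_has_psk SECRETS LEFTID RIGHTID: return 0 when SECRETS holds a line
# of the form  <left> <right>: PSK "<secret>"  for exactly that ID pair.
secrets_has_psk() {
    awk -v l="$2" -v r="$3" '
        $1 == l && $2 == r ":" && $3 == "PSK" && $4 ~ /^".+"$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# secrets_mode_ok SECRETS: return 0 when group and other have no permissions
# (columns 5-10 of `ls -l` are all '-'), since the PSK is stored in clear.
secrets_mode_ok() {
    perms=$(ls -l "$1" | cut -c5-10)
    if [ "$perms" = "------" ]; then
        return 0
    fi
    echo "$1: group/other permissions '$perms', expected none (chmod 600)" >&2
    return 1
}

# check_tunnel CONF SECRETS: run all checks, report problems on stderr.
check_tunnel() {
    l=$(conn_field "$1" leftid)
    r=$(conn_field "$1" right)
    rc=0
    if [ -z "$l" ] || [ -z "$r" ]; then
        echo "$1: leftid or right is missing" >&2
        return 1
    fi
    secrets_has_psk "$2" "$l" "$r" || { echo "$2: no PSK line for '$l $r:'" >&2; rc=1; }
    secrets_mode_ok "$2" || rc=1
    return $rc
}

# make_fixtures DIR: constructed copies of aws.conf and aws.secrets. The
# addresses are the ones used above; the PSK is a placeholder, not a real key.
make_fixtures() {
    cat > "$1/aws.conf" <<'EOF'
conn Tunnel1
        authby=secret
        auto=start
        left=%defaultroute
        leftid=35.72.4.73
        right=13.209.252.24
        leftsubnet=10.0.0.0/16
        rightsubnet=172.16.0.0/16
EOF
    printf '35.72.4.73 13.209.252.24: PSK "PLACEHOLDER_PSK"\n' > "$1/aws.secrets"
    chmod 600 "$1/aws.secrets"
    # constructed failure case: right ID mistyped and file left world-readable
    printf '35.72.4.73 13.209.252.2: PSK "PLACEHOLDER_PSK"\n' > "$1/aws-bad.secrets"
    chmod 644 "$1/aws-bad.secrets"
}

run_demo() {
    dir=$(mktemp -d)
    make_fixtures "$dir"
    for s in aws.secrets aws-bad.secrets; do
        if check_tunnel "$dir/aws.conf" "$dir/$s"; then echo "$s: ok"; else echo "$s: FAIL"; fi
    done
    rm -rf "$dir"
}
run_demo
```

On the bastion, `sudo sh -c 'check_tunnel /etc/ipsec.d/aws.conf /etc/ipsec.d/aws.secrets'` after sourcing the functions gives a yes/no before `ipsec` is started; the ID comparison is a plain string match, so it will flag the same typos libreswan would silently fail on.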