I've run into some practical problems setting up a VPN between my office and an AWS VPC. The "tunnels" appear to be up, but I don't know whether they're configured correctly.
The device I'm using is a Netgear VPN firewall - FVS336GV2
If you look at the attached configuration downloaded from the VPC (#3 Tunnel Interface Configuration), it gives me some "inside" addresses for the tunnel. When setting up the IPsec tunnel, do I use the inside tunnel IP (e.g. 169.254.254.2/30) or my internal network subnet (10.1.1.0/24)?
I've tried both. When I try the local network (10.1.1.x), tracert stops at the router. When I try the "inside" IPs, a tracert to the Amazon VPC (10.0.0.x) goes out over the internet.
Which all leads to my next question: for this router, how do I set up stage 4, the static next hop?
What are these seemingly random "inside" addresses? Where does Amazon generate them from? 169.254.254.x seems odd?
For a device like this, is the VPN behind the firewall?
I've altered all the IP addresses below so they're no longer "real". I fully realise this may be poorly worded. If any further information/screenshots would help, please let me know.
Amazon Web Services
Virtual Private Cloud
IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration
Configure the IKE SA as follows
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : ---
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2
#2: IPSec Configuration
Configure the IPSec SA as follows:
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2
IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
- DPD Interval : 10
- DPD Retries : 3
IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:
- TCP MSS Adjustment : 1387 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation : Before encryption
#3: Tunnel Interface Configuration
Your Customer Gateway must be configured with a tunnel interface that is
associated with the IPSec tunnel. All traffic transmitted to the tunnel
interface is encrypted and transmitted to the Virtual Private Gateway.
The Customer Gateway and Virtual Private Gateway each have two addresses that relate
to this IPSec tunnel. Each contains an outside address, upon which encrypted
traffic is exchanged. Each also contain an inside address associated with
the tunnel interface.
The Customer Gateway outside IP address was provided when the Customer Gateway
was created. Changing the IP address requires the creation of a new
Customer Gateway.
The Customer Gateway inside IP address should be configured on your tunnel
interface.
Outside IP Addresses:
- Customer Gateway : 217.33.22.33
- Virtual Private Gateway : 87.222.33.42
Inside IP Addresses
- Customer Gateway : 169.254.254.2/30
- Virtual Private Gateway : 169.254.254.1/30
Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes
#4: Static Routing Configuration:
To route traffic between your internal network and your VPC,
you will need a static route added to your router.
Static Route Configuration Options:
- Next hop : 169.254.254.1
You should add static routes towards your internal network on the VGW.
The VGW will then send traffic towards your internal network over
the tunnels.
IPSec Tunnel #2
================================================================================
#1: Internet Key Exchange Configuration
Configure the IKE SA as follows
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : ---
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2
#2: IPSec Configuration
Configure the IPSec SA as follows:
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2
IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
- DPD Interval : 10
- DPD Retries : 3
IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:
- TCP MSS Adjustment : 1387 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation : Before encryption
#3: Tunnel Interface Configuration
Outside IP Addresses:
- Customer Gateway : 217.33.22.33
- Virtual Private Gateway : 87.222.33.46
Inside IP Addresses
- Customer Gateway : 169.254.254.6/30
- Virtual Private Gateway : 169.254.254.5/30
Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes
#4: Static Routing Configuration:
Static Route Configuration Options:
- Next hop : 169.254.254.5
You should add static routes towards your internal network on the VGW.
The VGW will then send traffic towards your internal network over
the tunnels.
Edit #1
After writing this I kept fiddling, and something started working, just not reliably. The local IP to use when setting up the tunnel is indeed my network subnet. This makes me even more confused about what these "inside" IP addresses are for.
The problem is that the results aren't consistent. I can "sometimes" ping, and I can "sometimes" RDP over the VPN. Sometimes tunnel 1 or tunnel 2 is up or down.
When I came back to work today, tunnel 1 was down, so I deleted it and recreated it from scratch. Now I can't ping anything, but both Amazon and the router tell me tunnels 1/2 are up.
I'm guessing the router/VPN hardware I have isn't up to the job...
Edit #2
Now tunnel 1 is up and tunnel 2 is down (I haven't changed any settings) and I can ping/RDP again.
Edit #3
Screenshot of the routing table the router has built. Current state (tunnel 1 still up and working, tunnel 2 still down and unable to reconnect)
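The "inside" addresses in the downloaded configuration are the two ends of a point-to-point /30 taken from the link-local range 169.254.0.0/16 (RFC 3927); they exist only to number the tunnel interface on each side, and the "Next hop" in section #4 is simply the VGW's end of that /30. The following added example (not part of the question, the answers, or any AWS or Netgear tooling) parses the generic customer-gateway text quoted above and checks those relationships for each tunnel, which is a quick way to confirm that a route-based setup has been transcribed consistently. The configuration text embedded below is a constructed copy of the question's own (already altered) values; the check names and the `check_config` function are the example's own.

```python
import ipaddress
import re

# Constructed sample: the relevant parts of the generic AWS customer gateway
# configuration quoted in the question (addresses are the question's altered values).
SAMPLE_CONFIG = """\
IPSec Tunnel #1
================================================================================
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway                : 217.33.22.33
  - Virtual Private Gateway         : 87.222.33.42
Inside IP Addresses
  - Customer Gateway                : 169.254.254.2/30
  - Virtual Private Gateway         : 169.254.254.1/30
#4: Static Routing Configuration:
  - Next hop                        : 169.254.254.1
IPSec Tunnel #2
================================================================================
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway                : 217.33.22.33
  - Virtual Private Gateway         : 87.222.33.46
Inside IP Addresses
  - Customer Gateway                : 169.254.254.6/30
  - Virtual Private Gateway         : 169.254.254.5/30
#4: Static Routing Configuration:
  - Next hop                        : 169.254.254.5
"""

_KV = re.compile(r"-\s*(Customer Gateway|Virtual Private Gateway|Next hop)\s*:\s*(\S+)")


def parse_tunnels(text):
    """Extract outside/inside addresses and next hop for each 'IPSec Tunnel #N'."""
    tunnels, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"IPSec Tunnel #(\d+)", line)
        if header:
            current = {"id": int(header.group(1))}
            tunnels.append(current)
            section = None
            continue
        if current is None:
            continue
        if line.startswith("Outside IP Addresses"):
            section = "outside"
            continue
        if line.startswith("Inside IP Addresses"):
            section = "inside"
            continue
        m = _KV.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        side = "cgw" if key.startswith("Customer") else "vgw"
        if key == "Next hop":
            current["next_hop"] = ipaddress.ip_address(value)
        elif section == "outside":
            current[f"{side}_outside"] = ipaddress.ip_address(value)
        elif section == "inside":
            # Inside addresses carry a prefix length, so keep them as interfaces.
            current[f"{side}_inside"] = ipaddress.ip_interface(value)
    return tunnels


def check_tunnel(t):
    """Return a list of problem codes; an empty list means the tunnel is consistent."""
    problems = []
    cgw, vgw = t.get("cgw_inside"), t.get("vgw_inside")
    if cgw is None or vgw is None:
        return ["missing_inside_addresses"]
    # Both inside addresses must sit in the same point-to-point /30 ...
    if cgw.network != vgw.network:
        problems.append("not_same_subnet")
    if cgw.network.prefixlen != 30:
        problems.append("not_slash_30")
    # ... drawn from the link-local range (169.254.0.0/16, RFC 3927).
    if not (cgw.ip.is_link_local and vgw.ip.is_link_local):
        problems.append("not_link_local")
    # The static route toward the VPC points at the VGW's end of that /30.
    if t.get("next_hop") != vgw.ip:
        problems.append("next_hop_mismatch")
    return problems


def check_config(text):
    """Map tunnel id -> problem codes for every tunnel found in the config text."""
    return {t["id"]: check_tunnel(t) for t in parse_tunnels(text)}


if __name__ == "__main__":
    for t in parse_tunnels(SAMPLE_CONFIG):
        print(f"Tunnel {t['id']}: interface {t['cgw_inside']} peer {t['vgw_inside'].ip} "
              f"route via {t['next_hop']} -> {check_tunnel(t) or 'ok'}")
```

On a router that supports route-based IPsec the tunnel interface gets the Customer Gateway inside address and the VPC prefix is routed to the next hop; on a policy-only device like the one in the question the inside addresses have no interface to attach to, which is why the check only tells you the AWS side is self-consistent, not that the device can use it.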
Answer 1
I'm not sure, but I don't think you can do this with that device. The AWS VPC network guide requires your customer gateway to be configured with a tunnel interface associated with the IPSec tunnel, but I don't see that option in the Netgear manual.
Edit: you could try the following settings: (VPN/IPSec VPN/VPN Wizard)
Gateway,
ConnectionName,
<preshared_key>
Remote WAN: 87.222.33.42
Local WAN: 217.33.22.33
Remote LAN: 10.0.0.0
Remote Subnet mask: 255.255.252.0
Answer 2
I don't think only one tunnel working at a time is a problem. That's by design; AWS keeps one tunnel down and only connects it when the other fails. See this text from the Windows documentation on AWS.
"We recommend that you configure both tunnels as part of the VPN connection. Each tunnel connects to a separate VPN concentrator on the Amazon side of the VPN connection. Although only one tunnel can be up at a time, the second tunnel is automatically established if the first one goes down. Having redundant tunnels ensures continued availability in the event of a device failure. Because only one tunnel can be in use at a time, the AWS Management Console shows a yellow icon indicating that one tunnel is down. This is expected behaviour, so you don't need to take any action."
I ran into the same trouble as you connecting with a Cisco/Linksys IPsec router. This router works fine with several other IPsec systems it connects to (such as Cisco ASA, Vyatta and StrongSwan), but Amazon AWS VPN has this inside-IP trouble. For a "generic" device it tells you to use these inside numbers, but for other platforms such as Cisco and Windows it doesn't mention inside numbers at all. It only worked when I ignored the inside numbers and configured my subnet and the VPC subnet. But there's no way to set up that static route, and the tunnel only comes up from AWS to me, not in the other direction.
I usually find it much easier to set up StrongSwan on a t1.micro than to use the AWS VPN.