Work after creating the stack
1. Port forwarding/mapping on the NAT router (environment-dependent)
This environment reaches the internet through a NAT router, the common consumer "wireless LAN access point + wired LAN router" type, and it sits in the path of the VPN session. To let traffic that originates from the AWS-side endpoint reach the on-prem endpoint, a forwarding rule has to be added on the NAT router.
2. Building the router [on-prem]
There was no spare router lying around, so I used VyOS, a free software router, built as a QEMU+KVM virtual guest. Basic VyOS setup will be covered in a separate article.
3. VPN connection settings on the router [on-prem]
Download the configuration to load into the router from the AWS VPN configuration screen.
! Amazon Web Services
! Virtual Private Cloud
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID : vpn-0f6da5e2f75ebe6a1
! Your Virtual Private Gateway ID : vgw-0d3787853b3d7acf6
! Your Customer Gateway ID : cgw-0bbe8c483fb8bcd62
!
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
! NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
!
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500.
! If not behind NAT, and you are not using an Accelerated VPN, we recommend disabling NAT-T. If you are using an Accelerated VPN, make sure that NAT-T is enabled.
!
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 13.113.234.114 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 13.113.234.114 authentication pre-shared-secret 'vBj9QDCoZb0rAT8Sbgkx_ApK3IHBsyHx'
set vpn ipsec site-to-site peer 13.113.234.114 description 'VPC tunnel 1'
set vpn ipsec site-to-site peer 13.113.234.114 ike-group 'AWS'
set vpn ipsec site-to-site peer 13.113.234.114 local-address 'X.X.X.X'
set vpn ipsec site-to-site peer 13.113.234.114 vti bind 'vti0'
set vpn ipsec site-to-site peer 13.113.234.114 vti esp-group 'AWS'
! #2: IPSec Configuration
!
! The IPSec (Phase 2) proposal defines the protocol, authentication,
! encryption, and lifetime parameters for our IPSec security association.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
!
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! The tunnel interface is configured with the internal IP address.
set interfaces vti vti0 address '169.254.101.30/30'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 mtu '1436'
! --------------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
! will announce the prefix corresponding to your VPC.
!
! Your Customer Gateway may announce a default route (0.0.0.0/0),
! which can be done with the 'network' statement.
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (65000) is configured
! as part of your Customer Gateway. If the ASN must be changed, the
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!
set protocols bgp 65000 neighbor 169.254.101.29 remote-as '64512'
set protocols bgp 65000 neighbor 169.254.101.29 soft-reconfiguration 'inbound'
set protocols bgp 65000 neighbor 169.254.101.29 timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.101.29 timers keepalive '10'
! To advertise additional prefixes to Amazon VPC, replace the 0.0.0.0/0 from the
! the following line with the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop.
set protocols bgp 65000 network 0.0.0.0/0
! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
! NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
!
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500.
! If not behind NAT, and you are not using an Accelerated VPN, we recommend disabling NAT-T. If you are using an Accelerated VPN, make sure that NAT-T is enabled.
!
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 52.199.22.93 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.199.22.93 authentication pre-shared-secret 'TdBgv71bbrEl9hKNpXpas4Kj6wcXh1Jf'
set vpn ipsec site-to-site peer 52.199.22.93 description 'VPC tunnel 2'
set vpn ipsec site-to-site peer 52.199.22.93 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.199.22.93 local-address 'X.X.X.X'
set vpn ipsec site-to-site peer 52.199.22.93 vti bind 'vti1'
set vpn ipsec site-to-site peer 52.199.22.93 vti esp-group 'AWS'
! #2: IPSec Configuration
!
! The IPSec (Phase 2) proposal defines the protocol, authentication,
! encryption, and lifetime parameters for our IPSec security association.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
!
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! The tunnel interface is configured with the internal IP address.
set interfaces vti vti1 address '169.254.25.154/30'
set interfaces vti vti1 description 'VPC tunnel 2'
set interfaces vti vti1 mtu '1436'
! --------------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
! will announce the prefix corresponding to your VPC.
!
! Your Customer Gateway may announce a default route (0.0.0.0/0),
! which can be done with the 'network' statement.
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (65000) is configured
! as part of your Customer Gateway. If the ASN must be changed, the
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!
set protocols bgp 65000 neighbor 169.254.25.153 remote-as '64512'
set protocols bgp 65000 neighbor 169.254.25.153 soft-reconfiguration 'inbound'
set protocols bgp 65000 neighbor 169.254.25.153 timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.25.153 timers keepalive '10'
! To advertise additional prefixes to Amazon VPC, replace the 0.0.0.0/0 from the
! the following line with the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop.
set protocols bgp 65000 network 0.0.0.0/0
! Additional Notes and Questions
! - Amazon Virtual Private Cloud Getting Started Guide:
! http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
! - Amazon Virtual Private Cloud Network Administrator Guide:
! http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
! - XSL Version: 2009-07-15-1119716
However, it did not work as-is. Probably because VyOS and Vyatta are separate products after all.
The cleaned-up config that I actually applied is below.
# delete previous configuration
configure
delete interfaces vti vti0
delete interfaces vti vti1
delete interfaces vti vti2
delete protocols bgp
delete vpn
commit
save
exit
# configure tunnel #1
configure
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 13.113.234.114 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 13.113.234.114 authentication pre-shared-secret 'vBj9QDCoZb0rAT8Sbgkx_ApK3IHBsyHx'
set vpn ipsec site-to-site peer 13.113.234.114 description 'VPC tunnel 1'
set vpn ipsec site-to-site peer 13.113.234.114 ike-group 'AWS'
set vpn ipsec site-to-site peer 13.113.234.114 local-address '10.0.0.253'
set vpn ipsec site-to-site peer 13.113.234.114 vti bind 'vti1'
set vpn ipsec site-to-site peer 13.113.234.114 vti esp-group 'AWS'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set interfaces vti vti1 address '169.254.101.30/30'
set interfaces vti vti1 description 'VPC tunnel 1'
set interfaces vti vti1 mtu '1436'
set protocols bgp neighbor 169.254.101.29 remote-as '64512'
set protocols bgp neighbor 169.254.101.29 soft-reconfiguration 'inbound'
set protocols bgp neighbor 169.254.101.29 timers holdtime '30'
set protocols bgp neighbor 169.254.101.29 timers keepalive '10'
set protocols bgp local-as 65000
commit
save
exit
# configure tunnel #2
configure
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 52.199.22.93 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.199.22.93 authentication pre-shared-secret 'TdBgv71bbrEl9hKNpXpas4Kj6wcXh1Jf'
set vpn ipsec site-to-site peer 52.199.22.93 description 'VPC tunnel 2'
set vpn ipsec site-to-site peer 52.199.22.93 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.199.22.93 local-address '10.0.0.253'
set vpn ipsec site-to-site peer 52.199.22.93 vti bind 'vti2'
set vpn ipsec site-to-site peer 52.199.22.93 vti esp-group 'AWS'
set vpn ipsec ipsec-interfaces interface 'eth1'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set interfaces vti vti2 address '169.254.25.154/30'
set interfaces vti vti2 description 'VPC tunnel 2'
set interfaces vti vti2 mtu '1436'
set protocols bgp neighbor 169.254.25.153 remote-as '64512'
set protocols bgp neighbor 169.254.25.153 soft-reconfiguration 'inbound'
set protocols bgp neighbor 169.254.25.153 timers holdtime '30'
set protocols bgp neighbor 169.254.25.153 timers keepalive '10'
set protocols bgp local-as 65000
commit
save
exit
# route advertisement
configure
set protocols bgp address-family ipv4-unicast network 172.16.0.0/24
commit
save
exit
# confirm
show interfaces
show vpn ike sa
show vpn ipsec sa
show bgp summary
show ip route
show ip bgp
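The rewrite above (drop the "!" comment lines, fill in the local address, move IPsec to the interface facing the NAT router, renumber the vti interfaces, and move the ASN and the advertised prefix to the VyOS "local-as" / "address-family ipv4-unicast" nodes) is mechanical, so here it is as a script. This is an added example, not code from the post or from AWS; the sample input is a constructed excerpt with a placeholder peer address and no secrets, and the command syntax it emits is the one the post applied.

```python
import re

# Constructed excerpt in the shape of the AWS-generated sample (placeholder peer
# address and no real secrets); only the line kinds the rewrite touches are shown.
SAMPLE_AWS_CONFIG = """\
! IPSec Tunnel #1
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500.
| If not behind NAT, and you are not using an Accelerated VPN, we recommend disabling NAT-T.
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec site-to-site peer 192.0.2.10 local-address 'X.X.X.X'
set vpn ipsec site-to-site peer 192.0.2.10 vti bind 'vti0'
set vpn ipsec ipsec-interfaces interface 'eth0'
set interfaces vti vti0 address '169.254.101.30/30'
set protocols bgp 65000 neighbor 169.254.101.29 remote-as '64512'
set protocols bgp 65000 network 0.0.0.0/0
"""


def convert_aws_config(text, local_address, wan_interface, vti_map, advertise):
    """Rewrite AWS's Vyatta-style sample into the form the post applied on VyOS.
    Returns the 'set' commands in order, with duplicates (shared ike/esp groups) dropped."""
    cmds, local_as = [], None
    for line in text.splitlines():
        line = line.strip()
        # '!' comment lines and the stray '|' line are not VyOS commands.
        if not line or line[0] in "!|":
            continue
        # The router's own address: the private address behind the NAT router
        # (NAT-T on UDP 4500 carries the traffic through the translation).
        line = line.replace("'X.X.X.X'", f"'{local_address}'")
        # Bind IPsec to the interface that faces the NAT router.
        line = re.sub(r"ipsec-interfaces interface '\w+'",
                      f"ipsec-interfaces interface '{wan_interface}'", line)
        # Renumber vti interfaces (the post moved vti0/vti1 to vti1/vti2).
        line = re.sub(r"\bvti\d+\b", lambda m: vti_map.get(m.group(0), m.group(0)), line)
        # VyOS takes the ASN as 'local-as' instead of as part of the node name,
        # and prefixes are advertised under address-family ipv4-unicast.
        m = re.match(r"set protocols bgp (\d+) (.*)", line)
        if m:
            local_as, rest = m.group(1), m.group(2)
            if rest.startswith("network "):
                continue  # replaced by the on-prem prefix below, not the default route
            line = f"set protocols bgp {rest}"
        if line not in cmds:
            cmds.append(line)
    if local_as:
        cmds.append(f"set protocols bgp local-as {local_as}")
        cmds.append(f"set protocols bgp address-family ipv4-unicast network {advertise}")
    return cmds


def render_session(cmds):
    """Wrap the commands in one configure/commit/save session, as in the post."""
    return "\n".join(["configure", *cmds, "commit", "save", "exit"]) + "\n"
```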
4. Verifying the VPN connection [on-prem]
vyos@vyos:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 172.16.0.253/24 u/u
eth1 10.0.0.253/24 u/u
lo 127.0.0.1/8 u/u
::1/128
vti1 169.254.101.30/30 u/u VPC tunnel 1
vti2 169.254.25.154/30 u/u VPC tunnel 2
vyos@vyos:~$ show vpn ike sa
Peer ID / IP Local ID / IP
------------ -------------
52.199.22.93 52.199.22.93 10.0.0.253 10.0.0.253
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_1024 yes 11 0
Peer ID / IP Local ID / IP
------------ -------------
13.113.234.114 13.113.234.114 10.0.0.253 10.0.0.253
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
----- ------ ------- ---- --------- ----- ------ ------
up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_1024 yes 28 0
vyos@vyos:~$ show vpn ipsec sa
Connection State Uptime Bytes In/Out Packets In/Out Remote address Remote ID Proposal
--------------------- ------- -------- -------------- ---------------- ---------------- ----------- ---------- --------------
peer_52-199-22-93_vti up 11s 663B/801B 9/11 52.199.22.93 N/A AES_CBC_12 8/HMAC_SHA1_96
vyos@vyos:~$ show bgp summary
IPv4 Unicast Summary:
BGP router identifier 172.16.0.253, local AS number 65000 vrf-id 0
BGP table version 2
RIB entries 3, using 576 bytes of memory
Peers 2, using 43 KiB of memory
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt
169.254.25.153 4 64512 6 5 0 0 0 00:00:11 1 2
169.254.101.29 4 64512 7 6 0 0 0 00:00:29 1 2
Total number of neighbors 2
vyos@vyos:~$ show ip route
Codes: K - kernel route, C - connected, S - static, R - RIP,
O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
F - PBR, f - OpenFabric,
> - selected route, * - FIB route, q - queued, r - rejected, b - backup
S>* 0.0.0.0/0 [1/0] via 10.0.0.254, eth1, weight 1, 00:16:15
C>* 10.0.0.0/24 is directly connected, eth1, 00:16:25
C>* 169.254.25.152/30 is directly connected, vti2, 00:00:11
C>* 169.254.101.28/30 is directly connected, vti1, 00:00:29
C>* 172.16.0.0/24 is directly connected, eth0, 00:16:25
B>* 172.18.0.0/16 [20/100] via 169.254.101.29, vti1, weight 1, 00:00:28
vyos@vyos:~$ show ip bgp
BGP table version is 2, local router ID is 172.16.0.253, vrf id 0
Default local pref 100, local AS 65000
Status codes: s suppressed, d damped, h history, * valid, > best, = multipath,
i internal, r RIB-failure, S Stale, R Removed
Nexthop codes: @NNN nexthop's vrf id, < announce-nh-self
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 172.16.0.0/24 0.0.0.0 0 32768 i
* 172.18.0.0/16 169.254.25.153 200 0 64512 i
*> 169.254.101.29 100 0 64512 i
Displayed 2 routes and 3 total paths
Check the following. I'll paste screenshots if I get around to it.
- The state of VPN tunnels 1 and 2 is UP.
- The on-prem route (172.16.0.0/24) is automatically registered in the route table, propagated via BGP.
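The two checks above can be automated on the on-prem side from the "show vpn ike sa", "show bgp summary" and "show ip route" output: both IKE SAs up, both BGP neighbors Established with a prefix received, and the VPC prefix present as a selected BGP route via a vti interface. This is an added example, not the post's own code; the sample outputs are constructed excerpts in the shape of the post's output, and the parser also handles the failure case where a BGP session is not Established (FRR then prints a state word instead of a prefix count).

```python
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Constructed excerpts in the shape of the post's "show" output (addresses as in the post).
IKE_SA = """\
Peer ID / IP Local ID / IP
52.199.22.93 52.199.22.93 10.0.0.253 10.0.0.253
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_1024 yes 11 0
Peer ID / IP Local ID / IP
13.113.234.114 13.113.234.114 10.0.0.253 10.0.0.253
State IKEVer Encrypt Hash D-H Group NAT-T A-Time L-Time
up IKEv2 AES_CBC_128 HMAC_SHA1_96 MODP_1024 yes 28 0
"""
BGP_SUMMARY = """\
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd PfxSnt
169.254.25.153 4 64512 6 5 0 0 0 00:00:11 1 2
169.254.101.29 4 64512 7 6 0 0 0 00:00:29 1 2
Total number of neighbors 2
"""
IP_ROUTE = """\
C>* 169.254.101.28/30 is directly connected, vti1, 00:00:29
B>* 172.18.0.0/16 [20/100] via 169.254.101.29, vti1, weight 1, 00:00:28
"""


def parse_ike_sa(text):
    """Map each IKE peer address to its SA state ('up'/'down') and NAT-T flag."""
    peers, current = {}, None
    for line in text.splitlines():
        f = line.split()
        if f and IPV4.match(f[0]):  # peer row: "<Peer ID> <Peer IP> <Local ID> <Local IP>"
            current = f[1]
        elif f and f[0] in ("up", "down") and current:  # state row that follows it
            peers[current] = {"state": f[0], "nat_t": len(f) > 5 and f[5] == "yes"}
    return peers


def parse_bgp_summary(text):
    """Map each neighbor to the number of prefixes received, or None when the
    session is not Established (FRR then prints a state word such as Active)."""
    nbrs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 10 and IPV4.match(f[0]):
            nbrs[f[0]] = int(f[9]) if f[9].isdigit() else None
    return nbrs


def check_vpn(ike_text, bgp_text, route_text, peers, neighbors, vpc_cidr):
    """Return the findings for the checks in the post; an empty list means healthy."""
    problems = []
    ike = parse_ike_sa(ike_text)
    for p in peers:
        if ike.get(p, {}).get("state") != "up":
            problems.append(f"IKE SA to {p} is not up")
    bgp = parse_bgp_summary(bgp_text)
    for n in neighbors:
        if bgp.get(n) is None:
            problems.append(f"BGP session with {n} not established")
        elif bgp[n] == 0:
            problems.append(f"BGP session with {n} is up but received no prefix")
    # The VPC prefix must be a selected BGP route (B>*) pointing into a vti interface.
    if not re.search(rf"^B>\* {re.escape(vpc_cidr)} .* vti\d+,", route_text, re.M):
        problems.append(f"no selected BGP route for {vpc_cidr} via a vti interface")
    return problems
```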
6. Building a server for connectivity testing [on-prem]
Prepare a server that meets the following requirements; any method will do. In this environment I built CentOS as a QEMU+KVM virtual guest.
- It belongs to the private subnet (172.16.0.0/24).
- Its default gateway is the VyOS router (172.16.0.253).
7. Connectivity test [on-prem → AWS]
Check ping connectivity. The EC2 instance's IP is 172.18.1.198. This is neither a public IP nor an Elastic IP; it is an IP in a private subnet with no path to an internet gateway. This is the important point.
[root@server ~]# ping 172.18.1.198
PING 172.18.1.198 (172.18.1.198) 56(84) bytes of data.
64 bytes from 172.18.1.198: icmp_seq=1 ttl=253 time=11.10 ms
64 bytes from 172.18.1.198: icmp_seq=2 ttl=253 time=10.2 ms
--- 172.18.1.198 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 3ms
rtt min/avg/max/mdev = 10.242/11.116/11.990/0.874 ms
Check SSH connectivity. The public key was placed on the server beforehand.
[root@server ~]# ssh -i /tmp/keypair01.pem -l ec2-user 172.18.1.198
The authenticity of host '172.18.1.198 (172.18.1.198)' can't be established.
ECDSA key fingerprint is SHA256:VqK/desWkzYLa8xHrqkmM3LyyeBvqckLVGWR3oClAxg.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.18.1.198' (ECDSA) to the list of known hosts.
__| __|_ )
_| ( / Amazon Linux 2 AMI
___|\___|___|
https://aws.amazon.com/amazon-linux-2/
[ec2-user@ip-172-18-1-198 ~]$
This confirms that the connection source is the on-prem server (172.16.0.1).
[ec2-user@ip-172-18-1-198 ~]$ w
12:18:51 up 21 min, 1 user, load average: 0.00, 0.02, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
ec2-user pts/0 ip-172-16-0-1.am 12:18 2.00s 0.02s 0.00s w
[ec2-user@ip-172-18-1-198 ~]$ netstat -an | grep 22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 36 172.18.1.198:22 172.16.0.1:39320 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN
8. Connectivity test [AWS → on-prem]
The only way to log in to the AWS EC2 instance that is the source of this connectivity test is over the VPN from on-prem, so it is already obvious at this point that connectivity exists. Still, traffic in the reverse direction might not pass, so check it.
Check ping connectivity.
[ec2-user@ip-172-18-1-198 ~]$ ping 172.16.0.1
PING 172.16.0.1 (172.16.0.1) 56(84) bytes of data.
64 bytes from 172.16.0.1: icmp_seq=1 ttl=63 time=9.74 ms
64 bytes from 172.16.0.1: icmp_seq=2 ttl=63 time=10.4 ms
--- 172.16.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 9.748/10.087/10.427/0.354 ms
Check SSH connectivity.
[ec2-user@ip-172-18-1-198 ~]$ ssh root@172.16.0.1
The authenticity of host '172.16.0.1 (172.16.0.1)' can't be established.
ECDSA key fingerprint is SHA256:GaMu1CbR/A6wKpX/Ce0ceD2T8RESL9A+tWE39qTmSSM.
ECDSA key fingerprint is MD5:17:e2:8a:eb:44:46:1a:18:d2:49:b4:8c:ad:27:8f:10.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.0.1' (ECDSA) to the list of known hosts.
root@172.16.0.1's password:
Last login: Tue Jul 6 21:18:10 2021
[root@server ~]#
This confirms that the connection source is EC2 (172.18.1.198).
[root@server ~]# w
21:21:46 up 4 min, 2 users, load average: 0.04, 0.17, 0.09
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
root ttyS0 - 21:18 1.00s 1.20s 0.05s ssh -i /tmp/keypair01.pem -l ec2-user 172.18.1.198
root pts/0 172.18.1.198 21:21 1.00s 0.05s 0.01s w
[root@server ~]# netstat -an | grep 22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 36 172.16.0.1:22 172.18.1.198:50280 ESTABLISHED
tcp 0 36 172.16.0.1:39326 172.18.1.198:22 ESTABLISHED
tcp6 0 0 :::22 :::* LISTEN