EdgeRouter - Route-Based Site-to-Site VPN to AWS VPC (VTI over IKEv1/IPsec)


Overview


Readers will learn how to configure a Route-Based Site-to-Site IPsec VPN between an EdgeRouter and the Amazon Web Services (AWS) Virtual Private Cloud (VPC) using static routing. The other VPN option that is available when connecting to AWS is:

NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and advanced networking knowledge is required. Please see the Related Articles below for more information.

More info about Amazon VPC and their requirements can be found here.

Devices used in this article:

Table of Contents


  1. Network Diagram
  2. Configuring a Route-Based VPN
  3. Setting up the Amazon Virtual Private Gateway
  4. Related Articles

Network Diagram



The network topology is shown below and the following interfaces are in use on the EdgeRouter and AWS:

ER-4

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24
  • vti0 - 169.254.x.x/30
  • vti1 - 169.254.x.x/30

AWS VGW

  • VGW1 - 192.0.2.1
  • VGW2 - 198.51.100.2
  • vpc cidr (LAN) - 172.16.0.0/22
  • vpc subnet - 172.16.1.0/24

[Figure: network topology diagram (topology.png)]

The type of VPN that will be created is a Route-Based over IKEv1/IPsec tunnel.


Configuring a Route-Based VPN



CLI: Access the Command Line Interface. You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Enable the auto-firewall-nat-exclude feature which automatically creates the IPsec firewall/NAT policies in the iptables firewall.

set vpn ipsec auto-firewall-nat-exclude enable

3. Create the IKE / Phase 1 (P1) Security Associations (SAs) and enable Dead Peer Detection (DPD).

set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 dead-peer-detection interval 15
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 30

4. Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS).

set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

5. Define the first AWS peer address (replace <secret> with the AWS generated passphrase).

set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 connection-type initiate
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec-aws
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1

6. Link the SAs created above to the first AWS peer and bind the VPN to a virtual tunnel interface (vti0).

set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 vti bind vti0
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group FOO0

7. Repeat the process for the second AWS peer address using a second virtual tunnel interface (vti1).

set vpn ipsec site-to-site peer 198.51.100.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 198.51.100.1 connection-type initiate
set vpn ipsec site-to-site peer 198.51.100.1 description ipsec-aws
set vpn ipsec site-to-site peer 198.51.100.1 local-address 203.0.113.1

set vpn ipsec site-to-site peer 198.51.100.1 ike-group FOO0
set vpn ipsec site-to-site peer 198.51.100.1 vti bind vti1
set vpn ipsec site-to-site peer 198.51.100.1 vti esp-group FOO0

8. Configure the RFC 3927 IP addresses on the virtual tunnel interfaces.

set interfaces vti vti0 address 169.254.x.x/30
set interfaces vti vti1 address 169.254.x.x/30

NOTE: The tunnel IP addresses can be found in the Vyatta Network OS configuration file.

9. Lower the TCP Maximum Segment Size (MSS) on the vti interfaces to 1379.

set firewall options mss-clamp interface-type vti
set firewall options mss-clamp mss 1379

10. Create static routes for the remote VPC subnet.

set protocols static interface-route 172.16.0.0/22 next-hop-interface vti0
set protocols static interface-route 172.16.0.0/22 next-hop-interface vti1

11. Commit the changes and save the configuration.

commit ; save
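Two hand-typed tunnels are easy to get subtly wrong: a /30 reused on both vti interfaces, a tunnel address that is the network address of its /30, or a LAN prefix that overlaps the VPC CIDR so the connected route and the interface-route compete. The following Python script is an added example, not part of this article or of Ubiquiti's EdgeOS tooling. It validates the addressing plan with the standard-library ipaddress module and then prints the EdgeOS set commands for steps 2 and 5 to 10 above. The 169.254.x.x/30 inside addresses and the pre-shared-key placeholders are constructed values; the real ones come from the configuration file downloaded from AWS in the next section, and real keys belong in the router session, not in a script.

```python
"""Pre-flight check and EdgeOS command generator for a two-tunnel AWS VPN plan.

Added example (not Ubiquiti's or AWS's own tooling). The tunnel inside
addresses and PSK values below are constructed placeholders.
"""
import ipaddress

# AWS hands out tunnel inside addresses from the RFC 3927 link-local range.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

PLAN = {
    "wan": "203.0.113.1",            # eth0 address from the network diagram
    "lan": "192.168.1.0/24",         # eth1 LAN advertised to AWS as a static prefix
    "vpc_cidr": "172.16.0.0/22",     # remote VPC CIDR routed over the vti interfaces
    "vpc_subnet": "172.16.1.0/24",   # subnet created inside the VPC
    "ike_group": "FOO0",
    "esp_group": "FOO0",
    "tunnels": [
        # "inside" and "psk" are constructed placeholders, not AWS-issued values
        {"vti": "vti0", "peer": "192.0.2.1",    "inside": "169.254.10.2/30", "psk": "<secret-1>"},
        {"vti": "vti1", "peer": "198.51.100.1", "inside": "169.254.11.2/30", "psk": "<secret-2>"},
    ],
}


def validate_plan(plan):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    lan = ipaddress.ip_network(plan["lan"])
    vpc = ipaddress.ip_network(plan["vpc_cidr"])
    subnet = ipaddress.ip_network(plan["vpc_subnet"])
    wan = ipaddress.ip_address(plan["wan"])

    # The on-prem LAN and the VPC CIDR must not overlap: the connected LAN route
    # and the interface-route to the VPC would otherwise cover the same addresses.
    if lan.overlaps(vpc):
        problems.append(f"LAN {lan} overlaps VPC CIDR {vpc}")
    # The VPC subnet has to sit inside the CIDR the static route points at.
    if not subnet.subnet_of(vpc):
        problems.append(f"subnet {subnet} is not inside VPC CIDR {vpc}")

    seen = []
    for t in plan["tunnels"]:
        inside = ipaddress.ip_interface(t["inside"])
        net = inside.network
        # Each tunnel needs its own 169.254.x.x/30, and the router's address must
        # be a usable host address, not the network or broadcast address.
        if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
            problems.append(f"{t['vti']}: inside address {inside} is not a 169.254.x.x/30")
        elif inside.ip in (net.network_address, net.broadcast_address):
            problems.append(f"{t['vti']}: {inside.ip} is the network/broadcast address of {net}")
        if net in seen:
            problems.append(f"{t['vti']}: /30 {net} is reused by another tunnel")
        seen.append(net)
        if ipaddress.ip_address(t["peer"]) == wan:
            problems.append(f"{t['vti']}: peer address equals the local WAN address")
    return problems


def edgeos_commands(plan):
    """Emit the per-peer, vti and static-route 'set' commands for the plan."""
    cmds = ["set vpn ipsec auto-firewall-nat-exclude enable"]
    for t in plan["tunnels"]:
        p = f"set vpn ipsec site-to-site peer {t['peer']}"
        cmds += [
            f"{p} authentication mode pre-shared-secret",
            f"{p} authentication pre-shared-secret {t['psk']}",
            f"{p} connection-type initiate",
            f"{p} description ipsec-aws",
            f"{p} local-address {plan['wan']}",
            f"{p} ike-group {plan['ike_group']}",
            f"{p} vti bind {t['vti']}",
            f"{p} vti esp-group {plan['esp_group']}",
            f"set interfaces vti {t['vti']} address {t['inside']}",
            f"set protocols static interface-route {plan['vpc_cidr']} next-hop-interface {t['vti']}",
        ]
    return cmds


if __name__ == "__main__":
    issues = validate_plan(PLAN)
    if issues:
        print("Plan has problems, not generating commands:")
        for issue in issues:
            print("  -", issue)
    else:
        print("\n".join(edgeos_commands(PLAN)))
```

Run it with a plan that matches the downloaded AWS configuration; the commands are only printed when no problem is reported, so a copied-and-pasted overlap or reused /30 is caught before `commit`.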

Setting up the Amazon Virtual Private Gateway



The names of the AWS gateway connections and subnets are randomly generated and unique for each environment. For reference purposes, the names used in this example are:

  • vpc vpc-f8e99891
  • sbn subnet-fb400392
  • rtbl rtb-389cd051
  • cgw cgw-4e2ca07e
  • vgw vgw-d5c945e5
  • vpn vpn-2704cf10

GUI: Access the AWS Management Console.

1. If not already present, create a new Virtual Private Cloud (VPC).

Services > VPC > VPC Dashboard > Your VPCs > Create VPC

IPv4 CIDR Block: 172.16.0.0/22
IPv6 CIDR Block: No IPv6 CIDR Block
Tenancy: default

2. If not already present, create a new subnet in the VPC address range.

VPC Dashboard > Subnets > Create Subnet

VPC: vpc-f8e99891
VPC CIDRs: 172.16.0.0/22
Availability Zone: No Preference
IPv4 CIDR Block: 172.16.1.0/24

3. Create a new Customer Gateway (CGW) and enter the EdgeRouter's public IP address.

VPC Dashboard > Customer Gateways > Create Customer Gateway

Name: er-cgw
Routing: Static
IP Address: 203.0.113.1

4. Create a new Virtual Private Gateway (VGW).

VPC Dashboard > Virtual Private Gateways > Create Virtual Private Gateway

Name: er-vgw
ASN: Amazon default ASN

5. Attach the VGW to the VPC created earlier.

VPC Dashboard > Virtual Private Gateway > er-vgw > Actions > Attach to VPC

6. Propagate the routes that will be received on the VGW to the VPC.

VPC Dashboard > Route Tables > Route Propagation > Edit

Check: Propagate er-vgw

NOTE: This step ensures that the AWS virtual hosts receive a route for the 192.168.1.0/24 network after the VPN establishes.

7. Create a new VPN connection and associate the previously created VGW and CGW.

VPC Dashboard > VPN Connections > Create VPN Connection

Name tag: ipsec-er
Virtual Private Gateway: vgw-d5c945e5
Customer Gateway: Existing
Customer Gateway ID: cgw-4e2ca07e
Routing Options: Static
Static IP Prefixes: 192.168.1.0/24
Tunnel Options: Generated by Amazon

8. Download the configuration which contains all the SAs, pre-shared keys and IP addresses.

VPC Dashboard > VPN Connections > ipsec-er > Download Configuration

Vendor: Generic
Platform: Generic
Software: Vendor Agnostic

Related Articles



EdgeRouter - Route-Based Site-to-Site VPN to AWS VPC (BGP over IKEv1/IPsec)

EdgeRouter - Route-Based Site-to-Site IPsec VPN

Intro to Networking - How to Establish a Connection Using SSH
