Readers will learn how to configure a Route-Based Site-to-Site IPsec VPN between an EdgeRouter and the Amazon Web Services (AWS) Virtual Private Cloud (VPC) using static routing. It is also possible to configure a Route-Based Site-to-Site VPN using BGP instead.
NOTES & REQUIREMENTS:
Applicable to the latest EdgeOS firmware on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and advanced networking knowledge is required. Please see the Related Articles below for more information.
More info about Amazon VPC and their requirements can be found here.
Devices used in this article:
Table of Contents
- Network Diagram
- Configuring a Route-Based VPN
- Setting up the Amazon Virtual Private Gateway
- Related Articles
The network topology is shown below and the following interfaces are in use on the EdgeRouter and AWS:
- eth0 (WAN) - 203.0.113.1
- eth1 (LAN) - 192.168.1.1/24
- vti0 - 169.254.x.x/30
- vti1 - 169.254.x.x/30
- VGW1 - 192.0.2.1
- VGW2 - 198.51.100.2
- vpc cidr (LAN) - 172.16.0.0/22
- vpc subnet - 172.16.1.0/24
The type of VPN that will be created is a Route-Based over IKEv1/IPsec tunnel.
Configuring a Route-Based VPN
CLI: Access the Command Line Interface. You can do this using the CLI button in the GUI or by using a program such as PuTTY.
1. Enter configuration mode.
2. Enable the auto-firewall-nat-exclude feature which automatically creates the IPsec firewall/NAT policies in the
set vpn ipsec auto-firewall-nat-exclude enable
3. Create the IKE / Phase 1 (P1) Security Associations (SAs) and enable Dead Peer Detection (DPD).
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 dead-peer-detection interval 15
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 30
4. Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS).
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
5. Define the first AWS peer address (replace <secret> with the AWS generated passphrase).
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 connection-type initiate
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec-aws
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
6. Link the SAs created above to the first AWS peer and bind the VPN to a virtual tunnel interface (vti0).
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 vti bind vti0
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group FOO0
7. Repeat the process for the second AWS peer address using a second virtual tunnel interface (vti1)
set vpn ipsec site-to-site peer 198.51.100.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 198.51.100.1 connection-type initiate
set vpn ipsec site-to-site peer 198.51.100.1 description ipsec-aws
set vpn ipsec site-to-site peer 198.51.100.1 local-address 203.0.113.1
set vpn ipsec site-to-site peer 198.51.100.1 ike-group FOO0
set vpn ipsec site-to-site peer 198.51.100.1 vti bind vti1
set vpn ipsec site-to-site peer 198.51.100.1 vti esp-group FOO0
8. Configure the RFC 3927 IP addresses on the virtual tunnel interfaces.
set interfaces vti vti0 address 169.254.x.x/30
set interfaces vti vti1 address 169.254.x.x/30
NOTE: The tunnel IP addresses can be found in the Vyatta Network OS configuration file.
9. Lower the TCP Maximum Segment Size (MSS) on the vti interfaces to 1379.
set firewall options mss-clamp interface-type vti
set firewall options mss-clamp mss 1379
10. Create static routes for the remote VPC subnet.
set protocols static interface-route 172.16.0.0/22 next-hop-interface vti0
set protocols static interface-route 172.16.0.0/22 next-hop-interface vti1
11. Commit the changes and save the configuration.
commit ; save
Setting up the Amazon Virtual Private Gateway
The names of the AWS gateway connections and subnets are randomly generated and unique for each environment. For reference purposes, the names used in this example are:
GUI: Access the AWS Management Console.
1. If not already present, create a new Virtual Private Cloud (VPC).
Services > VPC > VPC Dashboard > Your VPCs > Create VPC
IPv4 CIDR Block: 172.16.0.0/22
IPv6 CIDR Block: No IPv6 CIDR Block
2. If not already present, create a new subnet in the VPC address range.
VPC Dashboard > Subnets > Create Subnet
VPC CIDRs: 172.16.0.0/22
Availability Zone: No Preference
IPv4 CIDR Block: 172.16.1.0/24
3. Create a new Customer Gateway (CGW) and enter the EdgeRouter's public IP address.
VPC Dashboard > Customer Gateways > Create Customer Gateway
IP Address: 203.0.113.1
4. Create a new Virtual Private Gateway (VGW).
VPC Dashboard > Virtual Private Gateways > Create Virtual Private Gateway
ASN: Amazon default ASN
5. Attach the VGW to the VPC created earlier.
VPC Dashboard > Virtual Private Gateway > er-vgw > Actions > Attach to VPC
6. Propagate the routes that will be received on the VGW to the VPC.
VPC Dashboard > Route Tables > Route Propagation > Edit
Check: Propagate er-vgw
NOTE: This step ensures that the AWS virtual hosts receive a route for the 192.168.1.0/24 network after the VPN establishes.
7. Create a new VPN connection and associate the previously created VGW and CGW.
VPC Dashboard > VPN Connections > Create VPN Connection
Name tag: ipsec-er
Virtual Private Gateway: vgw-d5c945e5
Customer Gateway: Existing
Customer Gateway ID: cgw-4e2ca07e
Routing Options: Static
Static IP Prefixes: 192.168.1.0/24
Tunnel Options: Generated by Amazon
8. Download the configuration which contains all the SAs, pre-shared keys and IP addresses.
VPC Dashboard > VPN Connections > ipsec-er > Download Configuration
Software: Vendor Agnostic