EdgeRouter - Route-Based Site-to-Site VPN to AWS VPC (BGP over IKEv1/IPsec)


Overview


Readers will learn how to configure a Route-Based Site-to-Site IPsec VPN between an EdgeRouter and the Amazon Web Services (AWS) Virtual Private Cloud (VPC). 

NOTES & REQUIREMENTS:
Applicable to EdgeOS firmware v1.10.0 and up on all EdgeRouter models. Knowledge of the Command Line Interface (CLI) and of advanced networking is required. Please see the Related Articles below for more information and see the attachments for the configuration used in this article.
 
More info about Amazon VPC and their requirements can be found here.
 
Devices used in this article:

Table of Contents


  1. Network Diagram
  2. Configuring a Route-Based VPN
  3. Setting up the Amazon Virtual Private Gateway
  4. Related Articles

Network Diagram


The network topology is shown below and the following interfaces are in use on the EdgeRouter and AWS:

ER-4 (AS 65000)

  • eth0 (WAN) - 203.0.113.1
  • eth1 (LAN) - 192.168.1.1/24
  • vti0 - 169.254.x.x/30
  • vti1 - 169.254.x.x/30

AWS (AS 65515)

  • vgw1 - 192.0.2.1
  • vgw2 - 198.51.100.1
  • vpc cidr - 172.16.0.0/22
  • vpc subnet - 172.16.1.0/24

(Network diagram: topology.png)

The BGP protocol will be used to facilitate routing between the sites.


Configuring a Route-Based VPN


CLI: Access the command line interface (CLI). You can do this using the CLI button in the GUI or by using a program such as PuTTY.

1. Enter configuration mode.

configure

2. Enable the auto-firewall-nat-exclude feature, which automatically creates the IPsec firewall/NAT policies in the iptables firewall.

set vpn ipsec auto-firewall-nat-exclude enable

3. Create the IKE / Phase 1 (P1) Security Associations (SAs) and enable Dead Peer Detection (DPD).

set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 dead-peer-detection interval 15
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 30

4. Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS).

set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

5. Define the first AWS peer address (replace <secret> with the AWS generated passphrase).

set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 connection-type initiate
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec-aws
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1

6. Link the SAs created above to the first AWS peer and bind the VPN to a virtual tunnel interface (vti0).

set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 vti bind vti0
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group FOO0

7. Repeat the process for the second AWS peer address using a different virtual tunnel interface (vti1).

set vpn ipsec site-to-site peer 198.51.100.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 198.51.100.1 connection-type initiate
set vpn ipsec site-to-site peer 198.51.100.1 description ipsec-aws
set vpn ipsec site-to-site peer 198.51.100.1 local-address 203.0.113.1

set vpn ipsec site-to-site peer 198.51.100.1 ike-group FOO0
set vpn ipsec site-to-site peer 198.51.100.1 vti bind vti1
set vpn ipsec site-to-site peer 198.51.100.1 vti esp-group FOO0

8. Configure the RFC 3927 IP addresses on the virtual tunnel interfaces.

set interfaces vti vti0 address 169.254.x.x/30
set interfaces vti vti1 address 169.254.x.x/30
NOTE: The tunnel IP addresses can be found in the Vyatta Network OS configuration file.

9. Lower the TCP Maximum Segment Size (MSS) on the vti interfaces to 1379.

set firewall options mss-clamp interface-type vti
set firewall options mss-clamp mss 1379

10. Create a prefix-list for BGP that will be used to filter advertised and received prefixes.

set policy prefix-list BGP rule 10 action deny
set policy prefix-list BGP rule 10 description deny-localgw
set policy prefix-list BGP rule 10 prefix 203.0.113.1/32

set policy prefix-list BGP rule 20 action deny
set policy prefix-list BGP rule 20 description deny-remotegw1
set policy prefix-list BGP rule 20 prefix 192.0.2.1/32

set policy prefix-list BGP rule 30 action deny
set policy prefix-list BGP rule 30 description deny-remotegw2
set policy prefix-list BGP rule 30 prefix 198.51.100.1/32

set policy prefix-list BGP rule 100 action permit
set policy prefix-list BGP rule 100 description permit-localsubnet
set policy prefix-list BGP rule 100 prefix 192.168.1.0/24

set policy prefix-list BGP rule 110 action permit
set policy prefix-list BGP rule 110 description permit-remotesubnet
set policy prefix-list BGP rule 110 prefix 172.16.0.0/22

11. Define the BGP neighbor and peering options.

set protocols bgp 65000 timers holdtime 30
set protocols bgp 65000 timers keepalive 10
set protocols bgp 65000 network 192.168.1.0/24

set protocols bgp 65000 neighbor 169.254.x.x prefix-list export BGP
set protocols bgp 65000 neighbor 169.254.x.x prefix-list import BGP
set protocols bgp 65000 neighbor 169.254.x.x remote-as 65515
set protocols bgp 65000 neighbor 169.254.x.x soft-reconfiguration inbound

set protocols bgp 65000 neighbor 169.254.x.x prefix-list export BGP
set protocols bgp 65000 neighbor 169.254.x.x prefix-list import BGP
set protocols bgp 65000 neighbor 169.254.x.x remote-as 65515
set protocols bgp 65000 neighbor 169.254.x.x soft-reconfiguration inbound
NOTE: The BGP neighbor IP addresses are listed under VPC Dashboard > VPN Connections > Tunnel Details.

12. Advertise the local subnet into BGP.

set protocols bgp 65000 network 192.168.1.0/24

13. Commit the changes and save the configuration.

commit ; save
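The prefix-list from step 10 decides which routes cross the tunnels in either direction, so it is worth seeing exactly how it is evaluated. The following Python is an added example (not from the original article or from EdgeOS) that models Quagga-style prefix-list matching as used by EdgeOS: rules are tried in ascending rule-number order, the first match wins, anything unmatched hits the implicit deny, and a rule without ge/le matches only the exact prefix. The ge/le handling goes beyond the page's rules and is included so the effect of that exact-match default can be compared.

```python
"""Model of how the prefix-list BGP from step 10 is evaluated (Quagga-style
semantics as used by EdgeOS). A rule with neither ge nor le matches only
the exact prefix, so a more-specific route does NOT match it."""
from ipaddress import IPv4Network
from typing import List, Optional, Tuple

# (rule number, action, prefix, ge, le) -- ge/le are None on the page's rules
Rule = Tuple[int, str, str, Optional[int], Optional[int]]

PREFIX_LIST_BGP: List[Rule] = [
    (10, "deny", "203.0.113.1/32", None, None),      # deny-localgw
    (20, "deny", "192.0.2.1/32", None, None),        # deny-remotegw1
    (30, "deny", "198.51.100.1/32", None, None),     # deny-remotegw2
    (100, "permit", "192.168.1.0/24", None, None),   # permit-localsubnet
    (110, "permit", "172.16.0.0/22", None, None),    # permit-remotesubnet
]


def rule_matches(rule: Rule, candidate: IPv4Network) -> bool:
    _, _, prefix, ge, le = rule
    net = IPv4Network(prefix)
    if ge is None and le is None:
        return candidate == net               # exact match only
    # With ge/le the candidate must lie inside the rule prefix and its
    # length must fall within [ge, le]; ge defaults to the rule's own
    # length and le defaults to 32.
    if not candidate.subnet_of(net):
        return False
    low = ge if ge is not None else net.prefixlen
    high = le if le is not None else 32
    return low <= candidate.prefixlen <= high


def evaluate(rules: List[Rule], prefix: str) -> Tuple[str, Optional[int]]:
    """Return (action, matching rule number); None = implicit deny."""
    candidate = IPv4Network(prefix)
    for rule in sorted(rules, key=lambda r: r[0]):
        if rule_matches(rule, candidate):
            return rule[1], rule[0]
    return "deny", None


if __name__ == "__main__":
    # Constructed sample of what an AWS neighbor might send over the tunnel.
    received = ["172.16.0.0/22", "172.16.1.0/24", "192.0.2.1/32", "0.0.0.0/0"]
    for p in received:
        print(p, "->", evaluate(PREFIX_LIST_BGP, p))
```

Only the VPC CIDR 172.16.0.0/22 survives the filter; the /24 subnet inside it falls through to the implicit deny, which is what a practitioner should expect when AWS advertises the whole VPC CIDR and not the subnets.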

Setting up the Amazon Virtual Private Gateway


The names of the AWS gateway connections and subnets are randomly generated and unique for each environment. For reference purposes, the names used in this example are:

  • vpc: vpc-f8e99891
  • sbn: subnet-fb400392
  • rtbl: rtb-389cd051
  • cgw: cgw-4e2ca07e
  • vgw: vgw-d5c945e5
  • vpn: vpn-2704cf10

GUI: Access the AWS Management Console.

1. If not already created, create a new virtual private cloud.

Services > VPC > VPC Dashboard > Your VPCs > Create VPC

IPv4 CIDR Block: 172.16.0.0/22
IPv6 CIDR Block: No IPv6 CIDR Block
Tenancy: default

2. If not already created, create a new subnet in the VPC address range. 

VPC Dashboard > Subnets > Create Subnet

VPC: vpc-f8e99891
VPC CIDRs: 172.16.0.0/22
Availability Zone: No Preference
IPv4 CIDR Block: 172.16.1.0/24

3. Create a new customer gateway and enter the EdgeRouter's public IP address.

VPC Dashboard > Customer Gateways > Create Customer Gateway

Name: er-cgw
Routing: Dynamic
BGP ASN: 65000

IP Address: 203.0.113.1

4. Create a new virtual private gateway.

VPC Dashboard > Virtual Private Gateways > Create Virtual Private Gateway

Name: er-vgw
ASN: Custom ASN
ASN: 65515

5. Attach the vgw to the vpc created earlier.

VPC Dashboard > Virtual Private Gateway > er-vgw > Actions > Attach to VPC

6. Propagate the routes that will be received on the VGW to the VPC.

VPC Dashboard > Route Tables > Route Propagation > Edit

  • Check: Propagate er-vgw
NOTE: This step ensures that the AWS virtual hosts receive a route for the 192.168.1.0/24 network after the VPN establishes.

7. Create a new VPN connection and associate the previously created vgw and cgw.

VPC Dashboard > VPN Connections > Create VPN Connection

Name tag: ipsec-er
Virtual Private Gateway: vgw-d5c945e5
Customer Gateway: Existing
Customer Gateway ID: cgw-4e2ca07e
Routing Options: Dynamic
Tunnel Options: Generated by Amazon

8. Download the configuration, which contains all the SAs, pre-shared keys and IP addresses.

VPC Dashboard > VPN Connections > ipsec-er > Download Configuration

Vendor: Vyatta
Platform: Vyatta Network OS
Software: Vyatta Network OS 6.5+

Related Articles


EdgeRouter - Route-Based Site-to-Site VPN to AWS VPC (VTI over IKEv1/IPsec)

EdgeRouter - IPsec Route-Based (VTI) Site-to-Site VPN

Intro to Networking - How to Establish a Connection Using SSH
