
How to Create a Site to Site VPN Between AWS and a Vyatta vRouter


Within this article we will show you how to create an IPSEC site to site VPN from a Vyatta vRouter into the AWS cloud.

Because of the way AWS VPNs work (explained further on), a tunnel (route) based VPN will be created. What distinguishes a route based VPN is that a virtual tunnel interface (VTI) is created and associated with your external interface. Any traffic that you wish to encrypt is routed to this tunnel interface, and access to and from the VPN is then controlled by a firewall policy.

Encryption Domain

First of all, let's look at the encryption domain that will be used in this article's example.

Local

  Local Endpoint    Local VTI                  Local Peer
  192.168.3.0/24    169.254.20.254/30 (VTI1)   133.1.1.100
  192.168.3.0/24    169.254.20.138/30 (VTI2)   133.1.1.100

Remote

  Remote Endpoint   Remote VTI                 Remote Peer
  10.0.1.0/24       169.254.20.253/30 (VTI1)   52.48.97.50
  10.0.1.0/24       169.254.20.137/30 (VTI2)   52.50.142.56
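A mistake in the table above (two tunnel ends in different /30s, an inside-tunnel address outside 169.254.0.0/16, or encryption domains that overlap) produces a VPN that negotiates but never passes traffic, so it is worth checking the addressing before typing any configuration. The following script is an added example, not part of the original article or the Vyatta product; the values are copied from the tables above, and the function and variable names are my own.

```python
import ipaddress

# Encryption domain from the tables above (values copied from the article).
LOCAL_ENDPOINT = "192.168.3.0/24"
REMOTE_ENDPOINT = "10.0.1.0/24"
TUNNELS = {
    "vti1": {"local_vti": "169.254.20.254/30", "remote_vti": "169.254.20.253/30",
             "local_peer": "133.1.1.100", "remote_peer": "52.48.97.50"},
    "vti2": {"local_vti": "169.254.20.138/30", "remote_vti": "169.254.20.137/30",
             "local_peer": "133.1.1.100", "remote_peer": "52.50.142.56"},
}


def check_tunnel(name, t):
    """Return a list of addressing problems for one VTI; an empty list means consistent."""
    problems = []
    local = ipaddress.ip_interface(t["local_vti"])
    remote = ipaddress.ip_interface(t["remote_vti"])
    if local.network.prefixlen != 30:
        problems.append(f"{name}: inside-tunnel prefix is /{local.network.prefixlen}, expected /30")
    if local.network != remote.network:
        problems.append(f"{name}: local {local} and remote {remote} are not in the same /30")
    elif {local.ip, remote.ip} != set(local.network.hosts()):
        problems.append(f"{name}: the two ends must be the usable hosts of {local.network}")
    # AWS hands out inside-tunnel addresses from the 169.254.0.0/16 link-local range.
    if not (local.ip.is_link_local and remote.ip.is_link_local):
        problems.append(f"{name}: inside-tunnel addresses should come from 169.254.0.0/16")
    # Outer peers must be reachable over the Internet, so RFC 1918 / link-local space is wrong.
    for role in ("local_peer", "remote_peer"):
        peer = ipaddress.ip_address(t[role])
        if peer.is_private or peer.is_link_local:
            problems.append(f"{name}: {role} {peer} is not a routable public address")
    return problems


def check_domain(tunnels=TUNNELS, local=LOCAL_ENDPOINT, remote=REMOTE_ENDPOINT):
    """Validate the whole encryption domain; returns all problems found."""
    problems = []
    lnet, rnet = ipaddress.ip_network(local), ipaddress.ip_network(remote)
    if lnet.overlaps(rnet):
        problems.append(f"encryption domains {lnet} and {rnet} overlap")
    for name, t in tunnels.items():
        problems += check_tunnel(name, t)
    # Each tunnel must terminate on its own AWS peer and use its own inside-tunnel /30.
    remote_peers = [t["remote_peer"] for t in tunnels.values()]
    if len(set(remote_peers)) != len(remote_peers):
        problems.append("tunnels share a remote peer address")
    nets = [ipaddress.ip_interface(t["local_vti"]).network for t in tunnels.values()]
    if len(set(nets)) != len(nets):
        problems.append("tunnels share an inside-tunnel /30")
    return problems


if __name__ == "__main__":
    for problem in check_domain() or ["encryption domain is consistent"]:
        print(problem)
```

The table above passes cleanly; swapping one VTI address for one in a neighbouring /30, or choosing a remote subnet that overlaps 192.168.3.0/24, is reported before the tunnel is built.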

AWS

VPC

VPN Connectivity into AWS is performed via the creation of Virtual Private Gateways. These are configured within an AWS VPC.

What is a VPC? A VPC (Virtual Private Cloud) lets you create virtual networks within AWS. This allows you to logically separate resources, add additional security, configure networking attributes (such as route tables) and build VPNs from your remote site into your AWS solution.

AWS VPNs are route based. This means that Virtual Tunnel Interfaces (VTIs) are created on the AWS side. You will also observe that only a single SA is generated.

Steps

Within the AWS Management Portal, under VPC:

  • Create a VPC (Virtual Private Cloud / Your VPCs / Create VPC)
  • Create a Customer Gateway (VPN Connections / Customer Gateway)
    • Routing : Static
    • IP Address : Local Peer IP
  • Create a Virtual Private Gateway (VPN Connections / Virtual Private Gateway)
  • Create a VPN Connection (VPN Connections / VPN Connections). Please note there is a Download Configuration icon. This allows you to download the VPN configuration in a number of vendor formats, e.g. Cisco ASA.
    • Virtual Private Gateway : Select the previously created gateway
    • Customer Gateway : Select the previously created gateway
    • Routing Options : Static
    • Static IP Prefixes : Local Endpoint (192.168.3.0/24)
  • Update the Virtual Private Cloud route table (Virtual Private Cloud / Route Tables): go to the route table hosting your subnet (i.e. 10.0.1.0/24). Within Route Propagation, edit the entry that shows the vgw-xxxxx and enable Propagate. This propagates a route for the endpoint you previously added under Static IP Prefixes.

Vyatta

Interfaces

First of all we configure the outside and inside interfaces.

set interfaces ethernet eth2 address '133.1.1.100/24'
set interfaces ethernet eth2 if-id 'public'
set interfaces ethernet eth5 address '192.168.3.2/24'
set interfaces ethernet eth5 if-id 'INSIDE-192.168.3.0/24'

Tunnel Interfaces

Each of the virtual tunnel interfaces (VTIs) is then configured.

set interfaces vti vti1 address '169.254.20.254/30'
set interfaces vti vti1 description 'VPC tunnel 1'
set interfaces vti vti2 address '169.254.20.138/30'
set interfaces vti vti2 description 'VPC tunnel 2'

WAN LoadBalancing

Next we configure WAN load balancing. This provides the ability to set one VTI as primary and the other as backup via the use of weights. We then monitor the VTIs against the remote (AWS) side of the VPN. Should the monitor fail, the backup VTI is promoted to master.

set load-balancing wan 'disable-source-nat'

set load-balancing wan interface-health vti1 failure-count '5'
set load-balancing wan interface-health vti1 nexthop '169.254.20.253'
set load-balancing wan interface-health vti1 success-count '1'
set load-balancing wan interface-health vti1 test 10 resp-time '5'
set load-balancing wan interface-health vti1 test 10 target '169.254.20.253'
set load-balancing wan interface-health vti1 test 10 ttl-limit '1'
set load-balancing wan interface-health vti1 test 10 type 'ping'
set load-balancing wan interface-health vti2 failure-count '5'
set load-balancing wan interface-health vti2 nexthop '169.254.20.137'
set load-balancing wan interface-health vti2 success-count '1'
set load-balancing wan interface-health vti2 test 10 resp-time '5'
set load-balancing wan interface-health vti2 test 10 target '169.254.20.137'
set load-balancing wan interface-health vti2 test 10 ttl-limit '1'
set load-balancing wan interface-health vti2 test 10 type 'ping'

set load-balancing wan rule 10 'failover'
set load-balancing wan rule 10 inbound-interface 'eth5'
set load-balancing wan rule 10 interface vti1 weight '10'
set load-balancing wan rule 10 interface vti2 weight '1'
set load-balancing wan rule 10 protocol 'all'

NAT Exemption

NAT Exemption is configured to ensure that traffic is sent over the VPN tunnel using the real IPs. 

set nat source rule 10 destination address '10.0.1.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface 'eth2'
set nat source rule 10 source address '192.168.3.0/24'
set nat source rule 20 destination address '192.168.3.0/24'
set nat source rule 20 'exclude'
set nat source rule 20 outbound-interface 'eth2'
set nat source rule 20 source address '10.0.1.0/24'

Routes

Routes to the remote endpoint via each of the VTIs are then configured.

set protocols static interface-route 10.0.1.0/24 next-hop-interface 'vti1'
set protocols static interface-route 10.0.1.0/24 next-hop-interface 'vti2'

Phase 1/2 Parameters

The phase 1 and phase 2 parameters are then defined.

set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'

set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'

Peers 

For each peer we define the pre-shared key, associate the phase 1/2 policies and bind the related VTI.

set vpn ipsec ipsec-interfaces interface 'eth2'
set vpn ipsec site-to-site peer 52.48.97.50 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.48.97.50 authentication pre-shared-secret <pre_shared_key>
set vpn ipsec site-to-site peer 52.48.97.50 connection-type 'initiate'
set vpn ipsec site-to-site peer 52.48.97.50 description 'VPC tunnel 1'
set vpn ipsec site-to-site peer 52.48.97.50 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.48.97.50 local-address '133.1.1.100'
set vpn ipsec site-to-site peer 52.48.97.50 vti bind 'vti1'
set vpn ipsec site-to-site peer 52.48.97.50 vti esp-group 'AWS'
set vpn ipsec site-to-site peer 52.50.142.56 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.50.142.56 authentication pre-shared-secret <pre_shared_key>
set vpn ipsec site-to-site peer 52.50.142.56 connection-type 'initiate'
set vpn ipsec site-to-site peer 52.50.142.56 description 'VPC tunnel 2'
set vpn ipsec site-to-site peer 52.50.142.56 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.50.142.56 local-address '133.1.1.100'
set vpn ipsec site-to-site peer 52.50.142.56 vti bind 'vti2'
set vpn ipsec site-to-site peer 52.50.142.56 vti esp-group 'AWS'

Access Policy

Finally we ensure traffic from our local endpoint is permitted through our access policy.

set firewall name INSIDE default-action 'drop'
set firewall name INSIDE rule 10 action 'accept'
set firewall name INSIDE rule 10 protocol 'all'

Show Commands

Confirm Phase 1

vyatta@vyatta:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
52.50.142.56                            133.1.1.100

    State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----  -------  -----  ------  ------
    up     aes256   sha1  2        no     2012    86400

Confirm Phase 2

vyatta@vyatta:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
52.50.142.56                            133.1.1.100

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     0.0/0.0        aes256   sha1  no     2030    3600    all

Further information can be obtained via show vpn ipsec sa [details | statistics ]
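Reading the two show commands by eye is enough for one tunnel, but what matters operationally is whether the negotiated SAs match the policy you configured and whether every configured peer actually has an SA. The script below is an added example, not part of the article or the Vyatta software: it parses constructed copies of the two outputs shown above and compares them with the ike-group and esp-group "AWS" values and the two peers configured earlier. The parser, field names and the expected-policy dictionaries are my own. Run against the sample output on this page, it reports that the negotiated encryption (aes256) and IKE lifetime (86400) differ from the configured aes128 and 28800, that the phase 2 encryption differs likewise, and that peer 52.48.97.50 has no SA listed.

```python
import re

# Policy as configured in the ike-group / esp-group "AWS" earlier in the article.
EXPECTED_IKE = {"encrypt": "aes128", "hash": "sha1", "dh_group": "2", "lifetime": 28800}
EXPECTED_ESP = {"encrypt": "aes128", "hash": "sha1", "lifetime": 3600}
# Both AWS peers configured under 'vpn ipsec site-to-site'.
EXPECTED_PEERS = {"52.48.97.50", "52.50.142.56"}

# Constructed copies of the 'show vpn ike sa' and 'show vpn ipsec sa' output shown above.
IKE_SA_OUTPUT = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
52.50.142.56                            133.1.1.100

    State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----  -------  -----  ------  ------
    up     aes256   sha1  2        no     2012    86400
"""
IPSEC_SA_OUTPUT = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
52.50.142.56                            133.1.1.100

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     0.0/0.0        aes256   sha1  no     2030    3600    all
"""

_DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def _rows(text):
    """Yield (peer, local, tokens) for each SA data row, skipping headers and rulers."""
    peer = local = None
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("-"):
            continue
        if not line[0].isspace():
            # Unindented line: either the column header or the peer/local address pair.
            if len(tokens) == 2 and all(_DOTTED_QUAD.match(t) for t in tokens):
                peer, local = tokens
            continue
        if tokens[0] in ("State", "Tunnel"):
            continue  # indented column header
        yield peer, local, tokens


def parse_ike_sa(text):
    """Parse 'show vpn ike sa' into one dict per phase 1 SA."""
    sas = []
    for peer, local, t in _rows(text):
        state, enc, hsh, dh, natt, age, life = t[:7]
        sas.append({"peer": peer, "local": local, "state": state, "encrypt": enc,
                    "hash": hsh, "dh_group": dh, "nat_t": natt,
                    "age": int(age), "lifetime": int(life)})
    return sas


def parse_ipsec_sa(text):
    """Parse 'show vpn ipsec sa' into one dict per phase 2 SA."""
    sas = []
    for peer, local, t in _rows(text):
        tunnel, state, traffic, enc, hsh, natt, age, life, proto = t[:9]
        sas.append({"peer": peer, "local": local, "tunnel": tunnel, "state": state,
                    "bytes": traffic, "encrypt": enc, "hash": hsh, "nat_t": natt,
                    "age": int(age), "lifetime": int(life), "proto": proto})
    return sas


def check_sa(sa, expected):
    """List how a negotiated SA deviates from the expected policy (empty list = compliant)."""
    issues = []
    if sa["state"] != "up":
        issues.append(f"{sa['peer']}: SA state is {sa['state']}")
    for key, want in expected.items():
        if sa.get(key) != want:
            issues.append(f"{sa['peer']}: {key} negotiated as {sa.get(key)}, policy says {want}")
    return issues


def audit(ike_text, ipsec_text, peers=EXPECTED_PEERS):
    """Compare live SAs against policy and report configured peers that have no phase 1 SA."""
    ike = parse_ike_sa(ike_text)
    issues = [i for sa in ike for i in check_sa(sa, EXPECTED_IKE)]
    issues += [i for sa in parse_ipsec_sa(ipsec_text) for i in check_sa(sa, EXPECTED_ESP)]
    for peer in sorted(peers - {sa["peer"] for sa in ike}):
        issues.append(f"{peer}: no IKE SA present, tunnel is down or not yet initiated")
    return issues


if __name__ == "__main__":
    for issue in audit(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT):
        print(issue)
```

On a live router the two strings would be replaced with the captured output of the show commands (for example via the vRouter's SSH access); the comparison is deliberately strict, since an SA that is up with weaker-than-intended parameters is exactly the condition a tunnel-is-up check alone will miss.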

VTI WAN Loadbalance Status

vyatta@vyatta:~$ show wan-load-balance 
Interface:  vti1
  Status:  active
  Last Status Change:  Mon May  9 20:42:40 2016
  +Test:  ping  Target: 169.254.20.253
    Last Interface Success:  0s 
    Last Interface Failure:  9h32m10s   
    # Interface Failure(s):  0

Interface:  vti2
  Status:  active
  Last Status Change:  Mon May  9 20:42:40 2016
  +Test:  ping  Target: 169.254.20.137
    Last Interface Success:  0s 
    Last Interface Failure:  9h32m10s   
    # Interface Failure(s):  0
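The WAN load balance status is the place a failover shows up first, so it is the output to poll if you want to know that traffic has silently moved from the primary VTI to the backup. The following is an added example, not part of the article or of the Vyatta software: it parses a constructed copy of the output above together with a second, constructed output in which the primary monitor has failed, and applies the rule-10 weights (vti1 = 10, vti2 = 1) on the assumption the article states, that in failover mode the highest-weight interface with an active monitor carries the traffic. Function and key names are my own.

```python
import re

# Constructed copy of the 'show wan-load-balance' output shown above (both monitors healthy).
HEALTHY = """\
Interface:  vti1
  Status:  active
  Last Status Change:  Mon May  9 20:42:40 2016
  +Test:  ping  Target: 169.254.20.253
    Last Interface Success:  0s
    Last Interface Failure:  9h32m10s
    # Interface Failure(s):  0

Interface:  vti2
  Status:  active
  Last Status Change:  Mon May  9 20:42:40 2016
  +Test:  ping  Target: 169.254.20.137
    Last Interface Success:  0s
    Last Interface Failure:  9h32m10s
    # Interface Failure(s):  0
"""

# Constructed variant, not from the article: the primary tunnel's ping monitor has failed.
PRIMARY_DOWN = """\
Interface:  vti1
  Status:  failed
  Last Status Change:  Tue May 10 06:14:50 2016
  +Test:  ping  Target: 169.254.20.253
    Last Interface Success:  2m5s
    Last Interface Failure:  0s
    # Interface Failure(s):  5

Interface:  vti2
  Status:  active
  Last Status Change:  Mon May  9 20:42:40 2016
  +Test:  ping  Target: 169.254.20.137
    Last Interface Success:  0s
    Last Interface Failure:  9h32m10s
    # Interface Failure(s):  0
"""

# Weights from 'load-balancing wan rule 10': vti1 is primary, vti2 is backup.
WEIGHTS = {"vti1": 10, "vti2": 1}


def parse_wan_lb(text):
    """Parse 'show wan-load-balance' into {interface: {status, target, failures, ...}}."""
    result, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Interface":
            cur = result[value] = {"failures": 0}
        elif cur is None:
            continue  # text before the first interface block
        elif key == "Status":
            cur["status"] = value
        elif key == "Last Status Change":
            cur["changed"] = value
        elif key == "+Test":
            cur["test"] = value.split()[0]
            m = re.search(r"Target:\s*(\S+)", value)
            cur["target"] = m.group(1) if m else None
        elif key == "Last Interface Success":
            cur["last_success"] = value
        elif key == "Last Interface Failure":
            cur["last_failure"] = value
        elif key == "# Interface Failure(s)":
            cur["failures"] = int(value)
    return result


def forwarding_interface(status, weights=WEIGHTS):
    """Failover mode: traffic uses the highest-weight interface whose monitor is active."""
    active = [name for name in weights if status.get(name, {}).get("status") == "active"]
    return max(active, key=weights.get) if active else None


def alerts(status, weights=WEIGHTS):
    """Alert on unhealthy monitors, recorded failures, and traffic leaving the primary VTI."""
    primary = max(weights, key=weights.get)
    out = []
    for name, info in status.items():
        if info.get("status") != "active":
            out.append(f"{name}: monitor status is {info.get('status')} (target {info.get('target')})")
        if info.get("failures"):
            out.append(f"{name}: {info['failures']} monitor failure(s) recorded")
    current = forwarding_interface(status, weights)
    if current != primary:
        out.append(f"traffic has failed over from {primary} to {current}")
    return out


if __name__ == "__main__":
    for sample in (HEALTHY, PRIMARY_DOWN):
        parsed = parse_wan_lb(sample)
        print("forwarding via", forwarding_interface(parsed), alerts(parsed) or "no alerts")
```

With the healthy output the script confirms vti1 is forwarding and raises nothing; with the failed monitor it reports the failed status, the five recorded failures and the failover to vti2, which is the event you would want forwarded to your monitoring system.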

Tags: Vyatta, Brocade, VPN, IPSEC, AWS, vRouter

About the Author

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001