Within this article we will show you how to create an IPsec site-to-site VPN from a Vyatta vRouter into the AWS cloud.
Due to the nature of AWS VPNs (explained further on) a route-based VPN will be created. The main difference from a policy-based VPN is that a virtual tunnel interface (VTI) is created and bound to the IPsec peer on your external interface. Any traffic that you wish to encrypt is simply routed to this tunnel interface rather than being matched by a traffic selector (crypto ACL). Access to and from the VPN is then controlled via a firewall policy applied to the interfaces.
Encryption Domain
First of all, let's look at the encryption domain that will be used within this article.
Local
Local Endpoint | Local VTI | Local Peer |
---|---|---|
192.168.3.0/24 | 169.254.20.254/30 (VTI1) | 133.1.1.100 |
192.168.3.0/24 | 169.254.20.138/30 (VTI2) | 133.1.1.100 |
Remote
Remote Endpoint | Remote VTI | Remote Peer |
---|---|---|
10.0.1.0/24 | 169.254.20.253/30 (VTI1) | 52.48.97.50 |
10.0.1.0/24 | 169.254.20.137/30 (VTI2) | 52.50.142.56 |
AWS
VPC
VPN connectivity into AWS is performed via the creation of a Virtual Private Gateway. This is configured within an AWS VPC.
What is a VPC? A VPC (Virtual Private Cloud) allows you to create virtual networks within AWS. This allows you to logically separate resources, add additional security, configure networking attributes (such as route tables) and build VPNs from your remote site into your AWS solution.
AWS VPNs are route based. This means that Virtual Tunnel Interfaces (VTIs) are created on the AWS side (and, in our case, on the Vyatta side as well), and AWS hands out a /30 inside-tunnel address pair for each tunnel. Each VPN connection consists of two tunnels terminating on two different AWS peer addresses for redundancy, which is why two VTIs are configured below. Additionally you will observe that only a single IPsec SA is generated per tunnel: the traffic selectors are any/any, and what gets encrypted is decided by routing rather than by a list of proxy IDs.
Steps
Within the AWS Management Portal and within VPC,
- Create a VPC (Virtual Private Cloud / Your VPCs / Create VPC)
- Create a Customer Gateway (VPN Connections / Customer Gateway)
- Routing : Static
- IP Address : Local Peer IP
- Create a Virtual Private Gateway – (VPN Connections / Virtual Private Gateway)
- Create a VPN Connection – (VPN Connections / VPN Connections). Please note there is a Download Configuration icon. This allows you to download the VPN configuration (peer addresses, inside-tunnel /30s, pre-shared keys and proposals) in a number of vendor formats, e.g. Cisco ASA. The pre-shared keys only exist in this download, so store it somewhere appropriate.
- Virtual Private Gateway : Select previously created gateway
- Customer Gateway : Select previously created gateway
- Routing Options : Static
- Static IP Prefixes : Local Endpoint (192.168.3.0/24)
- Update the VPC route table (Virtual Private Cloud / Route Tables): go to the route table hosting your subnet (i.e. 10.0.1.0/24). Within Route Propagation, edit the entry that shows the vgw-xxxxx and enable Propagate. This will propagate a route for the prefix you previously added within Static IP Prefixes (192.168.3.0/24) via the Virtual Private Gateway. Remember that the security groups and network ACLs attached to your instances must also permit traffic from 192.168.3.0/24, otherwise the tunnel will come up but traffic will be dropped inside the VPC.
Vyatta
Interfaces
First of all we configure the outside and inside interfaces.
set interfaces ethernet eth2 address '133.1.1.100/24'
set interfaces ethernet eth2 if-id 'public'
set interfaces ethernet eth5 address '192.168.3.2/24'
set interfaces ethernet eth5 if-id 'INSIDE-192.168.3.0/24'
Tunnel Interfaces
Each of the virtual tunnel interfaces (VTI) are then configured.
set interfaces vti vti1 address '169.254.20.254/30'
set interfaces vti vti1 description 'VPC tunnel 1'
set interfaces vti vti2 address '169.254.20.138/30'
set interfaces vti vti2 description 'VPC tunnel 2'
WAN LoadBalancing
Next we configure WAN load balancing. With the rule set to failover mode, the VTI with the highest weight (vti1) carries all traffic and the other (vti2) is only used as backup. The health of each VTI is monitored by pinging the remote (AWS) inside-tunnel address; note that ttl-limit 1 means the probe must be answered by the directly connected tunnel peer and cannot be satisfied by anything further away. Should five consecutive probes on the primary fail, traffic is moved to the backup VTI, and a single successful probe brings the primary back.
set load-balancing wan 'disable-source-nat'
set load-balancing wan interface-health vti1 failure-count '5'
set load-balancing wan interface-health vti1 nexthop '169.254.20.253'
set load-balancing wan interface-health vti1 success-count '1'
set load-balancing wan interface-health vti1 test 10 resp-time '5'
set load-balancing wan interface-health vti1 test 10 target '169.254.20.253'
set load-balancing wan interface-health vti1 test 10 ttl-limit '1'
set load-balancing wan interface-health vti1 test 10 type 'ping'
set load-balancing wan interface-health vti2 failure-count '5'
set load-balancing wan interface-health vti2 nexthop '169.254.20.137'
set load-balancing wan interface-health vti2 success-count '1'
set load-balancing wan interface-health vti2 test 10 resp-time '5'
set load-balancing wan interface-health vti2 test 10 target '169.254.20.137'
set load-balancing wan interface-health vti2 test 10 ttl-limit '1'
set load-balancing wan interface-health vti2 test 10 type 'ping'
set load-balancing wan rule 10 'failover'
set load-balancing wan rule 10 inbound-interface 'eth5'
set load-balancing wan rule 10 interface vti1 weight '10'
set load-balancing wan rule 10 interface vti2 weight '1'
set load-balancing wan rule 10 protocol 'all'
NAT Exemption
NAT exemption is configured to ensure that traffic between the two endpoints is not source-NATed on the outside interface and is sent over the VPN tunnel using the real (private) IPs. Source NAT rules are evaluated in order, so these exclude rules must carry a lower rule number than any masquerade rule you have on eth2.
set nat source rule 10 destination address '10.0.1.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface 'eth2'
set nat source rule 10 source address '192.168.3.0/24'
set nat source rule 20 destination address '192.168.3.0/24'
set nat source rule 20 'exclude'
set nat source rule 20 outbound-interface 'eth2'
set nat source rule 20 source address '10.0.1.0/24'
Routes
Routes for the remote endpoint via each of the VTIs are then configured.
set protocols static interface-route 10.0.1.0/24 next-hop-interface 'vti1'
set protocols static interface-route 10.0.1.0/24 next-hop-interface 'vti2'
Phase 1/2 Parameters
The phase 1 (IKE) and phase 2 (ESP) parameters are then defined. These must match the proposals in the configuration you downloaded from AWS, otherwise the peer will reject the negotiation.
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
Peers
For each AWS peer we define the pre-shared key (taken from the downloaded configuration; each tunnel has its own), associate the phase 1/2 groups and bind the relating VTI. Both peers are set to initiate so that both tunnels are established and monitored even while only vti1 carries traffic.
set vpn ipsec ipsec-interfaces interface 'eth2'
set vpn ipsec site-to-site peer 52.48.97.50 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.48.97.50 authentication pre-shared-secret <pre_shared_key>
set vpn ipsec site-to-site peer 52.48.97.50 connection-type 'initiate'
set vpn ipsec site-to-site peer 52.48.97.50 description 'VPC tunnel 1'
set vpn ipsec site-to-site peer 52.48.97.50 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.48.97.50 local-address '133.1.1.100'
set vpn ipsec site-to-site peer 52.48.97.50 vti bind 'vti1'
set vpn ipsec site-to-site peer 52.48.97.50 vti esp-group 'AWS'
set vpn ipsec site-to-site peer 52.50.142.56 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.50.142.56 authentication pre-shared-secret <pre_shared_key>
set vpn ipsec site-to-site peer 52.50.142.56 connection-type 'initiate'
set vpn ipsec site-to-site peer 52.50.142.56 description 'VPC tunnel 2'
set vpn ipsec site-to-site peer 52.50.142.56 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.50.142.56 local-address '133.1.1.100'
set vpn ipsec site-to-site peer 52.50.142.56 vti bind 'vti2'
set vpn ipsec site-to-site peer 52.50.142.56 vti esp-group 'AWS'
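Most failed AWS VTI deployments come down to the inside-tunnel /30 being entered the wrong way round or a VTI being bound to the wrong peer. The script below is an added example (not from the original article) that takes the encryption domain from the tables at the top of the page, checks that each local/remote inside address pair really is the two usable hosts of one /30 and that neither endpoint overlaps a tunnel link, and then renders the VTI, static-route and peer stanzas shown above in Vyatta set syntax. The tunnel dictionary, the `check_tunnel`/`check_domain`/`render_config` names and the `<pre_shared_key>` placeholder are all assumptions made for the example.

```python
import ipaddress

# Encryption domain from the tables at the top of the article (embedded here as data).
LOCAL_ENDPOINT = "192.168.3.0/24"
REMOTE_ENDPOINT = "10.0.1.0/24"
LOCAL_PEER = "133.1.1.100"
OUTSIDE_IF = "eth2"
TUNNELS = [
    {"vti": "vti1", "local_vti": "169.254.20.254/30",
     "remote_vti": "169.254.20.253", "remote_peer": "52.48.97.50"},
    {"vti": "vti2", "local_vti": "169.254.20.138/30",
     "remote_vti": "169.254.20.137", "remote_peer": "52.50.142.56"},
]


def check_tunnel(t):
    """Return a list of inside-addressing problems for one tunnel (empty list = OK)."""
    problems = []
    local = ipaddress.ip_interface(t["local_vti"])
    remote = ipaddress.ip_address(t["remote_vti"])
    link = local.network
    usable = set(link.hosts())          # for a /30: the two host addresses
    if link.prefixlen != 30:
        problems.append(f"{t['vti']}: inside link is /{link.prefixlen}, AWS allocates a /30")
    if local.ip not in usable:
        problems.append(f"{t['vti']}: local inside address {local.ip} is the network/broadcast address")
    if remote not in link:
        problems.append(f"{t['vti']}: remote inside address {remote} is not on {link}")
    elif remote not in usable:
        problems.append(f"{t['vti']}: remote inside address {remote} is the network/broadcast address")
    elif remote == local.ip:
        problems.append(f"{t['vti']}: both ends use {remote}; check which /30 address AWS gave the customer gateway")
    for name, ep in (("local endpoint", LOCAL_ENDPOINT), ("remote endpoint", REMOTE_ENDPOINT)):
        if ipaddress.ip_network(ep).overlaps(link):
            problems.append(f"{t['vti']}: {name} {ep} overlaps the inside link {link}")
    return problems


def check_domain(tunnels=TUNNELS):
    """Cross-tunnel checks plus check_tunnel on every tunnel."""
    problems = []
    if ipaddress.ip_network(LOCAL_ENDPOINT).overlaps(ipaddress.ip_network(REMOTE_ENDPOINT)):
        problems.append("local and remote endpoints overlap; traffic would never be routed to the VTI")
    links = [ipaddress.ip_interface(t["local_vti"]).network for t in tunnels]
    if len(set(links)) != len(links):
        problems.append("two tunnels share the same inside /30")
    for t in tunnels:
        problems.extend(check_tunnel(t))
    return problems


def render_config(tunnels=TUNNELS, psk="<pre_shared_key>"):
    """Emit the VTI, interface-route and site-to-site peer stanzas in Vyatta 'set' syntax."""
    lines = [f"set vpn ipsec ipsec-interfaces interface '{OUTSIDE_IF}'"]
    for n, t in enumerate(tunnels, start=1):
        vti, peer = t["vti"], t["remote_peer"]
        lines += [
            f"set interfaces vti {vti} address '{t['local_vti']}'",
            f"set interfaces vti {vti} description 'VPC tunnel {n}'",
            f"set protocols static interface-route {REMOTE_ENDPOINT} next-hop-interface '{vti}'",
            f"set vpn ipsec site-to-site peer {peer} authentication mode 'pre-shared-secret'",
            f"set vpn ipsec site-to-site peer {peer} authentication pre-shared-secret {psk}",
            f"set vpn ipsec site-to-site peer {peer} connection-type 'initiate'",
            f"set vpn ipsec site-to-site peer {peer} description 'VPC tunnel {n}'",
            f"set vpn ipsec site-to-site peer {peer} ike-group 'AWS'",
            f"set vpn ipsec site-to-site peer {peer} local-address '{LOCAL_PEER}'",
            f"set vpn ipsec site-to-site peer {peer} vti bind '{vti}'",
            f"set vpn ipsec site-to-site peer {peer} vti esp-group 'AWS'",
        ]
    return lines


if __name__ == "__main__":
    issues = check_domain()
    if issues:
        raise SystemExit("\n".join(issues))
    print("\n".join(render_config()))
```

Swapping the two addresses of a /30 (giving the Vyatta side 169.254.20.253 and pointing at .254) passes every check here because both are valid hosts, so the one thing the script cannot catch is the AWS download being read back to front; for that, confirm against the "Inside IP Addresses" section of the downloaded configuration, where the Customer Gateway address is the one that belongs on the Vyatta VTI.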
Access Policy
Finally we define an access policy for traffic from our local endpoint. Two caveats: a Vyatta firewall ruleset has no effect until it is applied to an interface and direction, and a rule that accepts all protocols with a default drop is equivalent to no filtering at all. In production, rule 10 should be narrowed to the remote endpoint (10.0.1.0/24) and to the protocols and ports that actually need to cross the VPN.
set firewall name INSIDE default-action 'drop'
set firewall name INSIDE rule 10 action 'accept'
set firewall name INSIDE rule 10 protocol 'all'
Show Commands
Confirm Phase 1
Check that the State is up for both AWS peers and that the Encrypt, Hash and D-H Grp columns match what you defined in the ike-group; a working tunnel negotiated with a proposal other than the one you intended usually means a leftover default proposal is being selected.
$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
52.50.142.56                            133.1.1.100

    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     aes256   sha1    2        no     2012    86400
Confirm Phase 2
With a VTI there is a single tunnel entry per peer with Proto all, confirming that the SA is any/any and that routing decides what is encrypted. Bytes Out/In should start climbing once traffic is routed into the VTI.
$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
52.50.142.56                            133.1.1.100

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       up     0.0/0.0        aes256   sha1    no     2030    3600    all
Further information can be obtained via show vpn ipsec sa [details | statistics].
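Eyeballing the two show commands once is fine, but the check worth keeping is one that compares the live SAs with the policy you configured: both AWS peers present and up, and the negotiated cipher, hash, DH group and lifetimes equal to those in the ike-group and esp-group above. The script below is an added example (not from the original article) that parses output in the layout of `show vpn ike sa` and `show vpn ipsec sa` and reports any deviation; the sample output is constructed for the example, with the second tunnel deliberately reporting aes256, an 86400 s IKE lifetime and a down phase 2 so that the check has something to find. The parser and the `audit` function are assumptions made here, not Vyatta tooling.

```python
import ipaddress

# Expected values taken from the ike-group / esp-group 'AWS' configured earlier on the page.
EXPECTED_PEERS = {"52.48.97.50", "52.50.142.56"}
EXPECTED_IKE = {"encrypt": "aes128", "hash": "sha1", "dh_group": "2", "lifetime": "28800"}
EXPECTED_ESP = {"encrypt": "aes128", "hash": "sha1", "lifetime": "3600"}
STATES = {"up", "down", "init"}

# Constructed sample in the layout of 'show vpn ike sa' (second peer deliberately wrong).
IKE_SA_OUTPUT = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
52.48.97.50                             133.1.1.100

    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     aes128   sha1    2        no     2012    28800

Peer ID / IP                            Local ID / IP
------------                            -------------
52.50.142.56                            133.1.1.100

    State  Encrypt  Hash    D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----    -------  -----  ------  ------
    up     aes256   sha1    2        no     2012    86400
"""

# Constructed sample in the layout of 'show vpn ipsec sa' (second tunnel deliberately down).
IPSEC_SA_OUTPUT = """\
Peer ID / IP                            Local ID / IP
------------                            -------------
52.48.97.50                             133.1.1.100

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       up     0.0/0.0        aes128   sha1    no     2030    3600    all

Peer ID / IP                            Local ID / IP
------------                            -------------
52.50.142.56                            133.1.1.100

    Tunnel  State  Bytes Out/In   Encrypt  Hash    NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----    -----  ------  ------  -----
    1       down   0.0/0.0        aes128   sha1    no     0       3600    all
"""


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_ike_sa(text):
    """Return {peer_ip: {state, encrypt, hash, dh_group, natt, a_time, lifetime}}."""
    sas, peer = {}, None
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 2 and _is_ip(tok[0]) and _is_ip(tok[1]):   # 'peer local' header row
            peer = tok[0]
        elif peer and len(tok) >= 7 and tok[0] in STATES:           # the SA data row
            sas[peer] = dict(zip(("state", "encrypt", "hash", "dh_group",
                                  "natt", "a_time", "lifetime"), tok))
    return sas


def parse_ipsec_sa(text):
    """Return {peer_ip: [ {tunnel, state, bytes, encrypt, hash, natt, a_time, lifetime, proto}, ... ]}."""
    sas, peer = {}, None
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 2 and _is_ip(tok[0]) and _is_ip(tok[1]):
            peer = tok[0]
        elif peer and len(tok) >= 9 and tok[0].isdigit() and tok[1] in STATES:
            sas.setdefault(peer, []).append(dict(zip(("tunnel", "state", "bytes", "encrypt", "hash",
                                                      "natt", "a_time", "lifetime", "proto"), tok)))
    return sas


def audit(ike_text, ipsec_text):
    """Compare the live SAs with the configured policy; return a list of findings (empty = healthy)."""
    findings = []
    ike, ipsec = parse_ike_sa(ike_text), parse_ipsec_sa(ipsec_text)
    for peer in sorted(EXPECTED_PEERS):
        sa = ike.get(peer)
        if sa is None:
            findings.append(f"{peer}: no IKE SA (phase 1 never came up)")
            continue
        if sa["state"] != "up":
            findings.append(f"{peer}: IKE SA is {sa['state']}")
        for key, want in EXPECTED_IKE.items():
            if sa[key] != want:
                findings.append(f"{peer}: IKE {key} is {sa[key]}, ike-group AWS configures {want}")
        child = ipsec.get(peer, [])
        if not child:
            findings.append(f"{peer}: no IPsec SA (phase 2 never came up)")
        for c in child:
            if c["state"] != "up":
                findings.append(f"{peer}: IPsec tunnel {c['tunnel']} is {c['state']}")
            for key, want in EXPECTED_ESP.items():
                if c[key] != want:
                    findings.append(f"{peer}: IPsec {key} is {c[key]}, esp-group AWS configures {want}")
    for peer in ike:                      # an SA with a peer you never configured is worth a look
        if peer not in EXPECTED_PEERS:
            findings.append(f"{peer}: IKE SA with a peer that is not in the configuration")
    return findings


if __name__ == "__main__":
    for finding in audit(IKE_SA_OUTPUT, IPSEC_SA_OUTPUT) or ["all SAs match policy"]:
        print(finding)
```

On the router itself the two outputs would be fed in from the show commands rather than the embedded samples; the parser keys on the peer/local address header row and the data row that starts with the SA state, so it ignores the column headings and separator lines regardless of spacing.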
VTI WAN Load Balance Status
$ show wan-load-balance
Interface: vti1
  Status: active
  Last Status Change: Mon May  9 20:42:40 2016
  +Test: ping  Target: 169.254.20.253
    Last Interface Success: 0s
    Last Interface Failure: 9h32m10s
    # Interface Failure(s): 0

Interface: vti2
  Status: active
  Last Status Change: Mon May  9 20:42:40 2016
  +Test: ping  Target: 169.254.20.137
    Last Interface Success: 0s
    Last Interface Failure: 9h32m10s
    # Interface Failure(s): 0