Next we configure WAN load balancing. This lets us set one VTI as primary and the other as backup, via weights. We then monitor the VTIs on the remote (AWS) side of the VPN. Should the monitor fail, the backup VTI is promoted to master.
set load-balancing wan 'disable-source-nat'
set load-balancing wan interface-health vti1 failure-count '5'
set load-balancing wan interface-health vti1 nexthop '169.254.20.253'
set load-balancing wan interface-health vti1 success-count '1'
set load-balancing wan interface-health vti1 test 10 resp-time '5'
set load-balancing wan interface-health vti1 test 10 target '169.254.20.253'
set load-balancing wan interface-health vti1 test 10 ttl-limit '1'
set load-balancing wan interface-health vti1 test 10 type 'ping'
set load-balancing wan interface-health vti2 failure-count '5'
set load-balancing wan interface-health vti2 nexthop '169.254.20.137'
set load-balancing wan interface-health vti2 success-count '1'
set load-balancing wan interface-health vti2 test 10 resp-time '5'
set load-balancing wan interface-health vti2 test 10 target '169.254.20.137'
set load-balancing wan interface-health vti2 test 10 ttl-limit '1'
set load-balancing wan interface-health vti2 test 10 type 'ping'

set load-balancing wan rule 10 'failover'
set load-balancing wan rule 10 inbound-interface 'eth5'
set load-balancing wan rule 10 interface vti1 weight '10'
set load-balancing wan rule 10 interface vti2 weight '1'
set load-balancing wan rule 10 protocol 'all'
NAT Exemption

NAT exemption is configured to ensure that traffic is sent over the VPN tunnel using the real IPs.
set nat source rule 10 destination address '10.0.1.0/24'
set nat source rule 10 'exclude'
set nat source rule 10 outbound-interface 'eth2'
set nat source rule 10 source address '192.168.3.0/24'
set nat source rule 20 destination address '192.168.3.0/24'
set nat source rule 20 'exclude'
set nat source rule 20 outbound-interface 'eth2'
set nat source rule 20 source address '10.0.1.0/24'

Routes

Routes to the remote endpoint via each of the VTIs are then configured.
set protocols static interface-route 10.0.1.0/24 next-hop-interface 'vti1'
set protocols static interface-route 10.0.1.0/24 next-hop-interface 'vti2'

Phase 1/2 Parameters

The phase 1 and phase 2 parameters are then defined.
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'

set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
Peers

For each peer we define the pre-shared key, associate the phase 1/2 policies and bind the corresponding VTI.
set vpn ipsec ipsec-interfaces interface 'eth2'
set vpn ipsec site-to-site peer 52.48.97.50 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.48.97.50 authentication pre-shared-secret <pre_shared_key>
set vpn ipsec site-to-site peer 52.48.97.50 connection-type 'initiate'
set vpn ipsec site-to-site peer 52.48.97.50 description 'VPC tunnel 1'
set vpn ipsec site-to-site peer 52.48.97.50 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.48.97.50 local-address '133.1.1.100'
set vpn ipsec site-to-site peer 52.48.97.50 vti bind 'vti1'
set vpn ipsec site-to-site peer 52.48.97.50 vti esp-group 'AWS'
set vpn ipsec site-to-site peer 52.50.142.56 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.50.142.56 authentication pre-shared-secret <pre_shared_key>
set vpn ipsec site-to-site peer 52.50.142.56 connection-type 'initiate'
set vpn ipsec site-to-site peer 52.50.142.56 description 'VPC tunnel 2'
set vpn ipsec site-to-site peer 52.50.142.56 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.50.142.56 local-address '133.1.1.100'
set vpn ipsec site-to-site peer 52.50.142.56 vti bind 'vti2'
set vpn ipsec site-to-site peer 52.50.142.56 vti esp-group 'AWS'

Access Policy

Finally we ensure traffic from our local endpoint is permitted through our access policy.
set firewall name INSIDE default-action 'drop'
set firewall name INSIDE rule 10 action 'accept'
set firewall name INSIDE rule 10 protocol 'all'

Show Commands

Confirm Phase 1

vyatta@vyatta:~$ show vpn ike sa
Peer ID / IP                            Local ID / IP
------------                            -------------
52.50.142.56                            133.1.1.100

    State  Encrypt  Hash  D-H Grp  NAT-T  A-Time  L-Time
    -----  -------  ----  -------  -----  ------  ------
    up     aes256   sha1  2        no     2012    86400

Confirm Phase 2

vyatta@vyatta:~$ show vpn ipsec sa
Peer ID / IP                            Local ID / IP
------------                            -------------
52.50.142.56                            133.1.1.100

    Tunnel  State  Bytes Out/In   Encrypt  Hash  NAT-T  A-Time  L-Time  Proto
    ------  -----  -------------  -------  ----  -----  ------  ------  -----
    1       up     0.0/0.0        aes256   sha1  no     2030    3600    all

Further information can be obtained via show vpn ipsec sa [details | statistics]

VTI WAN Loadbalance Status

vyatta@vyatta:~$ show wan-load-balance
Interface: vti1
  Status: active
  Last Status Change: Mon May 9 20:42:40 2016
  +Test: ping  Target: 169.254.20.253
    Last Interface Success: 0s
    Last Interface Failure: 9h32m10s
    # Interface Failure(s): 0

Interface: vti2
  Status: active
  Last Status Change: Mon May 9 20:42:40 2016
  +Test: ping  Target: 169.254.20.137
    Last Interface Success: 0s
    Last Interface Failure: 9h32m10s
    # Interface Failure(s): 0
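The sections above build one failover pair out of several independent pieces of configuration (an interface-health test, a load-balancing weight, a static interface-route and a peer VTI binding per tunnel), and a VTI that is missing any one of them fails quietly. As an added example that is not code from the article or from Fir3net, the Python audit below parses Vyatta set commands in the form shown above and cross-checks that every VTI bound to a peer has all three, reports which VTI the weights make primary, and flags IKE proposals that still offer the small MODP groups or SHA-1. The sample configuration is constructed from the values on this page; the check logic, the group-size table and the function names are my own, and the audit only reports what the local proposal offers, not what the AWS side will negotiate.

```python
from collections import defaultdict

# Constructed sample: a subset of the article's set commands with straight quotes.
SAMPLE_CONFIG = """
set load-balancing wan interface-health vti1 test 10 target '169.254.20.253'
set load-balancing wan interface-health vti2 test 10 target '169.254.20.137'
set load-balancing wan rule 10 inbound-interface 'eth5'
set load-balancing wan rule 10 interface vti1 weight '10'
set load-balancing wan rule 10 interface vti2 weight '1'
set protocols static interface-route 10.0.1.0/24 next-hop-interface 'vti1'
set protocols static interface-route 10.0.1.0/24 next-hop-interface 'vti2'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 52.48.97.50 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.48.97.50 vti bind 'vti1'
set vpn ipsec site-to-site peer 52.50.142.56 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.50.142.56 vti bind 'vti2'
"""

# RFC 2409 MODP sizes for the small IKE DH groups (assumed table, not from the page).
SMALL_MODP_BITS = {"1": 768, "2": 1024, "5": 1536}


def parse_set_commands(text):
    """Split each 'set ...' line into tokens, dropping the surrounding quotes."""
    cmds = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("set "):
            cmds.append([tok.strip("'\"") for tok in line.split()[1:]])
    return cmds


def audit(text):
    """Cross-check VTI coverage and IKE proposal strength; return a summary dict."""
    health, routes, weight, bound = set(), set(), {}, {}
    ike_proposals = defaultdict(dict)  # ike-group name -> {parameter: value}
    for t in parse_set_commands(text):
        if t[:3] == ["load-balancing", "wan", "interface-health"] and len(t) > 3:
            health.add(t[3])
        elif t[:3] == ["load-balancing", "wan", "rule"] and "weight" in t:
            weight[t[t.index("interface") + 1]] = int(t[-1])
        elif t[:3] == ["protocols", "static", "interface-route"] and "next-hop-interface" in t:
            routes.add(t[-1])
        elif t[:4] == ["vpn", "ipsec", "site-to-site", "peer"] and t[5:7] == ["vti", "bind"]:
            bound[t[7]] = t[4]  # vti name -> peer address
        elif t[:3] == ["vpn", "ipsec", "ike-group"] and "proposal" in t and len(t) >= 8:
            ike_proposals[t[3]][t[-2]] = t[-1]

    findings = []
    # A VTI bound to a peer but lacking a health test, a weight or a route is
    # either never monitored, never selected, or never used for forwarding.
    for vti, peer in sorted(bound.items()):
        for label, present in (("interface-health test", health),
                               ("load-balancing weight", weight),
                               ("static interface-route", routes)):
            if vti not in present:
                findings.append(f"{vti} (peer {peer}): missing {label}")

    for group, params in ike_proposals.items():
        dh = params.get("dh-group")
        if dh in SMALL_MODP_BITS:
            findings.append(f"ike-group {group}: dh-group {dh} is a {SMALL_MODP_BITS[dh]}-bit "
                            f"MODP group; prefer group 14 or larger")
        if params.get("hash") == "sha1":
            findings.append(f"ike-group {group}: hash sha1 is deprecated; prefer sha256 or stronger")

    # The highest weight wins under the 'failover' rule; everything else is backup.
    primary = max(weight, key=weight.get) if weight else None
    backup = sorted(v for v in weight if v != primary)
    return {"primary": primary, "backup": backup, "findings": findings}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On a live router the same text comes from `show configuration commands`, so the script can be fed that output directly; run it before the commit, and again after any change to a single tunnel, since the coverage check is what catches a backup VTI that was routed but never added to the health monitor.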