EdgeRouter - Route-Based Site-to-Site VPN to AWS VPC (BGP over IKEv1/IPsec)
Overview
Readers will learn how to configure a Route-Based Site-to-Site IPsec VPN between an EdgeRouter and the Amazon Web Services (AWS) Virtual Private Cloud (VPC) using BGP routing. It is also possible to configure a Route-Based Site-to-Site VPN using Static Routing instead.
Table of Contents
- Network Diagram
- Configuring a Route-Based VPN
- Setting up the Amazon Virtual Private Gateway
- Related Articles
Network Diagram
The network topology is as follows; these are the interfaces and addresses in use on the EdgeRouter and in AWS (the 169.254.x.x inside tunnel addresses are assigned by AWS and are listed in the downloaded configuration):
ER-4 (AS 65000)
- eth0 (WAN) - 203.0.113.1
- eth1 (LAN) - 192.168.1.1/24
- vti0 - 169.254.x.x/30 (inside address of tunnel 1)
- vti1 - 169.254.x.x/30 (inside address of tunnel 2)
AWS VGW (AS 65515)
- VGW1 - 192.0.2.1
- VGW2 - 198.51.100.1
- vpc cidr (LAN) - 172.16.0.0/22
- vpc subnet - 172.16.1.0/24
The VPN consists of two route-based IKEv1/IPsec tunnels, one to each AWS endpoint, with a BGP session established across each tunnel.
Configuring a Route-Based VPN
1. Enter configuration mode.
configure
2. Enable the auto-firewall-nat-exclude feature, which automatically creates the IPsec firewall/NAT policies in the iptables firewall so that tunnel traffic is permitted and excluded from NAT.
set vpn ipsec auto-firewall-nat-exclude enable
3. Create the IKE / Phase 1 (P1) Security Associations (SAs) and enable Dead Peer Detection (DPD). The aes128/sha1/DH group 2 proposal matches the values in the AWS-generated configuration; AWS also supports stronger proposals (for example AES-256, SHA-256 and DH group 14), which can be selected under Tunnel Options when the VPN connection is created. Whatever is chosen, the proposals on both ends must match.
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 dead-peer-detection interval 15
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 30
4. Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS).
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
5. Define the first AWS peer address (replace <secret> with the pre-shared key that AWS generated for this tunnel; each tunnel has its own key).
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 connection-type initiate
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec-aws
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
6. Link the SAs created above to the first AWS peer and bind the VPN to a virtual tunnel interface (vti0).
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 vti bind vti0
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group FOO0
7. Repeat the process for the second AWS peer address (198.51.100.1), using that tunnel's own pre-shared key and a second virtual tunnel interface (vti1).
set vpn ipsec site-to-site peer 198.51.100.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 198.51.100.1 connection-type initiate
set vpn ipsec site-to-site peer 198.51.100.1 description ipsec-aws
set vpn ipsec site-to-site peer 198.51.100.1 local-address 203.0.113.1
set vpn ipsec site-to-site peer 198.51.100.1 ike-group FOO0
set vpn ipsec site-to-site peer 198.51.100.1 vti bind vti1
set vpn ipsec site-to-site peer 198.51.100.1 vti esp-group FOO0
8. Configure the inside tunnel addresses (169.254.0.0/16 link-local, RFC 3927) assigned by AWS on the virtual tunnel interfaces. Use the customer gateway side of each /30; the AWS side of the same /30 becomes the BGP neighbor address.
set interfaces vti vti0 address 169.254.x.x/30
set interfaces vti vti1 address 169.254.x.x/30
9. Lower the TCP Maximum Segment Size (MSS) on the vti interfaces to 1379, the value given in the AWS configuration, so that TCP segments fit within the tunnel MTU without fragmentation.
set firewall options mss-clamp interface-type vti
set firewall options mss-clamp mss 1379
10. Create a prefix-list for BGP that will be used to filter advertised and received prefixes. The gateway addresses are denied explicitly so that a route to a tunnel endpoint is never learned through the tunnel itself, and any prefix that matches no rule is denied, so only the local subnet and the VPC CIDR are exchanged.
set policy prefix-list BGP rule 10 action deny
set policy prefix-list BGP rule 10 description deny-localgw
set policy prefix-list BGP rule 10 prefix 203.0.113.1/32
set policy prefix-list BGP rule 20 action deny
set policy prefix-list BGP rule 20 description deny-remotegw1
set policy prefix-list BGP rule 20 prefix 192.0.2.1/32
set policy prefix-list BGP rule 30 action deny
set policy prefix-list BGP rule 30 description deny-remotegw2
set policy prefix-list BGP rule 30 prefix 198.51.100.1/32
set policy prefix-list BGP rule 100 action permit
set policy prefix-list BGP rule 100 description permit-localsubnet
set policy prefix-list BGP rule 100 prefix 192.168.1.0/24
set policy prefix-list BGP rule 110 action permit
set policy prefix-list BGP rule 110 description permit-remotesubnet
set policy prefix-list BGP rule 110 prefix 172.16.0.0/22
11. Define the BGP neighbor and peering options. The neighbor addresses are the AWS (VGW) inside addresses of the two tunnels, i.e. the other end of each /30 configured on vti0 and vti1 (shown here as 169.254.x.x and 169.254.y.y).
set protocols bgp 65000 timers holdtime 30
set protocols bgp 65000 timers keepalive 10
set protocols bgp 65000 neighbor 169.254.x.x prefix-list export BGP
set protocols bgp 65000 neighbor 169.254.x.x prefix-list import BGP
set protocols bgp 65000 neighbor 169.254.x.x remote-as 65515
set protocols bgp 65000 neighbor 169.254.x.x soft-reconfiguration inbound
set protocols bgp 65000 neighbor 169.254.y.y prefix-list export BGP
set protocols bgp 65000 neighbor 169.254.y.y prefix-list import BGP
set protocols bgp 65000 neighbor 169.254.y.y remote-as 65515
set protocols bgp 65000 neighbor 169.254.y.y soft-reconfiguration inbound
12. Advertise the local subnet into BGP.
set protocols bgp 65000 network 192.168.1.0/24
13. Commit the changes and save the configuration.
commit ; save
Setting up the Amazon Virtual Private Gateway
The identifiers of the AWS objects are generated by AWS and are unique to each environment. For reference, the identifiers used in this example are:
- vpc: vpc-f8e99891
- sbn (subnet): subnet-fb400392
- rtbl (route table): rtb-389cd051
- cgw (customer gateway): cgw-4e2ca07e
- vgw (virtual private gateway): vgw-d5c945e5
- vpn (VPN connection): vpn-2704cf10
1. If not already present, create a new Virtual Private Cloud (VPC).
Services > VPC > VPC Dashboard > Your VPCs > Create VPC
IPv4 CIDR Block: 172.16.0.0/22
IPv6 CIDR Block: No IPv6 CIDR Block
Tenancy: default
2. If not already present, create a new subnet in the VPC address range.
VPC Dashboard > Subnets > Create Subnet
VPC: vpc-f8e99891
VPC CIDRs: 172.16.0.0/22
Availability Zone: No Preference
IPv4 CIDR Block: 172.16.1.0/24
3. Create a new Customer Gateway (CGW) and enter the EdgeRouter's public IP address.
VPC Dashboard > Customer Gateways > Create Customer Gateway
Name: er-cgw
Routing: Dynamic
BGP ASN: 65000
IP Address: 203.0.113.1
4. Create a new Virtual Private Gateway (VGW).
VPC Dashboard > Virtual Private Gateways > Create Virtual Private Gateway
Name: er-vgw
ASN: Custom ASN
ASN: 65515
5. Attach the VGW to the VPC created earlier.
VPC Dashboard > Virtual Private Gateways > er-vgw > Actions > Attach to VPC
6. Enable route propagation so that the routes the VGW learns over BGP are installed in the VPC route table.
VPC Dashboard > Route Tables > Route Propagation > Edit
Check: Propagate er-vgw
7. Create a new VPN connection and associate the previously created VGW and CGW.
VPC Dashboard > VPN Connections > Create VPN Connection
Name tag: ipsec-er
Virtual Private Gateway: vgw-d5c945e5
Customer Gateway: Existing
Customer Gateway ID: cgw-4e2ca07e
Routing Options: Dynamic
Tunnel Options: Generated by Amazon
8. Download the configuration, which contains the SA parameters, the pre-shared keys and the tunnel addresses. Because it holds the tunnel secrets, store it as you would any credential and remove it once the router is configured.
VPC Dashboard > VPN Connections > ipsec-er > Download Configuration
Vendor: Vyatta
Platform: Vyatta Network OS
Software: Vyatta Network OS 6.5+
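Copying the peer addresses, inside /30s and keys from the download into the commands of the previous section by hand is where most mistakes in this setup happen (a gateway address mistyped in a peer statement, the same neighbor entered twice). The following added example, which is not part of this article or of EdgeOS, reads the generic (vendor-independent) configuration instead, i.e. the XML that the EC2 DescribeVpnConnections API returns as CustomerGatewayConfiguration and that the console offers as the "Generic" vendor download, checks the values against the router's WAN address and ASN, and emits the per-tunnel set commands of steps 5 to 12. The XML element names are assumed to match that generic format; the embedded sample is constructed, and its inside addresses and pre-shared keys are made up.

```python
"""Build the EdgeOS 'set' commands for the AWS tunnels from the downloaded customer
gateway configuration, checking the values first. Added example, not the article's
code: the XML element names are assumed to follow AWS's generic configuration
download, and SAMPLE_XML (inside addresses, keys) is constructed for illustration."""
import ipaddress
import xml.etree.ElementTree as ET

SAMPLE_XML = """<vpn_connection id="vpn-2704cf10">
  <ipsec_tunnel>
    <customer_gateway><tunnel_outside_address><ip_address>203.0.113.1</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.10.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>65000</asn></bgp></customer_gateway>
    <vpn_gateway><tunnel_outside_address><ip_address>192.0.2.1</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.10.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>65515</asn></bgp></vpn_gateway>
    <ike><pre_shared_key>constructed-psk-one</pre_shared_key></ike>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway><tunnel_outside_address><ip_address>203.0.113.1</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.11.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>65000</asn></bgp></customer_gateway>
    <vpn_gateway><tunnel_outside_address><ip_address>198.51.100.1</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.11.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>65515</asn></bgp></vpn_gateway>
    <ike><pre_shared_key>constructed-psk-two</pre_shared_key></ike>
  </ipsec_tunnel>
</vpn_connection>"""

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def parse_tunnels(xml_text):
    """One dict per <ipsec_tunnel> with the values the EdgeOS configuration needs."""
    tunnels = []
    for t in ET.fromstring(xml_text).findall("ipsec_tunnel"):
        cg, vg = t.find("customer_gateway"), t.find("vpn_gateway")
        ia = cg.find("tunnel_inside_address")
        tunnels.append({
            "local_outside": cg.findtext("tunnel_outside_address/ip_address"),
            "local_inside": ipaddress.ip_interface(ia.findtext("ip_address") + "/" + ia.findtext("network_cidr")),
            "local_asn": int(cg.findtext("bgp/asn")),
            "peer_outside": vg.findtext("tunnel_outside_address/ip_address"),
            "peer_inside": ipaddress.ip_address(vg.findtext("tunnel_inside_address/ip_address")),
            "peer_asn": int(vg.findtext("bgp/asn")),
            "psk": (t.findtext("ike/pre_shared_key") or "").strip(),
        })
    return tunnels


def check_tunnels(tunnels, local_asn, wan_address):
    """Refuse values that would produce a config that commits but never peers: wrong WAN
    address or ASN, duplicate AWS peers, an inside address that is not a 169.254.0.0/16
    /30 shared with the neighbor, or an empty pre-shared key."""
    peers = [t["peer_outside"] for t in tunnels]
    if not peers or len(set(peers)) != len(peers):
        raise ValueError("missing or duplicate AWS peer addresses: %s" % peers)
    for t in tunnels:
        if t["local_outside"] != wan_address:
            raise ValueError("customer gateway IP %s is not the WAN address %s" % (t["local_outside"], wan_address))
        if t["local_asn"] != local_asn or t["peer_asn"] == local_asn:
            raise ValueError("ASN mismatch: cgw=%d vgw=%d local=%d" % (t["local_asn"], t["peer_asn"], local_asn))
        net = t["local_inside"].network
        if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL) or t["peer_inside"] not in net:
            raise ValueError("bad inside addressing for peer %s: %s / %s" % (t["peer_outside"], t["local_inside"], t["peer_inside"]))
        if not t["psk"]:
            raise ValueError("empty pre-shared key for peer %s" % t["peer_outside"])
    return True


def edgeos_commands(tunnels, local_subnet, vpc_cidr, ike_group="FOO0", esp_group="FOO0"):
    """The peer, vti, prefix-list and BGP lines of steps 5 to 12; the static IKE/ESP
    group, firewall and MSS steps are unchanged and left to the article."""
    local_asn, peer_asn = tunnels[0]["local_asn"], tunnels[0]["peer_asn"]
    out = []
    for i, t in enumerate(tunnels):
        p = "set vpn ipsec site-to-site peer %s " % t["peer_outside"]
        out += [p + "authentication mode pre-shared-secret",
                p + "authentication pre-shared-secret " + t["psk"],
                p + "connection-type initiate", p + "description ipsec-aws",
                p + "local-address " + t["local_outside"], p + "ike-group " + ike_group,
                p + "vti bind vti%d" % i, p + "vti esp-group " + esp_group,
                "set interfaces vti vti%d address %s" % (i, t["local_inside"].with_prefixlen)]
    # Never learn or advertise the tunnel endpoints themselves over the tunnel.
    rules = [(10, "deny", tunnels[0]["local_outside"] + "/32")]
    rules += [(20 + 10 * i, "deny", t["peer_outside"] + "/32") for i, t in enumerate(tunnels)]
    rules += [(100, "permit", local_subnet), (110, "permit", vpc_cidr)]
    for n, action, prefix in rules:
        out += ["set policy prefix-list BGP rule %d action %s" % (n, action),
                "set policy prefix-list BGP rule %d prefix %s" % (n, prefix)]
    b = "set protocols bgp %d " % local_asn
    out += [b + "timers holdtime 30", b + "timers keepalive 10", b + "network " + local_subnet]
    for t in tunnels:  # the neighbor is the AWS side of each inside /30
        n = b + "neighbor %s " % t["peer_inside"]
        out += [n + "remote-as %d" % peer_asn, n + "prefix-list export BGP",
                n + "prefix-list import BGP", n + "soft-reconfiguration inbound"]
    return out
```

Run check_tunnels with the router's real WAN address and ASN before pasting the output of edgeos_commands into configure mode; a ValueError points at the tunnel and field that disagree with the AWS side, which is cheaper than waiting for an IKE or BGP session that never comes up. The output still needs the IKE group, ESP group, auto-firewall-nat-exclude and MSS lines from steps 2 to 4 and 9, which do not vary per tunnel.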
Related Articles
EdgeRouter - Route-Based Site-to-Site VPN to AWS VPC (VTI over IKEv1/IPsec)
EdgeRouter - Route-Based Site-to-Site IPsec VPN
Intro to Networking - How to Establish a Connection Using SSH