EdgeRouter - Route-Based Site-to-Site VPN to AWS VPC (VTI over IKEv1/IPsec)
Overview
Readers will learn how to configure a Route-Based Site-to-Site IPsec VPN between an EdgeRouter and the Amazon Web Services (AWS) Virtual Private Cloud (VPC) using static routing. It is also possible to configure a Route-Based Site-to-Site VPN using BGP instead.
Table of Contents
- Network Diagram
- Configuring a Route-Based VPN
- Setting up the Amazon Virtual Private Gateway
- Related Articles
Network Diagram
The network topology is shown below and the following interfaces are in use on the EdgeRouter and AWS:
ER-4
- eth0 (WAN) - 203.0.113.1
- eth1 (LAN) - 192.168.1.1/24
- vti0 - 169.254.x.x/30
- vti1 - 169.254.x.x/30
AWS VGW
- VGW1 - 192.0.2.1
- VGW2 - 198.51.100.1
- vpc cidr (LAN) - 172.16.0.0/22
- vpc subnet - 172.16.1.0/24
The VPN created here is route-based (each IPsec tunnel is bound to a vti interface) and runs over IKEv1/IPsec. AWS always provides two tunnel endpoints per VPN connection, and both are configured so that traffic continues to flow if one tunnel goes down.
Configuring a Route-Based VPN
1. Enter configuration mode.
configure
2. Enable the auto-firewall-nat-exclude feature, which automatically adds the firewall and NAT exclusion rules that IPsec traffic needs to the iptables firewall.
set vpn ipsec auto-firewall-nat-exclude enable
3. Create the IKE / Phase 1 (P1) Security Associations (SAs) and enable Dead Peer Detection (DPD).
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 dead-peer-detection interval 15
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 30
4. Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS). The proposals used in steps 3 and 4 (AES-128, SHA-1, DH group 2) are what AWS generates by default for the generic vendor configuration; DH group 2 (1024-bit MODP) and SHA-1 are legacy choices, and AWS also accepts stronger values (for example AES-256, SHA-2 and DH group 14 or higher) when the tunnel options are specified explicitly on the AWS side, in which case the same values must be used here.
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
5. Define the first AWS peer address (the Virtual Private Gateway outside address of tunnel 1 in the downloaded configuration), replacing <secret> with the AWS-generated pre-shared key for that tunnel.
set vpn ipsec site-to-site peer 192.0.2.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 192.0.2.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 192.0.2.1 connection-type initiate
set vpn ipsec site-to-site peer 192.0.2.1 description ipsec-aws
set vpn ipsec site-to-site peer 192.0.2.1 local-address 203.0.113.1
6. Link the SAs created above to the first AWS peer and bind the VPN to a virtual tunnel interface (vti0).
set vpn ipsec site-to-site peer 192.0.2.1 ike-group FOO0
set vpn ipsec site-to-site peer 192.0.2.1 vti bind vti0
set vpn ipsec site-to-site peer 192.0.2.1 vti esp-group FOO0
7. Repeat the process for the second AWS peer address (the outside address of tunnel 2) using a second virtual tunnel interface (vti1). Each tunnel has its own pre-shared key, so <secret> here is the key for tunnel 2.
set vpn ipsec site-to-site peer 198.51.100.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 198.51.100.1 authentication pre-shared-secret <secret>
set vpn ipsec site-to-site peer 198.51.100.1 connection-type initiate
set vpn ipsec site-to-site peer 198.51.100.1 description ipsec-aws
set vpn ipsec site-to-site peer 198.51.100.1 local-address 203.0.113.1
set vpn ipsec site-to-site peer 198.51.100.1 ike-group FOO0
set vpn ipsec site-to-site peer 198.51.100.1 vti bind vti1
set vpn ipsec site-to-site peer 198.51.100.1 vti esp-group FOO0
8. Configure the RFC 3927 link-local addresses on the virtual tunnel interfaces. Use the Customer Gateway inside address (169.254.x.x/30) that AWS assigned to each tunnel in the downloaded configuration; the matching Virtual Private Gateway inside address is the other usable address of the same /30.
set interfaces vti vti0 address 169.254.x.x/30
set interfaces vti vti1 address 169.254.x.x/30
9. Lower the TCP Maximum Segment Size (MSS) on the vti interfaces to 1379, the value AWS recommends, so that TCP segments do not have to be fragmented after ESP encapsulation.
set firewall options mss-clamp interface-type vti
set firewall options mss-clamp mss 1379
10. Create static routes for the remote VPC CIDR via both tunnel interfaces, so that the VPC stays reachable through the remaining tunnel if one goes down.
set protocols static interface-route 172.16.0.0/22 next-hop-interface vti0
set protocols static interface-route 172.16.0.0/22 next-hop-interface vti1
11. Commit the changes and save the configuration.
commit ; save
Setting up the Amazon Virtual Private Gateway
The names of the AWS gateway connections and subnets are randomly generated and unique for each environment. For reference purposes, the names used in this example are:
- vpc - vpc-f8e99891
- sbn - subnet-fb400392
- rtbl - rtb-389cd051
- cgw - cgw-4e2ca07e
- vgw - vgw-d5c945e5
- vpn - vpn-2704cf10
1. If not already present, create a new Virtual Private Cloud (VPC).
Services > VPC > VPC Dashboard > Your VPCs > Create VPC
IPv4 CIDR Block: 172.16.0.0/22
IPv6 CIDR Block: No IPv6 CIDR Block
Tenancy: default
2. If not already present, create a new subnet in the VPC address range.
VPC Dashboard > Subnets > Create Subnet
VPC: vpc-f8e99891
VPC CIDRs: 172.16.0.0/22
Availability Zone: No Preference
IPv4 CIDR Block: 172.16.1.0/24
3. Create a new Customer Gateway (CGW) and enter the EdgeRouter's public IP address.
VPC Dashboard > Customer Gateways > Create Customer Gateway
Name: er-cgw
Routing: Static
IP Address: 203.0.113.1
4. Create a new Virtual Private Gateway (VGW).
VPC Dashboard > Virtual Private Gateways > Create Virtual Private Gateway
Name: er-vgw
ASN: Amazon default ASN
5. Attach the VGW to the VPC created earlier.
VPC Dashboard > Virtual Private Gateways > er-vgw > Actions > Attach to VPC
6. Propagate the routes that will be received on the VGW into the route table of the VPC (rtb-389cd051 in this example), so that the static prefix added in step 7 is installed automatically.
VPC Dashboard > Route Tables > rtb-389cd051 > Route Propagation > Edit
Check: Propagate er-vgw
7. Create a new VPN connection and associate the previously created VGW and CGW.
VPC Dashboard > VPN Connections > Create VPN Connection
Name tag: ipsec-er
Virtual Private Gateway: vgw-d5c945e5
Customer Gateway: Existing
Customer Gateway ID: cgw-4e2ca07e
Routing Options: Static
Static IP Prefixes: 192.168.1.0/24
Tunnel Options: Generated by Amazon
8. Download the configuration, which contains all the SAs, the two tunnel outside and inside addresses, and the pre-shared keys. The keys are in clear text in this file, so store and transfer it accordingly.
VPC Dashboard > VPN Connections > ipsec-er > Download Configuration
Vendor: Generic
Platform: Generic
Software: Vendor Agnostic
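The two halves of this procedure meet at the downloaded configuration: the tunnel addresses and pre-shared keys in it are exactly what steps 5 to 10 on the EdgeRouter need. The following Python script is an added example, not code from the original article, from Ubiquiti or from AWS. It reads the VPN connection's configuration XML (the CustomerGatewayConfiguration document that describe-vpn-connections returns, which is the same data the "Generic" download renders as text), checks that both tunnels reference the router's WAN address, that the two peers differ and that the inside addresses are link-local /30s, and then prints the EdgeOS set commands for both tunnels. The element names are as the editor recalls them from that XML; the sample document in the block is constructed for this example with dummy pre-shared keys and placeholder 169.254.44.x/169.254.45.x inside addresses, so compare the structure against a real download before relying on it.

```python
"""Render AWS VPN connection XML as the EdgeOS 'set' commands used above.

Added example; not from the original article, Ubiquiti or AWS. Element
names follow the CustomerGatewayConfiguration XML as recalled by the
editor; the sample below is constructed, with dummy pre-shared keys.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample, not a real AWS download. AWS always provides two tunnels.
SAMPLE_XML = """<vpn_connection id="vpn-2704cf10">
 <customer_gateway_id>cgw-4e2ca07e</customer_gateway_id>
 <vpn_gateway_id>vgw-d5c945e5</vpn_gateway_id>
 <vpn_connection_type>ipsec.1</vpn_connection_type>
 <ipsec_tunnel>
  <customer_gateway>
   <tunnel_outside_address><ip_address>203.0.113.1</ip_address></tunnel_outside_address>
   <tunnel_inside_address><ip_address>169.254.44.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
  </customer_gateway>
  <vpn_gateway>
   <tunnel_outside_address><ip_address>192.0.2.1</ip_address></tunnel_outside_address>
   <tunnel_inside_address><ip_address>169.254.44.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
  </vpn_gateway>
  <ike><pre_shared_key>EXAMPLE.psk_for_tunnel_1</pre_shared_key></ike>
  <ipsec><tcp_mss_adjustment>1379</tcp_mss_adjustment></ipsec>
 </ipsec_tunnel>
 <ipsec_tunnel>
  <customer_gateway>
   <tunnel_outside_address><ip_address>203.0.113.1</ip_address></tunnel_outside_address>
   <tunnel_inside_address><ip_address>169.254.45.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
  </customer_gateway>
  <vpn_gateway>
   <tunnel_outside_address><ip_address>198.51.100.1</ip_address></tunnel_outside_address>
   <tunnel_inside_address><ip_address>169.254.45.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
  </vpn_gateway>
  <ike><pre_shared_key>EXAMPLE.psk_for_tunnel_2</pre_shared_key></ike>
  <ipsec><tcp_mss_adjustment>1379</tcp_mss_adjustment></ipsec>
 </ipsec_tunnel>
</vpn_connection>
"""

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # RFC 3927 range used for the vti addresses


def parse_tunnels(xml_text):
    """Return one dict per <ipsec_tunnel>: outside/inside addresses, PSK and MSS."""
    tunnels = []
    for t in ET.fromstring(xml_text).findall("ipsec_tunnel"):
        cgw, vgw = t.find("customer_gateway"), t.find("vpn_gateway")
        tunnels.append({
            "local": cgw.findtext("tunnel_outside_address/ip_address"),   # EdgeRouter WAN
            "peer": vgw.findtext("tunnel_outside_address/ip_address"),    # AWS VGW endpoint
            "inside": "%s/%s" % (cgw.findtext("tunnel_inside_address/ip_address"),
                                 cgw.findtext("tunnel_inside_address/network_cidr")),
            "peer_inside": vgw.findtext("tunnel_inside_address/ip_address"),
            "psk": t.findtext("ike/pre_shared_key"),
            "mss": int(t.findtext("ipsec/tcp_mss_adjustment", default="1379")),
        })
    return tunnels


def config_problems(tunnels, wan_ip):
    """Reasons the tunnel data cannot be turned into a sane config (empty list = OK)."""
    problems = []
    if len(tunnels) != 2:
        problems.append("expected 2 tunnels, got %d" % len(tunnels))
    if len({t["peer"] for t in tunnels}) != len(tunnels):
        problems.append("tunnels share a peer address")  # the same peer pasted twice
    for n, t in enumerate(tunnels):
        if t["local"] != wan_ip:
            problems.append("tunnel %d customer gateway %s != local WAN %s" % (n, t["local"], wan_ip))
        iface = ipaddress.ip_interface(t["inside"])
        if iface.ip not in LINK_LOCAL or iface.network.prefixlen != 30:
            problems.append("tunnel %d inside address %s is not a 169.254.0.0/16 /30" % (n, t["inside"]))
        elif ipaddress.ip_address(t["peer_inside"]) not in iface.network:
            problems.append("tunnel %d peer inside %s not in %s" % (n, t["peer_inside"], iface.network))
        if not t["psk"]:
            problems.append("tunnel %d has no pre-shared key" % n)
    return problems


def edgeos_commands(tunnels, wan_ip, vpc_cidr, ike_group="FOO0", esp_group="FOO0"):
    """EdgeOS 'set' lines for steps 5-10; the ike/esp groups must already exist."""
    problems = config_problems(tunnels, wan_ip)
    if problems:
        raise ValueError("; ".join(problems))
    cmds = []
    for n, t in enumerate(tunnels):
        vti, peer = "vti%d" % n, "set vpn ipsec site-to-site peer " + t["peer"]
        cmds += [
            peer + " authentication mode pre-shared-secret",
            peer + " authentication pre-shared-secret " + t["psk"],  # key ends up in clear text
            peer + " connection-type initiate",
            peer + " description ipsec-aws",
            peer + " local-address " + wan_ip,
            peer + " ike-group " + ike_group,
            peer + " vti bind " + vti,
            peer + " vti esp-group " + esp_group,
            "set interfaces vti %s address %s" % (vti, t["inside"]),
            "set protocols static interface-route %s next-hop-interface %s" % (vpc_cidr, vti),
        ]
    cmds += ["set firewall options mss-clamp interface-type vti",
             "set firewall options mss-clamp mss %d" % min(t["mss"] for t in tunnels)]
    return cmds


if __name__ == "__main__":
    print("\n".join(edgeos_commands(parse_tunnels(SAMPLE_XML), "203.0.113.1", "172.16.0.0/22")))
```

The output is meant to be pasted into configuration mode after steps 1 to 4 and followed by commit ; save. Because it contains the pre-shared keys, treat the printed text like the downloaded configuration itself. The consistency checks are the point of the script rather than the string formatting: a WAN address that does not match the Customer Gateway, or the same peer address entered for both tunnels, is rejected before anything reaches the router.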
Related Articles
EdgeRouter - Route-Based Site-to-Site VPN to AWS VPC (BGP over IKEv1/IPsec)
EdgeRouter - Route-Based Site-to-Site IPsec VPN
Intro to Networking - How to Establish a Connection Using SSH