AWS VPC IPsec site-to-site VPN using a Ubiquiti EdgeMax EdgeRouter with BGP routing

Silas Thomas
11 min read · Oct 7, 2015


Well, I spent the better part of about 12 hours trying to get a static IPsec site-to-site tunnel up from my home office EdgeRouter to an AWS VPC and just couldn't seem to get the routing part of it right. After pointless hours of googling and fussing with it, I ditched the static IPsec in favor of a dynamic BGP tunnel, and it worked like a charm.

But there is a small trick to it, which I'll outline here for you.

First, setup your AWS VPC VPN Customer Gateway:

Give it a name, and make sure to choose Dynamic for the routing. The IP Address is the public IP of your EdgeRouter. The BGP ASN must come from the private range: 64512 is fine, or any higher number up to 65534.

Then make sure you've created a Virtual Private Gateway and attached it to your VPC.

Next, create your VPN Connection. Select your Virtual Private Gateway and your Customer Gateway, make sure Routing Options is set to Dynamic, not Static, and create it.

Great! Now, AWS will generate a config for you to download with commands you can run on your EdgeRouter. Once the VPN is created, click the Download Configuration button at the top and select Vyatta. Treat the downloaded file as a credential: it contains the pre-shared secrets for both tunnels in plain text, and so will your EdgeRouter's saved configuration once you paste it in.

If you didn't know it already, EdgeOS is largely based on Vyatta, and its configuration commands closely match Vyatta's CLI, which is exactly what we're going to use on the EdgeRouter.

Once you've downloaded the config, open it in your favorite text editor; we only have to modify one line (it appears once per tunnel, so twice in the file). Find the line that looks like this:

set protocols bgp 64512 network 0.0.0.0/0

Remove the 0.0.0.0/0 and replace it with the CIDR block of the subnet behind your EdgeRouter, so it now looks like this:

set protocols bgp 64512 network 192.168.0.0/24

If you have more than one private subnet behind the EdgeRouter, just add a line for each.

set protocols bgp 64512 network 192.168.0.0/24
set protocols bgp 64512 network 192.168.1.0/24

These are the prefixes your EdgeRouter will advertise to the VPC as networks reachable on your side of the router. Advertise only prefixes that actually live behind it: a 0.0.0.0/0 advertisement tells the VPC it can reach every address through your tunnel, and with route propagation enabled it would be installed in your VPC route tables (a static 0.0.0.0/0 to an Internet gateway still wins, because static routes take priority over propagated ones, but anything without a more specific route would be sent to your site). AWS's note in the file also applies: the prefix should already be in the router's routing table with a valid next hop, which is automatically true for directly connected subnets.

In the config below, the lines you need to modify are the two set protocols bgp 64512 network 0.0.0.0/0 lines, one in each tunnel's BGP section.

! Amazon Web Services
! Virtual Private Cloud
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID : vpn-xxxxxxx
! Your Virtual Private Gateway ID : vgw-xxxxxxx
! Your Customer Gateway ID : cgw-xxxxxxx
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 34.21.998.21 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 34.21.998.21 authentication pre-shared-secret 'rsIROCxxxxxxxxxxxxxxxguftguyf'
set vpn ipsec site-to-site peer 34.21.998.21 description 'VPC tunnel 1'
set vpn ipsec site-to-site peer 34.21.998.21 ike-group 'AWS'
set vpn ipsec site-to-site peer 34.21.998.21 local-address '87.255.988.13'
set vpn ipsec site-to-site peer 34.21.998.21 vti bind 'vti0'
set vpn ipsec site-to-site peer 34.21.998.21 vti esp-group 'AWS'
! #2: IPSec Configuration
!
! The IPSec (Phase 2) proposal defines the protocol, authentication,
! encryption, and lifetime parameters for our IPSec security association.
!
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! The tunnel interface is configured with the internal IP address.
set interfaces vti vti0 address '169.254.13.162/30'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 mtu '1436'
! --------------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
! will announce the prefix corresponding to your VPC.
!
! Your Customer Gateway may announce a default route (0.0.0.0/0),
! which can be done with the 'network' statement.
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (64512) is configured
! as part of your Customer Gateway. If the ASN must be changed, the
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!
set protocols bgp 64512 neighbor 169.254.13.161 remote-as '7224'
set protocols bgp 64512 neighbor 169.254.13.161 soft-reconfiguration 'inbound'
set protocols bgp 64512 neighbor 169.254.13.161 timers holdtime '30'
set protocols bgp 64512 neighbor 169.254.13.161 timers keepalive '30'
! To advertise additional prefixes to Amazon VPC, replace the 0.0.0.0/0 from
! the following line with the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop.
set protocols bgp 64512 network 0.0.0.0/0
! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 34.21.998.22 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 34.21.998.22 authentication pre-shared-secret 'r5HcYxxxxxxxxxxxxxxxwergwefq2sg'
set vpn ipsec site-to-site peer 34.21.998.22 description 'VPC tunnel 2'
set vpn ipsec site-to-site peer 34.21.998.22 ike-group 'AWS'
set vpn ipsec site-to-site peer 34.21.998.22 local-address '87.255.988.13'
set vpn ipsec site-to-site peer 34.21.998.22 vti bind 'vti1'
set vpn ipsec site-to-site peer 34.21.998.22 vti esp-group 'AWS'
! #2: IPSec Configuration
!
! The IPSec (Phase 2) proposal defines the protocol, authentication,
! encryption, and lifetime parameters for our IPSec security association.
!
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! The tunnel interface is configured with the internal IP address.
set interfaces vti vti1 address '169.254.13.230/30'
set interfaces vti vti1 description 'VPC tunnel 2'
set interfaces vti vti1 mtu '1436'
! --------------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
! will announce the prefix corresponding to your VPC.
!
! Your Customer Gateway may announce a default route (0.0.0.0/0),
! which can be done with the 'network' statement.
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (64512) is configured
! as part of your Customer Gateway. If the ASN must be changed, the
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!
set protocols bgp 64512 neighbor 169.254.13.229 remote-as '7224'
set protocols bgp 64512 neighbor 169.254.13.229 soft-reconfiguration 'inbound'
set protocols bgp 64512 neighbor 169.254.13.229 timers holdtime '30'
set protocols bgp 64512 neighbor 169.254.13.229 timers keepalive '30'
! To advertise additional prefixes to Amazon VPC, replace the 0.0.0.0/0 from
! the following line with the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop.
set protocols bgp 64512 network 0.0.0.0/0
! Additional Notes and Questions
! - Amazon Virtual Private Cloud Getting Started Guide:
!
http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
! - Amazon Virtual Private Cloud Network Administrator Guide:
!
http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
! - XSL Version: 2009-07-15-1119716
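The proposals in the file above (AES-128, SHA-1 and Diffie-Hellman group 2, a 1024-bit MODP group) are what AWS generated in 2015. Both AWS Site-to-Site VPN and current EdgeOS accept considerably stronger parameters, and by default AWS accepts any of its supported algorithms that your router proposes, so the change can be made on the EdgeRouter side alone unless you have restricted the tunnel options in AWS. The fragment below is an added example, not part of the original post or of the AWS download: it shows the same ike-group and esp-group with AES-256, SHA-256 and DH group 14, and IKEv2, which needs EdgeOS 1.9 or later (the key-exchange line can be dropped on older firmware). Every proposal must match on both ends, so if you do restrict the AWS tunnel options, restrict them to exactly this set.

```text
! Replacement for the ike-group / esp-group lines of the AWS file (added example).
! Phase 1: IKEv2, AES-256, SHA-256, DH group 14 (2048-bit MODP).
set vpn ipsec ike-group AWS key-exchange 'ikev2'
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '14'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes256'
set vpn ipsec ike-group AWS proposal 1 hash 'sha256'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
! Phase 2: AES-256, SHA-256, PFS enabled (reuses the group 14 from phase 1).
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes256'
set vpn ipsec esp-group AWS proposal 1 hash 'sha256'
```

The peer, vti and BGP lines are unchanged; only the two groups that both tunnels share are replaced. As with the AWS file, the lines starting with ! are comments and are not pasted into the CLI.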

Since you have to build two tunnels from your EdgeRouter to AWS, many of these config lines are redundant (the ike-group, esp-group, ipsec-interfaces and dead-peer-detection lines are shared by both tunnels), so here is a consolidated config, which is what you'll actually type into the EdgeRouter CLI. All the IPs will of course be different for your setup and your VPC (the 34.21.998.x and 87.255.988.13 addresses shown here are placeholders, not valid IPs), and the pre-shared secrets are masked, but again the only lines you have to change from the download are the set protocols bgp 64512 network 0.0.0.0/0 lines, which have already been replaced with the local prefixes below. One caveat on the crypto: this config keeps the AES-128, SHA-1 and DH group 2 proposals that the 2015 AWS file generated; AWS and current EdgeOS both support AES-256, SHA-256 and DH group 14 or higher, and if you change the proposals they have to match on both ends.

! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------

set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 34.21.998.21 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 34.21.998.21 authentication pre-shared-secret 'xxxxxxxxxxxxxxxxxxxxxxxxxxx'
set vpn ipsec site-to-site peer 34.21.998.21 description 'VPC tunnel 1'
set vpn ipsec site-to-site peer 34.21.998.21 ike-group 'AWS'
set vpn ipsec site-to-site peer 34.21.998.21 local-address '87.255.988.13'
set vpn ipsec site-to-site peer 34.21.998.21 vti bind 'vti0'
set vpn ipsec site-to-site peer 34.21.998.21 vti esp-group 'AWS'

set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'

set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'

set interfaces vti vti0 address '169.254.13.162/30'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 mtu '1436'

set protocols bgp 64512 neighbor 169.254.13.161 remote-as '7224'
set protocols bgp 64512 neighbor 169.254.13.161 soft-reconfiguration 'inbound'
set protocols bgp 64512 neighbor 169.254.13.161 timers holdtime '30'
set protocols bgp 64512 neighbor 169.254.13.161 timers keepalive '30'

set protocols bgp 64512 network 192.168.0.0/24
set protocols bgp 64512 network 192.168.1.0/24

! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------

set vpn ipsec site-to-site peer 34.21.998.22 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 34.21.998.22 authentication pre-shared-secret 'xxxxxxxxxxxxxxxxxxxxxxxxxxx'
set vpn ipsec site-to-site peer 34.21.998.22 description 'VPC tunnel 2'
set vpn ipsec site-to-site peer 34.21.998.22 ike-group 'AWS'
set vpn ipsec site-to-site peer 34.21.998.22 local-address '87.255.988.13'
set vpn ipsec site-to-site peer 34.21.998.22 vti bind 'vti1'
set vpn ipsec site-to-site peer 34.21.998.22 vti esp-group 'AWS'

set interfaces vti vti1 address '169.254.13.230/30'
set interfaces vti vti1 description 'VPC tunnel 2'
set interfaces vti vti1 mtu '1436'

set protocols bgp 64512 neighbor 169.254.13.229 remote-as '7224'
set protocols bgp 64512 neighbor 169.254.13.229 soft-reconfiguration 'inbound'
set protocols bgp 64512 neighbor 169.254.13.229 timers holdtime '30'
set protocols bgp 64512 neighbor 169.254.13.229 timers keepalive '30'
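Doing the consolidation by hand is fine for two tunnels, but it is easy to miss one of the two network lines or to paste a duplicated ike-group line. The script below is an added example, not from the original post or from AWS; it performs the same consolidation on the downloaded Vyatta file: it drops the ! comment lines, expands every set protocols bgp <asn> network 0.0.0.0/0 line into one line per local prefix you pass, removes exact duplicate lines while keeping their order, and refuses to run at all if 0.0.0.0/0 is given as a prefix or a prefix is not in CIDR form. The function names consolidate_aws_vpn_config and demo_config_file are the example's own, and demo_config_file writes a constructed, abbreviated stand-in for the AWS file (documentation addresses and a dummy secret) so the script runs offline.

```shell
#!/usr/bin/env bash
# Consolidate an AWS-generated Vyatta/EdgeOS VPN config for pasting into an EdgeRouter.
# Usage: consolidate_aws_vpn_config <downloaded-file> <prefix> [<prefix> ...]
set -e

consolidate_aws_vpn_config() {
  local cfg="$1"; shift
  local prefixes="$*"   # space-separated CIDR prefixes to advertise to the VPC
  awk -v prefixes="$prefixes" '
    BEGIN {
      n = split(prefixes, p, " ")
      if (n == 0) { print "no prefixes given" > "/dev/stderr"; exit 2 }
      for (i = 1; i <= n; i++) {
        # Never turn this site into the default route for the VPC.
        if (p[i] == "0.0.0.0/0") { print "refusing to advertise a default route" > "/dev/stderr"; exit 2 }
        if (p[i] !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) { print "not a CIDR prefix: " p[i] > "/dev/stderr"; exit 2 }
      }
    }
    { sub(/[ \t\r]+$/, "") }                 # strip trailing whitespace and CR
    /^!/ || /^$/ { next }                    # drop AWS comment lines and blanks
    /^set protocols bgp [0-9]+ network 0\.0\.0\.0\/0$/ {
      # One network statement per local prefix, keeping the ASN ($4) from the file.
      for (i = 1; i <= n; i++) {
        line = "set protocols bgp " $4 " network " p[i]
        if (!seen[line]++) print line
      }
      next
    }
    !seen[$0]++                              # emit every other line once, in order
  ' "$cfg"
}

# Constructed, abbreviated stand-in for the AWS download (RFC 5737 addresses, dummy secret).
demo_config_file() {
  local f
  f="$(mktemp)"
  cat > "$f" <<'EOF'
! Amazon Web Services
! IPSec Tunnel #1
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec site-to-site peer 203.0.113.21 authentication pre-shared-secret 'EXAMPLEONLY'
set vpn ipsec site-to-site peer 203.0.113.21 vti bind 'vti0'
set interfaces vti vti0 address '169.254.13.162/30'
set protocols bgp 64512 neighbor 169.254.13.161 remote-as '7224'
set protocols bgp 64512 network 0.0.0.0/0
! IPSec Tunnel #2
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec site-to-site peer 203.0.113.22 authentication pre-shared-secret 'EXAMPLEONLY'
set vpn ipsec site-to-site peer 203.0.113.22 vti bind 'vti1'
set interfaces vti vti1 address '169.254.13.230/30'
set protocols bgp 64512 neighbor 169.254.13.229 remote-as '7224'
set protocols bgp 64512 network 0.0.0.0/0
EOF
  printf '%s\n' "$f"
}

# Stand-alone demo: ./consolidate.sh --demo
if [ "${1:-}" = "--demo" ]; then
  consolidate_aws_vpn_config "$(demo_config_file)" 192.168.0.0/24 192.168.1.0/24
fi
```

Run it against the real download with your own prefixes (for example consolidate_aws_vpn_config vpn-xxxxxxx.txt 192.168.0.0/24 192.168.1.0/24 > paste.txt) and paste the result into configuration mode. The output still contains the pre-shared secrets, so delete the file afterwards.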

Now open your Terminal, or PuTTY, SSH into your EdgeRouter, log in, and enter configuration mode:

$ configure

Then paste the consolidated config at the prompt (it changes from $ to # in configuration mode). Once every line has been accepted without errors, commit and save:

# commit
# save

Your tunnels should start to come up; you can check them in the AWS console under VPN Connections (the Tunnel Details tab shows each tunnel's status), or on the EdgeRouter with show vpn ipsec sa and show ip bgp summary, which should show both neighbors established. If the tunnels stay down, make sure your WAN firewall allows IKE (UDP 500), NAT-T (UDP 4500) and ESP (IP protocol 50) from the two AWS tunnel endpoints.

The last thing you'll probably want to do is make sure the VPC route table for your subnets has route propagation enabled for the Virtual Private Gateway, so the prefixes learned over BGP are installed automatically.

Go to VPC > Route Tables, select your route table, click the Route Propagation tab, click the Edit button, and make sure your VGW is set to Propagate.
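The AWS-side console steps above (Customer Gateway, Virtual Private Gateway, VPN Connection with dynamic routing, the route propagation setting, and checking tunnel status) can be scripted with the AWS CLI. The script below is an added example, not part of the original post. It assumes the AWS CLI is installed and credentialed, that you pass in your VPC ID, route table ID and the EdgeRouter's public IP, and that the BGP ASN is 64512 as in the post; the function names and the AWS_CLI variable are the example's own (the variable exists only so the calls can be pointed at a stub for offline testing, and is left unset in real use). The generic customer gateway configuration that describe-vpn-connections returns is XML containing both tunnels' addresses and pre-shared keys, so it is written with owner-only permissions.

```shell
#!/usr/bin/env bash
# Provision an AWS Site-to-Site VPN with dynamic (BGP) routing and enable
# route propagation, mirroring the console steps in the post.
set -e

AWS_CLI="${AWS_CLI:-aws}"   # indirection so the calls can be stubbed in tests

# Step 1: Customer Gateway = the EdgeRouter's public IP plus a private ASN.
create_customer_gateway() {   # <public-ip> [<asn>]
  "$AWS_CLI" ec2 create-customer-gateway --type ipsec.1 \
    --public-ip "$1" --bgp-asn "${2:-64512}" \
    --query 'CustomerGateway.CustomerGatewayId' --output text
}

# Step 2: Virtual Private Gateway, attached to the VPC.
create_and_attach_vgw() {     # <vpc-id>
  local vgw
  vgw="$("$AWS_CLI" ec2 create-vpn-gateway --type ipsec.1 \
    --query 'VpnGateway.VpnGatewayId' --output text)"
  "$AWS_CLI" ec2 attach-vpn-gateway --vpn-gateway-id "$vgw" --vpc-id "$1" >/dev/null
  printf '%s\n' "$vgw"
}

# Step 3: VPN Connection. StaticRoutesOnly=false is the CLI spelling of
# "Routing Options: Dynamic" in the console.
create_dynamic_vpn() {        # <cgw-id> <vgw-id>
  "$AWS_CLI" ec2 create-vpn-connection --type ipsec.1 \
    --customer-gateway-id "$1" --vpn-gateway-id "$2" \
    --options StaticRoutesOnly=false \
    --query 'VpnConnection.VpnConnectionId' --output text
}

# Step 4: let the prefixes learned over BGP be installed in the route table.
enable_route_propagation() {  # <route-table-id> <vgw-id>
  "$AWS_CLI" ec2 enable-vgw-route-propagation --route-table-id "$1" --gateway-id "$2"
}

# Per-tunnel state as the console shows it: AWS endpoint, UP/DOWN, and the number
# of prefixes AWS accepted from the router (should equal your network statements).
tunnel_status() {             # <vpn-id>
  "$AWS_CLI" ec2 describe-vpn-connections --vpn-connection-ids "$1" \
    --query 'VpnConnections[0].VgwTelemetry[].[OutsideIpAddress,Status,AcceptedRouteCount]' \
    --output text
}

# Runs steps 1-4, saves the customer gateway configuration (it holds the PSKs,
# hence chmod 600) and prints the three IDs on one line.
provision_site_to_site_vpn() {  # <vpc-id> <route-table-id> <public-ip>
  local cgw vgw vpn
  cgw="$(create_customer_gateway "$3")"
  vgw="$(create_and_attach_vgw "$1")"
  vpn="$(create_dynamic_vpn "$cgw" "$vgw")"
  enable_route_propagation "$2" "$vgw" >/dev/null
  "$AWS_CLI" ec2 wait vpn-connection-available --vpn-connection-ids "$vpn"
  "$AWS_CLI" ec2 describe-vpn-connections --vpn-connection-ids "$vpn" \
    --query 'VpnConnections[0].CustomerGatewayConfiguration' --output text \
    > "${vpn}.xml"
  chmod 600 "${vpn}.xml"
  printf '%s %s %s\n' "$cgw" "$vgw" "$vpn"
}

# Stand-alone use: ./provision.sh provision vpc-xxxxxxx rtb-xxxxxxx <public-ip>
if [ "${1:-}" = "provision" ]; then
  provision_site_to_site_vpn "$2" "$3" "$4"
fi
```

After committing the EdgeRouter config, tunnel_status vpn-xxxxxxx should report both tunnels UP with an AcceptedRouteCount equal to the number of prefixes you advertised; a count of 0 on an UP tunnel usually means the network statements point at prefixes that are not in the router's routing table.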

Enjoy.


Silas Thomas

Technologist, Consultant, Business Owner, and Private Pilot