AWS cross-region IPsec VPN using VyOS and Amazon VPN
This has been a very challenging task but I was able to get it working after a lot of trials.
Task
You need to connect an AWS VPC running in Europe with an AWS VPC running in the US.
Since I wanted to learn more about AWS I decided that I will be using the Amazon VPN and connect it to a Vyatta/VyOS router running on the other end.
I will try to keep this simple. Once you have everything up and running, go back and expand/secure everything.
This is not an in-depth guide; I assume you know how to set up a VPC, set up static routes, assign IPs, etc.
VPC 1) Name US-VPC
IP Range: 10.100.0.0/18
Network ACL => default, allow all in both directions
1 public subnet 10.100.0.0/24
1 private subnet 10.100.1.0/20
1 public route 0.0.0.0/0 => IGW
1 private route 0.0.0.0/0 => NAT instance
VPC 2) Name EU-VPC
IP Range: 10.100.64.0/18
Network ACL => default, allow all in both directions
1 public subnet 10.100.64.0/24
1 private subnet 10.100.65.0/24
1 public route 0.0.0.0/0 => IGW
1 private route 0.0.0.0/0 => NAT instance
You will need to have a VyOS instance running in your US VPC on the public range.
Go to EC2 => Launch => Community AMIs and search for VyOS. I've used the 64-bit instance provided by https://www.crownpeak.com/, VyOS-1.1.7 – ami-63193103.
Launch this instance in your US VPC inside the public range, and make sure the security group allows ALL traffic from everywhere.
Once the instance is up, allocate an EIP and assign it to the instance. I will assume this IP is 1.2.3.4.
The last step is to disable the source/destination check for the VyOS instance.
SSH into the VyOS instance using the user vyos and the key used to launch it.
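The launch step above opens the security group to all traffic so that nothing gets in the way while the tunnel is being debugged. The walkthrough says to go back and tighten things afterwards, and the only inbound flows the two AWS tunnel endpoints (52.28.133.180 and 52.59.60.104 from the downloaded configuration) actually need are IKE (UDP 500), NAT-T (UDP 4500, which applies here because the instance sits behind the 1:1 NAT of its EIP) and ESP (IP protocol 50). The following is an added example, not code from the original post: it audits an ingress rule set in the IpPermissions shape returned by the EC2 describe-security-groups API, flags an allow-everything rule, and lists any IPsec flow a peer would be unable to reach. The two rule sets and the 203.0.113.0/24 management range for SSH are constructed sample data.

```python
import ipaddress
from typing import Dict, List, Optional

# The two AWS tunnel endpoints from the downloaded configuration.
AWS_PEERS = ["52.28.133.180", "52.59.60.104"]

# What each endpoint needs to reach the VyOS instance: IKE, NAT-T and ESP.
# ESP is an IP protocol (50), so it has no port.
IPSEC_FLOWS = [("udp", 500), ("udp", 4500), ("50", None)]

# Constructed rule sets in the IpPermissions shape used by the EC2 API.
# The first is the "ALL traffic from everywhere" group from the launch step.
WIDE_OPEN_SG = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]

PEER_RANGES = [{"CidrIp": f"{p}/32"} for p in AWS_PEERS]
RESTRICTED_SG = [
    {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500, "IpRanges": PEER_RANGES},
    {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500, "IpRanges": PEER_RANGES},
    # Admin SSH from a placeholder management range (TEST-NET-3), not from the page.
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "203.0.113.0/24"}]},
    {"IpProtocol": "50", "IpRanges": PEER_RANGES},
]


def rule_allows(rule: Dict, proto: str, port: Optional[int], src: str) -> bool:
    """True when a single ingress rule admits proto/port from the source address."""
    rule_proto = rule.get("IpProtocol")
    if rule_proto != "-1":  # "-1" is the AWS wildcard for every protocol and port
        if rule_proto != proto:
            return False
        if port is not None and not (rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)):
            return False
    src_addr = ipaddress.ip_address(src)
    return any(src_addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))


def audit_vpn_security_group(permissions: List[Dict], peers: List[str]) -> Dict:
    """Report an allow-everything rule and any IPsec flow a peer cannot reach."""
    wide_open = any(
        rule.get("IpProtocol") == "-1"
        and any(ipaddress.ip_network(r["CidrIp"]).prefixlen == 0 for r in rule.get("IpRanges", []))
        for rule in permissions
    )
    # Security groups are allow-lists: a flow is admitted if any rule matches it.
    missing = [
        (peer, proto, port)
        for peer in peers
        for proto, port in IPSEC_FLOWS
        if not any(rule_allows(rule, proto, port, peer) for rule in permissions)
    ]
    return {"wide_open": wide_open, "missing": missing}


if __name__ == "__main__":
    print("launch-time group:", audit_vpn_security_group(WIDE_OPEN_SG, AWS_PEERS))
    print("restricted group: ", audit_vpn_security_group(RESTRICTED_SG, AWS_PEERS))
```

Security groups are stateful, so the replies to these flows need no extra egress rules; what the audit does not cover is the Network ACL, which the VPC layout above leaves at the default allow-all.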
Switch to the EU VPC:
- Go to VPC
- Create a new Customer Gateway and use the IP address you assigned to the US VyOS instance (1.2.3.4).
- Create a new Virtual Private Gateway and attach it to the VPC.
- Create a new VPN connection using the Customer Gateway and the Virtual Private Gateway.
Wait for the VPN to activate and download the configuration for Vyatta 6.5+.
Switch to the VyOS instance and get the eth0 IP address assigned to it, in my case 10.100.0.91 (you will need this!).
The very first thing we need is to add a static route for the entire VPC range; otherwise the BGP route will never be announced.
Amazon adds a single static route for the subnet the instance was launched in and doesn't add one for the entire VPC.
set protocols static route 10.100.0.0/18 next-hop 10.100.0.1 distance 10
The gateway/next-hop is 10.100.0.1 because the instance was launched inside the 10.100.0.0/24 subnet; if your subnet differs, replace 10.100.0.1 with your subnet's gateway.
show ip route
You should see your route active.
Open the downloaded configuration and remove all the comment lines (starting with "!"); you will be left with something like the configuration below.
Pay attention to what I've changed/added.
Tunnel 1
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 52.28.133.180 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.28.133.180 authentication pre-shared-secret 'sadoisudjm80389i4&54'
set vpn ipsec site-to-site peer 52.28.133.180 description 'VPC tunnel 1'
set vpn ipsec site-to-site peer 52.28.133.180 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.28.133.180 local-address '10.100.0.91' # replace the local address with the IP address of eth0 on VyOS
set vpn ipsec site-to-site peer 52.28.133.180 authentication id 10.100.0.91 # set the authentication id to the IP address of eth0 on VyOS
set vpn ipsec site-to-site peer 52.28.133.180 authentication remote-id 52.28.133.180 # set the remote id to the peer IP
set vpn ipsec site-to-site peer 52.28.133.180 vti bind 'vti0'
set vpn ipsec site-to-site peer 52.28.133.180 vti esp-group 'AWS'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set interfaces vti vti0 address '169.254.43.86/30'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 mtu '1436'
set protocols bgp 65000 neighbor 169.254.43.85 remote-as '7224'
set protocols bgp 65000 neighbor 169.254.43.85 soft-reconfiguration 'inbound'
set protocols bgp 65000 neighbor 169.254.43.85 timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.43.85 timers keepalive '10'
set protocols bgp 65000 network 10.100.0.0/18 # the downloaded file has 0.0.0.0/0 here; replace it with the range of the US VPC
Tunnel 2
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 52.59.60.104 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.59.60.104 authentication pre-shared-secret 'iuhnAD(342420342'
set vpn ipsec site-to-site peer 52.59.60.104 description 'VPC tunnel 2'
set vpn ipsec site-to-site peer 52.59.60.104 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.59.60.104 local-address '10.100.0.91' # replace the local address with the IP address of eth0 on VyOS
set vpn ipsec site-to-site peer 52.59.60.104 authentication id 10.100.0.91 # set the authentication id to the IP address of eth0 on VyOS
set vpn ipsec site-to-site peer 52.59.60.104 authentication remote-id 52.59.60.104 # set the remote id to the peer IP (this tunnel's peer, not tunnel 1's)
set vpn ipsec site-to-site peer 52.59.60.104 vti bind 'vti1'
set vpn ipsec site-to-site peer 52.59.60.104 vti esp-group 'AWS'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set protocols bgp 65000 neighbor 169.254.42.205 remote-as '7224'
set protocols bgp 65000 neighbor 169.254.42.205 soft-reconfiguration 'inbound'
set protocols bgp 65000 neighbor 169.254.42.205 timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.42.205 timers keepalive '10'
set protocols bgp 65000 network 10.100.0.0/18 # the downloaded file has 0.0.0.0/0 here; replace it with the range of the US VPC
commit
save
exit
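The edits made by hand above (strip the "!" banners, point local-address and the authentication id at the eth0 address instead of the EIP, set remote-id to each peer, swap the 0.0.0.0/0 BGP network for the US VPC range) are easy to get slightly wrong when two near-identical tunnel sections are pasted in, the classic slip being a remote-id copied from tunnel 1 into tunnel 2. The following is an added example, not code from the original post: it applies those edits to the text of the downloaded file and then checks that every peer's remote-id matches its own address, that both identity settings point at eth0, and that every vti a peer is bound to has an address line (the tunnel 2 vti1 lines are easy to drop when trimming the download). The input below is a constructed excerpt in the shape of the AWS "Vyatta 6.5+" file with placeholder pre-shared secrets, not a real download.

```python
import re
from typing import Dict, List

# Constructed excerpt in the shape of the "Vyatta 6.5+" file AWS generates:
# "!" banners, the EIP as local-address and 0.0.0.0/0 as the BGP network.
# Sample input only; the PSKs are placeholders.
SAMPLE_AWS_CONFIG = """\
! Amazon Web Services
! Virtual Private Cloud
! IPSec Tunnel #1
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec site-to-site peer 52.28.133.180 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.28.133.180 authentication pre-shared-secret 'EXAMPLE-PSK-1'
set vpn ipsec site-to-site peer 52.28.133.180 local-address '1.2.3.4'
set vpn ipsec site-to-site peer 52.28.133.180 vti bind 'vti0'
set interfaces vti vti0 address '169.254.43.86/30'
set protocols bgp 65000 neighbor 169.254.43.85 remote-as '7224'
set protocols bgp 65000 network 0.0.0.0/0
! IPSec Tunnel #2
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec site-to-site peer 52.59.60.104 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.59.60.104 authentication pre-shared-secret 'EXAMPLE-PSK-2'
set vpn ipsec site-to-site peer 52.59.60.104 local-address '1.2.3.4'
set vpn ipsec site-to-site peer 52.59.60.104 vti bind 'vti1'
set interfaces vti vti1 address '169.254.42.206/30'
set protocols bgp 65000 neighbor 169.254.42.205 remote-as '7224'
set protocols bgp 65000 network 0.0.0.0/0
"""

PEER_RE = re.compile(r"^set vpn ipsec site-to-site peer (\S+) ")
LOCAL_RE = re.compile(r"^(set vpn ipsec site-to-site peer \S+ local-address )'[^']*'$")
NETWORK_RE = re.compile(r"^(set protocols bgp \d+ network )0\.0\.0\.0/0$")
ATTR_RE = re.compile(
    r"^set vpn ipsec site-to-site peer (\S+) "
    r"(authentication remote-id|authentication id|local-address|vti bind) '?([^'\s]+)'?$"
)
VTI_ADDR_RE = re.compile(r"^set interfaces vti (\S+) address '")


def adapt_aws_config(text: str, eth0_ip: str, vpc_cidr: str) -> List[str]:
    """Apply the walkthrough's manual edits to the AWS-generated file."""
    out: List[str] = []
    peers: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # AWS comment banners and blank lines
        m = LOCAL_RE.match(line)
        if m:  # the instance never holds its EIP, so IKE must bind to eth0
            line = f"{m.group(1)}'{eth0_ip}'"
        m = NETWORK_RE.match(line)
        if m:  # advertise only the US VPC range, not a default route
            line = f"{m.group(1)}{vpc_cidr}"
        if line in out:
            continue  # both tunnel sections repeat the shared ike/esp lines
        out.append(line)
        m = PEER_RE.match(line)
        if m and m.group(1) not in peers:
            peers.append(m.group(1))
    # Behind the EIP's 1:1 NAT the IKE identities have to be set explicitly.
    for peer in peers:
        out.append(f"set vpn ipsec site-to-site peer {peer} authentication id {eth0_ip}")
        out.append(f"set vpn ipsec site-to-site peer {peer} authentication remote-id {peer}")
    return out


def check_config(lines: List[str], eth0_ip: str) -> List[str]:
    """Return the consistency problems found (an empty list means none)."""
    peers: Dict[str, Dict[str, str]] = {}
    vtis_with_address = set()
    for line in lines:
        m = VTI_ADDR_RE.match(line)
        if m:
            vtis_with_address.add(m.group(1))
        m = ATTR_RE.match(line)
        if m:
            peers.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    problems: List[str] = []
    for peer, attrs in peers.items():
        if attrs.get("authentication remote-id") != peer:
            problems.append(f"{peer}: remote-id is {attrs.get('authentication remote-id')}, expected the peer address")
        if attrs.get("authentication id") != eth0_ip:
            problems.append(f"{peer}: authentication id is not the eth0 address {eth0_ip}")
        if attrs.get("local-address") != eth0_ip:
            problems.append(f"{peer}: local-address is not the eth0 address {eth0_ip}")
        vti = attrs.get("vti bind")
        if vti not in vtis_with_address:
            problems.append(f"{peer}: bound to {vti} but there is no 'set interfaces vti {vti} address' line")
    return problems


if __name__ == "__main__":
    config = adapt_aws_config(SAMPLE_AWS_CONFIG, "10.100.0.91", "10.100.0.0/18")
    print("\n".join(config))
    print("problems:", check_config(config, "10.100.0.91") or "none")
```

Run it against the real download with your own eth0 address and VPC range, paste the output into configure mode, and only commit when the problem list is empty; the duplicate-line filter also removes the ike-group and esp-group lines that both tunnel sections repeat, which is harmless either way since VyOS set commands are idempotent.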
At this point the tunnel should start to come up and you should see 1 BGP route exported. That means your EU VPC will automatically know how to reach the US VPC via the VPN.
show ip bgp => you should see both routes
show ip bgp neighbors x.x.x.x advertised-routes # replace x.x.x.x with the next-hop IP 169.x.x.x
show ip bgp neighbors x.x.x.x received-routes # replace x.x.x.x with the next-hop IP 169.x.x.x
The last thing you need to do is add a static route in the US VPC pointing back to the EU VPC range.
Go to VPC > Route Tables => Edit, add a new route for 10.100.64.0/18 and set the VyOS instance as its target.