/Dev/Zero Linux

AWS cross region ipsec VPN using Vyos and Amazon VPN

Oct
10

This has been a very challenging task but I was able to get it working after a lot of trials.

Task

You need to connect a AWS VPC running in Europe with a AWS VPC running in US.

Since i wanted to learn more about AWS I decided that i will be using the amazon VPN and connect it to a Vyatta/Vyos router running on the other end.

I will try to keep this simple.Once you have everything up and running go back and expand/secure everything.

This is not a in depth guide and i assumed you know how to setup a VPC, setup static routes ,assign IP’s etc…

VPC 1 ) Name US-VPC

IP Range : 10.100.0.0/18

Network ACL => default allow all both directions

1 public subnet 10.100.0.0/24

1 private subnet 10.100.1.0/20

1 public Route 0.0.0.0/0 => IGW

1 private route no 0.0.0/0 => nat instance

VPC 2) EU-Name EU-VPC

IP Range : 10.100.64.0/18

Network ACL => default allow all both directions

1 public subnet 10.100.64.0/24

1 private subnet 10.100.65.0/24

1 public Route 0.0.0.0/0 => IGW

1 private route no 0.0.0/0 => nat instance

You will need to have a Vyos instance running in your US VPC on the public range.

Go to EC => Launch => Community AMIs and search for Vyos. I’ve used the  64bit instance provided by https://www.crownpeak.com/  VyOS-1.1.7 – ami-63193103
Launch this instance on your US VPC inside the public range, make sure the security group allows ALL traffic from everywhere.

Once the instance is up allocate an EIP and assign it to the instance. I will assume this ip is 1.2.3.4

The last step is to disable source/destination check for the Vyos instance.

ssh the Vyos instance using the user vyos and the key used to launch it.

Switch to the EU VPC

  • Go to VPC
  • Create a new customer gateway and use the ip address you assigned to the US vyatta instance.(1.2.3.4)
  • Create a new Virtual Private Gateway and attach it to the VPC.
  • Create a new VPN connection. using the Customer Gateway  and  Virtual Private Gateway

Wait for the vpn to activate and download the configuration for Vyatta 6.5+

Switch to the Vyos Instance and get the eth0 ip address assigned to it. in my case  10.100.0.91  (you will need this!.)

The very first thing we need to add a static route for the entire VPC range otherwise the BGP route will never be announced.

Amazon adds a single static route on the subnet the instance was launched on  and doesn’t add one for the entire VPC.

set protocols static route 10.100.0.0/18 next-hop 10.100.0.1 distance 10

the gateway/next-hop is 10.100.0.1 because the instance was launched inside the 10.100.0.0/24 subnet if your subnet differs then replace 10.100.0.1 with your subnet gateway

 

show ip route

you should see your route active.

Open the Downloaded configuration and remove all the comments “!”, you will be left with something like the below configuration.

Pay attention to what I’ve changed/added

Tunel 1

set vpn ipsec ike-group AWS lifetime ‘28800’
set vpn ipsec ike-group AWS proposal 1 dh-group ‘2’
set vpn ipsec ike-group AWS proposal 1 encryption ‘aes128’
set vpn ipsec ike-group AWS proposal 1 hash ‘sha1’
set vpn ipsec site-to-site peer 52.28.133.180 authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer 52.28.133.180 authentication pre-shared-secret ‘sadoisudjm80389i4&54’
set vpn ipsec site-to-site peer 52.28.133.180 description ‘VPC tunnel 1’
set vpn ipsec site-to-site peer 52.28.133.180 ike-group ‘AWS’
set vpn ipsec site-to-site peer 52.28.133.180 local-address ‘10.100.0.91’ #replace local address with the ip address of eth0 on Vyos

set vpn ipsec site-to-site peer 52.28.133.180 authentication id 10.100.0.91 # set the authentication id to  the ip address of eth0 on Vyos

set vpn ipsec site-to-site peer 52.28.133.180 authentication remote-id 52.28.133.180 # set the remote id to  the peer ip

set vpn ipsec site-to-site peer 52.28.133.180 vti bind ‘vti0’
set vpn ipsec site-to-site peer 52.28.133.180 vti esp-group ‘AWS’

set vpn ipsec ipsec-interfaces interface ‘eth0’
set vpn ipsec esp-group AWS compression ‘disable’
set vpn ipsec esp-group AWS lifetime ‘3600’
set vpn ipsec esp-group AWS mode ‘tunnel’
set vpn ipsec esp-group AWS pfs ‘enable’
set vpn ipsec esp-group AWS proposal 1 encryption ‘aes128’
set vpn ipsec esp-group AWS proposal 1 hash ‘sha1’

set interfaces vti vti0 address ‘169.254.43.86/30’
set interfaces vti vti0 description ‘VPC tunnel 1’
set interfaces vti vti0 mtu ‘1436’

set protocols bgp 65000 neighbor 169.254.43.85 remote-as ‘7224’
set protocols bgp 65000 neighbor 169.254.43.85 soft-reconfiguration ‘inbound’
set protocols bgp 65000 neighbor 169.254.43.85 timers holdtime ’30’
set protocols bgp 65000 neighbor 169.254.43.85 timers keepalive ’10’

set protocols bgp 65000 network 10.100.0.0/18 # replace 0.0.0.0/0 with the subnet of the US VPC

Tunel 2

set vpn ipsec ike-group AWS lifetime ‘28800’
set vpn ipsec ike-group AWS proposal 1 dh-group ‘2’
set vpn ipsec ike-group AWS proposal 1 encryption ‘aes128’
set vpn ipsec ike-group AWS proposal 1 hash ‘sha1’
set vpn ipsec site-to-site peer 52.59.60.104 authentication mode ‘pre-shared-secret’
set vpn ipsec site-to-site peer 52.59.60.104 authentication pre-shared-secret ‘iuhnAD(342420342’
set vpn ipsec site-to-site peer 52.59.60.104 description ‘VPC tunnel 2’
set vpn ipsec site-to-site peer 52.59.60.104 ike-group ‘AWS’
set vpn ipsec site-to-site peer 52.59.60.104 local-address ‘10.100.0.91’ #replace local address with the ip address of eth0 on vyatta

set vpn ipsec site-to-site peer 52.59.60.104 authentication id 10.100.0.91 # set the authentication id to  the ip address of eth0 on vyatta

set vpn ipsec site-to-site peer 52.59.60.104 authentication remote-id 52.28.133.180 # set the remote id to  the peer ip

set vpn ipsec site-to-site peer 52.59.60.104 vti bind ‘vti1’
set vpn ipsec site-to-site peer 52.59.60.104 vti esp-group ‘AWS’

set vpn ipsec ipsec-interfaces interface ‘eth0’
set vpn ipsec esp-group AWS compression ‘disable’
set vpn ipsec esp-group AWS lifetime ‘3600’
set vpn ipsec esp-group AWS mode ‘tunnel’
set vpn ipsec esp-group AWS pfs ‘enable’
set vpn ipsec esp-group AWS proposal 1 encryption ‘aes128’
set vpn ipsec esp-group AWS proposal 1 hash ‘sha1’

set vpn ipsec ike-group AWS dead-peer-detection action ‘restart’
set vpn ipsec ike-group AWS dead-peer-detection interval ’15’
set vpn ipsec ike-group AWS dead-peer-detection timeout ’30’

set protocols bgp 65000 neighbor 169.254.42.205 remote-as ‘7224’
set protocols bgp 65000 neighbor 169.254.42.205 soft-reconfiguration ‘inbound’
set protocols bgp 65000 neighbor 169.254.42.205 timers holdtime ’30’
set protocols bgp 65000 neighbor 169.254.42.205 timers keepalive ’10’

set protocols bgp 65000 network 10.100.0.0/18 #replace 0.0.0.0/0 with the subnet of the US VPC

commit

save

exit

At this point the tunel should start to come up and you should see 1 BGP route exported. That means your EU vpc will automatically know  how to connect to the US VPC via the VPN.

show ip bgp  => you should see both routes

show ip bgp neighbors x.x.x.x advertised-routes #replace x.x.x.x with the next hop ip 169.x.x.x.

show ip bgp neighbors x.x.x.x recveived-routes #replace x.x.x.x with the next hop ip 169.x.x.x.

The last thing you need to do is add a static route in the US VPC pointing back to the EU VPC range.

Go to VPC > Routes => Edit add new route 10.100.64.0/18 and set the Vyos Instance as it’s destination.

 

Leave a Reply

Your email address will not be published. Required fields are marked *