VPN tunnels: yeah, they sound easy, but can really messy, especially when integrating with partners and customers where you don’t control their equipment. When we started shifting towards AWS last year and my task this summer was to integrate it with our on-prem network, I has a some flashbacks of 2 AM calls with Europeans and Indians troubleshooting pre-shared keys, encryption settings, and connectivity for hours.
Amazon was a pleasant surprise though. After creating a VPN to your endpoint, they then generate and provide the configuration for you. In other words, all you have do is a copy/paste job in to your device – in our case a Cisco ISR G2, but the config will work for just about anything running Cisco IOS with security feature set, like a 6500. And what I really liked is they do VPN tunnels the way they should be done – using point to point IPv4 tunnels with dynamic crypto maps. The routing is handled by an actual routing protocol, BGP.
A trick I learned early on is all AWS VPN tunnels share some common parameters. So rather than copying and pasting each time, you can simply stick these on your router.
! General topions crypto isakmp keepalive 10 10 on-demand crypto ipsec df-bit clear crypto ipsec security-association replay window-size 1024 crypto ipsec fragmentation before-encryption ! AWS Layer 1 (Isakmp) policy. Use PSK, AES 128 encryption, 8 hour lifetime crypto isakmp policy 200 encryption aes 128 authentication pre-share group 2 lifetime 28800 hash sha ! ! Layer 2 (IPSec) transform sets. This is AES 128 bit encryption with SHA-1 crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac mode tunnel ! ! Layer 2 (IPSec) profile. SA lifetime is 1 hour, group 2 is 1024-bit keys crypto ipsec profile AWS set security-association lifetime seconds 3600 set transform-set ESP-AES-SHA set pfs group2 ! ! BGP settings router bgp 65432 template peer-policy eBGP soft-reconfiguration inbound exit-peer-policy ! 10 second keepalive, 30 second holdtime for faster failover timers bgp 10 30 30
Now to add a new session, it’s dead easy. All your really need is the pre-shared key and IP addresses.
! Set the pre-shared key for the local and remote IP addresses crypto keyring keyring-vpn-r2d2c3p0-0 local-address 198.18.1.2 pre-shared-key address 22.214.171.124 key XXXYYYZZ ! ! Create the tunnel interface Tunnel1000 ip address 169.254.32.242 255.255.255.252 ip virtual-reassembly in ip tcp adjust-mss 1387 tunnel source 198.18.1.2 tunnel mode ipsec ipv4 tunnel destination 126.96.36.199 tunnel protection ipsec profile AWS ! ! Add the BGP session router bgp 65432 neighbor 169.254.32.241 remote-as 7224 neighbor 169.254.32.241 inherit peer-policy eBGP