VPN tunnels: yeah, they sound easy, but they can get really messy, especially when integrating with partners and customers where you don’t control their equipment.  When we started shifting towards AWS last year and my task this summer was to integrate it with our on-prem network, I had some flashbacks of 2 AM calls with Europeans and Indians troubleshooting pre-shared keys, encryption settings, and connectivity for hours.

Amazon was a pleasant surprise though.  After creating a VPN to your endpoint, they generate and provide the configuration for you.  In other words, all you have to do is a copy/paste job into your device – in our case a Cisco ISR G2, but the config will work for just about anything running Cisco IOS with the security feature set, like a 6500.  And what I really liked is they do VPN tunnels the way they should be done – using point-to-point IPv4 tunnels with dynamic crypto maps.  The routing is handled by an actual routing protocol, BGP.

A trick I learned early on is that all AWS VPN tunnels share some common parameters.  So rather than copying and pasting them each time, you can simply stick these on your router once.

! General options
crypto isakmp keepalive 10 10 on-demand
crypto ipsec df-bit clear
crypto ipsec security-association replay window-size 1024
crypto ipsec fragmentation before-encryption

! AWS IKE Phase 1 (ISAKMP) policy. Use PSK, AES 128 encryption, 8 hour lifetime
crypto isakmp policy 200
 encryption aes 128
 authentication pre-share
 group 2
 lifetime 28800
 hash sha
!
! Phase 2 (IPsec) transform set. This is AES 128-bit encryption with SHA-1 HMAC
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
 mode tunnel
!
! Phase 2 (IPsec) profile.  SA lifetime is 1 hour, PFS group 2 is 1024-bit Diffie-Hellman
crypto ipsec profile AWS
 set security-association lifetime seconds 3600
 set transform-set ESP-AES-SHA
 set pfs group2
!

! BGP settings
router bgp 65432
 template peer-policy eBGP
  soft-reconfiguration inbound
 exit-peer-policy
 ! 10 second keepalive, 30 second holdtime for faster failover
 timers bgp 10 30 30

Now, adding a new session is dead easy.  All you really need is the pre-shared key and the IP addresses.

! Set the pre-shared key for the local and remote IP addresses
crypto keyring keyring-vpn-r2d2c3p0-0
 local-address 198.18.1.2
 pre-shared-key address 52.63.64.205 key XXXYYYZZ
!

! Create the tunnel
interface Tunnel1000
 ip address 169.254.32.242 255.255.255.252
 ip virtual-reassembly in
 ip tcp adjust-mss 1387
 tunnel source 198.18.1.2
 tunnel mode ipsec ipv4
 tunnel destination 52.63.64.205
 tunnel protection ipsec profile AWS
!

! Add the BGP session
router bgp 65432
 neighbor 169.254.32.241 remote-as 7224
 neighbor 169.254.32.241 inherit peer-policy eBGP
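Since only the pre-shared key and the addresses change from one tunnel to the next, the per-tunnel snippet above is a good candidate for generating rather than hand-editing. The following is an added example, not code from the original post or from AWS: it takes the PSK, the two outside addresses and the link-local /30 AWS assigns to the tunnel inside addresses, sanity-checks them (IPv4 only, the inside block must be a /30 inside 169.254.0.0/16, the PSK must look like the alphanumeric/period/underscore key AWS issues), derives the BGP neighbour as the other usable address of the /30, and emits the keyring, tunnel interface and BGP neighbour statements in the same shape as the snippet above. The tunnel number, keyring name, local AS 65432, AWS AS 7224 and the MSS value are taken from the post; the PSK used in the demonstration is the post's XXXYYYZZ placeholder, not a real key.

```python
"""Generate the per-tunnel Cisco IOS snippet for one AWS VPN tunnel.

Added example (not from the original post or from AWS). The common
ISAKMP policy, transform set, "AWS" IPsec profile and the "eBGP"
peer-policy template are assumed to be on the router already, as the
post describes.
"""
import ipaddress
import re

AWS_BGP_AS = 7224        # AWS side of the eBGP session (from the post)
LOCAL_BGP_AS = 65432     # the customer router's AS (from the post)
TUNNEL_MSS = 1387        # TCP MSS clamp used in the post's snippet

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Shape of the key AWS issues: 8-64 chars of letters, digits, '.' and '_',
# not starting with 0. Treated here as an assumption mirroring AWS's rule.
PSK_RE = re.compile(r"^[1-9A-Za-z._][A-Za-z0-9._]{7,63}$")


def tunnel_addresses(inside_cidr):
    """Return (local inside ip, bgp peer ip, netmask) for the tunnel's /30.

    AWS hands out a /30 from 169.254.0.0/16 for the inside addresses; the
    address given is the one configured on our Tunnel interface and the
    BGP neighbour is the other usable host of that /30 (.242 -> .241 in
    the post).
    """
    iface = ipaddress.ip_interface(inside_cidr)
    net = iface.network
    if iface.version != 4 or net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
        raise ValueError(f"inside address must be a /30 within 169.254.0.0/16, got {inside_cidr}")
    hosts = list(net.hosts())            # exactly two usable addresses in a /30
    if iface.ip not in hosts:
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    peer = hosts[0] if iface.ip == hosts[1] else hosts[1]
    return str(iface.ip), str(peer), str(net.netmask)


def tunnel_config(psk, local_outside, aws_outside, inside_cidr,
                  tunnel_id=1000, keyring="keyring-vpn-EXAMPLE-0"):
    """Build the keyring, tunnel interface and BGP neighbour statements."""
    if not PSK_RE.match(psk):
        raise ValueError("pre-shared key does not look like an AWS-issued PSK")
    local_ip = ipaddress.ip_address(local_outside)
    aws_ip = ipaddress.ip_address(aws_outside)
    for ip in (local_ip, aws_ip):
        # 'tunnel mode ipsec ipv4' needs IPv4 endpoints that can actually be routed
        if ip.version != 4 or ip.is_loopback or ip.is_multicast or ip.is_unspecified:
            raise ValueError(f"{ip} is not a usable IPv4 tunnel endpoint")
    if local_ip == aws_ip:
        raise ValueError("local and AWS outside addresses must differ")
    ours, peer, mask = tunnel_addresses(inside_cidr)

    lines = [
        "! Set the pre-shared key for the local and remote IP addresses",
        f"crypto keyring {keyring}",
        f" local-address {local_ip}",
        f" pre-shared-key address {aws_ip} key {psk}",
        "!",
        "! Create the tunnel",
        f"interface Tunnel{tunnel_id}",
        f" ip address {ours} {mask}",
        " ip virtual-reassembly in",
        f" ip tcp adjust-mss {TUNNEL_MSS}",
        f" tunnel source {local_ip}",
        " tunnel mode ipsec ipv4",
        f" tunnel destination {aws_ip}",
        " tunnel protection ipsec profile AWS",
        "!",
        "! Add the BGP session",
        f"router bgp {LOCAL_BGP_AS}",
        f" neighbor {peer} remote-as {AWS_BGP_AS}",
        f" neighbor {peer} inherit peer-policy eBGP",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Values from the post's snippet; XXXYYYZZ is the post's placeholder key.
    print(tunnel_config("XXXYYYZZ", "198.18.1.2", "52.63.64.205",
                        "169.254.32.242/30", tunnel_id=1000,
                        keyring="keyring-vpn-r2d2c3p0-0"))
```

Run it with the values from the post and the output matches the snippet above line for line; feed it a /30 outside 169.254.0.0/16 or an inside address that is the network address and it refuses rather than emitting a tunnel whose BGP neighbour can never come up.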