Configure IPsec VPN tunnel to Amazon Web Service VPC

In a previous post, I went through the steps to configure an IPsec site-to-site VPN connection in an AWS VPC. In this post I will go through the steps to configure my local (on-premises) VPN device. These steps are based on the sample configuration provided by Amazon. The instructions here are specific to the Cisco IOS platform I use, but the concepts should be common to other devices.

Phase 1 (IKEv1)

First we configure a matching Phase 1 ISAKMP policy. This includes the encryption algorithm, authentication type, hash algorithm, Diffie-Hellman group and lifetime that AWS uses. Note that in Cisco IOS, ISAKMP policies are global, so they will be offered for all connections. I use sequence number 1 here so it will be sent first by the router when negotiating any connection; it can be changed to a higher number if you want to give it lower preference.

crypto isakmp policy 1
 encryption aes 128
 authentication pre-share
 group 2
 lifetime 28800
 hash sha

The ISAKMP keyring stores the pre-shared key (PSK) used for Phase 1 authentication. The name is typical of what AWS will provide, though you can change it if you prefer. The local-address is the public IP address of my local VPN device, and the key is bound to the public address of the AWS peer. The PSK is what I had previously configured in AWS.

crypto keyring keyring-vpn-ebf3ee8a-0
 local-address 1.1.1.1
 pre-shared-key address 34.194.43.112 key PRE_SHARED_KEY_1

An ISAKMP profile is then used to associate the keyring with the particular remote endpoint, matched on its IP address.

crypto isakmp profile isakmp-vpn-ebf3ee8a-0
 local-address 1.1.1.1
 match identity address 34.194.43.112
 keyring keyring-vpn-ebf3ee8a-0

Phase 2 (IPsec)

Next we configure an IPsec transform set, which defines a particular combination of encryption, authentication and IPsec mode parameters. You can name it whatever you want, but a sensible and intuitive name is a good idea.

crypto ipsec transform-set ipsec-prop-vpn-ebf3ee8a-0 esp-aes 128 esp-sha-hmac
 mode tunnel

Next comes the IPsec profile, which references this transform set and further defines the Diffie-Hellman group used for Perfect Forward Secrecy (PFS) and the security association lifetime.

crypto ipsec profile ipsec-vpn-ebf3ee8a-0
 set pfs group2
 set security-association lifetime seconds 3600
 set transform-set ipsec-prop-vpn-ebf3ee8a-0

There are several additional IPsec parameters required by Amazon. These parameters are global, so if you have existing IPsec configurations on the router they will affect those connections too.

The configuration below instructs the router to clear the Don't Fragment (DF) bit from packets that carry it, allowing them to be fragmented. Otherwise those packets may be dropped if they exceed the maximum frame size.

crypto ipsec df-bit clear

The configuration below enables Dead Peer Detection (DPD) to keep the tunnel up when it goes idle and there is no traffic flow: the router will query the remote peer to check that it is still responding.

crypto isakmp keepalive 10 10 on-demand

The configuration below increases the default size (64 packets) of the gateway's window for accepting out-of-order IPsec packets. A larger window can help if too many packets are dropped due to reordering in transit between the gateways.

crypto ipsec security-association replay window-size 128

The configuration below instructs the router to fragment packets before encrypting them, rather than fragmenting the encrypted packets afterwards.

crypto ipsec fragmentation before-encryption

Tunnel Interface Configuration

There are two approaches to configuring IPsec site-to-site (also known as LAN-to-LAN, or l2l) VPNs in Cisco IOS: policy-based and route-based. With the policy-based method, we define an ACL, often called a crypto ACL, to identify traffic destined for the VPN tunnel. This crypto ACL is then applied to a real interface, usually the outside (Internet-facing) interface of the router.

With the route-based method, we define a logical virtual tunnel interface (VTI) associated with the IPsec tunnel. The route-based method is what AWS uses. All traffic routed to this virtual interface is encrypted and transmitted to our AWS VPC; conversely, traffic from the VPC is logically received on this interface.

The interface is associated with the IPsec profile (and hence the security association parameters) through the tunnel protection command. The local and remote addresses on the interface are pre-configured by Amazon and provided in their sample configuration.

interface Tunnel1
 ip address 169.254.46.238 255.255.255.252
 ip virtual-reassembly
 tunnel source 1.1.1.1
 tunnel destination 34.194.43.112
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-vpn-ebf3ee8a-0
 ! This option causes the router to reduce the Maximum Segment Size of
 ! TCP packets to prevent packet fragmentation.
 ip tcp adjust-mss 1379

Static Route Configuration

Finally we need to configure a static route for the prefix corresponding to our VPC, sending that traffic over the tunnel interface. Here I have used the address range 10.0.0.0/16 for my VPC.

ip route 10.0.0.0 255.255.0.0 Tunnel1 track 100

By default, Amazon configures two tunnels during setup for redundancy and recommends using IP SLA monitoring to fail over between them. With the IP SLA monitor configured below, the route via Tunnel1 (primary) is removed if the remote end of the tunnel interface is not reachable (track 100). The track number referenced by the static route must match the track object defined against the IP SLA probe.

ip sla 1
 icmp-echo 169.254.46.237 source-interface Tunnel1
 timeout 1000
 frequency 5
exit
ip sla schedule 1 life forever start-time now
track 100 ip sla 1 reachability

Second Tunnel

Apart from unique values such as the peer IP address and pre-shared key, the configuration of the second tunnel is identical. I could actually reuse the IPsec transform set and profile from the first tunnel configuration; however, for clarity I have configured a separate set, as in the sample config from Amazon.

crypto keyring keyring-vpn-ebf3ee8a-1
 local-address 1.1.1.1
 pre-shared-key address 34.197.154.29 key PRE_SHARED_KEY_2
!
crypto isakmp profile isakmp-vpn-ebf3ee8a-1
 local-address 1.1.1.1
 match identity address 34.197.154.29
 keyring keyring-vpn-ebf3ee8a-1
!
crypto ipsec transform-set ipsec-prop-vpn-ebf3ee8a-1 esp-aes 128 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile ipsec-vpn-ebf3ee8a-1
 set pfs group2
 set security-association lifetime seconds 3600
 set transform-set ipsec-prop-vpn-ebf3ee8a-1
!
interface Tunnel2
 ip address 169.254.46.30 255.255.255.252
 ip virtual-reassembly
 tunnel source 1.1.1.1
 tunnel destination 34.197.154.29
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile ipsec-vpn-ebf3ee8a-1
 ip tcp adjust-mss 1379
!
ip route 10.0.0.0 255.255.0.0 Tunnel2 track 10
!
ip sla 2
 icmp-echo 169.254.46.29 source-interface Tunnel2
 timeout 1000
 frequency 5
!
ip sla schedule 2 life forever start-time now
track 10 ip sla 2 reachability
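As an added check, not part of the original post or of Amazon's sample configuration, the Python script below parses a Cisco IOS config in the form shown above and flags two things that commonly break these tunnels: a Phase 1 ISAKMP policy whose attributes differ from the AWS proposal, and a tracked static route whose track object or IP SLA probe is missing, so the failover described above would not work as intended. It assumes IOS's one-space indentation of sub-commands; the sample config inside it is constructed for illustration.

```python
# Added example, not from the original post or Amazon's sample config: sanity
# checks for a Cisco IOS config in the form shown above. Assumes IOS's one-space
# indentation of sub-commands; the parameter values are the ones this post uses.
import re

# Phase 1 values the AWS sample configuration in this post uses.
EXPECTED_ISAKMP = {"encryption": "aes 128", "authentication": "pre-share",
                   "group": "2", "lifetime": "28800", "hash": "sha"}

# Constructed sample: a policy with the wrong DH group, plus a tracked route
# whose track object refers to an IP SLA probe that was never defined.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encryption aes 128
 authentication pre-share
 group 14
 lifetime 28800
 hash sha
ip route 10.0.0.0 255.255.0.0 Tunnel1 track 1
ip sla 2
 icmp-echo 169.254.46.29 source-interface Tunnel2
track 1 ip sla 1 reachability
"""


def isakmp_policy_mismatches(config):
    """For each 'crypto isakmp policy N' block, return the attributes whose value
    differs from the AWS proposal (a missing attribute shows up as None)."""
    bad = {}
    blocks = re.findall(r"^(crypto isakmp policy \d+)\n((?: .*\n)*)", config, re.M)
    for header, body in blocks:
        found = dict(line.strip().partition(" ")[::2] for line in body.splitlines())
        diff = {k: found.get(k) for k, v in EXPECTED_ISAKMP.items() if found.get(k) != v}
        if diff:
            bad[header] = diff
    return bad


def check_tracked_routes(config):
    """Return (route line, track id) pairs for static routes whose track object
    is missing or refers to an 'ip sla' probe that is not configured."""
    track_to_sla = dict(re.findall(r"^track (\d+) ip sla (\d+) reachability$", config, re.M))
    slas = set(re.findall(r"^ip sla (\d+)$", config, re.M))
    return [(route, track) for route, track in
            re.findall(r"^(ip route .* track (\d+))$", config, re.M)
            if track_to_sla.get(track) not in slas]
```

Run it against `show running-config` output saved to a file; an empty dict and an empty list mean both checks passed.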