In previous post, I went through the steps to configure IPsec site-to-site VPN connection in AWS VPC. In this post I will go through the steps to configure my local (on-premise) VPN device. These steps are based on the sample configuration provided by Amazon. The instructions here are specific to the Cisco IOS platform I use but the concepts should be common to other devices.
Phase 1 (IKEv1)
First we will configure a matching Phase 1 ISAKMP policy. This will include the standard encryption algorithm, authentication type, hash algorithm, Diffie-Hellman group and lifetime that AWS uses. Note that with Cisco IOS ISAKMP policies are global so they will be used for all connections. I use sequence number 1 here so it will be sent first by the router to negotiate all connections. It can be changed to a higher number if you want to put lower preference to it.
crypto isakmp policy 1 encryption aes 128 authentication pre-share group 2 lifetime 28800 hash sha
The ISAKMP keyring stores the Pre-Shared Key (PSK) used for Phase 1 authentication. The name is typical of what AWS will provide though you can change it if you prefer. It has the public peer IP address of my local VPN device. The PSK is what I had previously configured in AWS.
crypto keyring keyring-vpn-ebf3ee8a-0 local-address 126.96.36.199 pre-shared-key address 188.8.131.52 key PRE_SHARED_KEY_1
An ISAKMP profile is then used to associate the keyring with the particular endpoint.
crypto isakmp profile isakmp-vpn-ebf3ee8a-0 local-address 184.108.40.206 match identity address 220.127.116.11 keyring keyring-vpn-ebf3ee8a-0
Phase 2 (IPsec)
Next we configures an IPsec transform set which defines a particular combination of encryption, authentication and IPsec mode parameters. You can name it whatever you want but a sensible and intuitive name is a good idea.
crypto ipsec transform-set ipsec-prop-vpn-ebf3ee8a-0 esp-aes 128 esp-sha-hmac mode tunnel
Next comes the IPSec profile which takes this IPSec transform set and defines further the Diffie-Hellman group and security association lifetime.
crypto ipsec profile ipsec-vpn-ebf3ee8a-0 set pfs group2 set security-association lifetime seconds 3600 set transform-set ipsec-prop-vpn-ebf3ee8a-0
There are several additional IPsec parameters required by Amazon. These parameters are global so if you have existing configurations they may affect your connections.
The configuration below instructs the router to clear the Don’t Fragment (DF) bit from packets that carry it, enabling them to be fragmented. Otherwise those packets maybe dropped if they exceed the maximum frame size.
crypto ipsec df-bit clear
The configuration below enables Dead Peer Detection (DPD) to keep the tunnel up in case it goes idle and there is no traffic flow. It will query the remote peer to check that it is still responding.
crypto isakmp keepalive 10 10 on-demand
The configuration below increases the default value (64 packets) of the gateway’s window for accepting out of order IPsec packets. A larger window can be helpful if too many packets are dropped due to reordering while in transit between gateways.
crypto ipsec security-association replay window-size 128
The configuration below instructs the router to fragment the packets prior to encryption.
crypto ipsec fragmentation before-encryption
Tunnel Interface Configuration
There are two approaches to configuring IPsec site-to-site (also known as LAN-to-LAN / l2l) in Cisco IOS, policy-based and route-based. With policy-based method, we define an ACL – often called a crypto ACL – to identify traffic destined for the VPN tunnel. This crypto ACL is then applied to a real interface, usually the outside, Internet facing, of the router.
With route-based method, we define a logical / virtual tunnel interface (VTI) associated with the IPsec tunnel. Route-based method is what AWS uses. All traffic routed to this virtual interface will be encrypted and transmitted to our AWS VPC. Conversely, traffic from the VPC will be logically received on this interface.
Association with the IPsec configs (security association) is done through the tunnel protection command. The local and remote addresses on the interface are pre-configured by Amazon and provided in their sample configuration.
interface Tunnel1 ip address 169.254.46.238 255.255.255.252 ip virtual-reassembly tunnel source 18.104.22.168 tunnel destination 22.214.171.124 tunnel mode ipsec ipv4 tunnel protection ipsec profile ipsec-vpn-ebf3ee8a-0 ! This option causes the router to reduce the Maximum Segment Size of ! TCP packets to prevent packet fragmentation. ip tcp adjust-mss 1379
Static Route Configuration
Finally we need to configure a static route for the prefix corresponding to our VPC to send traffic over the tunnel interface. Here I have used the address range 10.0.0.0/16 for my VPC.
ip route 10.0.0.0 255.255.0.0 Tunnel1 track 1
By default, Amazon configures two tunnels during setup for redundancy and recommends using SLA Monitor to failover between the two tunnels. With the SLA Monitor configured below, the route via Tunnel1 (primary) will be removed if the remote end of the tunnel interface is not reachable (Track 100).
ip sla 1 icmp-echo 169.254.46.237 source-interface Tunnel1 timeout 1000 frequency 5 exit ip sla schedule 1 life forever start-time now track 8 ip sla 1 reachability
Apart from unique values such as IP address and pre-shared key, the configuration of the second tunnel is identical. I could actually reuse the IPsec transform set and profile from the first tunnel configuration however for clarity I have configured a separate set per the sample config from Amazon.
crypto keyring keyring-vpn-ebf3ee8a-1 local-address 126.96.36.199 pre-shared-key address 188.8.131.52 key H57dlSoEZY5g8gUmeCrRrxerdiIw8gCy ! crypto isakmp profile isakmp-vpn-ebf3ee8a-1 local-address 184.108.40.206 match identity address 220.127.116.11 keyring keyring-vpn-ebf3ee8a-1 ! crypto ipsec transform-set ipsec-prop-vpn-ebf3ee8a-1 esp-aes 128 esp-sha-hmac mode tunnel ! crypto ipsec profile ipsec-vpn-ebf3ee8a-1 set pfs group2 set security-association lifetime seconds 3600 set transform-set ipsec-prop-vpn-ebf3ee8a-1 ! interface Tunnel2 ip address 169.254.46.30 255.255.255.252 ip virtual-reassembly tunnel source 18.104.22.168 tunnel destination 22.214.171.124 tunnel mode ipsec ipv4 tunnel protection ipsec profile ipsec-vpn-ebf3ee8a-1 ip tcp adjust-mss 1379 ! ip route 10.0.0.0 255.255.0.0 Tunnel2 track 10 ! ip sla 2 icmp-echo 169.254.46.29 source-interface Tunnel2 timeout 1000 frequency 5 ! ip sla schedule 2 life forever start-time now track 10 ip sla 2 reachability