Environment
  
  
  Cloud
- ### CIDR : 172.31.0.0/16
- ### Public :  X.X.X.X
  
  
  On-Premise
- ### CIDR : 172.16.0.0/16
- ### Public : Y.Y.Y.Y
# How To
## Part of AWS
- ### Create Customer Gateway (CGW)
#### Create CGW
  
  
  
  Enter Name tag, BGP ASN, Certificate ARN

- ### Create Virtual Private Gateway (VGW)
#### Create VGW
  
  
  
  Enter the name and choose the ASN


  
  
  Attach VPC

- 
  
  
  Set up the route table
  
  
  Create Static Route Table
 
 
- 
  
  
  Create Site-to-Site VPN Connection
  
  
  Create VPN Connection
 
 
  
  
  Enter and choose the VPN tunnel information

  
  
  Enter Tunnel Options

  
  
  After creating it, wait

  
  
  Download the configuration file if needed

  
  
  Part of EdgeRouter X
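ssh adm@fw
# Enter configuration mode
configure
# Enable the auto-firewall-nat-exclude feature, which automatically creates the IPsec firewall/NAT
# exclusion policies in the firewall/iptables so tunnel traffic is not NATed or dropped.
set vpn ipsec auto-firewall-nat-exclude enable
# Create the IKE / Phase 1 (P1) Security Associations (SAs) and enable Dead Peer Detection (DPD).
# NOTE: ikev1 / sha1 / dh-group 2 is a legacy suite chosen to match the AWS tunnel defaults.
# If the tunnel options on the AWS side were set to a stronger suite (IKEv2, SHA-2, a larger DH
# group), change these proposals to match -- both ends must agree or Phase 1 will not come up.
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
# DPD restarts the tunnel when the peer stops answering (15 s probes, declared dead after 30 s).
set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 dead-peer-detection interval 15
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 30
# Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS).
# As with Phase 1, the esp proposal must match the AWS tunnel options.
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
# Define the first AWS peer. <VGW_IP> is the "Outside IP" of the VGW tunnel endpoint from the
# downloaded configuration file. Use the SAME <VGW_IP> on every peer line below: each distinct
# address after "peer" creates a separate peer node, so a mismatch leaves the authenticated peer
# without an ike-group / esp-group / vti binding and the tunnel never negotiates.
set vpn ipsec site-to-site peer <VGW_IP> authentication mode pre-shared-secret
# The pre-shared secret is stored in the running configuration in clear text and is printed by
# "show vpn ipsec site-to-site peer"; redact it before sharing any config or show output.
set vpn ipsec site-to-site peer <VGW_IP> authentication pre-shared-secret <Secret_From_Download_File>
set vpn ipsec site-to-site peer <VGW_IP> connection-type initiate
set vpn ipsec site-to-site peer <VGW_IP> description ipsec-aws
# <Your_Pub_IP> is the on-premise public address that was entered as the Customer Gateway IP.
set vpn ipsec site-to-site peer <VGW_IP> local-address <Your_Pub_IP>
# Link the SAs created above to the first AWS peer and bind the VPN to a virtual tunnel interface
# (vti0). These lines previously used a different literal peer address than the lines above, which
# would have configured a second, unrelated peer; they now reference the same <VGW_IP>.
set vpn ipsec site-to-site peer <VGW_IP> ike-group FOO0
set vpn ipsec site-to-site peer <VGW_IP> vti bind vti0
set vpn ipsec site-to-site peer <VGW_IP> vti esp-group FOO0
# Configure the RFC 3927 link-local address on the virtual tunnel interface. Use the "Inside IP"
# for the Customer Gateway side of tunnel 1 from the downloaded configuration file (a /30).
set interfaces vti vti0 address 169.254.x.x/30
# Lower the TCP Maximum Segment Size (MSS) on the vti interfaces to 1379 to avoid fragmentation
# of TCP segments once the ESP overhead is added.
set firewall options mss-clamp interface-type vti
set firewall options mss-clamp mss 1379
# Route the cloud VPC CIDR over the tunnel interface
set protocols static interface-route 172.31.0.0/16 next-hop-interface vti0
# Apply the configuration and persist it across reboots
commit ; save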
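# Verify the IKE / Phase 1 group. Expected output (the closing brace of "proposal 1" was missing
# from the original transcript and has been restored):
show vpn ipsec ike-group FOO0
 dead-peer-detection {
     action restart
     interval 15
     timeout 30
 }
 ikev2-reauth no
 key-exchange ikev1
 lifetime 28800
 proposal 1 {
     dh-group 2
     encryption aes128
     hash sha1
 }
# Verify the ESP / Phase 2 group. Expected output:
show vpn ipsec esp-group FOO0
 compression disable
 lifetime 3600
 mode tunnel
 pfs enable
 proposal 1 {
     encryption aes128
     hash sha1
    }
# Verify the IPsec peer. Expected output -- note that this command prints the pre-shared secret in
# clear text (the <AWS_Secret> line below); redact it before pasting the output anywhere.
show vpn ipsec site-to-site peer
peer <AWS_VGW_IP> {
     authentication {
         mode pre-shared-secret
         pre-shared-secret <AWS_Secret>
     }
     connection-type initiate
     description ipsec-AWS
     ike-group FOO0
     local-address <Local_Pub_IP>
     vti {
         bind vti0
         esp-group FOO0
     }
 }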
    
    
 
 
 
  
  
  Wait for the tunnel to come up

  
  
  Verify

             
              