Hello everyone! 🤓
As the Cloud grows, we Network Engineers need to create a connection between our On-Premises Data Center (DC) and the Cloud environment. There are many options to establish a connection between them, but let's focus on creating an AWS Site-to-Site VPN with a Cisco router, with the BGP routing protocol enabled to exchange network prefixes.
As I don't have an on-premises DC environment available, we are going to simulate our DC inside the AWS cloud, and our edge device on the DC side will be a Cisco CSR 1000V running IOS XE. So if you need to create a Site-to-Site VPN between the AWS cloud and your DC using a Cisco router, this post is for you.
The diagram below shows our proposed scenario. On the left side we have the AWS environment with a VPC, a private subnet, an EC2 instance to test connectivity, and a Transit Gateway (TGW) to concentrate the connections to our VPC and the site-to-site VPN. On the right side we simulate the corporate DC, as said before. As the Customer Gateway, or edge device, we will use a Cisco CSR 1000V; it will have one interface in the public subnet, which needs a public IP address attached to it, and one interface in the private subnet. This private subnet simulates our internal network, where our internal services live.
Proposed topology:
Note: I assume you know how to create the EC2 instance, VPC, subnets, security groups, route tables, Transit Gateway, and so on, so this post will concentrate only on deploying the site-to-site VPN on AWS and on the settings needed on the Cisco router to bring the tunnels up.
Deployment steps:
1 - Create the customer gateway on the AWS side;
2 - Create a Site-to-Site VPN on the AWS side;
3 - Check the Transit Gateway Attachment created on the Site-to-Site VPN deployment;
4 - Create a Transit Gateway Route table for the Site-to-Site VPN;
5 - Setup the Site-to-Site VPN on the Cisco Router;
6 - Setup the BGP protocol on the Cisco Router;
7 - Check the routes learned on the AWS and Cisco router side;
8 - Test connectivity.
Those are the steps to deploy a site-to-site VPN for the proposed scenario, so let's get started! 🙂
1 - Create the customer gateway on the AWS side
Our customer gateway is the Cisco CSR 1000V on the on-premises network. As with every site-to-site VPN deployment, we need to know the peer address of the device we want to establish the VPN connection with and, since we will use the BGP routing protocol, its BGP AS number. With this public IP address and AS number in hand, we can create the customer gateway.
Customer Gateway IP address: 3.132.131.135
BGP AS number: 65000
Now, let's go to the VPC dashboard, and in the Virtual private network (VPN) section, click on "Customer gateways". To create the customer gateway, click on the Create customer gateway button.
Define the name, peer address and AS number as per the customer information, and finally click on the Create customer gateway button.
Okay, once it's created, let's move on to the next step.
2 - Create a Site-to-Site VPN on the AWS side
On the VPC dashboard, in the Virtual private network (VPN) section, click on "Site-to-Site VPN connections". To create a site-to-site VPN, click on the Create VPN connection button.
Define the name, and choose the Transit Gateway and the Customer gateway created in the previous step.
Select BGP as the routing option and IPv4 as the tunnel IP version. There are further options to improve VPN performance and to define which networks are allowed over the VPN tunnels; as this is an example, let's keep the defaults, but for production connections it's important to enable and define these settings to improve performance and restrict the networks allowed inside the tunnels.
In the Tunnel 1 and Tunnel 2 options you can define the Phase 1 and Phase 2 settings, such as encryption, integrity, Diffie-Hellman group, IKE version, lifetime and other standard IPsec VPN settings. For now let's keep these options at their defaults and click on the Create VPN connection button.
After some minutes the VPN connection moves from pending to available, but the tunnels will still show as down on the Tunnels tab because we haven't set up the VPN on the CSR 1000V side yet.
To help with the router settings on the DC side, we download the configuration as shown below.
There are many vendors to choose from, but for now let's select the generic device and choose the IKE version. In this case I chose ikev2 (safer than ikev1) and downloaded the settings.
To provide high availability with the same peer, AWS creates two tunnels for each VPN connection, so in this file you will find the information for each tunnel: Pre-shared Key, Authentication, Encryption, Lifetime, DH group and the other VPN settings.
But before moving on to the router settings on the on-premises DC side, let's check some other settings on the AWS side.
3 - Check the Transit Gateway Attachment created on the Site-to-Site VPN deployment
On the VPC dashboard, in the Transit gateways section, click on Transit gateway attachments (TGW attachments). With the VPN ID of the VPN connection created, you can filter for the TGW attachment assigned to that VPN connection.
4 - Create a Transit Gateway Route table for the Site-to-Site VPN
On the VPC dashboard, in the Transit gateways section, click on Transit gateway route tables (TGW route tables). Let's create a TGW route table and associate it with the TGW attachment checked in the previous step. Click on the Create transit gateway route table button.
Define a name and assign it to the Transit Gateway.
After creating it, let's associate the TGW attachment with this TGW route table. Filter the TGW route table, select it, click on the Associations tab, and click on the Create association button.
Select the TGW attachment of the VPN connection created and click on the Create button.
Now, on the Propagations tab, let's propagate the routes of our internal VPC (10.100.0.0/16) and the customer routes learned via BGP. So, let's enable propagation for both the TGW attachment of the VPN and the TGW attachment of the application VPC.
VPN TGW attachment:
VPC application TGW attachment:
TGW attachments assigned to the VPN TGW route table.
Now, let's move on to the settings on the Cisco router side, in the on-premises DC.
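The same four AWS-side steps driven from the AWS CLI, as an added example that is not part of the original post. It also sets the production options the post leaves at default: IKEv2 only, restricted Phase 1/Phase 2 algorithms matching the router's transform set and PFS group, and traffic selectors limited to the two sites. The AWS CLI calls, credentials and region, the TGW and VPC attachment IDs (placeholders), and the on-premises summary 10.200.0.0/16 are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: the AWS CLI form of steps 1-4 with the
# production options the post leaves at default. Assumes AWS CLI v2 and credentials
# for the region; TGW_ID and VPC_ATTACHMENT_ID are placeholders; other values are the post's.
TGW_ID="${TGW_ID:-tgw-PLACEHOLDER}"
VPC_ATTACHMENT_ID="${VPC_ATTACHMENT_ID:-tgw-attach-PLACEHOLDER}"
CGW_IP="${CGW_IP:-3.132.131.135}"      # customer gateway public IP (step 1)
CGW_ASN="${CGW_ASN:-65000}"            # on-prem BGP ASN (step 1)
AWS_CIDR="${AWS_CIDR:-10.100.0.0/16}"  # application VPC range
DC_CIDR="${DC_CIDR:-10.200.0.0/16}"    # assumed summary covering 10.200.1.0/24 and 10.200.50.0/24
# Per-tunnel crypto: IKEv2 only, AES-256/SHA2-256/DH group 20 for Phase 1, SHA2-256
# and PFS group 20 for Phase 2. AES128 stays allowed in Phase 2 because the post's
# transform-set "esp-aes esp-sha256-hmac" negotiates AES-128. The Phase 1 values
# must also be offered by an explicit "crypto ikev2 proposal" on the router.
tunnel_opts() {
  printf '%s%s%s%s' '{"IKEVersions":[{"Value":"ikev2"}],' \
    '"Phase1EncryptionAlgorithms":[{"Value":"AES256"}],"Phase1IntegrityAlgorithms":[{"Value":"SHA2-256"}],' \
    '"Phase1DHGroupNumbers":[{"Value":20}],"Phase2EncryptionAlgorithms":[{"Value":"AES128"},{"Value":"AES256"}],' \
    '"Phase2IntegrityAlgorithms":[{"Value":"SHA2-256"}],"Phase2DHGroupNumbers":[{"Value":20}],"DPDTimeoutAction":"restart"}'
}
# Whole --options document: both tunnels hardened alike, and the traffic selectors
# narrowed to the two networks instead of the default 0.0.0.0/0 on each side.
vpn_options_json() {
  printf '{"StaticRoutesOnly":false,"LocalIpv4NetworkCidr":"%s","RemoteIpv4NetworkCidr":"%s","TunnelOptions":[%s,%s]}' \
    "$AWS_CIDR" "$DC_CIDR" "$(tunnel_opts)" "$(tunnel_opts)"
}
apply() {
  cgw_id=$(aws ec2 create-customer-gateway --type ipsec.1 --public-ip "$CGW_IP" \
    --bgp-asn "$CGW_ASN" --query CustomerGateway.CustomerGatewayId --output text)
  vpn_id=$(aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id "$cgw_id" \
    --transit-gateway-id "$TGW_ID" --options "$(vpn_options_json)" \
    --query VpnConnection.VpnConnectionId --output text)
  # Step 3: the TGW attachment AWS created for this VPN connection.
  vpn_att=$(aws ec2 describe-transit-gateway-attachments --filters "Name=resource-id,Values=$vpn_id" \
    --query 'TransitGatewayAttachments[0].TransitGatewayAttachmentId' --output text)
  # Step 4: dedicated route table (an attachment associates with only one table, so this
  # assumes default association is off on the TGW), propagating VPN and VPC attachments.
  rt_id=$(aws ec2 create-transit-gateway-route-table --transit-gateway-id "$TGW_ID" \
    --query TransitGatewayRouteTable.TransitGatewayRouteTableId --output text)
  aws ec2 associate-transit-gateway-route-table --transit-gateway-route-table-id "$rt_id" \
    --transit-gateway-attachment-id "$vpn_att"
  for att in "$vpn_att" "$VPC_ATTACHMENT_ID"; do
    aws ec2 enable-transit-gateway-route-table-propagation \
      --transit-gateway-route-table-id "$rt_id" --transit-gateway-attachment-id "$att"
  done
  echo "vpn=$vpn_id attachment=$vpn_att route-table=$rt_id"
}
if [ "${1:-}" = apply ]; then apply; fi
```

Run it with the argument `apply` to execute the calls; without arguments it only defines the functions, so the options document can be inspected first with `vpn_options_json`.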
5 - Setup the Site-to-Site VPN on the Cisco Router
Note: In this part, let's focus on the IPsec VPN on the Cisco router side; the idea here is not to detail each command.
Let's specify a pre-shared key for each peer on the AWS side. The IKEv2 keyring holds the pre-shared keys used for IKEv2 negotiation.
Let's check the settings in the file downloaded in Step #2.
Peer address and Pre-shared Key related to tunnel #1:
Pre-shared Key related to tunnel #2:
Based on this information, let's set it in configuration mode.
!
crypto ikev2 keyring AWS-KEYRING
! Tunnel 1
peer vpn-aws-x-dc-tunnel1
address 3.223.8.46
pre-shared-key cN5zi29A3lJ_lqLUsOYiEkXFeypiW3F8
!
! Tunnel 2
peer vpn-aws-x-dc-tunnel2
address 34.236.4.200
pre-shared-key GFfKIgr6LGmJlOR5bGCUAQq8pvEFHQ3q
!
!
Let's create the IKEv2 profile:
!
crypto ikev2 profile AWS-US-EAST2-PROFILE
match address local interface GigabitEthernet1
match identity remote address 3.223.8.46 255.255.255.255
match identity remote address 34.236.4.200 255.255.255.255
authentication remote pre-share
authentication local pre-share
keyring local AWS-KEYRING
lifetime 28800
dpd 30 5 periodic
exit
!
Note: Replace GigabitEthernet1 with your external interface. This profile does not define a crypto ikev2 proposal or policy, so the router negotiates Phase 1 with its platform default proposal; to pin the Phase 1 algorithms to the values in the downloaded file, add an explicit IKEv2 proposal and policy.
Now, let's specify the security policy for the traffic (the IPsec transform set):
!
crypto ipsec transform-set AWS-TS esp-aes esp-sha256-hmac
mode tunnel
exit
!
Create the IPsec profile that is invoked in IKE Phase 2:
!
crypto ipsec profile AWS-VTI
set transform-set AWS-TS
set pfs group20
set ikev2-profile AWS-US-EAST2-PROFILE
!
Define the tunnel interfaces:
Go back to the file downloaded in Step #2, and let's see the Inside IP Addresses related to tunnel #1.
Let's see the Inside IP Addresses related to tunnel #2.
!
interface Tunnel30
description AWS-US-EAST2-Tunnel1
ip address 169.254.29.170 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1350
keepalive 10 6
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 3.223.8.46
tunnel protection ipsec profile AWS-VTI
no shut
!
!
interface Tunnel40
description AWS-US-EAST2-Tunnel2
ip address 169.254.254.222 255.255.255.252
ip mtu 1400
ip tcp adjust-mss 1350
keepalive 10 6
tunnel source GigabitEthernet1
tunnel mode ipsec ipv4
tunnel destination 34.236.4.200
tunnel protection ipsec profile AWS-VTI
no shut
!
!
After that, we can see the tunnel interfaces up, and the IPsec VPN up as well.
6 - Setup the BGP protocol on the Cisco Router
Once the VPN tunnels are up, we can run the commands below to establish the BGP neighbors over both tunnels.
!
router bgp 65000
bgp log-neighbor-changes
bgp graceful-restart
address-family ipv4 unicast
! Tunnel 1
neighbor 169.254.29.169 remote-as 64512
neighbor 169.254.29.169 ebgp-multihop 255
neighbor 169.254.29.169 activate
!
! Tunnel 2
neighbor 169.254.254.221 remote-as 64512
neighbor 169.254.254.221 ebgp-multihop 255
neighbor 169.254.254.221 activate
!
network 10.200.50.0 mask 255.255.255.0
network 10.200.1.0 mask 255.255.255.0
no auto-summary
no synchronization
exit-address-family
exit
!
7 - Check the routes learned on the AWS and Cisco router side
After that, we can see the neighbors established and the route 10.100.0.0/16 learned via BGP.
We can also check the status on the AWS side.
VPN tunnels and BGP running
and also see the route in the TGW route table associated with the VPN connection.
8 - Test connectivity.
As the VPN tunnels are up and the routes have been learned, we can test connectivity.
From an EC2 instance on the AWS side, which belongs to the 10.100.1.0/24 network, to the VM on the DC side, which belongs to the 10.200.1.0/24 network. As you can see in the screenshot below, the connection was established.
I hope you liked the procedure, and if you have any issues, please let me know.