08-03-2010 07:41 AM
Hi all,
I'm planning to create a site-to-site VPN with an Amazon Virtual Private Cloud (VPC). Our current gateway is a Cisco ASA 5520, which we had previously set up with multiple site-to-site VPNs with no problem. While finding out more about the Amazon VPC, a guy on the Amazon forums says that the ASA 5520 cannot support a site-to-site with a VPC because it doesn't support the required features, namely binding tunnels to logical interfaces (route-based VPN). Is this true? It's a bit irritating if it can't, because the ASA was very expensive. If this is true, is there anything that can be done? I have a spare Cisco 3600 router lying around; could that be used?
Amazon generates a Cisco config file once you have created a VPC, to be used as a guide, but our ASA doesn't seem to be having any of it:
VPNCONNECTION vpn-83f5ddf7 available ipsec.1 cgw-7ff6de0b vgw-17f6de63
! Amazon Web Services
! Virtual Private Cloud
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and VPN Gateway Identifier.
!
! Your VPN Connection ID : vpn-xxxxx
! Your VPN Gateway ID : vgw-xxxxx
! Your Customer Gateway ID : cgw-xxxxx
!
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
! Note that there is a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #200, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto isakmp policy 200
encryption aes 128
authentication pre-share
group 2
lifetime 28800
hash sha
exit
! The ISAKMP keyring stores the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
crypto keyring keyring-vpn-83f5ddf7-0
pre-shared-key address x.x.x.x key xxxxxxxxxxxxxxxx
exit
! An ISAKMP profile is used to associate the keyring with the particular
! endpoint.
!
crypto isakmp profile isakmp-vpn-xxxxxxx
match identity address x.x.x.x
keyring keyring-vpn-xxxxxxx
exit
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
crypto ipsec transform-set ipsec-prop-vpn-xxxxxxxx esp-aes 128 esp-sha-hmac
mode tunnel
exit
! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-xxxxxxxx
set pfs group2
set security-association lifetime seconds 3600
set transform-set ipsec-prop-vpn-xxxxxx
exit
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
crypto isakmp keepalive 10 10 on-demand
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
!
crypto ipsec fragmentation before-encryption
! #3: Tunnel Interface Configuration
!
! This configuration assumes the presence of an internal
! Virtual Routing and Forwarding (VRF) instance. For more details, see the
! associated diagram. Here, we assume the internal VRF is named "YOUR_VRF".
!
ip vrf YOUR_VRF
rd 1:1
exit
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! The interface is a member of the internal routing instance (YOUR_VRF).
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! This example shows the outside of the tunnel as interface FastEthernet0.
!
! This should be set to the interface that IP address 213.121.253.125 is
! associated with.
!
! This address is configured with the setup for your Customer Gateway.
!
! If the address changes, the Customer Gateway and VPN Connection must be
! recreated with AWS.
!
interface Tunnel1
ip vrf forwarding YOUR_VRF
ip address 169.254.254.2 255.255.255.252
ip virtual-reassembly
tunnel source FastEthernet0
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-xxxxxxxx
! This option causes the router to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
ip tcp adjust-mss 1396
no shutdown
exit
! --------------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! VPN Gateway and your Customer Gateway. The VPN Gateway
! will announce the prefix corresponding to your VPC.
!
! Your Customer Gateway must announce a default route (0.0.0.0/0),
! which can be done with the 'network' and 'default-originate' statements.
! Only one prefix is accepted by the VPN Gateway.
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (65212) is configured
! as part of your Customer Gateway. If the ASN must be changed, the
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!
router bgp 65212
neighbor 169.254.254.1 remote-as 9059
neighbor 169.254.254.1 activate
neighbor 169.254.254.1 timers 10 30 30
address-family ipv4 unicast vrf YOUR_VRF
neighbor 169.254.254.1 remote-as 9059
neighbor 169.254.254.1 timers 10 30 30
neighbor 169.254.254.1 default-originate
neighbor 169.254.254.1 activate
neighbor 169.254.254.1 soft-reconfiguration inbound
network 0.0.0.0
exit
exit
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
! Note that there is a global list of ISAKMP policies, each identified by
! sequence number. This policy is defined as #201, which may conflict with
! an existing policy using the same number. If so, we recommend changing
! the sequence number to avoid conflicts.
!
crypto isakmp policy 201
encryption aes 128
authentication pre-share
group 2
lifetime 28800
hash sha
exit
! The ISAKMP keyring stores the Pre Shared Key used to authenticate the
! tunnel endpoints.
!
crypto keyring keyring-vpn-xxxxxxx
pre-shared-key address x.x.x.x key xxxxxxxxxxxxxx
exit
! An ISAKMP profile is used to associate the keyring with the particular
! endpoint.
!
crypto isakmp profile isakmp-vpn-xxxxxxx
match identity address x.x.x.x
keyring keyring-vpn-xxxxxxx
exit
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
crypto ipsec transform-set ipsec-prop-vpn-xxxxxxxx esp-aes 128 esp-sha-hmac
mode tunnel
exit
! The IPSec profile references the IPSec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-xxxxxxxx
set pfs group2
set security-association lifetime seconds 3600
set transform-set ipsec-prop-vpn-xxxxxxx
exit
! Additional parameters of the IPSec configuration are set here. Note that
! these parameters are global and therefore impact other IPSec
! associations.
! This option instructs the router to clear the "Don't Fragment"
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
crypto isakmp keepalive 10 10 on-demand
! This configures the gateway's window for accepting out of order
! IPSec packets. A larger window can be helpful if too many packets
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128
! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
!
crypto ipsec fragmentation before-encryption
! #3: Tunnel Interface Configuration
!
! This configuration assumes the presence of an internal
! Virtual Routing and Forwarding (VRF) instance. For more details, see the
! associated diagram. Here, we assume the internal VRF is named "YOUR_VRF".
!
ip vrf YOUR_VRF
rd 1:1
exit
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! The interface is a member of the internal routing instance (YOUR_VRF).
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! This example shows the outside of the tunnel as interface FastEthernet0.
!
! This should be set to the interface that IP address x.x.x.x is
! associated with.
!
! This address is configured with the setup for your Customer Gateway.
!
! If the address changes, the Customer Gateway and VPN Connection must be
! recreated with AWS.
!
interface Tunnel2
ip vrf forwarding YOUR_VRF
ip address 169.254.254.6 255.255.255.252
ip virtual-reassembly
tunnel source FastEthernet0
tunnel destination x.x.x.x
tunnel mode ipsec ipv4
tunnel protection ipsec profile ipsec-vpn-xxxxxxxx
! This option causes the router to reduce the Maximum Segment Size of
! TCP packets to prevent packet fragmentation.
ip tcp adjust-mss 1396
no shutdown
exit
! --------------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! VPN Gateway and your Customer Gateway. The VPN Gateway
! will announce the prefix corresponding to your VPC.
!
! Your Customer Gateway must announce a default route (0.0.0.0/0),
! which can be done with the 'network' and 'default-originate' statements.
! Only one prefix is accepted by the VPN Gateway.
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (65212) is configured
! as part of your Customer Gateway. If the ASN must be changed, the
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!
router bgp 65212
neighbor 169.254.254.5 remote-as 9059
neighbor 169.254.254.5 activate
neighbor 169.254.254.5 timers 10 30 30
address-family ipv4 unicast vrf YOUR_VRF
neighbor 169.254.254.5 remote-as 9059
neighbor 169.254.254.5 timers 10 30 30
neighbor 169.254.254.5 default-originate
neighbor 169.254.254.5 activate
neighbor 169.254.254.5 soft-reconfiguration inbound
network 0.0.0.0
exit
exit
!
! To establish connectivity between your internal network and your VPC, you
! must have an interface facing your internal network in the "YOUR_VRF" VRF.
! This is done using configuration like that shown below.
!interface FastEthernet1
! ip vrf forwarding YOUR_VRF
!exit
! Additional Notes and Questions
! - Amazon Virtual Private Cloud Getting Started Guide:
! http://docs.amazonwebservices.com/AWSVPC/latest/GettingStartedGuide
! - Amazon Virtual Private Cloud Network Administrator Guide:
! http://docs.amazonwebservices.com/AWSVPC/latest/NetworkAdminGuide
! - XSL Version: 2009-07-15-207071
VPNCONNECTION vpn-xxxxx deleted ipsec.1 xxxxx vgw-xxxxxx
Any help would be much appreciated.
Regards
Paul.
08-03-2010 07:52 AM
You are absolutely correct. ASA does not support VRF, nor GRE tunnel, nor BGP configuration.
The config file that has been posted will work well on a Cisco router, and yes, you can use the 3600 router that you have to run the GRE over IPSec on VRF configuration.
08-03-2010 07:59 AM
Thanks for the quick reply mate.
So would I use the 3600 in conjunction with the ASA? This would be preferable as our remote client VPN is set up on the ASA. I'm guessing that I would put the 3600 as the gateway and have the ASA sit behind it?
08-03-2010 08:07 AM
That probably needs to be looked into a little bit more in terms of routing, etc.
You can place the router's outside interface in parallel with the ASA, and have all traffic that has been decrypted on the router passed through to the ASA for another layer of security. However, you would need to design all the IP addressing beforehand to make sure that routing does not break.
08-03-2010 11:50 AM
Hi halijenn
Thanks for replying again. I have created a network diagram of my interpretation of the setup. Would you mind having a quick look? (See attached image).
We have 2 public IP addresses at our office, and have previously run two firewalls in tandem. My understanding is that I would keep our current ASA as it is (acting as a general gateway for the office and a remote client VPN) on our first public IP address and then add the 3600 as a second gateway on our second public IP, create all the VPC tunnelling with the 3600, and then create a route on the ASA stating that any office traffic destined for the VPC should go via the 3600. Would this be plausible?
Also, does the 3600 do everything required for the VPC connection or will I need additional hardware/software to make the VPC communicate with the office network?
Kind regards
Paul.
08-04-2010 08:21 AM
Yup, that design will work. Just kindly make sure that there is no overlap in network subnets; otherwise, routing will not work.
In regards to hardware, you shouldn't need anything else. With the software, you would need to upgrade it to a version of software that supports VRF-aware IPSec and BGP. Something like 12.4(24)T (latest T train) should be fine.
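The two-gateway layout agreed above (the ASA stays the office default gateway and remote-access VPN endpoint; the 3600 terminates the VPC tunnels and is the next hop for VPC-bound traffic), written out as an added configuration sketch. This is not part of the thread and not Amazon's generated file; the VRF name YOUR_VRF and the tunnel/BGP configuration are those of the Amazon file posted above, while the VPC CIDR 10.0.0.0/16, the office LAN 192.168.1.0/24, the ASA inside address 192.168.1.1 and the 3600 LAN address 192.168.1.2 are constructed placeholders.

```text
! --- Cisco 3600 (IOS), added on top of the Amazon-generated tunnel/BGP config ---
! The LAN-facing interface goes into the same VRF as Tunnel1/Tunnel2, so the
! office subnet and the VPC prefix learned over BGP share one routing table.
interface FastEthernet1
 ip vrf forwarding YOUR_VRF
 ip address 192.168.1.2 255.255.255.0   ! constructed placeholder address
 no shutdown
!
! Checks once both tunnels are up (10.0.0.0/16 is the placeholder VPC CIDR):
!   show crypto session                    -> Tunnel1 and Tunnel2 UP-ACTIVE
!   show ip bgp vpnv4 vrf YOUR_VRF         -> 10.0.0.0/16 from 169.254.254.1 and .5
!   show ip route vrf YOUR_VRF 10.0.0.0    -> next hop via Tunnel1 or Tunnel2

! --- Cisco ASA: hand VPC-bound office traffic to the 3600 ---
route inside 10.0.0.0 255.255.0.0 192.168.1.2
! That route sends traffic back out the interface it arrived on, which the
! ASA refuses unless intra-interface forwarding is permitted:
same-security-traffic permit intra-interface
```

Note the asymmetry this creates: hosts whose default gateway is the ASA send VPC-bound packets to the ASA, which hairpins them to the 3600, but the replies come back from the 3600 straight to the host, so the ASA sees only one direction of each flow and cannot inspect it statefully. If the ASA must see both directions, put the VPC route on the hosts or on a layer-3 switch instead, so the ASA is out of that path entirely; either way, make sure the ASA does not apply NAT to the 10.0.0.0/16 traffic and that no office subnet overlaps the VPC CIDR, which is the overlap caveat above.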
02-20-2014 12:58 PM
I know that this thread is 4 years old, but I just wanted to make sure that this is still not the case. My understanding is that the Cisco ASA (5505 with version 8.4.7 specifically) can be used to connect to an Amazon VPC VPN. Am I correct?
Thanks in advance if you answer me
08-17-2015 06:42 AM
Did you find out about this? I have an ASA 5520.
08-17-2015 02:12 PM
Yes I found out about the 5505. It will not work. Threw the 5505 away and installed a free copy of pfSense BSD firewall. It has been more stable than my Sonicwall for connecting to our AWS VPC.