Amazon VPC

Introduction


Amazon Virtual Private Cloud is a secure and seamless bridge between a company’s existing IT infrastructure and the AWS cloud. Amazon VPC enables enterprises to connect their existing infrastructure to a set of isolated AWS compute resources via a Virtual Private Network (VPN) connection, and to extend their existing management capabilities such as security services, firewalls, and intrusion detection systems to include their AWS resources. For more information please read here.

Okapi supports creation of VPN tunnels to Amazon VPC gateway using IPSec and route forwarding using BGP.

The following diagram shows an example in which an IPSec tunnel must be established between a customer gateway running Okapi and the Amazon VPC server. The example has been taken from here. In the following, we assume that the reader is familiar with the material referenced here.


The following is the corresponding example of the configuration information you should receive from your integration team. It contains one set of information for each of the two tunnels you must configure.

The example configuration refers to two items that you must provide:

  • YOUR_UPLINK_ADDRESS : The IP address for the Internet-routable external interface on the customer gateway (which must be static and can't be behind a device performing NAT)

  • YOUR_BGP_ASN : The customer gateway's BGP ASN

The example configuration includes several dummy values we're using to help you understand how configuration works. For example, we're using dummy values for the VPN connection ID (44a8938f), VPN gateway ID (8db04f81), etc.; the IP addresses (e.g., 72.21.209.*, 169.254.255.*, etc.); and the remote ASN (7224). The actual configuration information you get will have real values in place of those dummy values.


AWS utilizes unique identifiers to manipulate the configuration of a VPN Connection. Each VPN Connection is assigned a VPN identifier and is associated with two other identifiers, namely the Customer Gateway Identifier and the VPN Gateway Identifier.

Your VPN Connection ID : vpn-44a8938f
Your VPN Gateway ID : vgw-8db04f81
Your Customer Gateway ID : cgw-b4dc3961

A VPN Connection consists of a pair of IPSec tunnel security associations (SAs). It is important that both tunnel security associations be configured.


Configuration


Okapi Router can be used to connect to Amazon Virtual Private Cloud.
There are four main parts to be configured:

  1. IKE

  2. IPsec

  3. Tunnel

  4. BGP


IKE

Internet Key Exchange (IKE) Configuration

A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman, lifetime, and key parameters.


Note that there is a global list of ISAKMP policies, each identified by a sequence number. This policy is defined as #1, which may conflict with an existing policy using the same number. If so, we recommend changing the sequence number to avoid conflicts.

Configure the IKE SA as follows for tunnel 1:

  • Authentication Method : Pre-Shared Key
  • Pre-Shared Key : plain-text-password1
  • Authentication Algorithm : sha1
  • Encryption Algorithm : aes-128-cbc
  • Lifetime : 28800 seconds
  • Phase 1 Negotiation Mode : main
  • Perfect Forward Secrecy : Diffie-Hellman Group 2


Configure the IKE SA as follows for tunnel 2:

  • Authentication Method : Pre-Shared Key
  • Pre-Shared Key : plain-text-password2
  • Authentication Algorithm : sha1
  • Encryption Algorithm : aes-128-cbc
  • Lifetime : 28800 seconds
  • Phase 1 Negotiation Mode : main
  • Perfect Forward Secrecy : Diffie-Hellman Group 2

Okapi(config)# crypto isakmp policy 1
Okapi(config-isakmp)# encryption aes128
Okapi(config-isakmp)# hash sha
Okapi(config-isakmp)# authentication pre-share
Okapi(config-isakmp)# group 2
Okapi(config-isakmp)# lifetime 28800
Okapi(config-isakmp)# exit


Pre-shared keys are used by the tunnel endpoints to authenticate each other. Configure the pre-shared keys corresponding to the two tunnels, one per VPN Gateway outside address.

Okapi(config)# crypto isakmp key plain-text-password1 address 72.21.209.225
Okapi(config)# crypto isakmp key plain-text-password2 address 72.21.209.193


IPSec


The IPSec transform set defines the encryption, authentication, and IPSec mode parameters. Configure the IPSec SA as follows:

  • Protocol : esp
  • Authentication Algorithm : hmac-sha1-96
  • Encryption Algorithm : aes-128-cbc
  • Lifetime : 3600 seconds
  • Mode : tunnel
  • Perfect Forward Secrecy : Diffie-Hellman Group 2


Okapi(config)# crypto ipsec transform-set ipsec-prop-vpn-44a8938f esp-aes128 esp-sha-hmac
Okapi(cfg-crypt-trans)# mode tunnel


Tunnel


Your Customer Gateway must be configured with two IPSec tunnels. All traffic transmitted to the tunnel is encrypted and transmitted to the VPN Gateway.

The Customer Gateway and VPN Gateway each have two addresses that relate to this IPSec tunnel. Each has an outside address, over which the encrypted traffic is exchanged. Each also has an inside address associated with the tunnel interface.

The Customer Gateway outside IP address was provided when the Customer Gateway was created. Changing the IP address requires the creation of a new Customer Gateway.

The Customer Gateway inside IP address should be configured on your tunnel interface.


Tunnel 1:

Outside IP Addresses:

  • Customer Gateway : YOUR_UPLINK_ADDRESS
  • VPN Gateway : 72.21.209.225

Inside IP Addresses:

  • Customer Gateway : 169.254.255.2/30
  • VPN Gateway : 169.254.255.1/30

Tunnel 2:

Outside IP Addresses:

  • Customer Gateway : YOUR_UPLINK_ADDRESS
  • VPN Gateway : 72.21.209.209

Inside IP Addresses:

  • Customer Gateway : 169.254.255.6/30
  • VPN Gateway : 169.254.255.5/30

Configure the traffic that is allowed to pass through the tunnel. Here 10.0.0.0/24 is the VPC CIDR block and 10.20.50.0/24 is the subnet in the private network. Add here all the traffic that you want to encrypt and pass through the tunnel; the wildcard masks (0.0.0.3 for a /30, 0.0.0.255 for a /24) are the inverse of the subnet masks.

Okapi(config)# access-list 101 permit all 169.254.255.0 0.0.0.3 169.254.255.0 0.0.0.3
Okapi(config)# access-list 101 permit all 169.254.255.0 0.0.0.3 10.0.0.0 0.0.0.255
Okapi(config)# access-list 101 permit all 10.20.50.0 0.0.0.255 10.0.0.0 0.0.0.255
Okapi(config)# access-list 102 permit all 169.254.255.4 0.0.0.3 169.254.255.4 0.0.0.3
Okapi(config)# access-list 102 permit all 169.254.255.4 0.0.0.3 10.0.0.0 0.0.0.255
Okapi(config)# access-list 102 permit all 10.20.50.0 0.0.0.255 10.0.0.0 0.0.0.255
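The access-list entries above are easy to get wrong by hand because the wildcard mask is the inverse of the netmask and the inside addresses are host addresses on a /30, not the network address. As an added example (not part of the Okapi documentation), the following Python derives the three entries for one tunnel from CIDR notation and checks that a customer-gateway/VPN-gateway inside pair really shares one /30. The `permit all` keyword and the `access-list <id>` form are taken from the transcript above; the subnets are the page's sample values.

```python
import ipaddress
from typing import List

# Added example, not Okapi's own tooling. Generates the per-tunnel access-list
# lines shown in the walkthrough from CIDR input, so the wildcard masks and the
# /30 network addresses are computed rather than typed.


def wildcard_mask(network: ipaddress.IPv4Network) -> str:
    """ACL wildcard (inverse) mask for a network: /30 -> 0.0.0.3, /24 -> 0.0.0.255."""
    return str(network.hostmask)


def same_link(cgw_inside: str, vgw_inside: str) -> bool:
    """True when the two tunnel inside addresses sit on the same /30."""
    a = ipaddress.ip_interface(cgw_inside)
    b = ipaddress.ip_interface(vgw_inside)
    return a.network == b.network and a.network.prefixlen == 30


def tunnel_acl(acl_id: int, cgw_inside: str, vpc_cidr: str, onprem_cidr: str) -> List[str]:
    """Return the three 'permit all' entries for one tunnel, in the transcript's order."""
    # 169.254.255.2/30 is a host address; the ACL needs its network, 169.254.255.0/30.
    inside = ipaddress.ip_interface(cgw_inside).network
    vpc = ipaddress.ip_network(vpc_cidr)
    onprem = ipaddress.ip_network(onprem_cidr)
    pairs = [
        (inside, inside),  # traffic between the two inside addresses (the BGP session)
        (inside, vpc),     # from the tunnel inside address into the VPC
        (onprem, vpc),     # the private subnet into the VPC
    ]
    return [
        f"access-list {acl_id} permit all "
        f"{src.network_address} {wildcard_mask(src)} {dst.network_address} {wildcard_mask(dst)}"
        for src, dst in pairs
    ]


if __name__ == "__main__":
    # Sample values from the walkthrough: tunnel 1 uses 169.254.255.2/30, tunnel 2 169.254.255.6/30.
    assert same_link("169.254.255.2/30", "169.254.255.1/30")
    for line in tunnel_acl(101, "169.254.255.2/30", "10.0.0.0/24", "10.20.50.0/24"):
        print(line)
    for line in tunnel_acl(102, "169.254.255.6/30", "10.0.0.0/24", "10.20.50.0/24"):
        print(line)
```

Running the script prints exactly the six `access-list` lines of the transcript; `same_link` returning False for a pair such as 169.254.255.2/30 and 169.254.255.5/30 is the usual sign that the two tunnels' inside addresses have been swapped.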

Configure a crypto map "amazon" with two tunnels.


Okapi(config)# crypto map amazon 0 ipsec-isakmp
Okapi(config-crypto-map)# match address 101
Okapi(config-crypto-map)# set transform-set ipsec-prop-vpn-44a8938f
Okapi(config-crypto-map)# set peer 72.21.209.225
Okapi(config-crypto-map)# exit
Okapi(config)# crypto map amazon 1 ipsec-isakmp
Okapi(config-crypto-map)# match address 102
Okapi(config-crypto-map)# set transform-set ipsec-prop-vpn-44a8938f
Okapi(config-crypto-map)# set peer 72.21.209.193
Okapi(config-crypto-map)# exit
Okapi(config)# interface FastEthernet 0
Okapi(config-if-eth)# ip address YOUR_UPLINK_ADDRESS
Okapi(config-if-eth)# ip address 169.254.255.2/30
Okapi(config-if-eth)# ip address 169.254.255.6/30
Okapi(config-if-eth)# crypto map amazon
Okapi(config-if-eth)# exit

BGP

The Border Gateway Protocol (BGPv4) is used within the tunnel, between the inside IP addresses, to exchange routes from the VPC to your home network. Each BGP router has an Autonomous System Number (ASN). Your ASN was provided to AWS when the Customer Gateway was created.

BGP Configuration Options:

Tunnel 1:

  • Customer Gateway ASN : YOUR_BGP_ASN
  • VPN Gateway ASN : 7224
  • Neighbor IP Address : 169.254.255.1
  • Neighbor Hold Time : 30

Tunnel 2:

  • Customer Gateway ASN : YOUR_BGP_ASN
  • VPN Gateway ASN : 7224
  • Neighbor IP Address : 169.254.255.5
  • Neighbor Hold Time : 30

Okapi(config)# router bgp YOUR_BGP_ASN
Okapi(config-router)# bgp router-id 1.2.3.4
Okapi(config-router)# neighbor 169.254.255.1 remote-as 7224
Okapi(config-router)# neighbor 169.254.255.1 timers 10 30
Okapi(config-router)# neighbor 169.254.255.1 timers connect 10
Okapi(config-router)# neighbor 169.254.255.1 default-originate
Okapi(config-router)# neighbor 169.254.255.1 soft-reconfiguration inbound
Okapi(config-router)# neighbor 169.254.255.5 remote-as 7224
Okapi(config-router)# neighbor 169.254.255.5 timers 10 30
Okapi(config-router)# neighbor 169.254.255.5 timers connect 10
Okapi(config-router)# neighbor 169.254.255.5 default-originate
Okapi(config-router)# neighbor 169.254.255.5 soft-reconfiguration inbound
Okapi(config-router)# exit