Let's connect VPN between AWS and home NW (RTX1100)
Hello everyone.
My name is Hirata and I belong to the Operations Management Division of the System Solutions Department.
This time, I will introduce how to connect AWS and my home NW (RTX1100) with a VPN.
Background
The other day, I was in charge of a local VPN connection with AWS for a certain project, and I was curious, so I tried making a VPN connection between my home NW and AWS.
It went well, so I decided to write it up as a blog article.
AWS side
* This assumes an EC2 instance has already been created in the VPC.
Create virtual private gateway
Follow the steps below to enter the virtual private gateway creation screen.
AWS Management Console -> VPC -> Virtual Private Gateway -> Create Virtual Private Gateway
Configure as shown in the screen below.
The name tag is optional. For ASN, select "Amazon Default ASN" (this is the AS number, 64512, that the router will peer with).
After creating the virtual private gateway, attach it to the existing VPC as shown in the screen below.
Creating a customer gateway
Follow the steps below to enter the customer gateway creation screen.
AWS Management Console -> VPC -> Customer Gateway -> Create Customer Gateway
Configure as shown in the screen below.
Set the name as desired. For routing, select "Dynamic" because we will use BGP as the routing protocol this time. Leave the BGP ASN at the default of 65000; this value must match the bgp autonomous-system setting on the router. For the IP address, enter the public IP address of your home NW.
Setting up a VPN connection
Follow the steps below to enter the VPN connection creation screen.
AWS Management Console -> VPC -> Site-to-Site VPN Connections -> Create VPN Connection
Configure as shown in the screen below.
Set the name as desired. Select the virtual private gateway you created earlier. For Customer Gateway ID, select the customer gateway you created earlier. Select "Dynamic" as the routing option.
There is also a section called tunnel options; this time I left it blank and there was no problem.
Download the config to set on your home NW router
Download the config to be set on your home NW router by following the steps below.
AWS Management Console -> VPC -> Site-to-Site VPN Connection -> Download Configuration
This time we will be using YAMAHA's RTX1100, so download the config as shown in the screen below.
Configure route table
Follow the steps below to move to the route table screen.
AWS Management Console -> VPC -> Route Table
Click the "Route Propagation" tab and click the "Edit Route Propagation" button as shown in the screen below.
The virtual private gateway you created earlier is displayed, so tick its checkbox and save. With propagation enabled, the prefix the router advertises over BGP (the home LAN) is installed in this route table automatically, so no static route back to the home NW is needed.
Home NW router settings
Modify the downloaded config
Set the config you downloaded earlier on your home NW router.
However, two settings in the downloaded config need to be modified.
Correction point 1
ipsec ike local address 1 (home NW public IP address)
The downloaded config puts the customer gateway's public IP address in this line, and in the matching ipsec ike local address 2 line for the second tunnel. Change both to the private IP address set on the router's LAN interface; this is the value that appears in the final config later in this article.
In my case I changed it to 192.168.253.1.
Correction point 2
bgp import filter 1 equal 0.0.0.0/0
Change "0.0.0.0/0" to the network address of the LAN. This filter selects which static routes the router imports into BGP (via bgp import 64512 static filter 1) and therefore which prefix is advertised to AWS; it should be the LAN prefix only, not the default route.
In my case I changed it to 192.168.253.0/24.
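To make the two corrections repeatable, here is a small script that applies them to a downloaded AWS config and refuses to proceed if either correction did not take. This is an added example written for this article, not code from the original post or from AWS or Yamaha; the sample config embedded in it is a constructed excerpt that mirrors the lines AWS generates for the RTX series, and the public address 203.0.113.10 is a placeholder for the home NW public IP, not a value from the article.

```python
"""Apply the article's two corrections to an AWS-generated Yamaha RTX config.

Added example, not the article's or AWS's own code. The config below is a
constructed excerpt; 203.0.113.10 is an assumed placeholder for the customer
gateway (home NW) public IP.
"""
import ipaddress
import re

# Constructed sample: the relevant lines of a downloaded AWS config for RTX.
SAMPLE_CONFIG = """\
tunnel select 1
 ipsec tunnel 201
  ipsec ike local address 1 203.0.113.10
  ipsec ike remote address 1 52.193.39.138
 ip tunnel address 169.254.24.102/30
 ip tunnel remote address 169.254.24.101
 tunnel enable 1
tunnel select 2
 ipsec tunnel 202
  ipsec ike local address 2 203.0.113.10
  ipsec ike remote address 2 52.196.197.66
 ip tunnel address 169.254.25.218/30
 ip tunnel remote address 169.254.25.217
 tunnel enable 2
bgp use on
bgp autonomous-system 65000
bgp import filter 1 equal 0.0.0.0/0
bgp import 64512 static filter 1
"""

LOCAL_ADDR_RE = re.compile(r"^(\s*ipsec ike local address \d+ )(\S+)\s*$")
IMPORT_FILTER_RE = re.compile(r"^(\s*bgp import filter \d+ equal )(\S+)\s*$")


def patch_config(config: str, public_ip: str, lan_addr: str, lan_net: str) -> str:
    """Return the config with both corrections applied.

    Correction 1: every 'ipsec ike local address N <public_ip>' becomes the LAN address.
    Correction 2: 'bgp import filter N equal 0.0.0.0/0' becomes the LAN network.
    Raises ValueError if the inputs are inconsistent or a correction did not apply.
    """
    lan_ip = ipaddress.ip_address(lan_addr)
    net = ipaddress.ip_network(lan_net, strict=True)  # rejects host bits set in the prefix
    if lan_ip not in net:
        raise ValueError(f"{lan_addr} is not inside {lan_net}")

    out, n_local, n_filter = [], 0, 0
    for line in config.splitlines():
        m = LOCAL_ADDR_RE.match(line)
        if m and m.group(2) == public_ip:
            line = m.group(1) + str(lan_ip)
            n_local += 1
        m = IMPORT_FILTER_RE.match(line)
        if m and m.group(2) == "0.0.0.0/0":
            line = m.group(1) + str(net)
            n_filter += 1
        out.append(line)

    if n_local == 0:
        raise ValueError(f"no 'ipsec ike local address' line carried {public_ip}")
    if n_filter != 1:
        raise ValueError("expected exactly one 'bgp import filter ... equal 0.0.0.0/0' line")
    return "\n".join(out) + "\n"


def advertised_prefixes(config: str) -> list:
    """Prefixes the router would announce to AWS through its bgp import filter lines."""
    return [m.group(2) for m in map(IMPORT_FILTER_RE.match, config.splitlines()) if m]


if __name__ == "__main__":
    patched = patch_config(SAMPLE_CONFIG, "203.0.113.10", "192.168.253.1", "192.168.253.0/24")
    print(patched)
    print("advertised to AWS:", advertised_prefixes(patched))
```

Run it with the public IP that AWS embedded, the router's LAN address and the LAN prefix; the check that the LAN address lies inside the LAN prefix catches the common slip of editing one of the two lines with the wrong network.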
Set config
Set the above modified config on the router.
This time I will write the final router config.
[aws_test]# show config
# RTX1100 Rev.8.03.94 (Thu Dec 5 19:06:16 2013)
# Memory 32Mbytes, 3LAN, 1BRI
# Reporting Date: Jan 1 10:03:57 1980
timezone +09:00
console character ascii
console prompt [aws_test]
login timer 1000
ip route default gateway pp 1
ip lan1 address 192.168.253.1/24
ip lan1 proxyarp on
pp select 1
 pp name FLETS
 pp always-on on
 pppoe use lan2
 pppoe auto connect on
 pppoe auto disconnect on
 pp auth accept pap chap
 pp auth myname (ISP connection ID) (ISP connection password)
 ppp lcp mru on 1454
 ppp ipcp ipaddress on
 ip pp mtu 1454
 ip pp secure filter in 1
 ip pp secure filter out 2
 ip pp nat descriptor 1000
 pp enable 1
tunnel select 1
 ipsec tunnel 201
  ipsec sa policy 201 1 esp aes-cbc sha-hmac
  ipsec ike duration ipsec-sa 1 3600
  ipsec ike encryption 1 aes-cbc
  ipsec ike group 1 modp1024
  ipsec ike hash 1 sha
  ipsec ike keepalive use 1 on dpd 10 3
  ipsec ike local address 1 192.168.253.1
  ipsec ike pfs 1 on
  ipsec ike pre-shared-key 1 text (VPN pre-shared key 1)
  ipsec ike remote address 1 52.193.39.138
 ipsec tunnel outer df-bit clear
 ip tunnel address 169.254.24.102/30
 ip tunnel remote address 169.254.24.101
 ip tunnel tcp mss limit 1379
 tunnel enable 1
tunnel select 2
 ipsec tunnel 202
  ipsec sa policy 202 2 esp aes-cbc sha-hmac
  ipsec ike duration ipsec-sa 2 3600
  ipsec ike encryption 2 aes-cbc
  ipsec ike group 2 modp1024
  ipsec ike hash 2 sha
  ipsec ike keepalive use 2 on dpd 10 3
  ipsec ike local address 2 192.168.253.1
  ipsec ike pfs 2 on
  ipsec ike pre-shared-key 2 text (VPN pre-shared key 2)
  ipsec ike remote address 2 52.196.197.66
 ipsec tunnel outer df-bit clear
 ip tunnel address 169.254.25.218/30
 ip tunnel remote address 169.254.25.217
 ip tunnel tcp mss limit 1379
 tunnel enable 2
ip filter 1 pass * * * * *
ip filter 2 pass * * * * *
nat descriptor type 1000 masquerade
nat descriptor address outer 1000 ipcp
nat descriptor address inner 1000 auto
bgp use on
bgp autonomous-system 65000
bgp neighbor 1 64512 169.254.24.101 hold-time=30 local-address=169.254.24.102
bgp neighbor 2 64512 169.254.25.217 hold-time=30 local-address=169.254.25.218
bgp import filter 1 equal 192.168.253.0/24
bgp import 64512 static filter 1
ipsec auto refresh on
tftp host any
dhcp service server
dhcp scope 1 192.168.253.100-192.168.253.200/24
dns server 8.8.8.8 8.8.4.4
By the way, this time I set it up on a router that was initialized for testing, and all filters are set to pass (ip filter 1 and 2 are pass * * * * *). Please be careful when actually using it. Two other points in this config deserve attention before it goes beyond a test: tftp host any lets any host fetch the router config over TFTP, and the IKE parameters AWS generated for the RTX (ipsec ike group modp1024, ipsec ike hash sha, and esp aes-cbc sha-hmac) use DH group 2 and SHA-1; the tunnel options section when creating the VPN connection lets you specify stronger Phase 1/Phase 2 algorithms where the router firmware supports them.
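The following is an added example, not part of the original article, that turns the warning above into a lint over the final config: it flags the pass-all filters the article mentions, the open TFTP host setting, and the modp1024 / SHA-1 IKE and ESP settings. The config embedded in it is a constructed excerpt of the config printed above with the pre-shared key redacted; which stronger groups and hashes the RTX1100 firmware accepts is not stated on the page and is left as an assumption in the messages.

```python
"""Flag RTX VPN settings that should not survive from a test config into production.

Added example for this article, not the article's own tooling. The sample is a
constructed excerpt of the final config shown in the article (PSK redacted).
"""
import re

SAMPLE_RTX_CONFIG = """\
ip pp secure filter in 1
ip pp secure filter out 2
ipsec sa policy 201 1 esp aes-cbc sha-hmac
ipsec ike group 1 modp1024
ipsec ike hash 1 sha
ipsec ike encryption 1 aes-cbc
ipsec ike pre-shared-key 1 text REDACTED
ipsec ike group 2 modp1024
ipsec ike hash 2 sha
ip filter 1 pass * * * * *
ip filter 2 pass * * * * *
tftp host any
"""

# (pattern matched against the stripped line, finding). Stronger alternatives
# named here assume the router firmware supports them.
CHECKS = [
    (re.compile(r"^ip filter \d+ pass \* \* \* \* \*$"),
     "filter passes all traffic (any src, any dst, any protocol/port)"),
    (re.compile(r"^ipsec ike group \d+ modp1024$"),
     "IKE DH group modp1024 (group 2) is weak; prefer modp2048 or larger"),
    (re.compile(r"^ipsec ike hash \d+ sha$"),
     "IKE hash is SHA-1; prefer sha256"),
    (re.compile(r"^ipsec sa policy \d+ \d+ esp \S+ sha-hmac$"),
     "ESP integrity is HMAC-SHA-1; prefer an SHA-2 HMAC"),
    (re.compile(r"^tftp host any$"),
     "TFTP access to the router config is allowed from any host"),
]


def audit_config(config: str) -> list:
    """Return (line_number, line, finding) for every line that trips a check."""
    findings = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        for pattern, message in CHECKS:
            if pattern.match(line):
                findings.append((lineno, line, message))
    return findings


if __name__ == "__main__":
    for lineno, line, message in audit_config(SAMPLE_RTX_CONFIG):
        print(f"line {lineno}: {line}\n    -> {message}")
```

Feed it the output of show config (with the pre-shared keys removed first) to get a list of lines to revisit before the router is exposed on a real uplink.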
Operation confirmation
Check AWS tunnel status
Follow the steps below to enter the VPN connection screen.
AWS Management Console -> VPC -> Site-to-Site VPN Connections
Click the Tunnel Details tab.
Confirm that both tunnels show a status of UP.
Checking the tunnel status of the router (RTX1100)
Check the tunnel status using the RTX1100 command.
[aws_test]# show status tunnel 1
TUNNEL[1]:
Description:
  Interface type: IPsec
  Current status is Online.
  from 1980/01/01 09:52:26.
  1 hour 26 minutes 51 seconds connection.
  Received:    (IPv4) 894 packets [65571 octets]
               (IPv6) 0 packet [0 octet]
  Transmitted: (IPv4) 1289 packets [85905 octets]
               (IPv6) 0 packet [0 octet]
[aws_test]# show status tunnel 2
TUNNEL[2]:
Description:
  Interface type: IPsec
  Current status is Online.
  from 1980/01/01 09:52:52.
  1 hour 26 minutes 27 seconds connection.
  Received:    (IPv4) 1004 packets [62349 octets]
               (IPv6) 0 packet [0 octet]
  Transmitted: (IPv4) 847 packets [54026 octets]
               (IPv6) 0 packets [0 octets]
Confirm communication to EC2 instance
The VPN connection between AWS and your home NW is now complete, so let's check communication.
Check ping
Check ping communication from your home NW terminal to the EC2 instance (172.31.37.121).
~ $ ping 172.31.37.121
PING 172.31.37.121 (172.31.37.121): 56 data bytes
64 bytes from 172.31.37.121: icmp_seq=0 ttl=253 time=20.483 ms
64 bytes from 172.31.37.121: icmp_seq=1 ttl=253 time=40.084 ms
64 bytes from 172.31.37.121: icmp_seq=2 ttl=253 time=26.764 ms
SSH confirmation
Check SSH login from your home NW terminal to the EC2 instance (172.31.37.121).
~ $ ssh -i .ssh/aws.pem ec2-user@172.31.37.121
Last login: Sun Sep 8 11:42:56 2019 from ip-192-168-253-100.ap-northeast-1.compute.internal

       __|  __|_  )
       _|  (     /   Amazon Linux 2 AMI
      ___|\___|___|

https://aws.amazon.com/amazon-linux-2/
4 package(s) needed for security, out of 14 available
Run "sudo yum update" to apply all updates.
[ec2-user@ip-172-31-37-121 ~]$
Summary
This time, I was able to connect AWS and my home NW via VPN.
The RTX1100 can be purchased used for a few thousand yen, so I think it's perfect for tests like this.
Please note that AWS charges for Site-to-Site VPN connections (per connection-hour, plus data transfer), so delete the VPN connection when the test is finished.