Table of Contents

AWS VPN Full Tunnel

Description

The following configuration routes all traffic from the office, including internet traffic, over the site-to-site VPN to AWS, so that it egresses from AWS rather than from the office's own internet connection. This is useful when centralized content filtering is to be done in AWS. It also works for VPCs that are attached to a Transit Gateway. Only the customer-gateway side is shown; the AWS side (route tables and whatever NATs or inspects the 0.0.0.0/0 traffic before it leaves) must be configured separately. Note that once this is in place every office flow, including DNS lookups, depends on the tunnels being up.

Diagram


Cisco ASA

!
! Cisco ASA side of the AWS full-tunnel site-to-site VPN. The crypto map below
! selects ALL IPv4 traffic from the inside subnet (acl-amzn), so office
! internet traffic leaves via AWS instead of via the local ISP gateway.
! Example values: 50.50.50.0/29 = WAN block, 3.13.125.0 / 3.130.75.165 = the
! two AWS tunnel endpoints, 10.10.0.0/20 = VPC CIDR (obj-amzn).
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.168.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.50.50.2 255.255.255.248
!
object network inside
 subnet 192.168.168.0 255.255.255.0
! NOTE(review): obj-amzn and "all" are defined but nothing in this listing
! references them; harmless, but confirm they are not leftovers.
object network obj-amzn
 subnet 10.10.0.0 255.255.240.0
object network all
 subnet 0.0.0.0 0.0.0.0
!
! Inbound ACL for the outside interface, limited to the two AWS endpoints
! talking to the ASA's own WAN address. No "access-group" line appears in this
! listing, so whether the ACL is actually applied cannot be told from here.
access-list outside_access_in extended permit ip host 3.13.125.0 host 50.50.50.2
access-list outside_access_in extended permit ip host 3.130.75.165 host 50.50.50.2
! Interesting traffic for the crypto map: inside subnet -> ANY IPv4. This is
! the line that makes the VPN a full tunnel.
access-list acl-amzn extended permit ip object inside any4
! vpn-filter attached to both tunnel groups (via group-policy "filter").
! ASA vpn-filter ACLs are written with the remote side as source, so this
! lets any IPv4 source arriving over the tunnel reach the inside subnet and
! drops everything else.
access-list amzn-filter extended permit ip any4 object inside
access-list amzn-filter extended deny ip any any
!
! NOTE(review): "icmp permit any outside" allows any internet host to send
! ICMP to the ASA's WAN address; consider limiting it to the AWS endpoints
! or to echo/echo-reply only.
icmp permit any inside
icmp permit any outside
!
! Default route still points at the ISP gateway. With a policy-based crypto
! map the tunnel is selected by acl-amzn on the outside interface, not by
! routing, so no default route via AWS is needed here.
route outside 0.0.0.0 0.0.0.0 50.50.50.1 1
!
! ICMP probe every 5 s to a VPC host, presumably to keep the tunnel from
! idling out. NOTE(review): the probe is sourced from the outside interface
! address (50.50.50.2), which is not in acl-amzn's source (the inside subnet),
! so confirm it really traverses the tunnel. No "track" references this SLA
! in the listing.
sla monitor 1
 type echo protocol ipIcmpEcho 10.10.0.77 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
!
! Phase 2: AES-128-CBC (esp-aes) with HMAC-SHA1, anti-replay window 128.
! clear-df on outside clears the DF bit so oversized packets can be
! fragmented after encapsulation instead of being dropped.
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
!
! Single crypto map entry with both AWS endpoints as peers (first preferred).
! "set pfs" with no group selects DH group 2 (1024-bit MODP), which is
! considered weak; "set pfs group14" matches the DH group the EdgeRouter
! section of this page uses for the same AWS connection.
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs
crypto map amzn_vpn_map 1 set peer 3.13.125.0 3.130.75.165
crypto map amzn_vpn_map 1 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map 1 set security-association lifetime seconds 3600
crypto map amzn_vpn_map interface outside
!
crypto ca trustpool policy
! IKE identity is the outside IP address (the AWS customer gateway address).
crypto isakmp identity address
crypto ikev1 enable outside
! Phase 1: pre-shared key, AES-128, SHA1, DH group 2, 8 h lifetime.
! NOTE(review): group 2 is 1024-bit DH; the EdgeRouter section of this page
! uses group 14 against the same AWS endpoints, so "group 14" is the
! consistent (and stronger) choice here as well.
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
!
! LAN DHCP. The 9.9.9.9 resolver is reached through the tunnel too, because
! acl-amzn covers every IPv4 destination.
dhcpd address 192.168.168.30-192.168.168.60 inside
dhcpd dns 9.9.9.9 interface inside
dhcpd enable inside
!
! Group policy that attaches the vpn-filter ACL; both tunnel groups use it.
group-policy filter internal
group-policy filter attributes
 vpn-filter value amzn-filter
!
! One tunnel group per AWS endpoint. The pre-shared keys are masked here on
! purpose; take them from the AWS-generated configuration and never publish
! them. Keepalive (DPD): 10 s threshold, 10 s retry.
tunnel-group 3.13.125.0 type ipsec-l2l
tunnel-group 3.13.125.0 general-attributes
 default-group-policy filter
tunnel-group 3.13.125.0 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
!
tunnel-group 3.130.75.165 type ipsec-l2l
tunnel-group 3.130.75.165 general-attributes
 default-group-policy filter
tunnel-group 3.130.75.165 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
!
! ICMP added to the default inspection class so echo replies coming back over
! the tunnel are matched to their outbound request.
policy-map global_policy
 class inspection_default
  ! == icmp was added to the defaults ==
  inspect icmp
!

Ubiquiti EdgeRouter

Policy Based VPN

The policy-based VPN can be configured via the EdgeRouter web interface, but the web interface expects a specific VPC CIDR as the remote prefix rather than 0.0.0.0/0. Enter the VPC CIDR there first, then use the EdgeRouter CLI to change the remote prefix of each tunnel to 0.0.0.0/0 (the `remote prefix 0.0.0.0/0` lines below). The pre-shared secrets in the listing are placeholders; use the values from the AWS-generated configuration and do not commit or publish the real ones.

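# EdgeRouter (EdgeOS) policy-based site-to-site VPN to AWS, full tunnel.
# Example values: 50.50.50.2/29 = WAN address, 3.13.125.0 / 3.130.75.165 =
# the two AWS tunnel endpoints, 192.168.168.0/24 = office LAN.
# The WAN_IN / WAN_LOCAL firewall rulesets are referenced below but not
# defined in this listing; they must exist before this configuration commits.
set interfaces ethernet eth0 address 50.50.50.2/29
set interfaces ethernet eth0 description Internet
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 speed auto

set interfaces ethernet eth1 description Local
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto

set interfaces switch switch0 address 192.168.168.1/24
set interfaces switch switch0 description Local
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port vlan-aware disable

# LAN DHCP. DNS (9.9.9.9) is reached through the tunnel as well, since the
# remote prefix below is 0.0.0.0/0.
set service dhcp-server disabled false
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet 192.168.168.0/24 default-router 192.168.168.1
set service dhcp-server shared-network-name LAN subnet 192.168.168.0/24 dns-server 9.9.9.9
set service dhcp-server shared-network-name LAN subnet 192.168.168.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.168.0/24 start 192.168.168.38 stop 192.168.168.243

set system gateway-address 50.50.50.1

set system name-server 9.9.9.9

# auto-firewall-nat-exclude presumably adds the firewall/NAT exceptions for
# the IPsec traffic itself; verify WAN_LOCAL still admits IKE (UDP 500/4500)
# and ESP from the two AWS endpoints if it is ever turned off.
set vpn ipsec allow-access-to-local-interface disable
set vpn ipsec auto-firewall-nat-exclude enable

# Phase 2 (ESP): AES-128 + HMAC-SHA1, PFS on, 1 h lifetime. FOO0 and FOO1 are
# identical copies, one per AWS tunnel.
set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

set vpn ipsec esp-group FOO1 compression disable
set vpn ipsec esp-group FOO1 lifetime 3600
set vpn ipsec esp-group FOO1 mode tunnel
set vpn ipsec esp-group FOO1 pfs enable
set vpn ipsec esp-group FOO1 proposal 1 encryption aes128
set vpn ipsec esp-group FOO1 proposal 1 hash sha1

# Phase 1 (IKEv1): AES-128, SHA1, DH group 14 (2048-bit), 8 h lifetime.
# ikev2-reauth has no effect with key-exchange ikev1 and is kept as-is.
set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1

set vpn ipsec ike-group FOO1 ikev2-reauth no
set vpn ipsec ike-group FOO1 key-exchange ikev1
set vpn ipsec ike-group FOO1 lifetime 28800
set vpn ipsec ike-group FOO1 proposal 1 dh-group 14
set vpn ipsec ike-group FOO1 proposal 1 encryption aes128
set vpn ipsec ike-group FOO1 proposal 1 hash sha1

# Peer 1. The pre-shared secret is a placeholder: take the real value from the
# AWS-generated configuration for tunnel 1. The original page printed what
# look like real AWS-generated keys in clear text; if those were ever live,
# rotate them via the VPN connection's tunnel options. The Cisco section of
# this page masks its keys, and this listing now does the same.
# Traffic selector: local LAN -> 0.0.0.0/0, i.e. the full tunnel.
set vpn ipsec site-to-site peer 3.13.125.0 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 3.13.125.0 authentication pre-shared-secret CHANGEME_TUNNEL1_PSK
set vpn ipsec site-to-site peer 3.13.125.0 connection-type initiate
set vpn ipsec site-to-site peer 3.13.125.0 description AWS1
set vpn ipsec site-to-site peer 3.13.125.0 ike-group FOO0
set vpn ipsec site-to-site peer 3.13.125.0 ikev2-reauth inherit
set vpn ipsec site-to-site peer 3.13.125.0 local-address 50.50.50.2
set vpn ipsec site-to-site peer 3.13.125.0 tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 3.13.125.0 tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer 3.13.125.0 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 3.13.125.0 tunnel 1 local prefix 192.168.168.0/24
set vpn ipsec site-to-site peer 3.13.125.0 tunnel 1 remote prefix 0.0.0.0/0

# Peer 2, same layout; placeholder secret for tunnel 2.
set vpn ipsec site-to-site peer 3.130.75.165 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 3.130.75.165 authentication pre-shared-secret CHANGEME_TUNNEL2_PSK
set vpn ipsec site-to-site peer 3.130.75.165 connection-type initiate
set vpn ipsec site-to-site peer 3.130.75.165 description AWS2
set vpn ipsec site-to-site peer 3.130.75.165 ike-group FOO1
set vpn ipsec site-to-site peer 3.130.75.165 ikev2-reauth inherit
set vpn ipsec site-to-site peer 3.130.75.165 local-address 50.50.50.2
set vpn ipsec site-to-site peer 3.130.75.165 tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 3.130.75.165 tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer 3.130.75.165 tunnel 1 esp-group FOO1
set vpn ipsec site-to-site peer 3.130.75.165 tunnel 1 local prefix 192.168.168.0/24
set vpn ipsec site-to-site peer 3.130.75.165 tunnel 1 remote prefix 0.0.0.0/0

# No source NAT on the WAN: all LAN traffic egresses from AWS, not from eth0.
delete service nat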

Interface VPN

To change from the policy-based VPN to a virtual tunnel interface (VTI) VPN, apply the following changes on top of the policy-based configuration above. The VTIs are created as vti1 and vti2, the per-peer `tunnel 1` selectors are replaced by VTI bindings, and routing (rather than the traffic selectors) then decides what goes through the tunnels, so the default route is pointed at the VTIs while host routes keep the AWS endpoints themselves reachable via the ISP gateway.

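# Inside-tunnel addresses for the two AWS tunnels. The 169.254.x.x/30 values
# are examples from one connection; use the ones from your own AWS-generated
# configuration.
set interfaces vti vti1 description AWS1
set interfaces vti vti1 address 169.254.93.34/30
set interfaces vti vti2 description AWS2
set interfaces vti vti2 address 169.254.221.246/30

# Replace the policy-based "tunnel 1" selectors with a VTI binding per peer;
# the IKE/ESP groups and pre-shared secrets stay as configured before.
delete vpn ipsec site-to-site peer 3.13.125.0 tunnel 1
set vpn ipsec site-to-site peer 3.13.125.0 vti bind vti1
set vpn ipsec site-to-site peer 3.13.125.0 vti esp-group FOO0

delete vpn ipsec site-to-site peer 3.130.75.165 tunnel 1
set vpn ipsec site-to-site peer 3.130.75.165 vti bind vti2
set vpn ipsec site-to-site peer 3.130.75.165 vti esp-group FOO1

# Host routes for the AWS endpoints must stay on the ISP gateway: once the
# default route points into the VTIs, IKE/ESP packets to the peers would
# otherwise be routed into the very tunnels they are supposed to carry.
set protocols static route 3.13.125.0/32 next-hop 50.50.50.1
set protocols static route 3.130.75.165/32 next-hop 50.50.50.1

# Full tunnel: default route into both VTIs. Corrected from vti0/vti1 --
# vti0 is never defined above; the interfaces created are vti1 and vti2.
# NOTE(review): with two equal default routes, traffic may leave over either
# tunnel and AWS may return it over either; verify the firewall state on the
# VTIs tolerates that, or add a "distance" to one route to prefer one tunnel.
set protocols static interface-route 0.0.0.0/0 next-hop-interface vti1
set protocols static interface-route 0.0.0.0/0 next-hop-interface vti2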