How to establish a policy based VPN connection to AWS Hardware VPN

Hello Guys,

I wanted to write this article as personal documentation but as well because I wanted to be in most of our partners’ shoes. Most of the time when they want to establish a VPN connection with us and we handover a seemingly complicated AWS VPN generated configuration.

In this tutorial we are going to create a AWS Managed VPN in the California Region us-west-1 and get our VyOS EC2 instance from the us-east-1 to connection to it.

us-east-1 vpc is : 172.20.0.0/16
us-west-1 vpc is : 172.31.0.0/16

Here will be our plan of actions

  • Create AWS VPN in California
  • Configure the VyOS

Creating AWS Hardware VPN

Each AWS Virtual Private Cloud (VPC), there is a default network. We will just leverage on the default VPC instead of creating a new one. In order to get a create a new AWS VPN, we will need the following:

  • Customer Gateway
  • Virtual Private Gateway

Customer Gateway

This is an AWS terminology to define the peer ip address. To create a customer gateway , get to the VPC section of AWS , choose the right aws region (california in this tutorial), and below on the left panel of the VPC page, choose click on Customer Gateways under VPN Connections section. We will be using the same VyOS instance we used during our previous VPN. Because we are doing a policy based VPN, we will choose static routing option.

Virtual Private Gateway

This is also another AWS terminology to define the AWS side of the VPN. Probably there are better explanations but this is the simple one I could come up with. A Virtual Private Gateway (VPG) is pretty useless unless attached to the VPC the VPN is meant for. In order to create one, from the VPC page and under the VPN Connections section, click on Virtual Private Gateways and follow the steps below.

Creating the VPG
Attaching the VPG to the VPC

Creating the AWS VPN

With the Customer Gateway and the Virtual Private Gateway we have all we need for our Connection. Click on the VPN Connections link on the left panel to get to the VPN section. Click on Create VPN Connection button to start the process.

Creating VPN with static routes
VPN Current Status

Creating Firewall Rules

We need to accept on boxes behind our AWS VPN traffic from our yet to be configured VyOS VPN side of boxes.

172.20.0.10
172.20.10.5

open port on the firewall for Vyos us-east-1 boxes

Generated AWS VPN Configuration

Now to connect to the VPN from our VyOS instance , we needed to generate configuration from the by clicking on the download configuration button. I have downloaded a Generic one. As seen on the screenshot there are 2 separate tunnels with 2 different peer IPs. This configuration is vendor agnostic. They are other vendor specific configuration like for cisco, palo alto, juniper, fortinet, microsoft etc.

Configuring VPN on VyOS

We will be using the same VyOS box used on previous VPN blog post so I will skip the setup part of this. So this part assumes you have a little knowledge on how to get you VyOS box up and running in an AWS environment.

Creating Virtual Interfaces

We will need to create virtual interfaces to map to each of AWS VPN Virtual Private Gateways. After login on VyOS we will to type configure to start the configuration mode of it.

Creating IKE and ESP Settings

AWS support a wide variety of proposals for encryption aes128, aes256, 3des and hashing algorithm like md5, sha1 or sha2. We will be using aes256 for encryption and sha1 for hashing. Still in configuration mode enter the following commands.

Creating IPSEC Configuration

Now that we have all we need to start configuring our peers. Let’s step into vpn ipsec configuration. Still in vyos configuration mode let’s input the following commands

Creating static routes

We will be reaching out 2 boxes behind AWS VPN their IPs are:

172.31.7.4
172.31.15.235

We are creating static routes on the VyOS to forward any traffic to those IPs to go through the virtual interfaces/ Virtual Private Gateway. In configuration mode, issue the following commands:

Below is the full configuration

Persist Configuration

In VyOS, changes made to the configuration should be committed and then save to file. That can be done with the following:

Verification

Let’s check VPN status on the VyOS side. This command is done in normal mode show vpn ipsec sa

VyOS showing status up

On the AWS VPN side as well let’s verify on the VPN page tunnel tab status of our VPN

AWS VPN showing status up on both tunnels

Testing Connectivity

Connection from 172.20.10.5 to 172.31.7.4 ping and telnet
Connection from 172.20.10.5 to 172.31.15.235 ping and telnet
Connection from 172.20.0.10 to 172.31.7.4 ping and telnet
Connection from 172.20.0.10 to 172.31.15.235 ping and telnet

Obviously I have skipped routing at the aws route table level. I did automatic propagation on the AWS VPN side and did it manually on the VyOS side.

Next time we will look at similar setup but this time with dynamic routing. I hope this was useful

2 thoughts on “How to establish a policy based VPN connection to AWS Hardware VPN

  1. These configurations are route-based vpn configs… aren’t they? The name of the document is “How to establish a policy based VPN connection to AWS Hardware VPN”. If you are creating virtual tunnel interfaces and using them for routing traffic over the tunnel, that is route-based. I am so confused now.

Leave a Reply

Your email address will not be published. Required fields are marked *

captcha * Time limit is exhausted. Please reload the CAPTCHA.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to top