How to establish a route based VPN connection to AWS Hardware VPN

Hello Guys,

This post is the continuation of our conversation of establishing connection to AWS Hardware VPN. I am certainly not qualified to explain the differences between route based and policy based but I am hoping with these 2 posts it can be clear to you 😀 .For this experiment we are going to create a AWS Managed VPN in the California Region us-west-1 and get our VyOS EC2 instance from the Ohio region us-east-2 to connect to it.

10.0.0.0/16 # AWS VPN network.
172.20.0.0/16 # VyOS network

Here will be our plan of actions

  • Create AWS VPN in Ohio
  • Configure the VyOS with dynamic

Creating AWS Hardware VPN

I have actually used the vpc wizard to set up this. I used the third option which sets up a public , a private subnet with a hardware VPN. I choose this wizard because it’s more like has all we wanted to do. I have not used the same VyOS as I used in the first part of this tutorials but there isn’t any reason you should not use the same.

Setting up VPC details

Setting up VPN details
Status of VPN after creation

Generated AWS VPN Configuration

Below is the configuration that we generated for Vyatta. Vyatta is the ancestor from where VyOS is forked from.

Generating Vyatta Configuration

Enabling Route propagation on AWS VPN network

Here is the tricky part that got me when I did this. On previous tutorial, I manually created the routes on the VPC route table to point to AWS Vitual Gateway then any box on the VPC want to connect to the VyOS side. I reckon in the previous post as well, Route propagation can be done for the listed encryption domain in there. Here in our case there is no encryption domain to create route for. So Having the BGP to advertise the VyOS network to AWS VPN network, finally gets to the AWS VPN route table when Route propagation is enabled. You can find this under route table page of the actual vpc.

Activating route propagation to VGW
Finding propagation tab or route table

Creating Firewall Rules

Rules on AWS VPN side

For a complete simulation , I have created a small t2.nano EC2 to serve as node behind the AWS VPN. Below is the security group for inbound connection from VyOS side

Opening up port 80 and all ICMP port

As you can see we have opened port 80 and all ports on ICMP for all traffic coming from VyOS nework

Rules on the VyOS side

Rule on VyOS itself

There is here as well a box to serve as node behind VyOS. VyOS itself being a node has its separate firewall rules.

Rules on VyOS box opening port UDP 4500 and 500 to AWS VPN VPG

Rules on box behind VyOS

Opening port 80 and all ports on ICMP for AWS VPN side network

We need to manually create a entry in route table on VyOS side to send to VyOS all traffic going towards 10.0.0.0/16 network

Configuring VPN on VyOS

As indicated already , I have used a different VyOS for this setup but you can use the same box as used in the first part of this series. I have for this reason used vti 2 and 3 instead as in continuation of the configuration done on the first part. In configuration mode, please enter the following commands.

Creating Virtual Interfaces

Creating IKE and ESP Settings

We are using the same group as in first part. If you are using the same box , you can skip this part.

Creating IPSEC Configuration

Configuring dynamic routes

Creating static routes

I think at this point the astute reading would probably raise his/her eyebrows. The reason why anything here is static is because, in order to get VyOS advertise the network at VyOS side, VyOS itself needs to have that route in its local route table. We are just adding that. it’s more like stating the obvious but it’s pretty essential for the AWS VPN side to receive VyOS network route. This is the only simpler explanation I could come up with for now.

Persist Configuration

Verification

AWS VPN Status with Received Routes

On the image above we could see AWS VPN is up and has Route advertised from VyOS box. On the image below, we have status being up for VyOS as well

Showing VPN status on the VyOS box

Showing route advertised to and received from AWS VPN

Checking on route on tunnel 1
Checking on route on tunnel 2

Testing connectivity

Testing ping and telnet on port 80 from 172.20.0.10 to 10.0.0.88
Testing ping and telnet from port 80 from 10.0.0.88 to 172.20.0.1

That’s it, I hope this has been useful to you.

Thanks for reading.

Leave a Reply

Your email address will not be published. Required fields are marked *

captcha * Time limit is exhausted. Please reload the CAPTCHA.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to top