In this post I want to share my experiences with connecting my Ubiquiti EdgeRouter to an AWS Virtual Private Cloud (VPC) using an IPsec site-to-site VPN connection.
AWS VPN options
If you want to connect your on-premises environment to AWS, you have various options:
- AWS hardware VPN – In this scenario AWS provides a Virtual Private Gateway with two VPN endpoints for automatic failover (at the AWS side);
- AWS direct connect – Dedicated private connection from a remote network to your VPC;
- AWS VPN CloudHub – An interesting option, especially if you have multiple branch offices;
- Software VPN – Connect your on-premises environment through an EC2 instance running VPN software.
In this example I will work with the hardware VPN option. The process for configuring the VPN consists of the following steps:
- Create a Virtual Private Gateway, that is the router on the Amazon side of the VPN tunnel.
- Create the Customer Gateway, which holds the internet-routable IP address of your gateway, that is, the router on the customer side of the VPN tunnel.
- Create the VPN connection between AWS and the on-premises environment.
- Configure routing in AWS.
Part of the configuration is choosing the routing method: you can choose between static routing and dynamic routing based on BGP. In this example I will configure BGP.
The hardware VPN connection uses two tunnels, each terminated at a unique IP address, as depicted in the image on the right.
Let’s walk through these steps.
Create a Virtual Private Gateway
The Create Virtual Private Gateway (VPG) option is available in the VPC dashboard. You only have to specify the name of the VPG.
Create a Customer Gateway
Creating a customer gateway, also available in the VPC dashboard, requires three input parameters:
- Name for the GW;
- Routing type, dynamic in this case. Dynamic routing is always based on BGP (OSPF or other dynamic routing protocols are not supported);
- After you select dynamic routing, you have to configure an Autonomous System Number (ASN). Use your existing ASN if you already have one, or use one from the private ASN range (64512-65534).
- IP address, this is the internet routable IP address of your router (customer VPN endpoint).
Create the VPN connection
Now it’s time to create the actual VPN connection. Enter a name tag, select the Virtual Private Gateway you just created, select the Customer Gateway and choose dynamic routing. The VPN connection is then created on the AWS side. You can download a configuration file to create the VPN connection on the customer (your) side.
For a Ubiquiti EdgeRouter, use the Vyatta configuration file; EdgeOS was forked from Vyatta.
You have to make a few changes to the configuration file before you upload it to your EdgeRouter. In my case I had to make the following changes:
- Add the route to the local subnet(s). You have to do this for each of the two tunnels.
- Change the local-address of the router. The configuration file contains the internet-routable address, but because my EdgeRouter sits behind the provider modem (and is NATed) I had to change this to the IP address my router actually uses. Use the IP address on the WAN side of your router; in my case this is 192.168.101.10.
- Remove the comments that are in the configuration file; this makes the file cleaner and makes any error messages that appear easier to understand.
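The three edits above can be scripted instead of done by hand. This is an added example, not the author's code or an AWS tool: it assumes the downloaded Vyatta file marks comment lines with "!" (or "#") and contains one placeholder "set protocols bgp <ASN> network ..." line per tunnel, which it replaces with one line per local subnet; the sample input is constructed.

```python
import re

# Constructed sample shaped like the AWS-generated Vyatta file. The '!' comment
# prefix and the placeholder 0.0.0.0/0 network line are assumptions about that file.
SAMPLE_CONFIG = """\
! Amazon Web Services
! VPN Connection Configuration (constructed sample)
set vpn ipsec site-to-site peer 52.57.213.80 local-address '203.0.113.5'
set vpn ipsec site-to-site peer 52.57.213.80 vti bind 'vti0'
! BGP: copy the network statement for every prefix you advertise
set protocols bgp 65512 neighbor 169.254.42.161 remote-as '7224'
set protocols bgp 65512 network 0.0.0.0/0
"""

LOCAL_ADDR = re.compile(r"^(set vpn ipsec site-to-site peer \S+ local-address )'[^']*'$")
BGP_NETWORK = re.compile(r"^set protocols bgp (\d+) network \S+$")


def adapt_config(text, wan_ip, local_subnets, comment_prefixes=("!", "#")):
    """Apply the three edits from the post to an AWS Vyatta config.

    1. replace the placeholder BGP network line with one line per local subnet,
    2. point local-address at the WAN address the router actually has (NAT case),
    3. drop comment and blank lines so commit errors map to real set commands.
    """
    if not local_subnets:
        raise ValueError("at least one local subnet must be advertised")
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(comment_prefixes):
            continue
        m = LOCAL_ADDR.match(line)
        if m:
            out.append(f"{m.group(1)}'{wan_ip}'")
            continue
        m = BGP_NETWORK.match(line)
        if m:
            out.extend(f"set protocols bgp {m.group(1)} network {s}" for s in local_subnets)
            continue
        if not line.startswith("set "):
            # anything else would be pasted into 'configure' as an unknown command
            raise ValueError(f"unexpected non-set line: {line}")
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(adapt_config(SAMPLE_CONFIG, "192.168.101.10", ["192.168.178.0/24"]), end="")
```

The output still contains the pre-shared secret from the downloaded file, so treat it with the same care as the original.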
The final configuration file looks like this:
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 52.57.213.80 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.57.213.80 authentication pre-shared-secret 'super-secret-value'
set vpn ipsec site-to-site peer 52.57.213.80 description 'VPC tunnel 1'
set vpn ipsec site-to-site peer 52.57.213.80 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.57.213.80 local-address '192.168.101.10' <- changed this one
set vpn ipsec site-to-site peer 52.57.213.80 vti bind 'vti0'
set vpn ipsec site-to-site peer 52.57.213.80 vti esp-group 'AWS'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set interfaces vti vti0 address '169.254.42.162/30'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 mtu '1436'
set protocols bgp 65512 neighbor 169.254.42.161 remote-as '7224'
set protocols bgp 65512 neighbor 169.254.42.161 soft-reconfiguration 'inbound'
set protocols bgp 65512 neighbor 169.254.42.161 timers holdtime '30'
set protocols bgp 65512 neighbor 169.254.42.161 timers keepalive '10'
set protocols bgp 65512 network 192.168.178.0/24 <- changed to local subnet -> add extra lines here if you have more subnets to route

set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 52.59.27.70 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.59.27.70 authentication pre-shared-secret 'super-secret-value'
set vpn ipsec site-to-site peer 52.59.27.70 description 'VPC tunnel 2'
set vpn ipsec site-to-site peer 52.59.27.70 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.59.27.70 local-address '192.168.101.10' <- changed this one too
set vpn ipsec site-to-site peer 52.59.27.70 vti bind 'vti1'
set vpn ipsec site-to-site peer 52.59.27.70 vti esp-group 'AWS'
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set interfaces vti vti1 address '169.254.40.230/30'
set interfaces vti vti1 description 'VPC tunnel 2'
set interfaces vti vti1 mtu '1436'
set protocols bgp 65512 neighbor 169.254.40.229 remote-as '7224'
set protocols bgp 65512 neighbor 169.254.40.229 soft-reconfiguration 'inbound'
set protocols bgp 65512 neighbor 169.254.40.229 timers holdtime '30'
set protocols bgp 65512 neighbor 169.254.40.229 timers keepalive '10'
set protocols bgp 65512 network 192.168.178.0/24 <- changed to local subnet -> add extra lines here if you have more subnets to route
It’s now time to upload the configuration file to the EdgeRouter:
viktorvandenberg$ ssh admin@192.168.178.1
admin@192.168.178.1's password:
admin@ubnt:~$ configure
admin@ubnt# <-- paste your configuration file here -->
admin@ubnt# commit
[ protocols bgp 65512 ]
% Warning: Configured holdtime is set below the default value
% Warning: Configured holdtime is set below the default value
[ vpn ]
net.ipv4.conf.vti0.disable_policy = 1
net.ipv4.conf.vti0.disable_xfrm = 1
net.ipv4.conf.vti1.disable_policy = 1
net.ipv4.conf.vti1.disable_xfrm = 1
[edit]
admin@ubnt# save
admin@ubnt# exit
Check the connection
Now it’s time to check whether the connection comes up. In the AWS VPC console, select the VPN connection, click Tunnel Details and check that the tunnel status is up:
On the EdgeRouter you can check the status of the VPN connection through the command line (don’t forget to first exit the configuration mode of the router):
show vpn ipsec status
show vpn ipsec state
If all signals are green, the last step is to propagate the BGP routes into your VPC route tables:
- Select the VPC dashboard;
- Select route tables in the menu on the left;
- Select the route table you want to configure and select route propagation. Choose edit and allow the VPN connection to propagate the routes (it has learned from BGP) into the routing table;
- Wait a few seconds and see if new route(s)/subnet(s) show up in the routing table of the selected network.
As you can see, the 192.168.178.0/24 subnet has been added to the routing table, which makes my on-premises subnet routable from the Amazon VPC. With the command
show ip route
or
show ip route bgp
you can check that the route table on the EdgeRouter has been updated as well and includes the AWS subnet(s). If everything looks fine, it’s time to spin up an EC2 instance and connect to it! Have fun.
I hope this was helpful, thanks for reading.
9 Comments
Eduardo Bayón Perales
This no longer applies as Vyatta is not an option in AWS. Do you have a guide if we don’t have this Vyatta option?
viktorious
BTW, what I see is that that information is still available on AWS… FYI.
viktorious
The configuration for Ubiquiti is in this article, so maybe you can reuse the information?
Walter
Thank you for this, it really simplified things. I am able to ping from hosts in the VPC to our local site. However, I am not able to ping from our local site to devices in the VPC. A traceroute also just dies on the local site. It seems like there is a routing issue. Any ideas?
Will Holmes
I had to set static routes on my EdgeRouter to reach the VPC network by running these on my EdgeRouter:
set protocols static interface-route 192.168.20.0/24 next-hop-interface vti0
set protocols static interface-route 192.168.20.0/24 next-hop-interface vti1
Replace the CIDR Block with your VPC network.
viktorious
Did you check the routes on the Edge router?
Walter
Thank you for the prompt response. I would assume this line
set protocols bgp 65000 network 192.168.1.0/24
would take care of that. Am I missing something?
viktorious
Please use show ip route and show ip route bgp to check what’s going on on your Edge router…(see my article)
Dillon
Did you have any issues with PFS being enabled? I am able to establish phase 1, but phase 2 fails with it disabled… When enabled I lose all connectivity to the router. I have an Edge-X and can’t seem to find a workaround.