First, here's how a single VPC will appear in the customer portal for Amazon Web Services:
With a dual VPC we have the ability to craft redundant access. The portal will show 2 VPCs after you configure the 2nd path:
After you walk through the steps you will have a 2nd VPN gateway defined:
The Cisco 1941 config is also quite easy to build, as either a one-router or a two-router setup. The former is not recommended because it leaves a single point of failure. Either way, you download the configuration from the AWS portal. With two routers, the two tunnel configs are split between them. With a single router, apply both keyrings and both tunnel/BGP configurations to that one box.
I'm breaking the configuration up into three major steps (crypto config, tunnels and BGP). The cipher parameters below (AES, SHA-1 HMAC, DH group 2, which is 1024-bit MODP) are what the downloaded AWS configuration specified at the time; treat them as that download's defaults rather than a recommendation.
==========CRYPTO STUFF===================
!
! one keyring per AWS gateway; the key comes from the downloaded AWS config
! AWS gateway #1
crypto keyring keyring-vpn-7a6f8b13-0
  pre-shared-key address 72.21.209.225 key ####
! AWS gateway #2
crypto keyring keyring-vpn-7a6f8b13-1
  pre-shared-key address 72.21.209.193 key ####
!
! one IKE (ISAKMP) policy per tunnel; both are identical
crypto isakmp policy 200
  encr aes
  authentication pre-share
  group 2
  lifetime 28800
!
crypto isakmp policy 201
  encr aes
  authentication pre-share
  group 2
  lifetime 28800
!
crypto isakmp keepalive 10 10
!
! each ISAKMP profile binds its keyring to the matching AWS gateway address
crypto isakmp profile isakmp-vpn-7a6f8b13-0
  keyring keyring-vpn-7a6f8b13-0
  match identity address 72.21.209.225 255.255.255.255
crypto isakmp profile isakmp-vpn-7a6f8b13-1
  keyring keyring-vpn-7a6f8b13-1
  match identity address 72.21.209.193 255.255.255.255
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-7a6f8b13-0 esp-aes esp-sha-hmac
crypto ipsec transform-set ipsec-prop-vpn-7a6f8b13-1 esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
! the IPsec profiles are what the tunnel interfaces reference below
crypto ipsec profile ipsec-vpn-7a6f8b13-0
  set transform-set ipsec-prop-vpn-7a6f8b13-0
  set pfs group2
!
crypto ipsec profile ipsec-vpn-7a6f8b13-1
  set transform-set ipsec-prop-vpn-7a6f8b13-1
  set pfs group2
!
!
==========TUNNEL STUFF===================
!
interface Tunnel1
  description tunnel to AWS gateway #1 72.21.209.225
  ip address 169.254.255.2 255.255.255.252
  ip nat inside
  ip virtual-reassembly
  ip tcp adjust-mss 1396
  ip policy route-map nat_vpn
  tunnel source < your public address here for the ISP provider >
  tunnel mode ipsec ipv4
  tunnel destination 72.21.209.225
  tunnel protection ipsec profile ipsec-vpn-7a6f8b13-0
!
interface Tunnel2
  description tunnel to AWS gateway #2 72.21.209.193
  ip address 169.254.255.6 255.255.255.252
  ip nat inside
  ip virtual-reassembly
  ip tcp adjust-mss 1396
  ip policy route-map nat_vpn
  tunnel source < your public address here for the 2nd ISP provider >
  tunnel mode ipsec ipv4
  tunnel destination 72.21.209.193
  tunnel protection ipsec profile ipsec-vpn-7a6f8b13-1
!
==========BGP PEERING STUFF===================
!
router bgp 65000
  bgp log-neighbor-changes
  !
  ! we define the 2 BGP peers that are being used across the tunnels
  ! (each peer is the AWS end of that tunnel's 169.254.x.x/30)
  !
  neighbor 169.254.255.1 remote-as 7224
  neighbor 169.254.255.1 timers 10 30 30
  neighbor 169.254.255.5 remote-as 7224
  neighbor 169.254.255.5 timers 10 30 30
  !
  address-family ipv4
    no synchronization
    network 0.0.0.0
    neighbor 169.254.255.1 activate
    neighbor 169.254.255.1 default-originate
    neighbor 169.254.255.1 soft-reconfiguration inbound
    neighbor 169.254.255.5 activate
    neighbor 169.254.255.5 default-originate
    neighbor 169.254.255.5 soft-reconfiguration inbound
    no auto-summary
  exit-address-family
!
Things to keep in mind: you have to source the two tunnels from two unique public addresses, one per upstream link.
Ideally you would buy two upstream links and install them in one of these fashions:
NOTE: the solution on the right is the better of the two. In the second solution you would also run an iBGP session between the two routers within your private BGP ASN.
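The three sections above are hand-edited copies of one AWS download, and the post's caveat is that the redundancy only holds when the two tunnels leave on different upstream links. The following is an added example, not code from the original post: it rebuilds the crypto, tunnel and BGP sections for any number of AWS tunnels from a handful of parameters, derives each BGP neighbor from the tunnel's /30, and warns about layouts that defeat the redundancy. The `Tunnel` class, the function names, the placeholder pre-shared keys and the 198.51.100.x / 203.0.113.x ISP addresses are assumptions for the example; the site-specific `ip nat inside` and `route-map nat_vpn` lines are deliberately not generated.

```python
# Added example, not code from the original post: rebuilds the crypto, tunnel
# and BGP sections for N AWS tunnels and flags layouts that defeat redundancy.
import ipaddress
from dataclasses import dataclass

AWS_ASN = 7224  # AWS side of every BGP session, as in the post

@dataclass(frozen=True)
class Tunnel:
    vpn_id: str         # AWS VPN connection id (the post uses vpn-7a6f8b13)
    index: int          # 0 or 1: the suffix AWS appends to keyring/profile names
    vgw_outside: str    # AWS gateway public address (tunnel destination)
    psk: str            # pre-shared key from the downloaded AWS configuration
    inside_cgw: str     # customer-side tunnel address with prefix, e.g. 169.254.255.2/30
    tunnel_source: str  # local public address the tunnel is sourced from

    @property
    def suffix(self) -> str:
        return f"{self.vpn_id}-{self.index}"

    @property
    def inside_peer(self) -> str:
        """The AWS end of the link-local /30 is the other usable host address."""
        iface = ipaddress.ip_interface(self.inside_cgw)
        hosts = list(iface.network.hosts())
        return str(hosts[1] if hosts[0] == iface.ip else hosts[0])

def crypto_section(t: Tunnel, policy: int) -> list:
    """Keyring -> ISAKMP profile -> transform set -> IPsec profile, all tied
    together by the AWS name suffix so each tunnel references one profile."""
    return [
        f"! AWS gateway #{t.index + 1}",
        f"crypto keyring keyring-{t.suffix}",
        f"  pre-shared-key address {t.vgw_outside} key {t.psk}",
        f"crypto isakmp policy {policy}",
        "  encr aes", "  authentication pre-share", "  group 2", "  lifetime 28800",
        f"crypto isakmp profile isakmp-{t.suffix}",
        f"  keyring keyring-{t.suffix}",
        f"  match identity address {t.vgw_outside} 255.255.255.255",
        f"crypto ipsec transform-set ipsec-prop-{t.suffix} esp-aes esp-sha-hmac",
        f"crypto ipsec profile ipsec-{t.suffix}",
        f"  set transform-set ipsec-prop-{t.suffix}",
        "  set pfs group2", "!",
    ]

def tunnel_section(t: Tunnel, number: int) -> list:
    """The post's site-specific NAT and policy-routing lines are left out."""
    iface = ipaddress.ip_interface(t.inside_cgw)
    return [
        f"interface Tunnel{number}",
        f"  description tunnel to AWS gateway #{t.index + 1} {t.vgw_outside}",
        f"  ip address {iface.ip} {iface.netmask}",
        "  ip virtual-reassembly", "  ip tcp adjust-mss 1396",
        f"  tunnel source {t.tunnel_source}",
        "  tunnel mode ipsec ipv4",
        f"  tunnel destination {t.vgw_outside}",
        f"  tunnel protection ipsec profile ipsec-{t.suffix}", "!",
    ]

def bgp_section(tunnels: list, local_asn: int) -> list:
    """One eBGP neighbor per tunnel, peered on the AWS end of each /30."""
    lines = [f"router bgp {local_asn}", "  bgp log-neighbor-changes"]
    for t in tunnels:
        lines += [f"  neighbor {t.inside_peer} remote-as {AWS_ASN}",
                  f"  neighbor {t.inside_peer} timers 10 30 30"]
    lines += ["  address-family ipv4", "   no synchronization", "   network 0.0.0.0"]
    for t in tunnels:
        lines += [f"   neighbor {t.inside_peer} activate",
                  f"   neighbor {t.inside_peer} default-originate",
                  f"   neighbor {t.inside_peer} soft-reconfiguration inbound"]
    return lines + ["   no auto-summary", "  exit-address-family", "!"]

def check(tunnels: list) -> list:
    """Warnings for layouts that defeat the redundancy the dual tunnel is for."""
    warnings = []
    if len({t.tunnel_source for t in tunnels}) < len(tunnels):
        warnings.append("tunnels share a tunnel source: that upstream link is a single point of failure")
    if len({t.vgw_outside for t in tunnels}) < len(tunnels):
        warnings.append("tunnels share an AWS gateway address")
    if len({ipaddress.ip_interface(t.inside_cgw).network for t in tunnels}) < len(tunnels):
        warnings.append("tunnels share an inside /30; their BGP neighbors would collide")
    return warnings

def build_config(tunnels: list, local_asn: int = 65000) -> str:
    lines = []
    for i, t in enumerate(tunnels):
        lines += crypto_section(t, 200 + i)   # policies 200, 201, ... as in the post
    lines += ["crypto isakmp keepalive 10 10",
              "crypto ipsec security-association replay window-size 128",
              "crypto ipsec df-bit clear", "!"]
    for i, t in enumerate(tunnels):
        lines += tunnel_section(t, i + 1)     # Tunnel1, Tunnel2, ...
    return "\n".join(lines + bgp_section(tunnels, local_asn))

# Constructed parameters mirroring the post; keys and ISP addresses are placeholders.
PAGE_TUNNELS = [
    Tunnel("vpn-7a6f8b13", 0, "72.21.209.225", "PSK-PLACEHOLDER-0", "169.254.255.2/30", "198.51.100.10"),
    Tunnel("vpn-7a6f8b13", 1, "72.21.209.193", "PSK-PLACEHOLDER-1", "169.254.255.6/30", "203.0.113.10"),
]
```

Run `check(PAGE_TUNNELS)` before pasting `build_config(PAGE_TUNNELS)` into the router: give both tunnels the same `tunnel_source` and the first warning is exactly the single-router, single-link layout the post advises against. For the two-router split, call `build_config` once per router with that router's single `Tunnel`.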
Ken Felix
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
^ ^
=( ^ ^ )=
o
/ \
Hello, thanks for posting this information, I was trying to find information on this topic –this was very helpful.......Netgear Router Support
Hi, this is very helpful. I just have one question. Do we need Cisco IOS SSL VPN licenses for this?