Wednesday, February 26, 2014

Dual VPC setup AWS cisco 1941 router

In this blog I'm sharing a dual VPC setup that was done with a Cisco 1941 router and the AWS cloud. This provides greater access to resources located in the cloud.


First, here's how a single VPC appears in the customer portal for Amazon Web Services:



With a dual VPC we have the ability to craft redundant access. The portal will now show 2 VPCs after you configure the 2nd path.


Now, after you walk through the steps, you will have a 2nd VPN gateway defined:





The Cisco 1941 config is also quite easy to build as either a one- or two-router setup. The former is not recommended due to the single point of failure. Either way, you will download the configurations from the AWS portal. If using 2 routers, the 2 configs will be split between the 2 routers. If you're using a single router, just apply the correct VPN keyrings and tunnel/BGP configurations.



I'm breaking up the configurations into three major steps (crypto config, tunnel & BGP).


==========CRYPTO STUFF===================


!  AWS gateway #1

crypto keyring keyring-vpn-7a6f8b13-0

  pre-shared-key address 72.21.209.225 key ####



! AWS gateway #2

crypto keyring keyring-vpn-7a6f8b13-1

  pre-shared-key address 72.21.209.193 key ####

!

crypto isakmp policy 200

 encr aes

 authentication pre-share

 group 2

 lifetime 28800

!

crypto isakmp policy 201

 encr aes

 authentication pre-share

 group 2

 lifetime 28800

crypto isakmp keepalive 10 10


crypto isakmp profile isakmp-vpn-7a6f8b13-0

   keyring keyring-vpn-7a6f8b13-0

   match identity address 72.21.209.225 255.255.255.255

crypto isakmp profile isakmp-vpn-7a6f8b13-1

   keyring keyring-vpn-7a6f8b13-1

   match identity address 72.21.209.193 255.255.255.255

!

crypto ipsec security-association replay window-size 128

!

crypto ipsec transform-set ipsec-prop-vpn-7a6f8b13-0 esp-aes esp-sha-hmac

crypto ipsec transform-set ipsec-prop-vpn-7a6f8b13-1 esp-aes esp-sha-hmac

crypto ipsec df-bit clear

!

crypto ipsec profile ipsec-vpn-7a6f8b13-0

 set transform-set ipsec-prop-vpn-7a6f8b13-0

 set pfs group2

!

crypto ipsec profile ipsec-vpn-7a6f8b13-1

 set transform-set ipsec-prop-vpn-7a6f8b13-1

 set pfs group2

!

!






==========TUNNEL STUFF===================





!

interface Tunnel1

 ip address 169.254.255.2 255.255.255.252
 description tunnel to AWS  gateway #1   72.21.209.225

 ip nat inside

 ip virtual-reassembly

 ip tcp adjust-mss 1396

 ip policy route-map nat_vpn

 tunnel source < your public address here for the ISP provider >

 tunnel mode ipsec ipv4

 tunnel destination 72.21.209.225

 tunnel protection ipsec profile ipsec-vpn-7a6f8b13-0

 !

!

interface Tunnel2

 ip address 169.254.255.6 255.255.255.252
 description tunnel to AWS  gateway #2  72.21.209.193

 ip nat inside

 ip virtual-reassembly

 ip tcp adjust-mss 1396

 ip policy route-map nat_vpn

 tunnel source < your public address here for the 2nd ISP provider >

 tunnel mode ipsec ipv4

 tunnel destination 72.21.209.193

 tunnel protection ipsec profile ipsec-vpn-7a6f8b13-1

 !





==========BGP PEERING STUFF=================== 
!

router bgp 65000

 bgp log-neighbor-changes
!
! we define the 2  bgp peers that are being used across the tunnels
!

 neighbor 169.254.255.1 remote-as 7224

 neighbor 169.254.255.1 timers 10 30 30

 neighbor 169.254.255.5 remote-as 7224

 neighbor 169.254.255.5 timers 10 30 30

 !

 address-family ipv4

  no synchronization

  network 0.0.0.0

  neighbor 169.254.255.1 activate

  neighbor 169.254.255.1 default-originate

  neighbor 169.254.255.1 soft-reconfiguration inbound

  neighbor 169.254.255.5 activate

  neighbor 169.254.255.5 default-originate

  neighbor 169.254.255.5 soft-reconfiguration inbound

  no auto-summary

 exit-address-family

!

Things to keep in mind: you have to source the tunnels from 2 unique sources.

Ideally you would buy 2 upstream links & install them in one of these fashions:


NOTE: the solution on the right is the better of the 2. In the 2nd solution, you would also direct an iBGP session between the 2 peers in your private BGP ASN.
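
A quick consistency check for a config like the one above, as an added example (not part of the original post and not an AWS or Cisco tool). It verifies that the tunnel sources are unique, that each tunnel destination has a pre-shared key, and that each tunnel /30 contains a BGP neighbor. The `audit` function name and the 203.0.113.10 / 198.51.100.10 tunnel sources are assumptions made for the illustration.

```python
import ipaddress
import re

# Constructed sample: trimmed copy of the page's config; tunnel sources are documentation addresses.
SAMPLE = """\
crypto keyring keyring-vpn-7a6f8b13-0
  pre-shared-key address 72.21.209.225 key ####
crypto keyring keyring-vpn-7a6f8b13-1
  pre-shared-key address 72.21.209.193 key ####
interface Tunnel1
 ip address 169.254.255.2 255.255.255.252
 tunnel source 203.0.113.10
 tunnel destination 72.21.209.225
interface Tunnel2
 ip address 169.254.255.6 255.255.255.252
 tunnel source 198.51.100.10
 tunnel destination 72.21.209.193
router bgp 65000
 neighbor 169.254.255.1 remote-as 7224
 neighbor 169.254.255.5 remote-as 7224
"""

def audit(config):
    """Return a list of findings; an empty list means every check passed."""
    psk_peers = set(re.findall(r"pre-shared-key address (\S+)", config))
    neighbors = [ipaddress.ip_address(n) for n in re.findall(r"neighbor (\S+) remote-as", config)]
    tunnels, name = {}, None
    for line in filter(str.strip, config.splitlines()):  # skip blank lines
        if not line.startswith(" "):  # an unindented line opens a new block
            m = re.match(r"interface (Tunnel\d+)", line)
            name = m.group(1) if m else None
            if name:
                tunnels[name] = {}
        elif name:  # indented line inside a Tunnel interface
            m = re.match(r"\s+(ip address|tunnel source|tunnel destination) (.+)", line)
            if m:
                tunnels[name][m.group(1)] = m.group(2).strip()
    findings = []
    sources = [t.get("tunnel source") for t in tunnels.values()]
    if len(set(sources)) != len(sources):
        findings.append("tunnels share a source address")
    for name, t in tunnels.items():
        if t.get("tunnel destination") not in psk_peers:
            findings.append(f"{name}: no pre-shared key for its destination")
        addr, mask = t.get("ip address", "0.0.0.0 255.255.255.255").split()[:2]
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if not any(n in net for n in neighbors):
            findings.append(f"{name}: no BGP neighbor inside {net}")
    return findings
```

Calling `audit()` on the text of a running config returns an empty list when all three checks pass.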





Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   ^   ^  )=
          o
       /     \

2 comments:

  1. Hello, thanks for posting this information, I was trying to find information on this topic –this was very helpful.......Netgear Router Support

  2. Hi, this is very helpful. I just have one question. Do we need Cisco IOS SSL VPN licenses for this?
