Wednesday, February 26, 2014

Dual VPC setup: AWS and a Cisco 1941 router

In this post I'm sharing a dual VPC setup built with a Cisco 1941 and the AWS cloud. The second path gives redundant access to resources located in the cloud.


First, here's how a single VPC appears in the Amazon Web Services customer portal:



With a dual VPC setup we can build redundant access. Once you configure the second path, the portal shows two VPCs.


After you walk through the steps you will have a second VPN gateway defined:





The Cisco 1941 configuration is also quite easy to build, as either a one-router or a two-router setup. The former is not recommended, because the single router is a single point of failure. Either way, you download the configurations from the AWS portal. With two routers, the two tunnel configurations are split between them; with a single router, apply both keyrings and both tunnel/BGP configurations to the one box.



I'm breaking the configuration up into three major pieces (crypto, tunnel and BGP).


==========CRYPTO STUFF===================

! AWS gateway #1
crypto keyring keyring-vpn-7a6f8b13-0
  pre-shared-key address 72.21.209.225 key ####
!
! AWS gateway #2
crypto keyring keyring-vpn-7a6f8b13-1
  pre-shared-key address 72.21.209.193 key ####
!
crypto isakmp policy 200
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 201
 encr aes
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp keepalive 10 10
!
crypto isakmp profile isakmp-vpn-7a6f8b13-0
   keyring keyring-vpn-7a6f8b13-0
   match identity address 72.21.209.225 255.255.255.255
crypto isakmp profile isakmp-vpn-7a6f8b13-1
   keyring keyring-vpn-7a6f8b13-1
   match identity address 72.21.209.193 255.255.255.255
!
crypto ipsec security-association replay window-size 128
!
crypto ipsec transform-set ipsec-prop-vpn-7a6f8b13-0 esp-aes esp-sha-hmac
crypto ipsec transform-set ipsec-prop-vpn-7a6f8b13-1 esp-aes esp-sha-hmac
crypto ipsec df-bit clear
!
crypto ipsec profile ipsec-vpn-7a6f8b13-0
 set transform-set ipsec-prop-vpn-7a6f8b13-0
 set pfs group2
!
crypto ipsec profile ipsec-vpn-7a6f8b13-1
 set transform-set ipsec-prop-vpn-7a6f8b13-1
 set pfs group2
!






==========TUNNEL STUFF===================

!
interface Tunnel1
 description tunnel to AWS gateway #1 72.21.209.225
 ip address 169.254.255.2 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1396
 ip policy route-map nat_vpn
 tunnel source <your public address on the 1st ISP link>
 tunnel mode ipsec ipv4
 tunnel destination 72.21.209.225
 tunnel protection ipsec profile ipsec-vpn-7a6f8b13-0
!
interface Tunnel2
 description tunnel to AWS gateway #2 72.21.209.193
 ip address 169.254.255.6 255.255.255.252
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1396
 ip policy route-map nat_vpn
 tunnel source <your public address on the 2nd ISP link>
 tunnel mode ipsec ipv4
 tunnel destination 72.21.209.193
 tunnel protection ipsec profile ipsec-vpn-7a6f8b13-1
!





==========BGP PEERING STUFF===================
!
router bgp 65000
 bgp log-neighbor-changes
 !
 ! the two BGP peers, one across each tunnel
 !
 neighbor 169.254.255.1 remote-as 7224
 neighbor 169.254.255.1 timers 10 30 30
 neighbor 169.254.255.5 remote-as 7224
 neighbor 169.254.255.5 timers 10 30 30
 !
 address-family ipv4
  no synchronization
  network 0.0.0.0
  neighbor 169.254.255.1 activate
  neighbor 169.254.255.1 default-originate
  neighbor 169.254.255.1 soft-reconfiguration inbound
  neighbor 169.254.255.5 activate
  neighbor 169.254.255.5 default-originate
  neighbor 169.254.255.5 soft-reconfiguration inbound
  no auto-summary
 exit-address-family
!

Things to keep in mind: in this design the two tunnels are sourced from two different public addresses, one per upstream link, so that a failure of one ISP takes down only one tunnel.

Ideally you would buy two upstream links and install them in one of these fashions:


NOTE: the design on the right is the better of the two. In that second design you would also run an iBGP session between the two routers within your private BGP ASN.
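The three pieces above reference each other by name and address: the keyring's peer address must match the ISAKMP profile that uses it, each tunnel destination must have an ISAKMP profile matching it, and each BGP neighbor must be the far end of a tunnel /30. Pasting the portal's two files onto one router is where those references drift. Below is an added example (my own, not the post's or the AWS-generated config) that cross-checks them offline. The sample config is a constructed, trimmed copy of the fragments above with the pre-shared keys and tunnel sources left as placeholders; the "fixed" variant fills them with a made-up key, RFC 5737 test addresses, and a hypothetical `route-map nat_vpn`, which the post references under each tunnel but never shows, so the linter flags it on the sample.

```python
"""Cross-check a Cisco IOS dual-tunnel AWS VPN config (added example, not the post's).
Crypto, tunnel and BGP pieces reference each other by name and address; this
verifies those references resolve before the config is pasted into the router."""
import ipaddress
import re

# Constructed sample: the post's fragments trimmed to the lines the checks read,
# with the PSK and tunnel sources left as portal-style placeholders on purpose.
SAMPLE_CONFIG = """\
crypto keyring keyring-vpn-7a6f8b13-0
  pre-shared-key address 72.21.209.225 key ####
crypto keyring keyring-vpn-7a6f8b13-1
  pre-shared-key address 72.21.209.193 key ####
crypto isakmp profile isakmp-vpn-7a6f8b13-0
   keyring keyring-vpn-7a6f8b13-0
   match identity address 72.21.209.225 255.255.255.255
crypto isakmp profile isakmp-vpn-7a6f8b13-1
   keyring keyring-vpn-7a6f8b13-1
   match identity address 72.21.209.193 255.255.255.255
interface Tunnel1
 ip address 169.254.255.2 255.255.255.252
 ip policy route-map nat_vpn
 tunnel source <isp1-public-ip>
 tunnel destination 72.21.209.225
interface Tunnel2
 ip address 169.254.255.6 255.255.255.252
 ip policy route-map nat_vpn
 tunnel source <isp2-public-ip>
 tunnel destination 72.21.209.193
router bgp 65000
 neighbor 169.254.255.1 remote-as 7224
 neighbor 169.254.255.5 remote-as 7224
"""
# Same config with a made-up PSK, RFC 5737 test addresses as sources, and the
# route-map the post references but never shows (hypothetical, body omitted).
FIXED_CONFIG = (SAMPLE_CONFIG.replace("key ####", "key Xk7p.Qz2_mR9vT4e")
                .replace("<isp1-public-ip>", "198.51.100.10")
                .replace("<isp2-public-ip>", "203.0.113.10")
                + "route-map nat_vpn permit 10\n")
# AWS VPN PSK rules: 8-64 chars of [A-Za-z0-9._], not starting with 0.
PSK_RE = re.compile(r"(?!0)[A-Za-z0-9._]{8,64}")


def parse_ios(text):
    """Flatten IOS config into (top-level line, [indented child lines]) blocks."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def child(kids, prefix, idx):
    """Word idx of the first child line starting with prefix, else None."""
    return next((k.split()[idx] for k in kids if k.startswith(prefix)), None)


def check_config(text):
    """Return sorted findings; an empty list means every cross-reference resolves."""
    ring_peer, isakmp_peer, rmaps, neighbors, tunnels, bad = {}, {}, set(), set(), [], []
    for head, kids in parse_ios(text):
        w = head.split()
        if head.startswith("crypto keyring "):
            ring_peer[w[2]] = child(kids, "pre-shared-key address ", 2)
            if not PSK_RE.fullmatch(child(kids, "pre-shared-key address ", 4) or ""):
                bad.append(f"keyring {w[2]}: PSK is a placeholder or breaks AWS PSK rules")
        elif head.startswith("crypto isakmp profile "):
            ring, peer = child(kids, "keyring ", 1), child(kids, "match identity address ", 3)
            isakmp_peer[w[3]] = peer
            if ring_peer.get(ring) != peer:
                bad.append(f"isakmp profile {w[3]}: keyring {ring} missing or bound to another peer")
        elif head.startswith("route-map "):
            rmaps.add(w[1])
        elif head.startswith("interface Tunnel"):
            tunnels.append({"name": w[1], "src": child(kids, "tunnel source ", 2),
                            "dst": child(kids, "tunnel destination ", 2),
                            "rmap": child(kids, "ip policy route-map ", 3),
                            "net": ipaddress.ip_interface(
                                child(kids, "ip address ", 2) + "/" + child(kids, "ip address ", 3))})
        elif head.startswith("router bgp "):
            neighbors.update(k.split()[1] for k in kids if re.match(r"neighbor \S+ remote-as ", k))
    for t in tunnels:
        if t["dst"] not in isakmp_peer.values():
            bad.append(f"{t['name']}: no isakmp profile matches peer {t['dst']}")
        if not re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", t["src"] or ""):
            bad.append(f"{t['name']}: tunnel source {t['src']!r} is not an IP (placeholder left in?)")
        if t["rmap"] and t["rmap"] not in rmaps:
            bad.append(f"{t['name']}: route-map {t['rmap']} referenced but not defined")
        # the BGP peer must be the other usable host of the tunnel's /30
        far = [h for h in t["net"].network.hosts() if h != t["net"].ip]
        if len(far) != 1 or str(far[0]) not in neighbors:
            bad.append(f"{t['name']}: no BGP neighbor for the far end of {t['net'].network}")
    for key in ("src", "dst"):
        if len({t[key] for t in tunnels}) < len(tunnels):
            bad.append(f"tunnels share the same {key}; no path diversity")
    return sorted(bad)
```

Run `check_config(SAMPLE_CONFIG)` and you get six findings (two placeholder keys, two placeholder sources, and `nat_vpn` undefined on both tunnels); `check_config(FIXED_CONFIG)` returns nothing. Once the config is on the router, the same chain is confirmed live with `show crypto isakmp sa`, `show crypto ipsec sa` and `show ip bgp summary`: both peers should be in state `QM_IDLE`, and both BGP neighbors should be Established.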





Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   ^   ^  )=
          o
       /     \

4 comments:

  1. Hello, thanks for posting this information, I was trying to find information on this topic; this was very helpful. Netgear Router Support

  2. Hi, this is very helpful. I just have one question. Do we need Cisco IOS SSL VPN licenses for this?

  3. If you are using AVG antivirus and you face any problems with AVG antivirus, dial our toll-free customer care helpline number and fix all your antivirus problems; dial our helpline number 0800-680-0619, you can call any time, 24*7.

  4. There is a chance you're eligible to get a $1,000 Amazon Gift Card.