
Introduction

This document describes how to configure an IPsec Site-to-Site VPN (Virtual Private Network) from an IOS-XE router (an ASR1K is used in the example) to the AWS (Amazon Web Services) native Site-to-Site VPN service.

 

Written by Sam Bibby, Cisco Technical Leader.

 

Configure AWS

The steps below are executed through the following AWS console menu items.

Screenshot 2022-02-03 at 08.30.18.png

 

Step 1.

Create a new VPC, defining a Name and an IPv4 CIDR block. The subnet that serves as the AWS LAN will be carved out of this block later. Select Create VPC.

Screenshot 2022-02-03 at 08.32.03.png

 

Step 2.

Create a new subnet, ensuring that the VPC ID created previously is selected. Define a subnet within the IPv4 CIDR block of that VPC; in this example 172.16.66.128/25 is used. Select Create Subnet.

Screenshot 2022-02-03 at 08.32.49.png

 

Step 3.

Create a Customer Gateway, defining the Name and setting the IP Address to the public IP address of your IOS-XE router. This is the address AWS will accept IKE from, so if the router sits behind NAT enter the public address that AWS sees rather than the router's own WAN address. Select Create Customer Gateway.

Screenshot 2022-02-03 at 08.33.54.png

 

Step 4.

Create a Virtual Private Gateway, setting a Name tag to help identify later. Select Create Virtual Private Gateway.

Screenshot 2022-02-03 at 08.34.03.png

 

 

Select the new Virtual Private Gateway and from the actions drop down select Attach to VPC. Select the VPC created previously and select Yes, Attach.

Screenshot 2022-02-03 at 08.35.03.png

 

Step 5.

Create a new VPN Connection, set a friendly Name tag. Select the Virtual Private Gateway as the Target Gateway Type and associate it with the Virtual Private Gateway created previously in Step 4.

Screenshot 2022-02-03 at 08.35.21.png

 

 

For the Customer Gateway, select Existing and associate it with the Customer Gateway created previously in Step 3.

Screenshot 2022-02-03 at 08.36.26.png

 

 

For the Routing Options, select Static. Enter, in CIDR notation, the IP prefixes of the remote networks you expect to traverse the VPN (these are the networks behind your IOS-XE router). AWS only forwards traffic for prefixes listed here, so an omitted prefix is silently dropped rather than routed.

Screenshot 2022-02-03 at 08.36.42.png

 

 

Under the tunnel options, de-select the algorithms that you will not use or cannot configure on your IOS-XE platform, so that AWS only offers the algorithms you intend to negotiate. Leaving weaker options enabled means the connection still comes up if the router is later misconfigured to propose them.

Screenshot 2022-02-04 at 10.56.47.png

 

 

Note: Consult the Next Generation Cryptography guide for latest algorithm selection recommendations https://tools.cisco.com/security/center/resources/next_generation_cryptography#

 

 

Select Create VPN Connection.

Screenshot 2022-02-03 at 08.37.49.png

 

Step 6.

Create a Route Table with a friendly Name and associate it to the VPC created previously in Step 1. Select Create route table.

Screenshot 2022-02-03 at 08.38.09.png

 

 

Select the route table and, in the lower panel on the Subnet Associations tab, choose Edit subnet associations. Select the subnet created previously in Step 2, then select Save associations.

Screenshot 2022-02-03 at 08.38.18.png

 

 

Select the route table and, from the Route Propagation tab, choose Edit route propagation. Select the Virtual Private Gateway created previously, tick Enable, and select Save. Route propagation is what installs the static prefixes entered in Step 5 into this route table with the Virtual Private Gateway as next hop; without it the VPC has no return path to the on-premises networks.

Screenshot 2022-02-03 at 08.38.30.png

 

Step 7.

Within Security Groups, ensure that the security group attached to your instances has inbound rules allowing the desired traffic from the on-premises side, then Save rules. Security groups evaluate the inner (decrypted) source address, so the rules must cover the prefixes entered under Routing Options in Step 5 as well as any address the router itself sources traffic from.

Note: 203.0.113.1 is the source IP on the IOS-XE VPN router.

Screenshot 2022-02-03 at 08.38.38.png

 

Step 8.

From Site-to-Site VPN connections, select the VPN connection created previously in Step 5. From the top menu choose Download Configuration.

Choose the vendor (Cisco) and the platform and software version that match your router.

Screenshot 2022-02-03 at 08.38.54.png

 

 

Note: If the VPN algorithms were left at their defaults in Step 5, the downloaded configuration file should be enough to bring the VPN up as-is. The following sections show how to take that template and customise it for a stronger VPN (IKEv2, AES-GCM-256, DH group 20, a front-door VRF and tracked routes).

 

Configure IOS-XE

The steps below are executed on the IOS-XE CLI.

Step 1.

Extract the needed variables from the downloaded AWS template:

 

- Two keyrings with the PSK (Pre-Shared Keys)

crypto keyring keyring-vpn-000001
 pre-shared-key address 192.0.2.50 key secretkey01
!
crypto keyring keyring-vpn-000002
 pre-shared-key address 198.51.100.50 key secretkey02

- Two tunnel destinations and interface addresses

interface Tunnel1
 ip address 203.0.113.238 255.255.255.252
 tunnel destination 192.0.2.50
!
interface Tunnel2
 ip address 203.0.113.70 255.255.255.252
 tunnel destination 198.51.100.50

 

Note: AWS creates two VPN tunnels for each Site-to-Site VPN connection, terminating on two different AWS endpoints. Configure both, so the connection survives maintenance on one AWS endpoint.

Step 2.

Configure the WAN-facing port with an IP address if not using DHCP. This example uses an optional front-door VRF (FVRF) to isolate the WAN port from the enterprise routing space, so the only path from the Internet into the global routing table is through the IPsec tunnels. The FVRF also needs its own route towards the AWS endpoints, typically a default route to the provider next hop (ip route vrf FVRF 0.0.0.0 0.0.0.0 followed by the ISP gateway address), unless DHCP supplies one.

 

vrf definition FVRF
 address-family ipv4
!
interface GigabitEthernet0/0/0
 description To_WAN
 vrf forwarding FVRF
 ip address 203.0.113.1 255.255.255.0
!

 

Step 3.

Set up the IKEv2 keyring using the extracted AWS keys and addresses. For this S2S VPN the AWS endpoint (source) addresses are used to select the key. Note that AWS issues a single pre-shared key per tunnel and uses it in both directions, so the local and remote keys for each peer must be identical. Consider enabling type 6 encryption (key config-key password-encrypt, then password encryption aes) so the PSKs are not stored in clear text in the running configuration.

 

!! The keyring name and peer names can be set as you desire.
crypto ikev2 keyring AWS
 peer 192.0.2.50_AWS01
  !! Set the address of the AWS peer from the AWS config file (keyrings)
  address 192.0.2.50
  !! AWS issues one PSK per tunnel and uses it in both directions, so the
  !! local and remote keys carry the same value from the AWS config file (keyrings)
  pre-shared-key local secretkey01
  pre-shared-key remote secretkey01
 !
 !! Set up the second tunnel
 peer 198.51.100.50_AWS02
  address 198.51.100.50
  pre-shared-key local secretkey02
  pre-shared-key remote secretkey02

 

Step 4.

Set up the IKEv2 and IPsec policy towards AWS.

 

!!! Optionally lower the IKEv2 fragmentation MTU to account for the provider network.
crypto ikev2 fragmentation mtu 1200
!
!!! Set up the IKEv2 proposal to match what was set in AWS (AES-GCM-256, SHA-512 PRF, DH group 20).
!!! AES-GCM is a combined-mode cipher that provides its own integrity, so no integrity line is set.
crypto ikev2 proposal default
 encryption aes-gcm-256
 prf sha512
 group 20
!
!!! Set up the IKEv2 policy, binding the proposal to the front-door VRF
crypto ikev2 policy default
 match fvrf FVRF
 proposal default
!
!!! Set up the IPsec transform set to match what was set in AWS. AWS terminates the VTI
!!! in tunnel mode (see the "Tunnel UDP-Encaps" setting in the Verify section).
crypto ipsec transform-set ALL-WAN-FLEX-VPN esp-gcm 256
 mode tunnel
!
!!! Set up the IKEv2 profile
crypto ikev2 profile default
 !! If using a front-door VRF define it here.
 match fvrf FVRF
 !! The two addresses are the extracted AWS endpoint addresses (also used in the keyring)
 match identity remote address 192.0.2.50 255.255.255.255
 match identity remote address 198.51.100.50 255.255.255.255
 !! The local identity is our WAN (tunnel source) address
 identity local address 203.0.113.1
 !! Define the authentication method and keyring name
 authentication local pre-share
 authentication remote pre-share
 keyring local AWS
 !! Dead peer detection: probe every 10 s, retry every 2 s, only when traffic is queued
 dpd 10 2 on-demand
!
!!! Set up the IPsec profile; PFS gives each child SA its own DH exchange
crypto ipsec profile default
 set transform-set ALL-WAN-FLEX-VPN
 set pfs group20
 set ikev2-profile default

 

Step 5.

Set up the VTIs (Virtual Tunnel Interfaces) towards AWS using the extracted AWS addresses. The tunnel interfaces live in the global routing table while their source and destination are resolved in the FVRF.

 

interface Tunnel1
 description TO AWS1
 !! If using the front-door VRF specify it here; the tunnel interface itself stays in the global table
 tunnel vrf FVRF
 ip address 203.0.113.238 255.255.255.252
 !! Specify the configured IPsec profile to use
 tunnel protection ipsec profile default
 tunnel source 203.0.113.1
 !! AWS expects an IPsec IP tunnel (VTI), not a GRE tunnel
 tunnel mode ipsec ipv4
 tunnel destination 192.0.2.50
 ip mtu 1400
 !! Optionally adjust this to ip mtu minus the 40 bytes of IPv4 and TCP headers
 ip tcp adjust-mss 1360
!
interface Tunnel2
 description TO AWS2
 tunnel vrf FVRF
 ip address 203.0.113.70 255.255.255.252
 tunnel protection ipsec profile default
 tunnel source 203.0.113.1
 tunnel mode ipsec ipv4
 tunnel destination 198.51.100.50
 ip mtu 1400
 ip tcp adjust-mss 1360
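Steps 1, 3 and 5 above extract the per-tunnel values from the AWS template by hand and retype them into the IKEv2 keyring and VTI stanzas. The Python below is an added example, not code from the original article, from Cisco or from AWS: it parses a constructed excerpt in the shape of the AWS Cisco IOS download (using this article's sanitised addresses and keys), derives the AWS end of each /30 for the SLA probes and next hops, computes an inner MTU and MSS from the ESP AES-GCM tunnel-mode overhead, and renders the keyring and tunnel stanzas. The peer names, the profile name "default" and the WAN MTU of 1500 are assumptions; the article's ip mtu 1400 / adjust-mss 1360 are a more conservative rounding of the same calculation.

```python
"""Turn the AWS-generated Cisco IOS template into the IKEv2 keyring and VTI stanzas
used in this article. Added example; not AWS or Cisco tooling."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed excerpt in the shape of the AWS "Cisco IOS" download, using the
# article's sanitised addresses and keys. Not a real AWS-issued file.
AWS_TEMPLATE = """\
! IPSec Tunnel #1
crypto keyring keyring-vpn-000001
  local-address 203.0.113.1
  pre-shared-key address 192.0.2.50 key secretkey01
exit
interface Tunnel1
  ip address 203.0.113.238 255.255.255.252
  tunnel source 203.0.113.1
  tunnel destination 192.0.2.50
  tunnel mode ipsec ipv4
exit
! IPSec Tunnel #2
crypto keyring keyring-vpn-000002
  local-address 203.0.113.1
  pre-shared-key address 198.51.100.50 key secretkey02
exit
interface Tunnel2
  ip address 203.0.113.70 255.255.255.252
  tunnel source 203.0.113.1
  tunnel destination 198.51.100.50
  tunnel mode ipsec ipv4
exit
"""


@dataclass
class AwsTunnel:
    number: int
    aws_endpoint: str    # AWS public address: IKE peer and tunnel destination
    psk: str             # one key per tunnel, used in both directions
    inside_ip: str       # our end of the /30 inside the tunnel
    inside_mask: str
    aws_inside_ip: str   # AWS end of the /30: SLA probe target and next hop


def parse_aws_template(text):
    """Pair each Tunnel interface with the PSK keyed on the same AWS endpoint address."""
    keys = dict(re.findall(r"pre-shared-key address (\S+) key (\S+)", text))
    tunnels = []
    for num, body in re.findall(r"interface Tunnel(\d+)\n(.*?)\nexit", text, re.S):
        ip, mask = re.search(r"ip address (\S+) (\S+)", body).groups()
        dest = re.search(r"tunnel destination (\S+)", body).group(1)
        if dest not in keys:
            raise ValueError(f"Tunnel{num}: no pre-shared key for {dest}")
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        peer = next(h for h in net.hosts() if str(h) != ip)   # the other host of the /30
        tunnels.append(AwsTunnel(int(num), dest, keys[dest], ip, mask, str(peer)))
    return tunnels


def tunnel_mtu(wan_mtu=1500, nat_t=True):
    """(ip mtu, tcp mss) for ESP tunnel mode with AES-GCM-16: outer IPv4 20 + UDP 8 when
    NAT-T is in use + ESP SPI/sequence 8 + IV 8 + pad-length/next-header 2 + ICV 16,
    plus up to 3 bytes of padding to a 4-byte boundary. MSS is the MTU less IPv4+TCP headers."""
    fixed = 20 + (8 if nat_t else 0) + 8 + 8 + 2 + 16
    mtu = (wan_mtu - fixed - 3) // 4 * 4
    return mtu, mtu - 40


def render_ios_xe(tunnels, local_ip="203.0.113.1", fvrf="FVRF", wan_mtu=1500):
    """Keyring and VTI stanzas; peer names and the profile name 'default' are assumptions."""
    mtu, mss = tunnel_mtu(wan_mtu)
    out = ["crypto ikev2 keyring AWS"]
    for t in tunnels:
        out += [f" peer AWS{t.number:02d}", f"  address {t.aws_endpoint}",
                f"  pre-shared-key local {t.psk}",    # same key both ways: AWS issues one PSK per tunnel
                f"  pre-shared-key remote {t.psk}"]
    for t in tunnels:
        out += ["!", f"interface Tunnel{t.number}", f" description TO AWS{t.number}",
                f" tunnel vrf {fvrf}", f" ip address {t.inside_ip} {t.inside_mask}",
                f" tunnel source {local_ip}", f" tunnel destination {t.aws_endpoint}",
                " tunnel mode ipsec ipv4", " tunnel protection ipsec profile default",
                f" ip mtu {mtu}", f" ip tcp adjust-mss {mss}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_ios_xe(parse_aws_template(AWS_TEMPLATE)))
```

Running it prints the rendered configuration. The same key is emitted for local and remote on each peer because AWS uses one PSK per tunnel in both directions, and the derived AWS-side /30 addresses (203.0.113.237 and 203.0.113.69 here) are the ones the IP SLA probes and tracked default routes in Step 6 should reference.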

 

Step 6.

As static routing was defined within AWS, the inverse routes to the AWS-hosted subnets must be configured on the IOS-XE device. The example below uses a default route over each tunnel, with the expectation that more specific routes are learned locally from the LAN (Local Area Network) ports. In production, prefer routing only the VPC CIDR block from Step 1 over the tunnels, so that Internet-bound traffic is never sent towards AWS by accident.

The IP SLAs are provided as part of the AWS template configuration; here they are used to validate the default routes. Each probe pings the AWS end of the tunnel's /30 from the tunnel interface, so a route is only installed while its tunnel actually forwards traffic. Both default routes share the same administrative distance, so when both tunnels are up traffic is load-shared across them; to run the tunnels active/standby instead, give the second route a higher administrative distance (a distance value before the track keyword).

 

!!! Probe the AWS end of each tunnel's /30 from the tunnel interface itself
ip sla 100
 icmp-echo 203.0.113.237 source-interface Tunnel1
 timeout 1000
 frequency 5
 exit
ip sla schedule 100 life forever start-time now
!
track 100 ip sla 100 reachability
!
ip sla 200
 icmp-echo 203.0.113.69 source-interface Tunnel2
 timeout 1000
 frequency 5
 exit
ip sla schedule 200 life forever start-time now
!
track 200 ip sla 200 reachability
!
!!! Each default route is only installed while its tunnel answers the probe
ip route 0.0.0.0 0.0.0.0 203.0.113.237 track 100
ip route 0.0.0.0 0.0.0.0 203.0.113.69 track 200
!

 

 

Verify

Step 1.

Confirm that the IOS-XE device establishes IKEv2 (phase 1) security associations with both AWS endpoints. The status of each SA should be READY and the negotiated algorithms should match the proposal configured in Step 4 (AES-GCM with a 256-bit key, SHA512 PRF, DH group 20, PSK authentication); Hash: None is expected because AES-GCM carries its own integrity. In the example below port 4500 is in use because the VPN is undergoing NAT traversal; without NAT, port 500 would be shown.

 

IOSXE_AWS_VPN#show crypto ikev2 sa
 IPv4 Crypto IKEv2  SA
Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         203.0.113.1/4500    192.0.2.50/4500       FVRF/none            READY 
      Encr: AES-GCM, keysize: 256, PRF: SHA512, Hash: None, DH Grp:20, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/73 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         203.0.113.1/4500    198.51.100.50/4500    FVRF/none            READY 
      Encr: AES-GCM, keysize: 256, PRF: SHA512, Hash: None, DH Grp:20, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/75 sec

 

 

Step 2.

Confirm the IPsec SAs and phase 2 encryption on the IOS-XE device. There should be an inbound and an outbound SA installed for each peer with the desired transform (esp-gcm 256) in tunnel mode, and the encaps and decaps counters should both be incrementing; a counter that only moves in one direction usually points at a missing route or security group rule on the other side.

 

IOSXE_AWS_VPN#show crypto ipsec sa | inc Tunnel|endpt|pkts|transform
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 203.0.113.1
    #pkts encaps: 108, #pkts encrypt: 108, #pkts digest: 108
    #pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
     local crypto endpt.: 203.0.113.1, remote crypto endpt.: 192.0.2.50
        transform: esp-gcm 256 ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2, flow_id: SW:2, sibling_flags 80000040, crypto map: Tunnel1-head-0
        transform: esp-gcm 256 ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 1, flow_id: SW:1, sibling_flags 80000040, crypto map: Tunnel1-head-0

interface: Tunnel2
    Crypto map tag: Tunnel2-head-0, local addr 203.0.113.1
    #pkts encaps: 98, #pkts encrypt: 98, #pkts digest: 98
    #pkts decaps: 98, #pkts decrypt: 98, #pkts verify: 98
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
     local crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.50
        transform: esp-gcm 256 ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 4, flow_id: SW:4, sibling_flags 80000040, crypto map: Tunnel2-head-0
        transform: esp-gcm 256 ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 3, flow_id: SW:3, sibling_flags 80000040, crypto map: Tunnel2-head-0
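Verify Steps 1 and 2 above read the two show commands by eye. The Python below is an added example, not Cisco tooling and not part of the original article: it parses constructed samples modelled on the article's verify output (with the AWS endpoint addresses substituted), checks that both IKEv2 SAs are READY with AES-GCM-256, SHA512 PRF, DH group 20 and PSK authentication, that each IPsec SA uses esp-gcm 256 in tunnel mode, and that the encaps and decaps counters have advanced between two snapshots. The second snapshot is constructed to show a stalled Tunnel2, which the check reports. The expected peer set and algorithm names are assumptions taken from this article's configuration.

```python
"""Check 'show crypto ikev2 sa' / 'show crypto ipsec sa' output against the policy
configured in this article. Added example; not Cisco tooling."""
import re

# Constructed samples modelled on the article's verify output (AWS endpoints substituted).
IKEV2_SA = """\
 IPv4 Crypto IKEv2  SA
Tunnel-id Local                 Remote                fvrf/ivrf            Status
2         203.0.113.1/4500    192.0.2.50/4500       FVRF/none            READY
      Encr: AES-GCM, keysize: 256, PRF: SHA512, Hash: None, DH Grp:20, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/73 sec

Tunnel-id Local                 Remote                fvrf/ivrf            Status
1         203.0.113.1/4500    198.51.100.50/4500    FVRF/none            READY
      Encr: AES-GCM, keysize: 256, PRF: SHA512, Hash: None, DH Grp:20, Auth sign: PSK, Auth verify: PSK
      Life/Active Time: 86400/75 sec
"""
IPSEC_SA = """\
interface: Tunnel1
    #pkts encaps: 108, #pkts encrypt: 108, #pkts digest: 108
    #pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
     local crypto endpt.: 203.0.113.1, remote crypto endpt.: 192.0.2.50
        transform: esp-gcm 256 ,
        in use settings ={Tunnel UDP-Encaps, }
interface: Tunnel2
    #pkts encaps: 98, #pkts encrypt: 98, #pkts digest: 98
    #pkts decaps: 98, #pkts decrypt: 98, #pkts verify: 98
     local crypto endpt.: 203.0.113.1, remote crypto endpt.: 198.51.100.50
        transform: esp-gcm 256 ,
        in use settings ={Tunnel UDP-Encaps, }
"""
# Later snapshot (constructed): Tunnel1 keeps passing traffic, Tunnel2's counters are frozen.
IPSEC_SA_LATER = IPSEC_SA.replace("encaps: 108", "encaps: 160").replace("decaps: 100", "decaps: 151")

# Expected values, taken from the proposal, transform set and keyring in this article.
EXPECTED_IKE = {"encr": "AES-GCM", "keysize": "256", "prf": "SHA512", "dh": "20"}
EXPECTED_PEERS = {"192.0.2.50", "198.51.100.50"}

SA_LINE = re.compile(r"^(\d+)\s+(\S+)/(\d+)\s+(\S+)/(\d+)\s+\S+\s+(\S+)\s*$", re.M)
ALG_LINE = re.compile(r"Encr: (\S+), keysize: (\d+), PRF: (\S+), Hash: \S+, DH Grp:(\d+), "
                      r"Auth sign: (\S+), Auth verify: (\S+)")


def parse_ikev2_sa(text):
    """One dict per IKE SA: remote peer, NAT-T in use, status and negotiated algorithms."""
    sas = []
    for m in SA_LINE.finditer(text):
        alg = ALG_LINE.search(text, m.end())          # the Encr: line that follows the SA line
        sas.append({"remote": m.group(4), "status": m.group(6), "nat_t": m.group(5) == "4500",
                    "encr": alg.group(1), "keysize": alg.group(2), "prf": alg.group(3),
                    "dh": alg.group(4), "auth": (alg.group(5), alg.group(6))})
    return sas


def check_ikev2(sas, expected=EXPECTED_IKE, peers=EXPECTED_PEERS):
    """Phase 1 findings; an empty list means every expected peer is READY with the right crypto."""
    findings = [f"no IKEv2 SA with {p}" for p in sorted(peers - {sa["remote"] for sa in sas})]
    for sa in sas:
        if sa["status"] != "READY":
            findings.append(f"{sa['remote']}: status {sa['status']}")
        for key, want in expected.items():
            if sa[key] != want:
                findings.append(f"{sa['remote']}: {key} is {sa[key]}, expected {want}")
        if sa["auth"] != ("PSK", "PSK"):
            findings.append(f"{sa['remote']}: unexpected authentication {sa['auth']}")
    return findings


def parse_ipsec_sa(text):
    """Per tunnel interface: encaps/decaps counters, negotiated transform and mode."""
    result = {}
    for chunk in re.split(r"(?=^interface: )", text, flags=re.M):
        name = re.match(r"interface: (\S+)", chunk)
        if name:
            result[name.group(1)] = {
                "encaps": int(re.search(r"#pkts encaps: (\d+)", chunk).group(1)),
                "decaps": int(re.search(r"#pkts decaps: (\d+)", chunk).group(1)),
                "transform": re.search(r"transform: (esp-\S+ \d+)", chunk).group(1),
                "tunnel_mode": "{Tunnel" in chunk,
            }
    return result


def check_ipsec(before, after, transform="esp-gcm 256"):
    """Phase 2 findings across two snapshots: transform, tunnel mode, traffic in both directions."""
    findings = []
    for name, now in after.items():
        if now["transform"] != transform:
            findings.append(f"{name}: transform {now['transform']}, expected {transform}")
        if not now["tunnel_mode"]:
            findings.append(f"{name}: not in tunnel mode (AWS requires tunnel mode)")
        old = before.get(name, {"encaps": 0, "decaps": 0})
        for ctr in ("encaps", "decaps"):
            if now[ctr] <= old[ctr]:
                findings.append(f"{name}: {ctr} counter not increasing ({old[ctr]} -> {now[ctr]})")
    return findings


if __name__ == "__main__":
    for finding in check_ikev2(parse_ikev2_sa(IKEV2_SA)) + check_ipsec(
            parse_ipsec_sa(IPSEC_SA), parse_ipsec_sa(IPSEC_SA_LATER)):
        print("FAIL", finding)
```

Feed it two captures taken a few seconds apart (after generating traffic through the tunnels) and any finding it prints is worth chasing before declaring the VPN healthy; a clean phase 1 with frozen counters is the classic symptom of an AWS route table without propagation enabled or a security group that does not admit the on-premises prefixes.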

 

Step 3.

Confirm that the tracked objects are up and report "Reachability is Up"; a tracked default route is only installed in the routing table while its track is up.

 

IOSXE_AWS_VPN#show track
Track 100
  IP SLA 100 reachability
  Reachability is Up
    2 changes, last change 00:09:46
  Latest operation return code: OK
  Latest RTT (millisecs) 27
  Tracked by:
    Static IP Routing 0

Track 200
  IP SLA 200 reachability
  Reachability is Up
    2 changes, last change 00:09:36
  Latest operation return code: OK
  Latest RTT (millisecs) 28
  Tracked by:
    Static IP Routing 0

 

 

Step 4.

In AWS, confirm that both tunnels of the VPN connection are UP: from Site-to-Site VPN connections, select the VPN and check the Tunnel details status.

 

Screenshot 2022-02-03 at 08.39.05.png

 

 

 

 
