Sample Chapter is provided courtesy of Cisco Press. Chapter Description: This chapter introduces strategies that can be used to systematically design a functional network, such as the hierarchical network design model, the Cisco Enterprise Architecture, and appropriate device selections. How is the hierarchical network used in small business?
What are the recommendations for designing a network that is scalable? What features in switch hardware are necessary to support small- to medium-sized business network requirements? What types of routers are available for small- to medium-sized business networks? What are the basic configuration settings for a Cisco IOS device?
A customer gateway is the anchor on your side of that connection. It can be a physical or software appliance. The anchor on the AWS side of the VPN connection is called a virtual private gateway. The following diagram shows your network, the customer gateway, the VPN connection that goes to the virtual private gateway, and the VPC. There are two lines between the customer gateway and virtual private gateway because the VPN connection consists of two tunnels to provide increased availability for the Amazon VPC service.
If there’s a device failure within AWS, your VPN connection automatically fails over to the second tunnel so that your access isn’t interrupted. You can create additional VPN connections to other VPCs using the same customer gateway device. You can reuse the same customer gateway IP address for each of those VPN connections. When you create a VPN connection, the VPN tunnel comes up when traffic is generated from your side of the VPN connection.
AWS VPN endpoints support rekey and can start renegotiations when phase 1 is about to expire if the customer gateway hasn’t sent any renegotiation traffic. For more information about the components of a VPN connection, see VPN Connections in the Amazon VPC User Guide. To protect against a loss of connectivity if your customer gateway becomes unavailable, you can set up a second VPN connection. For more information, see Using Redundant VPN Connections to Provide Failover.
You can use the AWS Management Console to create a VPN connection and get the information that you need to configure your customer gateway. Overview of Setting Up a VPN Connection: The process of setting up the VPN connection in AWS is covered in the Amazon VPC User Guide. One task in the overall process is to configure the customer gateway. To create the VPN connection, AWS needs information about the customer gateway, and you must configure the customer gateway device itself. Designate an appliance to act as your customer gateway. For more information, see Customer Gateway Devices We’ve Tested and Requirements for Your Customer Gateway.
Get the necessary Network Information, and provide this information to the team that will create the VPN connection in AWS. Create the VPN connection in AWS and get the configuration file for your customer gateway. For more information, see Setting Up an AWS VPN Connection in the Amazon VPC User Guide. Configure your customer gateway using the information from the configuration file. Examples are provided in this guide. Generate traffic from your side of the VPN connection to bring up the VPN tunnel.
Network Information To create a VPN connection in AWS, you need the following information. This information is used to generate a configuration file for the customer gateway. The internet-routable IP address for the customer gateway device’s external interface. For a NAT configuration, traffic sent across a VPN tunnel must not be translated to the customer gateway IP address.
For the customer gateway’s BGP Autonomous System Number (ASN), you can use an existing ASN assigned to your network. Otherwise, we assume that the BGP ASN for the customer gateway is 65000. The ASN for the Amazon side of the BGP session is specified when creating a virtual private gateway. If you do not specify a value, the default ASN applies. For more information, see Virtual Private Gateway.
Pre-shared key to establish the initial IKE Security Association between the virtual private gateway and customer gateway. For more information, see Configuring the VPN Tunnels for Your VPN Connection. The configuration file for your customer gateway includes the values that you specify for the above items. It also contains any additional values required for setting up the VPN tunnels, including the outside IP address for the virtual private gateway. This value is static unless you recreate the VPN connection in AWS. We use BGP routing to determine the path for traffic.
If one customer gateway fails, the virtual private gateway directs all traffic to the working customer gateway. The virtual private gateway routes traffic to the appropriate site and advertises the reachability of one site to all other sites. Then create a VPN connection from each customer gateway to a common virtual private gateway. Use the instructions that follow to configure each customer gateway to connect to the virtual private gateway. For complete instructions, see VPN Connections in the Amazon VPC User Guide.
Configuring Multiple VPN Connections to Your VPC You can create up to ten VPN connections for your VPC. You can use multiple VPN connections to link your remote offices to the same VPC. For example, if you have offices in Los Angeles, Chicago, New York, and Miami, you can link each of these offices to your VPC. You can also use multiple VPN connections to establish redundant customer gateways from a single location. If you need more than ten VPN connections, complete the Request to Increase Amazon VPC Limits form to request an increased limit. When you create multiple VPN connections, the virtual private gateway sends network traffic to the appropriate VPN connection using statically assigned routes or BGP route advertisements, depending upon how the VPN connection was configured.
Statically assigned routes are preferred over BGP advertised routes in cases where identical routes exist in the virtual private gateway. When you have customer gateways at multiple geographic locations, each customer gateway should advertise a unique set of IP ranges specific to the location. When you establish redundant customer gateways at a single location, both gateways should advertise the same IP ranges. The virtual private gateway receives routing information from all customer gateways and calculates the set of preferred paths using the BGP best path selection algorithm.
For more information, see Route Priority in the Amazon VPC User Guide. When the prefixes are the same, statically configured VPN connections, if they exist, are preferred. For matching prefixes where each VPN connection uses BGP, the AS PATH is compared and the prefix with the shortest AS PATH is preferred. Alternatively, you can prepend AS_PATH, so that the path is less preferred.
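The selection order just described (a statically configured VPN connection wins over BGP for an identical prefix, then the shortest AS_PATH, then the path origin, with AS_PATH prepending as the lever for making a path less preferred) worked through over a constructed set of advertisements. This is an added example, not AWS code; the gateway names, prefixes, and the IGP-before-EGP-before-INCOMPLETE origin ranking are assumptions for illustration.

```python
"""Route selection in the virtual private gateway for identical prefixes:
static over BGP, then shortest AS_PATH, then origin.  Added example; the
sample advertisements below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List

# Standard BGP origin preference, lower is better (assumed ranking).
ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}


@dataclass
class Route:
    prefix: str                          # e.g. "10.1.0.0/16"
    via: str                             # customer gateway / VPN connection
    static: bool = False                 # statically configured connection
    as_path: List[int] = field(default_factory=list)
    origin: str = "igp"

    def rank(self):
        # Compared lexicographically: static first, then shorter AS_PATH,
        # then better origin.  Further tie-breaks are not covered here.
        return (0 if self.static else 1, len(self.as_path), ORIGIN_RANK[self.origin])


def prepend(route: Route, times: int) -> Route:
    """Copy of route with its own ASN prepended `times` more times, which
    lengthens the AS_PATH and makes the path less preferred."""
    head = route.as_path[0]
    return Route(route.prefix, route.via, route.static,
                 [head] * times + route.as_path, route.origin)


def select_best(routes: List[Route]) -> Dict[str, Route]:
    """Best path per prefix; on a full tie the first advertisement seen wins."""
    best: Dict[str, Route] = {}
    for r in routes:
        cur = best.get(r.prefix)
        if cur is None or r.rank() < cur.rank():
            best[r.prefix] = r
    return best


def sample_routes() -> List[Route]:
    # Constructed: two redundant LA gateways advertise the same prefix, one
    # prepended; Chicago is reachable via a static and a BGP connection;
    # New York has equal-length AS_PATHs but different origins.
    la1 = Route("10.1.0.0/16", "cgw-la-1", as_path=[65000])
    la2 = prepend(Route("10.1.0.0/16", "cgw-la-2", as_path=[65000]), 2)
    chi_static = Route("10.2.0.0/16", "cgw-chi-static", static=True)
    chi_bgp = Route("10.2.0.0/16", "cgw-chi-bgp", as_path=[65000])
    ny1 = Route("10.3.0.0/16", "cgw-ny-1", as_path=[65000], origin="incomplete")
    ny2 = Route("10.3.0.0/16", "cgw-ny-2", as_path=[65000], origin="igp")
    return [la1, la2, chi_static, chi_bgp, ny1, ny2]


def best_by_prefix() -> Dict[str, str]:
    """Prefix -> name of the connection the gateway would send traffic to."""
    return {p: r.via for p, r in select_best(sample_routes()).items()}


if __name__ == "__main__":
    for prefix, via in best_by_prefix().items():
        print(prefix, "->", via)
```

The prepended LA gateway loses on AS_PATH length even though it advertises the same prefix, which is exactly what makes prepending useful for expressing a preferred and a backup gateway at one site.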
When the AS PATHs are the same length, the path origin is compared. The following diagram shows the configuration of multiple VPNs. Customer Gateway Devices We’ve Tested: Your customer gateway can be a physical or software appliance. For information about the specific routers that we’ve tested, see What customer gateway devices are known to work with Amazon VPC? in the Connectivity section of the Amazon VPC FAQ. Tested devices include Check Point Security Gateway running R77, Cisco ASA running Cisco ASA 8., and Cisco IOS running Cisco IOS 12. If you have one of these devices, but configure it for IPsec in a different way than presented in this guide, feel free to alter our suggested configuration to match your particular needs. Requirements for Your Customer Gateway: There are four main parts to the configuration of your customer gateway.
Throughout this guide, we use a symbol for each of these parts to help you understand what you need to do. The following table shows the four parts and the corresponding symbols. If you have a device that isn’t in the preceding list of tested devices, this section describes the requirements the device must meet for you to use it with Amazon VPC. Each VPN connection consists of two separate tunnels.
Each tunnel contains an IKE Security Association, an IPsec Security Association, and a BGP Peering. Some devices use policy-based VPN and will create as many SAs as ACL entries. Therefore, you may need to consolidate your rules and then filter so you don’t permit unwanted traffic. The VPN tunnel comes up when traffic is generated from your side of the VPN connection. The IKE Security Association is established first between the virtual private gateway and customer gateway using the pre-shared key as the authenticator. Upon establishment, IKE negotiates an ephemeral key to secure future IKE messages. Proper establishment of an IKE Security Association requires complete agreement among the parameters, including encryption and authentication parameters.
When you create a VPN connection in AWS, you can specify your own pre-shared key for each tunnel, or you can let AWS generate one for you. Traffic between gateways is encrypted and decrypted using the IPsec Security Association. The ephemeral keys used to encrypt traffic within the IPsec SA are automatically rotated by IKE on a regular basis to ensure confidentiality of communications. The encryption function is used to ensure privacy for both IKE and IPsec Security Associations. The hashing function is used to authenticate both IKE and IPsec Security Associations. IKE uses Diffie-Hellman to establish ephemeral keys to secure all communication between customer gateways and virtual private gateways. The use of Dead Peer Detection enables the VPN devices to rapidly identify when a network condition prevents delivery of packets across the internet.
When this occurs, the gateways delete the Security Associations and attempt to create new associations. During this process, the alternate IPsec tunnel is utilized if possible. Your gateway must support the ability to bind the IPsec tunnel to a logical interface. The logical interface contains an IP address used to establish BGP peering to the virtual private gateway. When packets are too large to be transmitted, they must be fragmented.
We will not reassemble fragmented encrypted packets. Therefore, your VPN device must fragment packets before encapsulating with the VPN headers. The fragments are individually transmitted to the remote host, which reassembles them. BGP is used to exchange routes between the customer gateway and virtual private gateway for devices that use BGP. All BGP traffic is encrypted and transmitted via the IPsec Security Association. BGP is required for both gateways to exchange the IP prefixes reachable through the IPsec SA.
We recommend you use the techniques listed in the following table to minimize problems related to the amount of data that can be transmitted through the IPsec tunnel. TCP packets are often the most prevalent type of packet across IPsec tunnels. Some gateways have the ability to change the TCP Maximum Segment Size parameter. This is an ideal approach, as the packets arriving at the VPN devices are small enough to be encapsulated and transmitted.
If the packets carry the DF (Don’t Fragment) flag, the gateways generate an ICMP Path MTU Exceeded message. In some cases, applications do not contain adequate mechanisms for processing these ICMP messages and reducing the amount of data transmitted in each packet. Some VPN devices have the ability to override the DF flag and fragment packets unconditionally as required. If you have a firewall between your customer gateway and the Internet, see Configuring a Firewall Between the Internet and Your Customer Gateway. If a firewall is in place between the Internet and your gateway, the rules in the following tables must be in place to establish the IPsec tunnels. Rules I1, I2, O1, and O2 enable the transmission of IKE packets.
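A worked sizing for the MSS clamp and the DF decision described above, as an added example (not AWS or Cisco code). It assumes tunnel-mode ESP over IPv4 with AES-CBC and HMAC-SHA1-96 (the esp-aes esp-sha-hmac transform used in the Cisco configuration later on this page) and a 1500-byte path MTU; the byte counts are the standard header and trailer sizes for those algorithms, which the page itself does not state, and the packet sizes fed in are constructed.

```python
"""Tunnel-mode ESP sizing: how big an inner packet can be, what MSS to
clamp to, and what a gateway does with an oversized packet (encapsulate,
fragment before encrypting, or send ICMP "fragmentation needed" when DF
is set).  Added example; overhead figures are the standard ESP/IPv4 sizes
for AES-CBC + HMAC-SHA1-96, assumed here."""
from typing import List

IPV4_HDR = 20        # IPv4 header (inner packet, and the new outer header)
ESP_HDR = 8          # SPI + sequence number
AES_CBC_IV = 16      # IV for AES-CBC (esp-aes)
ESP_TRAILER = 2      # pad length + next header
SHA1_ICV = 12        # HMAC-SHA1-96 integrity check value (esp-sha-hmac)
NAT_T_UDP = 8        # extra UDP header when NAT traversal is in use
CIPHER_BLOCK = 16    # AES block size; the padded region aligns to this
TCP_HDR = 20         # TCP header without options


def esp_packet_size(inner_len: int, nat_t: bool = False) -> int:
    """Bytes on the wire once an inner IPv4 packet is ESP-encapsulated."""
    # Encrypted region = inner packet + padding + 2-byte trailer, block aligned.
    pad = (-(inner_len + ESP_TRAILER)) % CIPHER_BLOCK
    size = (IPV4_HDR + ESP_HDR + AES_CBC_IV + inner_len + pad
            + ESP_TRAILER + SHA1_ICV)
    return size + (NAT_T_UDP if nat_t else 0)


def max_inner_packet(path_mtu: int = 1500, nat_t: bool = False) -> int:
    """Largest inner IPv4 packet that fits path_mtu after encapsulation."""
    fixed = IPV4_HDR + ESP_HDR + AES_CBC_IV + SHA1_ICV + (NAT_T_UDP if nat_t else 0)
    room = (path_mtu - fixed) // CIPHER_BLOCK * CIPHER_BLOCK
    return room - ESP_TRAILER


def tcp_mss_clamp(path_mtu: int = 1500, nat_t: bool = False) -> int:
    """MSS to advertise so that a full-size TCP segment never needs fragmenting."""
    return max_inner_packet(path_mtu, nat_t) - IPV4_HDR - TCP_HDR


def prefragment(inner_len: int, path_mtu: int = 1500) -> List[int]:
    """Fragment the clear packet before encapsulation (what the guide asks the
    customer gateway to do).  Returns fragment sizes; each non-final fragment
    payload is a multiple of 8 as IPv4 fragmentation requires."""
    max_payload = (max_inner_packet(path_mtu) - IPV4_HDR) // 8 * 8
    payload = inner_len - IPV4_HDR
    frags: List[int] = []
    while payload > 0:
        chunk = min(max_payload, payload)
        frags.append(IPV4_HDR + chunk)
        payload -= chunk
    return frags


def handle_packet(inner_len: int, df: bool, path_mtu: int = 1500) -> str:
    """Gateway decision for one inner packet."""
    if esp_packet_size(inner_len) <= path_mtu:
        return "encapsulate"
    if df:
        # Cannot fragment: tell the sender the MTU it should use (PMTUD).
        return f"icmp-frag-needed mtu={max_inner_packet(path_mtu)}"
    return "prefragment"


if __name__ == "__main__":
    print("max inner packet:", max_inner_packet())
    print("tcp mss clamp:", tcp_mss_clamp(), "with NAT-T:", tcp_mss_clamp(nat_t=True))
    print("3000-byte packet, DF clear:", prefragment(3000))
```

For a 1500-byte path with these algorithms a full 1438-byte inner packet becomes exactly 1496 bytes, one byte more tips the padded region into the next cipher block and the result exceeds the MTU, which is why the MSS clamp lands at 1398 (1382 behind NAT-T) rather than at a round number.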
Create and share RSA public keys if RSA-encr. Authenticate and enroll with CA if RSA-sig. Identify and assign IPsec peer and any High-Availability requirements. Identify requirement for PFS and reference PFS group in crypto map if necessary.
Apply crypto map to crypto interfaces.

Indeed, because IPsec is a Layer 3 VPN technology, it was designed to function across multiple Layer 3 hops in order to circumvent many of the scalability and manageability issues in previous VPN alternatives. As such, IPsec deployed over a routed domain will also provide further scalability, flexibility, and availability over and beyond the simple dedicated-circuit model.

Site-to-Site VPN Architectural Overview for a Dedicated Circuit

Site-to-site IPsec VPNs are typically deployed when two or more autonomous systems wish to communicate with each other over an untrusted media when confidential exchange of data is required. AS, there is only one path between each AS.

Cisco IOS Site-to-Site IPsec VPN Configuration

The configurations in the following examples were all built using the process described in Figure 3-1 and pertain to the topology depicted in Figure 3-2. Tunnel mode is used to keep the original IP header confidential.
The routers are capable of handling 256-bit AES ESP transforms in hardware. The DH group is 5 in order to accommodate the large key material needed by the AES transform. Strong authentication is required during ISAKMP, so the hash is SHA-1 and the symmetric transform for the IKE SA is 3DES. The preceding VPN considerations describe a relatively strong cryptographic suite. As such, computation resources on the routers must be somewhat substantial to accommodate them.
It is important that one weigh the amount of available computational resources against the organization’s performance and security requirements before building IPsec VPN configurations. Example 3-1 provides a configuration for the AS1-7301A in Figure 3-2. This router’s configuration employs all of the elements necessary to accommodate a site-to-site IPsec VPN, including the IPsec transform, crypto ACL, and IPsec peer. The peer and network addresses below appear exactly as they survive in this copy of the example.

```
crypto ipsec transform-set ivdf3-1 esp-aes esp-sha-hmac
crypto map AS1VPN 10 ipsec-isakmp
 set peer 200. 2
 set transform-set ivdf3-1
 match address 101
 set pfs group5
crypto map AS1VPN 20 ipsec-isakmp
 set peer 200. 10
 set transform-set ivdf3-1
 match address 102
 set pfs group5
access-list 101 permit ip 211. 255
access-list 102 permit ip 211.
```

The corresponding configuration for the AS2 router:

```
crypto ipsec transform-set ivdf3-1 esp-aes esp-sha-hmac
crypto map AS2VPN 10 ipsec-isakmp
 set peer 200. 1
 set transform-set ivdf3-1
 match address 101
 set pfs group5
crypto map AS2VPN 20 ipsec-isakmp
 set peer 200. 6
 set transform-set ivdf3-1
 match address 102
 set pfs group5
access-list 101 permit ip 212.
```

The corresponding configuration for the AS3 router:

```
crypto ipsec transform-set ivdf3-1 esp-aes esp-sha-hmac
crypto map AS3VPN 10 ipsec-isakmp
 set peer 200. 9
 set transform-set ivdf3-1
 match address 101
 set pfs group5
crypto map AS3VPN 20 ipsec-isakmp
 set peer 200. 5
 set transform-set ivdf3-1
 match address 102
 set pfs group5
access-list 101 permit ip 213. 255
access-list 102 permit ip 213.
```

After the configuration is applied, verify it in this order: verify the establishment of ISAKMP SAs; verify the establishment of IPsec SAs; verify that basic network connectivity has been established over the VPN; and verify that the Crypto Engine is actively participating in IPsec and that protected traffic is being encrypted and decrypted.