! Amazon Web Services
! Virtual Private Cloud
!
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID            : vpn-0056e880bc3e56d15
! Your Virtual Private Gateway ID   : vgw-02fc3d649d3b90254
! Your Customer Gateway ID          : cgw-093bf4a2ea808f327
!
!
! This configuration consists of two tunnels. Both tunnels must be
! configured on your Customer Gateway.
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall
! rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
!
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 15.164.80.217 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 15.164.80.217 authentication pre-shared-secret 'NCN1B7Xzjv0NnGOLxFQJMnWBG8FlJnzT'
set vpn ipsec site-to-site peer 15.164.80.217 description 'VPC tunnel 1'
set vpn ipsec site-to-site peer 15.164.80.217 ike-group 'AWS'
set vpn ipsec site-to-site peer 15.164.80.217 local-address '52.76.100.41'
set vpn ipsec site-to-site peer 15.164.80.217 vti bind 'vti0'
set vpn ipsec site-to-site peer 15.164.80.217 vti esp-group 'AWS'
!
! #2: IPSec Configuration
!
! The IPSec (Phase 2) proposal defines the protocol, authentication,
! encryption, and lifetime parameters for our IPSec security association.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
!
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
!
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
!
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! The tunnel interface is configured with the internal IP address.
set interfaces vti vti0 address '169.254.70.182/30'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 mtu '1436'
!
! --------------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
! will announce the prefix corresponding to your VPC.
!
! Your Customer Gateway may announce a default route (0.0.0.0/0),
! which can be done with the 'network' statement.
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (65000) is configured
! as part of your Customer Gateway. If the ASN must be changed, the
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!
set protocols bgp 65000 neighbor 169.254.70.181 remote-as '64512'
set protocols bgp 65000 neighbor 169.254.70.181 soft-reconfiguration 'inbound'
set protocols bgp 65000 neighbor 169.254.70.181 timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.70.181 timers keepalive '10'
!
! To advertise additional prefixes to Amazon VPC, replace the 0.0.0.0/0 in
! the following line with the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop.
set protocols bgp 65000 network 0.0.0.0/0
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall
! rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
!
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 52.78.188.212 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 52.78.188.212 authentication pre-shared-secret 'MfmyxlydtXvvC2FLGmBsqMQlW5q89Z0S'
set vpn ipsec site-to-site peer 52.78.188.212 description 'VPC tunnel 2'
set vpn ipsec site-to-site peer 52.78.188.212 ike-group 'AWS'
set vpn ipsec site-to-site peer 52.78.188.212 local-address '52.76.100.41'
set vpn ipsec site-to-site peer 52.78.188.212 vti bind 'vti1'
set vpn ipsec site-to-site peer 52.78.188.212 vti esp-group 'AWS'
!
! #2: IPSec Configuration
!
! The IPSec (Phase 2) proposal defines the protocol, authentication,
! encryption, and lifetime parameters for our IPSec security association.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
!
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
!
! This option enables IPSec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
!
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! The tunnel interface is configured with the internal IP address.
set interfaces vti vti1 address '169.254.50.254/30'
set interfaces vti vti1 description 'VPC tunnel 2'
set interfaces vti vti1 mtu '1436'
!
! --------------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
! will announce the prefix corresponding to your VPC.
!
! Your Customer Gateway may announce a default route (0.0.0.0/0),
! which can be done with the 'network' statement.
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (65000) is configured
! as part of your Customer Gateway. If the ASN must be changed, the
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!
set protocols bgp 65000 neighbor 169.254.50.253 remote-as '64512'
set protocols bgp 65000 neighbor 169.254.50.253 soft-reconfiguration 'inbound'
set protocols bgp 65000 neighbor 169.254.50.253 timers holdtime '30'
set protocols bgp 65000 neighbor 169.254.50.253 timers keepalive '10'
!
! To advertise additional prefixes to Amazon VPC, replace the 0.0.0.0/0 in
! the following line with the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop.
set protocols bgp 65000 network 0.0.0.0/0
!
! --------------------------------------------------------------------------------
! Additional Notes and Questions
! --------------------------------------------------------------------------------
!  - Amazon Virtual Private Cloud Getting Started Guide:
!       http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
!  - Amazon Virtual Private Cloud Network Administrator Guide:
!       http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
!  - XSL Version: 2009-07-15-1119716
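! The comments above state two sets of crypto minimums (AES128/SHA1/DH2 for
! "VPN", AES128/SHA2/DH14 for GovCloud) and describe the shape every tunnel
! must have: an IKE group with dead-peer detection, an ESP group with PFS,
! and a peer that references both and carries a pre-shared secret. The
! Python linter below is an added example, not part of the AWS-generated
! file, that parses `set ...` lines of the form used in this file and checks
! them against exactly those stated requirements. The sample config inside
! it is constructed (documentation peer address, placeholder secret) and is
! not the configuration above; the GovCloud hash rule treats sha256/384/512
! as "SHA2", which is an assumption about the hash names the device accepts.

```python
"""Lint a Vyatta/VyOS-style AWS site-to-site VPN config against the
minimums stated in the AWS configuration comments.

Added example: thresholds come from the comment text (AES128/SHA1/DH2 for
"VPN", AES128/SHA2/DH14 for GovCloud). The SAMPLE_CONFIG is constructed
with placeholder values, not the real tunnel from the generated file.
"""
import shlex

SHA2_HASHES = {"sha256", "sha384", "sha512"}   # assumed VyOS names for SHA2
ACCEPTED_ENCRYPTION = {"aes128", "aes256"}      # the two ciphers the file names

# Constructed sample in the same 'set' form as the generated file.
SAMPLE_CONFIG = """\
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer 192.0.2.10 authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer 192.0.2.10 authentication pre-shared-secret 'PLACEHOLDER_PSK'
set vpn ipsec site-to-site peer 192.0.2.10 ike-group 'AWS'
set vpn ipsec site-to-site peer 192.0.2.10 vti bind 'vti0'
set vpn ipsec site-to-site peer 192.0.2.10 vti esp-group 'AWS'
"""


def parse_set_lines(text):
    """Map each 'set a b c 'value'' line to {('a', 'b', 'c'): 'value'}."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("set "):
            continue  # '!' comments and blank lines carry no configuration
        tokens = shlex.split(line)  # honours the single-quoted values
        cfg[tuple(tokens[1:-1])] = tokens[-1]
    return cfg


def lint(cfg, govcloud=False):
    """Return sorted findings; an empty list means the stated minimums are met."""
    findings = []
    min_dh = 14 if govcloud else 2
    ike_groups = {p[3] for p in cfg if len(p) > 3 and p[:3] == ("vpn", "ipsec", "ike-group")}
    esp_groups = {p[3] for p in cfg if len(p) > 3 and p[:3] == ("vpn", "ipsec", "esp-group")}

    # Proposal checks apply to both ike-group and esp-group proposals.
    for path, value in cfg.items():
        if len(path) == 7 and path[:2] == ("vpn", "ipsec") and path[4] == "proposal":
            where = f"{path[2]} {path[3]} proposal {path[5]}"
            attr = path[6]
            if attr == "dh-group" and int(value) < min_dh:
                findings.append(f"{where}: dh-group {value} below minimum {min_dh}")
            elif attr == "hash" and govcloud and value not in SHA2_HASHES:
                findings.append(f"{where}: hash {value} below GovCloud minimum (SHA2)")
            elif attr == "encryption" and value not in ACCEPTED_ENCRYPTION:
                findings.append(f"{where}: encryption {value} is not AES128/AES256")

    # Structural checks: PFS on every ESP group, DPD on every IKE group.
    for name in esp_groups:
        if cfg.get(("vpn", "ipsec", "esp-group", name, "pfs")) != "enable":
            findings.append(f"esp-group {name}: pfs is not enabled")
    for name in ike_groups:
        if ("vpn", "ipsec", "ike-group", name, "dead-peer-detection", "action") not in cfg:
            findings.append(f"ike-group {name}: dead-peer-detection not configured")

    # Every peer must reference defined groups and carry a pre-shared secret.
    peers = {p[4] for p in cfg if len(p) > 4 and p[:4] == ("vpn", "ipsec", "site-to-site", "peer")}
    for peer in peers:
        base = ("vpn", "ipsec", "site-to-site", "peer", peer)
        if cfg.get(base + ("ike-group",)) not in ike_groups:
            findings.append(f"peer {peer}: ike-group missing or undefined")
        if cfg.get(base + ("vti", "esp-group")) not in esp_groups:
            findings.append(f"peer {peer}: vti esp-group missing or undefined")
        if base + ("authentication", "pre-shared-secret") not in cfg:
            findings.append(f"peer {peer}: no pre-shared-secret configured")
    return sorted(findings)


if __name__ == "__main__":
    parsed = parse_set_lines(SAMPLE_CONFIG)
    for label, flag in (("VPN minimum", False), ("GovCloud minimum", True)):
        print(f"[{label}]")
        for finding in lint(parsed, govcloud=flag) or ["ok"]:
            print("  " + finding)
```

! The sample passes the "VPN" minimum and fails the GovCloud one on both
! the DH group and the SHA1 hashes, which is the gap the comments tell you
! to close by editing the proposals. Feeding it the device's own running
! config (the `set` form that VyOS prints from `show configuration commands`)
! is the intended use; the secrets never leave the box.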