In this tutorial, I would like to share the steps you need to take to configure a dynamic Site-to-Site VPN between AWS and a Cisco router. If you are looking for step-by-step instructions on how to configure a VPN between two Cisco routers, check this post.

- 0. Create a new VPC or use the default VPC
- 1. Create a Virtual Private Gateway
- 2. Create a Customer Gateway
- 3. Create the Site-to-Site VPN connection
- 4. Enable route propagation in the routing table
- 5. Download the VPN configuration
- 6. Configure the IPSec tunnel 1 on the Cisco router
- 7. Configure the IPSec tunnel 2 on the Cisco router
- 8. Configure the BGP protocol on the Cisco router
- 9. Launch an EC2 instance in AWS
- 10. Test the connectivity between your on-premises network and AWS
- 11. Confirm that the traffic is being encrypted
What is a site-to-site VPN?
A site-to-site VPN (IPSec) is an encrypted tunnel that lets two networks communicate securely over an untrusted transport such as the Internet. In this post, I will configure a dynamic site-to-site VPN between AWS and my on-premises network. To find out more about AWS Site-to-Site VPN, check the AWS Site-to-Site VPN User Guide.

0. Create a new VPC or use the default VPC
You can use the default VPC or create a custom VPC. For step-by-step instructions on how to create a VPC, check this post.
1. Create a Virtual Private Gateway
A Site-to-Site VPN requires a Virtual private gateway. To create one, select VPC from the services list; you will end up in the VPC dashboard.

On the left panel, look for Virtual private network. Under it, you will find the following options:
- Customer gateways
- Virtual private gateways
- Site-to-Site VPN connections
- Client VPN endpoints
Select Virtual private gateways. The ‘Create virtual private gateway’ button is in the upper right corner. Press on it to create a new Virtual private gateway.

Give the Virtual private gateway a name.

You can change the default Autonomous System Number (ASN) in the same window. The default ASN is the private ASN 64512. I will use the default ASN. When ready, press the ‘Create virtual private gateway’ button.
Initially, the VGW (Virtual private gateway) is in a detached state.

You need to attach it to a VPC. You can use the default VPC or create a custom VPC. For step-by-step instructions on how to create a VPC, check this post.
For this project, I will use the default VPC. Select the VGW, press the ‘Actions’ button and choose the option ‘Attach to VPC’.

Select the VPC from the available VPCs and press the ‘Attach to VPC’ button.

The VGW is attaching. Wait a couple of seconds and press the reload button.


I previously deleted a VGW. This is why you see one in the deleted state.
2. Create a Customer Gateway
The next step is to create the Customer gateway. Select Customer gateways from the left panel. I previously deleted a CGW (Customer gateway). This is why you see one in the deleted state.

The ‘Create customer gateway’ button is in the upper right corner. Press on it to create a new customer gateway.
In the new window, add a name for the CGW and the public IP address which is configured on your Cisco router.

When ready, press the ‘Create customer gateway’ button.

3. Create the Site-to-Site VPN connection
In step three, you create the Site-to-Site VPN connection. Select Site-to-Site VPN connections from the left panel. You will end up in the VPN connections dashboard.

From this window, you can create new Site-to-Site VPN connections. Press on ‘Create VPN connection’ to create a new VPN connection.
In the new window, give the VPN connection a name. Select the target gateway type. I will use the Virtual private gateway in this lab. Select the Customer gateway. Choose the existing CGW.

Choose the routing options. In this project, I am configuring a dynamic Site-to-Site VPN. I will select the Dynamic option.
Optionally, you can change the tunnel options for your VPN. I will use the default tunnel options.

When ready, press the ‘Create VPN connection’ button.
Initially, the VPN is in a pending state.

It will take a couple of minutes until the VPN changes to the available state.

4. Enable route propagation in the routing table
Enable route propagation for your VGW. The route table is then updated automatically with the routes learned over the VPN as soon as the VPN is up; when the VPN goes down, the propagated routes are removed from the route table again.
To enable Route propagation, select the ‘Route propagation’ tab and press the ‘Edit route propagation’ button.

Tick the checkbox next to ‘Enable’ and press the ‘Save’ button.

Confirm that the propagation was enabled.

5. Download the VPN configuration
Now, you need to download the sample VPN configuration file provided by AWS and use it as an example to configure your VPN device. You can adjust the configuration according to your needs. The file provided by the AWS team specifies the minimum requirements for a Site-to-Site VPN connection of AES128, SHA1, and Diffie-Hellman group 2 in most AWS Regions.
Press the ‘Download configuration’ button and specify the details for your VPN device.

6. Configure the IPSec tunnel 1 on the Cisco router
Open the file in a text editor and start configuring your VPN device. In my lab, I use a Cisco router. I will start with the configuration of tunnel 1.
Internet Key Exchange (IKE) Configuration
CGW#conf term
Enter configuration commands, one per line. End with CNTL/Z.
CGW(config)#crypto isakmp policy 200
CGW(config-isakmp)# encryption aes 128
CGW(config-isakmp)# authentication pre-share
CGW(config-isakmp)# group 2
CGW(config-isakmp)# lifetime 28800
CGW(config-isakmp)# hash sha
CGW(config-isakmp)#exit
CGW(config)#crypto keyring keyring-vpn-0f3a9a9134e67dadd-0
CGW(conf-keyring)# local-address 154.61.57.125
CGW(conf-keyring)# pre-shared-key address 3.210.65.195 key 7liGpKpEhG.mG7QW2xrBPPQDcu1nKnR1
CGW(conf-keyring)#exit
CGW(config)#crypto isakmp profile isakmp-vpn-0f3a9a9134e67dadd-0
% A profile is deemed incomplete until it has match identity statements
CGW(conf-isa-prof)# local-address 154.61.57.125
CGW(conf-isa-prof)# match identity address 3.210.65.195
CGW(conf-isa-prof)# keyring keyring-vpn-0f3a9a9134e67dadd-0
CGW(conf-isa-prof)#exit
CGW(config)#

IPSec Configuration
CGW(config)#crypto ipsec transform-set ipsec-prop-vpn-0f3a9a9134e67dadd-0 esp-aes 128 esp-sha-hmac
CGW(cfg-crypto-trans)# mode tunnel
CGW(cfg-crypto-trans)#exit
CGW(config)#crypto ipsec profile ipsec-vpn-0f3a9a9134e67dadd-0
CGW(ipsec-profile)# set pfs group2
CGW(ipsec-profile)# set security-association lifetime seconds 3600
CGW(ipsec-profile)# set transform-set ipsec-prop-vpn-0f3a9a9134e67dadd-0
CGW(ipsec-profile)#exit
CGW(config)#

Tunnel Interface Configuration
CGW(config)#interface Tunnel1
CGW(config-if)# ip address 169.254.144.246 255.255.255.252
CGW(config-if)# ip virtual-reassembly
CGW(config-if)# tunnel source 154.61.57.125
CGW(config-if)# tunnel destination 3.210.65.195
CGW(config-if)# tunnel mode ipsec ipv4
CGW(config-if)# tunnel protection ipsec profile ipsec-vpn-0f3a9a9134e67dadd-0
CGW(config-if)# ! This option causes the router to reduce the Maximum Segment Size of
CGW(config-if)# ! TCP packets to prevent packet fragmentation.
CGW(config-if)# ip tcp adjust-mss 1379
CGW(config-if)# no shutdown
CGW(config-if)#exit
CGW(config)#

Confirm the status of the Tunnel1 interface.
CGW# show int tun1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Internet address is 169.254.144.246/30
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 154.61.57.125, destination 3.210.65.195
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "ipsec-vpn-0f3a9a9134e67dadd-0")
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
2 packets input, 120 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
2 packets output, 80 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
CGW#

7. Configure the IPSec tunnel 2 on the Cisco router
Follow the same steps to configure IPSec tunnel 2.
CGW#conf term
Enter configuration commands, one per line. End with CNTL/Z.
CGW(config)#crypto isakmp policy 201
CGW(config-isakmp)# encryption aes 128
CGW(config-isakmp)# authentication pre-share
CGW(config-isakmp)# group 2
CGW(config-isakmp)# lifetime 28800
CGW(config-isakmp)# hash sha
CGW(config-isakmp)#exit
CGW(config)#crypto keyring keyring-vpn-0f3a9a9134e67dadd-1
CGW(conf-keyring)# local-address 154.61.57.125
CGW(conf-keyring)# pre-shared-key address 3.226.151.38 key 5iLS2Vufe3PA.PYeSQjQS9Oee8UOkSI7
CGW(conf-keyring)#exit
CGW(config)#crypto isakmp profile isakmp-vpn-0f3a9a9134e67dadd-1
% A profile is deemed incomplete until it has match identity statements
CGW(conf-isa-prof)# local-address 154.61.57.125
CGW(conf-isa-prof)# match identity address 3.226.151.38
CGW(conf-isa-prof)# keyring keyring-vpn-0f3a9a9134e67dadd-1
CGW(conf-isa-prof)#exit
CGW(config)#crypto ipsec transform-set ipsec-prop-vpn-0f3a9a9134e67dadd-1 esp-aes 128 esp-sha-hmac
CGW(cfg-crypto-trans)# mode tunnel
CGW(cfg-crypto-trans)#exit
CGW(config)#crypto ipsec profile ipsec-vpn-0f3a9a9134e67dadd-1
CGW(ipsec-profile)# set pfs group2
CGW(ipsec-profile)# set security-association lifetime seconds 3600
CGW(ipsec-profile)# set transform-set ipsec-prop-vpn-0f3a9a9134e67dadd-1
CGW(ipsec-profile)#exit
CGW(config)#interface Tunnel2
CGW(config-if)# ip address 169.254.146.130 255.255.255.252
CGW(config-if)# ip virtual-reassembly
CGW(config-if)# tunnel source 154.61.57.125
CGW(config-if)# tunnel destination 3.226.151.38
CGW(config-if)# tunnel mode ipsec ipv4
CGW(config-if)# tunnel protection ipsec profile ipsec-vpn-0f3a9a9134e67dadd-1
CGW(config-if)# ! This option causes the router to reduce the Maximum Segment Size of
CGW(config-if)# ! TCP packets to prevent packet fragmentation.
CGW(config-if)# ip tcp adjust-mss 1379
CGW(config-if)# no shutdown
CGW(config-if)#exit
CGW(config)#

8. Configure the BGP protocol on the Cisco router
Next, you need to configure the BGP protocol on the Cisco router.
CGW#conf term
Enter configuration commands, one per line. End with CNTL/Z.
CGW(config)#
CGW(config)#router bgp 65000
CGW(config-router)# neighbor 169.254.144.245 remote-as 64512
CGW(config-router)# neighbor 169.254.144.245 activate
CGW(config-router)# neighbor 169.254.144.245 timers 10 30 30
CGW(config-router)# address-family ipv4 unicast
CGW(config-router-af)# neighbor 169.254.144.245 remote-as 64512
CGW(config-router-af)# neighbor 169.254.144.245 timers 10 30 30
CGW(config-router-af)# neighbor 169.254.144.245 activate
CGW(config-router-af)# neighbor 169.254.144.245 soft-reconfiguration inbound
CGW(config-router-af)# network 192.168.1.0
CGW(config-router-af)# exit
CGW(config-router)#exit
CGW(config)#
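The commands in steps 6 to 8 end up in the router's running configuration, and that configuration is what gets reviewed later, by you or by an auditor. The following Python script is an added example, not code from this post, AWS or Cisco: it parses IOS running-config text and checks it against the floor quoted in step 5 (AES128, SHA1, DH group 2), flags IPsec profiles without PFS and tunnel interfaces without IPsec protection, and derives each tunnel's AWS-side /30 peer from its `ip address` line to confirm that `router bgp` has a matching neighbor. SAMPLE_CONFIG is constructed: it mirrors the two tunnels and the BGP block configured above (which peers over Tunnel1 only), adds a deliberately weak policy 210 for demonstration, and contains no keys or public addresses.

```python
"""Audit a Cisco IOS site-to-site VPN config against the AWS floor quoted in step 5
(AES128 / SHA1 / DH group 2). Added example, not code from the post, AWS or Cisco;
SAMPLE_CONFIG is constructed and mirrors the tunnels and BGP block configured above."""
import ipaddress
import re
from typing import Dict, List, Tuple

MIN_DH_GROUP = 2
WEAK_CIPHERS = {"des", "3des"}
WEAK_HASHES = {"md5"}

SAMPLE_CONFIG = """\
crypto isakmp policy 200
 encryption aes 128
 group 2
crypto isakmp policy 210
 encryption 3des
 hash md5
crypto ipsec transform-set ipsec-prop-vpn-0 esp-aes 128 esp-sha-hmac
crypto ipsec profile ipsec-vpn-0
 set pfs group2
 set transform-set ipsec-prop-vpn-0
crypto ipsec profile ipsec-vpn-1
 set transform-set ipsec-prop-vpn-0
interface Tunnel1
 ip address 169.254.144.246 255.255.255.252
 tunnel protection ipsec profile ipsec-vpn-0
interface Tunnel2
 ip address 169.254.146.130 255.255.255.252
 tunnel protection ipsec profile ipsec-vpn-1
router bgp 65000
 neighbor 169.254.144.245 remote-as 64512
 address-family ipv4 unicast
  neighbor 169.254.144.245 activate
"""


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Return (top-level command, [indented children...]) pairs."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def setting(children: List[str], keyword: str, default: str) -> str:
    """Value after `keyword` ('encryption aes 128' -> 'aes'); IOS may abbreviate to 'encr'."""
    for c in children:
        parts = c.split()
        if len(parts) > 1 and keyword.startswith(parts[0]):
            return parts[1]
    return default


def audit(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    findings: List[str] = []
    neighbors: Dict[str, str] = {}   # BGP neighbor address -> remote AS
    tunnels: List[Tuple[str, List[str]]] = []
    for header, children in parse_blocks(config):
        if header.startswith("crypto isakmp policy"):
            # 'show running-config' omits defaults, and the IOS defaults are
            # DES, SHA1 and DH group 1, so a missing line is NOT a pass.
            enc = setting(children, "encryption", "des")
            hsh = setting(children, "hash", "sha")
            grp = int(setting(children, "group", "1"))
            if enc in WEAK_CIPHERS:
                findings.append(f"{header}: encryption {enc} is below AES128")
            if hsh in WEAK_HASHES:
                findings.append(f"{header}: hash {hsh} is below SHA1")
            if grp < MIN_DH_GROUP:
                findings.append(f"{header}: DH group {grp} is below group {MIN_DH_GROUP}")
        elif header.startswith("crypto ipsec profile"):
            if not any(c.startswith("set pfs") for c in children):
                findings.append(f"{header}: no 'set pfs' (no forward secrecy)")
        elif header.startswith("interface Tunnel"):
            tunnels.append((header, children))
        elif header.startswith("router bgp"):  # children include the address-family lines
            for c in children:
                m = re.match(r"neighbor (\S+) remote-as (\d+)", c)
                if m:
                    neighbors[m.group(1)] = m.group(2)
    for header, children in tunnels:
        if not any(c.startswith("tunnel protection ipsec profile") for c in children):
            findings.append(f"{header}: no tunnel protection, traffic would leave in clear text")
        addr = next((c.split()[2:] for c in children if c.startswith("ip address ")), None)
        if addr:
            inside = ipaddress.ip_interface(f"{addr[0]}/{addr[1]}")
            if inside.network.prefixlen == 30:  # AWS inside tunnel addresses are /30s
                peer = next(h for h in inside.network.hosts() if h != inside.ip)
                if str(peer) not in neighbors:
                    findings.append(f"{header}: AWS-side peer {peer} has no BGP neighbor, "
                                    "so no routes are learned over this tunnel")
    return findings
```

Running `audit(SAMPLE_CONFIG)` returns five findings: three for policy 210 (3DES, MD5 and the implicit DH group 1), the missing `set pfs` on ipsec-vpn-1, and the absence of a BGP neighbor for Tunnel2's peer 169.254.146.129. That last one also applies to the BGP block above: Tunnel2 establishes IPsec, but with a neighbor on the Tunnel1 /30 only there is no BGP session over it, so AWS routes are learned through Tunnel1 alone.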

9. Launch an EC2 instance in AWS
After finishing the configuration of your Cisco router, you need to deploy an EC2 instance in your AWS account. I will use this instance for testing the connectivity between AWS and my on-premises network. For step-by-step instructions on how to create an EC2 instance, check this post.
As you can see, my EC2 instance is running.

10. Test the connectivity between your on-premises network and AWS
The last step is to check the connectivity between your on-premises network and AWS.
I will send some ICMP traffic from my on-premises network to the EC2 instance.
R2#ping 172.31.29.232
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.31.29.232, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 92/94/96 ms
R2#

I will repeat the same test from the EC2 instance. I will send ICMP traffic to my on-premises network.
[ec2-user@ip-172-31-29-232 ~]$ ping -c 4 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=254 time=94.0 ms
64 bytes from 192.168.1.1: icmp_seq=2 ttl=254 time=95.1 ms
64 bytes from 192.168.1.1: icmp_seq=3 ttl=254 time=97.7 ms
64 bytes from 192.168.1.1: icmp_seq=4 ttl=254 time=94.7 ms
--- 192.168.1.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 93.966/95.366/97.694/1.401 ms
[ec2-user@ip-172-31-29-232 ~]$

11. Confirm that the traffic is being encrypted
Finally, let’s confirm that the traffic is being encrypted.
CGW#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
3.210.65.195 154.61.57.125 QM_IDLE 2008 0 ACTIVE
3.226.151.38 154.61.57.125 QM_IDLE 2009 0 ACTIVE
IPv6 Crypto ISAKMP SA
CGW#show crypto ipsec sa
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 154.61.57.125
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 3.210.65.195 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 343, #pkts encrypt: 343, #pkts digest: 343
#pkts decaps: 338, #pkts decrypt: 338, #pkts verify: 338
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 154.61.57.125, remote crypto endpt.: 3.210.65.195
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0xCED2A5AE(3469911470)
inbound esp sas:
spi: 0xCC0E913A(3423506746)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 39, flow_id: Motorola SEC 2.0:39, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4587444/398)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCED2A5AE(3469911470)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 40, flow_id: Motorola SEC 2.0:40, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4587443/397)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Tunnel2
Crypto map tag: Tunnel2-head-0, local addr 154.61.57.125
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 3.226.151.38 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 27, #pkts encrypt: 27, #pkts digest: 27
#pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 154.61.57.125, remote crypto endpt.: 3.226.151.38
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0xCC45FBC8(3427138504)
inbound esp sas:
spi: 0xFE07E8DA(4261931226)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 41, flow_id: Motorola SEC 2.0:41, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4485901/863)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xCC45FBC8(3427138504)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 42, flow_id: Motorola SEC 2.0:42, crypto map: Tunnel2-head-0
sa timing: remaining key lifetime (k/sec): (4485900/863)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
CGW#
CGW#show crypto session
Crypto session current status
Interface: Tunnel1
Profile: isakmp-vpn-0f3a9a9134e67dadd-0
Session status: UP-ACTIVE
Peer: 3.210.65.195 port 4500
IKE SA: local 154.61.57.125/4500 remote 3.210.65.195/4500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
Interface: Tunnel2
Profile: isakmp-vpn-0f3a9a9134e67dadd-1
Session status: UP-ACTIVE
Peer: 3.226.151.38 port 4500
IKE SA: local 154.61.57.125/4500 remote 3.226.151.38/4500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map
CGW#
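Reading `show crypto ipsec sa` by eye is fine for two tunnels; a script is handier when the check has to be repeated or fed into monitoring. The following Python script is an added example and not part of the original post: it parses that output (SHOW_CRYPTO_IPSEC_SA is an abridged copy of the output above) and, per tunnel interface, requires an ACTIVE ESP SA in each direction with an AES/SHA transform and anti-replay enabled, and compares the encaps/encrypt and decaps/decrypt counters, which match when every packet that entered the tunnel was also encrypted or decrypted.

```python
"""Check 'show crypto ipsec sa' output: is each AWS tunnel actually encrypting?

Added example, not part of the original post. SHOW_CRYPTO_IPSEC_SA is an abridged
copy of the output shown in step 11. Per tunnel interface it confirms an ACTIVE ESP
SA in both directions, an AES/SHA transform, anti-replay on, and that every packet
encapsulated was also encrypted (encaps == encrypt, decaps == decrypt)."""
import re
from typing import Dict, List

SHOW_CRYPTO_IPSEC_SA = """\
interface: Tunnel1
   current_peer 3.210.65.195 port 4500
    #pkts encaps: 343, #pkts encrypt: 343, #pkts digest: 343
    #pkts decaps: 338, #pkts decrypt: 338, #pkts verify: 338
     inbound esp sas:
      spi: 0xCC0E913A(3423506746)
        transform: esp-aes esp-sha-hmac ,
        replay detection support: Y replay window size: 128
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0xCED2A5AE(3469911470)
        transform: esp-aes esp-sha-hmac ,
        replay detection support: Y replay window size: 128
        Status: ACTIVE
interface: Tunnel2
   current_peer 3.226.151.38 port 4500
    #pkts encaps: 27, #pkts encrypt: 27, #pkts digest: 27
    #pkts decaps: 23, #pkts decrypt: 23, #pkts verify: 23
     inbound esp sas:
      spi: 0xFE07E8DA(4261931226)
        transform: esp-aes esp-sha-hmac ,
        replay detection support: Y replay window size: 128
        Status: ACTIVE
     inbound ah sas:
     outbound esp sas:
      spi: 0xCC45FBC8(3427138504)
        transform: esp-aes esp-sha-hmac ,
        replay detection support: Y replay window size: 128
        Status: ACTIVE
"""


def parse_ipsec_sa(text: str) -> Dict[str, Dict]:
    """Parse the per-interface blocks into {tunnel: {peer, counters, sas}}."""
    tunnels: Dict[str, Dict] = {}
    cur, direction = None, None  # current tunnel; 'inbound'/'outbound' inside an esp sas list
    for raw in text.splitlines():
        s = raw.strip()
        if s.startswith("interface:"):
            cur = tunnels.setdefault(
                s.split()[1], {"peer": None, "counters": {}, "sas": {"inbound": [], "outbound": []}})
            direction = None
        elif cur is None:
            continue
        elif s.startswith("current_peer"):
            cur["peer"] = s.split()[1]
        elif s.startswith("#pkts"):  # "#pkts encaps: 343, #pkts encrypt: 343, ..." -> counters
            for name, val in re.findall(r"#pkts ([a-z]+): (\d+)", s):
                cur["counters"][name] = int(val)
        elif s.endswith("esp sas:"):
            direction = s.split()[0]
        elif s.endswith("ah sas:") or s.endswith("pcp sas:"):
            direction = None
        elif direction and s.startswith("spi:"):
            cur["sas"][direction].append({"spi": s.split()[1], "transform": "", "replay": "", "status": ""})
        elif direction and cur["sas"][direction]:
            sa = cur["sas"][direction][-1]
            if s.startswith("transform:"):
                sa["transform"] = s.split(":", 1)[1].strip(" ,")
            elif s.startswith("replay detection support:"):
                sa["replay"] = s.split()[3]
            elif s.startswith("Status:"):
                sa["status"] = s.split()[1]
    return tunnels


def assess(tunnel: Dict) -> List[str]:
    """Reasons a tunnel must not be reported as encrypting; an empty list means healthy."""
    problems: List[str] = []
    for direction in ("inbound", "outbound"):
        active = [sa for sa in tunnel["sas"][direction] if sa["status"] == "ACTIVE"]
        if not active:
            problems.append(f"no ACTIVE {direction} ESP SA")
        for sa in active:
            if "esp-aes" not in sa["transform"] or "esp-sha" not in sa["transform"]:
                problems.append(f"{direction} SA {sa['spi']} uses transform {sa['transform']!r}")
            if sa["replay"] != "Y":
                problems.append(f"{direction} SA {sa['spi']} has anti-replay disabled")
    c = tunnel["counters"]
    if not c.get("encaps"):
        problems.append("no packets sent yet, nothing to verify")
    if c.get("encaps") != c.get("encrypt") or c.get("decaps") != c.get("decrypt"):
        problems.append("encaps/encrypt or decaps/decrypt counters diverge")
    return problems


def encrypting_tunnels(text: str) -> Dict[str, List[str]]:
    """Map each tunnel interface to its problem list; an empty list means 'encrypting'."""
    return {name: assess(t) for name, t in parse_ipsec_sa(text).items()}
```

`encrypting_tunnels(SHOW_CRYPTO_IPSEC_SA)` returns an empty problem list for both Tunnel1 and Tunnel2, matching the ACTIVE status shown above; a tunnel whose SA is not ACTIVE, whose transform is not AES/SHA, or that has not sent any traffic yet comes back with the reason instead of a silent pass.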

Confirm that the BGP session was established and the routes are exchanged between the neighbours.
CGW#show ip bgp summary
BGP router identifier 192.168.1.254, local AS number 65000
BGP table version is 3, main routing table version 3
2 network entries using 240 bytes of memory
2 path entries using 104 bytes of memory
3/2 BGP path/bestpath attribute entries using 372 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
Bitfield cache entries: current 1 (at peak 1) using 32 bytes of memory
BGP using 772 total bytes of memory
BGP activity 2/0 prefixes, 2/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
169.254.144.245 4 64512 90 91 3 0 0 00:14:21 1
CGW#
CGW#
CGW#show ip route bgp
B 172.31.0.0/16 [20/100] via 169.254.144.245, 00:14:29
CGW#

You can also confirm from the AWS console that the Site-to-Site VPN is up and running.

That’s it! You have learned how to configure a dynamic Site-to-Site VPN between AWS and a Cisco router. If you found this blog post helpful, please like and subscribe for more Cisco networking tutorials. Thank you for reading it!
