How to configure a static Site-to-Site VPN between AWS and a Cisco router

In this tutorial, I would like to share the steps you need to take to configure a static Site-to-Site VPN between AWS and a Cisco router. If you are looking for step-by-step instructions on how to configure a VPN between two Cisco routers, check this post.

Static site-to-site VPN (Gulian Technology)

What is a static site-to-site VPN? A site-to-site VPN is a pair of IPsec tunnels that gives two networks encrypted and authenticated communication over an untrusted transport such as the Internet. The 'static' part refers to routing: the prefixes reachable through the tunnels are configured by hand on both sides instead of being exchanged over BGP, which is what AWS calls dynamic routing. In this post, I will configure a static site-to-site VPN between AWS and my on-premises network. To find out more about AWS site-to-site VPN, check the AWS Site-to-Site VPN User Guide.

0. Create a new VPC or use the default VPC

You can use the default VPC or create a custom VPC. For step-by-step instructions on how to create a VPC, check this post.

1. Create a Virtual Private Gateway

In order to have a static site-to-site VPN, you need to create a Virtual private gateway (VGW), which is the AWS-side endpoint of the tunnels. To create it, select VPC from the Services menu. You will end up in the VPC dashboard.

VPC dashboard

On the left panel, look for Virtual private network. Under it, you will find the following options:

  • Customer gateways
  • Virtual private gateways
  • Site-to-Site VPN connections
  • Client VPN endpoints

Select Virtual private gateways. The ‘Create virtual private gateway’ button is in the upper right corner. Press on it to create a new Virtual private gateway.

Virtual private gateway window

Give the Virtual private gateway a name.

Create a Virtual private gateway

You can change the default Autonomous System Number (ASN) in the same window. The default is the private ASN 64512. The ASN only matters for dynamic (BGP) VPNs, so for this static VPN I will use the default. When ready, press the ‘Create virtual private gateway’ button.

Initially, the VGW (Virtual private gateway) is in a detached state.

VGW in detached state

You need to attach it to a VPC.

For this project, I will use the default VPC. Select the VGW, press the ‘Actions’ button and choose the option ‘Attach to VPC’.

Attach the VGW to the VPC

Select the VPC from the available VPCs and press the ‘Attach to VPC’ button.

Select the VPC from the list

The VGW is attaching. Wait a couple of seconds and press the reload button.

VGW attaching
VGW attached

2. Create a Customer Gateway

The next step is to create the Customer gateway. Select Customer gateways from the left panel. I previously created a CGW (Customer gateway). This is why you see one in the available state.

Customer gateway dashboard

The ‘Create customer gateway’ button is in the upper right corner. Press on it to create a new customer gateway.

In the new window, add a name for the CGW and the public IP address of your Cisco router, that is, the address the router uses as its IPsec peer address. If the router sits behind NAT, enter the public address AWS will see, not the router's private interface address. The BGP ASN field only matters for dynamic VPNs and can be left at its default for a static one.

Specify the CGW details

When ready, press the ‘Create customer gateway’ button.

The CGW is in an available state

3. Create the Static Site-to-Site VPN connection

In step number three, you will create the static Site-to-Site VPN. Select Site-to-Site VPN connections from the left panel. You will end up in the VPN connections dashboard.

VPN connections dashboard

From this window, you can create new Site-to-Site VPN connections. Press on ‘Create VPN connection’ to create a new VPN connection.

In the new window, give the VPN connection a name. Select the target gateway type. I will use the Virtual private gateway in this lab. Select the Customer gateway. Choose the existing CGW.

Site-to-Site VPN details

Choose the routing options. In this project, I am configuring a static Site-to-Site VPN, so I will select the Static option and, under the static IP prefixes, add the on-premises CIDR range(s) that should be reachable through the tunnels. With static routing there is no BGP session, so AWS knows only about the prefixes entered here and the VGW will not forward traffic for anything else over the VPN.

Select the static routing option and specify the static routes

Optionally, you can change the tunnel options for your VPN: the inside CIDR of each tunnel, the pre-shared key, the accepted IKE versions, and the Phase 1 and Phase 2 encryption algorithms, integrity algorithms and Diffie-Hellman groups. By default AWS accepts IKEv1 and IKEv2 and its full algorithm list, so the suite actually used is whatever your router proposes, and the sample configuration proposes AES128, SHA1 and DH group 2. If your router supports it, restrict the options to AES256, SHA2-256 or stronger and DH group 14 or higher before creating the connection; changing tunnel options later means modifying the connection, which takes the tunnel down while it is re-provisioned. I will use the default tunnel options.

Tunnel options

When ready, press the ‘Create VPN connection’ button.

Initially, the VPN is in a pending state.

Static site-to-site VPN in the pending state

It will take a couple of minutes until the VPN changes to the available state.

Static site-to-site VPN in the available state
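The console form above fills in the tunnel options and validates them for you. As an added example, not part of the original post and not AWS code, here is a standard-library Python script that builds the same options document for `aws ec2 create-vpn-connection --options` with a stronger suite than the sample configuration's AES128 / SHA1 / group 2, and checks the two inputs the console checks: the inside CIDR must be a /30 inside 169.254.0.0/16 outside the blocks AWS reserves, and the pre-shared key must be 8 to 64 characters of letters, digits, period and underscore, not starting with 0. The function names (check_inside_cidr, tunnel_options, static_vpn_options, suite_warnings) are mine; the option keys and algorithm names are the ones the EC2 CreateVpnConnection API accepts; the inside CIDRs and keys in the usage section are constructed placeholders, not the post's values.

```python
"""Added example, not from the original post and not AWS code: build and sanity-check
the tunnel options of a static AWS Site-to-Site VPN before handing them to
`aws ec2 create-vpn-connection --options file://options.json`. Standard library only."""
import ipaddress
import json
import re

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# /30 blocks AWS reserves for itself (Site-to-Site VPN User Guide): a custom
# TunnelInsideCidr must be a /30 inside 169.254.0.0/16 and none of these.
RESERVED = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")}
# AWS pre-shared key policy: 8 to 64 characters of [A-Za-z0-9._], not starting with 0.
PSK_RE = re.compile(r"[A-Za-z1-9._][A-Za-z0-9._]{7,63}")
# The suite the downloaded sample configuration proposes; suite_warnings() reports it.
LEGACY = {"AES128", "SHA1", 2, "ikev1"}


def check_inside_cidr(cidr):
    net = ipaddress.ip_network(cidr)  # strict: "169.254.161.34/30" (host bits set) is rejected
    if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
        raise ValueError(f"{cidr}: TunnelInsideCidr must be a /30 inside 169.254.0.0/16")
    if net in RESERVED:
        raise ValueError(f"{cidr}: reserved by AWS")
    return str(net)


def check_psk(psk):
    if not PSK_RE.fullmatch(psk):
        raise ValueError("PreSharedKey: 8-64 chars of [A-Za-z0-9._], not starting with 0")
    return psk


def tunnel_options(inside_cidr, psk, enc="AES256", integ="SHA2-256", dh=14, ike="ikev2"):
    """One VpnTunnelOptionsSpecification. The defaults are a suite Cisco IOS supports
    that is stronger than the AES128 / SHA1 / group 2 the sample configuration uses."""
    one = lambda v: [{"Value": v}]  # the API wants lists of {"Value": ...}
    return {
        "TunnelInsideCidr": check_inside_cidr(inside_cidr),
        "PreSharedKey": check_psk(psk),
        "IKEVersions": one(ike),
        "Phase1EncryptionAlgorithms": one(enc), "Phase2EncryptionAlgorithms": one(enc),
        "Phase1IntegrityAlgorithms": one(integ), "Phase2IntegrityAlgorithms": one(integ),
        "Phase1DHGroupNumbers": one(dh), "Phase2DHGroupNumbers": one(dh),
        "DPDTimeoutSeconds": 30, "DPDTimeoutAction": "restart",  # renegotiate a dead tunnel
        "StartupAction": "start",  # AWS initiates IKE too; needs a directly reachable CGW
    }


def static_vpn_options(tunnels):
    """The --options document: static routing (no BGP) plus the two tunnel specs."""
    if len(tunnels) != 2:
        raise ValueError("an AWS Site-to-Site VPN connection has exactly two tunnels")
    return {"StaticRoutesOnly": True, "TunnelOptions": list(tunnels)}


def suite_warnings(options):
    """Settings still on the legacy suite, e.g. 'tunnel1.Phase1IntegrityAlgorithms=SHA1'."""
    found = []
    for i, tunnel in enumerate(options["TunnelOptions"], 1):
        for key, values in tunnel.items():
            if isinstance(values, list):
                found += [f"tunnel{i}.{key}={v['Value']}" for v in values if v["Value"] in LEGACY]
    return found


if __name__ == "__main__":
    # Inside CIDRs and keys are constructed placeholders, not the post's values.
    opts = static_vpn_options([
        tunnel_options("169.254.161.32/30", "Lab_psk_tunnel1_example"),
        tunnel_options("169.254.177.80/30", "Lab_psk_tunnel2_example"),
    ])
    print(json.dumps(opts, indent=2))  # save as options.json for --options file://options.json
```

If you keep the IKEv1 configuration shown later in this post, pass ike="ikev1" and the matching AES128 / SHA1 / group 2 arguments; suite_warnings() will then list every setting that is still on the legacy suite, which is the point: what the router proposes and what AWS is configured to accept have to agree, so harden both sides at the same time.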

4. Enable route propagation or create a static route in the routing table

After finishing the Site-to-Site VPN configuration on the AWS side, you need to add a static route for the remote CIDR range (your on-premises subnet, which should be reachable over the VPN) to the route table used by the subnets that need to reach on-premises. Find ‘Route tables’ in the left pane.

Route tables dashboard

To add a new route, select the route table. Choose the Routes tab and press on the ‘Edit routes’ button.

Edit the route table

Press on the ‘Add route’ button to add a new route. I will add a route to the CIDR 192.168.1.0/24 and I will select as the target my VGW.

Select the target for the new destination

When ready, press the ‘Save changes’ button.

New route added to the routing table

Another option is to enable route propagation for your VGW. The static prefixes configured on the VPN connection are then installed in the route table automatically while the VPN is up and withdrawn when it goes down, so a failed VPN does not leave behind a stale route pointing at the VGW.

First, I will delete the static route added in the previous step. Press on the ‘Edit routes’ button. From the new window, remove the static route added in the last step. When ready, press the ‘Save changes’ button.

Remove the static route

To enable Route propagation, select the ‘Route propagation’ tab and press the ‘Edit route propagation’ button.

Change the route propagation

Tick the checkbox next to ‘Enable’ and press the ‘Save’ button.

Enable route propagation

Confirm that the propagation was enabled.

Route propagation confirmation

5. Download the VPN configuration

Now, you need to download the sample VPN configuration file provided by AWS and use it as a starting point for configuring your VPN device. You can adjust the configuration according to your needs. The file provided by AWS specifies the minimum requirements for a Site-to-Site VPN connection, which are AES128, SHA1, and Diffie-Hellman group 2 in most AWS Regions; if you selected stronger tunnel options when creating the connection, make sure the algorithms in the file match them. The file also contains both tunnels' pre-shared keys in clear text, so store and share it the way you would any other credential.

Press the ‘Download configuration’ button and specify the details for your VPN device: vendor, platform, software version and IKE version.

Download the sample VPN configuration file for your VPN device

6. Configure the IPSec tunnel 1 on the Cisco router

Open the file in a text editor and start configuring your VPN device. In my lab, I use a Cisco router. I will start with the configuration of tunnel 1. Besides the per-tunnel sections shown below, the AWS file contains a few global IPsec settings that are easy to miss when copying it section by section, notably the Dead Peer Detection keepalive, DF-bit clearing for oversized packets and the anti-replay window size; apply those as well, since DPD is what lets the router notice a dead tunnel and fail over to the other one.

1: Internet Key Exchange (IKE) Configuration

CGW#conf term
Enter configuration commands, one per line. End with CNTL/Z.
CGW(config)#crypto isakmp policy 200
CGW(config-isakmp)# encryption aes 128
CGW(config-isakmp)# authentication pre-share
CGW(config-isakmp)# group 2
CGW(config-isakmp)# lifetime 28800
CGW(config-isakmp)# hash sha
CGW(config-isakmp)#exit
CGW(config)#crypto keyring keyring-vpn-0fe2c4614b24720b3-0
CGW(conf-keyring)# local-address 154.61.57.125
CGW(conf-keyring)# pre-shared-key address 3.208.32.72 key ZjN7dZ92m6YPhZYVcJxhsHc.Km2FLIjU
CGW(conf-keyring)#exit
CGW(config)#crypto isakmp profile isakmp-vpn-0fe2c4614b24720b3-0
% A profile is deemed incomplete until it has match identity statements
CGW(conf-isa-prof)# local-address 154.61.57.125
CGW(conf-isa-prof)# match identity address 3.208.32.72
CGW(conf-isa-prof)# keyring keyring-vpn-0fe2c4614b24720b3-0
CGW(conf-isa-prof)#exit
CGW(config)#
Internet Key Exchange (IKE) Configuration tunnel 1

2: IPSec Configuration

CGW(config)#crypto ipsec transform-set ipsec-prop-vpn-0fe2c4614b24720b3-0 esp-aes 128 esp-sha-hmac
CGW(cfg-crypto-trans)# mode tunnel
CGW(cfg-crypto-trans)#exit
CGW(config)#
CGW(config)#crypto ipsec profile ipsec-vpn-0fe2c4614b24720b3-0
CGW(ipsec-profile)# set pfs group2
CGW(ipsec-profile)# set security-association lifetime seconds 3600
CGW(ipsec-profile)# set transform-set ipsec-prop-vpn-0fe2c4614b24720b3-0
CGW(ipsec-profile)#exit
CGW(config)#
IPSec Configuration for tunnel 1

3: Tunnel Interface Configuration

CGW(config)#interface Tunnel1
CGW(config-if)# ip address 169.254.161.34 255.255.255.252
CGW(config-if)# ip virtual-reassembly
CGW(config-if)# tunnel source 154.61.57.125
CGW(config-if)# tunnel destination 3.208.32.72
CGW(config-if)# tunnel mode ipsec ipv4
CGW(config-if)# tunnel protection ipsec profile ipsec-vpn-0fe2c4614b24720b3-0
CGW(config-if)# ! This option causes the router to reduce the Maximum Segment Size of
CGW(config-if)# ! TCP packets to prevent packet fragmentation.
CGW(config-if)# ip tcp adjust-mss 1379
CGW(config-if)# no shutdown
CGW(config-if)#exit
CGW(config)#
Tunnel interface configuration

4: Confirm the status of the interface tunnel 1

CGW#show int tun1
Tunnel1 is up, line protocol is up
Hardware is Tunnel
Internet address is 169.254.161.34/30
MTU 1514 bytes, BW 9 Kbit/sec, DLY 500000 usec,
reliability 255/255, txload 1/255, rxload 1/255
Encapsulation TUNNEL, loopback not set
Keepalive not set
Tunnel source 154.61.57.125, destination 3.208.32.72
Tunnel protocol/transport IPSEC/IP
Tunnel TTL 255
Fast tunneling enabled
Tunnel transmit bandwidth 8000 (kbps)
Tunnel receive bandwidth 8000 (kbps)
Tunnel protection via IPSec (profile "ipsec-vpn-0fe2c4614b24720b3-0")
Last input never, output never, output hang never
Last clearing of "show interface" counters never
Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
Queueing strategy: fifo
Output queue: 0/0 (size/max)
5 minute input rate 0 bits/sec, 0 packets/sec
5 minute output rate 0 bits/sec, 0 packets/sec
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants, 0 throttles
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 packets output, 0 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 output buffer failures, 0 output buffers swapped out
CGW#
Confirm the status of the interface tunnel 1

7. Configure the IPSec tunnel 2 on the Cisco router

Follow the same steps for configuring the IPSec tunnel 2, taking the second tunnel's peer address, pre-shared key and inside IP address from the configuration file. Only the ISAKMP policy number has to differ (201 here); everything else is named per tunnel, with the -1 suffix instead of -0.

CGW(config)#crypto isakmp policy 201
CGW(config-isakmp)# encryption aes 128
CGW(config-isakmp)# authentication pre-share
CGW(config-isakmp)# group 2
CGW(config-isakmp)# lifetime 28800
CGW(config-isakmp)# hash sha
CGW(config-isakmp)#exit
CGW(config)#crypto keyring keyring-vpn-0fe2c4614b24720b3-1
CGW(conf-keyring)# local-address 154.61.57.125
CGW(conf-keyring)# pre-shared-key address 52.4.207.122 key K8iQNUxdYxEgj3rBSx7ZcBeAq2tae_yM
CGW(conf-keyring)#exit
CGW(config)#crypto isakmp profile isakmp-vpn-0fe2c4614b24720b3-1
% A profile is deemed incomplete until it has match identity statements
CGW(conf-isa-prof)# local-address 154.61.57.125
CGW(conf-isa-prof)# match identity address 52.4.207.122
CGW(conf-isa-prof)# keyring keyring-vpn-0fe2c4614b24720b3-1
CGW(conf-isa-prof)#exit
CGW(config)#crypto ipsec transform-set ipsec-prop-vpn-0fe2c4614b24720b3-1 esp-aes 128 esp-sha-hmac
CGW(cfg-crypto-trans)# mode tunnel
CGW(cfg-crypto-trans)#exit
CGW(config)#crypto ipsec profile ipsec-vpn-0fe2c4614b24720b3-1
CGW(ipsec-profile)# set pfs group2
CGW(ipsec-profile)# set security-association lifetime seconds 3600
CGW(ipsec-profile)# set transform-set ipsec-prop-vpn-0fe2c4614b24720b3-1
CGW(ipsec-profile)#exit
CGW(config)#interface Tunnel2
CGW(config-if)# ip address 169.254.177.82 255.255.255.252
CGW(config-if)# ip virtual-reassembly
CGW(config-if)# tunnel source 154.61.57.125
CGW(config-if)# tunnel destination 52.4.207.122
CGW(config-if)# tunnel mode ipsec ipv4
CGW(config-if)# tunnel protection ipsec profile ipsec-vpn-0fe2c4614b24720b3-1
CGW(config-if)# ! This option causes the router to reduce the Maximum Segment Size of
CGW(config-if)# ! TCP packets to prevent packet fragmentation.
CGW(config-if)# ip tcp adjust-mss 1379
CGW(config-if)# no shutdown
CGW(config-if)#exit
Confirm the status of the interface tunnel 2

8. Configure the static routes on the Cisco router

Next, you need to add two static routes for the CIDR block of the VPC (172.31.0.0/16 for the default VPC), one per tunnel interface. The track 100 and track 200 keywords tie each route to a tracking object; in the AWS configuration file these are IP SLA probes of each tunnel's inside peer address, and they are what withdraws a route when its tunnel stops passing traffic, so make sure the ip sla and track definitions from the file are applied as well. With two equal routes the router shares traffic across both tunnels; if you prefer a primary/backup arrangement, give the Tunnel2 route a higher administrative distance.

CGW#conf term
Enter configuration commands, one per line. End with CNTL/Z.
CGW(config)#
CGW(config)#
CGW(config)#ip route 172.31.0.0 255.255.0.0 Tunnel1 track 100
CGW(config)#ip route 172.31.0.0 255.255.0.0 Tunnel2 track 200
CGW(config)#
Configure the static routes on the Cisco router
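Sections 6 to 8 are a lot of names that have to line up: each tunnel interface must point at an existing IPsec profile, each IPsec profile at an existing transform-set, each ISAKMP profile at an existing keyring, each tunnel destination needs a pre-shared key for that peer, and each track keyword needs a tracking object. As an added example, my code rather than the post's, Cisco's or AWS's, the following standard-library Python linter parses an IOS-style configuration by indentation and reports dangling references together with the legacy algorithm choices the sample configuration makes (AES128, SHA1, DH group 2, esp-sha-hmac, set pfs group2). The sample configuration embedded in it is constructed to mirror this post, with documentation addresses 203.0.113.10 and 198.51.100.x standing in for the real ones, tunnel 2 deliberately left incomplete and the tracking objects omitted so the checks have something to find; parse_ios and lint are my names.

```python
"""Added example (not from the original post): consistency and cipher-strength
linter for the Cisco IOS side of an AWS Site-to-Site VPN. Standard library only."""
import re

# Settings the AWS sample configuration proposes that a hardened tunnel should drop.
LEGACY_ISAKMP = {"hash sha", "hash md5", "group 1", "group 2", "group 5",
                 "encryption aes 128", "encryption 3des", "encryption des"}
LEGACY_ESP = {"esp-sha-hmac", "esp-md5-hmac", "esp-3des", "esp-des"}
LEGACY_PFS = {"set pfs group1", "set pfs group2", "set pfs group5"}
BLOCK_HEAD = re.compile(
    r"(crypto isakmp policy|crypto keyring|crypto isakmp profile|"
    r"crypto ipsec transform-set|crypto ipsec profile|interface|track) (\S+)")


def parse_ios(text):
    """Return ({(kind, name): [sub-commands]}, [top-level lines]). IOS marks a
    sub-command by indenting it under its parent, so indentation is the grammar."""
    blocks, top, current = {}, [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # blank line or comment
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
            continue
        line = raw.strip()
        top.append(line)
        m = BLOCK_HEAD.match(line)
        current = (m.group(1), m.group(2)) if m else None
        if current:  # a transform-set names its algorithms on the head line; keep it
            blocks[current] = [line] if current[0] == "crypto ipsec transform-set" else []
    return blocks, top


def lint(text):
    """Dangling references and legacy algorithms, as human-readable findings."""
    blocks, top = parse_ios(text)
    names = lambda kind: {n for (k, n) in blocks if k == kind}
    psk_peers = {s.split()[2] for (k, _), subs in blocks.items() if k == "crypto keyring"
                 for s in subs if s.startswith("pre-shared-key address ")}
    findings = []
    for (kind, name), subs in blocks.items():
        for s in subs:
            tok = s.split()
            if kind == "interface" and s.startswith("tunnel protection ipsec profile ") \
                    and tok[4] not in names("crypto ipsec profile"):
                findings.append(f"{name}: ipsec profile {tok[4]} is not defined")
            if kind == "interface" and s.startswith("tunnel destination ") \
                    and tok[2] not in psk_peers:
                findings.append(f"{name}: no pre-shared key for peer {tok[2]}")
            if kind == "crypto ipsec profile" and s.startswith("set transform-set ") \
                    and tok[2] not in names("crypto ipsec transform-set"):
                findings.append(f"{name}: transform-set {tok[2]} is not defined")
            if kind == "crypto isakmp profile" and s.startswith("keyring ") \
                    and tok[1] not in names("crypto keyring"):
                findings.append(f"{name}: keyring {tok[1]} is not defined")
            if kind == "crypto isakmp policy" and s in LEGACY_ISAKMP:
                findings.append(f"isakmp policy {name}: legacy '{s}'")
            if kind == "crypto ipsec transform-set" and LEGACY_ESP & set(tok):
                findings.append(f"transform-set {name}: legacy ESP transform")
            if kind == "crypto ipsec profile" and s in LEGACY_PFS:
                findings.append(f"ipsec profile {name}: legacy '{s}'")
    # A tracked static route without its track object gives no failover; the AWS
    # file defines them as IP SLA probes of each tunnel's inside peer address.
    for line in top:
        m = re.match(r"ip route .* track (\d+)$", line)
        if m and m.group(1) not in names("track"):
            findings.append(f"'{line}': track {m.group(1)} is not defined")
    return findings


# Constructed sample mirroring the post (RFC 5737 addresses instead of the real
# ones); tunnel 2 is deliberately incomplete and the track objects are missing.
SAMPLE_CONFIG = """\
crypto isakmp policy 200
 encryption aes 128
 authentication pre-share
 group 2
 hash sha
crypto keyring keyring-vpn-lab-0
 local-address 203.0.113.10
 pre-shared-key address 198.51.100.1 key Lab_psk_example_1
crypto isakmp profile isakmp-vpn-lab-0
 match identity address 198.51.100.1
 keyring keyring-vpn-lab-0
crypto ipsec transform-set ipsec-prop-vpn-lab-0 esp-aes 128 esp-sha-hmac
 mode tunnel
crypto ipsec profile ipsec-vpn-lab-0
 set pfs group2
 set transform-set ipsec-prop-vpn-lab-0
interface Tunnel1
 ip address 169.254.161.34 255.255.255.252
 tunnel source 203.0.113.10
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile ipsec-vpn-lab-0
interface Tunnel2
 tunnel source 203.0.113.10
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile ipsec-vpn-lab-1
ip route 172.31.0.0 255.255.0.0 Tunnel1 track 100
ip route 172.31.0.0 255.255.0.0 Tunnel2 track 200
"""

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG)))
```

Run lint() over the downloaded AWS file or a show running-config dump. The transform-set and set pfs group2 findings will persist until the connection is recreated or modified with stronger tunnel options on the AWS side, because the router can only propose what AWS is configured to accept.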

9. Launch an EC2 instance in AWS

After finishing the configuration of your Cisco router, you need to deploy an EC2 instance in your AWS account. I will use this instance to test the connectivity between AWS and my on-premises network. Its security group must allow ICMP from the on-premises CIDR, otherwise the ping in the next step fails even with both tunnels up. For step-by-step instructions on how to create an EC2 instance, check this post.

As you can see my EC2 instance is running.

EC2 instance running

10. Test the connectivity between your on-premises network and AWS

I will start a ping from an on-premises VM toward the EC2 instance deployed in AWS.

[petru@rhel9 ~]$ ping -c 2 172.31.29.232
PING 172.31.29.232 (172.31.29.232) 56(84) bytes of data.
64 bytes from 172.31.29.232: icmp_seq=1 ttl=125 time=82.3 ms
64 bytes from 172.31.29.232: icmp_seq=2 ttl=125 time=82.1 ms

--- 172.31.29.232 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 82.073/82.173/82.273/0.100 ms
[petru@rhel9 ~]$
Ping the EC2 instance deployed in AWS

On the AWS EC2 instance, I will run a tcpdump command to confirm that the ICMP traffic from the on-premises VM (172.16.10.101) is reaching the instance. The packets arrive unencrypted on the instance's network interface because decryption happens at the VGW; the echo requests from unrelated public addresses in the same capture are Internet background noise reaching the instance through its public IP, a reminder to restrict the security group to the on-premises CIDR once the test is done.

[ec2-user@ip-172-31-29-232 ~]$ sudo tcpdump -i enX0 icmp
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enX0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
11:55:44.195014 IP ip-172-16-10-101.ec2.internal > ip-172-31-29-232.ec2.internal: ICMP echo request, id 11, seq 1, length 64
11:55:44.195047 IP ip-172-31-29-232.ec2.internal > ip-172-16-10-101.ec2.internal: ICMP echo reply, id 11, seq 1, length 64
11:55:45.196397 IP ip-172-16-10-101.ec2.internal > ip-172-31-29-232.ec2.internal: ICMP echo request, id 11, seq 2, length 64
11:55:45.196420 IP ip-172-31-29-232.ec2.internal > ip-172-16-10-101.ec2.internal: ICMP echo reply, id 11, seq 2, length 64
11:55:45.665119 IP 101.89.137.12 > ip-172-31-29-232.ec2.internal: ICMP echo request, id 4365, seq 99, length 16
11:55:45.665147 IP ip-172-31-29-232.ec2.internal > 101.89.137.12: ICMP echo reply, id 4365, seq 99, length 16
11:58:06.434592 IP ec2-13-214-173-166.ap-southeast-1.compute.amazonaws.com > ip-172-31-29-232.ec2.internal: ICMP echo reply, id 16509, seq 14618, length 8
Tcpdump command to capture the icmp traffic from the on-premise VM

11. Confirm that the traffic is being encrypted

Finally, let's confirm that the traffic is being encrypted. The ISAKMP SA with the tunnel 1 peer should be ACTIVE in the QM_IDLE state, the IPsec SAs should show the negotiated transform (esp-aes with esp-sha-hmac) with the encaps/encrypt and decaps/decrypt counters increasing as the pings flow, and the 'UDP-Encaps' flag together with port 4500 tells you the ESP packets are NAT-T encapsulated.

CGW#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
3.208.32.72 154.61.57.125 QM_IDLE 2001 0 ACTIVE

IPv6 Crypto ISAKMP SA

CGW#show crypto ipsec sa

interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 154.61.57.125

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
current_peer 3.208.32.72 port 4500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 56, #pkts encrypt: 56, #pkts digest: 56
#pkts decaps: 16, #pkts decrypt: 16, #pkts verify: 16
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 154.61.57.125, remote crypto endpt.: 3.208.32.72
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0
current outbound spi: 0xC6C33F65(3334684517)

inbound esp sas:
spi: 0x3F83AA72(1065593458)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 1, flow_id: Motorola SEC 2.0:1, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4505434/1920)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xC6C33F65(3334684517)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2, flow_id: Motorola SEC 2.0:2, crypto map: Tunnel1-head-0
sa timing: remaining key lifetime (k/sec): (4505427/1919)
IV size: 16 bytes
replay detection support: Y replay window size: 128
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
CGW#
CGW#show crypto session
Crypto session current status

Interface: Tunnel1
Profile: isakmp-vpn-0fe2c4614b24720b3-0
Session status: UP-ACTIVE
Peer: 3.208.32.72 port 4500
IKE SA: local 154.61.57.125/4500 remote 3.208.32.72/4500 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 0.0.0.0/0.0.0.0
Active SAs: 2, origin: crypto map

CGW#
show crypto session

You can also confirm from the AWS console that the Static Site-to-Site VPN is up and running.

Confirm that the VPN tunnel is up and running

That’s it! You have learned how to configure a Static Site-to-Site VPN between AWS and a Cisco router. If you found this blog post helpful, please like and subscribe for more Cisco networking tutorials. Thank you for reading it!
