Forum Discussion

Matthias_59049
Oct 14, 2014

IPSec VPN between LTM and AWS VPC

We are trying to build an IPSec VPN between our platform and the VPC (Virtual Private Cloud) from AWS.

We have only an LTM on our side. AWS has many templates for different firewall systems (Cisco, Juniper, Palo Alto, Windows).

The configuration of IKE and IPSec SA is simple with the generic template.

However, the routing through the tunnel is difficult. AWS wants to use the network 169.254.254.0/30 and the LTM says:

01020062:3: IP Address 169.254.254.2 is invalid, link-local address not allowed.

Has anyone built a working tunnel with an LTM to AWS and can describe the solution?

Thank you.

  • Hmmm, trying to do this with my AWS lab VPC but not having much luck (times out). I'm using a private Static IP Prefix value, are you?

  • OK, so, once I'd sorted out my VPG to VPC association and set up a customer gateway I got it set up. I'm seeing proper public IPs for the AWS VPN endpoints: 205.251.233.119 and .120, nothing like 169...

    Did you specify the 169 addresses?

  • OK, so you said:

    AWS wants to use the network 169.254.254.0/30...
    

    It seems to me you should be using 87.238.85.42 and 87.238.85.46 as the endpoints in your LTM configuration. The 169... addresses must be just examples.

  • This is the generic description from the "Download Configuration" button:

    Amazon Web Services
    Virtual Private Cloud
    
    VPN Connection Configuration
    ================================================================================
    AWS utilizes unique identifiers to manipulate the configuration of 
    a VPN Connection. Each VPN Connection is assigned a VPN Connection Identifier 
    and is associated with two other identifiers, namely the 
    Customer Gateway Identifier and the Virtual Private Gateway Identifier.
    
    Your VPN Connection ID               : vpn-abcdefgh
    Your Virtual Private Gateway ID          : vgw-abcdefgh
    Your Customer Gateway ID             : cgw-abcdefgh
    
    A VPN Connection consists of a pair of IPSec tunnel security associations (SAs). 
    It is important that both tunnel security associations be configured. 
    
    
    IPSec Tunnel 1
    ================================================================================
    1: Internet Key Exchange Configuration
    
    Configure the IKE SA as follows
      - Authentication Method    : Pre-Shared Key 
      - Pre-Shared Key           : abcdefghijklmnopqrstuvwxyz
      - Authentication Algorithm : sha1
      - Encryption Algorithm     : aes-128-cbc
      - Lifetime                 : 28800 seconds
      - Phase 1 Negotiation Mode : main
      - Perfect Forward Secrecy  : Diffie-Hellman Group 2
    
    2: IPSec Configuration
    
    Configure the IPSec SA as follows:
      - Protocol                 : esp
      - Authentication Algorithm : hmac-sha1-96
      - Encryption Algorithm     : aes-128-cbc
      - Lifetime                 : 3600 seconds
      - Mode                     : tunnel
      - Perfect Forward Secrecy  : Diffie-Hellman Group 2
    
    IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
    recommend configuring DPD on your endpoint as follows:
      - DPD Interval             : 10
      - DPD Retries              : 3
    
    IPSec ESP (Encapsulating Security Payload) inserts additional
    headers to transmit packets. These headers require additional space, 
    which reduces the amount of space available to transmit application data.
    To limit the impact of this behavior, we recommend the following 
    configuration on your Customer Gateway:
      - TCP MSS Adjustment       : 1387 bytes
      - Clear Don't Fragment Bit : enabled
      - Fragmentation            : Before encryption
    
    3: Tunnel Interface Configuration
    
    Your Customer Gateway must be configured with a tunnel interface that is
    associated with the IPSec tunnel. All traffic transmitted to the tunnel
    interface is encrypted and transmitted to the Virtual Private Gateway.
    
    
    
    The Customer Gateway and Virtual Private Gateway each have two addresses that relate
    to this IPSec tunnel. Each contains an outside address, upon which encrypted
    traffic is exchanged. Each also contain an inside address associated with
    the tunnel interface.
    
    The Customer Gateway outside IP address was provided when the Customer Gateway
    was created. Changing the IP address requires the creation of a new
    Customer Gateway.
    
    The Customer Gateway inside IP address should be configured on your tunnel
    interface. 
    
    Outside IP Addresses:
      - Customer Gateway                : 1xxxxxxxxxxx
      - Virtual Private Gateway         : 87.238.85.42
    
    Inside IP Addresses
      - Customer Gateway                : 169.254.254.2/30
      - Virtual Private Gateway             : 169.254.254.1/30
    
    Configure your tunnel to fragment at the optimal size:
      - Tunnel interface MTU     : 1436 bytes
    
    
    4: Static Routing Configuration:
    
    To route traffic between your internal network and your VPC, 
    you will need a static route added to your router.
    
    Static Route Configuration Options:
    
      - Next hop       : 169.254.254.1
    
    You should add static routes towards your internal network on the VGW.
    The VGW will then send traffic towards your internal network over 
    the tunnels.  
    
    
    
    IPSec Tunnel 2
    ================================================================================
    1: Internet Key Exchange Configuration
    
    Configure the IKE SA as follows
      - Authentication Method    : Pre-Shared Key 
      - Pre-Shared Key           : abcdefghijklmnopqrstuvwxyz
      - Authentication Algorithm : sha1
      - Encryption Algorithm     : aes-128-cbc
      - Lifetime                 : 28800 seconds
      - Phase 1 Negotiation Mode : main
      - Perfect Forward Secrecy  : Diffie-Hellman Group 2
    
    2: IPSec Configuration
    
    Configure the IPSec SA as follows:
      - Protocol                 : esp
      - Authentication Algorithm : hmac-sha1-96
      - Encryption Algorithm     : aes-128-cbc
      - Lifetime                 : 3600 seconds
      - Mode                     : tunnel
      - Perfect Forward Secrecy  : Diffie-Hellman Group 2
    
    IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
    recommend configuring DPD on your endpoint as follows:
      - DPD Interval             : 10
      - DPD Retries              : 3
    
    IPSec ESP (Encapsulating Security Payload) inserts additional
    headers to transmit packets. These headers require additional space, 
    which reduces the amount of space available to transmit application data.
    To limit the impact of this behavior, we recommend the following 
    configuration on your Customer Gateway:
      - TCP MSS Adjustment       : 1387 bytes
      - Clear Don't Fragment Bit : enabled
      - Fragmentation            : Before encryption
    
    3: Tunnel Interface Configuration
    
    Your Customer Gateway must be configured with a tunnel interface that is
    associated with the IPSec tunnel. All traffic transmitted to the tunnel
    interface is encrypted and transmitted to the Virtual Private Gateway.
    
    
    
    The Customer Gateway and Virtual Private Gateway each have two addresses that relate
    to this IPSec tunnel. Each contains an outside address, upon which encrypted
    traffic is exchanged. Each also contain an inside address associated with
    the tunnel interface.
    
    The Customer Gateway outside IP address was provided when the Customer Gateway
    was created. Changing the IP address requires the creation of a new
    Customer Gateway.
    
    The Customer Gateway inside IP address should be configured on your tunnel
    interface. 
    
    Outside IP Addresses:
      - Customer Gateway                : 1xxxxxxxxxxx
      - Virtual Private Gateway         : 87.238.85.46
    
    Inside IP Addresses
      - Customer Gateway                : 169.254.254.6/30
      - Virtual Private Gateway             : 169.254.254.5/30
    
    Configure your tunnel to fragment at the optimal size:
      - Tunnel interface MTU     : 1436 bytes
    
    
    4: Static Routing Configuration:
    
    To route traffic between your internal network and your VPC, 
    you will need a static route added to your router.
    
    Static Route Configuration Options:
    
      - Next hop       : 169.254.254.5
    
    You should add static routes towards your internal network on the VGW.
    The VGW will then send traffic towards your internal network over 
    the tunnels.  
    
    
    
    
    Additional Notes and Questions
    ================================================================================
    
      - Amazon Virtual Private Cloud Getting Started Guide: 
          http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
      - Amazon Virtual Private Cloud Network Administrator Guide: 
          http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
      - XSL Version: 2009-07-15-1119716
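
    As an added example (not from the thread and not F5 or AWS code), the following Python script parses the address sections of the generic configuration text above and reports, per tunnel, the public VGW address to use as the IPsec peer and whether the "inside" customer-gateway address is link-local, which is exactly the property the LTM rejects with the 01020062:3 error quoted in the question. The sample config is a constructed, trimmed copy of the text above; the helper names are my own.

```python
import ipaddress
import re

# Constructed, trimmed excerpt of the AWS generic VPN configuration quoted in the thread.
SAMPLE_CONFIG = """\
IPSec Tunnel 1
Outside IP Addresses:
  - Customer Gateway                : 1xxxxxxxxxxx
  - Virtual Private Gateway         : 87.238.85.42
Inside IP Addresses
  - Customer Gateway                : 169.254.254.2/30
  - Virtual Private Gateway             : 169.254.254.1/30
IPSec Tunnel 2
Outside IP Addresses:
  - Customer Gateway                : 1xxxxxxxxxxx
  - Virtual Private Gateway         : 87.238.85.46
Inside IP Addresses
  - Customer Gateway                : 169.254.254.6/30
  - Virtual Private Gateway             : 169.254.254.5/30
"""

TUNNEL_RE = re.compile(r"^IPSec Tunnel (\d+)\s*$", re.M)
ADDR_RE = re.compile(r"^\s*-\s*(Customer Gateway|Virtual Private Gateway)\s*:\s*(\S+)", re.M)

def parse_tunnels(text):
    """Map tunnel number -> {"outside": {...}, "inside": {...}} from the generic config."""
    tunnels = {}
    parts = TUNNEL_RE.split(text)  # [preamble, "1", body1, "2", body2, ...]
    for i in range(1, len(parts), 2):
        num, body = int(parts[i]), parts[i + 1]
        outside, _, inside = body.partition("Inside IP Addresses")
        outside = outside.split("Outside IP Addresses", 1)[-1]
        tunnels[num] = {
            "outside": {m.group(1): m.group(2) for m in ADDR_RE.finditer(outside)},
            "inside": {m.group(1): m.group(2) for m in ADDR_RE.finditer(inside)},
        }
    return tunnels

def check_tunnels(tunnels):
    """Per tunnel: the public VGW address to use as IPsec peer, and whether the
    'inside' customer-gateway address is link-local (what BIG-IP rejects as a self IP)."""
    report = {}
    for num, t in tunnels.items():
        inside_cg = ipaddress.ip_interface(t["inside"]["Customer Gateway"])
        report[num] = {
            "peer": t["outside"]["Virtual Private Gateway"],
            "inside_link_local": inside_cg.ip.is_link_local,
            "inside_subnet": str(inside_cg.network),
        }
    return report
```

    Running it on the real download (after pasting the full text into SAMPLE_CONFIG) shows which addresses belong in the LTM's IPsec peer configuration and which are the link-local tunnel-interface addresses it will not accept.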
    
  • So, use the VPG IPs and all will be well. No idea what the 'inside' addresses refer to.

  • To this day, we have no stable tunnel between our LTM and AWS.

    We built our tunnel with our Juniper SRX. :(