Amazon Virtual Private Cloud
Network Administrator Guide (API Version 2011-07-15)

Example: Cisco IOS Device

This section shows an example of the configuration information your integration team gives you if your customer gateway is a Cisco Integrated Services router running Cisco IOS 12.4 (or later) software.

Two diagrams accompany the example configuration: the first shows the high-level layout of the customer gateway, and the second supplies details that match the example configuration. Take the real configuration information that your integration team gives you and apply it to your customer gateway.

A High-Level View of the Customer Gateway

The following diagram shows the general details of your customer gateway. Note that the VPN connection consists of two separate tunnels, Tunnel1 and Tunnel2. Two redundant tunnels provide increased availability in the case of a device failure.

Cisco high-level diagram

A Detailed View of the Customer Gateway and an Example Configuration

The diagram in this section gives you a detailed illustration of an example Cisco IOS customer gateway. After the diagram is a corresponding example of the configuration information your integration team should give you. The example configuration contains a set of information for each of the two tunnels you must configure.

In addition, the example configuration refers to these items that you must provide:

  • YOUR_UPLINK_ADDRESS—The IP address for the Internet-routable external interface on the customer gateway (which must be static and can't be behind a device performing NAT)

  • YOUR_BGP_ASN—The customer gateway's BGP ASN (we use 65000 by default)

The example configuration includes several dummy values to help you understand how configuration works. For example, we give dummy values for the VPN connection ID (44a8938f), Virtual Private Gateway ID (8db04f81), the IP addresses (e.g., 72.21.209.*, 169.254.255.*), and the remote ASN (7224). The actual configuration information you get will replace the dummy values with real values.

In addition to the configuration changes, you must:

  • Configure the outside interface

  • Configure the tunnel interface IDs (referred to as Tunnel1 and Tunnel2 in the example configuration)

  • Ensure that the Crypto ISAKMP Policy Sequence number is unique

  • Ensure that the Crypto IPsec Transform Set and the Crypto ISAKMP Policy Sequence are harmonious with any other IPsec tunnels configured on the device

  • Configure all internal routing (getting traffic between the customer gateway and your local network)

In the following diagram and example configuration, the items highlighted in red italics must be replaced with values that apply to your own particular situation.

Cisco detailed diagram
Important

The following configuration information is an example of what your integration team provides you. Many of the values in the following example will be different from the actual configuration information that you receive. You must use the actual values and not the example values shown here, or your implementation will fail.

! Amazon Web Services
! Virtual Private Cloud

! AWS utilizes unique identifiers to manipulate the configuration of 
! a VPN Connection. Each VPN Connection is assigned an identifier  
! and is associated with two other identifiers, namely the 
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID            : vpn-44a8938f
! Your Virtual Private Gateway ID   : vgw-8db04f81
! Your Customer Gateway ID          : cgw-b4dc3961
!
!
! This configuration consists of two tunnels. Both tunnels must be 
! configured on your Customer Gateway.
!
! -------------------------------------------------------------------------
! IPsec Tunnel #1
! -------------------------------------------------------------------------

! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption, 
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
! Note that there is a global list of ISAKMP policies, each identified by 
! sequence number. This policy is defined as #200, which may conflict with
! an existing policy using the same number. If so, we recommend changing 
! the sequence number to avoid conflicts.
!
crypto isakmp policy 200
   encryption aes 128
   authentication pre-share
   group 2
   lifetime 28800
   hash sha
exit

! The ISAKMP keyring stores the Pre Shared Key used to authenticate the 
! tunnel endpoints.
!
crypto keyring keyring-vpn-44a8938f-0
   pre-shared-key address 72.21.209.225 key plain-text-password1
exit

! An ISAKMP profile is used to associate the keyring with the particular 
! endpoint.
!
crypto isakmp profile isakmp-vpn-44a8938f-0
   match identity address 72.21.209.225
   keyring keyring-vpn-44a8938f-0
exit

! #2: IPsec Configuration
! 
! The IPsec transform set defines the encryption, authentication, and IPsec
! mode parameters.
!
crypto ipsec transform-set ipsec-prop-vpn-44a8938f-0 esp-aes 128 esp-sha-hmac 
   mode tunnel
exit

! The IPsec profile references the IPsec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-44a8938f-0
   set pfs group2
   set security-association lifetime seconds 3600
   set transform-set ipsec-prop-vpn-44a8938f-0
exit

! Additional parameters of the IPsec configuration are set here. Note that 
! these parameters are global and therefore impact other IPsec 
! associations.
! This option instructs the router to clear the "Don't Fragment" 
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear

! This option enables IPsec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
crypto isakmp keepalive 10 10 on-demand

! This configures the gateway's window for accepting out of order
! IPsec packets. A larger window can be helpful if too many packets 
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128

! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
!
crypto ipsec fragmentation before-encryption

! #3: Tunnel Interface Configuration
!  
! A tunnel interface is configured to be the logical interface associated 
! with the tunnel. All traffic routed to the tunnel interface will be  
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! Association with the IPsec security association is done through the 
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your 
! Customer Gateway.  If the address changes, the Customer Gateway and VPN 
! Connection must be recreated with Amazon VPC.
!
interface Tunnel1
   ip address 169.254.255.2 255.255.255.252
   ip virtual-reassembly
   tunnel source YOUR_UPLINK_ADDRESS
   tunnel destination 72.21.209.225 
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile ipsec-vpn-44a8938f-0
   ! This option causes the router to reduce the Maximum Segment Size of
   ! TCP packets to prevent packet fragmentation.
   ip tcp adjust-mss 1396 
   no shutdown
exit

! #4: Border Gateway Protocol (BGP) Configuration
!                                                                                     
! BGP is used within the tunnel to exchange prefixes between the
! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway    
! will announce the prefix corresponding to your VPC.
!            
! Your Customer Gateway may announce a default route (0.0.0.0/0), 
! which can be done with the 'network' statement and 
! 'default-originate' statements.                                        
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (YOUR_BGP_ASN) is configured
! as part of your Customer Gateway. If the ASN must be changed, the 
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!    
router bgp YOUR_BGP_ASN
   neighbor 169.254.255.1 remote-as 7224
   neighbor 169.254.255.1 activate
   neighbor 169.254.255.1 timers 10 30 30
   address-family ipv4 unicast 
      neighbor 169.254.255.1 remote-as 7224
      neighbor 169.254.255.1 timers 10 30 30
      neighbor 169.254.255.1 default-originate
      neighbor 169.254.255.1 activate
      neighbor 169.254.255.1 soft-reconfiguration inbound
! To advertise additional prefixes to Amazon VPC, copy the 'network' statement
! and identify the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop.     
      network 0.0.0.0
   exit
exit


! -------------------------------------------------------------------------
! IPsec Tunnel #2
! -------------------------------------------------------------------------
 
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption, 
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
! Note that there is a global list of ISAKMP policies, each identified by 
! sequence number. This policy is defined as #201, which may conflict with
! an existing policy using the same number. If so, we recommend changing 
! the sequence number to avoid conflicts.
!
crypto isakmp policy 201
   encryption aes 128
   authentication pre-share
   group 2
   lifetime 28800
   hash sha
exit

! The ISAKMP keyring stores the Pre Shared Key used to authenticate the 
! tunnel endpoints.
!
crypto keyring keyring-vpn-44a8938f-1
   pre-shared-key address 72.21.209.193 key plain-text-password2
exit

! An ISAKMP profile is used to associate the keyring with the particular 
! endpoint.
!
crypto isakmp profile isakmp-vpn-44a8938f-1
   match identity address 72.21.209.193
   keyring keyring-vpn-44a8938f-1
exit

! #2: IPsec Configuration
! 
! The IPsec transform set defines the encryption, authentication, and IPsec
! mode parameters.
!
crypto ipsec transform-set ipsec-prop-vpn-44a8938f-1 esp-aes 128 esp-sha-hmac 
   mode tunnel
exit

! The IPsec profile references the IPsec transform set and further defines
! the Diffie-Hellman group and security association lifetime.
!
crypto ipsec profile ipsec-vpn-44a8938f-1
   set pfs group2
   set security-association lifetime seconds 3600
   set transform-set ipsec-prop-vpn-44a8938f-1
exit

! Additional parameters of the IPsec configuration are set here. Note that 
! these parameters are global and therefore impact other IPsec 
! associations.
! This option instructs the router to clear the "Don't Fragment" 
! bit from packets that carry this bit and yet must be fragmented, enabling
! them to be fragmented.
!
crypto ipsec df-bit clear

! This option enables IPsec Dead Peer Detection, which causes periodic
! messages to be sent to ensure a Security Association remains operational.
!
crypto isakmp keepalive 10 10 on-demand

! This configures the gateway's window for accepting out of order
! IPsec packets. A larger window can be helpful if too many packets 
! are dropped due to reordering while in transit between gateways.
!
crypto ipsec security-association replay window-size 128

! This option instructs the router to fragment the unencrypted packets
! (prior to encryption).
!
crypto ipsec fragmentation before-encryption

! #3: Tunnel Interface Configuration
!  
! A tunnel interface is configured to be the logical interface associated  
! with the tunnel. All traffic routed to the tunnel interface will be 
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! Association with the IPsec security association is done through the 
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your 
! Customer Gateway.  If the address changes, the Customer Gateway and VPN 
! Connection must be recreated with Amazon VPC.
!
interface Tunnel2
   ip address 169.254.255.6 255.255.255.252
   ip virtual-reassembly
   tunnel source YOUR_UPLINK_ADDRESS
   tunnel destination 72.21.209.193 
   tunnel mode ipsec ipv4
   tunnel protection ipsec profile ipsec-vpn-44a8938f-1
   ! This option causes the router to reduce the Maximum Segment Size of
   ! TCP packets to prevent packet fragmentation.
   ip tcp adjust-mss 1396 
   no shutdown
exit

! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
! will announce the prefix corresponding to your VPC.
!
! Your Customer Gateway may announce a default route (0.0.0.0/0), 
! which can be done with the 'network' statement and 
! 'default-originate' statements.
!
! The BGP timers are adjusted to provide more rapid detection of outages.
!
! The local BGP Autonomous System Number (ASN) (YOUR_BGP_ASN) is configured
! as part of your Customer Gateway. If the ASN must be changed, the 
! Customer Gateway and VPN Connection will need to be recreated with AWS.
!
router bgp YOUR_BGP_ASN
   neighbor 169.254.255.5 remote-as 7224
   neighbor 169.254.255.5 activate
   neighbor 169.254.255.5 timers 10 30 30
   address-family ipv4 unicast 
      neighbor 169.254.255.5 remote-as 7224
      neighbor 169.254.255.5 timers 10 30 30
      neighbor 169.254.255.5 default-originate
      neighbor 169.254.255.5 activate
      neighbor 169.254.255.5 soft-reconfiguration inbound
! To advertise additional prefixes to Amazon VPC, copy the 'network' statement
! and identify the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop.
      network 0.0.0.0
   exit
exit


! Additional Notes and Questions
!  - Amazon Virtual Private Cloud Getting Started Guide: 
!       http://docs.amazonwebservices.com/AWSVPC/latest/GettingStartedGuide
!  - Amazon Virtual Private Cloud Network Administrator Guide: 
!       http://docs.amazonwebservices.com/AWSVPC/latest/NetworkAdminGuide
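The checklist earlier on this page (a unique ISAKMP policy sequence number for each tunnel, a keyring and an ISAKMP profile that name each tunnel's peer, transform sets and IPsec profiles that actually exist) is easy to get wrong when the second tunnel is pasted from the first. The following Python script is an added example, not code from AWS or Cisco, that parses the IOS configuration as plain text and reports those inconsistencies before the configuration is applied. The sample configuration it carries is constructed from the page's dummy values and keeps only the lines the checks inspect; the command subset it understands and the names `parse_ios`, `lint_config` and `tunnel_config` are this example's own.

```python
# Added example (not AWS's or Cisco's code): consistency checks over the text of
# the two-tunnel IOS configuration shown above, run before it is applied.
import re

# Lines the checks care about; each capture group is the value we record.
PATTERNS = {
    "policy": re.compile(r"crypto isakmp policy (\d+)$"),
    "keyed": re.compile(r"pre-shared-key address (\S+)"),
    "matched": re.compile(r"match identity address (\S+)$"),
    "transform_set": re.compile(r"crypto ipsec transform-set (\S+)\s"),
    "ipsec_profile": re.compile(r"crypto ipsec profile (\S+)$"),
    "set_transform": re.compile(r"set transform-set (\S+)$"),
    "tunnel": re.compile(r"interface (Tunnel\d+)$"),
    "destination": re.compile(r"tunnel destination (\S+)$"),
    "protection": re.compile(r"tunnel protection ipsec profile (\S+)$"),
}

def parse_ios(text):
    """Collect the cross-references between the IKE, IPsec and tunnel blocks."""
    cfg = {"policies": [], "keyed_peers": set(), "matched_peers": set(),
           "transform_sets": set(), "ipsec_profiles": {}, "tunnels": {}}
    current = None  # name of the IPsec profile or tunnel interface being configured
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):   # blank line or IOS comment
            continue
        if not raw[:1].isspace():              # unindented command ends any block
            current = None
        for kind, pattern in PATTERNS.items():
            m = pattern.match(line)
            if m:
                break
        else:
            continue                           # a line the checks do not need
        value = m.group(1)
        if kind == "policy":
            cfg["policies"].append(int(value))
        elif kind == "keyed":
            cfg["keyed_peers"].add(value)
        elif kind == "matched":
            cfg["matched_peers"].add(value)
        elif kind == "transform_set":
            cfg["transform_sets"].add(value)
        elif kind == "ipsec_profile":
            cfg["ipsec_profiles"][value] = None
            current = value
        elif kind == "set_transform" and current in cfg["ipsec_profiles"]:
            cfg["ipsec_profiles"][current] = value
        elif kind == "tunnel":
            cfg["tunnels"][value] = {"destination": None, "profile": None}
            current = value
        elif kind == "destination" and current in cfg["tunnels"]:
            cfg["tunnels"][current]["destination"] = value
        elif kind == "protection" and current in cfg["tunnels"]:
            cfg["tunnels"][current]["profile"] = value
    return cfg

def lint_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg, findings = parse_ios(text), []
    for seq in sorted({s for s in cfg["policies"] if cfg["policies"].count(s) > 1}):
        findings.append(f"ISAKMP policy sequence {seq} is defined more than once")
    for prof, tset in cfg["ipsec_profiles"].items():
        if tset not in cfg["transform_sets"]:
            findings.append(f"IPsec profile {prof} references undefined transform set {tset}")
    for name, t in cfg["tunnels"].items():
        if t["profile"] not in cfg["ipsec_profiles"]:
            findings.append(f"{name}: undefined IPsec profile {t['profile']}")
        if t["destination"] not in cfg["keyed_peers"]:
            findings.append(f"{name}: no keyring holds a pre-shared key for peer {t['destination']}")
        if t["destination"] not in cfg["matched_peers"]:
            findings.append(f"{name}: no ISAKMP profile matches peer identity {t['destination']}")
    return findings

# Constructed sample: one tunnel's blocks in the shape of the page's example,
# keeping only the lines the checks depend on (dummy values are the page's own).
TUNNEL_TEMPLATE = """
crypto isakmp policy {seq}
   authentication pre-share
exit
crypto keyring keyring-vpn-44a8938f-{n}
   pre-shared-key address {peer} key plain-text-password{n}
exit
crypto isakmp profile isakmp-vpn-44a8938f-{n}
   match identity address {peer}
exit
crypto ipsec transform-set ipsec-prop-vpn-44a8938f-{n} esp-aes 128 esp-sha-hmac
exit
crypto ipsec profile ipsec-vpn-44a8938f-{n}
   set transform-set ipsec-prop-vpn-44a8938f-{n}
exit
interface Tunnel{ifnum}
   tunnel destination {peer}
   tunnel protection ipsec profile ipsec-vpn-44a8938f-{n}
exit
"""

def tunnel_config(n, seq, peer):
    return TUNNEL_TEMPLATE.format(n=n, seq=seq, peer=peer, ifnum=n + 1)

# Both tunnels as on the page: passes every check.
GOOD_CONFIG = tunnel_config(0, 200, "72.21.209.225") + tunnel_config(1, 201, "72.21.209.193")
# Tunnel #2 pasted from Tunnel #1 without editing: the sequence number is reused and
# the keyring and ISAKMP profile still name Tunnel #1's peer, not the new destination.
BAD_CONFIG = tunnel_config(0, 200, "72.21.209.225") + tunnel_config(
    1, 200, "72.21.209.225").replace("destination 72.21.209.225", "destination 72.21.209.193")
```

Run `lint_config` on the text you are about to paste into the router (the page's full example, including the global commands and the BGP section, parses cleanly because lines the checks do not need are ignored); the three findings it reports for `BAD_CONFIG` are exactly the errors that otherwise show up only as an IKE negotiation that never completes.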

How to Test the Customer Gateway Configuration

You must first test the gateway configuration for each tunnel.

To test the customer gateway configuration for each tunnel

  1. On your customer gateway, determine if the BGP status is Active.

    It takes approximately 30 seconds for a BGP peering to become active.

  2. Ensure that the customer gateway is advertising a route to the virtual private gateway. The route may be the default route (0.0.0.0/0) or a more specific route you prefer.

When properly established, your BGP peering should be receiving one route from the virtual private gateway corresponding to the prefix that your VPC integration team specified for the VPC (e.g., 10.0.0.0/24). If the BGP peering is established, you are receiving a prefix, and you are advertising a prefix, your tunnel is configured correctly. Make sure both tunnels are in this state.
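A script that applies the peering checks above to the text of `show ip bgp summary`, as an added example that is not part of the guide and not AWS or Cisco code. It assumes the usual IOS column layout for that command, in which a numeric State/PfxRcd value means the session is Established and gives the number of prefixes received, while any other value is the name of the session's state; the sample output is constructed with the page's tunnel addresses and remote ASN 7224, and `TUNNEL_PEERS`, `parse_bgp_summary` and `check_tunnels` are names chosen here.

```python
# Added example (not AWS's or Cisco's code): verify, per tunnel, that the BGP
# session to the virtual private gateway is up and has received the VPC prefix.

# Constructed sample in the layout of IOS 'show ip bgp summary': Tunnel1's peer
# is established and has received the single VPC prefix; Tunnel2's peer is not up.
SAMPLE_SUMMARY = """\
BGP router identifier 169.254.255.2, local AS number 65000
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.255.1   4  7224      45      47        5    0    0 00:05:12        1
169.254.255.5   4  7224      12      14        5    0    0 never    Active
"""

# Tunnel interface -> virtual private gateway address inside that tunnel,
# taken from the example configuration on this page.
TUNNEL_PEERS = {"Tunnel1": "169.254.255.1", "Tunnel2": "169.254.255.5"}

def parse_bgp_summary(text):
    """Return {neighbor: (remote_as, established, prefixes_received)}."""
    peers = {}
    in_table = False
    for line in text.splitlines():
        if line.startswith("Neighbor"):     # header row precedes the peer rows
            in_table = True
            continue
        fields = line.split()
        if not in_table or len(fields) < 10:
            continue
        neighbor, remote_as, state = fields[0], int(fields[2]), fields[-1]
        if state.isdigit():                  # a count here means Established
            peers[neighbor] = (remote_as, True, int(state))
        else:                                # Idle, Active, OpenSent, ... : not up
            peers[neighbor] = (remote_as, False, 0)
    return peers

def check_tunnels(summary_text, expected_as=7224, expected_prefixes=1):
    """Return {tunnel: [problems]}; an empty list means that tunnel's peering passed."""
    peers = parse_bgp_summary(summary_text)
    report = {}
    for tunnel, addr in TUNNEL_PEERS.items():
        problems = []
        if addr not in peers:
            problems.append(f"neighbor {addr} not present in BGP summary")
        else:
            remote_as, up, pfx = peers[addr]
            if remote_as != expected_as:
                problems.append(f"remote AS is {remote_as}, expected {expected_as}")
            if not up:
                problems.append("session is not established")
            elif pfx != expected_prefixes:
                problems.append(f"received {pfx} prefixes, expected {expected_prefixes}")
        report[tunnel] = problems
    return report
```

Pass in the real command output and the real remote ASN from your configuration; a tunnel only passes when its peer is Established and the prefix count equals the one VPC prefix the guide says you should receive. Note that in this command's output the word Active in the State/PfxRcd column means the router is still trying to open the session, so it is the number, not that word, that tells you the peering is up.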

Next you must test the connectivity for each tunnel.

Important

For the connectivity test to work, you must configure any security group or network ACL in your VPC that filters traffic to the instance to allow inbound and outbound ICMP traffic.

To test the end-to-end connectivity of each tunnel

  1. Launch an instance of one of the Amazon Linux AMIs into your VPC. They're available in the Quick Start menu when you use the Request Instances Wizard in the AWS Management Console (for more information, see the Amazon Virtual Private Cloud Getting Started Guide).

  2. After the instance is running, get its private IP address (e.g., 10.0.0.4). The console displays the address as part of the instance's details.

  3. On a system in your home network, use the ping command with the instance's IP address. Make sure the computer you ping from is behind the customer gateway. A successful response should be similar to the following:

    PROMPT> ping 10.0.0.4
    Pinging 10.0.0.4 with 32 bytes of data:
    
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    
    Ping statistics for 10.0.0.4:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
    
    Approximate round trip times in milliseconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
Note

If you ping an instance from your customer gateway router, ensure you are sourcing ping messages from an internal IP address, not a tunnel IP address. Some AMIs will not respond to ping messages from the tunnel IP addresses.

If your tunnels do not test successfully, see Troubleshooting.