Example: Generic Customer Gateway
If your customer gateway isn't one of the types discussed earlier in this guide, your integration team will provide
you with generic information that you can use to configure your customer
gateway. This section contains an example of that information.
Two diagrams accompany the example configuration: The first diagram shows the
high-level layout of the customer gateway, the second diagram supplies details that match the example
configuration. You should take the real configuration information that your
integration team gives you and apply it to your customer gateway.
A High-Level View of the Customer Gateway
The following diagram shows the general details of your customer
gateway. Note that the VPN connection consists of two separate tunnels:
Tunnel #1 and Tunnel #2. Two
redundant tunnels provide an increased availability in the case of a
device failure.
A Detailed View of the Customer Gateway and an Example Configuration
The diagram in this section gives you a detailed illustration of an example generic customer gateway.
After the diagram is a corresponding example of the configuration
information you should get from your integration team. It contains a set
of information for each of the two tunnels you must configure.
In addition, the example configuration refers to two items that you must
provide:
YOUR_UPLINK_ADDRESS—The
IP address for the Internet-routable external interface on the
customer gateway (which must be static and can't be behind a device
performing NAT)
YOUR_BGP_ASN—The customer
gateway's BGP ASN
The example configuration includes several dummy values we're using to
help you understand how configuration works. For example, we're using
dummy values for the VPN connection ID (44a8938f), virtual private gateway ID
(8db04f81), the IP addresses (e.g., 72.21.209.*, 169.254.255.*),
and the remote ASN (7224). The actual configuration information you
get will have real values in place of those dummy values.
In the following diagram and example configuration the items highlighted in red italic
need to be replaced with values that apply to
your own particular situation.
Amazon Web Services
Virtual Private Cloud
VPN Connection Configuration
===============================================
AWS utilizes unique identifiers to manipulate the configuration of
a VPN Connection. Each VPN Connection is assigned a VPN identifier
and is associated with two other identifiers, namely the
Customer Gateway Identifier and the Virtual Private Gateway Identifier.
Your VPN Connection ID : vpn-44a8938f
Your Virtual Private Gateway ID : vgw-8db04f81
Your Customer Gateway ID : cgw-b4dc3961
A VPN Connection consists of a pair of IPsec tunnel security associations (SAs).
It is important that both tunnel security associations be configured.
IPsec Tunnel #1
================================================
#1: Internet Key Exchange Configuration
Configure the IKE SA as follows
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : plain-text-password1
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2
#2: IPsec Configuration
Configure the IPsec SA as follows:
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2
IPsec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
- DPD Interval : 10
- DPD Retries : 3
IPsec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:
- TCP MSS Adjustment : 1396 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation : Before encryption
#3: Tunnel Interface Configuration
Your Customer Gateway must be configured with a tunnel interface that is
associated with the IPsec tunnel. All traffic transmitted to the tunnel
interface is encrypted and transmitted to the Virtual Private Gateway.
Additionally, the Virtual Private Gateway and Customer Gateway establish the BGP
peering from your tunnel interface.
The Customer Gateway and Virtual Private Gateway each have two addresses that relate
to this IPsec tunnel. Each contains an outside address, upon which encrypted
traffic is exchanged. Each also contain an inside address associated with
the tunnel interface.
The Customer Gateway outside IP address was provided when the Customer Gateway
was created. Changing the IP address requires the creation of a new
Customer Gateway.
The Customer Gateway inside IP address should be configured on your tunnel
interface.
Outside IP Addresses:
- Customer Gateway: : YOUR_UPLINK_ADDRESS
- Virtual Private Gateway : 72.21.209.193
Inside IP Addresses
- Customer Gateway : 169.254.255.6/30
- Virtual Private Gateway : 169.254.255.5/30
Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes
#4: Border Gateway Protocol (BGP) Configuration:
The Border Gateway Protocol (BGPv4) is used within the tunnel, between the inside
IP addresses, to exchange routes from the VPC to your home network. Each
BGP router has an Autonomous System Number (ASN). Your ASN was provided
to AWS when the Customer Gateway was created.
BGP Configuration Options:
- Customer Gateway ASN : YOUR_BGP_ASN
- Virtual Private Gateway ASN : 7224
- Neighbor IP Address : 169.254.255.1
- Neighbor Hold Time : 30
Configure BGP to announce the default route (0.0.0.0/0) to the VPN Connection
Gateway. The Virtual Private Gateway will announce prefixes to your Customer
Gateway based upon the prefixes assigned in the creation of the VPC.
IPsec Tunnel #2
=====================================================
#1: Internet Key Exchange Configuration
Configure the IKE SA as follows
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : plain-text-password2
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2
#2: IPsec Configuration
Configure the IPsec SA as follows:
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2
IPsec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
- DPD Interval : 10
- DPD Retries : 3
IPsec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:
- TCP MSS Adjustment : 1396 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation : Before encryption
#3: Tunnel Interface Configuration
Your Customer Gateway must be configured with a tunnel interface that is
associated with the IPsec tunnel. All traffic transmitted to the tunnel
interface is encrypted and transmitted to the Virtual Private Gateway.
Additionally, the Virtual Private Gateway and Customer Gateway establish the BGP
peering from your tunnel interface.
The Customer Gateway and Virtual Private Gateway each have two addresses that relate
to this IPsec tunnel. Each contains an outside address, upon which encrypted
traffic is exchanged. Each also contain an inside address associated with
the tunnel interface.
The Customer Gateway outside IP address was provided when the Customer Gateway
was created. Changing the IP address requires the creation of a new
Customer Gateway.
The Customer Gateway inside IP address should be configured on your tunnel
interface.
Outside IP Addresses:
- Customer Gateway: : YOUR_UPLINK_ADDRESS
- Virtual Private Gateway : 72.21.209.193
Inside IP Addresses
- Customer Gateway : 169.254.255.6/30
- Virtual Private Gateway : 169.254.255.5/30
Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes
#4: Border Gateway Protocol (BGP) Configuration:
The Border Gateway Protocol (BGPv4) is used within the tunnel, between the inside
IP addresses, to exchange routes from the VPC to your home network. Each
BGP router has an Autonomous System Number (ASN). Your ASN was provided
to AWS when the Customer Gateway was created.
BGP Configuration Options:
- Customer Gateway ASN : YOUR_BGP_ASN
- Virtual Private Gateway ASN : 7224
- Neighbor IP Address : 169.254.255.5
- Neighbor Hold Time : 30
Configure BGP to announce the default route (0.0.0.0/0) to the VPN Connection
Gateway. The Virtual Private Gateway will announce prefixes to your Customer
Gateway based upon the prefixes assigned in the creation of the VPC.
Additional Notes and Questions
========================================================
- Amazon Virtual Private Cloud Getting Started Guide:
http://docs.amazonwebservices.com/AWSVPC/latest/GettingStartedGuide
- Amazon Virtual Private Cloud Network Administrator Guide:
http://docs.amazonwebservices.com/AWSVPC/latest/NetworkAdminGuide
How to Test the Customer Gateway Configuration
You must first test the gateway configuration for each tunnel.
To test the customer gateway configuration for each tunnel
On your customer gateway, determine if the BGP status is Active.
It takes approximately 30 seconds for a BGP peering to become active.
Ensure that the customer gateway is advertising a route to the virtual private
gateway. The route may be the default route (0.0.0.0/0) or a more specific route you prefer.
When properly established, your BGP peering should be receiving one route from the virtual private gateway corresponding to the prefix that your VPC integration team specified for the VPC (e.g., 10.0.0.0/24). If the BGP peering is established, you are receiving a prefix, and you are advertising a prefix, your tunnel is configured correctly. Make sure both tunnels are in this state.
Next you must test the connectivity for each tunnel.
![[Important]](http://docs.amazonwebservices.com/docs-common/images/important.png) | Important |
|---|
For the connectivity test to work, you must configure any security group or network ACL in your VPC that filters traffic to the
instance to allow inbound and outbound ICMP traffic. |
To test the end-to-end connectivity of each tunnel
Launch an instance of one of the Amazon Linux AMIs into your VPC. They're
available in the Quick Start menu when you use the Request Instances Wizard in the AWS Management Console (for more information, see
the Amazon Virtual Private Cloud Getting Started Guide).
After the instance is running, get its private IP address (e.g.,
10.0.0.4). The console displays the address as part
of the instance's details.
On a system in your home network, use the ping command with the
instance's IP address. Make sure the computer you ping from is
behind the customer gateway. A successful response should be similar
to the following:
PROMPT> ping 10.0.0.4
Pinging 10.0.0.4 with 32 bytes of data:
Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
Ping statistics for 10.0.0.4:
Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
![[Note]](http://docs.amazonwebservices.com/docs-common/images/note.png) | Note |
|---|
If you ping an instance from your customer gateway router, ensure you are sourcing ping messages from an internal IP address, not a tunnel IP address. Some AMIs will not respond to ping messages from the tunnel IP addresses. |
If your tunnels do not test successfully, see Troubleshooting.
