This section shows an example of the configuration information your integration team gives you if your customer gateway is a Juniper SSG or NetScreen series device running Juniper ScreenOS software.
Two diagrams accompany the example configuration: the first shows the high-level layout of the customer gateway, and the second supplies details that match the example configuration. Take the real configuration information that your integration team gives you and apply it to your customer gateway.
The following diagram shows the general details of your customer gateway. The VPN connection consists of two separate tunnels, tunnel.1 and tunnel.2. Two redundant tunnels provide increased availability if one device or path fails.

The diagram in this section shows an example Juniper ScreenOS customer gateway. After the diagram is a corresponding example of the configuration information your integration team should give you. The example configuration contains information for each of the two tunnels you must configure.
In addition, the example configuration refers to these items that you must provide:
YOUR_UPLINK_ADDRESS—The IP address for the Internet-routable external interface on the customer gateway (the address must be static and can't be behind a device performing NAT)
YOUR_BGP_ASN—The customer gateway's BGP ASN (we use 65000 by default)
The example configuration includes several dummy values to help you understand how configuration works. For example, we give dummy values for the VPN connection ID (44a8938f), virtual private gateway ID (8db04f81), the IP addresses (e.g., 72.21.209.*, 169.254.255.*), and the remote ASN (7224). The actual configuration information you get will replace the dummy values with real values.
You must also configure:
The outside interface (referred to as ethernet0/0 in the example configuration)
The tunnel interface IDs (referred to as tunnel.1 and tunnel.2 in the example configuration)
All internal routing (getting traffic between the customer gateway and your local network)
In the following diagram and example configuration the items highlighted in red italic need to be replaced with values that apply to your own particular situation.

Important: The following configuration information is an example of what your integration team provides you. Many of the values in the example will differ from the configuration information you actually receive; use the actual values, not the example values shown here, or your implementation will fail. The file also contains the pre-shared keys for both tunnels in clear text, so handle it as a secret.

Important: The configuration below is appropriate for ScreenOS versions 6.2 and newer. A separate configuration is available for ScreenOS version 6.1.
```
# Amazon Web Services
# Virtual Private Cloud
#
# AWS utilizes unique identifiers to manipulate the configuration of a VPN
# Connection. Each VPN Connection is assigned a VPN Connection Identifier
# and is associated with two other identifiers, namely the Customer Gateway
# Identifier and the Virtual Private Gateway Identifier.
#
# Your VPN Connection ID          : vpn-44a8938f
# Your Virtual Private Gateway ID : vgw-8db04f81
# Your Customer Gateway ID        : cgw-b4dc3961
#
# This configuration consists of two tunnels. Both tunnels must be configured
# on your Customer Gateway.
#
# This configuration was tested on a Juniper SSG-5 running ScreenOS 6.3R2.
#
# --------------------------------------------------------------------------------
# IPsec Tunnel #1
# --------------------------------------------------------------------------------
# #1: Internet Key Exchange (IKE) Configuration
#
# A proposal is established for the supported IKE encryption, authentication,
# Diffie-Hellman, and lifetime parameters.
#
set ike p1-proposal ike-prop-vpn-44a8938f-1 preshare group2 esp aes128 sha-1 second 28800

# The IKE gateway is defined to be the Virtual Private Gateway. The gateway configuration
# associates a local interface, remote IP address, and IKE policy.
#
# This example shows the outside of the tunnel as interface ethernet0/0. This
# should be set to the interface that IP address YOUR_UPLINK_ADDRESS is
# associated with.
#
# This address is configured with the setup for your Customer Gateway. If the
# address changes, the Customer Gateway and VPN Connection must be recreated.
#
set ike gateway gw-vpn-44a8938f-1 address 72.21.209.225 id 72.21.209.225 main outgoing-interface ethernet0/0 preshare "plain-text-password1" proposal ike-prop-vpn-44a8938f-1

# Troubleshooting IKE connectivity can be aided by enabling IKE debugging.
# To do so, run the following commands:
# clear dbuf      -- Clear debug buffer
# debug ike all   -- Enable IKE debugging
# get dbuf stream -- View debug messages
# undebug all     -- Turn off debugging

# #2: IPsec Configuration
#
# The IPsec (Phase 2) proposal defines the protocol, authentication,
# encryption, and lifetime parameters for our IPsec security association.
#
set ike p2-proposal ipsec-prop-vpn-44a8938f-1 group2 esp aes128 sha-1 second 3600
set ike gateway gw-vpn-44a8938f-1 dpd-liveness interval 10
set vpn IPSEC-vpn-44a8938f-1 gateway gw-vpn-44a8938f-1 replay tunnel proposal ipsec-prop-vpn-44a8938f-1

# #3: Tunnel Interface Configuration
#
# The tunnel interface is configured with the internal IP address.
#
# To establish connectivity between your internal network and the VPC, you
# must have an interface facing your internal network in the "Trust" zone.
#
set interface tunnel.1 zone Trust
set interface tunnel.1 ip 169.254.255.2/30
set interface tunnel.1 mtu 1436
set vpn IPSEC-vpn-44a8938f-1 bind interface tunnel.1

# By default, the router will block asymmetric VPN traffic, which may occur
# with this VPN Connection. This occurs, for example, when routing policies
# cause traffic to be sent from your router to VPC through one IPsec tunnel
# while traffic returns from VPC through the other.
#
# This command allows this traffic to be received by your device.
set zone Trust asymmetric-vpn

# This option causes the router to reduce the Maximum Segment Size of TCP
# packets to prevent packet fragmentation.
#
set flow vpn-tcp-mss 1396

# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the Virtual Private Gateway
# and your Customer Gateway. The Virtual Private Gateway will announce the prefix
# corresponding to your VPC.
#
# Your Customer Gateway may announce a default route (0.0.0.0/0).
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (YOUR_BGP_ASN) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
set vrouter trust-vr
set max-ecmp-routes 2
set protocol bgp YOUR_BGP_ASN
set hold-time 30
set ipv4 network 0.0.0.0/0
# To advertise additional prefixes to Amazon VPC, copy the 'network' statement and
# identify the prefix you wish to advertise (set network X.X.X.X/X). Make sure the
# prefix is present in the routing table of the device with a valid next-hop.
set ipv4 advertise-def-route
set enable
set neighbor 169.254.255.1 remote-as 7224
set neighbor 169.254.255.1 enable
set ipv4 neighbor 169.254.255.1 activate
exit
exit
set interface tunnel.1 protocol bgp

# -------------------------------------------------------------------------
# IPsec Tunnel #2
# -------------------------------------------------------------------------
# #1: Internet Key Exchange (IKE) Configuration
#
# A proposal is established for the supported IKE encryption, authentication,
# Diffie-Hellman, and lifetime parameters.
#
set ike p1-proposal ike-prop-vpn-44a8938f-2 preshare group2 esp aes128 sha-1 second 28800

# The IKE gateway is defined to be the Virtual Private Gateway. The gateway configuration
# associates a local interface, remote IP address, and IKE policy.
#
# This example shows the outside of the tunnel as interface ethernet0/0. This
# should be set to the interface that IP address YOUR_UPLINK_ADDRESS is
# associated with.
#
# This address is configured with the setup for your Customer Gateway. If the
# address changes, the Customer Gateway and VPN Connection must be recreated.
#
set ike gateway gw-vpn-44a8938f-2 address 72.21.209.193 id 72.21.209.193 main outgoing-interface ethernet0/0 preshare "plain-text-password2" proposal ike-prop-vpn-44a8938f-2

# Troubleshooting IKE connectivity can be aided by enabling IKE debugging.
# To do so, run the following commands:
# clear dbuf      -- Clear debug buffer
# debug ike all   -- Enable IKE debugging
# get dbuf stream -- View debug messages
# undebug all     -- Turn off debugging

# #2: IPsec Configuration
#
# The IPsec (Phase 2) proposal defines the protocol, authentication,
# encryption, and lifetime parameters for our IPsec security association.
#
set ike p2-proposal ipsec-prop-vpn-44a8938f-2 group2 esp aes128 sha-1 second 3600
set ike gateway gw-vpn-44a8938f-2 dpd-liveness interval 10
set vpn IPSEC-vpn-44a8938f-2 gateway gw-vpn-44a8938f-2 replay tunnel proposal ipsec-prop-vpn-44a8938f-2

# #3: Tunnel Interface Configuration
#
# The tunnel interface is configured with the internal IP address.
#
# To establish connectivity between your internal network and the VPC, you
# must have an interface facing your internal network in the "Trust" zone.
#
set interface tunnel.2 zone Trust
set interface tunnel.2 ip 169.254.255.6/30
set interface tunnel.2 mtu 1436
set vpn IPSEC-vpn-44a8938f-2 bind interface tunnel.2

# By default, the router will block asymmetric VPN traffic, which may occur
# with this VPN Connection. This occurs, for example, when routing policies
# cause traffic to be sent from your router to VPC through one IPsec tunnel
# while traffic returns from VPC through the other.
#
# This command allows this traffic to be received by your device.
set zone Trust asymmetric-vpn

# This option causes the router to reduce the Maximum Segment Size of TCP
# packets to prevent packet fragmentation.
#
set flow vpn-tcp-mss 1396

# #4: Border Gateway Protocol (BGP) Configuration
#
# BGP is used within the tunnel to exchange prefixes between the Virtual Private Gateway
# and your Customer Gateway. The Virtual Private Gateway will announce the prefix
# corresponding to your VPC.
#
# Your Customer Gateway may announce a default route (0.0.0.0/0).
#
# The BGP timers are adjusted to provide more rapid detection of outages.
#
# The local BGP Autonomous System Number (ASN) (YOUR_BGP_ASN) is configured
# as part of your Customer Gateway. If the ASN must be changed, the
# Customer Gateway and VPN Connection will need to be recreated with AWS.
#
set vrouter trust-vr
set max-ecmp-routes 2
set protocol bgp YOUR_BGP_ASN
set hold-time 30
set ipv4 network 0.0.0.0/0
# To advertise additional prefixes to Amazon VPC, copy the 'network' statement and
# identify the prefix you wish to advertise (set network X.X.X.X/X). Make sure the
# prefix is present in the routing table of the device with a valid next-hop.
set ipv4 advertise-def-route
set enable
set neighbor 169.254.255.5 remote-as 7224
set neighbor 169.254.255.5 enable
set ipv4 neighbor 169.254.255.5 activate
exit
exit
set interface tunnel.2 protocol bgp

# Additional Notes and Questions
# - Amazon Virtual Private Cloud Getting Started Guide:
#   http://docs.amazonwebservices.com/AWSVPC/latest/GettingStartedGuide
# - Amazon Virtual Private Cloud Network Administrator Guide:
#   http://docs.amazonwebservices.com/AWSVPC/latest/NetworkAdminGuide
```
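Before pasting the file you receive into the device, it is worth checking it mechanically. The script below is an added example, not code from the AWS page or from Juniper: it parses the `set` lines of a configuration shaped like the one above and reports the mistakes the text warns about: `YOUR_UPLINK_ADDRESS` or `YOUR_BGP_ASN` left unreplaced, a BGP neighbor that is not the far end of a tunnel's /30 (the same arithmetic tells you which neighbor address must show as Active in the test that follows), a tunnel with no VPN bound to it, dead peer detection or `asymmetric-vpn` missing, a different local ASN in the two BGP sections, and the dummy pre-shared key still in place. The two sample configurations and the pre-shared keys in them are constructed for this example.

```python
import ipaddress
import re

PLACEHOLDERS = ("YOUR_UPLINK_ADDRESS", "YOUR_BGP_ASN")   # must be replaced before use
DUMMY_PSK = "plain-text-password"   # the page's stand-in for the real pre-shared key

RE_TUNNEL_IP = re.compile(r"^set interface (tunnel\.\d+) ip (\S+)$")
RE_BIND = re.compile(r"^set vpn (\S+) bind interface (tunnel\.\d+)$")
RE_VPN_GW = re.compile(r"^set vpn (\S+) gateway (\S+) ")
RE_IKE_GW = re.compile(r'^set ike gateway (\S+) address (\S+) id \S+ .*preshare "([^"]*)"')
RE_DPD = re.compile(r"^set ike gateway (\S+) dpd-liveness interval \d+$")
RE_NEIGHBOR = re.compile(r"^set neighbor (\S+) remote-as \S+$")
RE_LOCAL_AS = re.compile(r"^set protocol bgp (\S+)$")


def check_config(config):
    """Return a list of findings; an empty list means the two tunnels are consistent."""
    lines = [ln.strip() for ln in config.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    findings, tunnel_ip, bound_to, vpn_gw, ike_gw = [], {}, {}, {}, {}
    dpd, neighbors, local_as = set(), set(), set()

    for line in lines:
        for token in PLACEHOLDERS:
            if token in line:
                findings.append(f"placeholder {token} not replaced: '{line}'")
        if m := RE_TUNNEL_IP.match(line):
            tunnel_ip[m[1]] = m[2]
        elif m := RE_BIND.match(line):
            bound_to[m[1]] = m[2]          # vpn name -> tunnel interface
        elif m := RE_VPN_GW.match(line):
            vpn_gw[m[1]] = m[2]            # vpn name -> IKE gateway name
        elif m := RE_IKE_GW.match(line):
            ike_gw[m[1]] = (m[2], m[3])    # gateway name -> (peer address, PSK)
        elif m := RE_DPD.match(line):
            dpd.add(m[1])
        elif m := RE_NEIGHBOR.match(line):
            neighbors.add(m[1])
        elif m := RE_LOCAL_AS.match(line):
            local_as.add(m[1])

    # The inside address is one end of a /30; the BGP neighbor must be the other end.
    expected_peers = set()
    for tun, cidr in sorted(tunnel_ip.items()):
        iface = ipaddress.ip_interface(cidr)
        if iface.network.prefixlen != 30:
            findings.append(f"{tun}: inside address {cidr} is not a /30")
            continue
        peer = str(next(h for h in iface.network.hosts() if h != iface.ip))
        expected_peers.add(peer)
        if peer not in neighbors:
            findings.append(f"{tun}: no BGP neighbor for the /30 peer {peer}")
        if tun not in bound_to.values():
            findings.append(f"{tun}: no VPN is bound to this interface")
    for nbr in sorted(neighbors - expected_peers):
        findings.append(f"neighbor {nbr} is not the far end of any tunnel /30")

    for vpn, gw in sorted(vpn_gw.items()):
        if gw not in ike_gw:
            findings.append(f"{vpn}: IKE gateway {gw} is not defined")
            continue
        if DUMMY_PSK in ike_gw[gw][1]:
            findings.append(f"{gw}: pre-shared key is still the dummy value")
        if gw not in dpd:
            findings.append(f"{gw}: dead peer detection (dpd-liveness) not set")

    if len(local_as) > 1:
        findings.append(f"local BGP ASN differs between tunnel sections: {sorted(local_as)}")
    if "set zone Trust asymmetric-vpn" not in lines:
        findings.append("zone Trust does not allow asymmetric VPN traffic")
    return findings


# Constructed sample in the shape of the page's configuration; the pre-shared
# keys are made up for this example.
GOOD_CONFIG = """
set ike gateway gw-vpn-44a8938f-1 address 72.21.209.225 id 72.21.209.225 main outgoing-interface ethernet0/0 preshare "ExampleKey1-NotReal" proposal ike-prop-vpn-44a8938f-1
set ike gateway gw-vpn-44a8938f-1 dpd-liveness interval 10
set vpn IPSEC-vpn-44a8938f-1 gateway gw-vpn-44a8938f-1 replay tunnel proposal ipsec-prop-vpn-44a8938f-1
set interface tunnel.1 ip 169.254.255.2/30
set vpn IPSEC-vpn-44a8938f-1 bind interface tunnel.1
set zone Trust asymmetric-vpn
set protocol bgp 65000
set neighbor 169.254.255.1 remote-as 7224
set ike gateway gw-vpn-44a8938f-2 address 72.21.209.193 id 72.21.209.193 main outgoing-interface ethernet0/0 preshare "ExampleKey2-NotReal" proposal ike-prop-vpn-44a8938f-2
set ike gateway gw-vpn-44a8938f-2 dpd-liveness interval 10
set vpn IPSEC-vpn-44a8938f-2 gateway gw-vpn-44a8938f-2 replay tunnel proposal ipsec-prop-vpn-44a8938f-2
set interface tunnel.2 ip 169.254.255.6/30
set vpn IPSEC-vpn-44a8938f-2 bind interface tunnel.2
set protocol bgp 65000
set neighbor 169.254.255.5 remote-as 7224
"""

# The same file with three mistakes: the ASN placeholder left in the second BGP
# section, a neighbor that is not on the tunnel.2 /30, and the dummy key for tunnel 2.
BROKEN_CONFIG = (
    GOOD_CONFIG
    .replace("set protocol bgp 65000\nset neighbor 169.254.255.5",
             "set protocol bgp YOUR_BGP_ASN\nset neighbor 169.254.255.9")
    .replace('"ExampleKey2-NotReal"', '"plain-text-password2"')
)
```

Run `check_config` on the file you received; it returns an empty list for a consistent file and one finding per problem otherwise. The /30 arithmetic is the useful part: each tunnel's inside address and its BGP neighbor are the two usable hosts of one /30, so a neighbor that is not the far end of a tunnel's /30 will never come up, whatever the IKE and IPsec settings say.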
You must first test the gateway configuration for each tunnel.
To test the customer gateway configuration for each tunnel
On your customer gateway, determine if the BGP status is Active.
It takes approximately 30 seconds for a BGP peering to become active.
Ensure that the customer gateway is advertising a route to the virtual private gateway. The route may be the default route (0.0.0.0/0) or a more specific route you prefer.
When properly established, your BGP peering should be receiving one route from the virtual private gateway corresponding to the prefix that your VPC integration team specified for the VPC (e.g., 10.0.0.0/24). If the BGP peering is established, you are receiving a prefix, and you are advertising a prefix, your tunnel is configured correctly. Make sure both tunnels are in this state.
Next you must test the connectivity for each tunnel.
Important: For the connectivity test to work, you must configure any security group or network ACL in your VPC that filters traffic to the instance to allow inbound and outbound ICMP traffic. Limit the rule to your on-premises address range rather than opening ICMP to all sources, and remove it once the test is done.
To test the end-to-end connectivity of each tunnel
Launch an instance of one of the Amazon Linux AMIs into your VPC. They're available in the Quick Start menu when you use the Request Instances Wizard in the AWS Management Console (for more information, see the Amazon Virtual Private Cloud Getting Started Guide).
After the instance is running, get its private IP address (e.g., 10.0.0.4). The console displays the address as part of the instance's details.
On a system in your home network, use the ping command with the instance's IP address. Make sure the computer you ping from is behind the customer gateway. A successful response should be similar to the following:
```
PROMPT> ping 10.0.0.4

Pinging 10.0.0.4 with 32 bytes of data:

Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
Reply from 10.0.0.4: bytes=32 time<1ms TTL=128

Ping statistics for 10.0.0.4:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
Approximate round trip times in milliseconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms
```

Note: If you ping an instance from your customer gateway router, ensure you are sourcing ping messages from an internal IP address, not a tunnel IP address. Some AMIs will not respond to ping messages from the tunnel IP addresses.
If your tunnels do not test successfully, see Troubleshooting.