VPC VPN

a guest
Feb 16th, 2013
Amazon Web Services
Virtual Private Cloud

VPN Connection Configuration
================================================================================
AWS utilizes unique identifiers to manipulate the configuration of
a VPN Connection. Each VPN Connection is assigned a VPN Connection Identifier
and is associated with two other identifiers, namely the
Customer Gateway Identifier and the Virtual Private Gateway Identifier.

Your VPN Connection ID : vpn-ID
Your Virtual Private Gateway ID : vgw-ID
Your Customer Gateway ID : cgw-ID

A VPN Connection consists of a pair of IPSec tunnel security associations (SAs).
It is important that both tunnel security associations be configured.


IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration

Configure the IKE SA as follows:
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : PSK1
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
- DPD Interval : 10
- DPD Retries : 3

IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:
- TCP MSS Adjustment : 1387 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation : Before encryption

#3: Tunnel Interface Configuration

Your Customer Gateway must be configured with a tunnel interface that is
associated with the IPSec tunnel. All traffic transmitted to the tunnel
interface is encrypted and transmitted to the Virtual Private Gateway.

The Customer Gateway and Virtual Private Gateway each have two addresses that relate
to this IPSec tunnel. Each has an outside address, on which encrypted
traffic is exchanged. Each also has an inside address associated with
the tunnel interface.

The Customer Gateway outside IP address was provided when the Customer Gateway
was created. Changing the IP address requires the creation of a new
Customer Gateway.

The Customer Gateway inside IP address should be configured on your tunnel
interface.

Outside IP Addresses:
- Customer Gateway : 198.51.100.194
- Virtual Private Gateway : 203.0.113.224

Inside IP Addresses:
- Customer Gateway : 192.168.1.74/30
- Virtual Private Gateway : 192.168.1.73/30

Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes


#4: Static Routing Configuration

To route traffic between your internal network and your VPC,
you will need a static route added to your router.

Static Route Configuration Options:

- Next hop : 192.168.1.73

You should add static routes towards your internal network on the VGW.
The VGW will then send traffic towards your internal network over
the tunnels.


IPSec Tunnel #2
================================================================================
#1: Internet Key Exchange Configuration

Configure the IKE SA as follows:
- Authentication Method : Pre-Shared Key
- Pre-Shared Key : PSK2
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Lifetime : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy : Diffie-Hellman Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
- Protocol : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm : aes-128-cbc
- Lifetime : 3600 seconds
- Mode : tunnel
- Perfect Forward Secrecy : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
- DPD Interval : 10
- DPD Retries : 3

IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:
- TCP MSS Adjustment : 1387 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation : Before encryption

#3: Tunnel Interface Configuration

Your Customer Gateway must be configured with a tunnel interface that is
associated with the IPSec tunnel. All traffic transmitted to the tunnel
interface is encrypted and transmitted to the Virtual Private Gateway.

The Customer Gateway and Virtual Private Gateway each have two addresses that relate
to this IPSec tunnel. Each has an outside address, on which encrypted
traffic is exchanged. Each also has an inside address associated with
the tunnel interface.

The Customer Gateway outside IP address was provided when the Customer Gateway
was created. Changing the IP address requires the creation of a new
Customer Gateway.

The Customer Gateway inside IP address should be configured on your tunnel
interface.

Outside IP Addresses:
- Customer Gateway : 198.51.100.194
- Virtual Private Gateway : 203.0.113.192

Inside IP Addresses:
- Customer Gateway : 192.168.1.78/30
- Virtual Private Gateway : 192.168.1.77/30

Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU : 1436 bytes


#4: Static Routing Configuration

To route traffic between your internal network and your VPC,
you will need a static route added to your router.

Static Route Configuration Options:

- Next hop : 192.168.1.77

You should add static routes towards your internal network on the VGW.
The VGW will then send traffic towards your internal network over
the tunnels.


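Added example (not part of the AWS-generated file above): a small Python parser for this generic config layout that collects each tunnel's "- Key : Value" lines under their section and raises the findings a reviewer would want before deploying it: legacy algorithm choices (sha1, hmac-sha1-96, Diffie-Hellman Group 2 as listed in this 2013 file), an inside address pair that does not form one /30, and a next hop that is not the VGW inside address. The SAMPLE text and the LEGACY set are constructed here; a full paste in this layout is parsed the same way.

```python
import re
from ipaddress import ip_address, ip_interface
# Constructed sample in the generic config layout (documentation addresses only);
# a full paste is parsed the same way, one dict per "IPSec Tunnel #N" block.
SAMPLE = """\
IPSec Tunnel #1
Configure the IKE SA as follows:
- Authentication Algorithm : sha1
- Encryption Algorithm : aes-128-cbc
- Perfect Forward Secrecy : Diffie-Hellman Group 2
Outside IP Addresses:
- Customer Gateway : 198.51.100.194
- Virtual Private Gateway : 203.0.113.224
Inside IP Addresses:
- Customer Gateway : 192.168.1.74/30
- Virtual Private Gateway : 192.168.1.73/30
Static Route Configuration Options:
- Next hop : 192.168.1.73
"""
# Values current IPsec guidance treats as legacy; flagged for review, not rewritten.
LEGACY = {"sha1", "hmac-sha1-96", "Diffie-Hellman Group 2"}

def parse_tunnels(text):
    """Return {tunnel_no: {(section, key): value}}, section = last non-bullet line."""
    tunnels, cur, section = {}, None, ""
    for line in text.splitlines():
        if m := re.match(r"IPSec Tunnel #(\d+)", line):
            cur = tunnels.setdefault(int(m.group(1)), {})
        elif m := re.match(r"- (.+?) : (.+)", line):
            if cur is not None:  # bullets before the first tunnel header are ignored
                cur[(section, m.group(1).strip())] = m.group(2).strip()
        elif line.strip() and not line.startswith("="):
            section = line.strip().rstrip(":")
    return tunnels

def find(params, word, key):
    """Value of 'key' under the first section whose title contains 'word'."""
    return next(v for (s, k), v in params.items() if word in s and k == key)

def check_tunnel(params):
    """Reviewer findings for one tunnel: legacy algorithms, an inside pair that is
    not one /30, and a next hop that is not the VGW inside address."""
    findings = [f"legacy {k}: {v}" for (_, k), v in params.items() if v in LEGACY]
    cgw = ip_interface(find(params, "Inside", "Customer Gateway"))
    vgw = ip_interface(find(params, "Inside", "Virtual Private Gateway"))
    if cgw.network != vgw.network or cgw.network.prefixlen != 30:
        findings.append("inside addresses do not share one /30")
    if ip_address(find(params, "Static Route", "Next hop")) != vgw.ip:
        findings.append("next hop is not the VGW inside address")
    return findings
```

Run check_tunnel on each entry of parse_tunnels(text) for a real file; both tunnels in the file above produce only the legacy-algorithm findings.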
Additional Notes and Questions
================================================================================

- Amazon Virtual Private Cloud Getting Started Guide:
http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
- Amazon Virtual Private Cloud Network Administrator Guide:
http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
- XSL Version: 2009-07-15-1119716