hjaltiatlason

Unifi-site-to-site-vpn-Transit-Gateway-two-VPCs

Nov 7th, 2020 (edited)
# https://help.ui.com/hc/en-us/articles/115015979787-EdgeRouter-Route-Based-Site-to-Site-VPN-to-AWS-VPC-VTI-over-IKEv1-IPsec-

1. Enter configuration mode.

configure

2. Enable the auto-firewall-nat-exclude feature, which automatically creates the IPsec firewall/NAT policies in the iptables firewall.

set vpn ipsec auto-firewall-nat-exclude enable

3. Create the IKE / Phase 1 (P1) Security Associations (SAs) and enable Dead Peer Detection (DPD).

set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 dead-peer-detection interval 15
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 30

4. Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS).

set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1

5. Define the first AWS peer address (replace <Pre-Shared-key> with the AWS generated passphrase).

set vpn ipsec site-to-site peer 52.55.81.123 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 52.55.81.123 authentication pre-shared-secret <Pre-Shared-key>
set vpn ipsec site-to-site peer 52.55.81.123 connection-type initiate
set vpn ipsec site-to-site peer 52.55.81.123 description ipsec-aws
set vpn ipsec site-to-site peer 52.55.81.123 local-address XXX.My-Router-Publicip.XXX.XXX

6. Link the SAs created above to the first AWS peer and bind the VPN to a virtual tunnel interface (vti0).

set vpn ipsec site-to-site peer 52.55.81.123 ike-group FOO0
set vpn ipsec site-to-site peer 52.55.81.123 vti bind vti0
set vpn ipsec site-to-site peer 52.55.81.123 vti esp-group FOO0

8. Configure the RFC 3927 IP addresses on the virtual tunnel interfaces.

set interfaces vti vti0 address 169.254.104.21/30

9. Lower the TCP Maximum Segment Size (MSS) on the vti interfaces to 1379.

set firewall options mss-clamp interface-type vti
set firewall options mss-clamp mss 1379

10. Create static routes for the remote VPC subnets.

set protocols static interface-route 10.16.0.0/16 next-hop-interface vti0
set protocols static interface-route 10.17.0.0/16 next-hop-interface vti0

11. Commit the changes and save the configuration.

commit ; save
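Before committing a configuration like the one above, it is worth checking the `set` lines against a crypto baseline rather than trusting the vendor walkthrough as-is. The following linter is an added example, not code from this paste or from Ubiquiti's article: it parses Vyatta-style `set vpn ipsec ...` lines into IKE groups, ESP groups and peers, then flags weak MODP groups (1/2/5), MD5/SHA-1 integrity, DES/3DES, IKEv1, missing DPD or PFS, pre-shared secrets left as placeholders, peers that reference undefined groups, and VTI addresses outside the RFC 3927 range. The baseline thresholds, the `BAR0` hardened variant, the `192.0.2.10` peer and the `example-constructed-psk` value are all assumptions constructed for the example; the `PASTE_CONFIG` sample is copied from the steps above.

```python
"""Lint the `set vpn ipsec ...` lines of an EdgeRouter (Vyatta-style) site-to-site
configuration against an assumed crypto baseline.  Added example; not code from
the paste or from Ubiquiti's article."""
import ipaddress
from collections import defaultdict

WEAK_DH_GROUPS = {"1", "2", "5"}      # assumed baseline: require >= MODP-2048 (group 14)
WEAK_HASHES = {"md5", "sha1"}
WEAK_CIPHERS = {"des", "3des"}
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # RFC 3927 space for VTI addresses

# Sample input copied from the paste above (only the lines the linter inspects).
PASTE_CONFIG = """
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer 52.55.81.123 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 52.55.81.123 authentication pre-shared-secret <Pre-Shared-key>
set vpn ipsec site-to-site peer 52.55.81.123 ike-group FOO0
set vpn ipsec site-to-site peer 52.55.81.123 vti bind vti0
set vpn ipsec site-to-site peer 52.55.81.123 vti esp-group FOO0
set interfaces vti vti0 address 169.254.104.21/30
"""

# Constructed hardened variant (IKEv2, group 14, SHA-256, AES-256, a filled-in PSK).
# Every name and value here is an assumption for the example, not from the paste.
HARDENED_CONFIG = """
set vpn ipsec ike-group BAR0 key-exchange ikev2
set vpn ipsec ike-group BAR0 lifetime 28800
set vpn ipsec ike-group BAR0 proposal 1 dh-group 14
set vpn ipsec ike-group BAR0 proposal 1 encryption aes256
set vpn ipsec ike-group BAR0 proposal 1 hash sha256
set vpn ipsec ike-group BAR0 dead-peer-detection action restart
set vpn ipsec esp-group BAR0 pfs enable
set vpn ipsec esp-group BAR0 proposal 1 encryption aes256
set vpn ipsec esp-group BAR0 proposal 1 hash sha256
set vpn ipsec site-to-site peer 192.0.2.10 authentication pre-shared-secret example-constructed-psk
set vpn ipsec site-to-site peer 192.0.2.10 ike-group BAR0
set vpn ipsec site-to-site peer 192.0.2.10 vti esp-group BAR0
set interfaces vti vti1 address 169.254.10.2/30
"""


def parse_set_lines(text):
    """Token paths of every `set ...` line; prose, `configure` and `commit` are skipped."""
    return [ln.split()[1:] for ln in text.splitlines() if ln.strip().startswith("set ")]


def lint_ipsec_config(text):
    """Return [(severity, message), ...] for the configuration text; [] means clean."""
    findings = []
    ike, esp, peers = defaultdict(dict), defaultdict(dict), defaultdict(dict)
    for p in parse_set_lines(text):
        if p[:3] in (["vpn", "ipsec", "ike-group"], ["vpn", "ipsec", "esp-group"]):
            table, rest = (ike if p[2] == "ike-group" else esp), p[4:]
            if rest[0] == "proposal":               # proposal N <attr> <value>
                table[p[3]][rest[2]] = rest[3]
            elif rest[0] == "dead-peer-detection":  # any DPD sub-option counts as configured
                table[p[3]]["dpd"] = "yes"
            else:                                   # key-exchange / lifetime / pfs
                table[p[3]][rest[0]] = rest[1]
        elif p[:4] == ["vpn", "ipsec", "site-to-site", "peer"]:
            peers[p[4]][" ".join(p[5:-1])] = p[-1]  # e.g. "vti esp-group" -> "FOO0"
        elif p[:2] == ["interfaces", "vti"] and len(p) > 4 and p[3] == "address":
            if ipaddress.ip_interface(p[4]).ip not in LINK_LOCAL:
                findings.append(("warn", f"{p[2]}: address {p[4]} is outside RFC 3927 169.254.0.0/16"))

    for kind, table in (("ike-group", ike), ("esp-group", esp)):
        for name, g in table.items():
            if g.get("dh-group") in WEAK_DH_GROUPS:
                findings.append(("warn", f"{kind} {name}: dh-group {g['dh-group']} is a weak MODP group"))
            if g.get("hash") in WEAK_HASHES:
                findings.append(("warn", f"{kind} {name}: hash {g['hash']} is deprecated"))
            if g.get("encryption") in WEAK_CIPHERS:
                findings.append(("warn", f"{kind} {name}: encryption {g['encryption']} is weak"))
            if kind == "ike-group" and g.get("key-exchange") == "ikev1":
                findings.append(("info", f"ike-group {name}: IKEv1 in use; prefer IKEv2 when the peer supports it"))
            if kind == "ike-group" and "dpd" not in g:
                findings.append(("warn", f"ike-group {name}: no dead-peer-detection configured"))
            if kind == "esp-group" and g.get("pfs") != "enable":
                findings.append(("warn", f"esp-group {name}: PFS is not enabled"))

    for peer, cfg in peers.items():
        psk = cfg.get("authentication pre-shared-secret", "")
        if not psk or psk.startswith("<"):
            findings.append(("error", f"peer {peer}: pre-shared secret is missing or still a placeholder"))
        for key, table in (("ike-group", ike), ("vti esp-group", esp)):
            if cfg.get(key) not in table:
                findings.append(("error", f"peer {peer}: references undefined {key} {cfg.get(key)}"))
    return findings


if __name__ == "__main__":
    for sev, msg in lint_ipsec_config(PASTE_CONFIG):
        print(f"[{sev}] {msg}")
```

Run against the paste's own lines the linter reports five findings: DH group 2 and SHA-1 on the IKE group, SHA-1 on the ESP group, IKEv1 as an informational note, and the `<Pre-Shared-key>` placeholder as an error; the constructed `BAR0` variant comes back clean. The thresholds are deliberately simple, and only `set` lines are inspected, so the `mss-clamp` and static-route steps are accepted as written.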