- #https://help.ui.com/hc/en-us/articles/115015979787-EdgeRouter-Route-Based-Site-to-Site-VPN-to-AWS-VPC-VTI-over-IKEv1-IPsec-
- 1. Enter configuration mode.
- configure
- 2. Enable the auto-firewall-nat-exclude feature which automatically creates the IPsec firewall/NAT policies in the iptables firewall.
- set vpn ipsec auto-firewall-nat-exclude enable
- 3. Create the IKE / Phase 1 (P1) Security Associations (SAs) and enable Dead Peer Detection (DPD).
- set vpn ipsec ike-group FOO0 key-exchange ikev1
- set vpn ipsec ike-group FOO0 lifetime 28800
- set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
- set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
- set vpn ipsec ike-group FOO0 proposal 1 hash sha1
- set vpn ipsec ike-group FOO0 dead-peer-detection action restart
- set vpn ipsec ike-group FOO0 dead-peer-detection interval 15
- set vpn ipsec ike-group FOO0 dead-peer-detection timeout 30
- 4. Create the ESP / Phase 2 (P2) SAs and enable Perfect Forward Secrecy (PFS).
- set vpn ipsec esp-group FOO0 lifetime 3600
- set vpn ipsec esp-group FOO0 pfs enable
- set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
- set vpn ipsec esp-group FOO0 proposal 1 hash sha1
- 5. Define the first AWS peer address (replace <Pre-Shared-key> with the pre-shared key AWS generated for the tunnel, and the local-address placeholder with the router's public IP).
- set vpn ipsec site-to-site peer 52.55.81.123 authentication mode pre-shared-secret
- set vpn ipsec site-to-site peer 52.55.81.123 authentication pre-shared-secret <Pre-Shared-key>
- set vpn ipsec site-to-site peer 52.55.81.123 connection-type initiate
- set vpn ipsec site-to-site peer 52.55.81.123 description ipsec-aws
- set vpn ipsec site-to-site peer 52.55.81.123 local-address XXX.My-Router-Publicip.XXX.XXX
- 6. Link the SAs created above to the first AWS peer and bind the VPN to a virtual tunnel interface (vti0).
- set vpn ipsec site-to-site peer 52.55.81.123 ike-group FOO0
- set vpn ipsec site-to-site peer 52.55.81.123 vti bind vti0
- set vpn ipsec site-to-site peer 52.55.81.123 vti esp-group FOO0
- 8. Configure the RFC 3927 IP addresses on the virtual tunnel interfaces.
- set interfaces vti vti0 address 169.254.104.21/30
- 9. Lower the TCP Maximum Segment Size (MSS) on the vti interfaces to 1379.
- set firewall options mss-clamp interface-type vti
- set firewall options mss-clamp mss 1379
- 10. Create static routes for the remote VPC subnet.
- set protocols static interface-route 10.16.0.0/16 next-hop-interface vti0
- set protocols static interface-route 10.17.0.0/16 next-hop-interface vti0
- 11. Commit the changes and save the configuration.
- commit ; save
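An added example, not from the paste or from Ubiquiti's article: a small Python checker that parses `set ...` lines like the ones above into a tree and flags what a reviewer would question before `commit ; save`: IKEv1 where IKEv2 is available, a Diffie-Hellman group below 2048-bit MODP (group 14), SHA-1 integrity, PFS disabled, missing DPD, a placeholder secret or local address left in place, and a VTI bind with no address. The function names, finding codes and the sample string are constructed assumptions; the thresholds reflect common hardening guidance, not anything the article states.

```python
"""Parse EdgeOS-style `set ...` lines and audit the IPsec settings they build.

Added example, not part of the paste or of Ubiquiti's article. Function names
and finding codes are hypothetical; the sample input is constructed from the
paste's own commands, placeholders included.
"""
from __future__ import annotations

import re

# Constructed sample: the paste's commands, with its unreplaced placeholders.
SAMPLE_CONFIG = """\
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 2
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 dead-peer-detection action restart
set vpn ipsec ike-group FOO0 dead-peer-detection interval 15
set vpn ipsec ike-group FOO0 dead-peer-detection timeout 30
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec site-to-site peer 52.55.81.123 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 52.55.81.123 authentication pre-shared-secret <Pre-Shared-key>
set vpn ipsec site-to-site peer 52.55.81.123 local-address XXX.My-Router-Publicip.XXX.XXX
set vpn ipsec site-to-site peer 52.55.81.123 ike-group FOO0
set vpn ipsec site-to-site peer 52.55.81.123 vti bind vti0
set vpn ipsec site-to-site peer 52.55.81.123 vti esp-group FOO0
set interfaces vti vti0 address 169.254.104.21/30
"""

# Anything that still looks like template text: <...> or a run of X.
PLACEHOLDER = re.compile(r"<[^>]*>|XXX")


def parse_set_lines(text: str) -> dict:
    """Build a nested dict from `set k1 k2 ... leaf value` lines.

    `set vpn ipsec ike-group FOO0 proposal 1 dh-group 2` becomes
    tree["vpn"]["ipsec"]["ike-group"]["FOO0"]["proposal"]["1"]["dh-group"] == "2".
    Blank lines, comments and non-`set` lines (e.g. `commit ; save`) are skipped.
    """
    tree: dict = {}
    for raw in text.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "set":
            continue
        node = tree
        for key in tokens[1:-2]:
            child = node.get(key)
            if not isinstance(child, dict):  # a scalar here is replaced by a subtree
                child = node[key] = {}
            node = child
        node[tokens[-2]] = tokens[-1]
    return tree


def audit_ipsec(tree: dict) -> list[tuple[str, str]]:
    """Return (code, message) findings for weak or unfinished IPsec settings."""
    findings: list[tuple[str, str]] = []
    ipsec = tree.get("vpn", {}).get("ipsec", {})

    if ipsec.get("auto-firewall-nat-exclude") != "enable":
        findings.append(("NO_NAT_EXCLUDE", "auto-firewall-nat-exclude is not enabled; tunnel traffic may be NATed or blocked"))

    for name, grp in ipsec.get("ike-group", {}).items():
        if grp.get("key-exchange") == "ikev1":
            findings.append(("IKEV1", f"ike-group {name} uses IKEv1; prefer IKEv2 where the peer supports it"))
        if "dead-peer-detection" not in grp:
            findings.append(("NO_DPD", f"ike-group {name} has no dead-peer-detection; a dead peer will not trigger a restart"))
        for pid, prop in grp.get("proposal", {}).items():
            dh = prop.get("dh-group", "")
            if dh.isdigit() and int(dh) < 14:  # groups 1/2/5 are 768/1024/1536-bit MODP
                findings.append(("WEAK_DH", f"ike-group {name} proposal {pid}: dh-group {dh} is weaker than 2048-bit MODP (group 14)"))
            if prop.get("hash") in ("md5", "sha1"):
                findings.append(("WEAK_HASH", f"ike-group {name} proposal {pid}: hash {prop['hash']}; prefer sha256 or stronger"))

    for name, grp in ipsec.get("esp-group", {}).items():
        if grp.get("pfs") != "enable":
            findings.append(("NO_PFS", f"esp-group {name}: PFS is not enabled"))
        for pid, prop in grp.get("proposal", {}).items():
            if prop.get("hash") in ("md5", "sha1"):
                findings.append(("WEAK_HASH", f"esp-group {name} proposal {pid}: hash {prop['hash']}; prefer sha256 or stronger"))

    vti_ifaces = tree.get("interfaces", {}).get("vti", {})
    for addr, peer in ipsec.get("site-to-site", {}).get("peer", {}).items():
        checks = (("pre-shared-secret", peer.get("authentication", {}).get("pre-shared-secret", "")),
                  ("local-address", peer.get("local-address", "")))
        for field, value in checks:
            if PLACEHOLDER.search(value):
                findings.append(("PLACEHOLDER", f"peer {addr}: {field} still holds template text {value!r}"))
        bound = peer.get("vti", {}).get("bind")
        if bound and "address" not in vti_ifaces.get(bound, {}):
            findings.append(("VTI_UNADDRESSED", f"peer {addr} is bound to {bound}, which has no RFC 3927 address"))
    return findings


if __name__ == "__main__":
    for code, message in audit_ipsec(parse_set_lines(SAMPLE_CONFIG)):
        print(f"{code:16} {message}")
```

Feed it the output of the EdgeOS operational-mode command `show configuration commands` (or the set lines you are about to paste) and resolve every finding before committing; on the paste's own commands it reports IKEv1, DH group 2, SHA-1 in both phases, and the two placeholders, and it reports nothing once those are replaced by IKEv2, group 14, SHA-256, a real key and a real local address.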