VPN Configuration Using Cisco CSR 1000v: AWS

Mohamed Jawad P
4 min read, Jun 13, 2018

A Virtual Private Network (VPN) is a technology that creates an encrypted connection over the internet. Through a VPN tunnel, remote users can reach the application servers and other resources in the private data center in a secure, encrypted form.

There are two types of VPN:

  1. Remote-access VPN
  2. Site-to-Site VPN

Remote-access VPN

A remote-access VPN uses the public internet to connect individual remote users to their organization so they can reach resources on its network. A VPN client is configured on the remote user's computer or mobile device and connects to a VPN gateway on the organization's network.

Site-to-Site VPN

A site-to-site VPN uses a gateway device to connect an entire network to another network in a different location, for example small branches to the data center of an organization. You can set up a site-to-site VPN connection over the public internet or over MPLS.

Amazon Web Services uses a site-to-site VPN to connect with the on-premises network. AWS provides a few connectivity options for connecting your Amazon VPC with remote networks. To learn about the connectivity options, click here.

Figure — 1

Here (Figure — 1) AWS uses a virtual private gateway and a customer gateway to build an AWS Managed VPN connection to the on-premises DC. After configuring the AWS Managed VPN, you can download the configuration file for the on-premises DC gateway device. To learn more about this setup, click here.

Figure — 2

In the Transit VPC setup (Figure — 2), a host-based VPN appliance from the AWS Marketplace runs on an Amazon EC2 instance. To learn more about the Transit VPC setup, click here.

Here a Generic Routing Encapsulation (GRE) tunnel carries the VPN connection between the Cisco CSR and the on-premises router. GRE creates a virtual tunnel between the two endpoints and packets are sent through it. GRE does not encrypt the packets travelling from one end to the other; it only encapsulates them with a GRE header. To protect the data you must add IPsec. The IPsec configuration involves two steps:

  1. Configure ISAKMP (IKE Phase 1)
  2. Configure IPSec (IKE Phase 2)

IKE Phase 1 (Configure ISAKMP)

Internet Key Exchange (IKE) establishes the shared security policy and the authenticated keys. Internet Security Association and Key Management Protocol (ISAKMP) is the protocol that specifies the mechanics of the key exchange. With pre-shared key authentication, each peer computes a hash using its copy of the key and sends it to the other end, which checks that it is identical to its own. The keys on both sides must match for the connection to be established.

IKE Phase 2 (Configure IPSec)

IPsec operates at the IP layer and is often used to allow secure remote access to the network. IPsec primarily uses tunnel mode for creating VPN tunnels. It raises the level of security of a VPN connection by providing authentication, encryption, and compression services at the network layer. Each outgoing IP packet is encapsulated and secured inside an IPsec packet.

Figure — 3

Configuration steps:

  1. Configure ISAKMP (IKE Phase 1).
  2. Define a pre-shared key. The ISAKMP keyring stores the pre-shared key used to authenticate the tunnel endpoints.
  3. Create an ISAKMP profile to associate the keyring with the particular endpoint.
  4. Configure IPsec (IKE Phase 2).
  5. Create an IPsec profile that refers to the IPsec transform set.
  6. Configure the Tunnel interface.

Repeat the same steps on the on-premises router, changing the IP addresses.

Note: The VPN establishes a virtual connection between the two routers. For the networks behind them to communicate, you also need to define routing, either static routes or a routing protocol such as EIGRP or BGP.
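The six steps above as one worked Cisco IOS XE configuration for the CSR side, added here as an example rather than taken from the post. The on-premises peer address 203.0.113.10, the on-premises prefix 10.10.0.0/16, the tunnel addressing, the interface name and the key placeholder are assumed values, and the policy uses AES-256, SHA-256 and DH group 14 instead of the weaker IOS defaults.

```cisco
! Step 1 - IKE Phase 1: ISAKMP policy (assumed: AES-256, SHA-256, DH group 14)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
!
! Step 2 - keyring: pre-shared key bound to the on-premises peer's public IP (assumed)
crypto keyring ONPREM-KEYRING
 pre-shared-key address 203.0.113.10 key REPLACE_WITH_STRONG_PSK
!
! Step 3 - ISAKMP profile ties the keyring to that one peer identity
crypto isakmp profile ONPREM-ISAKMP
 keyring ONPREM-KEYRING
 match identity address 203.0.113.10 255.255.255.255
!
! Step 4 - IKE Phase 2: transform set, ESP with AES-256 and SHA-256 HMAC
! (no "mode" line, so the default tunnel mode described in the post applies)
crypto ipsec transform-set ONPREM-TS esp-aes 256 esp-sha256-hmac
!
! Step 5 - IPsec profile refers to the transform set and the ISAKMP profile
crypto ipsec profile ONPREM-IPSEC
 set transform-set ONPREM-TS
 set isakmp-profile ONPREM-ISAKMP
!
! Step 6 - GRE tunnel protected by the IPsec profile; tunnel source is the
! CSR's private interface because the Elastic IP is NATed by AWS (assumed name)
interface Tunnel1
 ip address 169.254.10.1 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet1
 tunnel destination 203.0.113.10
 tunnel mode gre ip
 tunnel protection ipsec profile ONPREM-IPSEC
!
! Routing (see the note above): static route for the on-premises prefix via the tunnel
ip route 10.10.0.0 255.255.0.0 Tunnel1
!
! Checks: "show crypto isakmp sa" (state QM_IDLE), "show crypto ipsec sa"
! (encaps/decaps counters rising) and "show interface Tunnel1" (line protocol up)
```

On the on-premises router the mirror configuration uses the CSR's Elastic IP as peer and tunnel destination; on the AWS side the instance needs source/destination check disabled and a security group that allows UDP 500, UDP 4500 and ESP from the peer.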

To verify the connectivity:

Once the connection is successfully UP, you can access the AWS resources from the on-premises network.
