Description: This document describes how to configure an VPN connection to the Amazon VPC and to propagate the routes dynamically by BGP. For further information on Amazon's Virtual Private Cloud please visit: https://aws.amazon.com/vpc/ Requirements:Procedure:Two IPSec tunnels are for configured for the connection to the Amazon VPC, each one running a BGP session. Amazon stipulates the configuration of two VPN tunnels and two BGP connections for redundancy reasons. After creating the "VPN Connection" in your Amazon VPC interface, you receive the parameters for the VPN tunnels and the necessary data for the configuration of the two BGP sessions. An example configuration can be viewed at the following link: http://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/GenericConfig.html1) Configuring two VPN connections1.1) Open the the LANCOM router configuration and navigate to VPN → General. Activate the VPN module and set the Establishment of net relationships (SAs) to Collectively with KeepAlive. 1.2) Change to the menu VPN → IKE/IPSec → IKE proposals... 1.3) Click the Add button, enter a meaningful name and set the IKE proposal based on the specifications for your Amazon VPC. 1.4) Change to the menu VPN → IKE/IPSec → IKE proposal lists... Click the add button, enter a meaningful name and add the proposal you created in step 1.3) to this list. 1.5) Change to the menu VPN → IKE/IPSec → IPSec proposals... 1.6) Click the Add button, enter a meaningful name and set the IPSec proposal based on the specifications for your Amazon VPC. 1.7) Change to the menu VPN → IKE/IPSec → IPSec proposal lists... Click the add button, enter a meaningful name and add the proposal you created in step 1.6) to this list. 1.8) Change to the menu VPN → IKE/IPSec → IKE keys and identities... 1.9) Click the Add button and enter the pre-shared key required for your Amazon VPC. Repeat the procedure and to set up the second entry for the second VPN connection. 1.10) Navigate to the menu VPN → IKE/IPSec → Connection parameters... and add new entries to collect the lists, keys, IKE group and PFS group. Your Amazon VPC will inform you about which IKE and PFS group you need to use. Here, you should also create two entries for the two VPN connections. 1.11) Change to the menu VPN → IKE/IPSec → Connection list... 1.12) This is where you create the actual VPN remote peer. Click the Add button and create the first of the two VPN peers. Set the following parameters: - Name of connection: Set any meaningful name for the connection
- Short hold time: 9999
- Dead peer detection: 30 seconds
- Gateway: Here you enter the IP address of the “Virtual Private Gateway” of your Amazon VPC; in our example this is → 72.21.209.193*
- Connection parameters: Here, you select the previously created connection parameters, in our example → AMAZON-VPC1*
- IKE exchange: Main mode
- Rule creation: Manual
- IPv4 rules: RAS-WITH-NETWORK-SELECTION
*These entries must be different for both VPN tunnels. 1.13) Repeat the procedure for the second VPN connection by entering the parameters for the second connection: - Name of connection: Set any meaningful name for the connection
- Short hold time: 9999
- Dead peer detection: 30 seconds
- Gateway: Here you enter the IP address of the “Virtual Private Gateway” of your Amazon VPC; in our example this is → 72.21.209.225*
- Connection parameters: Here, you select the previously created connection parameters, in our example → AMAZON-VPC2*
- IKE exchange: Main mode
- Rule creation: Manual
- IPv4 rules: RAS-WITH-NETWORK-SELECTION
*These entries must be different for both tunnels. 1.14) In our example, we use address 169.254.255.1 for the first tunnel and address 169.254.255.5 for the second tunnel. Navigate to the menu IP router → Routing → IPv4 routing table... and enter a route for each of the VPN tunnels, as illustrated below:
2) Configuring two BGP connections 2.1) As mentioned previously, one or two loopback addresses must first be defined for the BGP connection. To do this, go to the menu IPv4 → General → Loopback addresses... 2.2) Click the Add button, assign a name and, for the LANCOM, enter the address from the /30 subnet that you received as a loopback address when you created the VPN connection in the Amazon VPC. Configure an entry for both /30 subnets2.3) Specify BGP policy 2.3.1) BGP policy is specified in the menu Routing protocols → BGP → BGP policy... 2.3.2) First configure the prepending of your own AS to the AS_PATH attribute under "AS path ...". - To do this, click the Add button, assign any name, and under “Prepend” you type in the work self.
- Under "Prepend count" specify how often you want to prepend your own AS. In our example, we entered 5.
2.3.3) Next, navigate to the Actions... menu and click Add. Here you assign a name for the action and, under AS path, you select the action created previously in step 2.3.2). 2.3.4) Finally, navigate to the menu item Filters... and click Add to create the actual filter. Specify a name for the filter, set the policy to permit and set the action to the action you created in step 2.3.2). You have now created a BGP policy and you can continue with the BGP configuration. 2.4) Navigate to the menu Routing protocols → BGP → BGP instance. Here you enter the AS number configured in the Amazon VPC (default 65000) and set the Router ID to one of the two loopback addresses. 2.5) Navigate to the menu Routing protocols → BGP → Neighbors. 2.6) Click on Add to create the first BGP neighbor. Set the following parameters: - Name: Set any meaningful name for the connection
- IP address: Here you enter the address of the first BGP neighbor as required by the Amazon VPC; in our example this is → 169.254.255.1*
- Source address (opt.): Here you select the loopback address specified in step 2.2). Make sure that you select the correct /30 subnet address that corresponds to the IP address you specified for this neighbor. In our example → BGP1* (169.254.255.2)
- Remote AS: Here you enter the AS from the Amazon VPC → 7224
*These entries must be different for both BGP neighbors. 2.7) Repeat the procedure for the second BGP neighbor and click on Add. Set the following parameters: - Name: Set any meaningful name for the connection
- IP address: Here you enter the address of the second BGP neighbor as required by the Amazon VPC; in our example this is → 169.254.255.5*
- Source address (opt.): Here you select the loopback address specified in step 2.2). Make sure that you select the correct /30 subnet address that corresponds to the IP address you specified for this neighbor. In our example → BGP2* (169.254.255.6)
- Remote AS: Here you enter the AS from the Amazon VPC → 7224
- Inbound policy/Outbound policy: For the second connection, the filter created for the BGP policy in step 2.3) is set as the inbound policy and the outbound policy. In our example this is → FIL-AS_PATH5
*These entries must be different for both BGP neighbors. 2.8) Navigate to the menu Routing protocols → BGP → IPv4 network... and click Add. Here you enter your local network, which is to be propagated over the BGP connection. In our example → 10.38.0.0/16 Setting the type Dynamic ensures that the network is only propagated if it can actually be reached by your device at the moment. 2.9) Now navigate to the menu Routing protocols → BGP → IPv4 address family..., select the DEFAULT entry and click Edit... Set the entry Use self as next hop to Yes. 2.10) To conclude the configuration, you activate the BGP module under Routing protocols → BGP → Border Gateway Protocol (BGP) active.
|