04 May

How to set up a VPN between Juniper SRX and AWS Cloud

I have said at several conferences where I had the privilege of speaking that clouds are one of the futures of computing, along with DevOps/SysOps and machine learning. But there is no computing if you have no data to compute, no reliable and secure way to send it to the cloud, or no cloud infrastructure to perform the computation. That is why we need to look at how to set up a VPN between a Juniper SRX and AWS Cloud.

I think hybrid cloud will be the model for many computer systems in the next few years. Private clouds do not scale and public clouds cannot address every need of current systems, so a hybrid model is the solution. But it requires reliable, easy to set up and easy to maintain ways of connecting on-premises resources to the public cloud. The technology is here and it is called VPN.

Usually when we think about a VPN connecting two sites we think about site-to-site VPN. There are several ways to build such a connection: GRE, GRE over IPsec and plain IPsec, to name the most popular. In each case two (or more) parties are connected via a dedicated tunnel, which is usually encrypted (GRE on its own provides neither confidentiality nor authentication, which is why it is normally wrapped in IPsec). At the ends of the tunnel you will usually find routers or firewalls.

Configuring the AWS side

The VPN configuration is part of the VPC in AWS. A VPC is simply a private, isolated network environment inside the AWS cloud. The VPN configuration consists of three elements:

  1. Customer Gateway – the definition of the customer side. AWS needs to know your peer's public IP address and, optionally, its ASN if you plan to use BGP to exchange prefixes.
  2. Virtual Private Gateway – the AWS side of the configuration. Think of it as a virtual VPN hub attached to your VPC.
  3. VPN Connection – the definition of each VPN link you want to establish between a Customer Gateway and a Virtual Private Gateway.

We can create the Customer Gateway manually or let the Virtual Private Gateway wizard create it for us. The only arguments we need to provide are our public IP address and, if we decide on dynamic routing with BGP, our ASN.

Creating Customer Gateway configuration

Next is the Virtual Private Gateway. To create one, go to the “Virtual Private Gateways” section of the VPC console, click “Create Virtual Private Gateway” and add a name tag. Then attach it to the selected VPC, because a newly created gateway is not attached to anything.

Virtual Private Gateways list

The last part is the VPN Connection, created in the “VPN Connections” section. Because I selected static routing I must define the on-premises prefixes that should be reachable through this VPN; they can be edited later. If you choose dynamic routing instead, this is where the BGP parameters are specified.

Creating VPN connection on AWS

It can take a few minutes for AWS to create the VPN connection.

A fantastic thing is that, based on the parameters you used to create the VPN Connection, AWS generates a configuration template for your Customer Gateway device. If you are using a Cisco ASA or ISR, Check Point, Juniper, Palo Alto or even Microsoft Windows Server you can download a ready-made configuration and only adjust it to your needs. The pre-shared keys (PSK) for the tunnels are also in those files, so treat the downloaded template as a secret: do not commit it to a repository or paste it into a ticket.

AWS will prepare configuration templates for most popular platforms

One last thing that requires our attention is routing. In the VPC route table we need to add routes for the on-premises subnets with the Virtual Private Gateway as the target; otherwise instances in the VPC have no return path through the VPN.

Adding static routes to VPC

Security and redundancy in VPN connectivity between Juniper SRX and AWS Cloud

If you have any experience with IPsec VPNs, a red light should already be blinking in your head: “What about security? I didn't set any encryption or authentication algorithm! How do the peers authenticate each other?”

Yes, those questions are valid and very important. AWS designers decided that it is your responsibility to enforce the protection you require on your device, while the AWS side stays flexible and needs no additional configuration from the engineer: it accepts a predefined set of algorithms covering the commonly used ones, and negotiation succeeds as long as your device proposes one of them. Peers authenticate each other with the pre-shared key found in the generated template. This also gives flexibility in configuration: if your device does not support SHA-256 you can still use SHA-1. The flip side is that nothing on the AWS side stops a weak proposal from being accepted.

The generated configuration has the security parameters set to the weakest values AWS accepts, so in most cases you really want to replace them with stronger ones.

Each VPN Connection in AWS is redundant: by default two tunnels, terminated on two different AWS public IP addresses, are provided. You will find them in the “Tunnel Details” tab of your VPN Connection.

Checking VPN status in AWS

Of course you can configure only one tunnel and run without any redundancy, but if you decide to use both, proper traffic engineering is your responsibility: AWS may send traffic towards you down either tunnel that is up, so your device must be prepared to accept return traffic on both tunnel interfaces.

Also remember to update the Security Group (and any network ACL) configuration so that traffic from your on-premises network is allowed to reach the servers; the VPN only delivers packets into the VPC, it does not authorize them.

Configuring the SRX side of VPN to AWS Cloud

I will use a modified template to create a single VPN connection to AWS. Note that I have hardened the configuration by changing all the crypto parameters (SHA-256, AES-256 and DH group 24 for both phases, with PFS enabled):

set security ike proposal ike-prop-vpn-2a166661-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-2a166661-1 authentication-algorithm sha-256
set security ike proposal ike-prop-vpn-2a166661-1 encryption-algorithm aes-256-cbc
set security ike proposal ike-prop-vpn-2a166661-1 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-2a166661-1 dh-group group24
set security ike policy ike-pol-vpn-2a166661-1 mode main
set security ike policy ike-pol-vpn-2a166661-1 proposals ike-prop-vpn-2a166661-1
set security ike policy ike-pol-vpn-2a166661-1 pre-shared-key ascii-text Tr4c6HjZXIRp8gILkx0f1fUQ7HqHYatJ
set security ike gateway gw-vpn-2a166661-1 ike-policy ike-pol-vpn-2a166661-1
set security ike gateway gw-vpn-2a166661-1 external-interface ge-0/0/0.0
set security ike gateway gw-vpn-2a166661-1 address 46.51.198.169
set security ike gateway gw-vpn-2a166661-1 no-nat-traversal
set security ike gateway gw-vpn-2a166661-1 dead-peer-detection interval 10 threshold 3
set security ipsec proposal ipsec-prop-vpn-2a166661-1 protocol esp
set security ipsec proposal ipsec-prop-vpn-2a166661-1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop-vpn-2a166661-1 encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-prop-vpn-2a166661-1 lifetime-seconds 3600
set security ipsec policy ipsec-pol-vpn-2a166661-1 perfect-forward-secrecy keys group24
set security ipsec policy ipsec-pol-vpn-2a166661-1 proposals ipsec-prop-vpn-2a166661-1
set security ipsec vpn vpn-2a166661-1 ike gateway gw-vpn-2a166661-1
set security ipsec vpn vpn-2a166661-1 ike ipsec-policy ipsec-pol-vpn-2a166661-1
set security ipsec vpn vpn-2a166661-1 df-bit clear
set interfaces st0.1 family inet address 169.254.20.6/30
set interfaces st0.1 family inet mtu 1436
set security zones security-zone AWSVPN interfaces st0.1
set security ipsec vpn vpn-2a166661-1 bind-interface st0.1
set routing-options static route 10.0.0.0/24 next-hop st0.1
set security policies from-zone LAN to-zone AWSVPN policy PERMIT match source-address any
set security policies from-zone LAN to-zone AWSVPN policy PERMIT match destination-address any
set security policies from-zone LAN to-zone AWSVPN policy PERMIT match application any
set security policies from-zone LAN to-zone AWSVPN policy PERMIT then permit
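As an added example (not code from the original post and not an AWS tool), here is a small Python audit that takes a Junos set-format template in the shape AWS generates, flags the weak IKE/IPsec values and the missing redundancy pieces discussed above, and rewrites the proposals to the values used in the hardened configuration. The sample template below is constructed for the example and only reuses the identifiers from this post; the weak values it carries (SHA-1, AES-128, DH group 2) and the minimum-acceptable values in MIN_OK are an assumed hardening policy, not AWS's real output or requirement.

```python
"""Audit a Junos 'set'-format VPN config for weak IKE/IPsec parameters and
missing redundancy, and emit hardened lines. Added example, not an AWS tool."""
import re

# Assumed hardening policy (not an AWS requirement): the values we accept.
MIN_OK = {
    ("ike", "authentication-algorithm"): {"sha-256", "sha-384"},
    ("ike", "encryption-algorithm"): {"aes-256-cbc", "aes-256-gcm"},
    ("ike", "dh-group"): {"group14", "group19", "group20", "group24"},
    ("ipsec", "authentication-algorithm"): {"hmac-sha-256-128"},
    ("ipsec", "encryption-algorithm"): {"aes-256-cbc", "aes-256-gcm"},
    ("ipsec", "pfs"): {"group14", "group19", "group20", "group24"},
}
# Replacement values, matching the hardened SRX configuration above.
HARDENED = {
    ("ike", "authentication-algorithm"): "sha-256",
    ("ike", "encryption-algorithm"): "aes-256-cbc",
    ("ike", "dh-group"): "group24",
    ("ipsec", "authentication-algorithm"): "hmac-sha-256-128",
    ("ipsec", "encryption-algorithm"): "aes-256-cbc",
    ("ipsec", "pfs"): "group24",
}

PROPOSAL_RE = re.compile(
    r"^set security (ike|ipsec) proposal (\S+) "
    r"(authentication-algorithm|encryption-algorithm|dh-group) (\S+)$")
PFS_RE = re.compile(r"^set security ipsec policy (\S+) perfect-forward-secrecy keys (\S+)$")
GATEWAY_RE = re.compile(r"^set security ike gateway (\S+) address \S+$")
DPD_RE = re.compile(r"^set security ike gateway (\S+) dead-peer-detection")
BIND_RE = re.compile(r"^set security ipsec vpn (\S+) bind-interface (\S+)$")

# Constructed sample in the shape of a generated template, carrying weak
# values (SHA-1, AES-128, DH group 2); it is not AWS's real output.
SAMPLE_TEMPLATE = """\
set security ike proposal ike-prop-vpn-2a166661-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-2a166661-1 authentication-algorithm sha1
set security ike proposal ike-prop-vpn-2a166661-1 encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-vpn-2a166661-1 dh-group group2
set security ike gateway gw-vpn-2a166661-1 address 46.51.198.169
set security ipsec proposal ipsec-prop-vpn-2a166661-1 protocol esp
set security ipsec proposal ipsec-prop-vpn-2a166661-1 authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-vpn-2a166661-1 encryption-algorithm aes-128-cbc
set security ipsec policy ipsec-pol-vpn-2a166661-1 perfect-forward-secrecy keys group2
set security ipsec vpn vpn-2a166661-1 bind-interface st0.1
"""


def _weak_value(line):
    """(proto, key, name, value) if the line carries a value below policy, else None."""
    m = PROPOSAL_RE.match(line)
    if m:
        proto, name, key, value = m.groups()
    else:
        m = PFS_RE.match(line)
        if not m:
            return None
        proto, key, (name, value) = "ipsec", "pfs", m.groups()
    allowed = MIN_OK.get((proto, key))
    if allowed is None or value in allowed:
        return None
    return proto, key, name, value


def audit(config_text):
    """Findings as (kind, object, detail): weak crypto, IKE gateways without
    dead-peer detection, and fewer than the two tunnels AWS provides."""
    findings, gateways, dpd, tunnels = [], set(), set(), {}
    for line in (l.strip() for l in config_text.splitlines()):
        weak = _weak_value(line)
        if weak:
            proto, key, name, value = weak
            findings.append(("weak-crypto", name, f"{proto} {key} {value}"))
        elif GATEWAY_RE.match(line):
            gateways.add(GATEWAY_RE.match(line).group(1))
        elif DPD_RE.match(line):
            dpd.add(DPD_RE.match(line).group(1))
        elif BIND_RE.match(line):
            name, iface = BIND_RE.match(line).groups()
            tunnels[name] = iface
    for gw in sorted(gateways - dpd):
        findings.append(("no-dpd", gw, "no dead-peer-detection; a dead tunnel is not noticed"))
    if len(tunnels) < 2:
        findings.append(("no-redundancy", ", ".join(sorted(tunnels)) or "-",
                         f"{len(tunnels)} tunnel bound, AWS provides two"))
    return findings


def harden(config_text):
    """Rewrite weak proposal and PFS values to HARDENED ones; every other line
    (PSK, peer address, routing) passes through unchanged."""
    out = []
    for line in (l.strip() for l in config_text.splitlines()):
        weak = _weak_value(line)
        if weak:
            proto, key, name, _ = weak
            if key == "pfs":
                line = f"set security ipsec policy {name} perfect-forward-secrecy keys {HARDENED[(proto, key)]}"
            else:
                line = f"set security {proto} proposal {name} {key} {HARDENED[(proto, key)]}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for kind, obj, detail in audit(SAMPLE_TEMPLATE):
        print(f"{kind:14} {obj:28} {detail}")
    print("\n# hardened:\n" + harden(SAMPLE_TEMPLATE))
```

On the constructed template this reports eight findings (six weak values, one gateway without DPD, only one tunnel bound) and prints the rewritten lines; run over the hardened configuration above it leaves only the single-tunnel finding. It checks text only: after loading the hardened lines, confirm that the tunnels actually came up on the SRX with `show security ike security-associations` and `show security ipsec security-associations`, because on the AWS side you only get the tunnel state.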

The preferred deployment model on the SRX is a route-based VPN, but for devices such as the Cisco ASA a policy-based deployment is also possible.

AWS does not provide troubleshooting tools at their end. All we can do is check the tunnel state under the “Tunnel Details” tab, so all troubleshooting has to be performed on the Customer Gateway.

Pricing

VPNs in AWS are not free. In almost all regions you pay $0.05 per hour for each VPN Connection, which gives around $36 per VPN per month, plus the standard fees for outgoing traffic.
