I’ve said during several conferences where I had the privilege to be a speaker that clouds are one of the futures of computing, along with DevOps/SysOps and Machine Learning. But there is no computing if you don’t have the data to compute, have no way to send it to the cloud in a reliable and secure way, or don’t have cloud infrastructure to perform the computation. That’s why we need to take a look at how to set up a VPN between Juniper SRX and AWS Cloud.
I think that hybrid cloud will be the model for how many computer systems will work in the next few years. Private clouds are not scalable and public clouds cannot address all the needs of current systems. So hybrid mode is a solution. But it requires reliable ways, easy to set up and maintain, to connect on-premise resources to the public cloud. The technology is here and it’s called VPN.
Usually when we think about a VPN connecting two sites we think about a site-to-site VPN. There are several ways to create such connections: GRE, GRE over IPSec and IPSec, to name a few of the most popular. So there are always two (or more) parties connected via a dedicated tunnel, which is usually encrypted. At the ends of the VPN tunnel you will usually find routers or firewalls.
Configuring the AWS
The VPN configuration is part of the VPC in AWS cloud. A VPC is just a private cloud that contains the networking in our isolated environment. The VPN configuration consists of three elements:
- Customer Gateways – this is the definition of the customer part of the configuration. AWS needs to know your peer IP, as well as an optional ASN if you’re planning to use BGP to exchange prefixes.
- Virtual Private Gateway – this is the AWS part of the configuration. Think of it as a virtual VPN hub assigned to your VPC.
- VPN Connections – the definition of each VPN link you want to establish.
We can create the customer gateway manually or let the Virtual Private Gateway wizard configure it for us. The only arguments we need to provide are our IP address and an ASN if we decide to use dynamic routing with BGP.
Next is the VPN Gateway. To create one we need to go to the “Virtual Private Gateway” section in VPC, click the “Create Virtual Private Gateway” button and add a tag. Then we need to assign it to the selected VPC, because when created it’s not attached.
The last part is the VPN connection, which we can create in the “VPN Connections” section. Because I selected static routing I must define the subnets I want to be able to reach using this VPN. We can edit them later. This is also where we specify BGP parameters.
It can take a few minutes to create our VPN configuration.
The fantastic thing is that, based on the parameters you used to create the VPN Connection, AWS will create a configuration template for your Customer Gateway device. So if you are using Cisco ASA or ISR, Checkpoint, Juniper, Palo Alto or even Microsoft Windows Server, you can easily generate a configuration for yourself and then just adjust it to your needs. You will also find the pre-shared key (PSK) in those configuration files.
One last thing that requires our attention is routing. We need to specify that traffic for subnets accessible via the VPN Connection should be routed to the Virtual Private Gateway.
Security and redundancy in VPN connectivity between Juniper SRX and AWS Cloud
If you have any experience with IPSec VPNs there should already be a red light blinking in your head – “What about the security? I didn’t set any encryption or authentication algorithm! How do the peers authenticate each other?”
Yes, those questions are valid and very important. The AWS designers decided that it’s your responsibility to enforce the protection you require on your device, while the AWS side remains flexible, with no additional configuration required from the engineer. There are of course predefined values that can be set, but you can easily say that the most popular ones are available. That also gives us flexibility in configuration – if our device does not support SHA-256 we can still use SHA-1.
The generated configuration has the security parameters set to the lowest possible values, so in most cases you really want to update them to stronger ones.
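One way to check a generated template before loading it, as an added example (not from the original post or from AWS): the script scans Junos `set` lines for IKE and IPsec settings weaker than the ones used in the hardened configuration on this page, and for IPsec policies without PFS. The deny-list, the object names and the sample lines are constructed for illustration.

```python
import re

# Deny-list assumed for this example: values weaker than the ones used in the
# hardened configuration on this page. Adjust it to your own baseline.
BELOW_BASELINE = {
    "authentication-algorithm": {"md5", "sha1", "hmac-md5-96", "hmac-sha1-96"},
    "encryption-algorithm": {"des-cbc", "3des-cbc", "aes-128-cbc"},
    "dh-group": {"group1", "group2", "group5"},
    "keys": {"group1", "group2", "group5"},  # perfect-forward-secrecy keys <group>
}

# set security <ike|ipsec> <proposal|policy> <name> [perfect-forward-secrecy] <key> <value>
SET_LINE = re.compile(
    r"^set security (ike|ipsec) (proposal|policy) (\S+) "
    r"(?:perfect-forward-secrecy )?(\S+) (\S+)$"
)

# Constructed sample input (not a verbatim AWS template).
SAMPLE = """\
set security ike proposal ike-prop-example authentication-method pre-shared-keys
set security ike proposal ike-prop-example authentication-algorithm sha1
set security ike proposal ike-prop-example encryption-algorithm aes-128-cbc
set security ike proposal ike-prop-example dh-group group2
set security ipsec proposal ipsec-prop-example authentication-algorithm hmac-sha1-96
set security ipsec proposal ipsec-prop-example encryption-algorithm aes-256-cbc
set security ipsec policy ipsec-pol-example proposals ipsec-prop-example
"""

def audit(config):
    """Return (object name, setting, value) for every setting below the baseline."""
    findings, ipsec_policies, with_pfs = [], [], set()
    for raw in config.splitlines():
        m = SET_LINE.match(raw.strip())
        if not m:
            continue  # gateways, interfaces, PSK lines etc. are not checked here
        phase, kind, name, key, value = m.groups()
        if phase == "ipsec" and kind == "policy":
            if name not in ipsec_policies:
                ipsec_policies.append(name)
            if key == "keys":
                with_pfs.add(name)
        if value in BELOW_BASELINE.get(key, ()):
            findings.append((name, key, value))
    # Without a PFS line, Phase 2 keys are derived without a fresh DH exchange.
    findings += [(p, "perfect-forward-secrecy", "missing")
                 for p in ipsec_policies if p not in with_pfs]
    return findings

if __name__ == "__main__":
    for name, key, value in audit(SAMPLE):
        print(f"{name}: {key} = {value}")
```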
Each VPN Connection in AWS is redundant: by default, two tunnels terminated on two different public IP addresses are provided. You will find them in the “Tunnel Details” tab of your VPN Connection.
Of course you can configure only one tunnel and run without any redundancy, but if you decide to use both, proper traffic engineering is your responsibility.
Also remember to update the Security Group configuration so that traffic from your on-premise network is allowed to reach the server.
Configuring the SRX side of VPN to AWS Cloud
I will use a modified template to create a single VPN connection to AWS. Take note that I’ve hardened the configuration by changing all parameters:
set security ike proposal ike-prop-vpn-2a166661-1 authentication-method pre-shared-keys
set security ike proposal ike-prop-vpn-2a166661-1 authentication-algorithm sha-256
set security ike proposal ike-prop-vpn-2a166661-1 encryption-algorithm aes-256-cbc
set security ike proposal ike-prop-vpn-2a166661-1 lifetime-seconds 28800
set security ike proposal ike-prop-vpn-2a166661-1 dh-group group24
set security ike policy ike-pol-vpn-2a166661-1 mode main
set security ike policy ike-pol-vpn-2a166661-1 proposals ike-prop-vpn-2a166661-1
set security ike policy ike-pol-vpn-2a166661-1 pre-shared-key ascii-text Tr4c6HjZXIRp8gILkx0f1fUQ7HqHYatJ
set security ike gateway gw-vpn-2a166661-1 ike-policy ike-pol-vpn-2a166661-1
set security ike gateway gw-vpn-2a166661-1 external-interface ge-0/0/0.0
set security ike gateway gw-vpn-2a166661-1 address 126.96.36.199
set security ike gateway gw-vpn-2a166661-1 no-nat-traversal
set security ike gateway gw-vpn-2a166661-1 dead-peer-detection interval 10 threshold 3
set security ipsec proposal ipsec-prop-vpn-2a166661-1 protocol esp
set security ipsec proposal ipsec-prop-vpn-2a166661-1 authentication-algorithm hmac-sha-256-128
set security ipsec proposal ipsec-prop-vpn-2a166661-1 encryption-algorithm aes-256-cbc
set security ipsec proposal ipsec-prop-vpn-2a166661-1 lifetime-seconds 3600
set security ipsec policy ipsec-pol-vpn-2a166661-1 perfect-forward-secrecy keys group24
set security ipsec policy ipsec-pol-vpn-2a166661-1 proposals ipsec-prop-vpn-2a166661-1
set security ipsec vpn vpn-2a166661-1 ike gateway gw-vpn-2a166661-1
set security ipsec vpn vpn-2a166661-1 ike ipsec-policy ipsec-pol-vpn-2a166661-1
set security ipsec vpn vpn-2a166661-1 df-bit clear
set interfaces st0.1 family inet address 169.254.20.6/30
set interfaces st0.1 family inet mtu 1436
set security zones security-zone AWSVPN interfaces st0.1
set security ipsec vpn vpn-2a166661-1 bind-interface st0.1
set routing-options static route 10.0.0.0/24 next-hop st0.1
set security policies from-zone LAN to-zone AWSVPN policy PERMIT match source-address any
set security policies from-zone LAN to-zone AWSVPN policy PERMIT match destination-address any
set security policies from-zone LAN to-zone AWSVPN policy PERMIT match application any
set security policies from-zone LAN to-zone AWSVPN policy PERMIT then permit
The preferred deployment on SRX is a route-based VPN, but for devices such as Cisco ASA a policy-based deployment is possible.
AWS does not provide tools for troubleshooting at their end. All we can do is check the tunnel state under the “Tunnel Details” tab. So all troubleshooting has to be performed on the Customer Gateway.
VPNs in AWS are not free. In almost all regions you pay $0.05 per hour for each connection. That gives around $36 per VPN per month, plus standard fees for outgoing traffic.