Configuring AWS Site-to-Site VPN connection
To connect your On-Prem System to AWS VPC so it can access resources in that VPC, AWS Site-to-Site VPN is helpful.
NOTE: The On-prem network and the VPC must have non-overlapping (different) CIDR ranges for this to work.
- You should already have your subnets, with route tables associated, in this VPC. (For a custom VPC the route table can reach only local resources until we add a route to the internet via an Internet Gateway; internet access is not required right now.)
- Go to VPC > Virtual Private Gateway(left panel).
- Click Create Virtual Private Gateway.
- Give any Name Tag and choose Amazon default ASN (if you have a custom ASN you can provide that instead).
- Now it will be in the detached phase. Click Actions and Attach to VPC. Select the VPC that you need to attach to On-Prem.
- Once the VPC is attached to the gateway, look at the route table under 'Route Propagation': the gateway will show up with Propagate set to 'No'. Change that to 'Yes'.
Now we need to provide the identity of our On-prem devices to AWS VPC. For that, we will be creating a Customer Gateway.
1. Go to VPC > Customer Gateways.
2. Give a name.
3. Set Routing to Static (if you use Dynamic, you need to provide the ASN that the on-prem network uses).
4. Provide the publicly accessible IP address of that on-prem device.
(For the demo you can try creating an on-prem system by launching a Windows instance in a different AWS region, with its VPC configured to have public routes and a public IP address assigned. You can then provide that IP in the 4th step.)
5. Leave the Certificate ARN empty. Click 'Create Customer Gateway'.
Now let's connect the two using an AWS Site-to-Site VPN Connection.
- Go to Site-to-Site VPN connections from left panel
- Click Create VPN connection
- Give name tag, for target gateway type choose virtual private gateway.
- Select the VGW
- For Customer Gateway choose Existing, as we already created it beforehand. If you try to create it here, it will only offer Dynamic routing and you will need to provide an ASN.
- For the routing option, choose Static and enter the CIDR range of your On-Prem network (if using the demo on-prem, use the CIDR range of the VPC that has the Windows instance).
- Leave everything else as default unless you need to use your encryption keys and security features.
- Click create VPN connection
- It will be in pending state initially. Wait until it gets available.
- Once available, under Tunnel details you can see that both tunnels are DOWN. Once we start sending traffic from our Windows instance to this VPC, a tunnel will come up.
- Now Download the Configuration file by selecting that VPN and clicking the Download Configuration button.
- When we click Download Configuration, we are asked to choose the vendor platform and possibly the software currently running on our customer gateway device.
- Choose the appropriate vendor according to your On-Prem platform. For our demo we choose Microsoft, as we are using a Windows instance.
- For Software choose ‘2012 R2’
- Click Download
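The console steps above, done from PowerShell with the AWS CLI instead. This is an added example, not part of the original post; the VPC, route table, IP and CIDR values are placeholders to fill in, and the Windows-specific script still comes from the console's Download Configuration button.

```powershell
# Added example (not from the original post): the console steps, driven from
# PowerShell with the AWS CLI. Every ID and address below is a placeholder.
$VpcId          = 'vpc-0123456789abcdef0'  # VPC the on-prem network should reach
$RouteTableId   = 'rtb-0123456789abcdef0'  # route table of that VPC's subnets
$OnPremPublicIp = '203.0.113.10'           # public IP of the on-prem (Windows) device
$OnPremCidr     = '10.20.0.0/16'           # on-prem CIDR; must not overlap the VPC CIDR

# 1. Virtual Private Gateway (Amazon default ASN), attached to the VPC
$VgwId = aws ec2 create-vpn-gateway --type ipsec.1 `
    --query 'VpnGateway.VpnGatewayId' --output text
aws ec2 attach-vpn-gateway --vpn-gateway-id $VgwId --vpc-id $VpcId | Out-Null

# 2. Route propagation = YES, so the VGW can inject the on-prem route once a tunnel is up
aws ec2 enable-vgw-route-propagation --route-table-id $RouteTableId --gateway-id $VgwId

# 3. Customer Gateway = the identity of the on-prem device (static routing, no certificate).
#    The API requires a BGP ASN even for static routing; 65000 is from the private range.
$CgwId = aws ec2 create-customer-gateway --type ipsec.1 --public-ip $OnPremPublicIp `
    --bgp-asn 65000 --query 'CustomerGateway.CustomerGatewayId' --output text

# 4. Site-to-Site VPN connection, static routes only, with the on-prem CIDR as its route
$VpnId = aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id $CgwId `
    --vpn-gateway-id $VgwId --options StaticRoutesOnly=true `
    --query 'VpnConnection.VpnConnectionId' --output text
aws ec2 create-vpn-connection-route --vpn-connection-id $VpnId --destination-cidr-block $OnPremCidr

# 5. Wait until the connection leaves the 'pending' state
do {
    Start-Sleep -Seconds 15
    $state = aws ec2 describe-vpn-connections --vpn-connection-ids $VpnId `
        --query 'VpnConnections[0].State' --output text
    Write-Host "VPN $VpnId is $state"
} while ($state -eq 'pending')

# 6. Save the generic (vendor-neutral) tunnel configuration: outside IPs and pre-shared
#    keys. Protect the file like a credential.
aws ec2 describe-vpn-connections --vpn-connection-ids $VpnId `
    --query 'VpnConnections[0].CustomerGatewayConfiguration' --output text |
    Set-Content -Path C:\vpn-config.xml -Encoding ascii
```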
- Now open that configuration file:
- Scroll down till you see lines like:
Now, in both scripts (Tunnel 1 and Tunnel 2), we need to make a few changes.
- For Local Tunnel Endpoint: replace [Windows_Server_Private_IP_address] with the private IP address of your on-prem Windows server.
- For Endpoint 1: replace [Your_Static_Route_IP_Prefix] with the CIDR range of the On-Prem network.
- For Endpoint 2: replace [Your_Static_Route_IP_Prefix] with the CIDR range of the On-Net VPC.
As we are going to run this in PowerShell on Windows Server 2019, replace the (^) at the end of each line of the script with (`).
e.g.
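The edits above as a script, so the two tunnel scripts are rewritten consistently and nothing is left half-edited. This is an added example, not part of the original post; it assumes you have pasted the two tunnel scripts from the downloaded file into the text file named in $ConfigPath, and the IPs and CIDRs are placeholders.

```powershell
# Added example (not from the original post): rewrite the downloaded Windows
# configuration so it runs from PowerShell. Paths, IPs and CIDRs are placeholders.
$ConfigPath    = 'C:\Users\Administrator\Downloads\vpn-tunnels.txt'  # the two tunnel scripts
$OutputPath    = 'C:\vpn-tunnels.ps1'
$WindowsPrivIp = '10.20.1.25'     # private IP of the on-prem Windows server
$OnPremCidr    = '10.20.0.0/16'   # Endpoint1: the on-prem network
$VpcCidr       = '172.31.0.0/16'  # Endpoint2: the On-Net VPC

$lines = Get-Content -Path $ConfigPath

$rewritten = foreach ($line in $lines) {
    $l = $line
    # Local tunnel endpoint is this server's private address, not its public one
    $l = $l -replace '\[Windows_Server_Private_IP_address\]', $WindowsPrivIp
    # Both endpoints carry the same placeholder text, so substitute by parameter name,
    # never globally: Endpoint1 is the on-prem side, Endpoint2 is the VPC side.
    $l = $l -replace 'Endpoint1=\[[^\]]+\]', "Endpoint1=$OnPremCidr"
    $l = $l -replace 'Endpoint2=\[[^\]]+\]', "Endpoint2=$VpcCidr"
    # cmd.exe line continuation (^) becomes the PowerShell continuation (`)
    $l = $l -replace '\s*\^\s*$', ' `'
    $l
}

# Sanity check: no bracketed placeholder may survive, or netsh will reject the rule
$leftover = $rewritten | Select-String -Pattern '\[[A-Za-z_]+\]' -AllMatches
if ($leftover) {
    throw "Unreplaced placeholders remain: $($leftover.Matches.Value -join ', ')"
}

Set-Content -Path $OutputPath -Value $rewritten -Encoding ascii
# The script contains the tunnels' pre-shared keys: restrict it to Administrators and SYSTEM
icacls $OutputPath /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' | Out-Null
Write-Host "Wrote $OutputPath; review it, then run it from an elevated PowerShell."
```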
Now log into your Windows Server:
1. Open PowerShell.
2. Run the following two commands to disable Internet Explorer Enhanced Security Configuration for Administrators:
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}" -Name "IsInstalled" -Value 0 -Force
Stop-Process -Name iexplore -ErrorAction SilentlyContinue
3. To begin configuration for VPN services, run the following three commands in PowerShell (they disable IPv4, TCP and UDP checksum offloading on the network adapter):
Set-NetAdapterAdvancedProperty -DisplayName "IPv4 Checksum Offload" -DisplayValue "Disabled"
Set-NetAdapterAdvancedProperty -DisplayName "TCP Checksum Offload (IPv4)" -DisplayValue "Disabled"
Set-NetAdapterAdvancedProperty -DisplayName "UDP Checksum Offload (IPv4)" -DisplayValue "Disabled"
4. Now run the following commands. The first downloads a feature-configuration file (it comes from a third-party bucket, so read it before you install from it), the second installs the Remote Access role from that file and restarts the server, and the third configures RRAS for site-to-site VPN:
Invoke-WebRequest https://steveatacg.s3-us-west-1.amazonaws.com/advnetspec/Win2019VPNServerConfig.xml -OutFile c:\config.xml
Install-WindowsFeature -ConfigurationFilePath c:\config.xml -computername $env:COMPUTERNAME -Restart
Install-RemoteAccess -VpnType VpnS2S
Doing this on 2019 (and apparently 2016) restricts RRAS management to the PowerShell tools. This seems to have no impact on the AWS configuration steps.
5. Now copy the commands from the configuration file which we edited and run them in PowerShell.
NOTE: Running these commands will overwrite any other VPN settings on the system. For the demo we are running on an AWS Windows Server instance, so I don't have any other VPN connection configured. But if you need any other VPN connections, keep in mind that this is going to overwrite those VPN settings.
Now go to Windows Defender Firewall with Advanced Security:
- Click on Connection Security Rules; you should see two rules, one for each AWS VPN endpoint. That is really what we were configuring: two VPN policies in an active/passive configuration.
- Whenever traffic from our local network (identified by Endpoint 1) is sent to the private IP address of our customer gateway device, destined for the IP address range of the VPC, the Routing and Remote Access service will use one of these connection security rules. Only one is used, and it doesn't matter which, to establish an IKE and IPsec tunnel pair to one of the endpoints at AWS. Once that tunnel has been established, traffic will be able to flow.
- Right now, of course, we haven't sent any traffic. So if we look under Monitoring > Security Associations, you'll see a folder for Main Mode security associations and another for Quick Mode security associations.
- Main mode is another way of referring to IKE tunnels, or phase 1 tunnels, and quick mode is another way of referring to IPsec, or phase 2, tunnels. Right now we have no security associations in either folder, because we haven't started any; but we are now in a position to go to our final phase.
- Now ping the private IP address of any of our On-Net VPC servers. The first few pings will fail, but if you try again you will see that we are able to reach that VPC server from our On-Prem Windows system. It takes some seconds to get the VPN tunnel established, and clearly that is longer than the timeout of the echo-response message.
- We can go back to Windows Defender Firewall to our Security Associations and we see under main mode that we have a security association established. That’s our phase one IKE tunnel and we have a quick mode security association established that’s our phase 2 IPsec tunnel.
- Now go back to the On-Net VPC, Site-to-Site VPN connections, select your VPN connection, and below in Tunnel details you can see that one of the tunnels is up and running.
- The other one is still down. Again, remember that by default our two tunnel endpoints are used in an active/passive fashion.
- We can go back to our route table, and now we will see a route for our on-prem CIDR range (that is why we changed route propagation to Yes). As long as traffic continues to move through the tunnel, this route will remain in the route table, but when the tunnel times out our virtual private gateway will remove that route.
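The checks described above (connection security rules, main/quick mode SAs, tunnel status and the propagated route) as one script run on the on-prem Windows server. This is an added example, not part of the original post; it assumes the AWS CLI is installed on that server, and the VPC host, VPN connection and route table IDs are placeholders.

```powershell
# Added example (not from the original post): check the tunnel from both ends.
# Run on the on-prem Windows server with the AWS CLI installed; values are placeholders.
$VpcHost      = '172.31.10.5'            # any private IP inside the VPC
$VpnId        = 'vpn-0123456789abcdef0'  # the Site-to-Site VPN connection
$RouteTableId = 'rtb-0123456789abcdef0'  # route table with propagation enabled

# 1. The two connection security rules the netsh scripts created (one per AWS endpoint)
Get-NetIPsecRule | Where-Object { $_.Mode -eq 'Tunnel' } |
    Select-Object DisplayName, Enabled, Mode

# 2. Interesting traffic brings the tunnel up. The first echoes time out while IKE
#    negotiates, so retry a few times instead of trusting a single ping.
$reached = $false
for ($try = 1; $try -le 6 -and -not $reached; $try++) {
    $reached = Test-Connection -ComputerName $VpcHost -Count 2 -Quiet
    if (-not $reached) { Start-Sleep -Seconds 5 }
}
Write-Host "VPC host $VpcHost reachable over the tunnel: $reached"

# 3. Phase 1 (main mode / IKE) and phase 2 (quick mode / IPsec) security associations
Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint, CipherAlgorithm, HashAlgorithm
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint, EncapsulationMode

# 4. AWS side: one tunnel UP and one DOWN (active/passive), and the on-prem route that
#    the VGW propagated into the route table while the tunnel is up
aws ec2 describe-vpn-connections --vpn-connection-ids $VpnId `
    --query 'VpnConnections[0].VgwTelemetry[].[OutsideIpAddress,Status,StatusMessage]' `
    --output table
aws ec2 describe-route-tables --route-table-ids $RouteTableId `
    --query 'RouteTables[0].Routes[?Origin==`EnableVgwRoutePropagation`].[DestinationCidrBlock,GatewayId,State]' `
    --output table
```

If step 4 shows both tunnels DOWN and step 3 lists no security associations, the rules from step 1 are not matching the traffic; re-check the Endpoint1/Endpoint2 CIDRs and the local tunnel endpoint in the edited scripts.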
That's it, you have successfully configured an AWS Site-to-Site VPN connection from your On-Prem Windows system.