Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Oscar_David_Gom
Contributor
Contributor

VSX VPN with AWS

HI

 

I have a R80.10 VSX cluster, one of my VS is manging our VPNS, today I recevied a request of creating a VPN against AWS, they send us a txt file generated from AWS where indicate the step by step for creating it, the problem started with first step: Creating a Tunnel interface, as we are using VSX, that is not supported, so what we do was:

 

1. Creating a Star community

2. Add as the center my VS and for the satellite the interoperable device configured as usual (Public IP, encryption domain, etc).

3. Setting parameters of encryption, etc. as said by txt configuration file from aws.

 

1. Under Security Policies choose "VPN Communities" and click "New", "Star Community".
 2. Choose "General" and provide a name :  vpn-0a265dfe8bec93511. 
 3. For "Center Gateways", add your gateway or cluster.
 4. For "Satellite Gateways", add the interoperable devices that you created before. 
 5. For "Encryption", choose "IKEv1 only". 
 6. In the "Encryption Suite" section, choose "Custom", "Custom Encryption".
 7. Configure the properties as follows:
  Phase 1 Properties - Internet Key Exchange (IKE)
  a. Perform key exchange encryption with: aes128 
  b. Perform data integrity with: sha1

 Phase 2 Properties -IPSEC
 a. Perform IPsec data encryption with: aes128 
 b. Perform data integrity with: sha1 
 
 8. For "Tunnel Management", choose "Set Permanent Tunnels", "On all tunnels in the community". 
 9. In the "VPN Tunnel Sharing" section, choose "One VPN tunnel per Gateway pair". 
 10. Expand "Advanced Settings". For "Shared Secret":  *************
 11. For "Advanced VPN Properties", configure the properties as follows:
   IKE (Phase 1)
   a. Use Diffie-Hellman group: 2 
   b. IKE SA lifetime: 28800 seconds 
    IPSEC (Phase 2) a. Use Perfect Forward Secrecy: Checked b. IPSEC SA Lifetime: 3600 sec 

 12. Click OK to close the VPN Window

4. Configuring tunnel_keep_alive method for dpd.

5. Creating the rule.

6. Installing policies.

Result: VPN is always Down, so my question is, how to configure a vpn against amazon when i'm using VSX?

 

Thanks.

0 Kudos
4 Replies
_Val_
Admin
Admin

0 Kudos
am
Participant

This question keeps popping up and no direct answer has been seen yet. Has anybody been able to create a VPN tunnel between AWS and VSX? And if yes, can you share your setup? Or even between AWS and "nonVTI" VPN with regular CP gateway.

0 Kudos
Hieu_le
Explorer

Have you done it? @Oscar_David_Gom 

0 Kudos
Oscar_David_Gom
Contributor
Contributor

Hi, 

 

Yes, we could stablish the VPN, we configured it as a policy based VPN (mesh, encription domains on fw and interoperable device, permanent tunnel, etc.) and in the guidbedit we changed keep alive method to dpd in both, aws and on prem firewall objects, save changes, install policy and it immediately goes UP. 

 

David.

  

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events