Something that I had been meaning to do for a long time was to create a VPN connection between my home lab (a VMware based nested ESXi environment in my basement) to one of my AWS VPCs.
Overview – As this is a simple setup, we’re going to go with a single VPN connection scenario:
There are several prerequisites that you are going to make sure that you have in place before doing this:
A local environment that has a different CIDR block range than your VPC. My local environment is 192.168.1.0/24 and my VPC is 172.31.0.0/16.
A local VM that you can use as your Customer Gateway. For this example, I’m going to use a Windows 2012 box and install the necessary VPN components onto it as we proceed.
At least one instance in your VPC to test with 😉
If you are running firewalls, you need to poke the correct holes (UDP 500 and TCP 50 inbound/outbound) where necessary on your side, as well as allow ICMP (at least) in your VPC.
The steps, in order, are as follows:
Step 1: Create a VPN Connection
Step 2: Download the Configuration File for the VPN Connection
Step 3: Configure the Windows Server
Step 4: Set Up the VPN Tunnel
Step 5: Establish tunnel from Windows (Customer Gateway)
Step 6: Configure the Windows Firewall
Step 7: Enable Dead Gateway Detection
Step 8: Test the VPN Connection
Create a VPN Connection
Create a Virtual Private Gateway on VPC
Attach the VPG to the relevant VPC:
Download the configuration of your newly created VPN Connection:
Configure the Windows Server (Customer Gateway)
To install Routing and Remote Access Services on Windows Server 2012 R2
- Log on to the Windows Server 2012 R2 server.
- Go to the Start menu, and choose Server Manager.
-
Install Routing and Remote Access Services:
- From the Manage menu, choose Add Roles and Features.
- On the Before You Begin page, verify that your server meets the prerequisites, and then choose Next.
- Choose Role-based or feature-based installation, and then choose Next.
- Choose Select a server from the server pool, select your Windows 2012 R2 server, and then choose Next.
- Select Network Policy and Access Services in the list. In the dialog box that displays, choose Add Features to confirm the features that are required for this role.
- In the same list, choose Remote Access, and then choose Next.
- On the Select features page, choose Next.
- On the Network Policy and Access Services page, choose Next. Leave Network Policy Server selected, and choose Next.
- On the Remote Access page, choose Next. On the next page, select DirectAccess and VPN (RAS). In the dialog box that displays, choose Add Features to confirm the features that are required for this role service. In the same list, select Routing, and then choose Next.
- On the Web Server Role (IIS) page, choose Next. Leave the default selection, and choose Next.
- Choose Install. When the installation completes, choose Close.
To configure and enable Routing and Remote Access Server
- On the dashboard, choose Notifications (the flag icon). There should be a task to complete the post-deployment configuration. Choose the Open the Getting Started Wizard link.
- Choose Deploy VPN only.
- In the Routing and Remote Access dialog box, choose the server name, choose Action, and select Configure and Enable Routing and Remote Access.
- In the Routing and Remote Access Server Setup Wizard, on the first page, choose Next.
- On the Configuration page, choose Custom Configuration and Next.
- Choose LAN routing, Next, and Finish.
- When prompted by the Routing and Remote Access dialog box, choose Start service.
Setup the VPN tunnel:
Update your route tables for the VPN connection:
Add a route to your private subnet’s route table with the virtual private gateway as the target, and the Windows server’s network (CIDR range) as the destination.
Enable route propagation for the virtual private gateway. This was the part that hung me up for a bit. My networking is rusty so I had to troubleshoot this for a bit before I got it working properly.
Establish tunnel from Windows (Customer Gateway)
Copy the netsh script from the downloaded configuration file and replace the variables:
That’s the easiest way to do it, you can also do it manually using the following steps (but only do this if the 1st option doesn’t work):
- Open Server Manager, choose Tools, and select Windows Firewall with Advanced Security.
-
Select Connection Security Rules, choose Action, and then New Rule.
- In the New Connection Security Rule wizard, on the Rule Type page, choose Tunnel, and then choose Next.
- On the Tunnel Type page, under What type of tunnel would you like to create, choose Custom configuration. Under Would you like to exempt IPsec-protected connections from this tunnel, leave the default value checked (No. Send all network traffic that matches this connection security rule through the tunnel), and then choose Next.
-
On the Requirements page, choose Require authentication for inbound connections. Do not establish tunnels for outbound connections, and then choose Next.
- On Tunnel Endpoints page, under Which computers are in Endpoint 1, choose Add. Enter the CIDR range of your network (behind your Windows server customer gateway; for example, 172.31.0.0/16 ), and then choose OK. (Note that the range can include the IP address of your customer gateway.)
- Under What is the local tunnel endpoint (closest to computer in Endpoint 1), choose Edit. In the IPv4 address field, enter the private IP address of your Windows server, and then choose OK.
- Under What is the remote tunnel endpoint (closest to computers in Endpoint 2), choose Edit. In the IPv4 address field, enter the IP address of the virtual private gateway for Tunnel 1 from the configuration file (see Remote Tunnel Endpoint), and then choose OK.
-
You must scroll in the dialog box until you locate Which computers are in Endpoint 2. Do not choose Next until you have completed this step, or you won’t be able to connect to your server.
- Confirm that all the settings you’ve specified are correct, and then choose Next.
- On the Authentication Method page, select Advanced, and then choose Customize.
- Under First authentication methods, choose Add.
- Select Preshared key, enter the pre-shared key value from the configuration file, and choose OK.
- Ensure that First authentication is optional is not selected, and choose OK.
- Choose Next.
- On the Profile page, select all three checkboxes: Domain, Private, and Public, and then choose Next.
-
On the Name page, enter a name for your connection rule and then choose Finish.
Configure the Windows Firewall
- Open Server Manager, choose Tools, select Windows Firewall with Advanced Security, and then choose Properties.
- On the IPsec Settings tab, under IPsec exemptions, verify that Exempt ICMP from IPsec is No (default). Verify that IPsec tunnel authorization is None.
- Under IPsec defaults, choose Customize.
- Under Key exchange (Main Mode), select Advanced and then choose Customize.
- In Customize Advanced Key Exchange Settings, under Security methods, verify that these default values are used for the first entry.
- Integrity: SHA-1
- Encryption: AES-CBC 128
- Key exchange algorithm: Diffie-Hellman Group 2
- Under Key lifetimes, verify that Minutes is 480 and Sessions is 0.
- Under Key exchange options, select Use Diffie-Hellman for enhanced security, and then choose OK.
- Under Data protection (Quick Mode), select Advanced, and then choose Customize.
- Select Require encryption for all connection security rules that use these settings.
- Under Data integrity and encryption, leave the default values:
- Protocol: ESP
- Integrity: SHA-1
- Encryption: AES-CBC 128
- Lifetime: 60 minutes
Enable Dead Gateway Detection
Next, you need to configure TCP to detect when a gateway becomes unavailable. You can do this by modifying this registry key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. Do not perform this step until you’ve completed the preceding sections. After you change the registry key, you must reboot the server.
- From your Windows server, launch the command prompt or a PowerShell session, and type regedit to start Registry Editor.
- Expand HKEY_LOCAL_MACHINE, expand SYSTEM, expand CurrentControlSet, expand Services, expand Tcpip, and then expand Parameters.
- From the Edit menu, select New and select DWORD (32-bit) Value.
- Enter the name EnableDeadGWDetect.
- Select EnableDeadGWDetect, and choose Modify from the Edit menu.
- In Value data, enter 1, and then choose OK.
Test the VPN connection!
If you did everything correctly, you should now be able to ping your AWS instance from an on-prem box and vice versa!
If you run into any problems, or I’ve fudged a step here please let me know in the comments J
After going through many blogs, your blogs gave a great info to setup vpn site to site successfully.
I am going through only one issue, If i ping from aws to onprem, there is a ping latency, i mean if you see the sequence ping requests, its not continuous, where in when i off the firewall of RRAS 2012 r2, its continuous, but when i off the firewall, i cant connect to vm thats on aws where i can connect from aws to onprem. any thoughts where the issue is?
here if you see the ping seq is so delayed and it stops
PING 192.168.1.115 (192.168.1.115) 56(84) bytes of data.
64 bytes from 192.168.1.115: icmp_seq=15 ttl=127 time=44.9 ms
When i off the firewall in RRAS, it connection flows
PING 192.168.1.109 (192.168.1.109) 56(84) bytes of data.
64 bytes from 192.168.1.109: icmp_seq=1 ttl=128 time=43.3 ms
64 bytes from 192.168.1.109: icmp_seq=2 ttl=128 time=43.2 ms
64 bytes from 192.168.1.109: icmp_seq=3 ttl=128 time=43.2 ms
64 bytes from 192.168.1.109: icmp_seq=4 ttl=128 time=43.2 ms
64 bytes from 192.168.1.109: icmp_seq=5 ttl=128 time=43.4 ms
64 bytes from 192.168.1.109: icmp_seq=6 ttl=128 time=43.2 ms
Hi Ravi,
Make sure that your route tables on both sides route correctly.
On-prem should route to AWS
AWS should route (for your specific IP range) back to on-prem
Hi,
I have a comment, is the (TCP 50) a correct port to be opened on the firewall for setting up VPN?
I think it should be (IP 50), not (TCP 50).
Please verify this information.
Regards,
I don’t know which ip address is on customer gateway. Is it the elastic ip address you registered or the public ip address of the VPC Internet gateway?
Hi Phi! The customer gateway is your company’s external facing IP address. If you are testing this at home you can go to https://whatismyipaddress.com/ to grab it 🙂