
Open Community

Solved

Features and system

Virtual Private Cloud through Arkoon and Amazon

Asked by mmonte, updated

Hi,

Has anyone ever tried to build a VPC using Arkoon?
For redundancy, a double tunnel that uses BGP is required.
The required RFCs are: 2409, 4301, 3602, 2404, 3706, 4459, 4271, plus binding the tunnel to a logical interface (route-based VPN):
"Your gateway must support the ability to bind the IPsec tunnel to a logical interface. The logical interface contains an IP address used to establish BGP peering to the virtual private gateway. This logical interface should perform no additional encapsulation (e.g., GRE, IP in IP). Your interface should be set to a 1436 byte Maximum Transmission Unit (MTU). An MTU up to 1500 bytes is supported."

The complete documentation link is:
http://aws.amazon.com/documentation/vpc/

5 answers

Posted by mmonte

Ciao Xavier,

when Amazon talks about a route-based VPN, it means the possibility to bind the IPsec tunnel to a logical interface.
The logical interface contains an IP address used to establish BGP peering to the virtual private gateway.

On a Cisco router the configuration is like this (comments use the IOS "!" syntax):

interface Tunnel1
 ! my route-based interface
 ip address 169.254.255.2 255.255.255.252
 ip virtual-reassembly
 ! my public IP
 tunnel source 85.18.250.182
 ! Amazon public IP
 tunnel destination 72.21.209.225
 tunnel mode ipsec ipv4
 ! the VPN profile
 tunnel protection ipsec profile ipsec-vpn-44a8938f-0

On Arkoon Manager I can create a Community using only a host, a network or "the Arkoon special object".
Topology is typically: myLAN===myFIREWALL...remoteLAN===remoteFIREWALL
But in this case it seems to me that the config is: myINTERFACE===myFIREWALL...remoteFIREWALL
How can I make this topology with Arkoon?

Posted by mmonte

Example configuration for generic firewall:
VPN Connection Configuration
================================================================================
A VPN Connection consists of a pair of IPSec tunnel security associations (SAs).
It is important that both tunnel security associations be configured.


IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration

Configure the IKE SA as follows
- Authentication Method    : Pre-Shared Key
- Pre-Shared Key           : rlDCck2TbdM9cmAs3LxfK7Bowaq4JTrZ
- Authentication Algorithm : sha1
- Encryption Algorithm     : aes-128-cbc
- Lifetime                 : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
- Protocol                 : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm     : aes-128-cbc
- Lifetime                 : 3600 seconds
- Mode                     : tunnel
- Perfect Forward Secrecy  : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
- DPD Interval             : 10
- DPD Retries              : 3

IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:
- TCP MSS Adjustment       : 1396 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation            : Before encryption

#3: Tunnel Interface Configuration


Outside IP Addresses:
- Customer Gateway                 : 85.18.250.182
- Virtual Private Gateway            : 87.238.85.40

Inside IP Addresses
- Customer Gateway                 : 169.254.254.2/30
- Virtual Private Gateway             : 169.254.254.1/30

Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU     : 1436 bytes

#4: Border Gateway Protocol (BGP) Configuration:


BGP Configuration Options:
- Customer Gateway ASN              : 65000
- Virtual Private Gateway ASN       : 9059
- Neighbor IP Address               : 169.254.254.1
- Neighbor Hold Time       : 30


IPSec Tunnel #2
================================================================================
#1: Internet Key Exchange Configuration

Configure the IKE SA as follows
- Authentication Method    : Pre-Shared Key
- Pre-Shared Key           : p5G0eBHTK84.ou6u0gVnjIfJCatUlvnu
- Authentication Algorithm : sha1
- Encryption Algorithm     : aes-128-cbc
- Lifetime                 : 28800 seconds
- Phase 1 Negotiation Mode : main
- Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration

Configure the IPSec SA as follows:
- Protocol                 : esp
- Authentication Algorithm : hmac-sha1-96
- Encryption Algorithm     : aes-128-cbc
- Lifetime                 : 3600 seconds
- Mode                     : tunnel
- Perfect Forward Secrecy  : Diffie-Hellman Group 2

IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
recommend configuring DPD on your endpoint as follows:
- DPD Interval             : 10
- DPD Retries              : 3

IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space,
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following
configuration on your Customer Gateway:
- TCP MSS Adjustment       : 1396 bytes
- Clear Don't Fragment Bit : enabled
- Fragmentation            : Before encryption

#3: Tunnel Interface Configuration

Outside IP Addresses:
- Customer Gateway                 : 85.18.250.182
- Virtual Private Gateway            : 87.238.85.44

Inside IP Addresses
- Customer Gateway                 : 169.254.254.6/30
- Virtual Private Gateway             : 169.254.254.5/30

Configure your tunnel to fragment at the optimal size:
- Tunnel interface MTU     : 1436 bytes

#4: Border Gateway Protocol (BGP) Configuration:


BGP Configuration Options:
- Customer Gateway ASN              : 65000
- Virtual Private Gateway ASN       : 9059
- Neighbor IP Address               : 169.254.254.5
- Neighbor Hold Time       : 30

Configure BGP to announce routes to the Virtual Private Gateway.

The gateway will announce prefixes to your customer gateway based upon the prefix you
assigned to the VPC at creation time.


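As an added example (not from the thread, AWS or Arkoon), here is a small Python parser for the generic configuration format above, with checks for the requirements quoted in the question: exactly two tunnels, a /30 inside pair per tunnel with the BGP neighbor on it, an MTU in the 1436-1500 range, and a TCP MSS of MTU - 40 (the 1436/1396 pair in the text). The sample text is a constructed, trimmed copy of that format, not the real configuration.

```python
import ipaddress

# Constructed sample in the AWS "generic" format quoted in the thread, trimmed to the checked fields.
SAMPLE = """\
IPSec Tunnel #1
- TCP MSS Adjustment       : 1396 bytes
Inside IP Addresses
- Customer Gateway                 : 169.254.254.2/30
- Virtual Private Gateway             : 169.254.254.1/30
- Tunnel interface MTU     : 1436 bytes
- Neighbor IP Address               : 169.254.254.1
IPSec Tunnel #2
- TCP MSS Adjustment       : 1396 bytes
Inside IP Addresses
- Customer Gateway                 : 169.254.254.6/30
- Virtual Private Gateway             : 169.254.254.5/30
- Tunnel interface MTU     : 1436 bytes
- Neighbor IP Address               : 169.254.254.5
"""

def parse_generic_config(text):
    """Map tunnel number -> {field: value}; gateway address lines get an Outside/Inside prefix."""
    tunnels, cur, scope = {}, None, ""
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("IPSec Tunnel #"):
            cur, scope = tunnels.setdefault(int(line.split("#")[1]), {}), ""
        elif line.startswith(("Outside IP", "Inside IP")):
            scope = line.split()[0] + " "  # the two gateway lines recur under each header
        elif cur is not None and line.startswith("- ") and ":" in line:
            key, _, val = line[2:].partition(":")
            key = " ".join(key.split())  # collapse the column padding and doubled spaces
            cur[scope + key if key.endswith("Gateway") else key] = val.strip()
    return tunnels

def check_tunnels(tunnels):
    """Return findings against the requirements quoted in the thread (empty list = all good)."""
    findings = [] if sorted(tunnels) == [1, 2] else ["need exactly two tunnels for redundancy"]
    for n, t in sorted(tunnels.items()):
        mtu = int(t["Tunnel interface MTU"].split()[0])
        mss = int(t["TCP MSS Adjustment"].split()[0])
        cgw = ipaddress.ip_interface(t["Inside Customer Gateway"])
        vgw = ipaddress.ip_interface(t["Inside Virtual Private Gateway"])
        checks = [
            (1436 <= mtu <= 1500, f"MTU {mtu} outside the 1436-1500 range"),
            (mss == mtu - 40, f"MSS {mss} != MTU - 40 (20-byte IPv4 + 20-byte TCP header)"),
            (cgw.network == vgw.network and cgw.network.prefixlen == 30, "inside addresses not in one /30"),
            (str(vgw.ip) == t["Neighbor IP Address"], "BGP neighbor is not the VGW inside address"),
        ]
        findings += [f"tunnel {n}: {msg}" for ok, msg in checks if not ok]
    return findings
```

Running it on the full AWS text works as well, since the duplicated "Customer Gateway" lines under the Outside and Inside headers are kept apart by the prefix.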
Posted by Xavier P. - Arkoon (Arkoon Expert)

A ticket has been opened with Arkoon support to study this subject...

Posted by Xavier P. - Arkoon (Arkoon Expert)

After investigations, it is possible on NPA or P appliance but not on XPA appliance.
