I found a need to simplify network topologies. With the use of VDI, there is no more need to use tunnels, with few exceptions. Between VDI and teleworker phones, things get simple and cheap when it comes to networking. So let's replace Cisco with AWS, pfSense, and Ubiquiti.
- Create a VPC. Make sure to choose a CIDR range that works for your needs.
- Create a Virtual Private Gateway, and attach to your VPC.
- Start creating customer gateways, found under the VPN Connections section.
pfSense Single Router Site
The current datacenter uses a primary and backup ISP. We advertise the same subnet over both using BGP. The router is a VM with HA enabled on the hypervisor, so this will be treated as a single site.
- Make sure you are on version 2.4.4-RELEASE or higher. I found problems with BGP on lower versions of pfSense.
- I will not go into great detail here (I need a proper blog for that), but there are great tutorials for this on the internet already. I will say that the lack of VTI support is a slight issue, as you have to specify the remote subnets in your P2 (phase 2) settings. Otherwise BGP only learns the routes, and traffic for them never matches a tunnel.
EdgeRouter Pro Dual Router Site
For my first large remote site, I have gone with dual EdgeRouter Pros. One is on a DIA and the other on broadband for backup. I did reach out to AWS support to determine the best approach. They said their system recognizes path preferences and we should implement route policies. Their reply:
This can be set up fairly easily using AWS VPN and BGP. In order to make it super easy to understand, I've made a network diagram (see attachment). In the diagram, a Virtual Private Gateway (VGW) is attached to a VPC. There exist a few remote sites (2 in the diagram), each having 2 routers acting as Customer Gateway (CGW). Each CGW has a VPN connection (2 BGP tunnels) with the VGW.
In BGP active/active configuration, you can influence how traffic flows between the VPN endpoints:
- VGW selects the preferred tunnel with shorter AS_PATH prepending.
- CGW selects the tunnel with higher Local Preference value.
You can influence routing by modifying AS_PATH prepending and/or Local Preference value. Please note that this solution works only on route-based VPN. So kindly check if your CGW is configured to use route-based VPN. In the diagram, LP stands for Local Preference. On the basis of the above 2 statements, routing for Remote Site 1 is prioritised as follows:
Priority  AS Path   Local Preference
1         1         400
2         2,2       300
3         3,3,3     200
4         4,4,4,4   100
i.e. Lower AS Path and Higher Local Preference is preferred for traffic flow from VGW to CGW and vice versa respectively. Tunnel with priority 1 will always be preferred. In case this tunnel goes DOWN, then the traffic flow will shift to the next higher priority tunnel, i.e. Tunnel 2. This way we can ensure that no routing issues occur. Similarly, routing for other sites will work. You may follow a similar architecture for your setup as well.
Also, I would like to point out that this architecture will be cost effective and fairly simple if only a single VPC is involved in the setup. However, if you wish to have more VPCs, then I would recommend you to check out AWS Transit VPC. This solution uses an AWS CloudFormation stack to launch and configure all of the AWS resources for you. A Transit VPC simplifies network management and minimizes the number of connections that you need to set up and manage. I hope this information helps.
If you require any further assistance, please feel free to reach out to us. Cheers!
So we will follow this example to set up our site.
- The route map needed is as follows (WIP, still testing and may not work). The prepend has to be applied on export, because it is the VGW that compares AS_PATH length on the routes it receives from us, and the ASN prepended should be the router's own (65002 here), repeated once per step of lower priority.
set policy route-map AWS1 description 'as-path lower-is-better'
set policy route-map AWS1 rule 10 action permit
set policy route-map AWS1 rule 10 set as-path-prepend '65002'
set protocols bgp 65002 neighbor 169.254.xxx.xxx route-map export AWS1
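To check that the prepend/local-preference scheme from the support reply actually gives symmetric failover, and to generate the EdgeOS lines for each tunnel priority rather than hand-typing them, here is an added model (my example, not code from the original post, AWS or Ubiquiti). It assumes the post's ASN 65002; the tunnel names and the inside-tunnel address 169.254.0.1 are constructed.

```python
# Added example: model of the tunnel-priority scheme (shortest AS_PATH wins at the VGW,
# highest LOCAL_PREF wins at the CGW) plus a generator for the matching EdgeOS policy lines.
from dataclasses import dataclass
from typing import List, Optional
LOCAL_AS = 65002  # CGW ASN used in the post's config

@dataclass
class Tunnel:
    name: str
    priority: int  # 1 = most preferred, 4 = least, as in the support reply's table
    up: bool = True

def as_path(t: Tunnel) -> List[int]:
    """AS_PATH the VGW sees: our ASN once, plus (priority - 1) prepended copies."""
    return [LOCAL_AS] * t.priority

def local_pref(t: Tunnel) -> int:
    """LOCAL_PREF the CGW sets on routes learned over this tunnel (400, 300, 200, 100)."""
    return 500 - 100 * t.priority

def vgw_best(tunnels: List[Tunnel]) -> Optional[str]:
    """VGW -> CGW direction: shortest AS_PATH among tunnels that are up."""
    up = [t for t in tunnels if t.up]
    return min(up, key=lambda t: len(as_path(t))).name if up else None

def cgw_best(tunnels: List[Tunnel]) -> Optional[str]:
    """CGW -> VGW direction: highest LOCAL_PREF among tunnels that are up."""
    up = [t for t in tunnels if t.up]
    return max(up, key=local_pref).name if up else None

def edgeos_policy(t: Tunnel, neighbor: str) -> List[str]:
    """EdgeOS 'set' lines for one tunnel: prepend on export, local-preference on import."""
    lines = []
    if t.priority > 1:
        prepend = " ".join([str(LOCAL_AS)] * (t.priority - 1))
        lines += [f"set policy route-map {t.name}-OUT rule 10 action permit",
                  f"set policy route-map {t.name}-OUT rule 10 set as-path-prepend '{prepend}'",
                  f"set protocols bgp {LOCAL_AS} neighbor {neighbor} route-map export {t.name}-OUT"]
    lines += [f"set policy route-map {t.name}-IN rule 10 action permit",
              f"set policy route-map {t.name}-IN rule 10 set local-preference {local_pref(t)}",
              f"set protocols bgp {LOCAL_AS} neighbor {neighbor} route-map import {t.name}-IN"]
    return lines

if __name__ == "__main__":
    site = [Tunnel(f"T{p}", p) for p in (1, 2, 3, 4)]  # constructed: four tunnels, two per router
    print(vgw_best(site), cgw_best(site))  # T1 T1: both directions agree
    site[0].up = False
    print(vgw_best(site), cgw_best(site))  # T2 T2: symmetric failover
    print("\n".join(edgeos_policy(site[2], "169.254.0.1")))  # constructed inside-tunnel address
```

The two routers at a site each hold two of the four tunnels, so the site-level choice shown here only holds if the routers share their BGP view (for example over iBGP between them).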
- The AWS-generated Vyatta config. Note that the generated proposals use aes128, sha1 and DH group 2; AWS VPN and EdgeOS both support aes256, sha256 and DH group 14, which are the stronger choice for a new build.
set vpn ipsec ipsec-interfaces interface 'eth0'
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set vpn ipsec esp-group AWS compression 'disable'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set vpn ipsec site-to-site peer xx.xxx.xxx.xx authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer xx.xxx.xxx.xx authentication pre-shared-secret '...'
set vpn ipsec site-to-site peer xx.xxx.xxx.xx description 'VPC tunnel 1'
set vpn ipsec site-to-site peer xx.xxx.xxx.xx ike-group 'AWS'
set vpn ipsec site-to-site peer xx.xxx.xxx.xx local-address 'xxx.xxx.xxx.xxx'
set vpn ipsec site-to-site peer xx.xxx.xxx.xx vti bind 'vti0'
set vpn ipsec site-to-site peer xx.xxx.xxx.xx vti esp-group 'AWS'
set interfaces vti vti0 address '169.254.xxx.xxx/30'
set interfaces vti vti0 description 'VPC tunnel 1'
set interfaces vti vti0 mtu '1436'
set protocols bgp 65002 neighbor xx.xx.xx.xx remote-as '7224'
set protocols bgp 65002 neighbor xx.xx.xx.xx soft-reconfiguration 'inbound'
set protocols bgp 65002 neighbor xx.xx.xx.xx timers holdtime '30'
set protocols bgp 65002 neighbor xx.xx.xx.xx timers keepalive '10'
set protocols bgp 65002 network xx.xx.xx.xx/24