The following configuration routes all office traffic, including internet-bound traffic, over the site-to-site VPN to AWS, where it egresses to the internet. This is useful when centralized content filtering is to be done in AWS. It also works for VPCs that are attached to the Transit Gateway.
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.168.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 50.50.50.2 255.255.255.248
!
object network inside
 subnet 192.168.168.0 255.255.255.0
object network obj-amzn
 subnet 10.10.0.0 255.255.240.0
object network all
 subnet 0.0.0.0 0.0.0.0
!
access-list outside_access_in extended permit ip host 3.13.125.0 host 50.50.50.2
access-list outside_access_in extended permit ip host 3.130.75.165 host 50.50.50.2
access-list acl-amzn extended permit ip object inside any4
access-list amzn-filter extended permit ip any4 object inside
access-list amzn-filter extended deny ip any any
!
icmp permit any inside
icmp permit any outside
!
route outside 0.0.0.0 0.0.0.0 50.50.50.1 1
!
sla monitor 1
 type echo protocol ipIcmpEcho 10.10.0.77 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
!
crypto ipsec ikev1 transform-set transform-amzn esp-aes esp-sha-hmac
crypto ipsec security-association replay window-size 128
crypto ipsec security-association pmtu-aging infinite
crypto ipsec df-bit clear-df outside
!
crypto map amzn_vpn_map 1 match address acl-amzn
crypto map amzn_vpn_map 1 set pfs
crypto map amzn_vpn_map 1 set peer 3.13.125.0 3.130.75.165
crypto map amzn_vpn_map 1 set ikev1 transform-set transform-amzn
crypto map amzn_vpn_map 1 set security-association lifetime seconds 3600
crypto map amzn_vpn_map interface outside
!
crypto ca trustpool policy
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 201
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 28800
!
dhcpd address 192.168.168.30-192.168.168.60 inside
dhcpd dns 9.9.9.9 interface inside
dhcpd enable inside
!
group-policy filter internal
group-policy filter attributes
 vpn-filter value amzn-filter
!
tunnel-group 3.13.125.0 type ipsec-l2l
tunnel-group 3.13.125.0 general-attributes
 default-group-policy filter
tunnel-group 3.13.125.0 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
!
tunnel-group 3.130.75.165 type ipsec-l2l
tunnel-group 3.130.75.165 general-attributes
 default-group-policy filter
tunnel-group 3.130.75.165 ipsec-attributes
 ikev1 pre-shared-key *****
 isakmp keepalive threshold 10 retry 10
!
policy-map global_policy
 class inspection_default
  ! == icmp was added to the defaults ==
  inspect icmp
!
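Two ACLs in the ASA configuration above do the real work: acl-amzn (the crypto map's match address) decides which office-originated flows are encrypted into the tunnel, and amzn-filter (applied as the vpn-filter of the group policy) decides what decrypted traffic arriving from the tunnel may reach. The following checker is an added example, not part of the original page or of any Cisco tooling; it parses a constructed excerpt of the configuration (the object and access-list lines only) and evaluates both ACLs for sample flows. It assumes ASA first-match semantics with the implicit deny at the end of every ACL, and that a vpn-filter ACL is written with the remote (tunnel) side as the source.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed excerpt of the ASA configuration above: only the network objects
# and the two ACLs that decide what enters the tunnel and what may come back.
ASA_CONFIG = """
object network inside
 subnet 192.168.168.0 255.255.255.0
object network obj-amzn
 subnet 10.10.0.0 255.255.240.0
object network all
 subnet 0.0.0.0 0.0.0.0
access-list acl-amzn extended permit ip object inside any4
access-list amzn-filter extended permit ip any4 object inside
access-list amzn-filter extended deny ip any any
"""

Net = ipaddress.IPv4Network
ANY = Net("0.0.0.0/0")
Entry = Tuple[str, str, Net, Net]  # (action, protocol, source, destination)


def parse_objects(text: str) -> Dict[str, Net]:
    """Map each 'object network NAME' to the subnet declared beneath it."""
    objects: Dict[str, Net] = {}
    current = None
    for line in text.splitlines():
        parts = line.split()
        if parts[:2] == ["object", "network"]:
            current = parts[2]
        elif parts[:1] == ["subnet"] and current is not None:
            objects[current] = Net(f"{parts[1]}/{parts[2]}")  # ipaddress accepts dotted masks
            current = None
    return objects


def _operand(tokens: List[str], i: int, objects: Dict[str, Net]) -> Tuple[Net, int]:
    """Decode one ACL address operand at tokens[i]; return (network, index after it)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ANY, i + 1
    if tok == "host":
        return Net(f"{tokens[i + 1]}/32"), i + 2
    if tok == "object":
        return objects[tokens[i + 1]], i + 2
    return Net(f"{tok}/{tokens[i + 1]}"), i + 2  # bare 'ADDRESS MASK' form


def parse_acls(text: str, objects: Dict[str, Net]) -> Dict[str, List[Entry]]:
    """Group 'access-list NAME extended ACTION PROTO SRC DST' lines by name, keeping order."""
    acls: Dict[str, List[Entry]] = {}
    for line in text.splitlines():
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        name, action, proto = t[1], t[3], t[4]
        src, i = _operand(t, 5, objects)
        dst, _ = _operand(t, i, objects)
        acls.setdefault(name, []).append((action, proto, src, dst))
    return acls


def evaluate(acl: List[Entry], src_ip: str, dst_ip: str, proto: str = "ip") -> bool:
    """First-match evaluation with the ASA's implicit deny at the end of every ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, entry_proto, src, dst in acl:
        if entry_proto in ("ip", proto) and s in src and d in dst:
            return action == "permit"
    return False


def tunnel_selects(config: str, src_ip: str, dst_ip: str) -> bool:
    """Would the crypto map (match address acl-amzn) encrypt this office-originated flow?"""
    objects = parse_objects(config)
    return evaluate(parse_acls(config, objects)["acl-amzn"], src_ip, dst_ip)


def filter_permits(config: str, remote_src: str, local_dst: str) -> bool:
    """Does the vpn-filter (amzn-filter) let this decrypted packet from the tunnel through?
    vpn-filter ACLs are written with the remote side as the source."""
    objects = parse_objects(config)
    return evaluate(parse_acls(config, objects)["amzn-filter"], remote_src, local_dst)


if __name__ == "__main__":
    for src, dst in (("192.168.168.40", "9.9.9.9"), ("192.168.168.40", "10.10.0.5")):
        print(f"{src} -> {dst}: encrypted={tunnel_selects(ASA_CONFIG, src, dst)}")
    for src, dst in (("9.9.9.9", "192.168.168.40"), ("10.10.0.5", "50.50.50.2")):
        print(f"{src} -> {dst} from tunnel: permitted={filter_permits(ASA_CONFIG, src, dst)}")
```

Because acl-amzn's destination is any4, a DNS query from an office host to 9.9.9.9 is selected for the tunnel just like traffic to the VPC, which is what makes this a full-tunnel design; the amzn-filter entries then only admit tunnel traffic whose destination is the inside subnet, so anything arriving over the VPN for other addresses (the ASA's own outside address, for instance) hits the explicit deny.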
The policy-based VPN can be configured via the EdgeRouter web interface, but the web interface only lets you enter the VPC CIDR as the remote network rather than 0.0.0.0/0. After that, use the EdgeRouter CLI to change the remote prefix to 0.0.0.0/0, as shown below.
set interfaces ethernet eth0 address 50.50.50.2/29
set interfaces ethernet eth0 description Internet
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 firewall in name WAN_IN
set interfaces ethernet eth0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth1 description Local
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
set interfaces switch switch0 address 192.168.168.1/24
set interfaces switch switch0 description Local
set interfaces switch switch0 mtu 1500
set interfaces switch switch0 switch-port interface eth1
set interfaces switch switch0 switch-port vlan-aware disable
set service dhcp-server disabled false
set service dhcp-server shared-network-name LAN authoritative enable
set service dhcp-server shared-network-name LAN subnet 192.168.168.0/24 default-router 192.168.168.1
set service dhcp-server shared-network-name LAN subnet 192.168.168.0/24 dns-server 9.9.9.9
set service dhcp-server shared-network-name LAN subnet 192.168.168.0/24 lease 86400
set service dhcp-server shared-network-name LAN subnet 192.168.168.0/24 start 192.168.168.38 stop 192.168.168.243
set system gateway-address 50.50.50.1
set system name-server 9.9.9.9
set vpn ipsec allow-access-to-local-interface disable
set vpn ipsec auto-firewall-nat-exclude enable
set vpn ipsec esp-group FOO0 compression disable
set vpn ipsec esp-group FOO0 lifetime 3600
set vpn ipsec esp-group FOO0 mode tunnel
set vpn ipsec esp-group FOO0 pfs enable
set vpn ipsec esp-group FOO0 proposal 1 encryption aes128
set vpn ipsec esp-group FOO0 proposal 1 hash sha1
set vpn ipsec esp-group FOO1 compression disable
set vpn ipsec esp-group FOO1 lifetime 3600
set vpn ipsec esp-group FOO1 mode tunnel
set vpn ipsec esp-group FOO1 pfs enable
set vpn ipsec esp-group FOO1 proposal 1 encryption aes128
set vpn ipsec esp-group FOO1 proposal 1 hash sha1
set vpn ipsec ike-group FOO0 ikev2-reauth no
set vpn ipsec ike-group FOO0 key-exchange ikev1
set vpn ipsec ike-group FOO0 lifetime 28800
set vpn ipsec ike-group FOO0 proposal 1 dh-group 14
set vpn ipsec ike-group FOO0 proposal 1 encryption aes128
set vpn ipsec ike-group FOO0 proposal 1 hash sha1
set vpn ipsec ike-group FOO1 ikev2-reauth no
set vpn ipsec ike-group FOO1 key-exchange ikev1
set vpn ipsec ike-group FOO1 lifetime 28800
set vpn ipsec ike-group FOO1 proposal 1 dh-group 14
set vpn ipsec ike-group FOO1 proposal 1 encryption aes128
set vpn ipsec ike-group FOO1 proposal 1 hash sha1
set vpn ipsec site-to-site peer 3.13.125.0 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 3.13.125.0 authentication pre-shared-secret SyTclcYrs5cK7ik0pRSVGA.MXb12IE5G
set vpn ipsec site-to-site peer 3.13.125.0 connection-type initiate
set vpn ipsec site-to-site peer 3.13.125.0 description AWS1
set vpn ipsec site-to-site peer 3.13.125.0 ike-group FOO0
set vpn ipsec site-to-site peer 3.13.125.0 ikev2-reauth inherit
set vpn ipsec site-to-site peer 3.13.125.0 local-address 50.50.50.2
set vpn ipsec site-to-site peer 3.13.125.0 tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 3.13.125.0 tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer 3.13.125.0 tunnel 1 esp-group FOO0
set vpn ipsec site-to-site peer 3.13.125.0 tunnel 1 local prefix 192.168.168.0/24
set vpn ipsec site-to-site peer 3.13.125.0 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer 3.130.75.165 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 3.130.75.165 authentication pre-shared-secret vj9QRycPvViyglu8nucmT2FI2CFNpADM
set vpn ipsec site-to-site peer 3.130.75.165 connection-type initiate
set vpn ipsec site-to-site peer 3.130.75.165 description AWS2
set vpn ipsec site-to-site peer 3.130.75.165 ike-group FOO1
set vpn ipsec site-to-site peer 3.130.75.165 ikev2-reauth inherit
set vpn ipsec site-to-site peer 3.130.75.165 local-address 50.50.50.2
set vpn ipsec site-to-site peer 3.130.75.165 tunnel 1 allow-nat-networks disable
set vpn ipsec site-to-site peer 3.130.75.165 tunnel 1 allow-public-networks disable
set vpn ipsec site-to-site peer 3.130.75.165 tunnel 1 esp-group FOO1
set vpn ipsec site-to-site peer 3.130.75.165 tunnel 1 local prefix 192.168.168.0/24
set vpn ipsec site-to-site peer 3.130.75.165 tunnel 1 remote prefix 0.0.0.0/0
delete service nat
To change from a policy-based VPN to a virtual tunnel interface (VTI) VPN, make the following changes to the policy-based configuration above: remove each peer's tunnel 1 selector block, bind each peer to its own VTI with the 169.254.x.x inside-tunnel address AWS assigned, add host routes so the two AWS peer addresses are still reached over the internet gateway, and point the default route at the VTIs.
set interfaces vti vti1 description AWS1
set interfaces vti vti1 address 169.254.93.34/30
set interfaces vti vti2 description AWS2
set interfaces vti vti2 address 169.254.221.246/30
delete vpn ipsec site-to-site peer 3.13.125.0 tunnel 1
set vpn ipsec site-to-site peer 3.13.125.0 vti bind vti1
set vpn ipsec site-to-site peer 3.13.125.0 vti esp-group FOO0
delete vpn ipsec site-to-site peer 3.130.75.165 tunnel 1
set vpn ipsec site-to-site peer 3.130.75.165 vti bind vti2
set vpn ipsec site-to-site peer 3.130.75.165 vti esp-group FOO1
set protocols static route 3.13.125.0/32 next-hop 50.50.50.1
set protocols static route 3.130.75.165/32 next-hop 50.50.50.1
set protocols static interface-route 0.0.0.0/0 next-hop-interface vti1
set protocols static interface-route 0.0.0.0/0 next-hop-interface vti2
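A full-tunnel VTI conversion fails quietly when the pieces disagree: a default interface-route that names a VTI which was never created installs nothing, and a peer that still carries its policy-based tunnel block will keep negotiating the old selectors. The checker below is an added example (not the page's or Ubiquiti's own tooling) that replays a constructed list of set/delete commands, modelled on the VTI changes above, into a nested dict mirroring the EdgeOS configuration tree and then reports VTI references that were never defined and peers that are still policy-based. The sample deliberately points one default route at an undefined vti0 so the check has something to catch; the tree model, in which every token including values becomes a child node and emptied ancestors are pruned on delete, is an assumption of this example.

```python
from typing import Any, Dict, List, Tuple

# Constructed sample modelled on the VTI conversion above. It starts from the
# policy-based 'tunnel 1' entries, removes them, binds each peer to a VTI, and
# deliberately points one default route at vti0, which is never defined.
VTI_COMMANDS = """
set vpn ipsec site-to-site peer 3.13.125.0 tunnel 1 remote prefix 0.0.0.0/0
set vpn ipsec site-to-site peer 3.130.75.165 tunnel 1 remote prefix 0.0.0.0/0
set interfaces vti vti1 description AWS1
set interfaces vti vti1 address 169.254.93.34/30
set interfaces vti vti2 description AWS2
set interfaces vti vti2 address 169.254.221.246/30
delete vpn ipsec site-to-site peer 3.13.125.0 tunnel 1
set vpn ipsec site-to-site peer 3.13.125.0 vti bind vti1
set vpn ipsec site-to-site peer 3.13.125.0 vti esp-group FOO0
delete vpn ipsec site-to-site peer 3.130.75.165 tunnel 1
set vpn ipsec site-to-site peer 3.130.75.165 vti bind vti2
set vpn ipsec site-to-site peer 3.130.75.165 vti esp-group FOO1
set protocols static route 3.13.125.0/32 next-hop 50.50.50.1
set protocols static route 3.130.75.165/32 next-hop 50.50.50.1
set protocols static interface-route 0.0.0.0/0 next-hop-interface vti0
set protocols static interface-route 0.0.0.0/0 next-hop-interface vti1
"""

Tree = Dict[str, Any]


def apply_commands(text: str) -> Tree:
    """Replay 'set'/'delete' lines into a nested dict mirroring the EdgeOS config tree.
    Every token, including values, becomes a child node; 'delete' removes a subtree
    and prunes ancestors left empty (so 'delete ... tunnel 1' also drops 'tunnel')."""
    tree: Tree = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        op, path = tokens[0], tokens[1:]
        if op == "set":
            node = tree
            for tok in path:
                node = node.setdefault(tok, {})
        elif op == "delete":
            stack: List[Tuple[Tree, str]] = []
            node = tree
            for tok in path[:-1]:
                if tok not in node:
                    node = None
                    break
                stack.append((node, tok))
                node = node[tok]
            if node is not None:
                node.pop(path[-1], None)
                for parent, key in reversed(stack):
                    if parent[key]:
                        break
                    del parent[key]
        else:
            raise ValueError(f"unsupported command: {line}")
    return tree


def _peers(tree: Tree) -> Tree:
    return tree.get("vpn", {}).get("ipsec", {}).get("site-to-site", {}).get("peer", {})


def defined_vtis(tree: Tree) -> set:
    """Names under 'interfaces vti'."""
    return set(tree.get("interfaces", {}).get("vti", {}))


def referenced_vtis(tree: Tree) -> List[Tuple[str, str]]:
    """(where, vti-name) for every peer 'vti bind' and every interface-route next hop."""
    refs: List[Tuple[str, str]] = []
    for peer, cfg in _peers(tree).items():
        for name in cfg.get("vti", {}).get("bind", {}):
            refs.append((f"peer {peer} vti bind", name))
    routes = tree.get("protocols", {}).get("static", {}).get("interface-route", {})
    for prefix, cfg in routes.items():
        for name in cfg.get("next-hop-interface", {}):
            refs.append((f"interface-route {prefix}", name))
    return refs


def undefined_vti_references(text: str) -> List[Tuple[str, str]]:
    """References to VTIs that were never created; such a default route installs nothing."""
    tree = apply_commands(text)
    defined = defined_vtis(tree)
    return [ref for ref in referenced_vtis(tree) if ref[1] not in defined]


def peers_still_policy_based(text: str) -> List[str]:
    """Peers that still carry a policy-based 'tunnel' block after the conversion."""
    return sorted(p for p, cfg in _peers(apply_commands(text)).items() if "tunnel" in cfg)


if __name__ == "__main__":
    print("undefined VTI references:", undefined_vti_references(VTI_COMMANDS))
    print("peers still policy-based:", peers_still_policy_based(VTI_COMMANDS))
```

Run against the sample, the first check reports the 0.0.0.0/0 route that names vti0, and the second returns an empty list because both tunnel 1 blocks were deleted; dropping one of the delete lines makes that peer show up in the second list. The same replay approach works on any saved list of EdgeOS set commands, which makes it easy to wire into a pre-commit review of router configuration.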