This post notes down how to set up an AWS Managed VPN connection between our office and AWS using a Mikrotik RouterBoard. We basically follow the instructions of this document, which literally describes everything we need to know. AWS supports Internet Protocol security (IPsec) VPN connections. The following figure shows the architecture of the VPN connection.
A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection. We can specify the Autonomous System Number (ASN) for the Amazon side of the gateway.
A customer gateway is the device or software VPN on our side of the VPN connection.
We should define the following items for it:
- Internet-routable IP address: Our side public IP address
- The type of routing: static or dynamic
One thing to note is that the VPN connection is initiated from our side.
By using AWS managed VPN, we get several benefits:
- Fully managed by AWS, which also provides HA for us; we no longer need to worry about VPN disconnection while an Availability Zone is down.
- IPsec site-to-site tunnel with AES-256 and SHA-2.
In this article, we will use BGP routing to connect to the AWS managed VPN.
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- Choose Virtual Private Gateways, then Create Virtual Private Gateway, and create a virtual private gateway.
- Attach the VPC that you want to connect to.
- Create a Customer Gateway.
- Choose VPN Connections, then Create VPN Connection.
- Specify the Virtual Private Gateway and Customer Gateway.
- Routing Options → BGP
- Route Tables → Route Propagation
- Download the configuration file from AWS VPN Connections:
  - Vendor: Mikrotik
  - Platform: RouterOS
  - Software: 6.36
- Download the RouterBoard script generator from https://github.com/kkc/aws-vpn-mikrotik
- Run the script with ./dynamic-router-config vpn-94e3fff5.txt
- Run the generated mikrotik-aws-config script on the RouterBoard.
Example of routerboard config
If the connection doesn't work for some reason, we can try the following troubleshooting steps.
Verify interesting traffic:
- ESP => ensure IP protocol 50 is allowed
- IPsec Phase 2 => verify the encryption parameter is AES-128 and the hashing parameter is SHA-1
- IPsec Phase 2 => the lifetime is configured to 3600 s (1 hour)
- Ensure that perfect forward secrecy (PFS) is enabled
- Verify that port 500 is not blocked
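To make the checklist above mechanical, here is an added Python example (not from the original post nor from the aws-vpn-mikrotik project) that scans a RouterOS export for the Phase 2 proposal and firewall settings listed. The export text is a constructed sample, and the parser assumes the `/path` followed by `add key=value ...` layout of a RouterOS 6 export.

```python
import re

# Constructed sample of a RouterOS 6.x export with the Phase 2 and firewall
# settings the checklist expects (hypothetical values, not a real export).
SAMPLE_EXPORT = """\
/ip ipsec proposal
add auth-algorithms=sha1 enc-algorithms=aes-128-cbc lifetime=1h name=aws-proposal pfs-group=modp1024
/ip firewall filter
add action=accept chain=input comment="AWS VPN ESP" protocol=ipsec-esp
add action=accept chain=input comment="AWS VPN IKE" dst-port=500 protocol=udp
"""

def parse_export(text):
    """Group each 'add ...' line under the '/path' section that precedes it."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            # key=value tokens; quoted values (comments) may contain spaces
            attrs = dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line))
            sections[current].append(attrs)
    return sections

def has_rule(rules, **want):
    """True if some filter rule carries every wanted key=value (accept is RouterOS's default action)."""
    for r in rules:
        r = dict(r)
        r.setdefault("action", "accept")
        if all(r.get(k) == v for k, v in want.items()):
            return True
    return False

def check_vpn_config(text):
    """Map each troubleshooting item to True/False for the given export."""
    cfg = parse_export(text)
    props = cfg.get("/ip ipsec proposal", [])
    rules = cfg.get("/ip firewall filter", [])

    def algs(p, key):  # RouterOS lists algorithms comma-separated
        return p.get(key, "").split(",")

    return {
        "phase2_aes128": any("aes-128-cbc" in algs(p, "enc-algorithms") for p in props),
        "phase2_sha1": any("sha1" in algs(p, "auth-algorithms") for p in props),
        "lifetime_1h": any(p.get("lifetime") in ("1h", "3600s") for p in props),
        # an export omits pfs-group when it is the default modp1024, so absence means PFS is on
        "pfs_enabled": any(p.get("pfs-group", "modp1024") != "none" for p in props),
        "esp_allowed": has_rule(rules, chain="input", protocol="ipsec-esp"),
        "ike_udp500_allowed": has_rule(rules, chain="input", protocol="udp", **{"dst-port": "500"}),
    }

def failed_checks(text):
    """Names of checklist items that the export does not satisfy."""
    return sorted(k for k, ok in check_vpn_config(text).items() if not ok)
```

Run `failed_checks()` over the output of `/export` from the router; an empty list means every item on the checklist is present.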