
Monday, 21 July 2025

AWS Site-to-Site VPN


How to set up a VPN connection between the office router and AWS VPN?

How to set up an IPsec VPN connection between our office router (e.g. a Cisco ASA) and the AWS VPN endpoints?

AWS Virtual Private Network solutions establish secure connections between our on-premises networks, remote offices, client devices, and the AWS global network.

AWS VPN consists of two services: AWS Site-to-Site VPN and AWS Client VPN.

Each service provides a highly available, managed, and elastic cloud VPN solution to protect our network traffic.

In this article we'll talk about AWS Site-to-Site VPN.


AWS Site-to-Site VPN 


Network diagram:


on-premise LAN: 192.168.0.0/16 
-----------------------------------------
/ \                         / \
 |                           |
 |  active tunnel            |  passive (standby) tunnel
 |                           |
\ /                         \ /
-----------------------------------------
Router1                    Router 2

VGW - Virtual Gateway 
VPC: 172.16.0.0/16; Route Table: 192.168.0.0/16 ---> VGW-xxxx


Can VPC CIDR and LAN CIDR overlap?

A VPN connection consists of two tunnels:
  • active (up and running)
  • passive (down); if the first one goes down, this one takes over

The VPC route table needs to be modified so that traffic destined for 192.168.0.0/16 is routed to VGW-xxxx.


The AWS VPN service consists of three components:

Creating and configuring a Customer Gateway


A Customer Gateway is a resource that we create in AWS that represents the (customer) gateway device in our on-premises network.

When we create a customer gateway, we provide information about our device to AWS. We or our network administrator must configure the device to work with the site-to-site VPN connection.


We first need to create a Customer Gateway in AWS. We can do that via the AWS console or the Terraform AWS provider.



If we click on Create customer gateway, we'll see this form:



Details

  • Name tag
    • optional
    • Creates a tag with a key of 'Name' and a value that we specify.
    • Value must be 256 characters or less in length.
  • BGP ASN
    • The ASN of our customer gateway device.
    • e.g. 65000
    • Value must be in the range 1 - 4294967294.
    • The Border Gateway Protocol (BGP) Autonomous System Number (ASN) in the range of 1 – 4,294,967,294 is supported. We can use an existing public ASN assigned to our network, with the exception of the following:
      • 7224 - Reserved in all Regions
      • 9059 - Reserved in the eu-west-1 Region
      • 10124 - Reserved in the ap-northeast-1 Region
      • 17943 - Reserved in the ap-southeast-1 Region
    • If we don't have a public ASN, we can use a private ASN in the range of 64,512–65,534 or 4,200,000,000 - 4,294,967,294. The default ASN is 65000.
    • It is required if we want to set up dynamic routing. If we want to use static routing, we can use an arbitrary (default) value.
    • Where to find the BGP ASN for e.g. a UDM Pro?
    • If we want to use IPsec and dynamic routing, then our router device needs to support BGP over IPsec.
    • When to use static and when to use dynamic routing?
  • IP address
    • Specify the IP address of our customer gateway device's external interface. This is the internet-routable IP address of our gateway's external interface.
    • The address must be static and can't be behind a device performing Network Address Translation (NAT).
    • If the office router is connected to the ISP via e.g. the WAN1 connection, this is the IP of that WAN connection.
    • Basically, this is the office's public IP address.
  • Certificate ARN
    • optional
    • The ARN of a private certificate provisioned in AWS Certificate Manager (ACM).
    • We can select certificate ARN from a drop-down list
    • How is this certificate used?
    • When to use this certificate?
  • Device
    • optional
    • A name for the customer gateway device.
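The same Customer Gateway, created with the Terraform AWS provider instead of the console form. This is an added example, not code from the original post; the ASN, the WAN IP and the device name are placeholders, and the variable validations encode the ASN range and the reserved ASNs listed above so that a bad value is rejected at plan time rather than at tunnel setup.

```hcl
# Added example (not part of the original post): Customer Gateway via Terraform.
# All values below are placeholders; replace them with the office router's real data.

variable "cgw_bgp_asn" {
  description = "ASN of the on-premises router (use a private ASN if we have no public one)"
  type        = number
  default     = 65000 # AWS default; fine for static routing

  validation {
    condition     = var.cgw_bgp_asn >= 1 && var.cgw_bgp_asn <= 4294967294
    error_message = "BGP ASN must be in the range 1 - 4294967294."
  }

  validation {
    # 7224 is reserved in all Regions; 9059, 10124 and 17943 are reserved in
    # specific Regions. Rejecting all four everywhere is the conservative choice.
    condition     = !contains([7224, 9059, 10124, 17943], var.cgw_bgp_asn)
    error_message = "ASNs 7224, 9059, 10124 and 17943 are reserved by AWS."
  }
}

variable "cgw_public_ip" {
  description = "Static, internet-routable IP of the office router's WAN interface (not behind NAT)"
  type        = string
  default     = "203.0.113.10" # placeholder from the documentation range

  validation {
    # cidrhost() fails on anything that is not a well-formed IPv4 address
    condition     = can(cidrhost("${var.cgw_public_ip}/32", 0))
    error_message = "cgw_public_ip must be a valid IPv4 address."
  }
}

resource "aws_customer_gateway" "office" {
  bgp_asn     = var.cgw_bgp_asn
  ip_address  = var.cgw_public_ip
  type        = "ipsec.1"    # the only type AWS accepts for a customer gateway
  device_name = "office-asa" # optional; hypothetical name for the router

  # certificate_arn is left unset: without it the tunnels authenticate with
  # pre-shared keys, which AWS generates for the VPN connection.

  tags = {
    Name = "office-cgw"
  }
}
```

Running `terraform plan` with, for instance, `-var cgw_bgp_asn=7224` stops on the second validation before anything is created, which is the point of putting the reserved list in the variable rather than in a comment.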

Creating and configuring a Virtual Private Gateway


A virtual private gateway is the VPN concentrator on the Amazon side of the site-to-site VPN connection. We create a virtual private gateway and attach it to the VPC we want to use for the site-to-site VPN connection.


A VPN concentrator is a specialized networking device designed to manage numerous secure connections (VPN tunnels) for remote users or sites accessing a central network. It acts as a central point for establishing, processing, and maintaining these connections, enabling large organizations to securely connect many users simultaneously. 

Key Functions:
  • Multiple VPN Tunnel Management: VPN concentrators handle a large number of encrypted VPN tunnels simultaneously, allowing multiple users to securely connect to the network. 
  • Centralized Security: They provide a central point for managing and enforcing security policies for all remote connections, ensuring consistent protection. 
  • Scalability: VPN concentrators are designed to handle a large number of users and connections, making them suitable for large organizations with many remote workers or sites. 
  • Traffic Encryption: They encrypt all data transmitted between the remote user and the central network, ensuring secure communication and protecting sensitive information. 
  • Enhanced Security Posture: By managing and controlling all VPN connections, they help organizations maintain a strong security posture and minimize risks associated with remote access. 
How it Works:
  1. Remote User Connection: Remote users initiate a VPN connection, which is then routed to the VPN concentrator.
  2. Authentication and Authorization: The concentrator authenticates and authorizes the user, verifying their identity and permissions.
  3. Tunnel Establishment: If the user is authorized, the concentrator establishes an encrypted VPN tunnel between the user's device and the central network.
  4. Secure Communication: All data transmitted through the tunnel is encrypted, protecting it from eavesdropping or interception.
  5. Traffic Management: The concentrator manages and prioritizes traffic within the network, ensuring efficient and secure communication.
Use Cases:
  • Large Enterprises: Companies with numerous remote employees often use VPN concentrators to provide secure access to their internal network.
  • Extranet VPNs: VPN concentrators are also used in extranet setups, where multiple organizations need to securely share resources and information.
  • Large Scale Remote Access: They are ideal for organizations that need to provide secure remote access to a large number of users from various locations.
In essence, a VPN concentrator is a robust and scalable solution for managing secure remote access in larger organizations, providing the necessary infrastructure for secure and efficient communication across the network.




If we click on the Create button, we'll get this form to fill in:


If we select Custom ASN:



Upon creation, the VGW is in the detached state. We want to attach it to a VPC; we can select which VPC to attach it to.
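The Virtual Private Gateway steps above (create with a custom Amazon-side ASN, attach to the VPC, add the 192.168.0.0/16 route to the VPC route table from the diagram) and the VPN connection with its two tunnels, as one Terraform example. This is added code, not from the original post or from AWS; it assumes the VPC 172.16.0.0/16 from the diagram already exists, that the Customer Gateway ID is supplied as a variable (the default is a placeholder), and it uses static routing so the office router does not need BGP.

```hcl
# Added example (not part of the original post): VGW, attachment, route and
# VPN connection via Terraform. IDs and CIDRs other than those in the post
# are placeholders.

variable "customer_gateway_id" {
  description = "ID of the Customer Gateway created earlier"
  type        = string
  default     = "cgw-0123456789abcdef0" # placeholder
}

# The VPC from the diagram, looked up by its CIDR
data "aws_vpc" "main" {
  cidr_block = "172.16.0.0/16"
}

# The VPC's main route table, which the post says needs the 192.168.0.0/16 entry
data "aws_route_table" "main" {
  vpc_id = data.aws_vpc.main.id
  filter {
    name   = "association.main"
    values = ["true"]
  }
}

# Step 1: create the VGW. It starts detached; amazon_side_asn is the
# "Custom ASN" field from the console form (placeholder value).
resource "aws_vpn_gateway" "vgw" {
  amazon_side_asn = 64512
  tags = {
    Name = "office-vgw"
  }
}

# Step 2: attach the VGW to the VPC (the console's "Attach to VPC" action)
resource "aws_vpn_gateway_attachment" "vgw_vpc" {
  vpc_id         = data.aws_vpc.main.id
  vpn_gateway_id = aws_vpn_gateway.vgw.id
}

# Step 3: route on-premises LAN traffic to the VGW (192.168.0.0/16 ---> VGW)
resource "aws_route" "to_office_lan" {
  route_table_id         = data.aws_route_table.main.id
  destination_cidr_block = "192.168.0.0/16"
  gateway_id             = aws_vpn_gateway.vgw.id
  depends_on             = [aws_vpn_gateway_attachment.vgw_vpc]
}

# The VPN connection itself; AWS provisions both tunnels (active and standby)
resource "aws_vpn_connection" "office" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = var.customer_gateway_id
  type                = "ipsec.1"
  static_routes_only  = true # static routing: no BGP required on the office router
  tags = {
    Name = "office-vpn"
  }
}

# With static routing AWS must be told which prefix lives behind the customer gateway
resource "aws_vpn_connection_route" "office_lan" {
  destination_cidr_block = "192.168.0.0/16"
  vpn_connection_id      = aws_vpn_connection.office.id
}

# Tunnel endpoints the office router peers with. The pre-shared keys
# (tunnel1_preshared_key / tunnel2_preshared_key) are sensitive and are
# deliberately not exposed as outputs.
output "tunnel_addresses" {
  value = [
    aws_vpn_connection.office.tunnel1_address,
    aws_vpn_connection.office.tunnel2_address,
  ]
}
```

The explicit `aws_vpn_gateway_attachment` mirrors the detached-then-attached sequence described above; setting `vpc_id` directly on `aws_vpn_gateway` would do the same in one step. The `depends_on` on the route matters because a route to a VGW that is not yet attached to the VPC is rejected by the API.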