0

AWS – Migrate VPN from a virtual private gateway to a transit gateway

When you migrate from setup where you have been using VPG ( Virtual Private Gateway ) to TG ( Transit Gateway ) it might be desirable not to reconfigure the VPN connection.

If you read through documentation it’s possible with just one caveat – tunnel will flip down/up during this process.

First find the details from your current VPN setup:

❯ aws ec2 describe-vpn-connections | jq '.VpnConnections[] | {VpnConnectionId, VpnGatewayId , TransitGatewayId}' 

The above should provide you with information about your VpnID and VpgID

{
  "VpnConnectionId": "vpn-1234567890",
  "VpnGatewayId": "vgw-123456",
  "TransitGatewayId": null
}

Having this info is now sufficient to execute command which will move your VPN connection to transit gateway ( you need to have that ID at hand )

 aws ec2 modify-vpn-connection --vpn-connection-id vpn-1234567890 -transit-gateway-id tgw-1234567890f 

Detailed information you can find in the article here https://aws.amazon.com/premiumsupport/knowledge-center/transit-gateway-migrate-vpn/

9

Vyos – Site to site VPN using VTI and OSPF

Hey! So today we will be challenging setup of vyos site-to-site VPN. In theory there is nothing really difficult about that one – its just choosing the right options.

What I would really would like to highlight here which I believe is quite useful ( although not always possible to achieve ) is to use VTI ( Virtual Tunnel Interface ) instead of local/remote prefixes ( more reading here ). So let’s get to do it 🙂 All of these commands will be part of single commit.

First we tackle the virtual interface

set interfaces vti vti0 address 10.1.0.1/32
set interfaces vti vti0 description 'VPN_VTI0'

Of course description is optional however I like the system to be well described so other people can also benefit from understanding quickly what and why is it.

Next I fill out phase 1 and phase 2 settings. And here I cannot help much as it will differ per endpoint you are setting your vpn with. So treat this only as point of reference

# Phase 2 
set vpn ipsec esp-group ESP-Default compression 'disable' 
set vpn ipsec esp-group ESP-Default lifetime '3600' 
set vpn ipsec esp-group ESP-Default mode 'tunnel' 
set vpn ipsec esp-group ESP-Default pfs 'dh-group2' 
set vpn ipsec esp-group ESP-Default proposal 1 encryption '3des' 
set vpn ipsec esp-group ESP-Default proposal 1 hash 'sha1' 

# Phase 1 
set vpn ipsec ike-group IKE-Default dead-peer-detection action 'clear' 
set vpn ipsec ike-group IKE-Default dead-peer-detection interval '30' 
set vpn ipsec ike-group IKE-Default dead-peer-detection timeout '90' 
set vpn ipsec ike-group IKE-Default ikev2-reauth 'no' 
set vpn ipsec ike-group IKE-Default key-exchange 'ikev1' 
set vpn ipsec ike-group IKE-Default lifetime '86400' 
set vpn ipsec ike-group IKE-Default proposal 1 dh-group '2' 
set vpn ipsec ike-group IKE-Default proposal 1 encryption 'aes256' 
set vpn ipsec ike-group IKE-Default proposal 1 hash 'sha256'

 

Cool – so we got the base – now we need to define which interface will handle our VPN traffic

set vpn ipsec ipsec-interfaces interface 'eth1' 
set vpn ipsec logging log-modes 'all'

 

And then I move to configuring site-to-site vpn

# Setup the site-2-site config
set vpn ipsec site-to-site peer <remote-IP-address> authentication id '<local-WAN-IP-address>' 
set vpn ipsec site-to-site peer <remote-IP-address> authentication mode 'pre-shared-secret' 
set vpn ipsec site-to-site peer <remote-IP-address> authentication pre-shared-secret 'this-Of-course-Is-Some-paaaassshpraseeee' 
set vpn ipsec site-to-site peer <remote-IP-address> connection-type 'initiate' 
set vpn ipsec site-to-site peer <remote-IP-address> default-esp-group 'ESP-Default' 
set vpn ipsec site-to-site peer <remote-IP-address> ike-group 'IKE-Default' 
set vpn ipsec site-to-site peer <remote-IP-address> ikev2-reauth 'inherit' 
set vpn ipsec site-to-site peer <remote-IP-address> local-address '<local-WAN-IP-address>' 

Once done we need to associate our VTI interface with this site to site VPN. This is done by issuing the following

# Make use of our VTI interface
set vpn ipsec site-to-site peer <remote-IP-address> vti bind vti1
set vpn ipsec site-to-site peer <remote-IP-address> vti esp-group ESP-Default

 

Cool – easy wasn’t ? 🙂 Now we can configure OSPF. I did mine this way

set protocols ospf parameters router-id <remote-IP-address>
set protocols ospf area 0.0.0.0 network 192.168.1.0/24
set protocols ospf area 0.0.0.0 network 192.168.2.0/24
set interfaces vti vti0 ip ospf network point-to-point

 

Full config as usual available in github

 

 

Any experience on challenges ? Maybe better ways ? Post in comments!