How to Configure an IPsec IKEv2 VPN to an AWS VPN Gateway with BGP

If you are using the Amazon Virtual Private Cloud, you can transparently extend your local network to the cloud by connecting the private networks through a site-to-site IKEv2 IPsec VPN tunnel. The Amazon virtual private gateway uses two parallel IKEv2 IPsec tunnels to ensure constant connectivity. The subnets behind the VPN gateway are propagated via BGP.

Before You Begin

• Create an Amazon Virtual Private Cloud (VPC).

  The local and remote (VPC) subnets must not overlap. E.g, if your local network is 10.0.1.0/24, do not use 10.0.0.0/16 for your VPC.

  
  

• Create at least one subnet in the VPC.
• The security group of the VPC must allow the desired connections. For more information, see https://docs.aws.amazon.com/en_pv/vpn/latest/s2svpn/SetUpVPNConnections.html#vpn-configure-security-groups.

Step 1 - Create the Amazon VPN Gateway

Step 1.1 - Create a Virtual Private Gateway

The Amazon virtual private gateway is the VPN concentrator on the remote side of the IPsec VPN connection.

1. Go to the Amazon VPC Management Console.
2. In the left menu, click Virtual Private Gateways.
3. Click Create Virtual Private Gateway.
   
4. Enter the Name tag for the VPN gateway (e.g., SecureEdge Virtual Private Gateway).
5. Click Create Virtual Private Gateway.
6. Select the newly created virtual private gateway, click Actions and select Attach to VPC.
   
7. Select your VPC from the VPC list, and click Attach to VPC.

The virtual private gateway is now available.

Step 1.2 - Add Your Customer Gateway Configuration

The Amazon customer gateway is your Barracuda SecureEdge appliance on your end of the VPN connection. Specify your external IP address and routing type in the customer gateway configuration:

1. Go to the Amazon VPC Management Console.
2. In the left menu, click Customer Gateways. 
3. Click Create Customer Gateway.
4. Enter the connection information for your appliance: 
   • Name – Enter a name for your device (e.g., My Barracuda SecureEdge).
   • BGP ASN – Enter your BGP ASN number.
   • IP Address – Enter your external IP Address. 
   • Device (Optional) – Enter a name for your device.
     
5. Click Create Customer Gateway.

Your appliance is now registered in the AWS cloud and you can configure VPN connections.

Step 1.3 - Create a VPN Connection

Create a VPN connection with the customer gateway (Your Barracuda SecureEdge) and the Amazon virtual private gateway that you just created. Then, download the VPN configuration file that contains all necessary information for configuring the VPN connection on the SecureEdge.

1. Go to the Amazon VPC Management Console.
2. In the left menu, click Site-to-Site VPN Connections. 
3. Click Create VPN Connection. 
4. In the Create VPN Connection window, enter the configuration information for your VPN connection:
   • Name tag – Enter a name for your VPN connection (e.g., SecureEdgeToAWSCloud).
   • Virtual Private Gateway – Select the virtual private gateway created in Step 1.
   • Customer Gateway – Select the customer gateway created in Step 1.
   • Routing Options – Select Dynamic (requires BGP).
     
5. Click Create VPN Connection. 
6. Once the connection is available in AWS, click Download Configuration.
   
7. Select generic vendor and platform settings for the configuration file: 
   
   • Vendor – Select Generic.
   • Platform – Select Generic.
   • Software – Select Vendor Agnostic.
   • IKE version – Select IKev2.
     

8. Click Download, and save the vpn-<YOUR-VPC-ID>.txt file. The configuration file contains all required information to configure each VPN tunnel and the respective BGP routing options on your SecureEdge appliance.

Step 1.4 - Enable Route Propagation

1. Go to the Amazon VPC Management Console.
2. In the left menu, click Route Tables.
3. Select the route table attached to your VPC used in Step 1.1.
4. Click Route Propagation.
   
5. Click Edit Route Propagation.
   
6. Enable the route propagation for your virtual private gateway created in Step 1.1 by selecting the check box next to it.
   
7. Click Save.

Step 2 - Configure Two Site-to-Site IPsec Tunnels on the Barracuda SecureEdge

Configure two IPsec site-to-site VPN tunnels. Use the IP addresses provided in the Amazon generic VPN configuration file you downloaded at the end of Step 1.

1. Go to https://se.barracudanetworks.com and log in with your existing Barracuda Cloud Control account.

2. In the left menu, click the Tenants/Workspaces icon and select the workspace you want to configure the IPsec IKEv2 tunnel for.

3. Go to Integration > IPsec VPN. The IPsec VPN page opens. To add a tunnel, click Add IPsec Tunnel.

4. For each IPsec tunnel, click Add IPsec Tunnel. The Create IPsec Tunnel window opens. 
   • In the General tab, specify values for the following:
     
     • Enable – Click to enable.
     • Initiates – Click to enable.
   • In the GENERAL  INFORMATION section, specify values for the following: 
     
     • Name – Enter a unique tunnel name. E.g., IPsec Tunnel 1: IPsecAWSTunnel1 and for IPsec Tunnel 2: IPsecAWSTunnel2
     • Description – Enter a brief description.
   • In the AUTHENTICATION section, specify values for the following: 
     
     • Authentication – Select Pre-shared Key.

     • Shared Secret – Enter the Amazon Pre-shared Key.

       • IPsecAWSTunnel1
         

       • IPSecAWSTunnel2
         
         
5. Click Next.
6. In the Source/Destination tab, specify values for the following:
   • Enable BGP – Click to enable.
   • In the SOURCE section, specify values for the following:
     • Type – Select Site.
     • Peer – Select peer. E.g., Dubai
     • WAN Interface – Select WAN interface. E.g., Etisalat
     • Local ID – Enter local ID. E.g., UAE-Etisalat
     • Network Addresses – Enter the Inside IP Address of the customer gateway (without the /30). E.g., IPsec tunnel 1 169.254.124.158 and for IPsec tunnel 2 169.254.209.10.
   • In the DESTINATION section, specify values for the following:
     • Remote Gateway – Enter the Outside IP address of the Virtual Private Gateway.
     • Remote ID – Enter the Outside IP address of the Virtual Private Gateway.
     • Network Address – Enter the Inside IP address of the Virtual Private Gateway. E.g., IPsec tunnel 1 169.254.124.157 and for IPsec tunnel 2 169.254.209.9.
7. Click Next.
8. In the Phases tab, enter the Phase1 and Phase2 encryption settings:
   • Phase 1
     
     
   • Phase 2
     
     

   • The following values are supported for a tunnel to the AWS VPN gateway:

     	Phase 1	Phase 2
     Encryption	AES AES 256	AES AES 256
     Hash	SHA SHA256	SHA SHA256
     DH-Group	Group 2 Group 14 Group 15 Group 16 Group 17 Group 18  Group 22 Group 23 Group 24	Group 2 Group 5 Group 14 Group 15 Group 16 Group 17 Group 18 Group 22 Group 23 Group 24
     Lifetime(sec)	28800	3600

     
     

9. Click Next.
10. In the Network tab, specify the values for the following:
    In the NETWORK SETTINGS section, specify the values for the following: 
    
    • Force UDP Encapsulation – Click to enable.  

    • IKE Reauthentication – Click to disable. 

    In the DEAD PEER DETECTION section, specify the values for the following: 
    • Action When Detected – Select Restart.
    • Delay – Enter 10.


11. Click Save.
12. Verify that your IPsec tunnel configuration has been created successfully and click Finish.

AWS VPN Status in the Amazon AWS Management Interface

1. Go to the Amazon VPC Management Console.
2. In the left menu, click Site-to-Site VPN Connections.
3. Search for your connection created in Step 1.
4. Click Tunnel Details.