If you are using the Amazon Virtual Private Cloud, you can transparently extend your local network to the cloud by connecting both networks with a site-to-site IKEv1 IPsec VPN tunnel. The Amazon virtual private gateway uses one IKEv1 IPsec VPN tunnel in combination with BGP. The second IPsec tunnel offered by the AWS gateway is not used, because the identifier sent by AWS causes rekeying issues that do not occur when only one tunnel is used.
Before You Begin
- Create an Amazon Virtual Private Cloud (VPC).
- Create at least one subnet in the VPC.
- Create and configure the Amazon Routing Table.
Step 1. Create the Amazon VPN Gateway
Step 1.1 Create a Virtual Private Gateway
The Amazon virtual private gateway is the VPN concentrator on the remote side of the IPsec VPN connection.
- Go to the Amazon VPC Management Console.
- In the left menu, click Virtual Private Gateways.
- Click Create Virtual Private Gateway.
- Enter the Name tag for the VPN gateway.
- Click Yes, Create.
- Select the newly created virtual private gateway, and click Attach to VPC.
- Select your VPC from the VPC list, and click Yes, Attach.
The virtual private gateway is now available.
Step 1.2. Add Your Customer Gateway Configuration
The Amazon customer gateway is your Barracuda NextGen Firewall F-Series on your end of the VPN connection. Specify your external IP address and routing type in the customer gateway configuration:
- Go to the Amazon VPC Management Console.
- In the left menu, click Customer Gateway.
- Click Create Customer Gateway.
- Enter the connection information for your Barracuda Firewall:
  - Name Tag – Enter a name for your device (e.g., My Barracuda NextGen Firewall F-Series).
  - Routing – Select Dynamic.
  - IP Address – Enter your external IP address. To look up your external IP address, go to CONTROL > Network.
- Click Yes, Create.
Your Barracuda NextGen Firewall F-Series is now configured in the AWS cloud and can be used to configure VPN connections.
Step 1.3. Create a VPN Connection
Create a VPN connection with the customer gateway and the virtual private gateway that you just created. Then download the VPN configuration file because it contains all the necessary information for configuring the VPN connection on the Barracuda NextGen Firewall F-Series.
- Go to the Amazon VPC Management Console.
- In the left menu, click VPN Connections.
- Click Create VPN Connection.
- In the Create VPN Connection window, enter the configuration information for your VPN connection:
  - Name tag – Enter a name for your VPN connection (e.g., NG2AWSCloud).
  - Virtual Private Gateway – Select the virtual private gateway created in Step 1.
  - Routing Options – Select Dynamic (requires BGP).
- Click Yes, Create.
- Click Download Configuration.
- Select generic vendor and platform settings for the configuration file:
  - Vendor – Select Generic.
  - Platform – Select Generic.
  - Software – Select Vendor Agnostic.
- Click Yes, Download, and save the vpn-….txt file.
Step 2. Configure the IPsec Tunnel on the firewall
Create a next-hop-interface and then configure one IPsec site-to-site VPN tunnel using the settings for the IPsec Tunnel #1. Use the IP addresses provided in the Amazon generic VPN configuration file you downloaded at the end of Step 1.
Step 2.1. Create VPN Next-hop Interfaces
For each IPsec tunnel, a VPN next-hop interface must be created. Use the IP addresses provided in the Amazon generic VPN configuration file you downloaded at the end of Step 1.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > VPN Settings .
- Click Lock.
- Click on Click here for Server Settings.
- Click on the Advanced tab.
- Create a VPN next hop interface for each IPsec tunnel by clicking Add in the VPN Next Hop Interface Configuration section.
- In the VPN Interface Properties window enter:
  - VPN Interface Index – Enter a number between 0 and 99. Each interface index number must be unique. E.g., IPsec tunnel 1: 10
  - MTU – Enter 1436.
  - IP Addresses – Enter the Inside IP Address for the Customer Gateway provided by Amazon. E.g., IPsec tunnel 1: 169.254.254.58/30
- Click OK.
- Click Send Changes and Activate.
Step 2.2. Configure Two Site-to-Site IPsec Tunnels
Configure a site-to-site IPsec tunnel using the VPN next-hop interface.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > Site to Site .
- Click on the IPsec IKEv1 Tunnels tab.
- Click Lock.
- For each IPsec tunnel, right-click and click New IPsec IKEv1 tunnel.
- Enter the IPsec tunnel configurations:
  - Enter a Name. E.g., IPsec Tunnel 1: IPsecAWSTunnel1
  - Enter the Phase 1 and Phase 2 settings:

| Setting | Phase 1 | Phase 2 |
|---|---|---|
| Encryption | AES | AES |
| Hash Meth. | SHA | SHA |
| DH-Group | Group 2 | Group 2 |
| Lifetime (sec) | 28800 | 3600 |
| Perfect Forward Secrecy | Enable | - |

  - In the Local Networks tab:
    - Local IKE Gateway – Enter your external IP address. If you are using a dynamic WAN interface, enter 0.0.0.0.
    - ID-type – Select IPV4_ADDR_SUBNET (explicit).
    - Explicit Network – Enter 0.0.0.0/0.
    - Network Address – Enter the Inside IP Address of the Customer Gateway (without the /30) and click Add. E.g., IPsec tunnel 1: 169.254.254.58
  - In the Remote Networks tab:
    - Remote IKE Gateway – Enter the Outside IP Address of the Virtual Private Gateway.
    - ID-type – Select IPV4_ADDR_SUBNET (explicit).
    - Explicit Network – Enter 0.0.0.0/0.
  - In the Peer Identification tab:
    - Shared Secret – Enter the Amazon Pre-Shared Key.
  - In the Advanced tab:
    - DPD intervals (s) – Enter 10.
    - Interface Index – Enter the VPN Next Hop Interface index number you entered when creating the VPN next-hop interface. E.g., IPsec tunnel 1: 10
    - VPN Next Hop Routing – Enter the Inside IP address of the Virtual Private Gateway. E.g., IPsec tunnel 1: 169.254.254.57
- Click OK.
- Click Send Changes and Activate.
The VPN next-hop interface is now listed in the Interfaces/IPs section on the CONTROL > Network page, and the VPN tunnels are shown on the CONTROL > VPN > STATUS page.
Step 3. Configure the BGP Service
Configure BGP routing to learn the subnets on the other side of the VPN tunnels. The BGP route propagated by the second (backup) IPsec tunnel is artificially lengthened so that traffic is routed by default over the first IPsec tunnel, as suggested by Amazon.
Step 3.1. Configure Routes to be Advertised via BGP
Only routes with the parameter Advertise set to yes will be propagated via BGP.
- Go to CONFIGURATION > Configuration Tree > Box > Network .
- Click Lock.
- (optional) To propagate the management network, set Advertise Route to yes.
- In the left menu, click on Routing.
- Double-click on the Routes you want to propagate, and set Advertise Route to yes.
- Click OK.
- Click Send Changes and Activate.
Step 3.2. Configure the BGP Routes
Configure the BGP setting for the BGP service on the Barracuda NextGen Firewall F-Series.
- Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings .
- Select yes from the Run BGP Router list.
- Select advertise-learn from the Operations Mode list.
- In the left menu, click BGP Router Setup.
- Enter the AS Number (e.g., 64555).
- In the Networks table, add the local network(s) (e.g., 10.10.200.0/24).
- In the left menu, expand Configuration Mode and click Switch to Advanced Mode.
- Click the Set button for the Advanced Settings. The Advanced Settings window opens.
- Set the Hold timer to 30 seconds.
- Set the Keep Alive Timer to 10 seconds.
- Click OK.
- Click Send Changes and Activate.
Step 3.3. Add a BGP Neighbor for the IPsec Tunnel
To dynamically learn the routing of the neighboring network, set up a BGP neighbor for the VPN next-hop interface.
- In the left menu of the OSPF/RIP/BGP Settings page, click Neighbor Setup IPv4.
- Click Lock.
- For each IPsec tunnel, click the plus sign (+) next to the Neighbors table to add a new neighbor.
- Enter a Name for the neighbor. E.g., AWS1 and AWS2
- In the Neighbors window, configure the following settings in the Usage and IP section:
  - Neighbor IPv4 – Enter the Inside IP Address of the Virtual Private Gateway (the remote address for the VPN next-hop interface on the NextGen Firewall F-Series). E.g., IPsec Tunnel 1: 169.254.254.57
  - OSPF Routing Protocol Usage – Select no.
  - RIP Routing Protocol Usage – Select no.
  - BGP Routing Protocol Usage – Select yes.
- In the BGP Parameters section, configure the following settings:
  - AS Number – Enter the ASN for the remote network: 9059
  - Update Source – Select Interface.
  - Update Source Interface – Enter the vpnr interface for the IPsec tunnel. E.g., IPsec Tunnel 1: vpnr10
- Click OK.
- Click Send Changes and Activate.
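The values entered by hand in Steps 2 and 3 all come from the downloaded Amazon generic configuration file. The following script is an added example, not Barracuda or AWS code: it parses a constructed sample modelled on that file (the real file's labels may differ), maps the values onto the firewall fields used above, and rejects inside addresses that do not form a matching /30 pair, which is the most common copy-and-paste mistake in this procedure.

```python
import ipaddress
import re

# Constructed sample modelled on the AWS "Generic / Vendor Agnostic" file,
# section for IPsec Tunnel #1; addresses and the PSK are placeholders.
SAMPLE_CONFIG = """\
IPSec Tunnel #1
  - Pre-Shared Key           : EXAMPLE-PSK-REPLACE-ME
  Outside IP Addresses:
    - Customer Gateway        : 203.0.113.10
    - Virtual Private Gateway : 198.51.100.20
  Inside IP Addresses
    - Customer Gateway        : 169.254.254.58/30
    - Virtual Private Gateway : 169.254.254.57/30
  BGP Configuration Options:
    - Customer Gateway ASN         : 64555
    - Virtual Private  Gateway ASN : 9059
"""

def parse_tunnel(text):
    """Return {(section, label): value} for one tunnel section of the file."""
    fields, section = {}, "ike"
    for line in text.splitlines():
        s = line.strip()
        if s.startswith(("Outside IP", "Inside IP", "BGP")):
            section = s.split()[0].lower()          # outside / inside / bgp
            continue
        m = re.match(r"-\s*(.+?)\s*:\s*(\S+)", s)
        if m:                                        # collapse doubled spaces in labels
            fields[(section, " ".join(m.group(1).split()))] = m.group(2)
    return fields

def firewall_settings(fields):
    """Map the parsed values onto the Barracuda fields used in Steps 2 and 3."""
    cgw_in = ipaddress.ip_interface(fields[("inside", "Customer Gateway")])
    vgw_in = ipaddress.ip_interface(fields[("inside", "Virtual Private Gateway")])
    # Both ends must sit in the same /30 and be distinct hosts.
    if cgw_in.network != vgw_in.network or cgw_in.ip == vgw_in.ip:
        raise ValueError("inside addresses are not a matching /30 pair")
    return {
        "vpn_next_hop_interface_ip": str(cgw_in),            # Step 2.1, with /30
        "local_network_address": str(cgw_in.ip),            # Step 2.2, without /30
        "remote_ike_gateway": fields[("outside", "Virtual Private Gateway")],
        "vpn_next_hop_routing": str(vgw_in.ip),             # Step 2.2, Advanced tab
        "shared_secret": fields[("ike", "Pre-Shared Key")],
        "bgp_neighbor_ipv4": str(vgw_in.ip),                # Step 3.3
        "local_asn": int(fields[("bgp", "Customer Gateway ASN")]),
        "remote_asn": int(fields[("bgp", "Virtual Private Gateway ASN")]),
    }
```

Call `firewall_settings(parse_tunnel(open("vpn-….txt").read()))` on the section for Tunnel #1 to get a checklist of values to type into the firewall.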
Step 4. Create an Access Rule for VPN Traffic
To allow traffic to and from the VPN networks, a pass access rule is needed. You also need to set the Clear DF bit and Force Maximum Segment Size settings according to the Amazon configuration file in the advanced firewall rule settings. You also need to set Reverse Interface (Bi-directional) to Any to allow return traffic using a different VPN tunnel than was used to initiate the connection.
- Create a Pass access rule:
- Bi-Directional – Enable.
- Source – Select the local network(s) you are propagating via BGP.
- Service – Select the service you want to have access to the remote network or ALL for complete access.
- Destination – Select the remote VPC subnet(s).
- Connection Method – Select Original IP.
- In the left menu, click on Advanced.
- In the TCP Policy section, set Force MSS (Maximum Segment Size) to 1350.
- In the Miscellaneous section, set Clear DF Bit to Yes.
- In the Dynamic Interface Handling section, set Reverse Interface (Bi-directional) to Any.
- Click OK.
- Move the access rule up in the rule list, so that it is the first rule to match the firewall traffic.
- Click Send Changes and Activate.
You now have two IPsec VPN tunnels connecting your F-Series firewalls to the Amazon AWS cloud. By default, the first IPsec tunnel is chosen. In case of a failure, it may take some time for BGP to learn the new routes.
IPsec Tunnels are connected
BGP Configuration (CONTROL > NETWORK > BGP)
AWS VPN status in the Amazon AWS management interface