I am currently having sleepless nights with an AWS VPN connection.
Scenario :
One of our clients sent a downloaded config file (step-by-step instructions) directly from their AWS VPC for us to configure on our MikroTik CCR1036 running RouterOS 6.44.5. Unfortunately, RouterOS 6.36 is the only available option in the drop-down menu on AWS.
I tried to follow the said config file, but unfortunately we still can't access the tunnel from AWS.
I hope I can get any helpful information to figure this out.
Here's the file from AWS.
! Amazon Web Services
! Virtual Private Cloud
==============================================================================
VPN Connection Configuration
==============================================================================
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
! Your VPN Connection ID : vpn-#######
! Your Virtual Private Gateway ID : vgw-#######
! Your Customer Gateway ID : cgw-#######
! This configuration consists of two tunnels. Both tunnels must be configured on your Customer Gateway, but only one of those tunnels should be up at any given time.
! Note that Mikrotik RouterOS does not support Active/Active or Active/Standby setup with AWS hosted VPN solution.
! At this time this configuration has only been tested for RouterOS 6.36, but may work with other versions.
! This configuration uses the Winbox utility to configure the IPsec VPN connection. Winbox is a small utility that allows administration of Mikrotik RouterOS using a fast and simple GUI.
! You can download this utility from: https://mikrotik.com/download
==============================================================================
! IPSec Tunnel #1
==============================================================================
! #1: IPSec Proposal Configuration
!
! An IPsec proposal defines the IPsec parameters for encryption, authentication, Diffie-Hellman, and lifetime.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH
! groups like 2, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
Go to IP Tab --> IPsec --> Proposals
a. Click on "+" button
b. Name: ipsec-vpn-9414f5fd-0
c. Auth. Algorithms: sha1
d. Encr. Algorithms: aes-128-cbc
e. Lifetime: 01:00:00
f. PFS Group: modp1024
g. Select Apply and Ok
!---------------------------------------------------------------------------------
! #2: Internet Key Exchange
!
! A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman, lifetime,
! and key parameters. The IKE peer is configured with the supported IKE encryption, authentication, Diffie-Hellman, lifetime, and key
! parameters. Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH
! groups like 2, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT). To
! ensure that NAT traversal (NAT-T) can function, you must use the corresponding IP as the "Local Address".
! Create an IKE policy permitting traffic from your local subnet to the VPC subnet.
Go to IP Tab --> IPsec --> Policies
1) Click on "+" button and select the General Tab
a. Src. Address: local subnet/mask
b. Dst. Address: AWS VPC subnet/mask
2) Click on Action Tab
a. Select Tunnel
b. SA Src. Address: $WAN1 IP
c. SA Dst. Address: $Tunnel1 IP
d. Proposal: ipsec-vpn-9414f5fd-0
e. Select Apply and Ok
! Create an IKE policy permitting traffic from the Inside IP associated with your Customer Gateway to the inside IP associated with the Virtual Private Gateway.
Go to IP Tab --> IPsec --> Policies
3) Click on "+" button and select the General Tab
a. Src. Address: 169.254.34.10
b. Dst. Address: 169.254.34.9
4) Click on Action Tab
a. Select Tunnel
b. SA Src. Address: $WAN1 IP
c. SA Dst. Address: $Tunnel1 IP
d. Proposal: ipsec-vpn-9414f5fd-0
e. Select Apply and Ok
Go to IP Tab --> IPsec --> Peers
5) Click on "+" button
a. Address: $Tunnel1 IP
b. Local Address: $WAN1 IP
c. Secret: $Tunnel1 Secret
d. Hash Algorithm: sha1
e. Encryption Algorithm: aes-128
f. DH Group: modp1024
g. Lifetime: 08:00:00
h. DPD Interval: 10
i. DPD Maximum Failures: 3
j. Select Apply and Ok
! ----------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
Go to IP Tab --> Addresses
a. Click on "+" button
b. Address: 169.254.34.10/30
c. Interface: Select the WAN/Outside interface
d. Select Apply and Ok
! ----------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
! will announce the prefix corresponding to your VPC.
!
! The local BGP Autonomous System Number (ASN): 65000
! is configured as part of your Customer Gateway. If the ASN must
! be changed, the Customer Gateway and VPN Connection will need to be recreated with AWS.
Go to Routing Tab --> BGP --> Peer
a. Click on "+" button and select the General Tab
b. Name: BGP-vpn-######-0
c. Remote Address: 169.254.34.9
d. Remote AS: 7224
e. Hold Time: 30
f. Keepalive Time: 10
g. Select Apply and Ok
! Your Customer Gateway needs to advertise the local prefixes to AWS. An example for a local prefix with a subnet/mask of 10.0.0.0/16 is provided below:
Go to Routing Tab --> BGP --> Networks
a. Click on "+" button
b. Network: 10.0.0.0/16
c. Select Apply and Ok
! ----------------------------------------------------------------------------
! #5: NAT Exemption
!
! If you are performing NAT on your Customer Gateway, you may have to add a nat exemption rule to permit traffic from your local subnet to the VPC subnet and vice versa.
! This example rule permits all traffic from the local subnet to the VPC subnet.
Go to IP Tab --> Firewall --> NAT
1) Click on "+" button and select the General Tab
a. Chain: srcnat
b. Src. Address: local subnet/mask
c. Dst. Address: AWS VPC subnet/mask
2) Click on Action Tab
a. Action = accept
b. Select Apply and Ok
! Similarly, create a firewall rule permitting traffic from the Inside IP associated with your Customer Gateway to the IP associated with the Virtual Private Gateway.
3) Click on "+" button and select the General Tab
a. Chain: srcnat
b. Src. Address: 169.254.34.10
c. Dst. Address: 169.254.34.9
4) Click on Action Tab
a. Action = accept
b. Select Apply and Ok
! Note that there may be multiple firewall rules configured on your Customer Gateway. These rules may be conflicting with the nat exemption rule.
! It is recommended to position the nat exemption rules such that they are evaluated in an order before any other conflicting policy.
==============================================================================
! IPSec Tunnel #2
==============================================================================
! #1: IPSec Proposal Configuration
!
! An IPsec proposal defines the IPsec parameters for encryption, authentication, Diffie-Hellman, and lifetime.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH
! groups like 2, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
Go to IP Tab --> IPsec --> Proposals
a. Click on "+" button
b. Name: ipsec-vpn-#######-1
c. Auth. Algorithms: sha1
d. Encr. Algorithms: aes-128-cbc
e. Lifetime: 01:00:00
f. PFS Group: modp1024
g. Select Apply and Ok
!---------------------------------------------------------------------------------
! #2: Internet Key Exchange
!
! A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman, lifetime,
! and key parameters. The IKE peer is configured with the supported IKE encryption, authentication, Diffie-Hellman, lifetime, and key
! parameters. Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH
! groups like 2, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT). To
! ensure that NAT traversal (NAT-T) can function, you must use the corresponding IP as the "Local Address".
! Create an IKE policy permitting traffic from your local subnet to the VPC subnet.
Go to IP Tab --> IPsec --> Policies
1) Click on "+" button and select the General Tab
a. Src. Address: local subnet/mask
b. Dst. Address: AWS VPC subnet/mask
2) Click on Action Tab
a. Select Tunnel
b. SA Src. Address: $WAN1 IP
c. SA Dst. Address: $Tunnel2 IP
d. Proposal: ipsec-vpn-9414f5fd-1
e. Select Apply and Ok
! Create an IKE policy permitting traffic from the Inside IP associated with your Customer Gateway to the inside IP associated with the Virtual Private Gateway.
Go to IP Tab --> IPsec --> Policies
3) Click on "+" button and select the General Tab
a. Src. Address: 169.254.33.6
b. Dst. Address: 169.254.33.5
4) Click on Action Tab
a. Select Tunnel
b. SA Src. Address: $WAN1 IP
c. SA Dst. Address: $Tunnel2 IP
d. Proposal: ipsec-vpn-9414f5fd-1
e. Select Apply and Ok
Go to IP Tab --> IPsec --> Peers
5) Click on "+" button
a. Address: $Tunnel2 IP
b. Local Address: $WAN1 IP
c. Secret: $Tunnel2 Secret
d. Hash Algorithm: sha1
e. Encryption Algorithm: aes-128
f. DH Group: modp1024
g. Lifetime: 08:00:00
h. DPD Interval: 10
i. DPD Maximum Failures: 3
j. Select Apply and Ok
! ----------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
Go to IP Tab --> Addresses
a. Click on "+" button
b. Address: 169.254.33.6/30
c. Interface: Select the WAN/Outside interface
d. Select Apply and Ok
! ----------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
! will announce the prefix corresponding to your VPC.
!
! The local BGP Autonomous System Number (ASN): 65000
! is configured as part of your Customer Gateway. If the ASN must
! be changed, the Customer Gateway and VPN Connection will need to be recreated with AWS.
Go to Routing Tab --> BGP --> Peer
a. Click on "+" button and select the General Tab
b. Name: BGP-vpn-#######-1
c. Remote Address: 169.254.33.5
d. Remote AS: 7224
e. Hold Time: 30
f. Keepalive Time: 10
g. Select Apply and Ok
! Your Customer Gateway needs to advertise the local prefixes to AWS. An example for a local prefix with a subnet/mask of 10.0.0.0/16 is provided below:
Go to Routing Tab --> BGP --> Networks
a. Click on "+" button
b. Network: 10.0.0.0/16
c. Select Apply and Ok
! ----------------------------------------------------------------------------
! #5: NAT Exemption
!
! If you are performing NAT on your Customer Gateway, you may have to add a nat exemption rule to permit traffic from your local subnet to the VPC subnet and vice versa.
! This example rule permits all traffic from the local subnet to the VPC subnet.
Go to IP Tab --> Firewall --> NAT
1) Click on "+" button and select the General Tab
a. Chain: srcnat
b. Src. Address: local subnet/mask
c. Dst. Address: AWS VPC subnet/mask
2) Click on Action Tab
a. Action = accept
b. Select Apply and Ok
! Similarly, create a firewall rule permitting traffic from the Inside IP associated with your Customer Gateway to the IP associated with the Virtual Private Gateway.
3) Click on "+" button and select the General Tab
a. Chain: srcnat
b. Src. Address: 169.254.33.6
c. Dst. Address: 169.254.33.5
4) Click on Action Tab
a. Action = accept
b. Select Apply and Ok
! Note that there may be multiple firewall rules configured on your Customer Gateway. These rules may be conflicting with the nat exemption rule.
! It is recommended to position the nat exemption rules such that they are evaluated in an order before any other conflicting policy.
!---------------------------------------------------------------------------------------
!
! Additional Notes and Questions
! - Amazon Virtual Private Cloud Getting Started Guide:
! http://docs.amazonwebservices.com/Amazo ... artedGuide
! - Amazon Virtual Private Cloud Network Administrator Guide:
! http://docs.amazonwebservices.com/Amazo ... AdminGuide
! - Generic VPN tunnel connectivity Connectivity:
! https://aws.amazon.com/premiumsupport/k ... eshooting/
!
!---------------------------------------------------------------------------------------
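The Winbox steps in the AWS file were written against RouterOS 6.36, where the hash, encryption, DH group and secret all sit on the IPsec peer. On 6.43 and later (so on 6.44.5) those settings were split into a profile (phase 1 parameters), a peer (addresses) and an identity (authentication), and the Winbox menus moved accordingly, so the file's "Peers" step cannot be followed literally. The following is an added example written for this thread, not part of the AWS file or of any MikroTik document: tunnel #1 of the configuration above transcribed to the 6.44 CLI, plus the input-chain rules and the status checks a practitioner would want. Everything concrete in it is an assumption to be replaced: WAN1 IP 203.0.113.10 on ether1, AWS tunnel #1 outside IP 198.51.100.5, VPC CIDR 172.31.0.0/16, local LAN 10.0.0.0/16 (the file's own example), the pre-shared key, and the object names.

```routeros
# Added example for this thread (not AWS or MikroTik text). RouterOS 6.44 CLI,
# AWS tunnel #1 only. All addresses, names and the secret below are placeholders.

# Phase 1 (IKE) parameters. On 6.43+ they live in a profile, not on the peer.
# sha1/modp1024 is the AWS minimum from the file; use sha256/modp2048 if the
# VPN category allows it (the file says category "VPN" does, "VPN-Classic" does not).
/ip ipsec profile
add name=aws-vpn-0 hash-algorithm=sha1 enc-algorithm=aes-128 dh-group=modp1024 \
    lifetime=8h nat-traversal=yes dpd-interval=10s dpd-maximum-failures=3

# Phase 2 (IPsec) proposal, same values as step #1 of the file.
/ip ipsec proposal
add name=ipsec-vpn-9414f5fd-0 auth-algorithms=sha1 enc-algorithms=aes-128-cbc \
    lifetime=1h pfs-group=modp1024

# The peer: AWS tunnel #1 outside address ($Tunnel1 IP) and our static WAN address ($WAN1 IP).
/ip ipsec peer
add name=aws-tunnel-0 address=198.51.100.5/32 local-address=203.0.113.10 \
    profile=aws-vpn-0 exchange-mode=main

# On 6.44 the pre-shared key ($Tunnel1 Secret) belongs to an identity, not the peer.
/ip ipsec identity
add peer=aws-tunnel-0 auth-method=pre-shared-key secret="REPLACE-WITH-TUNNEL1-SECRET"

# Policies: LAN <-> VPC, and the /30 inside addresses so BGP can run over the tunnel.
# With peer= set, the SA source/destination come from that peer (6.43+ behaviour).
/ip ipsec policy
add peer=aws-tunnel-0 tunnel=yes src-address=10.0.0.0/16 dst-address=172.31.0.0/16 \
    proposal=ipsec-vpn-9414f5fd-0
add peer=aws-tunnel-0 tunnel=yes src-address=169.254.34.10/32 dst-address=169.254.34.9/32 \
    proposal=ipsec-vpn-9414f5fd-0

# Inside tunnel address on the WAN interface, as step #3 of the file instructs.
/ip address
add address=169.254.34.10/30 interface=ether1 comment="AWS tunnel #1 inside"

# NAT exemption (step #5). place-before=0 puts it ahead of any masquerade rule.
/ip firewall nat
add chain=srcnat src-address=10.0.0.0/16 dst-address=172.31.0.0/16 action=accept place-before=0
add chain=srcnat src-address=169.254.34.10 dst-address=169.254.34.9 action=accept place-before=0

# Not in the AWS file: if the input chain drops by default, IKE (UDP/500),
# NAT-T (UDP/4500) and ESP from the AWS endpoint must be accepted or phase 1 never completes.
/ip firewall filter
add chain=input src-address=198.51.100.5 protocol=udp dst-port=500,4500 action=accept place-before=0
add chain=input src-address=198.51.100.5 protocol=ipsec-esp action=accept place-before=0

# BGP (step #4): our ASN 65000 from the Customer Gateway, AWS side 7224.
/routing bgp instance
set default as=65000 router-id=203.0.113.10
/routing bgp peer
add name=BGP-vpn-9414f5fd-0 instance=default remote-address=169.254.34.9 remote-as=7224 \
    hold-time=30s keepalive-time=10s
/routing bgp network
add network=10.0.0.0/16

# Checks, in the order the tunnel comes up:
#   1. phase 1: the peer should be listed as established
#   2. phase 2: both policies should show PH2 State "established"
#   3. BGP: state "established", and the VPC prefix should appear in /ip route
/ip ipsec active-peers print
/ip ipsec policy print
/routing bgp peer print status
/ip route print where bgp
# For phase 1/2 failures, enable IPsec logging and read the negotiation errors:
/system logging add topics=ipsec action=memory
/log print where topics~"ipsec"
```

Tunnel #2 is the same block again with the -1 proposal name, the AWS tunnel #2 outside IP and secret, and the 169.254.33.6/169.254.33.5 inside pair; per the file's note, keep only one of the two tunnels enabled. When testing, do it in the order of the checks above: if `active-peers` shows nothing, the problem is reachability, the input-chain rules or the pre-shared key, and the policies and BGP cannot be the cause yet; if phase 1 is up but the policies stay idle, the proposal or the policy selectors do not match what AWS expects; if IPsec is fully up but BGP is not, confirm the 169.254.34.10/30 address is on the WAN interface and that the /30 policy exists, since the BGP session itself has to travel inside the tunnel.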