Quick Configs Juniper – AWS IPsec Site to Site VPN

Let's briefly discuss setting up an AWS IPsec site-to-site VPN connection to a Juniper SRX device. In this example my internal on-premises network is on the 192.168.1.0/24 range; my internal interface is the one ending in 1 and my external is the one ending in 0. My AWS infrastructure is using these external addresses, which will of course be different for your infrastructure, and I'm using the internal range over here. The steps needed to create the AWS side of the connection are listed above, and I will show you how to do that.

So let's get started on AWS. The first thing that you might want to configure is an AWS instance, or a virtual machine; in this case I'm using a Windows Server 2012. You can just select that and go through the steps, and you will basically end up with (if I can close this somehow, it's just a preview) an instance that is using an internal IP. In this case I have an IP in the 172.31 range, and it will also get a public DNS resolvable name by default, so these instances are reachable from the outside by default. This instance is associated with a VPC, which is a virtualized network. So how do you configure a VPC? You just go to Services (this is in my history over here) and select VPC. Let me minimize this. This is the default VPC that's provided by Amazon, at least in my case it was, and it's using this internal subnet range, 172.31. This VPC is associated with a specific route table and a network ACL, and it consists of the following three subnets: 172.31.0.0/20, 172.31.32.0/20 and 172.31.16.0/20. Those three subnets make up the entire virtual network. This virtual network is also associated with a route table, which I will talk about later, and with a network ACL. The network ACL basically specifies what is allowed; in this case everything is allowed out and everything is allowed in. When we create an instance we also create a security group; in this case I have added an all-traffic rule as well. By default, when you create the Server 2012 virtual machine it will be associated with its own security group, which will have the RDP port enabled by default and everything allowed outbound. In this case, for testing purposes, I have enabled all traffic, which is of course not required.

When we create a customer gateway, this is the first thing that we want to do when we set up a VPN connection. The customer gateway basically points to our internal infrastructure. You do that by creating a customer gateway: you specify the IP address, the external IP address of your SRX. In this case I'm using static routing; you can also use BGP, which is dynamic routing. You just give it a name and you click on Create. The virtual private gateway will point to the other side of the infrastructure, which is the AWS virtual network. You create that by selecting Create Virtual Private Gateway; you just have to give it a name and then you say attach to VPC, so this one will actually attach to this VPC over here. Finally you create a VPN connection. In this case I've already created it and it's up already, because I didn't want to make this a very long video by waiting for it all to come online. You create a VPN connection by selecting Create VPN Connection; you give it a name, you associate it with the virtual private gateway and the customer gateway that you have previously created, and you can either set it to dynamic routing or static. When you set it to static you have to enter the subnet of your on-premises network, in my case 192.168.1.0/24. That's basically how you create a VPN connection. The final step is to verify that those static routes have made it across; otherwise you can add and edit additional static routes over here.

Finally, the last step is making sure that we have the routing in place. One part of the routing for this VPC is to the internal network, so you can see here we have a local target active route, which is 172.31.0.0/16, and we have a default gateway that's pointing to this igw, which stands for Internet gateway. However, we also need to have this specific route which will allow it to connect to the virtual gateway. You can do that using two methods: you can say Edit and manually add it here and then point it to the virtual gateway, whatever name it might have, or you can look here at Route Propagation. This will show up after the virtual private gateway has been created, and then you can just say Edit and Propagate, and then it will show up here. So that's basically what I have done.

So let's make sure we have connectivity. AWS automatically checks if it has connectivity to the Internet, so we have instance reachability here. I will be able to manage this device using RDP from the outside, but I want to connect to it from this private IP, so let me note that down.

So how do you create the SRX side of the connection? You just go to the VPN connections over here, right click here and say Download Configuration. You select Juniper (or whatever vendor you might have) and J-Series; that's the only option we have. Once you do that you will basically get this file. This file is specific to my configuration: it has these addresses used by AWS, which correspond with the ones that I put over here, and these will be different for you of course. I've added the updated version of this file, which basically strips this file of all the information and notes that aren't needed, and this is this one over here. I added that to the files on OneDrive, but you have to make sure to note that these addresses will not be the same for you. Some other differences that I had to change from the default configuration: this external interface. It used to be Gigabit Ethernet, that's the default, however I had to change it to Fast Ethernet because my SRX does not support gigabit. The other thing that we want to make sure that we change, let me highlight this, is the static route. The static routes point to the secure tunnel interface; the default one has something like 10.0.0.0/16 and I changed that to 172.31 over here. Again, over here we have the Fast Ethernet interface, and over here again we have the static route.

So the AWS config is a lot more extensive than the Azure config, because it actually creates two tunnels. If one of the tunnels is down (I can show it over here as well) the other will take over, so you have some form of redundancy over here. The other thing to notice, of course, is that this is a very large config, but luckily we can just paste it in, which is what I've done on my SRX. So if I go to my SRX, I've already set this up. If I run show security ike security-associations, I can see that I have two tunnels over here, two active phase 1. If I run show security ipsec security-associations I should have four, one for each direction for each tunnel, so four in total. If you go back to this config you can see that it creates two secure tunnel interfaces and uses the 169 address range, which is very specific to AWS. I'm not a hundred percent sure how that actually works; I just pasted in the config, which is very handy of course. If I run show security zones, I can see that the AWS config actually placed the secure tunnel interfaces in the trust zone; that's what's being added to this configuration. So we have trust and untrust. If you are using an SRX and you have other names like internal, external, internet zone, whatever it might be, you want to update these names to reflect your zones. In my case I'm using trust and untrust, and the secure tunnel interfaces are added to the trust zone. However, just having that configuration in my case was not enough. I had to actually manually configure a rule from zone untrust to zone trust to allow all, because it basically loops through the Juniper operating system in order to make this connection work, having these 169 addresses. Again, I'm not sure how that actually works, but I had to add this rule in here, otherwise I would not have reachability.

So if I run ping, whatever that address was, let me go back to it and copy this, sourced from 192.168.1.1, I should have reachability to that virtual machine. Likewise, if I open up a remote desktop connection I should be able to connect to it. Over here we can see the IP address and the information of that machine. One other difference between AWS and Azure: AWS will automatically create an ICMP firewall rule, which is why this ping over here is working; with Azure you had to manually create that rule yourself. If you're interested in the Azure config I have another video about that.

So that's basically it. The one thing to take note of is that when you download this config you have to strip it of information that is not relevant, and you have to manually specify these static routes. The other thing is that you might have to add this security policy from zone untrust to zone trust in order to make these things work. So that's basically it. I hope this has been informative, thank you.
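The three SRX-side edits described above (interface name, static routes, zone and policy) plus the verification commands, as an added Junos example; this is not the AWS-generated template or the author's own OneDrive file. Assumed: the external port is fe-0/0/0 (the template defaults to ge-0/0/0), the template's two tunnel interfaces are st0.1 and st0.2, its placeholder static route is 10.0.0.0/16, the VPC prefix is 172.31.0.0/16, and the instance's private IP is a placeholder.

```junos
## Added example, not the AWS template. Run in configuration mode after
## pasting the downloaded template.
configure

## 1. Interface name: the template references ge-0/0/0 (e.g. in the IKE
##    gateway external-interface); this SRX only has fe- ports.
replace pattern ge-0/0/0 with fe-0/0/0

## 2. Static routes: replace the template's placeholder prefix with the VPC
##    prefix, one route per tunnel interface so the second tunnel takes over.
delete routing-options static route 10.0.0.0/16
set routing-options static route 172.31.0.0/16 next-hop st0.1
set routing-options static route 172.31.0.0/16 next-hop st0.2

## 3. Zones: the tunnel interfaces in trust, as the template does. Rename
##    "trust"/"untrust" if your SRX uses other zone names.
set security zones security-zone trust interfaces st0.1
set security zones security-zone trust interfaces st0.2

## 4. The extra untrust->trust policy the video needed. Shown as the
##    allow-all the video describes; once traffic flows, check
##    "show security flow session" and narrow source/destination to
##    the VPC and on-prem prefixes that actually appear.
set security policies from-zone untrust to-zone trust policy aws-vpn-in match source-address any
set security policies from-zone untrust to-zone trust policy aws-vpn-in match destination-address any
set security policies from-zone untrust to-zone trust policy aws-vpn-in match application any
set security policies from-zone untrust to-zone trust policy aws-vpn-in then permit

commit check
commit and-quit

## Verification (operational mode): two IKE SAs (one per tunnel) and four
## IPsec SAs (inbound + outbound per tunnel); routes to the VPC via st0.
show security ike security-associations
show security ipsec security-associations
show security zones
show route 172.31.0.0/16
## <instance-private-ip> is a placeholder for the EC2 instance's 172.31.x.x address.
ping <instance-private-ip> source 192.168.1.1 count 5
```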