Introduction

Purpose

Create a secure connection from the enterprise data center to the cloud infrastructure. This allows users to access the guest VMs by establishing a VPN connection to the VR of the account from a device in the enterprise data center. This eliminates the need to establish VPN connections to individual VMs.

References

Document History

Glossary

Feature Specifications

Requirements

Use cases

Here are the steps to create a site-to-site VPN:

  1. Create a VPC (refer to Inter-VLAN Routing).
  2. Create a customer VPN gateway.
  3. Create a VPN gateway for the VPC.
  4. Create a VPN connection from the CS VPN gateway to the customer VPN gateway. After this step, the VPN connection is established.
  5. Destroy the VPN connection.

The user can also reset a VPN connection, which disconnects it and then connects it again.

Architecture and Design description

Notes about VPN connections:

  1. The VPN connection establishes connectivity between the subnet specified by the VPC's CIDR and all the subnets specified by the customer gateway.
  2. All traffic between the VPC's CIDR subnet and the customer gateway's subnets is treated as VPN traffic.
  3. If DPD is enabled, dpddelay=30, dpdtimeout=120 and dpdaction=restart are set (see ipsec.conf for these parameters).
  4. If the VR handling the VPN connection is restarted, the previous VPN connections are re-established automatically after the router boots up (except connections in the Error state).
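The following Python script is an added illustration of notes 1 to 3, not code from the CloudStack project: it rejects overlapping prefixes up front, decides whether a given source/destination pair is VPN traffic (one end inside the VPC CIDR, the other inside a customer gateway subnet), and renders one ipsec.conf-style conn section per VPC-CIDR/customer-subnet pair with the DPD values the spec names. The VPC CIDR and customer subnets are constructed sample values, and the conn names and the left/right convention are this example's own assumptions.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample values (not from a real deployment): the VPC CIDR and the
# subnets that sit behind the customer gateway.
VPC_CIDR = "10.10.0.0/16"
CUSTOMER_SUBNETS = ["172.16.10.0/24", "192.168.10.0/24"]

# Dead Peer Detection values exactly as the spec states them for ipsec.conf.
DPD_SETTINGS = {"dpddelay": 30, "dpdtimeout": 120, "dpdaction": "restart"}


def overlap_problems(vpc_cidr: str, customer_subnets: Iterable[str]) -> List[str]:
    """Describe every overlap between the VPC CIDR and the customer subnets, or
    among the customer subnets themselves. An overlap makes the 'is this VPN
    traffic' decision ambiguous, so it is reported instead of silently accepted."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    nets = [ipaddress.ip_network(s, strict=True) for s in customer_subnets]
    problems = []
    for n in nets:
        if n.overlaps(vpc):
            problems.append(f"customer subnet {n} overlaps VPC CIDR {vpc}")
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"customer subnets {a} and {b} overlap")
    return problems


def _checked(vpc_cidr: str, customer_subnets: Iterable[str]) -> Tuple[ipaddress.IPv4Network, List[ipaddress.IPv4Network]]:
    """Parse the prefixes, refusing to continue if any overlap was found."""
    problems = overlap_problems(vpc_cidr, customer_subnets)
    if problems:
        raise ValueError("; ".join(problems))
    return ipaddress.ip_network(vpc_cidr), [ipaddress.ip_network(s) for s in customer_subnets]


def is_vpn_traffic(src: str, dst: str, vpc_cidr: str, customer_subnets: Iterable[str]) -> bool:
    """Notes 1 and 2: a flow is VPN traffic exactly when one end is inside the VPC
    CIDR and the other end is inside one of the customer gateway's subnets.
    Traffic within the VPC, or between two customer subnets, is not VPN traffic."""
    vpc, nets = _checked(vpc_cidr, customer_subnets)
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)

    def behind_customer(ip: ipaddress.IPv4Address) -> bool:
        return any(ip in n for n in nets)

    return (s in vpc and behind_customer(d)) or (d in vpc and behind_customer(s))


def render_conns(name: str, vpc_cidr: str, customer_subnets: Iterable[str], dpd: bool = True) -> str:
    """Render one ipsec.conf-style 'conn' section per customer subnet, so each
    VPC-CIDR/customer-subnet pair becomes its own IPsec policy (note 1). With DPD
    enabled, the three DPD parameters from note 3 are emitted in every section.
    Section naming and the left=VPC / right=customer convention are assumptions."""
    vpc, nets = _checked(vpc_cidr, customer_subnets)
    out = []
    for i, n in enumerate(nets):
        out.append(f"conn {name}-{i}")
        out.append(f"    leftsubnet={vpc}")
        out.append(f"    rightsubnet={n}")
        if dpd:
            out.extend(f"    {k}={v}" for k, v in DPD_SETTINGS.items())
    return "\n".join(out)


if __name__ == "__main__":
    print(render_conns("vpn-customer1", VPC_CIDR, CUSTOMER_SUBNETS))
    print(is_vpn_traffic("10.10.1.5", "172.16.10.7", VPC_CIDR, CUSTOMER_SUBNETS))
```

Note that a flow between two of the customer gateway's own subnets (172.16.10.x to 192.168.10.x) is classified as not VPN traffic, which is what note 2 implies: only pairs that straddle the VPC CIDR and a customer subnet are selected for the tunnel.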

Web services APIs

UI flow

Current limitations (updated as of Aug 31st, 2012):

  1. Isolated networks are not supported for site-to-site VPN; it can only be used with a VPC.
  2. No scalability testing has been done.
  3. The source NAT IP is reused as the site-to-site VPN IP.
  4. Different VPCs are not allowed to connect to the same customer gateway at the same time, even for different accounts. This implies the following:
    1. Once a user has created a customer gateway with IP a.b.c.d, no other user can create a customer gateway with the same IP.
    2. If one user already has a VPC connected to a customer gateway, no other VPC, belonging to the same or a different user, may connect to that customer gateway.

Configuration reference for CISCO router:

crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 5
! 10.223.165.25 is the VPN gateway IP
crypto isakmp key 123123 address 10.223.165.25
!
!
crypto ipsec transform-set proposal4 esp-3des esp-md5-hmac
!
crypto map cmap 2 ipsec-isakmp
set peer 10.223.165.25
set transform-set proposal4
match address 165

ip nat inside source list 185 interface GigabitEthernet0 overload

interface GigabitEthernet0
ip address 10.223.85.18 255.255.255.0
ip access-group 102 in
ip access-group 102 out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
fair-queue
crypto map cmap

access-list 102 permit ip any any

! Two subnets are allowed through the VPN here
access-list 165 permit ip 172.16.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 165 permit ip 192.168.10.0 0.0.0.255 10.10.0.0 0.0.255.255

! NAT must be disabled for the subnet pair that goes through the VPN
access-list 185 deny ip 172.16.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 185 permit ip 172.16.10.0 0.0.0.255 any
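The reference config above depends on one easily missed detail: every source/destination pair that the crypto ACL (165) selects for IPsec must be excluded from the NAT ACL (185), otherwise the router translates the source address before encryption and the packet no longer matches the crypto ACL. The following Python script is an added check for that property, written for this page rather than taken from the CloudStack project or from Cisco: it parses numbered `access-list ... ip` lines (wildcard masks, `host` and `any`), then walks the NAT ACL in first-match order for each crypto-ACL pair and reports whether the pair is excluded, leaks into NAT, or only partially overlaps an entry. The two embedded config excerpts are constructed; the first reuses the ACL numbers and subnets of the reference config, the second leaves out the deny line to show the failure.

```python
import ipaddress
from typing import Dict, List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[str, Net, Net]          # (action, source, destination)


def wildcard_to_network(addr: str, wildcard: str) -> Net:
    """Convert a Cisco address/wildcard pair to a network. In a wildcard mask the
    zero bits are the fixed bits, so the subnet mask is its bitwise complement."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # the one bits must be contiguous at the low end, e.g. 0.0.0.255
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be expressed as a prefix")
    mask = str(ipaddress.IPv4Address(wc ^ 0xFFFFFFFF))
    return ipaddress.IPv4Network((addr, mask), strict=False)


def _address(tokens: List[str]) -> Tuple[Net, List[str]]:
    """Consume one address specifier: 'any', 'host A.B.C.D', or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acls(config: str) -> Dict[str, List[Entry]]:
    """Collect 'access-list N permit|deny ip SRC DST' lines per ACL number, in
    order. '!' comment lines and unrelated config lines are skipped."""
    acls: Dict[str, List[Entry]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        number, action = tokens[1], tokens[2]
        src, rest = _address(tokens[4:])
        dst, _ = _address(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def check_nat_exclusion(crypto: List[Entry], nat: List[Entry]) -> List[Tuple[str, str, str]]:
    """For every pair the crypto ACL permits, walk the NAT ACL the way the router
    does (first matching entry wins) and report one verdict per pair:
      ok       - denied explicitly or by the implicit deny, so never translated
      nat_leak - a permit entry covers the whole pair, so it is NATed before crypto
      partial  - an entry overlaps only part of the pair; needs a manual look"""
    report = []
    for action, src, dst in crypto:
        if action != "permit":
            continue
        verdict = "ok"
        for n_action, n_src, n_dst in nat:
            if not (src.overlaps(n_src) and dst.overlaps(n_dst)):
                continue
            if src.subnet_of(n_src) and dst.subnet_of(n_dst):
                verdict = "ok" if n_action == "deny" else "nat_leak"
            else:
                verdict = "partial"
            break
        report.append((str(src), str(dst), verdict))
    return report


def audit(config: str, crypto_acl: str, nat_acl: str) -> List[Tuple[str, str, str]]:
    """Parse the config text and check crypto ACL `crypto_acl` against NAT ACL `nat_acl`."""
    acls = parse_acls(config)
    return check_nat_exclusion(acls.get(crypto_acl, []), acls.get(nat_acl, []))


# Constructed excerpt using the ACL numbers and subnets of the reference config.
REFERENCE_ACLS = """
access-list 165 permit ip 172.16.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 165 permit ip 192.168.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 185 deny ip 172.16.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 185 permit ip 172.16.10.0 0.0.0.255 any
"""

# Same excerpt with the NAT deny line left out: the VPN pair now hits the permit.
MISSING_DENY_ACLS = """
access-list 165 permit ip 172.16.10.0 0.0.0.255 10.10.0.0 0.0.255.255
access-list 185 permit ip 172.16.10.0 0.0.0.255 any
"""

if __name__ == "__main__":
    for cfg in (REFERENCE_ACLS, MISSING_DENY_ACLS):
        for src, dst, verdict in audit(cfg, "165", "185"):
            print(f"{src} -> {dst}: {verdict}")
```

Run against a saved `show running-config`, the `audit` call takes the crypto ACL number from the `match address` line of the crypto map and the NAT ACL number from the `ip nat inside source list` line; a `nat_leak` verdict for any pair means the tunnel will negotiate but the traffic for that pair never enters it.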

Configuration Reference for Juniper SRX Router

SRX-S2S-VPN.pdf

Comments

Appendix

Appendix A:

Appendix B:

UI Flow