Table of contents
- Create a Site to Site VPN in Lumen Cloud
- Create VPC
- Using CloudFormation Template
- VPN setup with an existing VPC
- VPN Configuration on CLC
- Verify AWS Route Tables
- Custom Configurations
This guide will walk through the different scenarios of connecting to an AWS environment using Site to Site VPN, including connecting to new VPC, existing VPC through console and using a basic CloudFormation template.
Create a Site to Site VPN in Lumen Cloud
Before creating the VPN, a network diagram below would help to identify the VLANs in Lumen cloud and the subnets in AWS to communicate over the site to site VPN.
First is to obtain the public IP address of the Lumen Cloud VPN gateway, this can be obtained from Lumen Cloud portal under Network -> Site to Site VPN. Detail is for the Lumen Cloud Site to Site VPN setup is available here.
The Lumen Cloud end point IP address will be displayed once the desired data center is chosen (see below):
Once the IP address is collected, the next step will be creating the VPN connection for AWS. Depending on the situation, one of the following steps will be required in order to establish the VPN connection:
- For a new AWS environment, a new VPC will be required
- An existing AWS enironment with VPC, a Virtual Private Gateway is needed
A quick view on the configuration on the AWS side:
In the AWS console, go to Services. Click on VPC and select the appropriate AWS region.
Click on Start VPC Wizard
Select either VPC with Private Subnets and Hardware VPN Access or VPC with Public and Private Subnets and Hardware VPN Access. Click Select.
Enter IPv4 CIDR block . This is going to be a /16 IP block that will be created under the VPC.
IPv6 CIDR Block : Select the defaul option, No IPv6 CIDR Block.
Enter VPC name.
(if required) Enter Public subnet's IPv4 CIDR. Enter a /24 IP block to use for the public subnet. This subnet should be within the range of /16 IP clock specied in step a.
Select an availability zone for the subnet.
Enter the Public subnet name
Enter Private subnet's IPv4 CIDR. Enter a /24 IP block to use for the private subnet. This subnet should be within the range of /16 IP clock specied in step a.
Select an availability zone for the subnet.
Enter the Private subnet name.
Configure your VPN.
Enter Customer Gateway IP using the public IP of the Lumen VPN gateway obtained from first step.
Enter Customer Gateway name and VPN Connection name.
Change Routing type to Static
Enter the IP address of the Lumen Cloud VLAN(s) that needs to be communicated over the VLAN and paste it under IP prefix of Static Routes in AWS.
Click Create VPC. This will initiate the VPC.
Select the newly created VPC.
click VPN Connections.
At the bottom left of the screen. Under tunnel details you can see the 2 tunnels created. The status will be down because CLC side of the tunnel has not been configured yet
Once the VPN is created, go to the VPN Connections page under VPC of AWS portal, click on Download Configuration. Pick either "Generic" or "pfSense" from the drop down menu, as both are text file configuration.
Please take note of the following parameters for the Lumen Cloud side VPN configuration:
Your VPN Connection ID : vpn-xxxxxxxx Your Virtual Private Gateway ID : vgw-xxxxxxxx Your Customer Gateway ID : cgw-xxxxxxxx Remote Gateway: xxx.xxx.xxx.xxx Description: Amazon-IKE-vpn-xxxxxxxx-0 Pre-Shared Key: xxxxxxxxxxxxxxxxxxxxxxxxxxxxx Phase 1 Encryption algorithm : aes128 Hash algorithm : sha1 DH key group : 2 Lifetime : 28800 seconds NAT Traversal : Auto Deed Peer Detection : Enable DPD Phase 2 Protocol : ESP Encryption algorigthms :aes128 Hash algorithms : sha1 PFS key group : 2 Lifetime : 3600 seconds
Using CloudFormation Template
An Alternative way to create a VPC with VPN connection is using CloudFormation template, a sample is attached to this knowledge article. CloudFormation templates can be deployed from AWS portal or Cloud Application Manager. For detail on using AWS portal to deploy a CloudFormation template, please refer to this article. When using Cloud Application Manager for CloudFormation templates, please make sure to have the appropriated permissions in the AWS IAM policy, more detail can be found here. The process can be found in this knowledge article.
VPN setup with an existing VPC
Under VPC, Virtual Private Gateways, create a VPG for the VPC if one does not exist
Once it is created, create a VPN connection under VPC on AWS portal
- Name Tag
- Virtual Private Gateway that the VPN is connecting
- Customer Gateway (New for Lumen Cloud)
- IP can be found in Create VPN page on Lumen Cloud (1 per data center)
- BGP ASN (leave as default)
- Routing option: Static
- Enter Lumen Cloud Network(s) that needs to communicate with AWS environment
- Tunnel Options: default
- Using the AWS VPN configuration file, with the information from the file, complete the VPN setup in Lumen Cloud Site to Site VPN setup
VPN Configuration on CLC
From Lumen Cloud portal under Network -> Site to Site VPN. Detail is for the Lumen Cloud Site to Site VPN setup is available here. Pick the VPN endpoint that is configured as part of the AWS VPN configuration and add the Lumen Cloud VLAN(s) as part of the VPN setup for VPN Peer IPv4 Address.
Enter Site Name (this can be the AWS VPN Connection ID) and Device Name (can be anything or using the AWS VPN ID).
VPN Peer IPv4 Address is the Remote Gateway from the configuration file.
Tunnel Encrypted Subnets : Click Add network block. This is the private subnet from the AWS VPC.
Click next: phase 1
Using the VPN configuration file downloaded to complete the next two step
- Protocol Mode - Main
- Encryption Algorithm - AES-128 (can be AES-128, AES-192, AES-256 or 3DES)
- Hashing Algorithm - SHA1(96) (can be SHA1, SHA2 or MD5)
- Pre-Shared Key - Shared Key from the AWS VPN configuration
- Diffie-Hellman Group - Group 2
- Lifetime Value - 8 hours
- DPD State - ON
- NAT-T State - OFF
- IPEC Protocol ESP
- Encryption Algorithm: AES-128
- Hashing Algorithm: SHA1
- PFS Enabled: ON, Group 2
- Lifetime Value: 1 hour
Once the Lumen VPN is created, check on the AWS portal and click on VPN connections. The tunnel should now be UP.
Verify AWS Route Tables
- Once VPN setup is completed, verify the VPC Route Tables is correct, either the default route or the Lumen subnets should be routed through the Virtual Private Network
- Ensure Network ACL and Security Group are configured to allow traffic from the CLC network
- Initiate “ping” or SSH from a CLC server to a server in the AWS network to validate the connectivity
Customers who require custom configuration can leverage our service task. Examples include:
- Redundant VPN Tunnels
- AES256 IPSEC Encryption