Amazon AWS - VPC to Site VPN

Hi guys,

Looking for your solutions to this, i've tried a Mikrotik but it doesn't do Tunnel interfaces for VPN's very well at all, Cisco is a possibility but not desired as the level 1 guys aren't caught up on IOS.

We're after gateways which do IPSec to VPC and handle them well. For those not in the know amazon VPC requires that two tunnels be specified so they can handover when one goes down quickly (Or so i'm told..)

Interesting to hear how people have tackled this.

 

I've done with this Cisco and Openswan.

Openswan is Linux based but has an alright GUI. The configuration is very basic, and even has a fair of dynamic discovery over the vpn (in terms of setup)

Cisco ASA VPN's aren't overly hard to setup either. there are like a zillion guides for beginners and once setup, you rarely need to change much. Also, you could just get them to use ADSM.

If you want specifics re: config examples, just PM me

 

The Sophos UTM/SG's have a AWS VPC component for this exact setup.

https://www.sophos.com/en-us/support/knowledgebase/120922.aspx

 

Cisco works perfectly for this, we run several Cisco to VPC setups, configuration is not the issue. Some clients we simply cannot justify replacing the current routers for Cisco setups so we are looking at mid range/SOHO routers that can handle this.

OpenSWAN is very interesting. Loading it into a micro instance it looks like it's not a huge expense hourly.

But anyone else found soho/mid range routers that handle VPC?

 

draytek apparently works - https://forums.aws.amazon.com/thread.jspa?messageID=577568

2860's are reasonably priced compared to cisco's - and manageable by a fairly decent gui.

 

What problems exactly are you having with Mikrotiks? never had many problems with site-to-site VPN or remote worker dial-in.

 

Other VPN's work (e,g azure, rackspace) for mikrotiks - it just seems to hate AWS/VPC. Mikrotiks don't have virtual tunnel interfaces..

I've bought a Ubiquiti Edgerouter which is based off an older Vyatta release (AWS supported) for $150, these do VTI's apparantly so in theory it should work..

 

https://store.pfsense.org/

?

 

What is connection at these sites?

 

I thought Amazon has there own VPN tool.

You might aswell setup a VPN server in the cloud and connect with that

 

Who cares if level one guys aren't up to speed with Cisco IOS? Why on earth would they be needing to log into the device?

When you create a VPN gateway in aws, the system spits out the config for IOS anyway, pretty much just copy/paste job.

 

Testing with Ubiquiti has been very smooth, the config is 100% identical to Vyatta which can be imported from AWS straight into the CLI - works brilliantly with the VTI's.

 

Another vote here for sophos

 

Configured a Barracuda NG Firewall today that did exactly this.

 

http://www.pcengines.ch/apu1d.htm from:

http://www.pcengines.ch/order1.php?c=4

+ Case, +12V PSU, +mSATA SSD (it's all in there)

Fast, fanless, low power device that runs pfsense and is fairly solid.

Still, something like a Cisco 1921 (CISCO1921-SEC/K9) isn't all that expensive (we sell them for around $1200) and is a real router that supports everything you'd expect from a real router. You can go smaller (800 series) but the performance is pretty crap.

The nice thing about the pcengines gear is that it's cheap enough that you can have a few spare kicking around the office pre-loaded with pfsense, and just pre-configure and ship them should they have an issue with their box onsite (which is pretty much never).

 

Big vote here also for Sophos UTMs. Native support in the AWS Cloud. Brilliant solution

 

The EdgeRouter actually runs Vyatta so it is super easy.

 

Literally, the two are somewhat different now, EdgeOS was forked from Vyatta 6.3.

 

Alternatively grab a copy of VyOS and configure it on hardware of your choosing. Vyatta got munched by Brocade, who promptly decided "screw the OSS world" and made it private and paid. VyOS forked from the latest/last publicly available code, so you should be able to use Vyatta/EdgeRouter configs without [many] changes.