Amazon AWS - VPC to Site VPN

Discussion in 'Business & Enterprise Computing' started by Hive, Apr 27, 2015.

  1. Hive

    Hive Member

    Joined:
    Jul 8, 2010
    Messages:
    6,402
    Location:
    AvE
    Hi guys,

    Looking for your solutions to this. I've tried a Mikrotik but it doesn't do tunnel interfaces for VPNs very well at all; Cisco is a possibility but not desired as the level 1 guys aren't caught up on IOS.

    We're after gateways which do IPsec to VPC and handle them well. For those not in the know, Amazon VPC requires that two tunnels be specified so they can hand over quickly when one goes down (or so I'm told).

    Interesting to hear how people have tackled this.
     
  2. Miff88

    Miff88 Member

    Joined:
    Nov 10, 2010
    Messages:
    427
    Location:
    Newcastle
    I've done this with Cisco and Openswan.

    Openswan is Linux based but has an alright GUI. The configuration is very basic, and it even has a fair bit of dynamic discovery over the VPN (in terms of setup).

    Cisco ASA VPNs aren't overly hard to set up either. There are like a zillion guides for beginners, and once set up you rarely need to change much. Also, you could just get them to use ASDM.

    If you want specifics re: config examples, just PM me.
     
  3. Skitza

    Skitza Member

    Joined:
    Jun 28, 2001
    Messages:
    3,774
    Location:
    In your street
  4. OP
    OP
    Hive

    Hive Member

    Joined:
    Jul 8, 2010
    Messages:
    6,402
    Location:
    AvE
    Cisco works perfectly for this; we run several Cisco to VPC setups, and configuration is not the issue. For some clients we simply cannot justify replacing the current routers with Cisco setups, so we are looking at mid-range/SOHO routers that can handle this.

    Openswan is very interesting. Loading it into a micro instance, it looks like it's not a huge expense hourly.

    But has anyone else found SOHO/mid-range routers that handle VPC?
     
    Last edited: Apr 27, 2015
  5. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    18,647
    Location:
    Brisbane
  6. OMGguru

    OMGguru Member

    Joined:
    Apr 1, 2003
    Messages:
    3,488
    Location:
    CFS
    What problems exactly are you having with Mikrotiks? Never had many problems with site-to-site VPN or remote worker dial-in.
     
  7. OP
    OP
    Hive

    Hive Member

    Joined:
    Jul 8, 2010
    Messages:
    6,402
    Location:
    AvE
    Other VPNs work (e.g. Azure, Rackspace) for Mikrotiks; it just seems to hate AWS/VPC. Mikrotiks don't have virtual tunnel interfaces.

    I've bought a Ubiquiti EdgeRouter, which is based off an older Vyatta release (AWS supported), for $150. These do VTIs apparently, so in theory it should work.
     
  8. Doc-of-FC

    Doc-of-FC Member

    Joined:
    Aug 30, 2001
    Messages:
    3,396
    Location:
    Canberra
  9. joe_sixpack

    joe_sixpack Member

    Joined:
    Jan 21, 2002
    Messages:
    2,850
    Location:
    Brisbane
    What is the connection at these sites?
     
  10. thetron

    thetron Member

    Joined:
    Dec 23, 2001
    Messages:
    8,167
    Location:
    Somewhere over the Rainbo
    I thought Amazon has their own VPN tool.

    You might as well set up a VPN server in the cloud and connect with that.
     
  11. joe_sixpack

    joe_sixpack Member

    Joined:
    Jan 21, 2002
    Messages:
    2,850
    Location:
    Brisbane
    Who cares if level one guys aren't up to speed with Cisco IOS? Why on earth would they be needing to log into the device?

    When you create a VPN gateway in AWS, the system spits out the config for IOS anyway; it's pretty much just a copy/paste job.
     
  12. OP
    OP
    Hive

    Hive Member

    Joined:
    Jul 8, 2010
    Messages:
    6,402
    Location:
    AvE
    Testing with Ubiquiti has been very smooth. The config is 100% identical to Vyatta, which can be imported from AWS straight into the CLI; it works brilliantly with the VTIs.
     
    Last edited: May 7, 2015
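    Added example, not from anyone in this thread: the two-tunnel layout the first post describes and the Vyatta-style VTI config the post above says AWS exports, written out as EdgeOS/VyOS `set` commands. Every address, pre-shared key and ASN here is a placeholder; the real values come from the configuration file AWS generates for the VPN connection, and the example assumes the AWS side runs BGP over the tunnels, which is what makes the handover between them automatic.

```vyos
# Added example (placeholders throughout); take real IPs, PSKs and ASNs
# from the configuration file AWS generates for the VPN connection.

# Phase 1 / Phase 2 policies shared by both tunnels
set vpn ipsec ike-group AWS proposal 1 encryption aes128
set vpn ipsec ike-group AWS proposal 1 hash sha1
set vpn ipsec ike-group AWS proposal 1 dh-group 2
set vpn ipsec ike-group AWS lifetime 28800
# DPD is what makes the handover quick: a dead peer is torn down and retried
set vpn ipsec ike-group AWS dead-peer-detection action restart
set vpn ipsec ike-group AWS dead-peer-detection interval 15
set vpn ipsec ike-group AWS dead-peer-detection timeout 30
set vpn ipsec esp-group AWS proposal 1 encryption aes128
set vpn ipsec esp-group AWS proposal 1 hash sha1
set vpn ipsec esp-group AWS lifetime 3600
set vpn ipsec esp-group AWS pfs enable
set vpn ipsec esp-group AWS mode tunnel
set vpn ipsec ipsec-interfaces interface eth0

# Tunnel 1: first AWS endpoint, bound to virtual tunnel interface vti0
set vpn ipsec site-to-site peer 203.0.113.1 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.1 authentication pre-shared-secret PSK_TUNNEL1_PLACEHOLDER
set vpn ipsec site-to-site peer 203.0.113.1 ike-group AWS
set vpn ipsec site-to-site peer 203.0.113.1 local-address 198.51.100.10
set vpn ipsec site-to-site peer 203.0.113.1 vti bind vti0
set vpn ipsec site-to-site peer 203.0.113.1 vti esp-group AWS
set interfaces vti vti0 address 169.254.10.2/30
set interfaces vti vti0 mtu 1436

# Tunnel 2: second AWS endpoint, second VTI, same policy groups
set vpn ipsec site-to-site peer 203.0.113.2 authentication mode pre-shared-secret
set vpn ipsec site-to-site peer 203.0.113.2 authentication pre-shared-secret PSK_TUNNEL2_PLACEHOLDER
set vpn ipsec site-to-site peer 203.0.113.2 ike-group AWS
set vpn ipsec site-to-site peer 203.0.113.2 local-address 198.51.100.10
set vpn ipsec site-to-site peer 203.0.113.2 vti bind vti1
set vpn ipsec site-to-site peer 203.0.113.2 vti esp-group AWS
set interfaces vti vti1 address 169.254.11.2/30
set interfaces vti vti1 mtu 1436

# BGP over both VTIs: when a tunnel dies its routes are withdrawn and traffic
# moves to the surviving one. 65000 = your ASN, 7224 = AWS side (placeholders)
set protocols bgp 65000 neighbor 169.254.10.1 remote-as 7224
set protocols bgp 65000 neighbor 169.254.10.1 timers holdtime 30
set protocols bgp 65000 neighbor 169.254.10.1 timers keepalive 10
set protocols bgp 65000 neighbor 169.254.11.1 remote-as 7224
set protocols bgp 65000 neighbor 169.254.11.1 timers holdtime 30
set protocols bgp 65000 neighbor 169.254.11.1 timers keepalive 10
# Advertise only the on-premises prefix, not a default route
set protocols bgp 65000 network 10.0.0.0/24
```

    The pre-shared secrets sit in clear text in the committed configuration, so saved configs and backups of the router need the same handling as the keys themselves.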
  13. aza2001

    aza2001 Member

    Joined:
    Sep 14, 2002
    Messages:
    2,016
    Location:
    Northmead
    Another vote here for Sophos.
     
  14. albeeny

    albeeny Member

    Joined:
    Feb 25, 2002
    Messages:
    127
    Location:
    Syd
    Configured a Barracuda NG Firewall today that did exactly this.
     
  15. ewok85

    ewok85 Member

    Joined:
    Jul 4, 2002
    Messages:
    8,097
    Location:
    Tokyo, Japan
    http://www.pcengines.ch/apu1d.htm from:

    http://www.pcengines.ch/order1.php?c=4

    + Case, +12V PSU, +mSATA SSD (it's all in there)

    Fast, fanless, low-power device that runs pfSense and is fairly solid.

    Still, something like a Cisco 1921 (CISCO1921-SEC/K9) isn't all that expensive (we sell them for around $1200) and is a real router that supports everything you'd expect from a real router. You can go smaller (800 series) but the performance is pretty crap.

    The nice thing about the PC Engines gear is that it's cheap enough that you can have a few spares kicking around the office pre-loaded with pfSense, and just pre-configure and ship them should they have an issue with their box onsite (which is pretty much never).
     
  16. screwball

    screwball Member

    Joined:
    Feb 9, 2002
    Messages:
    422
    Location:
    Gold Coast
    Big vote here also for Sophos UTMs. Native support in the AWS Cloud. Brilliant solution.
     
  17. bugayev

    bugayev Whammy!

    Joined:
    May 15, 2003
    Messages:
    4,092
    Location:
    Melbourne
    The EdgeRouter actually runs Vyatta so it is super easy.
     
  18. OP
    OP
    Hive

    Hive Member

    Joined:
    Jul 8, 2010
    Messages:
    6,402
    Location:
    AvE
    Literally, the two are somewhat different now; EdgeOS was forked from Vyatta 6.3.
     
  19. DavidRa

    DavidRa Member

    Joined:
    Jun 8, 2002
    Messages:
    3,092
    Location:
    NSW Central Coast
    Alternatively grab a copy of VyOS and configure it on hardware of your choosing. Vyatta got munched by Brocade, who promptly decided "screw the OSS world" and made it private and paid. VyOS forked from the latest/last publicly available code, so you should be able to use Vyatta/EdgeRouter configs without [many] changes.
     