Building a Meraki VPN to Amazon AWS


IFM supplies network engineering services for $NZ200+GST per hour. If you require assistance with designing or engineering a Cisco network - hire us!

Amazon AWS charges per VPN connection. The vMX is very good, but if you only have a small number of MX units it may be too expensive for you. An Ubuntu instance can terminate a large number of VPN connections and only needs a t2.micro to do it.

Amazon and Ubuntu Configuration

  1. Log into the EC2 console. Make sure you are in the right region.
  2. Select "Launch Instance" from the EC2 Dashboard.
  3. Select "Ubuntu Server 16.04" 64 bit or better.
  4. Select "t2.micro" and click "Next: Configure Instance Details".
  5. Make sure the right VPC and subnet are selected.
  6. Enable "Termination Protection".
  7. Click "Next: Add Storage".
  8. Click "Next: Tag Instance".
  9. Enter “VPN” as the name (any name will do).
  10. Click on "Next: Configure Security Group".
  11. In "Security Group Name" enter "VPN" (any name will do).
  12. SSH is already allowed, leave it.
  13. Add "Custom UDP Rule" for 500 (ISAKMP) from Anywhere.
  14. Add "Custom UDP Rule" for 4500 (IPsec NAT traversal) from Anywhere.
  15. Add "Custom Protocol" 50 (ESP) from Anywhere.
  16. Add "All ICMP" from Anywhere.
  17. Add "All Traffic" from the local VPC.
  18. Add "All Traffic" from the remote network.
  19. Click on “Review and Launch”.
  20. Click on “Launch”.
  21. Select an existing keypair, and tick "I acknowledge ...".
  22. Click "Launch Instances".
  23. Go back to the EC2 dashboard.
  24. Go to “Network & Security”, “Elastic IPs”.
  25. Click on “Allocate New Address”, and select “VPC”.
  26. Click on “Yes, Allocate”.
  27. Click on “Associate Address”, and associate it to the new VPN instance. Note that this public IP address is what will be used by remote VPN peers.
  28. Go to “Instances”, tick the instance, and select “Actions”, “Change Source/Dest Check”, and select “Disable”.
  29. SSH into your new instance. You will need to use the SSH key-pair for that client, and use the username “ubuntu”. Make sure you specify to use a “session public key” in SecureCRT.
  30. The new instance needs to have IPv4 routing enabled. Execute this command (if you don't know how to edit using vi then use nano instead):
    sudo vi /etc/sysctl.conf
  31. Uncomment the line below so that it reads:
    net.ipv4.ip_forward = 1
  32. Update the packages database:
    sudo apt-get update
  33. Install the Linux StrongSwan server with this command:
    sudo apt-get install strongswan
  34. Update the software with:
    sudo apt-get upgrade
  35. Edit the global configuration file with this command:
    sudo vi /etc/ipsec.conf
  36. Add a default section, and a connection for each remote site (left is the Amazon VPC side, right is the remote site). Lines starting with "#" are comments that say which value to substitute:
    conn %default
      ikelifetime=1440m
      rekeymargin=3m
      keyingtries=%forever
      keyexchange=ikev1
      authby=secret
      dpdaction=restart
      dpddelay=30

    conn remote-site
      left=%defaultroute
      # Amazon encryption domain (the VPC subnet)
      leftsubnet=10.0.0.0/23
      # Amazon public (Elastic) IP of the VPN server
      leftid=54.66.209.44
      leftfirewall=yes
      right=%any
      # remote encryption domain
      rightsubnet=192.168.xx.xx/24
      # remote VPN outside IP address on the MX
      rightid=203.xx.xx.x
      auto=add
      ike=aes128-sha1-modp1024
      esp=aes128-sha1-modp1024

    “rightid” is the actual IP address configured on the outside of the remote VPN peer. If the remote VPN peer has a public IP address then it will be this (and the same as “right”). If it is behind a device doing NAT, then it will be the private IP address configured on the outside of its interface.
  37. Execute the command:
    sudo vi /etc/ipsec.secrets
    This file contains the pre-shared key for this VPN connection; the same secret must be entered as the preshared secret on the Meraki side. A sample file will contain the line:
    %any %any : PSK "ckuellalt"
    Note that the space either side of the colon is important.
  38. To make sure everything will restart correctly, I suggest rebooting the entire machine at this point:
    sudo reboot
  39. From this point onwards, if you change the IPSec config you need to execute this command to make the change take effect:
    sudo service strongswan restart
  40. You can check the log using this command:
    tail /var/log/syslog
  41. You will need to add a route in the VPC route table to the remote subnet via the VPN EC2 instance.
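As an added example that is not part of the original article, the following POSIX shell script renders the ipsec.conf and ipsec.secrets from steps 36 and 37 out of a small site table, one "conn" per remote MX and one pre-shared key per peer instead of the "%any %any" wildcard. The site names, peer addresses and keys in it are constructed sample values.

```sh
#!/bin/sh
# Added example, not from the original article: render one strongSwan "conn"
# per remote MX and a per-peer ipsec.secrets line from a small site table.
set -eu
AWS_SUBNET="10.0.0.0/23"      # Amazon encryption domain (leftsubnet)
AWS_PUBLIC_IP="54.66.209.44"  # Elastic IP of the VPN instance (leftid)

# Constructed sample rows: name peer_public_ip peer_id peer_subnet psk.
# peer_id is the MX WAN address; it differs from peer_public_ip only when
# the MX sits behind a NAT device. The PSK values are placeholders.
SITES='
branch-a 203.0.113.10 203.0.113.10 192.168.10.0/24 ConstructedKeyA
branch-b 198.51.100.7 10.10.0.2    192.168.20.0/24 ConstructedKeyB
'

# One conn section; arguments: name public_ip id subnet psk (psk unused).
render_conn() {
  printf 'conn %s\n  left=%%defaultroute\n' "$1"
  printf '  leftsubnet=%s\n  leftid=%s\n  leftfirewall=yes\n' "$AWS_SUBNET" "$AWS_PUBLIC_IP"
  printf '  right=%%any\n  rightsubnet=%s\n  rightid=%s\n  auto=add\n' "$4" "$3"
  printf '  ike=aes128-sha1-modp1024\n  esp=aes128-sha1-modp1024\n\n'
}

# One secrets line keyed by the address IKE packets arrive from: that is what
# charon matches for an IKEv1 main-mode PSK before the peer ID is known. A
# distinct key per site replaces the wildcard "%any %any" of the article.
render_secret() {
  printf '%%any %s : PSK "%s"\n' "$2" "$5"
}
# Run a renderer over every non-empty row of SITES.
for_each_site() {
  printf '%s\n' "$SITES" | while read -r name pub id subnet psk; do
    if [ -n "$name" ]; then "$1" "$name" "$pub" "$id" "$subnet" "$psk"; fi
  done
}

render_ipsec_conf() {
  printf 'conn %%default\n  ikelifetime=1440m\n  rekeymargin=3m\n'
  printf '  keyingtries=%%forever\n  keyexchange=ikev1\n  authby=secret\n'
  printf '  dpdaction=restart\n  dpddelay=30\n\n'
  for_each_site render_conn
}
render_ipsec_secrets() { for_each_site render_secret; }

# Usage: sh render-vpn.sh conf > ipsec.conf; sh render-vpn.sh secrets > ipsec.secrets
case "${1:-}" in
  conf)    render_ipsec_conf ;;
  secrets) render_ipsec_secrets ;;
esac
```

After installing the rendered files and restarting strongSwan, `sudo ipsec statusall` lists which of the generated connections have actually established.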

Meraki Configuration

Simply build a "normal" non-Meraki VPN peer and select the "Amazon" encryption settings. The peer's public IP is the Elastic IP allocated above, its private subnet is the Amazon encryption domain (leftsubnet), and its preshared secret is the PSK from /etc/ipsec.secrets.

https://documentation.meraki.com/MX-Z/Site-to-site_VPN/Site-to-site_VPN_Settings#Non-Meraki_VPN_peers