Building a Meraki VPN to Amazon AWS
IFM supplies network engineering services for $NZ180+GST per hour. If you require assistance with designing or engineering a Cisco network - hire us!
Amazon AWS charges per VPN connection. The vMX is very good but if you only have a small number of MX units then it may be too expensive for you. An Ubuntu instance can support a large number of VPN and only needs a t2.micro to do it.
Amazon and Ubuntu Configuration
- Log into the EC2 console. Make sure you are in the right region.
- Select "Launch Instance" from the EC2 Dashboard.
- Select "Ubuntu Server 16.04" 64 bit or better.
- Select "t2.micro" and click "Next: Configure Instance Details".
- Make sure the right VPC and subnet are selected.
- Enable "Terminate Protection".
- Click "Next: Add Storage".
- Click "Next: Tag Instance".
- Enter “VPN” as the name (any name will do).
- Click on "Next: Configure Security Group".
- In "Security Group Name" enter "VPN" (any name will do).
- SSH is already allowed, leave it.
- Add "Custom UDP Rule" for 500 (ISAKMP) from Anywhere.
- Add "Custom UDP Rule" for 4500 (ISAKMP-NAT) from Anywhere.
- Add "Custom Protocol" 50 (ESP) from Anywhere.
- Add "All ICMP" from Anywhere.
- Add "All Traffic" from the local VPC.
- Add "All Traffic" from the remote network.
- Click on “Review and Launch”.
- Click on “Launch”.
- Select an existing keypair, and tick "I acknowledge ...".
- Click "Launch Instances".
- Go back to the EC2 dashboard.
- Go to “Network & Security”, “Elastic IPs”.
- Click on “Allocate New Address”, and select “VPC”.
- Click on “Yes, Allocate”.
- Click on “Associate Address”, and associate it to the new VPN instance. Note that this public IP address is what will be used by remote VPN peers.
- Go to “Instances”, tick the instance, and select “Actions”, “Change Source/Dest Check”, and select “Disable”.
- SSH into your new instance. You will need to use the SSH key-pair for that client, and use the username “ubuntu”. Make sure you specify to use a “session public key” in SecureCRT.
- The new instance needs to have IPv4 routing enabled. Execute this command (if you don't know how to edit using vi then use nano instead):
sudo vi /etc/sysctl.conf
- Uncomment the below line so that it reads:
net.ipv4.ip_forward = 1
- Update the packages database:
sudo apt-get update
- Install the Linux StrongSwan server with this command:
sudo apt-get install strongswan
- Update the software with:
sudo apt-get upgrade
- Edit the global configuration file with this command:
sudo vi /etc/ipsec.conf
- Add a default section, and a connection for each remote site (left is Amazon VPC side, right is the remote site):
leftsubnet=10.0.0.0/23 <amazon encryption domain>
leftid=18.104.22.168 <amazon public IP of VPN server>
rightsubnet=192.168.xx.xx/24 <remote encryption domain>
rightid=203.xx.xx.x <remote VPN outside IP address on MX>
“rightid” is the actual IP address configured on the outside of the remote VPN peer. If the remote VPN peer has a public IP address then it will be this (and the same as “right”). If it is behind a device doing NAT, then it will be the private IP address configured on the outside of its interface.
- Execute the command:
sudo vi /etc/ipsec.secrets
This file contains the pre-shared key for this VPN connection. A sample file will contain the line:
%any %any : PSK "ckuellalt"
Note that the space either side of the colon is important.
- To make sure everything will restart correctly, I suggest rebooting the entire machine at this instance:
- From this point onwards, if you change the IPSec config you need to execute this command to make the change take effect:
sudo service strongswan restart
- You can check the log using this command:
- You will need to add a route in the VPC route table to the remote subnet via the VPN EC2 instance.
Simply build a "normal" non-Meraki VPN, and select the "Amazon" encryption settings.