Juniper AWS VPN and BGP
! Amazon Web Services
! Virtual Private Cloud
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
!
! Your VPN Connection ID : vpn-connection-id
! Your Virtual Private Gateway ID : vgw-gateway-id
! Your Customer Gateway ID : vgw-customer-gateway-id
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
!
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
! NOTE: If you customized tunnel options when creating or modifying your VPN connection, you may need to modify these sample configurations to match the custom settings for your tunnels.
!
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT).
! To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall rules to unblock UDP port 4500.
! If not behind NAT, and you are not using an Accelerated VPN, we recommend disabling NAT-T. If you are using an Accelerated VPN, make sure that NAT-T is enabled.
!
configure
edit network ike crypto-profiles ike-crypto-profiles vpn-connection-id-0
set dh-group group2
set hash sha1
set lifetime seconds 28800
set encryption aes128
top
edit network ike gateway ike-vpn-connection-id-0
set protocol ikev1 dpd interval 10 retry 3 enable yes
set protocol ikev1 ike-crypto-profile vpn-connection-id-0 exchange-mode main
set authentication pre-shared-key key shared-key
set local-address ip 1.1.1.1
set local-address interface ethernet1/1
set peer-address ip 2.2.2.2
top
! --------------------------------------------------------------------------------
! #2: IPSec Configuration
!
! The IPSec transform set defines the encryption, authentication, and IPSec
! mode parameters.
!
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
!
edit network ike crypto-profiles ipsec-crypto-profiles ipsec-vpn-connection-id-0
set esp authentication sha1
set esp encryption aes128
set dh-group group2 lifetime seconds 3600
top
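As an added example (not part of the AWS sample configuration), the following Python checker parses the two crypto-profile stanzas above and reports any parameter that falls below the minimums the comments state for standard regions and for GovCloud category "VPN" connections. It assumes "SHA2" means sha256 or stronger and compares DH groups by number, which is a rough proxy for strength; the sample config embedded in it is constructed from this page.

```python
import re

# Constructed sample: the IKE and IPsec crypto-profile stanzas from this page (standard-region values).
SAMPLE_CONFIG = """
edit network ike crypto-profiles ike-crypto-profiles vpn-connection-id-0
set dh-group group2
set hash sha1
set encryption aes128
top
edit network ike crypto-profiles ipsec-crypto-profiles ipsec-vpn-connection-id-0
set esp authentication sha1
set esp encryption aes128
set dh-group group2 lifetime seconds 3600
top
"""
ENC_RANK = {"3des": 0, "aes128": 1, "aes192": 2, "aes256": 3}
HASH_RANK = {"md5": 0, "sha1": 1, "sha256": 2, "sha384": 3, "sha512": 4}
# Minimums stated on the page; "SHA2" is taken as sha256 or stronger (assumption).
MINIMUMS = {
    "standard": {"encryption": "aes128", "hash": "sha1", "dh_group": 2},
    "govcloud": {"encryption": "aes128", "hash": "sha256", "dh_group": 14},
}

def parse_profiles(text):
    """Map each crypto-profile name to its encryption, hash and DH group."""
    profiles, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"edit network ike crypto-profiles \S+ (\S+)", line):
            current = profiles.setdefault(m.group(1), {})
        elif line == "top":
            current = None
        elif current is not None:
            # Accept both the IKE form (set hash sha1) and the IPsec form (set esp authentication sha1).
            if m := re.match(r"set (?:esp )?(?:hash|authentication) (\S+)", line):
                current["hash"] = m.group(1)
            elif m := re.match(r"set (?:esp )?encryption (\S+)", line):
                current["encryption"] = m.group(1)
            elif m := re.match(r"set dh-group group(\d+)", line):
                current["dh_group"] = int(m.group(1))  # numeric order is a rough strength proxy
    return profiles

def check_profiles(profiles, region="standard"):
    """Return findings of the form 'profile: parameter below minimum'; empty means compliant."""
    need, findings = MINIMUMS[region], []
    for name, p in profiles.items():
        if ENC_RANK.get(p.get("encryption"), -1) < ENC_RANK[need["encryption"]]:
            findings.append(f"{name}: encryption {p.get('encryption')} below {need['encryption']}")
        if HASH_RANK.get(p.get("hash"), -1) < HASH_RANK[need["hash"]]:
            findings.append(f"{name}: hash {p.get('hash')} below {need['hash']}")
        if p.get("dh_group", 0) < need["dh_group"]:
            findings.append(f"{name}: dh-group {p.get('dh_group')} below group{need['dh_group']}")
    return findings
```

Running `check_profiles(parse_profiles(SAMPLE_CONFIG), "govcloud")` on the page's values flags SHA1 and DH group 2 in both profiles, while the "standard" check passes.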
! --------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
!
! Association with the IPSec security association is done through the
! "tunnel protection" command.
!
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
!
edit network interface tunnel units tunnel.1
set ip 169.254.180.2/30
set mtu 1427
top
edit network tunnel ipsec ipsec-tunnel-1
set auto-key ike-gateway ike-vpn-connection-id-0
set auto-key ipsec-crypto-profile ipsec-vpn-connection-id-0
set tunnel-interface tunnel.1
set anti-replay yes
top
! --------------------------------------------------------------------------------
! #4: Border Gateway Protocol (BGP) Configuration
!
! BGP is used within the tunnel to exchange prefixes between the
! Virtual Private Gateway and your Customer Gateway. The Virtual Private Gateway
! will announce the prefix corresponding to your VPC.
!
! The local BGP Autonomous System Number (ASN) (65092)
! is configured as part of your Customer Gateway. If the ASN must
! be changed, the Customer Gateway and VPN Connection will need to be recreated with AWS.
!
edit network virtual-router default protocol bgp
set enable yes
set router-id 1.1.1.1
set local-as 65092
edit peer-group AmazonBGP
edit peer amazon-vpn-connection-id-0
set connection-options keep-alive-interval 10
set connection-options hold-time 30
set enable yes
set local-address ip 169.254.180.2/30
set local-address interface tunnel.1
set peer-as 64512
set peer-address ip 169.254.180.1
top
! Your Customer Gateway may announce a default route (0.0.0.0/0) to us.
edit network virtual-router default protocol bgp policy export rules vr-export
set action allow
set match address-prefix 0.0.0.0/0 exact yes
set used-by AmazonBGP
set enable yes
top
! To advertise additional prefixes to Amazon VPC, add these prefixes to the 'address-prefix'
! statement and identify the prefix you wish to advertise. Make sure the prefix is present
! in the routing table of the device with a valid next-hop. If you want to advertise
! 192.168.0.0/16 to Amazon, this can be done using the following.
edit network virtual-router default protocol bgp policy export rules vr-export
set action allow
set match address-prefix 192.168.0.0/16 exact yes
set used-by AmazonBGP
set enable yes
top