Site-to-Site VPN Between Azure and a Cisco ASA

Create Virtual Network

  • From the favorites menu select Virtual networks.
  • Click Add.

Create Virtual Machine

  • From the favorites menu select Virtual machines.
  • Click Add.
  • Choose your image.

Create Virtual Network Gateway

  • From the favorites menu select Virtual network gateways.
  • Click Add.
  • Add the necessary settings.
  • Virtual Network - When you add the previously created Virtual Network it will provide you with a Gateway subnet range. This will be used by Azure to build a gateway subnet. Gateway subnets are only used for VPNs within Azure.
  • Public IP - Select 'create new' and then ok.

Create Local Network Gateway

This step may confuse some: although it is named Local Network Gateway, it represents the remote side (the peer/endpoint).

  • From the favorites menu select Virtual network gateways.
  • Click Add.
  • Add the 'IP Address'. This is the remote peer IP.
  • Add the 'Address space'. This is the remote endpoint/endpoints.

Create Connection

  • From the favorites menu select Virtual network gateways.
  • Select VNETGW-POLICY.
  • Go to Settings.
  • Click Connections.
  • Click Add.
  • Click Connections.
  • Connection type: site-to-site (IPsec)
  • Gateways: The virtual/local network gateway previously created
  • Shared key (PSK):

CISCO ASA Configuration:

  • Object-Groups:
    First, we configure the object groups for encryption domain endpoints.
  • Encryption Domain:
    We then configure the encryption domain, using the previously created object groups.
  • NAT:
    NAT is configured to exclude the traffic to/from the endpoints.
  • Tunnel Group:
    The tunnel group with the pre-shared key is configured.
  • Crypto:
    The encryption domain, peer and phase 2 parameters are then all assigned to a tunnel group.
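Putting the five ASA steps above together, the following configuration is an added example and not the page's own listing. It assumes constructed values: an on-premises LAN of 192.168.10.0/24 behind the "inside" interface, an Azure VNet of 10.1.0.0/16, an Azure gateway public IP of 203.0.113.10 reachable via "outside", and a policy-based Azure gateway (as the VNETGW-POLICY name suggests) using IKEv1 with the assumed defaults AES-256/SHA-1/DH group 2; match these against the gateway's actual policy before use.

```cisco
! Added example, not the page's own configuration. Constructed values:
!   on-prem LAN 192.168.10.0/24 behind "inside", Azure VNet 10.1.0.0/16,
!   Azure gateway public IP 203.0.113.10 reachable via "outside".
! Object-groups for the encryption domain endpoints
object-group network ONPREM-LAN
 network-object 192.168.10.0 255.255.255.0
object-group network AZURE-VNET
 network-object 10.1.0.0 255.255.0.0
! Encryption domain: only this traffic is sent through the tunnel
access-list AZURE-VPN-ACL extended permit ip object-group ONPREM-LAN object-group AZURE-VNET
! NAT exemption so tunnel traffic keeps its real source/destination addresses
nat (inside,outside) source static ONPREM-LAN ONPREM-LAN destination static AZURE-VNET AZURE-VNET no-proxy-arp route-lookup
! Tunnel group keyed by the peer IP; the PSK is the one entered on the Azure connection
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key <PSK-FROM-AZURE-CONNECTION>
! Phase 1 (IKEv1; assumed policy-based Azure gateway defaults AES-256/SHA-1/DH2/8h)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
! Phase 2: encryption domain, peer and transform set bound in one crypto map entry
crypto ipsec ikev1 transform-set AZURE-TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address AZURE-VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AZURE-TS
crypto map OUTSIDE-MAP 10 set security-association lifetime seconds 3600
crypto map OUTSIDE-MAP interface outside
! Verification once interesting traffic has brought the tunnel up
show crypto ikev1 sa
show crypto ipsec sa peer 203.0.113.10
```

The crypto map entry is what ties the encryption domain, peer and Phase 2 parameters together; the tunnel group is selected by the peer IP and only carries the pre-shared key.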

Azure Connection

To show the status and the throughput totals you can click on the connection from within Virtual network gateways > VNETGW-POLICYVPN > Settings > Connections.

Site-to-Site VPN between Cisco RV and Amazon Web Services

Setting up a Site-to-Site VPN on Amazon Web Services:

  • Create a new VPC, defining an IPv4 CIDR block; the subnet that serves as our AWS LAN will be defined within it later. Select Create.
  • When creating the subnet, ensure that you have selected the VPC created previously. Define a subnet within the existing /16 network created previously.
  • Create a Customer Gateway, defining the IP Address as the Public IP Address of your Cisco RV Router.
  • Create a Virtual Private Gateway - creating a Name tag to help identify later.
  • Attach the Virtual Private Gateway to the VPC created previously.
  • Create a new VPN Connection, selecting the Target Gateway Type Virtual Private Gateway. Associate the VPN Connection with the Virtual Private Gateway created previously.
  • Select Existing Customer Gateway. Select the Customer Gateway created previously.
  • For Routing Options, ensure to select Static. Enter any IP Prefixes including CIDR notation for any remote networks you expect to traverse the VPN.
  • We will not cover any of the Tunnel Options in this guide - select Create VPN Connection.
  • Create a Route Table and associate the VPC created previously. Press Create.
  • Select the Route Table created previously. From the Subnet Associations tab, choose Edit subnet associations.
  • From the Edit subnet associations page, select the subnet created previously. Select the Route Table created previously. Then select save.
  • From the Route Propagation tab, choose Edit route propagation.
  • Select the Virtual Private Gateway created previously.
  • From VPC > Security Groups, ensure that you have a policy created to allow the desired traffic.
  • Select the VPN Connection that you have created previously and choose 'Download Configuration'.

Setting up Site-to-Site on an RV16X/RV26X, RV34X Router:

  • Log in to the router using valid credentials.
  • Navigate to VPN > IPsec Profiles. This will take you to the IPsec Profiles page; press the add icon (+).
  • We will now create our IPsec profile. When creating the IPsec Profile on your Small Business router, ensure that DH Group 2 is selected for Phase 1.
  • Ensure that your Phase 2 options match those made in Phase 1. For AWS, DH Group 2 must be used.
  • Press Apply and you will be navigated to the IPsec page; be sure to press Apply once again.
  • Navigate to VPN > Client to Site and on the Client to Site page press the plus icon (+).
  • When creating the IPsec Site-to-Site Connection, ensure that you select the IPsec Profile created in the previous steps. Use the Remote Endpoint type of Static IP and enter the address provided in the exported AWS configuration. Enter the Pre-Shared Key provided in the exported configuration from AWS.
  • Enter the Local Identifier for your Small Business router; this entry should match the Customer Gateway created in AWS. Enter the IP Address and Subnet Mask for your Small Business router; this entry should match the Static IP Prefix added to the VPN Connection in AWS.
  • Enter the Remote Identifier for your AWS connection; this will be listed under Tunnel Details of the AWS Site-to-Site VPN Connection. Enter the IP Address and Subnet Mask for your AWS connection, which was defined during the AWS configuration. Then press Apply.
  • Once on the IP Site to Site page, press Apply.

You have now successfully created a Site-to-Site VPN between your Cisco RV series router and your AWS VPC.

Set up VPN between Cisco ASR and Google Cloud VPN

Before configuring a Cisco ASR 1000 for use with the Google Cloud VPN service, ensure that the following prerequisite conditions have been met:

The Cisco ASR 1000 Series Router IPsec application requires:

  • Advanced Enterprise Services (SLASR1-AES) or Advanced IP Services Technology Package License (SLASR1-AIS).
  • IPsec RTU license (FLASR1-IPsec-RTU).
  • Encryption HW module (ASR1002HX-IPsecHW(=) and ASR1001HX-IPsecW(=)) and Tiered Crypto throughput license; this applies to ASR1002-HX and ASR1001-HX chassis only.

IPsec parameters:

For the Cisco ASR 1000 IPsec configuration, the following details will be used:

  • IPsec Mode - Tunnel Mode
  • Auth Protocol - Pre-shared Key
  • Key Exchange - IKEv2
  • Start - Auto
  • Perfect Forward Secrecy (PFS) - Group 16
  • Dead Peer Detection (DPD) - 60 5 periodic

The IPsec configuration used in this guide is specified below:

  • Encryption - aes-cbc-256 aes-cbc-192 aes-cbc-128
  • Integrity - sha256
  • Diffie-Hellman (DH) - group 16
  • Lifetime - 36,000 seconds (10 hours)

Configuration - Google Cloud

IPsec VPN using dynamic routing:

For dynamic routing you use Cloud Router to establish BGP sessions between the two peers.

Using the Cloud Platform Console:

  • Go to the VPN page in the Google Cloud Platform Console.
  • Click Create VPN connection.
  • Populate the following fields for the gateway:
    a. Name- The name of the VPN gateway.
    b. VPC network- The VPC network containing the instances the VPN gateway will serve.
    c. Region- The region where you want to locate the VPN gateway.
    d. IP address- Select a pre-existing static external IP address.
  • Populate fields for at least one tunnel:
    a. Peer IP address - Public IP address of the peer gateway (203.0.113.4 in this guide).
    b. IKE version - IKEv2 is preferred, but IKEv1 is supported if that is all the peer gateway can manage.
    c. Shared Secret - Character string used in establishing encryption for that tunnel. You must enter the same shared secret into both VPN gateways. If the VPN gateway device on the peer side of the tunnel doesn't generate one automatically, you can make one up.
    d. Routing options - Select Dynamic (BGP).
    e. Cloud router - Select Create cloud router, then populate the following fields. When you are done, click Save and continue.
    f. Name - The name of the Cloud Router. This name is displayed in the console and used by the gcloud command-line tool to reference the router.
    g. Google ASN - The private ASN (64512 - 65534, 4200000000 - 4294967294) for the router you are configuring. It can be any private ASN you are not already using.
    h. BGP session - Click the pencil icon, then populate the following fields. When you are done, click Save and continue.
    i. Name - bgp-peer1
    j. Peer ASN - The private ASN (64512 - 65534, 4200000000 - 4294967294) of the peer router. It can be any private ASN you are not already using.
    k. Google BGP IP address - The two BGP interface IP addresses must be link-local IP addresses belonging to the same /30 subnet in 169.254.0.0/16.
    l. Peer BGP IP address - See the explanation for Google BGP IP address.
  • Click Create to create the gateway, Cloud Router, and all tunnels. The tunnels will not connect until you have configured the peer router as well.
  • This step automatically creates the necessary forwarding rules for the gateway and tunnels.
  • Configure your firewall rules to allow inbound traffic from the peer network subnets; you must also configure the peer network firewall to allow inbound traffic from your Compute Engine prefixes.
    a. Go to the Firewall Rules Page.
    b. Click Create firewall rule.
    c. Populate the following fields:
    1. Name:
    2. VPC network:
    3. Source filter:
    4. Source IP ranges:
    5. Allowed protocols and ports:
  • Click Create.

Configure IKEv2 proposal and policy:

  • Encryption algorithm - set to AES-CBC-256, AES-CBC-192, AES-CBC-128
  • Integrity algorithm - set to SHA256
  • Diffie-Hellman group - set to 16

Configure IKEv2 keyring:

The IKEv2 keyring is associated with an IKEv2 profile and hence, caters to a set of peers that match the IKEv2 profile.

Configure IKEv2 profile:

  • IKEv2 Lifetime: Set to 36,000 seconds
  • DPD: Set to 60 seconds

Configure IPsec security association:

  • IPsec SA lifetime - 1 hour is the recommended value on ASR 1000 router.
  • IPsec SA replay window-size - 1024 is the recommended value on ASR 1000 router.

Configure IPsec transform set:

During the IPsec SA negotiation, the peers agree to use a particular transform set for protecting a particular data flow.

Configure IPsec profile:

  • Perfect Forward Secrecy (PFS) - Set to group16
  • SA Lifetime - Set to 3600 seconds

Configure IPsec static virtual tunnel interface (SVTI):

The recommended TCP MSS value on the tunnel interface is 1360 when the IP MTU is set to 1400 bytes.

Configure static or dynamic routing protocol to route traffic into the IPsec tunnel:

Statically route traffic toward the network in Google Cloud to the Tunnel interface.

Saving the configuration:

To save the running configuration and set it as the default startup, run the following command on Cisco IOS terminal:

copy run start
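The IKEv2, IPsec, SVTI, routing and save steps above, combined into one IOS-XE configuration as an added example that is not the guide's own listing. It assumes constructed values: outside interface GigabitEthernet0/0/0 with public IP 198.51.100.2, the peer IP 203.0.113.4 used in the console steps, a tunnel address of 169.254.0.2/30, and the 172.16.100.0/24 Google Cloud subnet taken from the static route example; the algorithm, lifetime, DPD, replay-window and MTU/MSS values are the ones this guide lists.

```cisco
! Added example, not the guide's own configuration. Constructed values:
!   outside interface GigabitEthernet0/0/0 = 198.51.100.2, Cloud VPN peer 203.0.113.4,
!   tunnel address 169.254.0.2/30, Google Cloud subnet 172.16.100.0/24.
! IKEv2 proposal and policy with the algorithms listed in this guide
crypto ikev2 proposal GCP-IKEV2-PROPOSAL
 encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
 integrity sha256
 group 16
crypto ikev2 policy GCP-IKEV2-POLICY
 proposal GCP-IKEV2-PROPOSAL
! Keyring: the shared secret entered on the Cloud VPN tunnel
crypto ikev2 keyring GCP-KEYRING
 peer GCP-VPN
  address 203.0.113.4
  pre-shared-key <SHARED-SECRET-FROM-CLOUD-VPN>
! IKEv2 profile: 36,000 s lifetime and DPD 60 5 periodic
crypto ikev2 profile GCP-IKEV2-PROFILE
 match address local interface GigabitEthernet0/0/0
 match identity remote address 203.0.113.4 255.255.255.255
 identity local address 198.51.100.2
 authentication remote pre-share
 authentication local pre-share
 keyring local GCP-KEYRING
 lifetime 36000
 dpd 60 5 periodic
! IPsec SA defaults (1 hour, replay window 1024), transform set in tunnel mode, profile with PFS group16
crypto ipsec security-association lifetime seconds 3600
crypto ipsec security-association replay window-size 1024
crypto ipsec transform-set GCP-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile GCP-IPSEC-PROFILE
 set security-association lifetime seconds 3600
 set transform-set GCP-TS
 set pfs group16
 set ikev2-profile GCP-IKEV2-PROFILE
! Static VTI: IP MTU 1400 with TCP MSS clamped to 1360
interface Tunnel1
 ip address 169.254.0.2 255.255.255.252
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.4
 tunnel protection ipsec profile GCP-IPSEC-PROFILE
! Static route into the tunnel toward the Google Cloud subnet, then persist
ip route 172.16.100.0 255.255.255.0 Tunnel1
copy running-config startup-config
```

Check the result with "show crypto ikev2 sa" and "show crypto ipsec sa" after pinging a Google Cloud host from the inside interface, as the testing section below describes.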

Advanced VPN configurations

  • Configure VPN redundancy:
    If a Cloud VPN tunnel goes down, it restarts automatically. If an entire virtual device fails, Cloud VPN automatically instantiates a new one with the same configuration, so you don't need to build two Cloud VPN gateways.
  • Cisco ASR:
    Cisco IOS BGP prefers the path with the highest LOCAL_PREF. BGP routes carry a value of 100 by default, so setting LOCAL_PREF to 200 for the routes received from Tunnel1 makes BGP choose Tunnel1 as the preferred VPN tunnel to Google Cloud. If Tunnel1 fails, BGP reroutes the traffic to Tunnel2.
  • Static Routing:
    To ensure symmetry in your traffic flow, you can configure MED to influence the inbound traffic from Google Cloud so that it uses the same tunnel you are sending outbound traffic to. Note that the lower the MED, the higher the preference.

    If you are using static routing, then instead of the BGP configuration mentioned above you can change the metric (a higher metric means lower preference) for your static route as follows:

    cisco-asr#ip route 172.16.100.0 255.255.255.0 Tunnel2 10
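The two-tunnel preference described above, written out as an added example that is not the guide's own configuration. It assumes constructed values: Cloud Router BGP addresses 169.254.0.1 (Tunnel1) and 169.254.1.1 (Tunnel2), Google ASN 65001, ASR ASN 65002, an on-premises prefix of 192.168.50.0/24, and the 172.16.100.0/24 Google subnet from the static route example.

```cisco
! Added example, not the guide's own configuration. Constructed values:
!   Tunnel1 peer 169.254.0.1, Tunnel2 peer 169.254.1.1 (Cloud Router side),
!   Google ASN 65001, ASR ASN 65002, on-prem prefix 192.168.50.0/24.
! Routes learned over Tunnel1 get LOCAL_PREF 200 (default 100): outbound traffic prefers Tunnel1
route-map TUNNEL1-IN permit 10
 set local-preference 200
! MED advertised to Google: lower wins, so Tunnel1 (100) is preferred over Tunnel2 (200) for inbound traffic
route-map TUNNEL1-OUT permit 10
 set metric 100
route-map TUNNEL2-OUT permit 10
 set metric 200
router bgp 65002
 bgp log-neighbor-changes
 neighbor 169.254.0.1 remote-as 65001
 neighbor 169.254.1.1 remote-as 65001
 address-family ipv4
  network 192.168.50.0 mask 255.255.255.0
  neighbor 169.254.0.1 activate
  neighbor 169.254.0.1 route-map TUNNEL1-IN in
  neighbor 169.254.0.1 route-map TUNNEL1-OUT out
  neighbor 169.254.1.1 activate
  neighbor 169.254.1.1 route-map TUNNEL2-OUT out
 exit-address-family
! Static-routing alternative (no BGP): the higher metric on Tunnel2 makes it the backup path
ip route 172.16.100.0 255.255.255.0 Tunnel1
ip route 172.16.100.0 255.255.255.0 Tunnel2 10
! Confirm which tunnel carries the Google Cloud prefix
show ip bgp 172.16.100.0
show ip route 172.16.100.0
```

Use either the BGP block or the two static routes, not both; the inbound route-map handles the failover described above, and the outbound MEDs keep the return path on the same tunnel.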

Google Cloud Configuration:

Google Cloud does ECMP by default, so no additional configuration is required apart from creating x tunnels, where x depends on your throughput requirements. You can either use a single VPN gateway to create multiple tunnels or create a separate VPN gateway for each tunnel.

Actual performance varies depending on the following factors:

  • Network capacity between the two VPN peers.
  • The capabilities of the peer device. See your device's documentation for more information.
  • Packet size. Because processing happens on a per-packet basis, having a significant percentage of smaller packets can reduce overall throughput.
  • High RTT and packet loss rates can greatly reduce throughput for TCP.

Testing the IPsec connection:

The IPsec tunnel can be tested from the router by using ICMP to ping a host on Google Cloud. Be sure to use the inside interface on the ASR 1000.

Copyright © 24 November 2024 All Rights Reserved by Vast Edge Inc.