AWS Site-to-Site VPN Configuration Guide for Cisco Firepower firewalls
Step-by-step guide to set up a hybrid environment using a Cisco Firepower Site-to-Site VPN to connect to your AWS environment.
Introduction
This article guides you through configuring a Site-to-Site VPN between an AWS Transit Gateway (with a VPN attachment) and a Cisco Firepower firewall. It also covers exchanging IPv4 routes over BGP to minimize manual effort, and controlling route advertisement with BGP policies. We recommend BGP-capable devices where available, because BGP provides robust failover to the second VPN tunnel if the first tunnel goes down. This guide uses the AWS console, but we recommend managing infrastructure components with infrastructure-as-code (IaC) where possible.
This guide covers:
- Creating a Customer Gateway on AWS
- Creating an AWS Site-to-Site VPN connection
- Creating a Site-to-Site VPN connection on a Cisco Firepower firewall
- Creating policy rules that are required to establish a Site-to-Site VPN connection to AWS
- Establishing BGP sessions between your Transit Gateway (TGW) and a Cisco Firepower firewall
- Verifying the connectivity between AWS and the Cisco Firepower firewall across the VPN tunnel
Pre-requisites
- Familiarity with AWS Virtual Private Cloud (VPC), TGW, as well as VPC and TGW route tables.
- A TGW configured in your AWS account.
- VPCs with IPv4 CIDR blocks attached to the TGW.
- Familiarity with BGP. For more information on BGP, please visit this guide.
- A Cisco Firewall running Secure Firewall version 7.X. This guide was written using Cisco Firepower firewalls running Cisco Secure Firewall version 7.4.2.
- Cisco Firepower firewall interfaces are configured with static and publicly routable IPv4 addresses, assigned to security zones, and assigned to a virtual router. If your firewall requires NAT traversal, please review [Vendor VPN NAT traversal article].
- An on-premises IPv4 subnet
- A default route configured on the Cisco Firepower firewall pointing to the internet.
Guide Architecture Overview
Figure 1: An overview of the architecture used in this guide
The diagram above summarizes the architecture used in this guide: three VPCs with IPv4 CIDRs, all attached to the TGW. Each VPC runs applications on port 80 with no access to the internet. The on-premises environment uses an IPv4 CIDR block, and the Cisco Firepower firewall has public IPv4 addresses available for use.
Part 1: Configure the Customer Gateway on AWS console
Navigate to VPC > Virtual Private Network > Customer Gateways
Select Create customer gateway:
- Enter the customer gateway Name tag.
- Enter a BGP ASN (autonomous system number). This guide uses ASN 65000 for the Cisco Firepower firewall (customer gateway) and 64514 for the TGW. For more details about BGP ASNs with an AWS Site-to-Site VPN, please refer to this guide.
- Enter the Public IP address of the Cisco Firepower firewall. In this guide, we are using the Outside interface (eth0/0) on the Cisco Firepower firewall. This address must be an IPv4 address.
- In this guide, we will use the pre-shared key method for authentication. Do not select a certificate ARN if you are following this guide. For more details about using certificate-based authentication with an AWS Site-to-Site VPN, please refer to this guide.
- When finished, select Create customer gateway.
Figure 2: Creating the customer gateway
Part 2: Configure the AWS Site-to-Site VPN connection and associate it with the TGW
In this section, we will configure the VPN tunnels. AWS recommends using Internet Key Exchange version 2 (IKEv2) where possible, because of the lower overhead in establishing a tunnel and enhanced health check functionality, as compared to IKEv1. For more information on the benefits of IKEv2 with Cisco Firepower, refer to this guide.
Navigate to VPC > Virtual Private Network (VPN) > Site-to-Site VPN connections
Select Create VPN Connection:
- Enter the VPN connection Name
- Select Transit gateway in Target gateway type and select the desired TGW.
- In the Customer gateway section, choose existing and select the customer gateway that was created in Part 1.
- In the Routing options section, choose Dynamic (requires BGP).
- In the Tunnel inside IP version, select IPv4.
- Using an Accelerated Site-to-Site VPN connection is out of scope for this guide. For more details, refer to the User Guide.
Figure 3: Configuring the VPN connection details
- Expand the Tunnel 1 and Tunnel 2 options section.
- For the Local and Remote IPv4 network CIDR fields, leave the default 0.0.0.0/0. Which traffic actually crosses the tunnel is controlled by firewall policy and BGP route advertisements, addressed later in this guide.
- Enable the tunnel activity log and tunnel endpoint lifecycle control. AWS Site-to-Site VPN logs give you deeper visibility into your deployments: they record IP Security (IPsec) tunnel establishment, IKE negotiations, and dead peer detection (DPD) protocol messages, which is what you will need when a tunnel fails to come up. Tunnel endpoint lifecycle control lets you choose when AWS replaces a tunnel endpoint, instead of it happening on AWS's schedule.
We recommend being more selective with IKE Phase 1 and Phase 2 parameters. These options can be modified by selecting “Edit tunnel (#) options”. Your decisions will depend on your specific compliance and security requirements. For a list of supported parameters, please refer to the VPN tunnel options documentation. Ensure modifications in this section are applied to both VPN tunnels.
Figure 4: Specifying VPN tunnel encryption options
Encryption algorithms
AWS supports AES128-GCM-16 and AES256-GCM-16 (in addition to AES128 and AES256 in CBC mode). We recommend AES256-GCM-16 where your device supports it and your requirements allow.
Integrity algorithms
Integrity algorithms authenticate the peer's IKE messages and detect any modification of the message in transit. Select your SHA algorithm based on your customer gateway device support and security requirements. If you have no specific requirements, we recommend SHA-384 for its performance and security characteristics.
DH group numbers
A Diffie-Hellman (DH) group determines the size and type of the key exchange used to derive the session keys. As with SHA, pick DH groups based on compatibility with your customer gateway device and your security requirements. If you have no specific requirements, we recommend DH group 20 (384-bit elliptic curve) for its security characteristics.
IKE version
The IKE protocol negotiates and establishes the IPsec security associations. IKE has two iterations, IKEv1 and IKEv2. We recommend IKEv2, which establishes the tunnel with fewer round trips and has better liveness detection than IKEv1.
For more details on how AWS secures the IPsec tunnel and the shared responsibility model, please refer to this blog post, AWS Site-to-Site VPN, choosing the right options to optimize performance.
After the tunnel creation, a VPN connection summary will be displayed.
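The console steps in Parts 1 and 2 map directly onto the EC2 API, and encoding them in code is the IaC route the introduction recommends. The following is an added example written for this guide, not code from the original article or from AWS: it builds the `create_vpn_connection` parameters with the Part 2 recommendations applied to both tunnels, and audits an existing connection's tunnel options (the shape returned by `describe_vpn_connections`) for anything left at the permissive defaults. It uses only the Python standard library; the resource IDs, addresses and the log group ARN are placeholders, and the sample describe output is constructed for the example.

```python
import secrets
import string
from typing import Dict, List

# Policy from Part 2 of the guide: IKEv2 only, AES-GCM, SHA2-384 or stronger,
# DH group 20 (group 21, the 521-bit ECP group, is also accepted).
ALLOWED = {"IKE": {"ikev2"}, "encryption": {"AES256-GCM-16"},
           "integrity": {"SHA2-384", "SHA2-512"}, "DH group": {20, 21}}
LOG_ARN = "arn:aws:logs:us-east-1:111122223333:log-group:vpn-logs"  # placeholder

def generate_psk(length: int = 32) -> str:
    """AWS PSK rules: 8-64 alphanumeric characters (. and _ allowed), must not start with 0."""
    alphabet = string.ascii_letters + string.digits
    return secrets.choice(string.ascii_letters) + "".join(
        secrets.choice(alphabet) for _ in range(length - 1))

def tunnel_options(inside_cidr: str, psk: str) -> Dict:
    """One tunnel's options for create_vpn_connection; call it for BOTH tunnels."""
    return {
        "TunnelInsideCidr": inside_cidr,  # a /30 inside 169.254.0.0/16
        "PreSharedKey": psk,
        "IKEVersions": [{"Value": "ikev2"}],
        "Phase1EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
        "Phase2EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
        "Phase1IntegrityAlgorithms": [{"Value": "SHA2-384"}],
        "Phase2IntegrityAlgorithms": [{"Value": "SHA2-384"}],
        "Phase1DHGroupNumbers": [{"Value": 20}],
        "Phase2DHGroupNumbers": [{"Value": 20}],  # the PFS group on the Cisco side
        "Phase1LifetimeSeconds": 28800, "Phase2LifetimeSeconds": 3600,
        "DPDTimeoutSeconds": 30, "DPDTimeoutAction": "restart",
        "EnableTunnelLifecycleControl": True,
        "LogOptions": {"CloudWatchLogOptions": {
            "LogEnabled": True, "LogGroupArn": LOG_ARN, "LogOutputFormat": "json"}},
    }

def vpn_connection_params(tgw_id: str, cgw_id: str) -> Dict:
    """Keyword arguments for ec2.create_vpn_connection: BGP, IPv4 inside, both tunnels hardened."""
    return {"Type": "ipsec.1", "CustomerGatewayId": cgw_id, "TransitGatewayId": tgw_id,
            "Options": {"StaticRoutesOnly": False,  # Dynamic (requires BGP)
                        "TunnelInsideIpVersion": "ipv4",
                        "LocalIpv4NetworkCidr": "0.0.0.0/0",  # scoped by firewall policy and BGP
                        "RemoteIpv4NetworkCidr": "0.0.0.0/0",
                        "TunnelOptions": [tunnel_options("169.254.10.0/30", generate_psk()),
                                          tunnel_options("169.254.11.0/30", generate_psk())]}}

def _values(opts: Dict, *keys: str) -> set:
    """Flatten [{'Value': x}, ...] lists; describe output spells the IKE key 'IkeVersions'."""
    return {item["Value"] for key in keys for item in opts.get(key, [])}

def audit_tunnel(opts: Dict) -> List[str]:
    """Weak or missing settings of one tunnel; an empty list means compliant."""
    checks = [("IKE", _values(opts, "IkeVersions", "IKEVersions"), "IKE")]
    for phase in ("Phase1", "Phase2"):
        checks += [(f"{phase} encryption", _values(opts, f"{phase}EncryptionAlgorithms"), "encryption"),
                   (f"{phase} integrity", _values(opts, f"{phase}IntegrityAlgorithms"), "integrity"),
                   (f"{phase} DH group", _values(opts, f"{phase}DHGroupNumbers"), "DH group")]
    findings = []
    for name, proposed, policy in checks:
        weak = proposed - ALLOWED[policy]
        if not proposed:  # unset means AWS negotiates its full default list
            findings.append(f"{name}: not restricted, AWS defaults apply")
        elif weak:
            findings.append(f"{name}: weak values {sorted(map(str, weak))}")
    if not opts.get("LogOptions", {}).get("CloudWatchLogOptions", {}).get("LogEnabled"):
        findings.append("tunnel activity logging disabled")
    if not opts.get("EnableTunnelLifecycleControl"):
        findings.append("tunnel endpoint lifecycle control disabled")
    return findings

def audit_connection(vpn: Dict) -> Dict[str, List[str]]:
    """Audit every tunnel of one describe_vpn_connections()['VpnConnections'] entry."""
    return {t.get("OutsideIpAddress", f"tunnel-{i + 1}"): audit_tunnel(t)
            for i, t in enumerate(vpn["Options"]["TunnelOptions"])}

# Constructed describe_vpn_connections() entry: Tunnel 1 was hardened, Tunnel 2 was
# left at the console defaults (every algorithm and both IKE versions offered).
_t1 = tunnel_options("169.254.10.0/30", "placeholderPSK")
_t1["IkeVersions"] = _t1.pop("IKEVersions")  # the key as describe output spells it
_t1["OutsideIpAddress"] = "203.0.113.10"
_t2 = {
    "OutsideIpAddress": "203.0.113.11", "TunnelInsideCidr": "169.254.11.0/30",
    "IkeVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}],
    **{f"{p}EncryptionAlgorithms": [{"Value": v} for v in
       ("AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16")] for p in ("Phase1", "Phase2")},
    **{f"{p}IntegrityAlgorithms": [{"Value": v} for v in
       ("SHA1", "SHA2-256", "SHA2-384", "SHA2-512")] for p in ("Phase1", "Phase2")},
    "Phase1DHGroupNumbers": [{"Value": g} for g in (2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)],
    "Phase2DHGroupNumbers": [{"Value": g} for g in (2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24)],
    "LogOptions": {"CloudWatchLogOptions": {"LogEnabled": False}},
    "EnableTunnelLifecycleControl": False,
}
SAMPLE_VPN = {"VpnConnectionId": "vpn-0123456789abcdef0", "Options": {"TunnelOptions": [_t1, _t2]}}
```

`vpn_connection_params(...)` can be passed straight to `boto3.client("ec2").create_vpn_connection(**params)`; running `audit_connection` over each entry of `describe_vpn_connections()["VpnConnections"]` is the check that catches the common mistake of hardening Tunnel 1 and forgetting Tunnel 2, which the sample above reproduces. Treat an unset algorithm list as a finding, because AWS then offers its whole default set, including IKEv1, AES128-CBC, SHA1 and DH group 2.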
Part 3: Configure the site-to-site VPN on the Cisco Firepower firewall
In this section, we will guide you on how to configure your Cisco Firepower firewall tunnel interface.
Create the Route-Based VPN connection
- From FMC, navigate to Firewall → Site-to-Site VPN connection, click Add, provide a Name, select "Route-based VPN" with "Point-to-Point" as the topology, and click Create.
Figure 5: Creating the VPN connection on the Cisco firewall
- Configure the VPN endpoints by editing the VPN connection. Set the Node A device to "Extranet" and provide the AWS VPN tunnel endpoint (outside) IP address.
Figure 6: Editing the VPN topology
- Create the Virtual Tunnel Interface (VTI) by selecting the + symbol next to the VTI dropdown menu. Configure the VTI with the customer gateway inside tunnel IP address for this tunnel (the AWS side uses the other address of the same /30). The inside tunnel IP addresses are shown in the AWS console under VPC > Site-to-Site VPN Connections > vpn-abcde > Tunnel Details tab. Select the outside interface as the tunnel source and the corresponding security zone.
Figure 7: Editing the virtual tunnel interface
- Create a new IKEv2 policy with integrity algorithms, encryption algorithms, Diffie-Hellman (DH) group and Lifetime that matches the AWS configuration selected earlier.
Figure 8: Creating the IKEv2 policy
- Select the newly created IKEv2 policy, set the Authentication Type to Pre-shared Manual Key, and enter the pre-shared key from the AWS tunnel options. Leave "hex-based pre-shared key" unchecked, because the AWS PSK is alphanumeric.
Figure 9: Specifying the VPN pre-shared key
- Create an IKEv2 IPsec proposal whose encryption and hash match the Phase 2 settings chosen on the AWS side, and select it as the IPsec proposal. Enable perfect forward secrecy (PFS) with the DH group chosen for Phase 2 on AWS. PFS performs a fresh DH exchange for each IPsec SA, so a compromise of the IKE SA keys does not expose the traffic keys of earlier sessions.
Figure 10: Specifying the IKEv2 ESP encryption options
Figure 11: Specifying the IKEv2 ESP hash options
Select the IKEv2 IPsec proposal you created and set the Lifetime to match the Phase 2 lifetime configured on the AWS side.
Figure 12: Applying the IKEv2 IPsec proposal to the VPN tunnel
- In the Advanced settings menu, configure the DPD timers to match the AWS side of the configuration.
Figure 13: Specifying the ISAKMP settings
Every AWS Site-to-Site VPN connection provides two tunnels with unique endpoints. It is important to configure both tunnels for redundancy. Repeat steps 1-7 in this section to create the second tunnel. Refer to the downloaded AWS VPN configuration for this connection for the second tunnel's endpoint address, inside tunnel IP addresses and pre-shared key.
Configure BGP routing
In this section, we will configure BGP routing to exchange routes between the firewall and the TGW.
- In the Cisco Firewall Management Center, select the Firepower device and edit its configuration. Select Routing → General Settings → BGP. Configure the local AS number (65000 in this guide) if it is not already set, and make sure the neighbor timers match the AWS side.
Figure 14: Specifying the BGP ASN and other details
- Select Routing > BGP > IPv4 > Neighbor and add each of the two BGP neighbors by choosing "Add". Use the AWS-side inside tunnel IP address of that tunnel as the neighbor IP and the TGW ASN (64514 in this guide) as the neighbor AS number.
Figure 15: Configuring the BGP peers using the inside tunnel IP addresses
- Navigate to the Networks tab and select the networks to advertise to the TGW.
Figure 16: Selecting the networks to advertise from the Cisco firewall to the TGW
- Navigate to the AWS VPN console and verify that the status of both tunnels is "Up" and that BGP routes are received from the firewall.
Figure 17: Verifying VPN tunnel status
- Confirm that the desired networks are advertised and received on the Firepower device.
Figure 18: Validating BGP information using the Cisco CLI
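The two checks in the last bullets (tunnel status in the AWS console, routes advertised and received on the Firepower device) can be scripted so that a failed second tunnel is noticed rather than hidden by a working first one. The following is an added example written for this guide, not code from the original article, AWS or Cisco: it reads the VgwTelemetry list of a `describe_vpn_connections()` entry, parses the neighbor table of the firewall's `show bgp summary` output, and reports anything that breaks redundancy. The sample telemetry and CLI output are constructed; the addresses and ASNs are the placeholders used in this guide.

```python
import re
from typing import Dict, List

TGW_ASN = 64514  # the TGW ASN used in Part 1 of the guide

def tunnel_status(vpn: Dict) -> Dict[str, Dict]:
    """Per-tunnel view of the VgwTelemetry list in a describe_vpn_connections() entry."""
    return {t["OutsideIpAddress"]: {"up": t["Status"] == "UP",
                                    "routes": int(t.get("AcceptedRouteCount", 0)),
                                    "message": t.get("StatusMessage", "")}
            for t in vpn["VgwTelemetry"]}

# Neighbor rows of 'show bgp summary': peer, version, AS, five counters, Up/Down, then
# either the received-prefix count (session Established) or the FSM state (Idle, Active, ...).
_NEIGHBOR = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+4\s+(\d+)\s+(?:\S+\s+){5}\S+\s+(\S+)$")

def bgp_neighbors(show_bgp_summary: str) -> Dict[str, Dict]:
    """Parse the firewall's 'show bgp summary' into {peer_ip: {asn, established, prefixes, state}}."""
    peers = {}
    for line in show_bgp_summary.splitlines():
        m = _NEIGHBOR.match(line.strip())
        if not m:
            continue  # banner, header and blank lines
        peer, asn, last = m.groups()
        up = last.isdigit()
        peers[peer] = {"asn": int(asn), "established": up,
                       "prefixes": int(last) if up else 0,
                       "state": "Established" if up else last}
    return peers

def redundancy_problems(vpn: Dict, show_bgp_summary: str, tgw_asn: int = TGW_ASN) -> List[str]:
    """Anything that would leave the connection without a working second tunnel."""
    problems = []
    for ip, t in tunnel_status(vpn).items():
        if not t["up"]:
            problems.append(f"AWS: tunnel {ip} is DOWN ({t['message']})")
        elif t["routes"] == 0:
            problems.append(f"AWS: tunnel {ip} is UP but accepts no BGP routes from the firewall")
    peers = bgp_neighbors(show_bgp_summary)
    if len(peers) < 2:
        problems.append(f"firewall: {len(peers)} BGP neighbor(s) configured, one per tunnel expected")
    for ip, p in peers.items():
        if p["asn"] != tgw_asn:
            problems.append(f"firewall: neighbor {ip} uses AS {p['asn']}, expected {tgw_asn}")
        if not p["established"]:
            problems.append(f"firewall: neighbor {ip} is {p['state']}, not Established")
        elif p["prefixes"] == 0:
            problems.append(f"firewall: neighbor {ip} Established but received no prefixes from the TGW")
    return problems

# Constructed inputs: Tunnel 1 healthy on both sides, Tunnel 2 never came up.
SAMPLE_VPN = {"VpnConnectionId": "vpn-0123456789abcdef0", "VgwTelemetry": [
    {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
     "StatusMessage": "3 BGP ROUTES", "AcceptedRouteCount": 3},
    {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
     "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0}]}
SAMPLE_SHOW_BGP = """\
BGP router identifier 198.51.100.1, local AS number 65000
Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.10.1    4        64514      25      27        8    0    0 00:10:33        3
169.254.11.1    4        64514       0       0        1    0    0 never    Active
"""
```

A session that is Established but shows 0 prefixes is reported separately from one that is down: the tunnel and the BGP session are fine, but the TGW route table has nothing to send, or the firewall's inbound policy filters everything, which is a routing problem rather than a VPN problem.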
Verification
If you have instances running in your AWS VPCs, you can now perform connectivity tests. In this example, we validated that ICMP and HTTP traffic flows from the on-premises network to our EC2 instances, with appropriately configured security groups, network ACLs and route tables. You can also use the AWS Reachability Analyzer to validate connectivity within the AWS network.
Below is a ping test from a Corporate Data Center host behind the FTDv (Firepower Threat Defense Virtual) to an Amazon EC2 instance in VPC A.
Figure 19: Verifying ICMP connectivity across the VPN tunnel
Cleanup
The intention of this guide is to help you configure a Site-to-Site VPN connection in a production environment. If you created it for temporary purposes, follow these steps to clean up your AWS environment so that you do not incur unnecessary costs.
- Clean up AWS resources.
  - Delete the VPN connection: VPC > Virtual Private Network (VPN) > Site-to-Site VPN connections > select the VPN connection > Actions menu > Delete VPN connection.
  - Delete the customer gateway: VPC > Virtual Private Network (VPN) > Customer gateways > select the customer gateway > Actions menu > Delete customer gateway.
- Clean up the Cisco Firepower firewall configuration.
  - Go to FMC > Site-to-Site VPN. Select the VPN connection and choose Delete.
  - Go to FMC > Device management. Select the FTDv and delete the tunnel interfaces associated with the VPN.
  - Go to FMC > Device management > Routing > BGP > IPv4 > Neighbor and delete the BGP neighbor configuration.
Conclusion
In this guide, we have covered detailed best practices for configuring a Site-to-Site VPN connection between a Cisco Firepower firewall and a TGW with a VPN attachment.
When configuring security settings between a Cisco Firepower firewall and AWS, always refer to the latest AWS Well-Architected Framework Security Pillar documentation, as well as the Cisco Firepower Firewall Management Center Device Configuration Guide.
Authors: Sudha Thillai Govindarajan, Tyler Applebaum
Special thanks to: Pablo Sanchez Carmona