Configuration of Dynamic Routing (BGP) - Based AWS Site-to-Site VPN with MikroTik Router for Secure Data Transmission

Introduction to AWS Site-to-Site VPN:

AWS Site-to-Site VPN is a service provided by Amazon Web Services (AWS) that allows organizations to establish secure, encrypted connections between their on-premises networks and AWS cloud resources. This VPN solution enables seamless and private communication between the organization's data center, office, or remote sites and their Virtual Private Cloud (VPC) in AWS. The setup involves configuring a virtual private gateway in the AWS VPC and a customer gateway on the organization's on-premises network. The customer gateway can be a physical device or a software-based VPN appliance like a CISCO ASA, Palo Alto Firewall, MikroTik router and etc. Once the connections are established, data can be securely transmitted over the Internet between the on-premises network and the AWS VPC.

AWS Site-to-Site VPN uses industry-standard encryption protocols, such as Internet Protocol Security (IPsec), to ensure the confidentiality and integrity of data transmitted between the two networks. By utilizing this service, organizations can extend their on-premises network to the cloud and access AWS resources securely, as if they were part of the same local network. This allows for seamless integration of on-premises and cloud resources, facilitating hybrid cloud architectures and enabling various use cases, such as disaster recovery, data backup, and resource scalability.

MikroTik Router:

MikroTik Router is a brand of network routers and wireless communication devices developed by the Latvian company MikroTik. Founded in 1996, MikroTik has gained a strong reputation for producing high-performance, cost-effective networking solutions. MikroTik routers are known for their robust operating system called RouterOS. RouterOS is a proprietary software that provides advanced routing and networking capabilities, making MikroTik routers suitable for a wide range of applications, from small home networks to large enterprise setups. It runs on the proprietary RouterOS operating system, offering robust routing, firewall, VPN support, Quality of Service (QoS), and hotspot functionality.

Due to their reliability, versatility, and affordability, MikroTik routers have gained popularity among network administrators, Internet Service Providers (ISPs), and businesses of all sizes. They are commonly used in various networking scenarios, including home networks, small and medium-sized businesses, as well as large-scale enterprise networks.

Challenges in Configuring Dynamic Routing (BGP) IPSec VPN Tunnels between MikroTik Router and AWS Cloud:

When configuring a BGP-based VPN tunnel, it is essential to ensure that the IPSec policy permits traffic from the Inside IP associated with your Customer Gateway (169.254.x.y) to the inside IP associated with the Virtual Private Gateway (169.254.x.y). In the context of certain MikroTik Router, the IPsec Policy must propose encryption domain as any (0.0.0.0/0) to any (0.0.0.0/0) over the IPSec tunnel. However, it is crucial to be cautious as MikroTik router's IPSec policies operate below the routing table. Proposing such IPSec policies with "any to any" encryption domains will override all existing routes and create local routing issues, resulting in connectivity problems. To avoid these challenges and ensure proper connectivity, it is recommended to carefully design IPSec policies, considering the specific routing requirements, and avoid generic "any to any" encryption domain proposals. By doing so, potential conflicts and local routing issues can be mitigated, providing a more stable and secure VPN tunnel configuration.

Configurations of AWS Site-to-Site VPN with challenging MikroTik Router:

I. To set up a VPN connection, first configure AWS Cloud side of the connection by referring the following steps:

Step 1: Create a customer gateway Step 2: Create a target gateway Step 3: Configure routing Step 4: Update your security group Step 5: Create a VPN connection Step 6: Download the configuration file

II. Next, configure the VPN connection on MikroTik Router side using downloaded configuration file in Step 6:

** Step 1. IPSec Proposal Configuration:**
An IPsec proposal defines the IPsec parameters for encryption, authentication, Diffie-Hellman, and lifetime.

** Step 2. Create an IKE policy permitting traffic from your local subnet to the VPC subnet**

***Important Note: If you are creating a BGP based VPN tunnel, make sure your IPSec policy permitting traffic from the Inside IP associated with your Customer Gateway (169.254.202.14) to the inside IP associated with the Virtual Private Gateway (169.254.202.13). To do that, your customer gateway must propose any (0.0.0.0/0) to any (0.0.0.0/0) over IPSec tunnel. However, in MikroTik router IPSec operates below the routing table and proposing IPSec policy with 0.0.0.0/0 -> 0.0.0.0/0 will overrides all the routes and createlocal routing issues.***To overcome this issue, please implement the following workaround:

Create a first IPSec policy permitting traffic from any (0.0.0.0/0) to any (0.0.0.0/0)

Step 3. Create a second IpSec policy exempting local network from encryption and move this policy on top so that it will have higher priority: (This policy will exempt local network (172.17.0.0/16 ) from main IPSec policy (TS: 0.0.0.0/0==0.0.0.0/0) and prevents local traffic to traverse towards IPSec tunnel)

Step 4. Move the second IPSec policy to top using Mikrotik command line (Winbox GUI doesn't have the option to prioritize policies).

/ip ipsec policy print

! Let's assume you you have 2 policies, primary policy on slot 0 and the secondary policy on slot 1. Type:

move 1 0

Step 5. IKE Profile:
An IKE Profile defines the IPsec parameters for encryption, authentication, Diffie-Hellman, Authentication key and lifetime.

A. Create a IKE profile:

B. Associate profile with peer:

C. Add pre-shared key to authenticate peer:

Step 6. Tunnel Interface Configuration: A tunnel interface is configured to be the logical interface associated with the tunnel. All traffic routed to the tunnel interface will be encrypted and transmitted to the VPC. Similarly, traffic from the VPC will be logically received on this interface.

Step 7. You can add a route for the a VPN endpoint so they route via the public interface as that is what you will use to build VPN.

Step 8. Once IKE and IPSec policies configured VPN tunnel came UP:

Step 9. Configure BGP on MikroTik firewall using Downloaded configuration file: Note: Configure the local BGP Autonomous System Number (ASN) as 65000

A. Configure BGP peer informations as shown in the screenshot.

B. Advertise your local route to AWS over VPN tunnel:

Step 10. Configure NAT Exemption: Note: If you are performing NAT on your Customer Gateway, you may have to add a nat exemption rule to permit traffic from your local subnet to the VPC subnet and vice versa.This example rule permits all traffic from the local subnet to the VPC subnet.

Step 11. Bi-directional Connectivity test: Note: Once VPN tunnel between MikroTik and AWS is now up and then BGP came UP. Ran following connectivity tests:

A. Ping test from AWS Instance to private instance behind MikroTik in other VPC:

B. Ping test from private instance behind MikroTik to AWS:

Conclusion:

In conclusion, configuring a BGP-based IPSec VPN tunnel between a MikroTik Router and AWS Cloud requires careful consideration of IPSec policies workaround. While keeping generic "any to any" encryption domain proposals and prioritizing local policies using command line interface of MikroTik Router is crucial to prevent local routing issues and ensure a stable and secure connection. By adhering to best practices and tailoring encryption domains to specific routing requirements, administrators can establish a robust and efficient VPN tunnel for seamless communication between on-premises networks and AWS cloud resources.

References:

1. How can I configure dynamic routing-based AWS Site-To-Site VPN with a MikroTik router?