I want to use BGP to configure AWS Managed Site-to-Site VPN connectivity between AWS and the MikroTik router.
Resolution
Note: For information on how to optimize AWS VPN performance, see AWS Site-to-Site VPN, choosing the right options to optimize performance.
Prerequisites
Before you begin, make sure:
- You configured a Virtual Private Cloud (VPC) CIDR associated with a virtual private gateway or attached to a transit gateway.
- The VPC CIDR doesn't overlap with the on-premises network CIDR.
Create an AWS Site-to-Site VPN with MikroTik router using BGP routing
- Follow steps 1 to 5 in Getting started with AWS Site-to-Site VPN to configure the AWS side of the VPN connection. Note:
- Verify the Autonomous System Number (ASN) for your customer gateway device. If you keep the default, AWS assigns your customer gateway the ASN 65000.
- Select the routing option as dynamic in step 5.
- Open the Amazon VPC console. Navigate to Site-to-Site VPN connections.
- Select your VPN connection and download the sample configuration file for the router.
Note: Use this sample file to configure the AWS Site-to-Site VPN on the router.
- Log in to your MikroTik router's user interface using Winbox.
- Configure IPSEC Proposal on the MikroTik router as follows:
The IPSEC proposal defines the IPSEC parameters for encryption, authentication, Diffie-Hellman group, and lifetime.
Go to IP tab > IPsec > Proposals.
Choose the + button. Then, enter the following:
Name: ipsec-vpn-xxxxxxxxx-0
Auth. Algorithms: sha1
Encr. Algorithms: aes-128-cbc
Lifetime: 01:00:00
PFS Group: modp1024
Select Apply and OK.
Note: Replace <vpn-xxxxxxxxx-0> with your IPsec VPN address or the name for your VPN.
- Create an IPSEC policy on your MikroTik router. The IPSEC policy permits traffic from your local subnet to the VPC subnet, and between the inside tunnel IP of your customer gateway (MikroTik router) and the inside tunnel IP of the AWS VPN tunnel endpoint. The traffic selectors in the IPSEC policy on your MikroTik router can be configured as any (0.0.0.0/0) to any (0.0.0.0/0).
Go to IP tab > IPsec > Policies.
Choose the + button. Then, enter the following:
Src. Address: 0.0.0.0/0
Dst. Address: 0.0.0.0/0
Choose the Action tab
Select Tunnel. Then, enter as follows:
SA Src. Address: WAN/Outside interface
SA Dst. Address: VGW Outside IP
Proposal: ipsec-vpn-xxxxxxxxx-0
Select Apply and OK.
Note: Replace <vpn-xxxxxxxxx-0> with your IPsec VPN address or the name for your VPN.
- Create an Internet Key Exchange (IKE) profile on your MikroTik router. An IKE profile defines the IKE SA (phase 1 SA) parameters for encryption, authentication, Diffie-Hellman group, authentication key, and lifetime.
Go to IP tab > IPsec > Profile.
Choose the + button. Enter the details as follows:
Profile name: profile-vpn-xxxxxxxxx-0
Hash Algorithm: sha1
Encryption Algorithm: aes-128
DH Group: modp1024
Lifetime: 08:00:00
DPD Interval: 10
DPD Maximum Failures: 3
Select Apply and OK.
Note: Replace <profile-vpn-xxxxxxxxx-0> with your profile's VPN address or the name of the profile.
- Associate the IKE profile with the AWS VPN endpoint (peer):
Go to IP tab > IPsec > Peer. Then, enter the details as follows:
Address: <AWS tunnel IP>
Local Address: <MikroTik IP on the external interface>
Profile: profile-vpn-xxxxxxxxx-0
Exchange Mode: Main
Select Apply and OK.
Note: Replace <AWS tunnel IP> with your AWS tunnel IP address and <MikroTik IP on the external interface> with the associated MikroTik IP address. Replace <profile-vpn-xxxxxxxxx-0> with your profile's VPN address or the name of the profile.
- Add the pre-shared key to authenticate the peers. Pre-shared keys are obtained from the sample configuration file downloaded from the AWS console.
Go to IP tab > IPsec > Identities. Then, enter the details as follows:
Auth Method: Pre-Shared key
Secret: AAAAAAAAAAAAAAAAAA
Select Apply and OK.
- Configure the logical tunnel interface on the MikroTik router. All traffic from the on-premises private network is routed to the logical tunnel interface, where it is encrypted and sent to the VPC, and vice versa.
Go to IP tab > Addresses.
Choose the + button. Then, enter the details as follows:
Address: 169.254.X.X/30
Interface: WAN/Outside interface
Select Apply and OK.
- Configure the BGP peers on the MikroTik router to exchange routing prefixes to and from the AWS VPN tunnel endpoints (virtual private gateway or transit gateway) as shown here:
Go to Routing > BGP > Peer.
Choose the + button and select the General tab. Then, enter the details as follows:
Name: BGP-vpn-xxxxxxxxx-0
Remote Address: 169.254.X.X
Remote AS: 64512
Hold Time: 30
Keepalive Time: 10
Select Apply and OK.
Note: Replace <BGP-vpn-xxxxxxxxx-0> with your BGP VPN address.
- Advertise local on-premises prefixes. Your customer gateway (MikroTik router) advertises the local prefixes to AWS. An example for a local prefix with a subnet/mask of 10.0.0.0/16 is shown here:
Go to the Routing tab > BGP > Networks.
Choose the + button. Then, enter as follows:
Network: 10.0.0.0/16
Select Apply and OK.
- Set up NAT exemption.
Create a rule that permits traffic from the local subnet to VPC.
Note: If you're performing Network Address Translation (NAT) on your customer gateway, you might need a NAT exemption rule to permit traffic from your local subnet to the VPC subnet, and vice versa. This example rule permits traffic from the local subnet to the VPC subnet.
Go to IP tab > Firewall > NAT.
Choose the + button and select the General tab. Then, enter as follows:
Chain: srcnat
Src. Address: local subnet/mask
Dst.Address: Amazon Virtual Private Cloud (Amazon VPC) subnet/mask
Choose the Action tab. Then, enter as follows:
Action: accept
Select Apply and OK.
- Create a firewall rule permitting traffic from the inside IP associated with your customer gateway (MikroTik tunnel IP) to the inside IP associated with the AWS tunnel (that is, the virtual private gateway or the transit gateway).
Choose the + button and select the General tab. Then, enter as follows:
Chain: srcnat
Src. Address: 169.254.X.X
Dst. Address: 169.254.X.X
Choose the Action tab.
Action: accept
Select Apply and OK.
Note: Your customer gateway might have other NAT rules (for example, a masquerade rule for internet access) that conflict with the NAT exemption rules. To avoid policy conflicts, position the NAT exemption rules above those rules so that they are evaluated first.
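The same configuration entered at the RouterOS terminal instead of Winbox, as an added example that is not part of this article or of the AWS sample configuration file. It assumes RouterOS v6 BGP syntax (the Routing > BGP > Peer menu used above), ether1 as the WAN interface, the placeholder object names from the steps, and constructed documentation addresses standing in for the real WAN, tunnel, and VPC values.

```routeros
# Added example. Constructed placeholder values; replace with the values from
# the AWS sample configuration file:
#   ether1        = WAN/outside interface
#   203.0.113.10  = MikroTik WAN IP (SA Src. Address / Local Address)
#   192.0.2.1     = AWS tunnel outside IP (SA Dst. Address / Peer Address)
#   169.254.10.2  = MikroTik inside tunnel IP, 169.254.10.1 = AWS inside IP
#   10.0.0.0/16   = on-premises prefix, 172.31.0.0/16 = VPC CIDR

# Phase 2 proposal (IP > IPsec > Proposals)
/ip ipsec proposal add name=ipsec-vpn-xxxxxxxxx-0 auth-algorithms=sha1 \
    enc-algorithms=aes-128-cbc lifetime=1h pfs-group=modp1024

# Phase 1 profile (IP > IPsec > Profile) with dead peer detection
/ip ipsec profile add name=profile-vpn-xxxxxxxxx-0 hash-algorithm=sha1 \
    enc-algorithm=aes-128 dh-group=modp1024 lifetime=8h \
    dpd-interval=10s dpd-maximum-failures=3

# Peer (IP > IPsec > Peer) bound to the profile, IKEv1 main mode
/ip ipsec peer add name=peer-vpn-xxxxxxxxx-0 address=192.0.2.1/32 \
    local-address=203.0.113.10 profile=profile-vpn-xxxxxxxxx-0 exchange-mode=main

# Pre-shared key from the AWS sample file (IP > IPsec > Identities)
/ip ipsec identity add peer=peer-vpn-xxxxxxxxx-0 auth-method=pre-shared-key \
    secret="REPLACE_WITH_PSK_FROM_AWS_SAMPLE_FILE"

# Any-to-any tunnel policy (IP > IPsec > Policies)
/ip ipsec policy add src-address=0.0.0.0/0 dst-address=0.0.0.0/0 tunnel=yes \
    sa-src-address=203.0.113.10 sa-dst-address=192.0.2.1 \
    proposal=ipsec-vpn-xxxxxxxxx-0

# Inside tunnel address on the outside interface (IP > Addresses)
/ip address add address=169.254.10.2/30 interface=ether1

# Local ASN 65000 (the AWS default for the customer gateway), BGP peer to the
# AWS endpoint (Routing > BGP > Peer), on-premises prefix (Routing > BGP > Networks)
/routing bgp instance set default as=65000 router-id=169.254.10.2
/routing bgp peer add name=BGP-vpn-xxxxxxxxx-0 remote-address=169.254.10.1 \
    remote-as=64512 hold-time=30s keepalive-time=10s
/routing bgp network add network=10.0.0.0/16

# NAT exemptions (IP > Firewall > NAT). place-before=0 inserts them at the top
# so a masquerade rule cannot rewrite tunnel traffic; omit it on an empty table.
/ip firewall nat add chain=srcnat src-address=10.0.0.0/16 \
    dst-address=172.31.0.0/16 action=accept place-before=0
/ip firewall nat add chain=srcnat src-address=169.254.10.2 \
    dst-address=169.254.10.1 action=accept place-before=0

# Checks: phase 1 peer and phase 2 SAs up, BGP Established, VPC routes learned
/ip ipsec active-peers print
/ip ipsec installed-sa print
/routing bgp peer print status
/ip route print where bgp
```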