Where I work, we use AWS as our major cloud provider and we have the Mikrotik Routerboard setup for our office network. To access services launched in a private subnet (in our VPC), we setup a VPN connection between our office network and the AWS VPC. It used to work, but for some reason (probably someone who has access to it, messed up the config), it just doesn't work anymore. I brought down everything that was setup on both the AWS side and on Mikrotik, and started from scratch. It shows that the VPN tunnels are up on the AWS S2S Connection created, I also enabled route propagation for the Virtual Private Gateway I created and I also made sure the static routes on the AWS S2S Connection had both the CIDRs of our office network and the AWS VPC. Like I said, it once worked, but for some reason, its not working anymore. Basically, I have done all I think I should and need some help at this point. The only thing I noticed which wasn't so before is the fact that on following the steps for setting up the configuration file downloaded after creating the AWS S2S connection, when I am setting up the second tunnel and I got to :
IPTAB ---> IPSEC ---> Policies, the Policy shows as invalid, and this wasn't the case before. I would appreciate any form of help I can get on this platform, as this has been pending for a whole and is stalling a lot of processes and making the rest quite difficult to carry out. I have put the config file downloaded from AWS
Thanks.
! Amazon Web Services
! Virtual Private Cloud
VPN Connection Configuration
! AWS utilizes unique identifiers to manipulate the configuration of
! a VPN Connection. Each VPN Connection is assigned an identifier and is
! associated with two other identifiers, namely the
! Customer Gateway Identifier and Virtual Private Gateway Identifier.
! Your VPN Connection ID : vpn-08d141c3fd6b51b71
! Your Virtual Private Gateway ID : vgw-016ad674953b130da
! Your Customer Gateway ID : cgw-033891c118beab950
! This configuration consists of two tunnels. Both tunnels must be configured on your Customer Gateway, but only one of those tunnels should be up at any given time.
! Note that Mikrotik RouterOs does not support Active/Active or Active/Standby setup with AWS hosted VPN solution.
! At this time this configuration has only been tested for RouterOS 6.36, but may work with other versions.
! This configuration uses the Winbox utility to configure the IPsec VPN connection. Winbox is a small utility that allows administration of Mikrotik RouterOS using a fast and simple GUI.
! You can download this utility from: https://mikrotik.com/download
! IPSec Tunnel #1
! #1: IPSec Proposal Configuration
!
! An IPsec proposal defines the IPsec parameters for encryption, authentication, Diffie-Hellman, and lifetime.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH
! groups like 2, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
Go to IP Tab --> IPsec --> Proposals
a. Click on "+" button
b. Name: ipsec-vpn-08d141c3fd6b51b71-0
c. Auth. Algorithms: sha1
d. Encr. Algorithms: aes-128-cbc
e. Lifetime: 01:00:00
f. PFS Group: modp1024
g. Select Apply and Ok
!---------------------------------------------------------------------------------
! #2: Internet Key Exchange
!
! A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman, lifetime,
! and key parameters. The IKE peer is configured with the supported IKE encryption, authentication, Diffie-Hellman, lifetime, and key
! parameters.Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH
! groups like 2, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT). To
! ensure that NAT traversal (NAT-T) can function, you must use the corresponding IP as the "Local Address".
! Create an IKE policy permitting traffic from your local subnet to the VPC subnet.
Go to IP Tab --> IPsec --> Policies
- Click on "+" button and select the General Tab
a. Src. Address: local subnet/mask
b. Dst. Address: AWS VPC subnet/mask
2) Click on Action Tab
a. Select Tunnel
b. SA Src. Address: our-public-ip
c. SA Dst. Address: 18.184.46.8
d. Proposal: ipsec-vpn-08d141c3fd6b51b71-0
e. Select Apply and Ok
! Create an IKE policy permitting traffic from the Inside IP associated with your Customer Gateway to the inside IP associated with the Virtual Private Gateway.
Go to IP Tab --> IPsec --> Policies
3) Click on "+" button and select the General Tab
a. Src. Address: 169.254.43.50
b. Dst. Address: 169.254.43.49
4) Click on Action Tab
a. Select Tunnel
b. SA Src. Address: our-public-ip
c. SA Dst. Address: 18.184.46.8
d. Proposal: ipsec-vpn-08d141c3fd6b51b71-0
e. Select Apply and Ok
Go to IP Tab --> IPsec --> Peers
5) Click on "+" button
a. Address: 18.184.46.8
b. Local Address: our-public-ip
c. Secret: AIKdxv0HYlJJZO8IvT1o2KblazaMsG5v
d. Hash Algorith: sha1
e. Encryption Algorithm: aes-128
d. DH Group: modp1024
f. Lifetime: 08:00:00
g. DPD Interval: 10
h. DPD Maximum Failures: 3
i. Select Apply and Ok
! ----------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
Go to IP Tab --> Addresses
a. Click on "+" button
b. Address: 169.254.43.50/30
b. Interface: Select the WAN/Outside interface
c. Select Apply and Ok
! ----------------------------------------------------------------------------
! #4 Static Route Configuration
!
! Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
! An example for a VPC with a subnet/mask of 10.0.0.0/16 is provided below:
Go to IP Tab --> Routes
a. Click on "+" button and select the General Tab
b. Dst. Address: 10.0.0.0/16
c. Gateway: 169.254.43.49
d. Select Apply and Ok
! ----------------------------------------------------------------------------
! #5: NAT Exemption
!
! If you are performing NAT on your Customer Gateway, you may have to add a nat exemption rule to permit traffic from your local subnet to the VPC subnet and vice versa.
! This example rule permits all traffic from the local subnet to the VPC subnet.
Go to IP Tab --> Firewall --> NAT
- Click on "+" button and select the General Tab
a. Chain: srcnat
b. Src. Address: local subnet/mask
c. Dst. Address: AWS VPC subnet/mask
2) Click on Action Tab
a. Action = accept
b. Select Apply and Ok
! Similarly, create a firewall rule permitting traffic from the Inside IP associated with your Customer Gateway to the IP associated with the Virtual Private Gateway.
3) Click on "+" button and select the General Tab
a. Chain: srcnat
b. Src. Address: 169.254.43.50
c. Dst. Address: 169.254.43.49
4) Click on Action Tab
a. Action = accept
b. Select Apply and Ok
! Note that there may be multiple firewall rules configured on your Customer Gateway. These rules may be conflicting with the nat exemption rule.
! It is recommended to position the nat exemption rules such that they are evaluated in an order before any other conflicting policy.
! IPSec Tunnel #2
! #1: IPSec Proposal Configuration
!
! An IPsec proposal defines the IPsec parameters for encryption, authentication, Diffie-Hellman, and lifetime.
! Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH
! groups like 2, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
Go to IP Tab --> IPsec --> Proposals
a. Click on "+" button
b. Name: ipsec-vpn-08d141c3fd6b51b71-1
c. Auth. Algorithms: sha1
d. Encr. Algorithms: aes-128-cbc
e. Lifetime: 01:00:00
f. PFS Group: modp1024
g. Select Apply and Ok
!---------------------------------------------------------------------------------
! #2: Internet Key Exchange
!
! A policy is established for the supported ISAKMP encryption, authentication, Diffie-Hellman, lifetime,
! and key parameters. The IKE peer is configured with the supported IKE encryption, authentication, Diffie-Hellman, lifetime, and key
! parameters.Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
! Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
! You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH
! groups like 2, 14-18, 22, 23, and 24.
! Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
! The address of the external interface for your customer gateway must be a static address.
! Your customer gateway may reside behind a device performing network address translation (NAT). To
! ensure that NAT traversal (NAT-T) can function, you must use the corresponding IP as the "Local Address".
! Create an IKE policy permitting traffic from your local subnet to the VPC subnet.
Go to IP Tab --> IPsec --> Policies
- Click on "+" button and select the General Tab
a. Src. Address: local subnet/mask
b. Dst. Address: AWS VPC subnet/mask
2) Click on Action Tab
a. Select Tunnel
b. SA Src. Address: our-public-ip
c. SA Dst. Address: 18.195.152.6
d. Proposal: ipsec-vpn-08d141c3fd6b51b71-1
e. Select Apply and Ok
! Create an IKE policy permitting traffic from the Inside IP associated with your Customer Gateway to the inside IP associated with the Virtual Private Gateway.
Go to IP Tab --> IPsec --> Policies
3) Click on "+" button and select the General Tab
a. Src. Address: 169.254.43.146
b. Dst. Address: 169.254.43.145
4) Click on Action Tab
a. Select Tunnel
b. SA Src. Address: our-public-ip
c. SA Dst. Address: 18.195.152.6
d. Proposal: ipsec-vpn-08d141c3fd6b51b71-1
e. Select Apply and Ok
Go to IP Tab --> IPsec --> Peers
5) Click on "+" button
a. Address: 18.195.152.6
b. Local Address: our-public-ip
c. Secret: eSNn_G1dBp6NJxf5zEO5sm77GCxSIBku
d. Hash Algorith: sha1
e. Encryption Algorithm: aes-128
d. DH Group: modp1024
f. Lifetime: 08:00:00
g. DPD Interval: 10
h. DPD Maximum Failures: 3
i. Select Apply and Ok
! ----------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
!
! A tunnel interface is configured to be the logical interface associated
! with the tunnel. All traffic routed to the tunnel interface will be
! encrypted and transmitted to the VPC. Similarly, traffic from the VPC
! will be logically received on this interface.
! The address of the interface is configured with the setup for your
! Customer Gateway. If the address changes, the Customer Gateway and VPN
! Connection must be recreated with Amazon VPC.
Go to IP Tab --> Addresses
a. Click on "+" button
b. Address: 169.254.43.146/30
b. Interface: Select the WAN/Outside interface
c. Select Apply and Ok
! ----------------------------------------------------------------------------
! #4 Static Route Configuration
!
! Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
! An example for a VPC with a subnet/mask of 10.0.0.0/16 is provided below:
Go to IP Tab --> Routes
a. Click on "+" button and select the General Tab
b. Dst. Address: 10.0.0.0/16
c. Gateway: 169.254.43.145
d. Select Apply and Ok
! ----------------------------------------------------------------------------
! #5: NAT Exemption
!
! If you are performing NAT on your Customer Gateway, you may have to add a nat exemption rule to permit traffic from your local subnet to the VPC subnet and vice versa.
! This example rule permits all traffic from the local subnet to the VPC subnet.
Go to IP Tab --> Firewall --> NAT
- Click on "+" button and select the General Tab
a. Chain: srcnat
b. Src. Address: local subnet/mask
c. Dst. Address: AWS VPC subnet/mask
2) Click on Action Tab
a. Action = accept
b. Select Apply and Ok
! Similarly, create a firewall rule permitting traffic from the Inside IP associated with your Customer Gateway to the IP associated with the Virtual Private Gateway.
3) Click on "+" button and select the General Tab
a. Chain: srcnat
b. Src. Address: 169.254.43.146
c. Dst. Address: 169.254.43.145
4) Click on Action Tab
a. Action = accept
b. Select Apply and Ok