Site-to-Site VPN with Amazon Web Services

Available Languages

Updated:August 13, 2020
Document ID:1597272321864307

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Objective

The objective of this article is to guide you through setting up a Site-to-Site VPN between Cisco RV Series routers and Amazon Web Services.

Applicable Devices | Software Version

Introduction

A Site-to-Site VPN allows a connection to two or more networks, which gives businesses and general users the ability to connect to different networks. Amazon Web Services (AWS) provides many on demand cloud computing platforms including site to site VPNS that allow you to access your AWS platforms. This guide will help you configure the site to site VPN on both the RV16X, RV26X, RV34X router to the Amazon Web Services.

The two parts are as follows:

Setting up Site-to-Site VPN on Amazon Web Services

Setting up Site-to-Site VPN on an RV16X/RV26X, RV34X Router


Setting up a Site-to-Site VPN on Amazon Web Services

Step 1

Create a new VPC, defining an IPv4 CIDR block, in which we will later define the LAN used as our AWS LAN. Select Create.

A screen shot of the Create VPC page with Name Tag as step one and IPV4 CIDR Block as step two.

Step 2

When creating the subnet, ensure that you have selected the VPC created previously. Define a subnet within the existing /16 network created previously. In this example, 172.16.10.0/24 is used.

A screen shot of the Create Subnet with VPC as step one and IPV4 CIDR Block as step two.

Step 3

Create a Customer Gateway, defining the IP Address as the Public IP Address of your Cisco RV Router.

Screen shot of Create Customer Gateway with Name highlighted as step one and IP address as step 2.

Step 4

Create a Virtual Private Gateway – creating a Name tag to help identify later.

Screen Shot of Virtual Private Gateway with Name tag as step 1 and highlighted in green.

Step 5

Attach the Virtual Private Gateway to the VPC created previously.

Screen shot of attach to VPC page. VPC field is in a green box and is marked as step 1.

step 6

Create a new VPN Connection, selecting the Target Gateway Type Virtual Private Gateway. Associate the VPN Connection with the Virtual Private Gateway created previously.

Create VPN connection page, Target Gateway Type, which is step one, is highlighted in a green box with Virtual Private Gateway selected. Virtual Private Gateway is step 2 and shows the VPC that had been created in prior steps.

Step 7

Select Existing Customer Gateway. Select the Customer Gateway created previously.

Customer Gateway is Highlighted in a green box with the option of Existing highlighted and outlined as step one. Customer Gateway is outlined as step two and depicts the customer gateway that was created in previous steps.

Step 8

For Routing Options, ensure to select Static. Enter any IP Prefixes including CIDR notation for any remote networks you expect to traverse the VPN. [These are the networks that exist on your Cisco Router.]

Routing Options is highlighted in a green box with static selected. Static IP prefixes is chosen as step two.

Step 9

We will not cover any of the Tunnel Options in this guide - select Create VPN Connection.

This is a screenshot of the tunnel options of which remain untouched and with the default configurations. The Create VPN Connection button is highlighted to bring to action to go ahead and continue.

Step 10

Create a Route Table and associate the VPC created previously. Press Create.

Screen Shot of Create Route Table page with Name Tag as step 1 and VPC as step 2.

Step 11

Select the Route Table created previously. From the Subnet Associations tab, choose Edit subnet associations.

Screen shot of the select route part of the page. The route that has to be selected is highlighted in a green box and outlined as step one. Edit Subnet associations button is highlighted as step 2 and depicted in a green box.

Step 12

From the Edit subnet associations page, select the subnet created previously. Select the Route Table created previously. Then select save.

Screenshot of the Edit Subnet Associations. Subnet ID is higlighted in a greenbox and is marked as step one. Save button is highlighted in a green box.

Step 13

From the Route Propagation tab, choose Edit route propagation.

Route table ID are is highlighted in a green box and marked as step one. The Rout Propagation tab below is highlighted of which is followed by the Edit Route Propagation button, of which is marked as step two.

Step 14

Select the Virtual Private Gateway created previously.

Screen Shot of the Edit Route propagation section. Next to the area marked a route propagation, under Virtual Private Gateway (VPG), the VPG created prior to this step is higlighted and marked as step one. The save button is highlighted in a green box.

Step 15

From VPC > Security Groups, ensure that you have a policy created to allow the desired traffic.

Note: In this example, we are using a source of 10.0.10.0/24 – which corresponds to the subnet in use on our example RV router.

Screen Shot of the Edit inbound Rules page. The traffic type is higlighted in a green box. Marked as step one is the field where the user would enter the desired traffic IP and subnet they would like to allow.

Step 16

Select the VPN Connection that you have created previously and choose Download Configuration.

Screen shot of area where VPN connection that was created can be found. The VPN connection created is highlighted in a green box and the Download configuration button is also in a green box.

Setting up Site-to-Site on an RV16X/RV26X, RV34X Router

Step 1

Log in to the router using valid credentials.

Router Login Page, with Userame, Password and Login highlighted. Numbered steps included to follow the format of which details would be entered.

Step 2

Navigate to VPN > Ipsec Profiles. This will take you to the Ipsec profile page, press the add icon (+).

The IPSEC Profile Page with the Menu options visible. VPN is step one, with IPSEC Profiles option highlighted as step two. The small plus button on the upper left side of the IPSEC Profiles table is highlighted and marked as step 3.

Step 3

We will now create our IPSEC profile. When creating the IPsec Profile on your Small Business router, ensure that DH Group 2 is selected for Phase 1.

Note: AWS will support lower levels of encryption and authentication – in this example, AES-256 and SHA2-256 are used.

Screen shot of the Add/Edit a New IPSec Profile page, with the profile name and options highlighted in green boxes.

Step 4

Ensure that your Phase two options match those made in phase one. For AWS DH Group 2 must be used.

Screen shot of the Phase II options on the Add/Edit a New IPSec Profile page, options highlighted in green boxes.

Step 5

Press Apply and you will be navigated to the IPSEC page, be sure to press Apply once again.

Screen shot of the IPSEC profiles page with the apply button highlighted in green

Step 6

Navigate to VPN< Client to site and on the client to site page press the plus icon (+).

The Site to Site Page with the Menu options visible. VPN is step one, with Site to Site option highlighted as step two. The small plus button on the upper left side of the Site to site Profiles table is highlighted and marked as step 3.

Step 7

When creating the IPsec Site-to-Site Connection, ensure to select the IPsec Profile created in the previous steps. Use the Remote Endpoint type of Static IP and enter the address provided in the exported AWS configuration. Enter the Pre-Shared Key provided in the exported configuration from AWS.

The Add and edit a new connection page along side the IPSEC configuration made from the AWS configuration. On the Cisco router side of the screenshot, The ipsec profile is highlighted as step one. The remote end point and pre-shared key are marked as step two and three respectively to match the AWS screenshot. The tunnel Group and password are highlighted as step two and three.

Step 8

Enter the Local Identifier for your Small Business router – this entry should match the Customer Gateway created in AWS. Enter the IP Address and Subnet Mask for your Small Business router – this entry should match the Static IP Prefix added to the VPN Connection in AWS. Enter the IP Address and Subnet Mask for your Small Business router – this entry should match the Static IP Prefix added to the VPN Connection in AWS.

Screenshot of the Local Group Setup. Local identifier is marked as step one and the IP address is marked as step 2.

Step 9

Enter the Remote Identifier for your AWS connection – this will be listed under Tunnel Details of the AWS Site-to-Site VPN Connection . Enter the IP Address and Subnet Mask for your AWS connection – which was defined during the AWS configuration. Then press Apply .

Screen Shot of Remote Group Setup section. Remote Identifier is marked as step one and highlighted in a green box. IP address and Subnet mask are marked as step two and are both highlighted in a green box.

Step 10

Once on the Ip Site to Site page press Apply.

Screenshot of Site to Site page with Apply Button highlighted in green.

Conclusion

You have now successfully created a Site to Site VPN between your RV series router and your AWS. For community discussions on Site-to-Site VPN, go to the Cisco Small Business Support Community page and do a search for Site-to-Site VPN.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco