I am running CHR with 6.49.6 software installed.
At the moment I am trying to implement an IPsec connection to AWS.
My LAN network: 192.168.7.0/24
AWS side network: 10.0.0.0/22
Tunnel networks are: 169.254.153.72/30, 169.254.158.28/30
AWS side WAN IPs: 3.69.17.65, 3.124.181.121
My IP is: A.B.C.D
The task is to configure two VPNs to AWS as it should be.
First of all I would like to say that AWS Support gave info that the IPsec policy should be 0.0.0.0/0 <-> 0.0.0.0/0 in order to cover the Transform Set (TS) for LAN to LAN and Tunnel network communication.
The reason for that is: AWS supports only one TS per VPN and there is no way to use two TS.
At the moment I am using the following configuration, which works for LAN to LAN communication:
/ip address
add address=192.168.7.1/24 interface=ether2 network=192.168.7.0
add address=A.B.C.D/28 interface=ether1 network=A.B.C.E
add address=192.168.7.254 comment="LAN GW" interface=vrrp7 network=192.168.7.254
add address=169.254.153.74/30 interface=ether1 network=169.254.153.72
add address=169.254.158.30/30 interface=ether1 network=169.254.158.28
/ip firewall nat
add action=accept chain=srcnat comment="No NAT for VPN networks" dst-address=169.254.153.73 log=yes src-address=169.254.153.74
add action=accept chain=srcnat dst-address=169.254.158.29 log=yes src-address=169.254.158.30
add action=accept chain=srcnat dst-address=10.0.0.0/22 src-address=192.168.7.0/24
add action=src-nat chain=srcnat comment="LAN outside NAT to VRRP IP A.B.C.D" ipsec-policy=out,none out-interface=ether1 src-address=192.168.7.0/24 to-addresses=A.B.C.D
/ip ipsec policy group
add name=aws
/ip ipsec profile
add dh-group=modp2048 dpd-interval=10s dpd-maximum-failures=3 enc-algorithm=aes-256 hash-algorithm=sha256 lifetime=8h name=profile-aws-vpn nat-traversal=no prf-algorithm=sha256
/ip ipsec peer
add address=3.124.181.121/32 exchange-mode=ike2 local-address=A.B.C.D name=aws-tunnel-2 profile=profile-aws-vpn
add address=3.69.17.65/32 exchange-mode=ike2 local-address=A.B.C.D name=aws-tunnel-1 profile=profile-aws-vpn
/ip ipsec proposal
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=1h name=ipsec-aws-vpn pfs-group=modp2048
/routing bgp instance
set default as=65000 router-id=169.254.153.74
/ip ipsec identity
add peer=aws-tunnel-1 policy-template-group=aws secret=<secret1>
add peer=aws-tunnel-2 policy-template-group=aws secret=<secret2>
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
add dst-address=169.254.153.72/30 peer=aws-tunnel-1 proposal=ipsec-aws-vpn src-address=169.254.153.74/32 tunnel=yes
add dst-address=10.0.0.0/22 peer=aws-tunnel-1 proposal=ipsec-aws-vpn src-address=192.168.7.0/24 tunnel=yes
add dst-address=169.254.158.28/30 peer=aws-tunnel-2 proposal=ipsec-aws-vpn src-address=169.254.158.30/32 tunnel=yes
add dst-address=10.0.0.0/22 peer=aws-tunnel-2 proposal=ipsec-aws-vpn src-address=192.168.7.0/24 tunnel=yes
/routing bgp network
add network=192.168.7.0/24
/routing bgp peer
add hold-time=30s keepalive-time=10s name=BGP-vpn-04037c036d133df8d-0 remote-address=169.254.153.73
add hold-time=30s keepalive-time=10s name=BGP-vpn-04037c036d133df8d-1 remote-address=169.254.158.29
Tunnel IPsec works with no phase 2 (the logs show wrong TS errors).
And the second tunnel, 192.168.7.0/24 <> 10.0.0.0/22, is inactive.
The question is:
how to change this configuration to use a 0.0.0.0/0 <> 0.0.0.0/0 IPsec policy?
When I add such a policy, the router becomes inaccessible.
The 0.0.0.0/0 variant is as follows:
/ip ipsec policy
add action=none dst-address=192.168.7.0/24 src-address=0.0.0.0/0
add action=none dst-address=0.0.0.0/0 src-address=169.254.153.72/30
add disabled=yes dst-address=0.0.0.0/0 peer=aws-tunnel-1 proposal=ipsec-aws-vpn src-address=0.0.0.0/0 tunnel=yes
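As an added illustration (not code from the original post or from MikroTik), the Python model below replays the poster's 0.0.0.0/0 policy list under top-down first-match evaluation of the policy table, which is how RouterOS walks /ip ipsec policy, and shows which flows an enabled catch-all policy would pull into the tunnel. The router WAN stand-in 203.0.113.10 (for A.B.C.D), the admin host 198.51.100.7 and the management exemption placed ahead of the catch-all are assumptions, not part of the original configuration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Policy:
    """One /ip ipsec policy entry: selectors plus action (RouterOS default is encrypt)."""
    src: str
    dst: str
    action: str = "encrypt"
    peer: str = ""
    disabled: bool = False

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))

def select_policy(policies, src_ip, dst_ip):
    """Top-down, first enabled match wins; None means the packet is routed in the clear."""
    for p in policies:
        if not p.disabled and p.matches(src_ip, dst_ip):
            return p
    return None

def classify(policies, flows):
    """Map each (src, dst) flow to the action the ordered policy list applies to it."""
    result = {}
    for src, dst in flows:
        p = select_policy(policies, src, dst)
        result[(src, dst)] = p.action if p else "plain"
    return result

ROUTER_WAN = "203.0.113.10"  # constructed stand-in for the poster's A.B.C.D
ADMIN_HOST = "198.51.100.7"  # constructed remote management host

# The poster's 0.0.0.0/0 variant, with the catch-all enabled so its effect is visible.
CATCH_ALL = [
    Policy("0.0.0.0/0", "192.168.7.0/24", action="none"),
    Policy("169.254.153.72/30", "0.0.0.0/0", action="none"),
    Policy("0.0.0.0/0", "0.0.0.0/0", peer="aws-tunnel-1"),
]
# Assumed remedy for the lockout: exempt the router's own WAN address ahead of the catch-all.
WITH_MGMT_EXEMPT = [
    Policy(ROUTER_WAN + "/32", "0.0.0.0/0", action="none"),
    Policy("0.0.0.0/0", ROUTER_WAN + "/32", action="none"),
] + CATCH_ALL
FLOWS = [
    (ROUTER_WAN, ADMIN_HOST),              # router answering a remote admin session
    ("192.168.7.10", "10.0.0.5"),          # LAN host to the AWS VPC
    ("169.254.153.74", "169.254.153.73"),  # BGP session inside tunnel 1
]
```

Run classify(CATCH_ALL, FLOWS) and classify(WITH_MGMT_EXEMPT, FLOWS) to compare: with the catch-all alone the router's own reply to the admin host is selected for encryption, which matches the lockout described above, while the second action=none entry also catches the 169.254.153.72/30 BGP traffic and leaves it unprotected under this ordering.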