2. VPN Tunnel Configuration File

Download the VPN configuration file from Amazon and fill it in with your Orka network configuration.

You need:

  • The name Outside from your IP Plan.
  • The IP address for the Private-1 network from your IP Plan.
  • The subnet mask for the Private-1 network from your IP Plan.
  • The IPv4 address of your Amazon VPC.
  • The subnet mask for your Amazon VPC, converted from its CIDR notation (e.g., 255.255.0.0 instead of /16).

After you have created your VPN tunnel in Amazon, you need to configure your Cisco firewall to recognize the connection and let traffic into your Orka cluster.

Amazon provides a semi-prefilled configuration file with very detailed instructions. First, you need to download the configuration file and provide the missing information indicated by placeholders. Next, you'll need to feed the configuration into your Cisco ASAv to complete the setup.

Step 1: Download the file from Amazon

  1. Verify that you are logged in to your AWS Management Console and that you are working in the correct region.
  2. Verify that you have created a tunnel in Amazon.
  3. Navigate to your VPC service. In the VPC service sidebar, locate the Virtual Private Network menu and select Site-to-Site VPN Connections.
  4. In the list, select your newly created VPN connection and click Download Configuration.
  5. Fill in the form and click Download.
    1. For Vendor, select Cisco Systems, Inc.
    2. For Platform, select ASA 5500 Series.
    3. For Software, select ASA 9.x for a policy-based VPN OR ASA 9.7 + VTI for a route-based VPN.

Step 2: Fill in the configuration file

CAUTION

Unless you have extensive experience with AWS and ASAv configurations, follow the instructions in the configuration file to the letter. Otherwise, your site-to-site VPN might not work as expected.

  1. Open the configuration file in a text editor.
  2. Replace all placeholders with their respective values.

     Placeholder: <outside_interface>
       Value: Outside
       Description: The name of the outside interface of your Cisco ASAv device (the Outside network).
       More information: The IP Plan

     Placeholder: <outside_access_in>
       Value: (Sample) outside_access_in
       Description: Any unique name. This will be the name for the access control list that permits the creation of the tunnel and the traffic over it.
       More information: Cisco Documentation: Cisco Access Control Lists

     Placeholder: <vpc_subnet>
       Value: (Sample) 192.168.0.0
       Description: The IPv4 address of your Amazon VPC (without the subnet mask bit notation).
       More information: You can get this value by selecting your VPC in AWS > VPC dashboard and checking the Details at the bottom of the screen.

     Placeholder: <vpc_subnet_mask>
       Value: (Sample) 255.255.0.0
       Description: The subnet mask for your Amazon VPC, converted from its CIDR notation.
       More information: You can get this value by selecting your VPC in AWS > VPC dashboard and checking the Description at the bottom of the screen. You need to convert the subnet mask bit notation to the correct subnet mask (e.g., the /16 notation converts to a 255.255.0.0 subnet mask).

     Placeholder: <amzn_vpn_map>
       Value: (Sample) amzn_vpn_map
       Description: Any unique name for the crypto map. It must not already be in use by any other crypto map you might have configured.
       More information: Cisco Documentation: Configuring Crypto Maps

     Placeholder: <sla_monitor_address>
       Value: (Sample) 192.168.0.1
       Description: An IP address in your Amazon VPC that can serve as an SLA monitor target, keeping the site-to-site tunnel alive.
       More information: You can set this to the <vpc_subnet> address plus one.

     Placeholder: <local_subnet>
       Value: 10.221.188.0
       Description: The IP address for the Private-1 network.
       More information: The IP Plan

     Placeholder: <local_subnet_mask>
       Value: 255.255.255.0
       Description: The subnet mask for the Private-1 network.
       More information: The IP Plan

  3. Uncomment the following lines. To uncomment, remove the ! at the start of the line.
    • access-list amzn-filter extended permit ip ...
    • The object- and nat-related configuration at the end of the config file.
  4. Keep the following lines. They ensure the SLA monitor works as expected.

     object network obj-SrcNet
       subnet 0.0.0.0 0.0.0.0

     Note that, based on your network configuration and requirements, you can modify the subnet line to map to the subnet and the subnet mask for the Private-1 network from your IP Plan. If you choose to modify this line, do not configure the <sla_monitor_address> value.

  5. Change nat (inside,outside) to nat (Private-1,Outside).
  6. (Optional) Delete the remaining commented lines to clean up the file. Commented lines are indicated by ! at the beginning of the line.
  7. Save your changes.
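The edits in Step 2 are mechanical and easy to get wrong by hand (a mask left in /16 form, a placeholder missed, the wrong nat interface pair), so the script below performs them from the IP plan values and reports anything left unfilled. This is an added example, not part of the original page or of MacStadium's or Amazon's tooling: the placeholder names are the ones listed above, but the embedded sample configuration is constructed for illustration and is only shaped like the Amazon download, not a copy of it. Which commented lines count as "object- and nat-related" is an assumption encoded in UNCOMMENT_PREFIXES; check the result against the real file before loading it on the ASAv.

```python
"""Fill the Amazon-supplied ASA VPN configuration from IP plan values.

Added example (not MacStadium or Amazon code). Automates Step 2: placeholder
substitution, CIDR-to-netmask conversion, uncommenting the amzn-filter ACL and
the object-/nat-related lines, renaming the nat interface pair, optionally
dropping leftover comments, and checking that no placeholder remains.
"""
import ipaddress
import re

PLACEHOLDER_RE = re.compile(r"<[a-z_]+>")

# Assumption: a commented line (leading "!") whose content starts with one of
# these prefixes is one the page tells you to uncomment.
UNCOMMENT_PREFIXES = ("access-list amzn-filter", "object network", "subnet ", "nat (")

# Constructed sample in the shape of the downloaded file; not the real download.
SAMPLE_CONFIG = """\
! Amazon Web Services
! Virtual Private Cloud VPN configuration (constructed sample)
!
crypto map <amzn_vpn_map> 1 match address acl-amzn
crypto map <amzn_vpn_map> interface <outside_interface>
access-list <outside_access_in> extended permit ip <vpc_subnet> <vpc_subnet_mask> <local_subnet> <local_subnet_mask>
!access-list amzn-filter extended permit ip <vpc_subnet> <vpc_subnet_mask> <local_subnet> <local_subnet_mask>
sla monitor 1
 type echo protocol ipIcmpEcho <sla_monitor_address> interface <outside_interface>
!object network obj-SrcNet
!  subnet 0.0.0.0 0.0.0.0
!object network obj-amzn
!  subnet <vpc_subnet> <vpc_subnet_mask>
!nat (inside,outside) source static obj-SrcNet obj-SrcNet destination static obj-amzn obj-amzn
"""


def cidr_to_mask(prefix_len: int) -> str:
    """Convert a prefix length such as 16 into a dotted mask such as 255.255.0.0."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix_len}").netmask)


def build_values(vpc_cidr: str, local_cidr: str, outside_interface: str = "Outside",
                 acl_name: str = "outside_access_in", crypto_map: str = "amzn_vpn_map") -> dict:
    """Derive every placeholder value from the VPC and Private-1 subnets in CIDR form."""
    vpc = ipaddress.IPv4Network(vpc_cidr, strict=True)      # strict: host bits must be zero
    local = ipaddress.IPv4Network(local_cidr, strict=True)
    return {
        "<outside_interface>": outside_interface,
        "<outside_access_in>": acl_name,
        "<amzn_vpn_map>": crypto_map,
        "<vpc_subnet>": str(vpc.network_address),
        "<vpc_subnet_mask>": str(vpc.netmask),
        # The page suggests the VPC address plus one as the SLA monitor target.
        "<sla_monitor_address>": str(vpc.network_address + 1),
        "<local_subnet>": str(local.network_address),
        "<local_subnet_mask>": str(local.netmask),
    }


def fill_config(text: str, values: dict, nat_from: str = "nat (inside,outside)",
                nat_to: str = "nat (Private-1,Outside)", strip_comments: bool = False) -> str:
    """Apply the Step 2 edits line by line and return the completed configuration."""
    out = []
    for line in text.splitlines():
        if line.startswith("!"):
            body = line[1:]
            if body.lstrip().startswith(UNCOMMENT_PREFIXES):
                line = body                      # uncomment: drop the leading "!"
            elif strip_comments:
                continue                         # optional clean-up of remaining comments
        for placeholder, value in values.items():
            line = line.replace(placeholder, value)
        line = line.replace(nat_from, nat_to)    # nat (inside,outside) -> nat (Private-1,Outside)
        out.append(line)
    return "\n".join(out) + "\n"


def remaining_placeholders(text: str) -> list:
    """Return the sorted set of <placeholder> tokens still present (should be empty)."""
    return sorted(set(PLACEHOLDER_RE.findall(text)))


if __name__ == "__main__":
    vals = build_values("192.168.0.0/16", "10.221.188.0/24")
    result = fill_config(SAMPLE_CONFIG, vals, strip_comments=True)
    print(result)
    print("unfilled:", remaining_placeholders(result))
```

Feed the script the real downloaded file instead of SAMPLE_CONFIG, then diff its output against the original so every changed line is one you expected; the CAUTION above still applies, and any line the script uncommented that the Amazon instructions do not call for should be reverted.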

What's next

Feed the complete configuration into your Cisco ASAv.


© 2019-2023 Copyright MacStadium, Inc. – Documentation built with readme.com. Orka is a registered trademark of MacStadium, Inc.