Summary: How to setup a managed VPN into VPN.
Date: Around 2018
Refactor: 20 February 2025: Checked links and formatting.

This page shows some guidance in creating an AWS managed VPN. While configuring this I found the documentation sometimes lacking in information so that's why I created my own, including some troubleshooting and information on using BGP as well as static routing.

Note that this howto is about the amazon part. It does not cover the VPN setup in the on-premise datacenter.

Before you can create a VPN you first need to create a VPC and modify some standard network settings.

Create the VPC:

• Create VPC
  • Name tag: vpn
  • IPv4 CIDR block: 10.125.1.0/24
    • If you will use an AWS network with multiple VPCs (or accounts) you should not use the entire /16 or /8 network that you will use for AWS.
  • No IPv6
  • Tenancy: Default

Create a Subnet:

• Create Subnet
  • Name tag: vpn
  • VPC: vpc-123456789abcdef (name tag: vpn)
  • Availability Zone: No Preference
  • IPv4 CIDR block: 10.125.1.0/24

Modify the security group to allow for ping, http, https, ssh and rdp:

• Update VPC Security Group
  • Set Name tag: vpn
  • Inbound Rules:
    • Allow:
      • HTTP/HTTPS/SSH/RDP from source 0.0.0.0/0
      • ICMP from source 0.0.0.0/0

Note that allowing these ports from all ip addresses is considered bad practice, even when it's not internet facing.

The thing with creating an AWS managed VPN is there are actually two parts. First you configure the amazon part on which you need some information about the on premise environment:

• Public IP Address Primary On Premise VPN Router: 100.100.100.100
• Public IP Address Secondary On Premise VPN Router: 200.200.200.200
• BGP ASN number: 64601
• AWS network: 10.125.0.0/16
  • Watch out: If you will use an AWS network with multiple VPCs (or accounts) you should not use the entire /16 network within your vpn vpc.

Note that the secondary On Premise VPN connection is not required to have a working VPN but if you'll use AWS for a longer period and for production you'll need a secondary connection in case of an emergency.

• For Name, type a name for your customer gateway. Doing so creates a tag with a key of Name and the value that you specify.
  • vpnprimary
• For dynamic routing, for BGP ASN, type the Border Gateway Protocol (BGP) Autonomous System Number (ASN)
  • 64601
• For IP Address, type the static, internet-routable IP address for your customer gateway device. If your customer gateway is behind a NAT device that's enabled for NAT-T, use the public IP address of the NAT device.
  • 100.100.100.100

You have to repeat these steps for each customer gateway (primary and seconday). Note that the BGP ASN will (usually) be the same for both locations

• In the navigation pane, choose Virtual Private Gateways, Create Virtual Private Gateway.
• Type a name for your virtual private gateway. Doing so creates a tag with a key of Name and the value that you specify.
  • vpngateway
• For ASN, keep the default and it will create one.
  • Write down the number for future reference: 64513
• Choose Create Virtual Private Gateway.
• Select the virtual private gateway that you created, and then choose Actions, Attach to VPC.
• Select your VPC from the list and choose Yes, Attach.

You only have to do this once

• In the navigation pane, choose Route Tables, and then select the route table that's associated with the subnet; by default, this is the main route table for the VPC.
• On the Route Propagation tab in the details pane, choose Edit, select the virtual private gateway that you created in the previous procedure, and then choose Save.

For static routing you must manually enter the static routes used by your VPN connection. To do this, select your route table, choose Routes, Edit.

• For Destination, add the static route used by your VPN connection.
  • These are the On Premise Networks that are being used, for example:
    • 172.30.32.0/20
    • 10.0.0.0/8
• For Target, select the virtual private gateway ID, and choose Save.

You only have to do this once

• In the navigation pane, choose VPN Connections, Create VPN Connection.
• Complete the following information, and then choose Create VPN Connection:
• For Name tag, type a name for your VPN connection. Doing so creates a tag with a key of Name and the value that you specify.
  • vpnprimary
• Select the virtual private gateway that you created earlier.
• Select the customer gateway that you created earlier.
• Select one of the routing options based on whether your VPN router supports Border Gateway Protocol (BGP):
• Choose Dynamic (requires BGP)
• Under Tunnel Options,keep the default to have amazon create the subnets and pre shared keys
• It may take a few minutes to create the VPN connection.

You have to do this for each VPN connection (Primary and Secondary)

If your VPN router does not support BGP, choose Static. For Static IP Prefixes, specify each IP prefix for the private network of your VPN connection.

• These are the On Premise Networks that are being used, for example:
  • 172.30.32.0/20
  • 10.0.0.0/8

This is not the route table, this is to tell the VPN which networks are allowed over the VPN. If a network is not listed the packets for these networks will be dropped.

For your network team to create the tunnels and the vpn they need quite some information. To provide all the correct information follow these steps:

• When the VPN is ready select the connection and choose Download Configuration.
• In the Download Configuration dialog box, select the vendor, platform, and software that corresponds to your customer gateway device or software, and then choose Yes, Download. For example:
  • Cisco Systems, Inc
  • ISR Series Routers
  • IOS 12.4+

Download the two files and provide them to your network team.

You should create an AWS Linux AMI 2 Instance within the VPC. Make sure it has the correct security group. After starting it it should get an IP address which you can ping.

In case the instance does not work you could make it reachable over the internet:

• Create another instance with an public IP address
• Make sure it uses the security group (for ping and ssh access)
• Create Internet gateway, attach to VPC, create route table (0.0.0.0/0 dest. igw)
• Now you can access the Instance using putty (see resources for more information)

Keep these things in mind:

• Switching from one tunnel to another is really fast. Missing a ping should be considered as exceptional. Most of the times it will not even notice.
• The AWS console has a delay. Sometimes it can take up to a minute to display the correct status

By doing a traceroute you can see which tunnel is being used. You can do a ping to any instance in AWS. If you do a traceroute it will show the Inside IP address of the tunnel on the on premise side. If you found that you can look into the tunnel settings in the VPN connection.

Again, by doing a traceroute you can check if the AWS network is being properly propagated to the on premise network. The trace will stop on the last address before the inside IP address of the tunnel on the on premise side. That means that the on premise network does not know the exact route. This mostly is caused that the route propagation is not being accepted on the on premise side.

If the on premise network is not properly propagating the networks it will show in the VPN Connections a few things differently than normal. The Status will show as DOWN and Details will show as “IPSEC UP”.

https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario4.html
https://docs.aws.amazon.com/vpc/latest/userguide/SetUpVPNConnections.html
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EC2_GetStarted.html?icmpid=docs_ec2_console
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/putty.html