Skip to main content

The Scenario

This document illustrates an example solution to a specific use case. In this AWS use case, a customer needs to connect certain on-prem hosts to certain EC2 instances in a VPC over an IPsec tunnel over the Internet, but the on-prem network range overlaps with the VPC CIDR range, and the requirement from the customer is that no NAT function will be performed on the customer side. In addition, traffic can be initiated from either side. The scenario is described in the following diagram: overlap_rbi 
VPC       CIDR = 10.20.0.0/20, instance-1 in VPC-1 has an IP address 10.24.1.4.
On-Prem   CIDR = 10.20.0.0/20, host-1 in On-Prem has an IP address 10.24.7.101.
The traditional solution is to build an IPsec tunnel between the two networks and use SNAT/DNAT rules to translate each addresses, as demonstrated in this example. Such a solution requires a potentially large number of SNAT/DNAT rules which is difficult to configure and maintain.

The Solution

This solution uses the “network mapped” feature in Site2Cloud which removes the need to configure individual SNAT/DNAT rules. This solution uses a Site2Cloud route-based IPsec tunnel using Virtual Tunnel Interface (VTI) between VPC and On-Prem Router. The packet flow is demonstrated as below:
  1. instance-1 sends a packet to host-1 with a virtual destination IP address, for example 192.24.7.101. From instance-1’s point of view, the destination instance is a virtual address - 192.24.7.101.
  2. When the packet arrives at the VPC-1 gateway, the gateway performs DNAT on the packet to translate the virtual destination IP address to 10.24.7.101 which is the host-1 physical IP address.
  3. The gateway at VPC then translates the packet source IP address (10.24.1.4) to a virtual source IP address (172.24.1.4).
  4. The packet then arrives at the on-prem Cisco IOS Router with a destination IP address of 10.24.7.101 and a source IP address of 172.24.1.4. From host-1’s point of view, instance-1’s address is a virtual IP address - 172.24.1.4.
  5. When host-1 sends a packet to instance-1, the destination is the virtual IP address 172.24.1.4.
  6. When the packet arrives at the VPC-1 gateway over the IPSEC tunnel, the VPC gateway translates its destination IP address from virtual address 172.24.1.4 to 10.24.1.4.
  7. The VPC gateway then translates the source IP address of the packet from 10.24.7.101 to virtual address 192.24.7.101.

The Configuration Steps

Following the Site2Cloud Workflow to Launch Gateways

In Aviatrix CoPilot, create a Transit Gateway. For the above example, a gateway is also launched in VPC/VNet-2 to emulate an on-prem environment.

Creating a Site2Cloud Tunnel

In CoPilot, go to Networking > Connectivity > External Connections (S2C) tab, and create Static Route-Based Unmapped connection.

VPC/VNet-1 gateway-1 side

For the VPC/VNet-1 gateway side, the Local Subnet field should be 192.168.0.43/32, and the Remote Subnet field should be 10.17.7.81/32, as shown below. 500

Configure On-Prem Cisco Router

On the Networking > Connectivity > External Connections (S2C) tab, click the vertical ellipsis 25 and click Download Configuration. In the Download Configuration dialog, select:
  • Cisco from the Vendor dropdown.
  • ISR, ASR, or CSR from the Platform dropdown.
  • IOS(XE) from the Software dropdown.
Click Download. Save the configuration file as a reference for configuring your Cisco IOS router. The following is a sample configuration based on the Site2Cloud configuration above. ios_config_template Either ssh into the Cisco router or connect to it directly through its console port. Apply the following IOS configuration to your router: 
! Aviatrix Site2Cloud configuration template
!
! You need to populate these values throughout the config based on your setup:
! <isakmp_policy_number1>: the isakmp policy number
! <tunnel_number1>: the IPsec tunnel interface number
! <ios_wan_interface1>: the source interface of tunnel packets
! <customer_tunnel_ip1>: any un-used IPv4 address for the tunnel interface
!                        when static routing is used
!
! --------------------------------------------------------------------------------
! IPsec Tunnel
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange (IKE) Configuration
! A policy is established for the supported ISAKMP encryption,
! authentication, Diffie-Hellman, lifetime, and key parameters.
!
crypto keyring 52.40.45.197-20.42.145.156
  pre-shared-key address 20.42.145.156 key <key>
!
crypto isakmp policy 1
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp keepalive 10 3 periodic
crypto isakmp profile 52.40.45.197-20.42.145.156
   keyring 52.40.45.197-20.42.145.156
   self-identity address
   match identity address 20.42.145.156 255.255.255.255
!
!---------------------------------------------------------------------------------
! #2: IPsec Configuration
! The IPsec transform set defines the encryption, authentication, and IPsec
! mode parameters.
!
crypto ipsec transform-set 52.40.45.197-20.42.145.156 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile 52.40.45.197-20.42.145.156
 set security-association lifetime seconds 3600
 set transform-set 52.40.45.197-20.42.145.156
 set pfs group14
 set isakmp-profile 52.40.45.197-20.42.145.156
!
!---------------------------------------------------------------------------------------
! #3: Tunnel Interface Configuration
! The virtual tunnel interface is used to communicate with the remote IPsec endpoint
! to establish the IPsec tunnel.
!
interface Tunnel1
 ip address 10.10.10.10 255.255.255.255
 ip mtu 1436
 ip tcp adjust-mss 1387
 tunnel source GigabitEthernet1
 tunnel mode ipsec ipv4
 tunnel destination 20.42.145.156
 tunnel protection ipsec profile 52.40.45.197-20.42.145.156
 ip virtual-reassembly
!
!---------------------------------------------------------------------------------------
! #4: Static Routing Configuration
! The static route directs the traffic to the Aviatrix remote subnets via the tunnel
! interface.
!
ip route 172.24.0.0 255.255.240.0 Tunnel1
!---------------------------------------------------------------------------------------
You can check the Tunnel Status at Diagnostics > Cloud Routes > External Connections.

Testing the Site2Cloud Connection

Make sure your instance’s Security Groups inbound rules are configured properly. From instance-1, you should be able to ping host-1 by “ping 192.24.7.101”. From host-1, you should be able to ping instance-1 by “ping 172.24.1.4”