https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNTunnels.html
AWS Phase II has PFS configured; make sure the on-premises (local) firewall also has PFS enabled.
The AWS Phase I lifetime default is 28800 seconds (8 hours); the Phase II default is 3600 seconds, which is the maximum that can be specified on AWS.
Note: It's a best practice to avoid using AS Path prepending so that both tunnels have an equal AS PATH value. With an equal AS PATH value, the MED value that AWS sets on the tunnel during VPN tunnel endpoint updates determines tunnel priority.
To ensure that the up tunnel with the lower MED is preferred, ensure that your customer gateway device uses the same Weight and Local Preference values for both tunnels (Weight and Local Preference have higher priority than MED).
ECMP isn't supported for Site-to-Site VPN connections on a virtual private gateway.
ECMP is supported for Site-to-Site VPN connections on a transit gateway.
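As an added example (not taken from the AWS or Cisco pages linked here), the selection rule behind the MED note above modelled in Python: the Cisco BGP best-path ordering of Weight, then Local Preference, then AS_PATH length, then MED, applied to the same prefix learned over two tunnels. The tunnel names, the AS number 64512 and all attribute values are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class TunnelRoute:
    """One copy of a prefix as learned over one VPN tunnel (constructed data)."""
    name: str
    weight: int        # Cisco-local attribute, higher wins, compared first
    local_pref: int    # higher wins
    as_path: list      # shorter wins; AS path prepending lengthens it
    med: int           # lower wins; AWS sets this per tunnel endpoint
    up: bool = True    # a down tunnel's route is withdrawn

# Selection order modelled here: weight -> local_pref -> AS_PATH length -> MED.
# Any earlier attribute that differs makes MED irrelevant, which is the point of the note.
_STEPS = (
    ("weight", lambda r: -r.weight),
    ("local_pref", lambda r: -r.local_pref),
    ("as_path_length", lambda r: len(r.as_path)),
    ("med", lambda r: r.med),
)

def best_path(routes):
    """Return (winning route, name of the attribute that decided it)."""
    candidates = [r for r in routes if r.up]
    if not candidates:
        return None, "no tunnel up"
    if len(candidates) == 1:
        return candidates[0], "only tunnel up"
    for attr, key in _STEPS:   # keep only the routes that tie at each step
        best = min(key(r) for r in candidates)
        candidates = [r for r in candidates if key(r) == best]
        if len(candidates) == 1:
            return candidates[0], attr
    return candidates[0], "tie"  # equal on all four; later tie-breakers apply

def med_decides(routes):
    """True only when the tunnel AWS marks with the lower MED is what actually wins."""
    return best_path(routes)[1] == "med"

# Constructed sample: two tunnels to one VPC; AWS sets the lower MED on tunnel1.
def sample(t2_local_pref=100, t1_as_path=(64512,), t1_up=True):
    t1 = TunnelRoute("tunnel1", 0, 100, list(t1_as_path), med=100, up=t1_up)
    t2 = TunnelRoute("tunnel2", 0, t2_local_pref, [64512], med=200)
    return [t1, t2]

if __name__ == "__main__":
    print(best_path(sample()))                          # tunnel1, decided by MED
    print(best_path(sample(t2_local_pref=200)))         # tunnel2 by local_pref; MED ignored
    print(best_path(sample(t1_as_path=(64512,) * 3)))   # tunnel2 by AS path length; MED ignored
    print(best_path(sample(t1_up=False)))               # tunnel2, only tunnel up
```

The second and third cases are the misconfigurations the note warns about: a differing Local Preference or a prepended AS path on the customer gateway overrides the MED that AWS uses to signal which tunnel it wants preferred.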
Configure Route-Based Site-to-Site VPN between Cisco Secure Management Center and AWS VPC
https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/usecase/VPN/b_configure-route-based-site-to-site-vpn-between-cisco-secure-management-center-and-aws-vpc.html
The AWS-generated FTD configuration has the following note:
! AWS by default , provides two tunnels endpoints per VPN and also dynamically generates different keys for both AWS tunnels.
! At the time of this writing , FMC (version 6.2.3) provides an option to specify only one pre-shared key per topology.
! To have redundancy , please recreate your VPN, and manually specify a common preshared key for both the tunnels on AWS console and then enter the same key in FTD configuration below.
! If you would like only one tunnel to AWS from the CGW , please ignore this warning and continue with the instructions below.
! ------------------------------------------------------------------------------------------------------------------------
There is no change in FTD 7.4.1: there is still only one pre-shared key per S2S VPN topology, and the note is unchanged:
! -----------------------------------------IMPORTANT NOTE-----------------------------------------------------------------
! AWS by default , provides two tunnels endpoints per VPN and also dynamically generates different keys for both AWS tunnels.
! At the time of this writing , Cisco Firepower Management Center (FMC) (version 6.2.3) provides an option to specify only one pre-shared key per topology.
! To have redundancy , please recreate your VPN, and manually specify a common preshared key for both the tunnels on AWS console and then enter the same key in FTD configuration below.
! ------------------------------------------------------------------------------------------------------------------------
In this FTD 7.4.1 lab, one S2S VPN topology still has only one pre-shared key. So if we keep a single topology, the AWS side needs the change mentioned above (a common pre-shared key for both tunnels); otherwise we have to create two topologies in FTD.
Below is the single-topology FTD configuration.