Site-to-Site VPN between AWS and my Fritzbox 7490

1

Hello everyone, I am trying to establish a "Site-to-Site VPN" between AWS/VPC and my Fritzbox using "ipsec.1" (preshared_key). Theoretically this should work, as AWS and the Fritzbox can use the same algorithms/encryption. But I can't find my error and hope someone here has an idea.

I have rolled out the following in the AWS:

locals {
  public_fritzbox_ip = "100.0.0.0" # fake IP
  local_cidr         = "192.168.23.0/24"
  preshared_key      = "NvgyYNXXXXXXXXXXXXXXXXXXXXXXXc2j"
}

provider "aws" {
  region  = "eu-central-1"
  profile = "tfprofile"
}

# AWS VPC
# Address: 10.0.0.0
# Netmask: 255.255.0.0
variable "vpc_cidr" {
  type    = string
  default = "10.0.0.0/16"
}

variable "public_subnets" {
  type    = list(string)
  default = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
}

variable "private_subnets" {
  type    = list(string)
  default = ["10.0.10.0/24", "10.0.11.0/24", "10.0.12.0/24"]
}

data "aws_availability_zones" "available" {
  state = "available"
}

resource "aws_vpc" "main" {
  cidr_block = var.vpc_cidr
  tags = {
    Name = "VPN"
  }
}

resource "aws_subnet" "public_subnet" {
  count                   = length(data.aws_availability_zones.available.names)
  vpc_id                  = aws_vpc.main.id
  cidr_block              = var.public_subnets[count.index]
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = true
  tags = {
    Name = "VPN Public ${count.index}"
  }
}

resource "aws_subnet" "private_subnet" {
  count                   = length(data.aws_availability_zones.available.names)
  vpc_id                  = aws_vpc.main.id
  cidr_block              = var.private_subnets[count.index]
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = false
  tags = {
    Name = "VPN Private ${count.index}"
  }
}

resource "aws_security_group" "vpn" {
  name   = "vpn-security-group"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [aws_vpc.main.cidr_block, local.local_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_customer_gateway" "cgw" {
  bgp_asn    = 65000
  ip_address = local.public_fritzbox_ip
  type       = "ipsec.1"

  tags = {
    Name = "On-Premise Customer Gateway"
  }
}

resource "aws_vpn_gateway" "vpngw" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "AWS VGW"
  }
}

resource "aws_vpn_gateway_attachment" "vpngw_attachment" {
  vpc_id         = aws_vpc.main.id
  vpn_gateway_id = aws_vpn_gateway.vpngw.id
}

resource "aws_vpn_gateway_route_propagation" "routepropagation" {
  vpn_gateway_id = aws_vpn_gateway.vpngw.id
  route_table_id = aws_vpc.main.main_route_table_id
}

# https://fritzhelp.avm.de/help/de/FRITZ-Box-Fon-WLAN-7490/avm/021/hilfe_vpn_tec_standards
resource "aws_vpn_connection" "vpn" {
  vpn_gateway_id      = aws_vpn_gateway.vpngw.id
  customer_gateway_id = aws_customer_gateway.cgw.id
  type                = "ipsec.1"
  static_routes_only  = true

  tunnel1_ike_versions                 = ["ikev1"]
  tunnel1_preshared_key                = local.preshared_key
  tunnel1_phase1_encryption_algorithms = ["AES256"]
  tunnel1_phase1_integrity_algorithms  = ["SHA1", "SHA2-512"]
  tunnel1_phase1_dh_group_numbers      = [2, 14, 15]
  tunnel1_phase2_encryption_algorithms = ["AES256"]
  tunnel1_phase2_integrity_algorithms  = ["SHA1", "SHA2-512"]

  tunnel2_ike_versions                 = ["ikev1"]
  tunnel2_preshared_key                = local.preshared_key
  tunnel2_phase1_encryption_algorithms = ["AES256"]
  tunnel2_phase1_integrity_algorithms  = ["SHA1", "SHA2-512"]
  tunnel2_phase1_dh_group_numbers      = [2, 14, 15]
  tunnel2_phase2_encryption_algorithms = ["AES256"]
  tunnel2_phase2_integrity_algorithms  = ["SHA1", "SHA2-512"]
}

resource "aws_vpn_connection_route" "onpremNetwork" {
  destination_cidr_block = local.local_cidr
  vpn_connection_id      = aws_vpn_connection.vpn.id
}

output "AWStunnel1IP" {
  value = aws_vpn_connection.vpn.tunnel1_address
}

output "AWStunnel2IP" {
  value = aws_vpn_connection.vpn.tunnel2_address
}

### Only for testing ###

resource "aws_security_group" "allow_ssh" {
  name   = "allow_ssh"
  vpc_id = aws_vpc.main.id

  ingress {
    description = "SSH Connection"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block, local.local_cidr]
  }

  egress {
    description = "Needed for yum/dnf updates"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "testec2" {
  ami           = "ami-09024b009ae9e7adf"
  instance_type = "t3.micro"
  tags = {
    Name = "testec2"
  }
  subnet_id              = "subnet-0a0879da3672157ba"
  vpc_security_group_ids = [aws_security_group.allow_ssh.id, aws_security_group.vpn.id]
  user_data              = <<EOUD
#!/usr/bin/env bash
echo "%wheel        ALL=(ALL)       NOPASSWD: ALL" > /etc/sudoers.d/root_wo_password
chmod 440 /etc/sudoers.d/root_wo_password

adduser ansible
usermod -aG wheel ansible

mkdir -p /home/ansible/.ssh
chmod  0700 /home/ansible/.ssh
echo "ssh-ed25519 AAAAC3NzaC1lXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" >> /home/ansible/.ssh/authorized_keys
chmod 0600 /home/ansible/.ssh/authorized_keys
chown -R ansible:ansible /home/ansible
EOUD
}

output "AWSLinuxPrivateIP" {
  value = aws_instance.testec2.private_ip
}

I have set up the VPN tunnel in the Fritzbox as follows. [screenshot of the Fritzbox VPN settings]

[screenshot of the Fritzbox VPN settings]

If you have any ideas or suggestions, I would be delighted.

Thank you very much Florian

  • If there are errors, it will help to diagnose the issue.

  • Hi Marcin, Thank you for your offer. Unfortunately no, in AWS I only see that the tunnels are "down" and nothing is logged on my Fritzbox. I could try sending the AWS tunnel logs to CloudWatch. Or do you have any other ideas on how I can narrow down the problem? Maybe you can send me a PM and we can look at the technical details. Regards, Florian

  • You can force the tunnel up on the Fritzbox; then you will see some logs from its point of view.

  • I tried, but unfortunately no errors or information that would help to narrow down the problem.

  • Sorry, but personally I'm not able to help here.

Florian
asked 3 months ago, 218 views
1 answer
1

Hello Florian,

Reading the documentation of the FritzBox 7490, I noticed it does not support PFS. https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7490/3331_Connecting-the-FRITZ-Box-with-a-company-s-VPN-IPSec/ Under "Requirements / Restrictions": "The FRITZ!Box supports VPN connections according to the IPsec standard with ESP, IKEv1, and pre-shared keys. Authentication Header (AH) and Perfect Forward Security (PFS) are not supported."

For AWS Site-to-Site VPN to work you need to support PFS; it is a requirement, else phase 2/IPsec will fail and the tunnels will not come up. https://repost.aws/knowledge-center/vpn-tunnel-phase-2-ipsec.

I would say trying another on-prem router or a StrongSwan-based VPN solution may work for you. https://aws.amazon.com/blogs/networking-and-content-delivery/simulating-site-to-site-vpn-customer-gateways-strongswan/

AWS
answered 3 months ago
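The answer above boils down to a proposal-matching argument: phase 1 has common ground, but AWS insists on a phase 2 DH group (PFS) and the FRITZ!Box offers none, so the IPsec SA can never be agreed. The following Python checker is an added example, not code from the thread, AWS or AVM. It models each side's acceptable parameters as sets, intersects them phase by phase, and reports the first phase that cannot be negotiated. The AWS side mirrors the tunnel options in the Terraform in the question (phase 2 DH groups are not set there, so the AWS default list applies); the FRITZ!Box side encodes the AVM restriction the answer quotes (IKEv1, ESP, PSK, no PFS), with the remaining FRITZ!Box algorithm choices assumed for illustration. The third peer, a strongSwan-style gateway with PFS, is likewise an assumed capability set, included to show the contrast the answer suggests.

```python
"""Added example: which IKE/IPsec phase fails between an AWS Site-to-Site VPN
tunnel and an on-premises peer, computed as set intersections per phase.
Peer capability sets below are illustrative assumptions, not vendor data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Union


@dataclass(frozen=True)
class PeerCapabilities:
    name: str
    ike_versions: FrozenSet[str]
    auth_methods: FrozenSet[str]
    phase1_encryption: FrozenSet[str]
    phase1_integrity: FrozenSet[str]
    phase1_dh_groups: FrozenSet[int]
    phase2_encryption: FrozenSet[str]
    phase2_integrity: FrozenSet[str]
    phase2_pfs_groups: FrozenSet[int]   # empty set means PFS is not supported


# AWS side, mirroring the tunnel1_* options in the Terraform from the question.
# Phase 2 DH groups were not configured there, so AWS uses its default list;
# a non-empty phase 2 DH group (PFS) is always required by AWS.
AWS_TUNNEL = PeerCapabilities(
    name="AWS VGW tunnel1",
    ike_versions=frozenset({"ikev1"}),
    auth_methods=frozenset({"psk"}),
    phase1_encryption=frozenset({"AES256"}),
    phase1_integrity=frozenset({"SHA1", "SHA2-512"}),
    phase1_dh_groups=frozenset({2, 14, 15}),
    phase2_encryption=frozenset({"AES256"}),
    phase2_integrity=frozenset({"SHA1", "SHA2-512"}),
    phase2_pfs_groups=frozenset({2, 5} | set(range(14, 25))),
)

# FRITZ!Box 7490 per the AVM restrictions quoted in the answer: IKEv1, ESP,
# pre-shared key, no PFS.  The algorithm sets are assumptions for this example.
FRITZBOX_7490 = PeerCapabilities(
    name="FRITZ!Box 7490 (assumed)",
    ike_versions=frozenset({"ikev1"}),
    auth_methods=frozenset({"psk"}),
    phase1_encryption=frozenset({"AES256"}),
    phase1_integrity=frozenset({"SHA1"}),
    phase1_dh_groups=frozenset({2, 14}),
    phase2_encryption=frozenset({"AES256"}),
    phase2_integrity=frozenset({"SHA1"}),
    phase2_pfs_groups=frozenset(),          # PFS not supported
)

# A strongSwan-style gateway configured with a PFS group (assumed capability set).
STRONGSWAN_PEER = PeerCapabilities(
    name="strongSwan gateway (assumed)",
    ike_versions=frozenset({"ikev1", "ikev2"}),
    auth_methods=frozenset({"psk"}),
    phase1_encryption=frozenset({"AES256"}),
    phase1_integrity=frozenset({"SHA2-512"}),
    phase1_dh_groups=frozenset({14}),
    phase2_encryption=frozenset({"AES256"}),
    phase2_integrity=frozenset({"SHA2-512"}),
    phase2_pfs_groups=frozenset({14}),
)

Phase = Union[Dict[str, list], str]


def _common(aws_set, peer_set, what: str) -> list:
    """Intersection of both sides' choices, or a ValueError naming the gap."""
    both = aws_set & peer_set
    if not both:
        raise ValueError(f"no common {what} (AWS: {sorted(aws_set)}, peer: {sorted(peer_set)})")
    return sorted(both)


def negotiate(aws: PeerCapabilities, peer: PeerCapabilities) -> Dict[str, Phase]:
    """Return the agreed parameters per phase, or 'FAIL: ...' for the phase that breaks."""
    report: Dict[str, Phase] = {}
    try:
        report["phase1"] = {
            "ike": _common(aws.ike_versions, peer.ike_versions, "IKE version"),
            "auth": _common(aws.auth_methods, peer.auth_methods, "authentication method"),
            "enc": _common(aws.phase1_encryption, peer.phase1_encryption, "phase 1 encryption"),
            "integ": _common(aws.phase1_integrity, peer.phase1_integrity, "phase 1 integrity"),
            "dh": _common(aws.phase1_dh_groups, peer.phase1_dh_groups, "phase 1 DH group"),
        }
    except ValueError as err:
        report["phase1"] = f"FAIL: {err}"
        report["phase2"] = "SKIPPED: phase 1 never completes"
        return report
    try:
        report["phase2"] = {
            "enc": _common(aws.phase2_encryption, peer.phase2_encryption, "phase 2 encryption"),
            "integ": _common(aws.phase2_integrity, peer.phase2_integrity, "phase 2 integrity"),
            # AWS requires PFS: an empty peer set fails here, which is the FRITZ!Box case.
            "pfs": _common(aws.phase2_pfs_groups, peer.phase2_pfs_groups, "phase 2 PFS DH group"),
        }
    except ValueError as err:
        report["phase2"] = f"FAIL: {err}"
    return report


def tunnel_comes_up(report: Dict[str, Phase]) -> bool:
    """True only if both phases negotiated a proposal."""
    return all(isinstance(report[p], dict) for p in ("phase1", "phase2"))


if __name__ == "__main__":
    for peer in (FRITZBOX_7490, STRONGSWAN_PEER):
        rep = negotiate(AWS_TUNNEL, peer)
        print(f"{peer.name}: tunnel up = {tunnel_comes_up(rep)}")
        for phase, outcome in rep.items():
            print(f"  {phase}: {outcome}")
```

Against the FRITZ!Box set, phase 1 agrees on AES256/SHA1 with DH group 2 or 14 and phase 2 fails on the PFS group, which matches the "tunnels down with nothing logged" symptom: the AWS side simply never gets an acceptable IPsec proposal. Swapping in a peer that offers a phase 2 DH group from the AWS list brings both phases to agreement.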
