Site-to-Site VPN between AWS and my Fritzbox 7490

Hello everyone, I am trying to establish a "Site-to-Site VPN" between AWS/VPC and my Fritzbox using "ipsec.1" (preshared_key). Theoretically this should work, as AWS and the Fritzbox can use the same algorithms/encryption. But I can't find my error and hope someone here has an idea.

I have rolled out the following in AWS:

locals {
  public_fritzbox_ip = "100.0.0.0" # fake IP
  local_cidr         = "192.168.23.0/24"
  preshared_key      = "NvgyYNXXXXXXXXXXXXXXXXXXXXXXXc2j"
}

provider "aws" {
  region  = "eu-central-1"
  profile = "tfprofile"
}

# AWS VPC
# Address: 10.0.0.0
# Netmask: 255.255.0.0
variable "vpc_cidr" {
  type    = string
  default = "10.0.0.0/16"
}

variable "public_subnets" {
  type    = list(string)
  default = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
}

variable "private_subnets" {
  type    = list(string)
  default = ["10.0.10.0/24", "10.0.11.0/24", "10.0.12.0/24"]
}

data "aws_availability_zones" "available" {
  state = "available"
}

resource "aws_vpc" "main" {
  cidr_block = var.vpc_cidr
  tags = {
    Name = "VPN"
  }
}

resource "aws_subnet" "public_subnet" {
  count                   = length(data.aws_availability_zones.available.names)
  vpc_id                  = aws_vpc.main.id
  cidr_block              = var.public_subnets[count.index]
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = true
  tags = {
    Name = "VPN Public ${count.index}"
  }
}

resource "aws_subnet" "private_subnet" {
  count                   = length(data.aws_availability_zones.available.names)
  vpc_id                  = aws_vpc.main.id
  cidr_block              = var.private_subnets[count.index]
  availability_zone       = data.aws_availability_zones.available.names[count.index]
  map_public_ip_on_launch = false
  tags = {
    Name = "VPN Private ${count.index}"
  }
}

resource "aws_security_group" "vpn" {
  name   = "vpn-security-group"
  vpc_id = aws_vpc.main.id

  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [aws_vpc.main.cidr_block, local.local_cidr]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_customer_gateway" "cgw" {
  bgp_asn    = 65000
  ip_address = local.public_fritzbox_ip
  type       = "ipsec.1"

  tags = {
    Name = "On-Premise Customer Gateway"
  }
}

resource "aws_vpn_gateway" "vpngw" {
  vpc_id = aws_vpc.main.id

  tags = {
    Name = "AWS VGW"
  }
}

resource "aws_vpn_gateway_attachment" "vpngw_attachment" {
  vpc_id         = aws_vpc.main.id
  vpn_gateway_id = aws_vpn_gateway.vpngw.id
}

resource "aws_vpn_gateway_route_propagation" "routepropagation" {
  vpn_gateway_id = aws_vpn_gateway.vpngw.id
  route_table_id = aws_vpc.main.main_route_table_id
}

# https://fritzhelp.avm.de/help/de/FRITZ-Box-Fon-WLAN-7490/avm/021/hilfe_vpn_tec_standards
resource "aws_vpn_connection" "vpn" {
  vpn_gateway_id      = aws_vpn_gateway.vpngw.id
  customer_gateway_id = aws_customer_gateway.cgw.id
  type                = "ipsec.1"
  static_routes_only  = true

  tunnel1_ike_versions                 = ["ikev1"]
  tunnel1_preshared_key                = local.preshared_key
  tunnel1_phase1_encryption_algorithms = ["AES256"]
  tunnel1_phase1_integrity_algorithms  = ["SHA1", "SHA2-512"]
  tunnel1_phase1_dh_group_numbers      = [2, 14, 15]
  tunnel1_phase2_encryption_algorithms = ["AES256"]
  tunnel1_phase2_integrity_algorithms  = ["SHA1", "SHA2-512"]

  tunnel2_ike_versions                 = ["ikev1"]
  tunnel2_preshared_key                = local.preshared_key
  tunnel2_phase1_encryption_algorithms = ["AES256"]
  tunnel2_phase1_integrity_algorithms  = ["SHA1", "SHA2-512"]
  tunnel2_phase1_dh_group_numbers      = [2, 14, 15]
  tunnel2_phase2_encryption_algorithms = ["AES256"]
  tunnel2_phase2_integrity_algorithms  = ["SHA1", "SHA2-512"]
}

resource "aws_vpn_connection_route" "onpremNetwork" {
  destination_cidr_block = local.local_cidr
  vpn_connection_id      = aws_vpn_connection.vpn.id
}

output "AWStunnel1IP" {
  value = aws_vpn_connection.vpn.tunnel1_address
}

output "AWStunnel2IP" {
  value = aws_vpn_connection.vpn.tunnel2_address
}

### Only for testing ###

resource "aws_security_group" "allow_ssh" {
  name   = "allow_ssh"
  vpc_id = aws_vpc.main.id

  ingress {
    description = "SSH Connection"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [aws_vpc.main.cidr_block, local.local_cidr]
  }

  egress {
    description = "Needed for yum/dnf updates"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "testec2" {
  ami           = "ami-09024b009ae9e7adf"
  instance_type = "t3.micro"
  tags = {
    Name = "testec2"
  }
  subnet_id              = "subnet-0a0879da3672157ba"
  vpc_security_group_ids = [aws_security_group.allow_ssh.id, aws_security_group.vpn.id]
  user_data              = <<EOUD
#!/usr/bin/env bash
echo "%wheel        ALL=(ALL)       NOPASSWD: ALL" > /etc/sudoers.d/root_wo_password
chmod 440 /etc/sudoers.d/root_wo_password

adduser ansible
usermod -aG wheel ansible

mkdir -p /home/ansible/.ssh
chmod  0700 /home/ansible/.ssh
echo "ssh-ed25519 AAAAC3NzaC1lXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" >> /home/ansible/.ssh/authorized_keys
chmod 0600 /home/ansible/.ssh/authorized_keys
chown -R ansible:ansible /home/ansible
EOUD
}

output "AWSLinuxPrivateIP" {
  value = aws_instance.testec2.private_ip
}

I have set up the VPN tunnel in the Fritzbox as follows.

[screenshot: Fritzbox VPN configuration]

[screenshot: Fritzbox VPN configuration]

If you have any ideas or suggestions, I would be delighted.

Thank you very much, Florian

  • If there are errors, it will help to diagnose the issue.

  • Hi Marcin, Thank you for your offer. Unfortunately no, in AWS I only see that the tunnels are "down" and nothing is logged on my Fritzbox. I could try sending the AWS tunnel logs to CloudWatch. Or do you have any other ideas on how I can narrow down the problem? Maybe you can send me a PM and we can look at the technical details. Regards, Florian

  • You can force the tunnel up on the Fritzbox, then you see some logs from its point of view.

  • I tried, but unfortunately no errors or information that would help to narrow down the problem.

  • Sorry, but personally I'm not able to help here.

Florian
asked 3 months ago, 208 views

1 Answer

Hello Florian,

Reading the documentation of the FritzBox 7490, I noticed it does not support PFS: https://en.avm.de/service/knowledge-base/dok/FRITZ-Box-7490/3331_Connecting-the-FRITZ-Box-with-a-company-s-VPN-IPSec/

Requirements / Restrictions: "The FRITZ!Box supports VPN connections according to the IPsec standard with ESP, IKEv1, and pre-shared keys. Authentication Header (AH) and Perfect Forward Security (PFS) are not supported."

For AWS Site-to-Site VPN to work you need to support PFS; it is a requirement, else phase 2/IPsec will fail and the tunnels will not come up: https://repost.aws/knowledge-center/vpn-tunnel-phase-2-ipsec

I would say trying another router on-prem or a StrongSwan-based VPN solution may work for you: https://aws.amazon.com/blogs/networking-and-content-delivery/simulating-site-to-site-vpn-customer-gateways-strongswan/

AWS
answered 3 months ago
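An added example, not part of the post or of any AWS tooling, that models the reasoning in the answer: each IKE phase only succeeds when both peers share a proposal, and because AWS always requires PFS, a gateway that offers no phase-2 DH group fails phase 2 even though phase 1 completes, which is exactly what "tunnel down with nothing logged" looks like. The AWS side is taken from the Terraform above; the FRITZ!Box and strongSwan cipher sets are assumed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Peer:
    ike_versions: set
    phase1_enc: set
    phase1_integ: set
    phase1_dh: set
    phase2_enc: set
    phase2_integ: set
    phase2_dh: set            # DH groups offered for PFS; empty = cannot do PFS
    pfs_required: bool = False

def negotiate(a: Peer, b: Peer) -> dict:
    """Return {"phase1": [failed items], "phase2": [failed items]} for a vs b."""
    checks = {
        "phase1": [("ike_version", a.ike_versions, b.ike_versions),
                   ("encryption", a.phase1_enc, b.phase1_enc),
                   ("integrity", a.phase1_integ, b.phase1_integ),
                   ("dh_group", a.phase1_dh, b.phase1_dh)],
        "phase2": [("encryption", a.phase2_enc, b.phase2_enc),
                   ("integrity", a.phase2_integ, b.phase2_integ)],
    }
    outcome = {phase: [name for name, x, y in items if not (x & y)]
               for phase, items in checks.items()}
    # PFS: if either side insists on it, both must share a phase-2 DH group.
    if (a.pfs_required or b.pfs_required) and not (a.phase2_dh & b.phase2_dh):
        outcome["phase2"].append("pfs_group")
    return outcome

def tunnel_comes_up(outcome: dict) -> bool:
    return not outcome["phase1"] and not outcome["phase2"]

# Tunnel options from the Terraform above. Phase-2 DH groups were not set there,
# so they fall back to the AWS defaults (2, 5, 14-24); AWS always requires PFS.
AWS_TUNNEL = Peer(ike_versions={"ikev1"}, phase1_enc={"AES256"},
                  phase1_integ={"SHA1", "SHA2-512"}, phase1_dh={2, 14, 15},
                  phase2_enc={"AES256"}, phase2_integ={"SHA1", "SHA2-512"},
                  phase2_dh={2, 5, *range(14, 25)}, pfs_required=True)

# FRITZ!Box as quoted in the answer: IKEv1, ESP, PSK, no PFS. The cipher sets
# are assumed for illustration; the question only says they match AWS's.
FRITZBOX = Peer(ike_versions={"ikev1"}, phase1_enc={"AES256"},
                phase1_integ={"SHA1"}, phase1_dh={2, 14}, phase2_enc={"AES256"},
                phase2_integ={"SHA1"}, phase2_dh=set(), pfs_required=False)

# Hypothetical strongSwan customer gateway (the answer's suggested alternative),
# assumed to offer PFS with group 14 in phase 2.
STRONGSWAN = Peer(ike_versions={"ikev1"}, phase1_enc={"AES256"},
                  phase1_integ={"SHA2-512"}, phase1_dh={14}, phase2_enc={"AES256"},
                  phase2_integ={"SHA2-512"}, phase2_dh={14}, pfs_required=True)
```

Running negotiate(AWS_TUNNEL, FRITZBOX) reports an empty phase-1 failure list and ["pfs_group"] for phase 2, while the strongSwan profile passes both phases.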
