quarta-feira, 4 de janeiro de 2017

Amazon - implementação mikrotik chr

All AWS accounts created after 2013-12-04 supports only EC2-VPC.
Amazon VPC have several options to establish a connection between EC2 instances in VPC and your own network.
As described in documentation section: Amazon Virtual Private Cloud --> User Guide --> VPN Connections, we can create User Network–to–Amazon VPC Connectivity Options connection using:
1. AWS hardware VPN.
2. AWS Direct Connect.
3. AWS VPN CloudHub.
4. Software VPN.

For more information, please read Amazon Virtual Private Cloud Connectivity Options whitepaper.

Here we will discuss fourth option - Software VPN.


If you want to use another option, please read official documentation: Amazon Virtual Private Cloud Documentation or ask on official forum Forum: Amazon Virtual Private Cloud.
Also on Mikrotik forum you can find some working examples and questions without reply:
1. Amazon AWS VPN -- A Working Configuration Example and Bug.
2. Amazon VPC and Mikrotik IPSec Tunnel.
3. Connecting to Amazon Virtual Private Cloud - VPC.
4. IPSec tunnel between RouterOS and Amazon AWS VPC.
5. IPSec VPN to Amazon AWS VPC.
6. AWS VPC Issues.
7. IPSEC VPN to Amazon AWS VPC (for EC2).

1. Amazon VPC.
2. Amazon EC2 instance with CHR RouterOS.
3. Amazon EC2 instance which will be accessible via VPN.

You can find installation instruction in the Wiki: CHR AWS installation.
According to the Wiki, at the moment, CHR is accessible only in us-east1(N. Virginia, ID=ami-3f486355) and eu-west1(EU (Ireland), ID=ami-bef141cd) regions.
Choose appropriate region and start new instance by pressing "Launch instance button":
1. On first step choose AMI from the Community AMIs searching by name "CHR RouterOS" or AMI ID.
2. Instance type by your needs.
3. Select your "Network", and "Subnet" and "IP"(X.X.X.254 as example).
4. Set "Root Volume Size" 1 GB and type "Magnetic".
5. Set your instance "Tag".
6. Setup access to your instance by editing "Security Group".
7. Review your instance and then launch it.

After installation you can attach an elastic IP to the instance that your CHR Router OS will be accessible via static IP.
At this point you can connect to your CHR RouterOS via SSH using key you selected during launch process. And then you can setup admin password and access your router via Winbox.

1. Now your CHR RouterOS is almost ready to work as VPN Gateway. You can setup all suitable type of VPN you need.
2. On second EC2 instance which should be accessible via VPN add static route to your own network via CHR RouterOS.

If you use IPSec you should be aware that you CHR Router OS is behind AWS NAT. This is why you should consider this in IPSec policy and peer creation.
Related forum posts:
1. Feature Request: IPSec: allow manual override of IKE ID.
2. IPSEC behind nat.
3. Help with IPSec NAT-Traversal
4. L2TP/IPsec policy autogeneration when both roadwarrior client and RouterOS device behind NAT issue
5. Cloud Hosted Router: L2TP/IPsec server behind 1:1 NAT on Amazon EC2

Our IPSec with Cisco ASA started only with disabled "NAT-Traversal" and internal "SA Src.Address".

1. We started nano instance on Magnetic Volume.
2. We have done IPSec setup with Cisco ASA 5505 on ASA OS 8.0(4): DH5, SHA,AES128.
3. We got 50-60 Mbit/s with ~ 10% CPU load on CHR RouterOS, on SMB protocol.

1. Instance: nano - $0.0065 per Hour = $4.84.
2. Volume: 1 GB - $0.05 per GB-month of provisioned storage = $0.05.
$0.05 per 1 million I/O requests.
3. Elastic IP: $0.00 for one Elastic IP address associated with a running instance = 0$.
4. Traffic: By your usage.
Data Transfer OUT From Amazon EC2 To Internet: Up to 10 TB / month $0.09 per GB.
Data Transfer IN To Amazon EC2 From Internet: $0.00 per GB.

Total: ~ $4.9 per month(withou traffic).
+ One time payment $45 for CHR licence - 1 Gbit.

Comparing with VPC VPN Gateway:
$0.05 per VPN Connection-hour = $36.

Total: ~ $36 per month(without traffic).

1. It is more easy to setup VPN between EC2 instances and own location using CRH RouterOS.
2. Using of CHR RouterOS is more cheaper than AWS VPN Gateway.
3. On CHR RouterOS you have total control of VPN gateway and access to VPN debug logs.
4. This CHR RouterOS also can be used as NAT Gateway instead of billed separately AWS NAT Gateway.
5. CHR Router OS also can be used in other connection scenarios: "Amazon VPC–to–Amazon VPC Connectivity" or "Internal User-to-Amazon VPC Connectivity".

--- mikrotik chr on AWS

--- acerto do src/dst check


0 comentários: