I have a Windows server running on Amazon Web Services which I need to connect with my office network and access the internet through my office public IP. I'm doing this with Cisco AnyConnect Client and I can connect to the VPN and access the internet. The problem I'm having is that the session expires after 23.5 hours and I don't know how to avoid this. If it is not possible, another solution could be a way to reconnect automatically after this time with no user intervention. Is there a way to achieve this?
- Have you looked at alternatives like SoftEther? https://www.softether.org/ It should be a more robust solution and has more features. – hookenz Jan 03 '17 at 21:46
- I didn't know it, but I did a short research and I think it's not a good alternative for my case because I don't have a server in my office to run the software. What I need is a connection from my Windows server directly to the Cisco RV320 router. – Roni Berezin Jan 03 '17 at 23:03
- You could always use an AWS VPN whose customer gateway was the RV320, if that supports BGP and IPsec/IKE. This has the additional benefit of applying to the entire network and not being up to the discretion of the local administrator of the EC2 instances. – erik258 Jan 04 '17 at 01:17
- Thank you @DanFarrell, that was actually my first idea to solve this. I've never done that before and when I reviewed the documentation about AWS VPN it didn't mention that router model. I think it should work but I thought it would be easier to do it with the Cisco client, maybe I was wrong. I will try to write a script to automatically reconnect the VPN when the timeout is reached, but if I don't succeed I will try your idea. Do you know how to establish a VPN with AWS not only to my office private network, so I can access the internet through my office public IP? – Roni Berezin Jan 04 '17 at 13:32
1 Answer
One option you may find compelling is the AWS VPN Connection service offered as part of AWS VPCs.
An AWS VPN would be configured as an IPsec tunnel over the internet which could establish a route between the VPC (or certain subnets in the VPC) and your corporate networks. This configuration is a lot more complex than a host-based VPN like AnyConnect, but does offer some advantages.
- In my experience, it's rock solid.
- The routing is expressed through BGP, so you can route some, or all, traffic from the VPC to or through your office (you can also do static routes if so inclined).
- The routing is all done at the VPC layer, making it something that happens below the EC2 instances, so all your instances get VPN connectivity for free (or a certain subnet, however you care to configure the routing).
- That also means it can't be opted out of by not running AnyConnect.
- And you don't have to configure every host to have an additional VPN connection.
Make no mistake though, this is an advanced feature that isn't trivial to set up. But it's not terribly difficult for an experienced net admin, either.
The link at the top lays out the concepts and also provides several examples for configuring with different kinds of hardware on the corporate side.

erik258
- Thank you, I managed to get the first tunnel working. Now I need to know how to redirect the traffic originating from AWS (only to certain IPs) through my office's public IP. Do you know how I can do that? – Roni Berezin Jan 05 '17 at 21:33
- Nicely done! You'll want to add a default route - either BGP or static - through the IP of your customer gateway, probably the tunnel IP I'd think. While you're at it, remove the default route you already have through the NAT or Internet gateway. And you'll want to configure NAT for the outbound traffic through your CGW of course, just like you would for all other internet traffic going out. Finally, make sure to get the other tunnel up too, so you have redundancy when AWS does network maintenance on your VPN Connection. – erik258 Jan 05 '17 at 21:41
- I'm using static routes because my router doesn't support BGP. The second tunnel is up and now I can ping from my office to AWS but not back. Any idea why? – Roni Berezin Jan 05 '17 at 23:51
- I think I do. I can ping from my office to an EC2 instance but not back. Actually from the EC2 instance I can ping the router's private address on my LAN but it seems I can't pass that point. – Roni Berezin Jan 06 '17 at 01:15
- I solved the issue of pinging from Amazon to my office and back. What I'm not able to do now is ping a.b.c.d from Amazon, which is the final step. I created a static route to a.b.c.d in Amazon making it go through the VPN interface but I don't receive any response. From my office IP I can ping a.b.c.d successfully. – Roni Berezin Jan 06 '17 at 04:14
- I think I don't. What should I check? I made a few more tests that could give a clue of what's failing. When I redirect the traffic from AWS to a specific IP (8.8.8.8) through the VPN, pings stop working. I think my router is dropping those packets. Could it be that the different network segments used are making the router fail? The Windows machine on AWS has a private address 172.25.31.147 while my office's network is working on 192.168.0.1/24. – Roni Berezin Jan 07 '17 at 19:31
- You'll want to add routes to each of those subnets on the opposite sides. Then for NAT, your edge router is probably already doing that for hosts on 192.168 - you'll want to add the same config for 172.25. You might get this automatically, depending on how your routing works. – erik258 Jan 07 '17 at 19:47
- I've tried that before with no luck. On the AWS side I have these routes:

      Destination      Target         Status   Propagated
      172.31.0.0/16    local          Active   No
      0.0.0.0/0        igw-3c8c2858   Active   No
      8.8.8.8/32       vgw-7618c068   Active   No
      192.168.0.0/24   vgw-7618c068   Active   Yes

  – Roni Berezin Jan 07 '17 at 20:16
- I couldn't save the whole comment... On the RV320 I have no static routes, but I've tried before with no results. If you want to take a look, here is an online emulator of the RV320 GUI: https://www.cisco.com/assets/sol/sb/RV320_Emulators/RV320_Emulator_v1.1.0.09/default.htm Thank you so much for taking your time to help me. – Roni Berezin Jan 07 '17 at 20:23
- Looks like on the "Advanced Routing" page. We don't use this tech at work, but I _think_ you'll want to add a static route for 172.31/16 on the VPN tunnel device to the IP on the AWS side of the tunnel. – erik258 Jan 08 '17 at 17:18
- I would focus on getting pings through your private networks first, and then adjusting the NAT, if necessary, to masquerade addresses on the 172.31/16 network too. – erik258 Jan 08 '17 at 17:19