Amazon Virtual Private Cloud
Network Administrator Guide (API Version 2014-10-01)

Configuring Windows Server 2008 R2 as a Customer Gateway for Your VPC

You can configure Windows Server 2008 R2 as a customer gateway for your VPC. Use the following process whether you are running Windows Server 2008 R2 on an EC2 instance in a VPC, or on your own server:

Prerequisites

Before you begin, make sure that you have the following:

  • Windows Server 2008 R2 on your own network, or on an EC2 instance in a VPC

  • The CIDR range for your network in which the Windows server is located, for example, 172.31.0.0/16

  • The CIDR range for your VPC, for example, 10.0.0.0/16

  • A customer gateway that specifies the IP address of the Windows Server 2008 R2 server

    Note

    The IP address must be static and can't be behind a device performing NAT; if your customer gateway is a Windows server instance, you can use an Elastic IP address.

  • A virtual private gateway attached to your VPC

  • A subnet in your VPC for launching instances that will communicate with the Windows server

  • Routing for your VPN connection:

    • Add a route to your subnet's route table with the virtual private gateway as the target, and the Windows server's network (CIDR range) as the destination.

    • Enable route propagation for the virtual private gateway. For more information about route tables, see Route Tables in the Amazon VPC User Guide.

  • A security group configuration that allows communication between your network and your VPC:

    • If your customer gateway is a Windows server instance in a VPC, its security group requires the following outbound custom protocol rules for IPsec traffic: IP protocol 50, IP protocol 51, and UDP 500. By default, a security group allows all outbound traffic, so this step is only required if the security group's outbound rules have been modified from their original state.

    • For instances that you launch in your VPC, add rules to their security groups that allow inbound RDP or SSH access from your network. This enables you to connect to instances in your VPC from your network. For more information, see Security Groups for Your VPC in the Amazon VPC User Guide.

    • For instances that you launch in your VPC, add a rule to their security groups that allows inbound ICMP access. This enables you to test your VPN connection by pinging an instance in your VPC from your Windows server.

If you launched the Windows server instance from a current Amazon AMI, you might not be able to route traffic from other instances without updating your adapter settings.

To update your adapter settings

  1. From your Windows server instance, open Control Panel, and start the Device Manager.

  2. Expand the Network adapters node.

  3. Right-click the Citrix network adapter, and then click Properties.

  4. On the Advanced tab, disable the IPv4 Checksum Offload, TCP Checksum Offload (IPv4), and UDP Checksum Offload (IPv4) properties, and then click OK.

Step 1: Create a VPN Connection

To create a VPN connection

  1. Open the Amazon VPC console.

  2. In the navigation pane, click VPN Connections, and then click Create VPN Connection.

  3. Select the virtual private gateway and customer gateway from the lists. Select the Static routing option, enter the Static IP Prefixes values for your server's network in CIDR notation (for example, 172.31.0.0/16), and then click Yes, Create.

Step 2: Download the Configuration File for the VPN Connection

To download your configuration file

  1. Click VPN Connections in the navigation pane.

  2. Select your VPN connection, and then click Download Configuration.

  3. Select Microsoft as the vendor, Windows Server as the platform, and 2008 R2 as the software. Click Yes, Download. You can open the file or save it.

Step 3: Configure the Server Using Data from the Configuration File

The configuration file contains a section of information similar to the following example. You’ll see this information presented twice, one time for each tunnel. You'll use this information when configuring the Windows Server 2008 R2 server.

vgw-1a2b3c4d Tunnel1
--------------------------------------------------------------------
Local Tunnel Endpoint:       203.0.113.1
Remote Tunnel Endpoint:      203.83.222.237
Endpoint 1:                  [Your_Static_Route_IP_Prefix]
Endpoint 2:                  [Your_VPC_CIDR_Block]
Preshared key:               xCjNLsLoCmKsakwcdoR9yX6GsEXAMPLE

Local Tunnel Endpoint

The IP address for the customer gateway - in this case, your Windows server - that terminates the VPN connection on your network's side.

Remote Tunnel Endpoint

One of two IP addresses for the virtual private gateway that terminates the VPN connection on the AWS side.

Endpoint 1

The IP prefix that you specified as a static route when you created the VPN connection. These are the IP addresses on your network that are allowed to use the VPN connection to access your VPC.

Endpoint 2

The IP address range (CIDR block) of the VPC attached to the virtual private gateway (for example 10.0.0.0/16).

Preshared key

The pre-shared key that is used to establish the IPsec VPN connection between Local Tunnel Endpoint and Remote Tunnel Endpoint.

We suggest that you configure both tunnels as part of the VPN connection. Each tunnel connects to a separate VPN concentrator on the Amazon side of the VPN connection. Although only one tunnel at a time is up, the second tunnel automatically establishes itself if the first tunnel goes down. Having redundant tunnels ensures continuous availability in the case of a device failure. Because only one tunnel is available at a time, the AWS Management Console displays a yellow icon indicating that one tunnel is down. This is expected behavior, so there's no action required from you.

With two tunnels configured, if a device failure occurs within AWS, your VPN connection automatically fails over to the second tunnel of the AWS virtual private gateway within a matter of minutes. When you configure your customer gateway, it's important that you configure both tunnels.

Note

From time to time, AWS performs routine maintenance on the virtual private gateway. This maintenance may disable one of the two tunnels of your VPN connection for a brief period of time. Your VPN connection automatically fails over to the second tunnel while we perform this maintenance.

Additional information regarding the Internet Key Exchange (IKE) and IPsec Security Associations (SA) is presented in the downloaded configuration file. Because the AWS VPC VPN suggested settings are the same as the Windows Server 2008 R2 default IPsec configuration settings, minimal work is needed on your part.

MainModeSecMethods:          DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
MainModeKeyLifetime:         480min,0sec
QuickModeSecMethods:         ESP:SHA1-AES128+60min+100000kb,
                             ESP:SHA1-3DES+60min+100000kb
QuickModePFS:                DHGroup2

MainModeSecMethods

The encryption and authentication algorithms for the IKE SA. These are the suggested settings for the VPN connection, and are the default settings for Windows Server 2008 R2 IPsec VPN connections.

MainModeKeyLifetime

The IKE SA key lifetime. This is the suggested setting for the VPN connection, and is the default setting for Windows Server 2008 R2 IPsec VPN connections.

QuickModeSecMethods

The encryption and authentication algorithms for the IPsec SA. These are the suggested settings for the VPN connection, and are the default settings for Windows Server 2008 R2 IPsec VPN connections.

QuickModePFS

We suggest the use of master key perfect forward secrecy (PFS) for your IPsec sessions.

To configure the Windows Server 2008 R2 server as the customer gateway

  1. Log on to the Windows Server 2008 R2 server.

  2. Click Start, point to All Programs, point to Administrative Tools, and then click Server Manager.

  3. Install Routing and Remote Access Services:

    1. In the Server Manager navigation pane, click Roles.

    2. In the Roles pane, click Add Roles.

    3. On the Before You Begin page, verify that your server meets the prerequisites and then click Next.

    4. On the Select Server Roles page, click Network Policy and Access Services, and then click Next.

    5. On the Network Policy and Access Services page, click Next.

    6. On the Select Role Services page, click Routing and Remote Access Services, leave Remote Access Service and Routing selected, and then click Next.

      (Figure: Add Roles Wizard: Select Role Services)

    7. On the Confirm Installation Selections page, click Install.

    8. When the wizard completes, click Close.

To configure and enable Routing and Remote Access Server

  1. In the Server Manager navigation pane, expand Roles, and then expand Network Policy and Access.

  2. Right-click Routing and Remote Access Server, and then click Configure and Enable Routing and Remote Access.

  3. In the Routing and Remote Access Setup Wizard, on the Welcome page, click Next.

  4. On the Configuration page, click Custom Configuration, and then click Next.

  5. Click LAN routing, and then click Next.

  6. Click Finish.

  7. When prompted by the Routing and Remote Access dialog box, click Start service.

Step 4: Set Up the VPN Tunnel

You can configure the VPN tunnel by running the netsh scripts included in the downloaded configuration file, or by using the New Connection Security Rule Wizard on the Windows server.

Important

We suggest that you use master key perfect forward secrecy (PFS) for your IPsec sessions. However, you can't enable PFS using the Windows Server 2008 R2 user interface; you can only enable this setting by running the netsh script with qmpfs=dhgroup2. Therefore, you should consider your requirements before you pick an option. For more information, go to Key exchange settings in the Microsoft TechNet Library.

Option 1: Run netsh Script

Copy the netsh script from the downloaded configuration file and replace the variables. The following is an example script.

netsh advfirewall consec add rule Name="VGW-1a2b3c4d Tunnel 1" Enable=Yes ^
Profile=any Type=Static Mode=Tunnel ^
LocalTunnelEndpoint=Windows_Server_Private_IP_address ^
RemoteTunnelEndpoint=203.83.222.236 Endpoint1=Static_Route_IP_Prefix ^
Endpoint2=VPC_CIDR_Block Protocol=Any Action=RequireInClearOut ^
Auth1=ComputerPSK Auth1PSK=xCjNLsLoCmKsakwcdoR9yX6Gsexample ^
QMSecMethods=ESP:SHA1-AES128+60min+100000kb ^
ExemptIPsecProtectedConnections=No ApplyAuthz=No QMPFS=dhgroup2

Name: You can replace the suggested name (VGW-1a2b3c4d Tunnel 1) with a name of your choice.

LocalTunnelEndpoint: Enter the private IP address of the Windows server on your network.

Endpoint1: The CIDR block of your network on which the Windows server resides, for example, 172.31.0.0/16

Endpoint2: The CIDR block of your VPC or a subnet in your VPC, for example, 10.0.0.0/16

Run the updated script in a command prompt window. (The ^ is the cmd.exe line-continuation character, so you can paste the wrapped script as a single command.) To set up the second VPN tunnel for this VPN connection, repeat the process using the second netsh script in the configuration file.

For more information about the netsh parameters, go to Netsh AdvFirewall Consec Commands in the Microsoft TechNet Library.
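The following PowerShell script is an added example and is not part of the AWS guide or its generated configuration file: it runs the netsh command above for both tunnels from one set of variables, keeps PFS enabled, and reads each rule back so it can be checked. The rule names, the local IP address, and every endpoint and pre-shared key value are placeholders to replace from the Tunnel1 and Tunnel2 sections of your own configuration file.

```powershell
# Added example (not from the AWS guide or its configuration file): create both
# tunnel rules with netsh from one set of variables. Replace every placeholder
# with the values from the Tunnel1 and Tunnel2 sections of your configuration file.
$LocalEndpoint = "192.0.2.10"        # placeholder: private IP of this Windows server
$OnPremCidr    = "172.31.0.0/16"     # Endpoint 1: your network (Static Route IP Prefix)
$VpcCidr       = "10.0.0.0/16"       # Endpoint 2: your VPC CIDR block

# Rule names deliberately contain no spaces so each netsh argument stays one token.
$Tunnels = @(
    @{ Name = "VGW-1a2b3c4d-Tunnel1"; Remote = "TUNNEL1_ENDPOINT_IP"; Psk = "TUNNEL1_PSK_PLACEHOLDER" },
    @{ Name = "VGW-1a2b3c4d-Tunnel2"; Remote = "TUNNEL2_ENDPOINT_IP"; Psk = "TUNNEL2_PSK_PLACEHOLDER" }
)

# Main Mode (IKE SA) settings from the configuration file. These are already the
# Windows Server 2008 R2 defaults; setting them explicitly records them in the script.
netsh advfirewall set global mainmode mmsecmethods dhgroup2:aes128-sha1,dhgroup2:3des-sha1
netsh advfirewall set global mainmode mmkeylifetime 480min,0sess

foreach ($t in $Tunnels) {
    # Drop any earlier rule of the same name so the script can be re-run safely.
    netsh advfirewall consec delete rule name=$($t.Name) | Out-Null

    $netshArgs = @(
        "advfirewall", "consec", "add", "rule",
        "name=$($t.Name)", "enable=yes", "profile=any", "type=static", "mode=tunnel",
        "localtunnelendpoint=$LocalEndpoint",
        "remotetunnelendpoint=$($t.Remote)",
        "endpoint1=$OnPremCidr",
        "endpoint2=$VpcCidr",
        "protocol=any", "action=requireinclearout",
        "auth1=computerpsk", "auth1psk=$($t.Psk)",
        "qmsecmethods=ESP:SHA1-AES128+60min+100000kb",
        "exemptipsecprotectedconnections=no", "applyauthz=no",
        "qmpfs=dhgroup2"    # PFS can only be set here, not in the UI (see Important above)
    )
    & netsh $netshArgs
    if ($LASTEXITCODE -ne 0) { throw "netsh could not add rule $($t.Name)" }

    # Read the rule back so the endpoints, authentication method and PFS can be checked.
    netsh advfirewall consec show rule name=$($t.Name)
}
```

Run it from an elevated PowerShell prompt on the Windows server; the pre-shared key is only ever shown in the rule output, so clear the console history afterwards if the session is shared.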

Option 2: Use the Windows Server User Interface

You can also use the Windows server user interface to set up the VPN tunnel. This section guides you through the steps.

Important

You can't enable master key perfect forward secrecy (PFS) using the Windows Server 2008 R2 user interface. Therefore, if you decide to use PFS, you must use the netsh scripts described in option 1 instead of the user interface described in this option.

2.1: Configure a Security Rule for a VPN Tunnel

In this section, you will configure a security rule on your Windows server to create a VPN tunnel.

To configure a security rule for a VPN tunnel

  1. In the Server Manager navigation pane, expand Configuration, and then expand Windows Firewall with Advanced Security.

  2. Right-click Connection Security Rules, and then click New Rule.

  3. In the New Connection Security Rule wizard, on the Rule Type page, click Tunnel, and then click Next.

  4. On the Tunnel Type page, under What type of tunnel would you like to create, click Custom Configuration. Under Would you like to exempt IPsec-protected connections from this tunnel, leave the default value checked (No. Send all network traffic that matches this connection security rule through the tunnel), and then click Next.

  5. On the Requirements page, click Require authentication for inbound connections. Do not establish tunnels for outbound connections, and then click Next.

    (Figure: Requirements page)

  6. On Tunnel Endpoints page, under Which computers are in Endpoint 1, click Add. Enter the CIDR range of your network (behind your Windows server customer gateway), and then click OK. (Note that the range can include the IP address of your customer gateway.)

  7. Under What is the local tunnel endpoint (closest to computer in Endpoint 1), click Edit. Enter the private IP address of your Windows server, and then click OK.

  8. Under What is the remote tunnel endpoint (closest to computers in Endpoint 2), click Edit. Enter the IP address of the virtual private gateway for Tunnel 1 from the configuration file (see Remote Tunnel Endpoint), and then click OK.

    Important

    If you are repeating this procedure for Tunnel 2, be sure to select the endpoint for Tunnel 2.

  9. Under Which computers are in Endpoint 2, click Add. Enter the CIDR block of your VPC, and then click OK.

    Important

    You must scroll in the dialog box until you locate Which computers are in Endpoint 2. Do not click Next until you have completed this step, or you won't be able to connect to your server.

    (Figure: New Connection Security Rule Wizard: Tunnel Endpoints)

  10. Confirm that all the settings you've specified are correct, and then click Next.

  11. On the Authentication Method page, select Advanced, and then click Customize.

  12. Under First authentication methods, click Add.

  13. Select Pre-Shared key, enter the pre-shared key value from the configuration file, and click OK.

    Important

    If you are repeating this procedure for Tunnel 2, be sure to select the pre-shared key for Tunnel 2.

    (Figure: Add First Authentication Method)

  14. Ensure that First authentication is optional is not selected, and click OK.

  15. On the Authentication Method page, click Next.

  16. On the Profile page, select all three check boxes: Domain, Private, and Public, and then click Next.

  17. On the Name page, enter a name for your connection rule, and then click Finish.

    (Figure: New Connection Security Rule Wizard)

Repeat the above procedure, specifying the data for Tunnel 2 from your configuration file.

After you've finished, you’ll have two tunnels configured for your VPN connection.

2.3: Confirm the Tunnel Configuration

To confirm tunnel configuration

  1. In the Server Manager navigation pane, expand the Configuration node, expand Windows Firewall with Advanced Security, and then click Connection Security Rules.

  2. Verify the following for both tunnels:

    • Enabled is Yes

    • Authentication mode is Require inbound and clear outbound

    • Authentication method is Custom

    • Endpoint 1 port is Any

    • Endpoint 2 port is Any

    • Protocol is Any

  3. Double-click the security rule for your first tunnel.

  4. On the Computers tab, verify the following:

    • Under Endpoint 1, the CIDR block range shown matches the CIDR block range of your network.

    • Under Endpoint 2, the CIDR block range shown matches the CIDR block range of your VPC.

  5. On the Authentication tab, under Method, click Customize, and verify that First authentication methods contains the correct pre-shared key from your configuration file for the tunnel, and then click OK.

  6. On the Advanced tab, verify that Domain, Private, and Public are all selected.

  7. Under IPsec tunneling, click Customize. Verify the following IPsec tunneling settings.

    • Use IPsec tunneling is selected.

    • Local tunnel endpoint (closest to Endpoint 1) contains the IP address of your server.

    • Remote tunnel endpoint (closest to Endpoint 2) contains the IP address of the virtual private gateway for this tunnel.

  8. Double-click the security rule for your second tunnel. Repeat steps 4 to 7 for this tunnel.

2.4: Configure the Windows Firewall

After setting up your security rules on your server, configure some basic IPsec settings to work with the virtual private gateway.

To configure the Windows firewall

  1. In the Server Manager navigation pane, right-click Windows Firewall with Advanced Security, and then click Properties.

  2. Click the IPsec Settings tab.

  3. Under IPsec exemptions, verify that Exempt ICMP from IPsec is No (default). Verify that IPsec tunnel authorization is None.

  4. Under IPsec defaults, click Customize.

  5. In the Customize IPsec Settings dialog box, under Key exchange (Main Mode), select Advanced and then click Customize.

  6. In Customize Advanced Key Exchange Settings, under Security methods, verify that these default values are used for the first entry.

    • Integrity: SHA-1

    • Encryption: AES-CBC 128

    • Key exchange algorithm: Diffie-Hellman Group 2

    • Under Key lifetimes, verify that Minutes is 480 and Sessions is 0.

    These settings correspond to these entries in the configuration file:

    MainModeSecMethods: DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
    MainModeKeyLifetime: 480min,0sec
    (Figure: Customize Advanced Key Exchange Settings)

  7. Under Key exchange options, select Use Diffie-Hellman for enhanced security, and then click OK.

  8. Under Data protection (Quick Mode), click Advanced, and then click Customize.

  9. Click Require encryption for all connection security rules that use these settings.

  10. Under Data integrity and encryption algorithms, leave the default values:

    • Protocol: ESP

    • Integrity: SHA-1

    • Encryption: AES-CBC 128

    • Lifetime: 60 minutes

    These values correspond to the following entries in the configuration file:

    QuickModeSecMethods:
    ESP:SHA1-AES128+60min+100000kb,ESP:SHA1-3DES+60min+100000kb

  11. Click OK to return to the Customize IPsec Settings dialog box, and then click OK again to save the configuration.

Step 5: Enable Dead Gateway Detection

Next, you need to configure TCP to detect when a gateway becomes unavailable. You can do this by modifying this registry key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. Do not perform this step until you’ve completed the preceding sections. After you change the registry key, you must reboot the server.

To enable dead gateway detection

  1. On the server, click Start, and then type regedit to start Registry Editor.

  2. Expand HKEY_LOCAL_MACHINE, expand SYSTEM, expand CurrentControlSet, expand Services, expand Tcpip, and then expand Parameters.

  3. In the other pane, right-click, point to New, and select DWORD (32-bit) Value.

  4. Enter the name EnableDeadGWDetect.

  5. Right-click EnableDeadGWDetect, and click Modify.

  6. In Value data, enter 1, and then click OK.

  7. Close Registry Editor and reboot the server.

For more information, go to EnableDeadGWDetect on the Microsoft TechNet website.

Step 6: Test the VPN Connection

Get the private IP address of a running instance in your VPC, and then use the ping command from the Windows server to test the VPN connection; for example:

PROMPT> ping 10.0.0.4

Pinging 10.0.0.4 with 32 bytes of data:
Reply from 10.0.0.4: bytes=32 time=2ms TTL=62
Reply from 10.0.0.4: bytes=32 time=2ms TTL=62
Reply from 10.0.0.4: bytes=32 time=2ms TTL=62
Reply from 10.0.0.4: bytes=32 time=2ms TTL=62

Ping statistics for 10.0.0.4:
	Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
	Minimum = 2ms, Maximum = 2ms, Average = 2ms

In the Amazon VPC console, on the VPN Connections page, select your VPN connection. The first tunnel is in the UP state. The second tunnel should be configured, but it won't be used unless the first tunnel goes down.

It may take a few moments to establish the encrypted tunnels. If the ping command fails, check the following information:

  • Ensure that you have configured your security group rules to allow ICMP to the instance in your VPC. If your Windows server is an EC2 instance, ensure that its security group's outbound rules allow IPsec traffic. For more information, see Prerequisites.

  • Ensure that the operating system on the instance you are pinging is configured to respond to ICMP. We recommend that you use one of the Amazon Linux AMIs.

  • If the instance you are pinging is a Windows instance, log in to the instance and enable inbound ICMPv4 on the Windows firewall.

  • Ensure that you have configured the route tables for your VPC or your subnet correctly. For more information, see Prerequisites.
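The following PowerShell script is an added example, not part of the AWS guide: run on the Windows server after Step 5's reboot, it walks the checklist above (both rules present and enabled, dead gateway detection on, ICMP reply through the tunnel) and then lists the negotiated IKE and IPsec security associations so you can see which tunnel is actually up. The rule names and the test host IP are placeholders matching names and addresses used elsewhere in this guide; substitute your own.

```powershell
# Added example (not from the AWS guide): after both tunnels are configured and the
# server has been rebooted, check the items in the troubleshooting list above.
# $VpcTestHost and $RuleNames are placeholders: the private IP of a running instance
# in your VPC and the names you gave the two connection security rules.
$VpcTestHost = "10.0.0.4"
$RuleNames   = @("VGW-1a2b3c4d-Tunnel1", "VGW-1a2b3c4d-Tunnel2")
$Problems    = @()

# 1. Both connection security rules must exist and be enabled (section 2.3).
foreach ($name in $RuleNames) {
    $ruleText = netsh advfirewall consec show rule name=$name
    if ($LASTEXITCODE -ne 0 -or -not ($ruleText -match '^Enabled:\s+Yes')) {
        $Problems += "Rule '$name' is missing or not enabled"
    }
}

# 2. Dead gateway detection (Step 5) must be on so TCP notices an unavailable gateway.
$tcpipKey = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
$dgw = (Get-ItemProperty -Path $tcpipKey -ErrorAction SilentlyContinue).EnableDeadGWDetect
if ($dgw -ne 1) { $Problems += "EnableDeadGWDetect is not 1 under $tcpipKey (set it and reboot)" }

# 3. ICMP through the tunnel: the same test as the ping command above.
if (-not (Test-Connection -ComputerName $VpcTestHost -Count 4 -Quiet)) {
    $Problems += "No ICMP reply from $VpcTestHost; check the instance's security group (ICMP), " +
                 "the subnet route table, and the instance's own firewall"
}

# 4. Show which tunnel actually negotiated: the main-mode and quick-mode SAs list the
#    remote endpoint of the tunnel that is UP; an empty list means no IKE exchange happened.
"Main Mode SAs:";  netsh advfirewall monitor show mmsa
"Quick Mode SAs:"; netsh advfirewall monitor show qmsa

if ($Problems.Count -eq 0) { "All checks passed" } else { $Problems | ForEach-Object { Write-Warning $_ } }
```

It can take a few moments after the reboot for the first tunnel to come up, so an empty SA list on the first run is not by itself a failure; re-run the script before changing anything.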