Tree [94b7ba] master /

File              Date        Author      Commit
LICENSE.txt       2013-12-16  Adam Clark  [94b7ba] Initial commit
ManageAWSVPN.tcl  2013-12-16  Adam Clark  [94b7ba] Initial commit
README.txt        2013-12-16  Adam Clark  [94b7ba] Initial commit

Read Me

Version	Date		Comments
0.1		12/12/2013	Initial Release

Many portions of this software were sourced from tclcloud, originally developed by Patrick Dunnigan.

This script is intended for those who have a dynamic IP address but would like the
connection to an AWS VPC to remain up when the public IP address changes.

The script maintains both Customer Gateways and VPN Connections that are linked to an existing
VPN Gateway.

It is designed to be run from IOS EEM, triggered by a Dialer interface coming up, or manually
triggered using "event manager run ManageAWSVPN.tcl".

The dialer coming up is identified by a syslog message that is like:
%DIALER-6-BIND: Interface Vi2 bound to profile Di0

It can also be run from a Linux environment, where it will configure AWS for the VPN and provide
the necessary configuration to apply to enable the services.  To run it under Linux you will need
to run (RHEL):
yum install tcl tcllib 

The ::cisco register and namespace configuration lines will also need to be commented out.

It requires an existing VPN Gateway to be created and tagged under the key "ConnectedTo" with
either the hostname of the router or whatever is set by the _AWSHostname environment variable.
The VPN Gateway will also need to be set up to propagate routes from the gateway to a routing
table.  This does not need to be re-created every time.

If debugging the script, use "terminal length 0" and "terminal monitor" to allow the terminal window to keep up.

Script Pseudo Code
1. Initialise and gather relevant information from environment variables or command line arguments
2. Identify VPN Gateways that are tagged with ConnectedTo:[hostname|_AWSHostname]
3. Identify VPN Connections linked to the discovered VPN Gateway
4. Identify Customer Gateways linked to the discovered VPN Connections
5. Destroy VPN Connections, then Customer Gateways
6. Remove IOS configuration related to any existing VPN Connections and clean up any other stale
   configuration if the router has gotten out of sync with AWS for some reason.
7. Create a new Customer Gateway and tag it for later verification
8. Create a new VPN Connection linking the new Customer Gateway and the discovered VPN Gateway
9. Configure the router with the crypto and BGP information.
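The discovery and teardown logic of steps 2 to 5, as an added example in Python (not the project's Tcl script), run over constructed data in the shape of the EC2 DescribeVpnGateways and DescribeVpnConnections responses. The hostname, gateway and connection identifiers are made up for the example.

```python
# Added example, not the project's code: steps 2-5 of the pseudo code above
# over constructed EC2 describe-style data, without any network access.

HOSTNAME = "router1"  # constructed; the script uses the IOS hostname or _AWSHostname

# Constructed responses (identifiers are made up).
VPN_GATEWAYS = [
    {"VpnGatewayId": "vgw-aaaa0001", "State": "available",
     "Tags": [{"Key": "ConnectedTo", "Value": "router1"}]},
    {"VpnGatewayId": "vgw-aaaa0002", "State": "available",
     "Tags": [{"Key": "ConnectedTo", "Value": "router2"}]},
]
VPN_CONNECTIONS = [
    {"VpnConnectionId": "vpn-bbbb0001", "State": "available",
     "VpnGatewayId": "vgw-aaaa0001", "CustomerGatewayId": "cgw-cccc0001"},
    {"VpnConnectionId": "vpn-bbbb0002", "State": "deleted",
     "VpnGatewayId": "vgw-aaaa0001", "CustomerGatewayId": "cgw-cccc0002"},
    {"VpnConnectionId": "vpn-bbbb0003", "State": "available",
     "VpnGatewayId": "vgw-aaaa0002", "CustomerGatewayId": "cgw-cccc0003"},
]

def tag_value(resource, key):
    """Return the value of tag `key`, or None if the resource lacks it."""
    for tag in resource.get("Tags", []):
        if tag["Key"] == key:
            return tag["Value"]
    return None

def find_vpn_gateways(gateways, hostname):
    """Step 2: VPN gateways tagged ConnectedTo:<hostname> (exact match, not substring)."""
    return [g["VpnGatewayId"] for g in gateways
            if g["State"] != "deleted" and tag_value(g, "ConnectedTo") == hostname]

def plan_teardown(gateways, connections, hostname):
    """Steps 3-5: the delete calls to issue, in dependency order.

    A customer gateway cannot be deleted while a VPN connection still
    references it, so connections go first.  Entries already in the
    'deleted' state are skipped: EC2 keeps reporting them for a while,
    and deleting them again would only fail.
    """
    vgws = set(find_vpn_gateways(gateways, hostname))
    live = [c for c in connections
            if c["VpnGatewayId"] in vgws and c["State"] != "deleted"]
    plan = [("DeleteVpnConnection", c["VpnConnectionId"]) for c in live]
    # Deduplicate in case two connections share one customer gateway.
    for cgw in dict.fromkeys(c["CustomerGatewayId"] for c in live):
        plan.append(("DeleteCustomerGateway", cgw))
    return plan
```

The access key the script runs under needs only the EC2 describe, create and delete actions for VPN gateways, VPN connections and customer gateways, plus CreateTags for step 7; scoping the IAM policy to those actions is what "only the privileges needed" in the variable table amounts to.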

The script relies on some external libraries that need to be copied to the router flash drive.
All files must be located in the location identified by the "event manager directory user library"
configuration option.  The configuration example below uses flash:/tcl/
All files can be copied from the tcllib sources at
or an example location for RHEL is /usr/share/tcl8.5/tcllib-1.11.1/
The following files need to be copied: base64.tcl sha1.tcl sha256.tcl uri.tcl

Router#dir flash:/tcl/
Directory of flash:/tcl/

  18  -rw-       11562   Dec 9 2014 14:33:58 +11:00  base64.tcl
  19  -rw-       24228   Dec 9 2014 14:34:06 +11:00  sha1.tcl
  20  -rw-       24722   Dec 9 2014 14:34:12 +11:00  sha256.tcl
  21  -rw-       28896   Dec 9 2014 14:34:20 +11:00  uri.tcl
  22  -rw-         792   Dec 9 2014 15:25:48 +11:00  pkgIndex.tcl
  23  -rw-        6000  Dec 10 2014 11:30:12 +11:00  tls.tcl

The script itself needs to be in the location set by "event manager directory user policy".  The example
below uses flash:/

The script has a number of environment variables that can be set to change its behaviour at runtime.
They can be set with the "event manager environment <Key> [<Value>]" command.

The following is a list of environment variables:
Recommended  Name                  Default Value  Description
M            _AWSKey                              API Access Key; this user should only be
                                                  granted the privileges needed
M            _AWSSecretKey                        API Access Secret Key
R            _AWSRegion            default
             _AWSDebugLevel        0              0: Off; 1: High level information; 2: More verbose;
                                                  3: Everything
             _AWSPublicInterface   Dialer0        The interface you want AWS to connect to
             _AWSTunnel1Num        722401         AWS IPSec Tunnel 1 Number
             _AWSTunnel2Num        722402         AWS IPSec Tunnel 2 Number
             _AWSSleepBefore       0              Seconds to sleep before doing anything, allows for
                                                  network convergence
*            _AWSMaxRun            120            EEM kills off scripts if they run too long.

* Requires a re-register of the EEM policy, e.g.:
no event manager policy ManageAWSVPN.tcl
event manager policy ManageAWSVPN.tcl

This script only manages the configuration that changes with each Customer Gateway.
Below is the configuration that should be applied prior to running this script.
The crypto configuration is identical to that supplied by Amazon, except that the ISAKMP policy,
which Amazon repeats for each tunnel, is defined once.

All of the relevant BGP settings are applied to a peer-group.  The script just manages members of the

crypto isakmp policy 7224
  encryption aes 128
  authentication pre-share
  group 2
  lifetime 28800
  hash sha

crypto ipsec df-bit clear
crypto isakmp keepalive 10 10 on-demand
crypto ipsec security-association replay window-size 128
crypto ipsec fragmentation before-encryption

! Only advertise paths originating from local AS
ip as-path access-list 72 permit ^$

router bgp 65535
 neighbor AWS peer-group
 neighbor AWS remote-as 7224
 neighbor AWS timers 10 30 30
 address-family ipv4
  ! Place any network statements to populate the BGP table
  network x.x.x.x mask y.y.y.y
  neighbor AWS soft-reconfiguration inbound
  neighbor AWS filter-list 72 out

event manager environment _AWSKey <AccessKey>
event manager environment _AWSSecretKey <SecretKey>

event manager directory user policy flash:/
event manager directory user library flash:/tcl/


It is probably ideal to set the region that is closest for the best response times.

Description                            Region          Preferred Protocol
US East (Northern Virginia) Region     us-east-1       HTTPS
US West (Oregon) Region                us-west-2       HTTPS
US West (Northern California) Region   us-west-1       HTTPS
EU (Ireland) Region                    eu-west-1       HTTPS
Asia Pacific (Singapore) Region        ap-southeast-1  HTTPS
Asia Pacific (Sydney) Region           ap-southeast-2  HTTPS
Asia Pacific (Tokyo) Region            ap-northeast-1  HTTPS
South America (Sao Paulo) Region       sa-east-1       HTTPS

event manager environment _AWSRegion <Region>