
Write isakmp and ipsec policy based on configuration #33

92 changes: 52 additions & 40 deletions deployment/transit-vpc-primary-account-existing-vpc.template
Expand Up @@ -316,26 +316,32 @@
"ios-config-6=\"group 2\"\n",
"ios-config-7=\"lifetime 28800\"\n",
"ios-config-8=\"hash sha\"\n",
"ios-config-9=\"crypto ipsec transform-set ipsec-prop-vpn-aws esp-aes 128 esp-sha-hmac\"\n",
"ios-config-10=\"mode tunnel\"\n",
"ios-config-11=\"crypto ipsec df-bit clear\"\n",
"ios-config-12=\"crypto isakmp keepalive 10 10 periodic\"\n",
"ios-config-13=\"crypto ipsec security-association replay window-size 1024\"\n",
"ios-config-14=\"crypto ipsec fragmentation before-encryption\"\n",
"ios-config-15=\"no crypto ipsec nat-transparency udp-encapsulation\"\n",
"ios-config-16=\"crypto ipsec profile ipsec-vpn-aws\"\n",
"ios-config-17=\"set pfs group2\"\n",
"ios-config-18=\"set security-association lifetime seconds 3600\"\n",
"ios-config-19=\"set transform-set ipsec-prop-vpn-aws\"\n",
"ios-config-20=\"router bgp ", { "Ref" : "BgpAsn" },"\"\n",
"ios-config-21=\"bgp log-neighbor-changes\"\n",
"ios-config-22=\"ip vrf vpn0\"\n",
"ios-config-23=\"rd ", { "Ref" : "BgpAsn" }, ":0\"\n",
"ios-config-24=\"ip ssh pubkey-chain\"\n",
"ios-config-25=\"username ", { "Fn::FindInMap" : [ "Function", "Csr", "UserName"]}, "\"\n",
"ios-config-26=\"key-hash ssh-rsa ", { "Fn::GetAtt" : [ "CreateRsaKey", "Fingerprint" ] },"\"\n",
"ios-config-27=\"ip ssh server algorithm authentication publickey\"\n",
"ios-config-28=\"ip ssh maxstartups 1\"\n"
"ios-config-9=\"crypto isakmp policy 214\"\n",
"ios-config-10=\"encryption aes 128\"\n",
"ios-config-11=\"authentication pre-share\"\n",
"ios-config-12=\"group 14\"\n",
"ios-config-13=\"lifetime 28800\"\n",
"ios-config-14=\"hash\"\n",
"ios-config-15=\"crypto ipsec transform-set ipsec-prop-vpn-aws esp-aes 128 esp-sha-hmac\"\n",
"ios-config-16=\"mode tunnel\"\n",
"ios-config-17=\"crypto ipsec df-bit clear\"\n",
"ios-config-18=\"crypto isakmp keepalive 10 10 periodic\"\n",
"ios-config-19=\"crypto ipsec security-association replay window-size 1024\"\n",
"ios-config-20=\"crypto ipsec fragmentation before-encryption\"\n",
"ios-config-21=\"no crypto ipsec nat-transparency udp-encapsulation\"\n",
"ios-config-22=\"crypto ipsec profile ipsec-vpn-aws\"\n",
"ios-config-23=\"set pfs group2\"\n",
"ios-config-24=\"set security-association lifetime seconds 3600\"\n",
"ios-config-25=\"set transform-set ipsec-prop-vpn-aws\"\n",
"ios-config-26=\"router bgp ", { "Ref" : "BgpAsn" },"\"\n",
"ios-config-27=\"bgp log-neighbor-changes\"\n",
"ios-config-28=\"ip vrf vpn0\"\n",
"ios-config-29=\"rd ", { "Ref" : "BgpAsn" }, ":0\"\n",
"ios-config-30=\"ip ssh pubkey-chain\"\n",
"ios-config-31=\"username ", { "Fn::FindInMap" : [ "Function", "Csr", "UserName"]}, "\"\n",
"ios-config-32=\"key-hash ssh-rsa ", { "Fn::GetAtt" : [ "CreateRsaKey", "Fingerprint" ] },"\"\n",
"ios-config-33=\"ip ssh server algorithm authentication publickey\"\n",
"ios-config-34=\"ip ssh maxstartups 1\"\n"
]]}}
}
},
Expand Down Expand Up @@ -366,26 +372,32 @@
"ios-config-6=\"group 2\"\n",
"ios-config-7=\"lifetime 28800\"\n",
"ios-config-8=\"hash sha\"\n",
"ios-config-9=\"crypto ipsec transform-set ipsec-prop-vpn-aws esp-aes 128 esp-sha-hmac\"\n",
"ios-config-10=\"mode tunnel\"\n",
"ios-config-11=\"crypto ipsec df-bit clear\"\n",
"ios-config-12=\"crypto isakmp keepalive 10 10 periodic\"\n",
"ios-config-13=\"crypto ipsec security-association replay window-size 1024\"\n",
"ios-config-14=\"crypto ipsec fragmentation before-encryption\"\n",
"ios-config-15=\"no crypto ipsec nat-transparency udp-encapsulation\"\n",
"ios-config-16=\"crypto ipsec profile ipsec-vpn-aws\"\n",
"ios-config-17=\"set pfs group2\"\n",
"ios-config-18=\"set security-association lifetime seconds 3600\"\n",
"ios-config-19=\"set transform-set ipsec-prop-vpn-aws\"\n",
"ios-config-20=\"router bgp ", { "Ref" : "BgpAsn" },"\"\n",
"ios-config-21=\"bgp log-neighbor-changes\"\n",
"ios-config-22=\"ip vrf vpn0\"\n",
"ios-config-23=\"rd ", { "Ref" : "BgpAsn" }, ":0\"\n",
"ios-config-24=\"ip ssh pubkey-chain\"\n",
"ios-config-25=\"username ", { "Fn::FindInMap" : [ "Function", "Csr", "UserName"]}, "\"\n",
"ios-config-26=\"key-hash ssh-rsa ", { "Fn::GetAtt" : [ "CreateRsaKey", "Fingerprint" ] },"\"\n",
"ios-config-27=\"ip ssh server algorithm authentication publickey\"\n",
"ios-config-28=\"ip ssh maxstartups 1\"\n"
"ios-config-9=\"crypto isakmp policy 214\"\n",
"ios-config-10=\"encryption aes 128\"\n",
"ios-config-11=\"authentication pre-share\"\n",
"ios-config-12=\"group 14\"\n",
"ios-config-13=\"lifetime 28800\"\n",
"ios-config-14=\"hash\"\n",
"ios-config-15=\"crypto ipsec transform-set ipsec-prop-vpn-aws esp-aes 128 esp-sha-hmac\"\n",
"ios-config-16=\"mode tunnel\"\n",
"ios-config-17=\"crypto ipsec df-bit clear\"\n",
"ios-config-18=\"crypto isakmp keepalive 10 10 periodic\"\n",
"ios-config-19=\"crypto ipsec security-association replay window-size 1024\"\n",
"ios-config-20=\"crypto ipsec fragmentation before-encryption\"\n",
"ios-config-21=\"no crypto ipsec nat-transparency udp-encapsulation\"\n",
"ios-config-22=\"crypto ipsec profile ipsec-vpn-aws\"\n",
"ios-config-23=\"set pfs group2\"\n",
"ios-config-24=\"set security-association lifetime seconds 3600\"\n",
"ios-config-25=\"set transform-set ipsec-prop-vpn-aws\"\n",
"ios-config-26=\"router bgp ", { "Ref" : "BgpAsn" },"\"\n",
"ios-config-27=\"bgp log-neighbor-changes\"\n",
"ios-config-28=\"ip vrf vpn0\"\n",
"ios-config-29=\"rd ", { "Ref" : "BgpAsn" }, ":0\"\n",
"ios-config-30=\"ip ssh pubkey-chain\"\n",
"ios-config-31=\"username ", { "Fn::FindInMap" : [ "Function", "Csr", "UserName"]}, "\"\n",
"ios-config-32=\"key-hash ssh-rsa ", { "Fn::GetAtt" : [ "CreateRsaKey", "Fingerprint" ] },"\"\n",
"ios-config-33=\"ip ssh server algorithm authentication publickey\"\n",
"ios-config-34=\"ip ssh maxstartups 1\"\n"
]]}}
}
},
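Review bot: The new ios-config-14 line, `"ios-config-14=\"hash\"\n"`, gives the IOS `hash` command no algorithm, so the CSR will most likely reject it as an incomplete command and `crypto isakmp policy 214` is left with the platform default hash instead of the one the rest of this configuration uses (`hash sha` on ios-config-8 and esp-sha-hmac in the transform-set). Writing it out as `"ios-config-14=\"hash sha\"\n",` keeps policy 214 consistent with the existing policy and makes the integrity algorithm of the ISAKMP SA explicit rather than implicit. The same line appears in the second hunk of this file and in both hunks of deployment/transit-vpc-primary-account.template. Since these entries are applied as boot-time ios-config, a rejected line only shows up in the instance console output, so it is worth confirming on a deployed instance that policy 214 carries the intended hash and group.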
92 changes: 52 additions & 40 deletions deployment/transit-vpc-primary-account.template
Expand Up @@ -402,26 +402,32 @@
"ios-config-6=\"group 2\"\n",
"ios-config-7=\"lifetime 28800\"\n",
"ios-config-8=\"hash sha\"\n",
"ios-config-9=\"crypto ipsec transform-set ipsec-prop-vpn-aws esp-aes 128 esp-sha-hmac\"\n",
"ios-config-10=\"mode tunnel\"\n",
"ios-config-11=\"crypto ipsec df-bit clear\"\n",
"ios-config-12=\"crypto isakmp keepalive 10 10 periodic\"\n",
"ios-config-13=\"crypto ipsec security-association replay window-size 1024\"\n",
"ios-config-14=\"crypto ipsec fragmentation before-encryption\"\n",
"ios-config-15=\"no crypto ipsec nat-transparency udp-encapsulation\"\n",
"ios-config-16=\"crypto ipsec profile ipsec-vpn-aws\"\n",
"ios-config-17=\"set pfs group2\"\n",
"ios-config-18=\"set security-association lifetime seconds 3600\"\n",
"ios-config-19=\"set transform-set ipsec-prop-vpn-aws\"\n",
"ios-config-20=\"router bgp ", { "Ref" : "BgpAsn" },"\"\n",
"ios-config-21=\"bgp log-neighbor-changes\"\n",
"ios-config-22=\"ip vrf vpn0\"\n",
"ios-config-23=\"rd ", { "Ref" : "BgpAsn" }, ":0\"\n",
"ios-config-24=\"ip ssh pubkey-chain\"\n",
"ios-config-25=\"username ", { "Fn::FindInMap" : [ "Function", "Csr", "UserName"]}, "\"\n",
"ios-config-26=\"key-hash ssh-rsa ", { "Fn::GetAtt" : [ "CreateRsaKey", "Fingerprint" ] },"\"\n",
"ios-config-27=\"ip ssh server algorithm authentication publickey\"\n",
"ios-config-28=\"ip ssh maxstartups 1\"\n"
"ios-config-9=\"crypto isakmp policy 214\"\n",
"ios-config-10=\"encryption aes 128\"\n",
"ios-config-11=\"authentication pre-share\"\n",
"ios-config-12=\"group 14\"\n",
"ios-config-13=\"lifetime 28800\"\n",
"ios-config-14=\"hash\"\n",
"ios-config-15=\"crypto ipsec transform-set ipsec-prop-vpn-aws esp-aes 128 esp-sha-hmac\"\n",
"ios-config-16=\"mode tunnel\"\n",
"ios-config-17=\"crypto ipsec df-bit clear\"\n",
"ios-config-18=\"crypto isakmp keepalive 10 10 periodic\"\n",
"ios-config-19=\"crypto ipsec security-association replay window-size 1024\"\n",
"ios-config-20=\"crypto ipsec fragmentation before-encryption\"\n",
"ios-config-21=\"no crypto ipsec nat-transparency udp-encapsulation\"\n",
"ios-config-22=\"crypto ipsec profile ipsec-vpn-aws\"\n",
"ios-config-23=\"set pfs group2\"\n",
"ios-config-24=\"set security-association lifetime seconds 3600\"\n",
"ios-config-25=\"set transform-set ipsec-prop-vpn-aws\"\n",
"ios-config-26=\"router bgp ", { "Ref" : "BgpAsn" },"\"\n",
"ios-config-27=\"bgp log-neighbor-changes\"\n",
"ios-config-28=\"ip vrf vpn0\"\n",
"ios-config-29=\"rd ", { "Ref" : "BgpAsn" }, ":0\"\n",
"ios-config-30=\"ip ssh pubkey-chain\"\n",
"ios-config-31=\"username ", { "Fn::FindInMap" : [ "Function", "Csr", "UserName"]}, "\"\n",
"ios-config-32=\"key-hash ssh-rsa ", { "Fn::GetAtt" : [ "CreateRsaKey", "Fingerprint" ] },"\"\n",
"ios-config-33=\"ip ssh server algorithm authentication publickey\"\n",
"ios-config-34=\"ip ssh maxstartups 1\"\n"
]]}}
}
},
Expand Down Expand Up @@ -452,26 +458,32 @@
"ios-config-6=\"group 2\"\n",
"ios-config-7=\"lifetime 28800\"\n",
"ios-config-8=\"hash sha\"\n",
"ios-config-9=\"crypto ipsec transform-set ipsec-prop-vpn-aws esp-aes 128 esp-sha-hmac\"\n",
"ios-config-10=\"mode tunnel\"\n",
"ios-config-11=\"crypto ipsec df-bit clear\"\n",
"ios-config-12=\"crypto isakmp keepalive 10 10 periodic\"\n",
"ios-config-13=\"crypto ipsec security-association replay window-size 1024\"\n",
"ios-config-14=\"crypto ipsec fragmentation before-encryption\"\n",
"ios-config-15=\"no crypto ipsec nat-transparency udp-encapsulation\"\n",
"ios-config-16=\"crypto ipsec profile ipsec-vpn-aws\"\n",
"ios-config-17=\"set pfs group2\"\n",
"ios-config-18=\"set security-association lifetime seconds 3600\"\n",
"ios-config-19=\"set transform-set ipsec-prop-vpn-aws\"\n",
"ios-config-20=\"router bgp ", { "Ref" : "BgpAsn" },"\"\n",
"ios-config-21=\"bgp log-neighbor-changes\"\n",
"ios-config-22=\"ip vrf vpn0\"\n",
"ios-config-23=\"rd ", { "Ref" : "BgpAsn" }, ":0\"\n",
"ios-config-24=\"ip ssh pubkey-chain\"\n",
"ios-config-25=\"username ", { "Fn::FindInMap" : [ "Function", "Csr", "UserName"]}, "\"\n",
"ios-config-26=\"key-hash ssh-rsa ", { "Fn::GetAtt" : [ "CreateRsaKey", "Fingerprint" ] },"\"\n",
"ios-config-27=\"ip ssh server algorithm authentication publickey\"\n",
"ios-config-28=\"ip ssh maxstartups 1\"\n"
"ios-config-9=\"crypto isakmp policy 214\"\n",
"ios-config-10=\"encryption aes 128\"\n",
"ios-config-11=\"authentication pre-share\"\n",
"ios-config-12=\"group 14\"\n",
"ios-config-13=\"lifetime 28800\"\n",
"ios-config-14=\"hash\"\n",
"ios-config-15=\"crypto ipsec transform-set ipsec-prop-vpn-aws esp-aes 128 esp-sha-hmac\"\n",
"ios-config-16=\"mode tunnel\"\n",
"ios-config-17=\"crypto ipsec df-bit clear\"\n",
"ios-config-18=\"crypto isakmp keepalive 10 10 periodic\"\n",
"ios-config-19=\"crypto ipsec security-association replay window-size 1024\"\n",
"ios-config-20=\"crypto ipsec fragmentation before-encryption\"\n",
"ios-config-21=\"no crypto ipsec nat-transparency udp-encapsulation\"\n",
"ios-config-22=\"crypto ipsec profile ipsec-vpn-aws\"\n",
"ios-config-23=\"set pfs group2\"\n",
"ios-config-24=\"set security-association lifetime seconds 3600\"\n",
"ios-config-25=\"set transform-set ipsec-prop-vpn-aws\"\n",
"ios-config-26=\"router bgp ", { "Ref" : "BgpAsn" },"\"\n",
"ios-config-27=\"bgp log-neighbor-changes\"\n",
"ios-config-28=\"ip vrf vpn0\"\n",
"ios-config-29=\"rd ", { "Ref" : "BgpAsn" }, ":0\"\n",
"ios-config-30=\"ip ssh pubkey-chain\"\n",
"ios-config-31=\"username ", { "Fn::FindInMap" : [ "Function", "Csr", "UserName"]}, "\"\n",
"ios-config-32=\"key-hash ssh-rsa ", { "Fn::GetAtt" : [ "CreateRsaKey", "Fingerprint" ] },"\"\n",
"ios-config-33=\"ip ssh server algorithm authentication publickey\"\n",
"ios-config-34=\"ip ssh maxstartups 1\"\n"
]]}}
}
},
7 changes: 6 additions & 1 deletion source/transit-vpc-push-cisco-config/lambda_function.py
Expand Up @@ -280,6 +280,11 @@ def create_cisco_config(bucket_name, bucket_key, s3_url, bgp_asn, ssh):
config_text.append(' match identity address {}'.format(vpn_gateway_tunnel_outside_address))
config_text.append(' keyring keyring-{}-{}'.format(vpn_connection_id,tunnelId))
config_text.append('exit')
config_text.append('crypto ipsec profile ipsec-{}-{}'.format(vpn_connection_id,tunnelId))
config_text.append(' set pfs {}').format(ipsec_perfect_forward_secrecy))
config_text.append(' set security-association lifetime seconds 3600'.format(vpn_gateway_tunnel_outside_address))
config_text.append(' set transform-set ipsec-prop-vpn-aws)
config_text.append('exit')
config_text.append('interface Tunnel{}'.format(tunnelId))
config_text.append(' description {} from {} to {} for account {}'.format(vpn_connection_id, vpn_gateway_id, customer_gateway_id, account_id))
config_text.append(' ip vrf forwarding {}'.format(vpn_connection_id))
Expand All @@ -288,7 +293,7 @@ def create_cisco_config(bucket_name, bucket_key, s3_url, bgp_asn, ssh):
config_text.append(' tunnel source GigabitEthernet1')
config_text.append(' tunnel destination {} '.format(vpn_gateway_tunnel_outside_address))
config_text.append(' tunnel mode ipsec ipv4')
config_text.append(' tunnel protection ipsec profile ipsec-vpn-aws')
config_text.append(' tunnel protection ipsec profile ipsec-{}-{}'.format(vpn_connection_id,tunnelId))
config_text.append(' ip tcp adjust-mss 1387')
config_text.append(' no shutdown')
config_text.append('exit')
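Review bot: The profile block added in the first hunk has two syntax errors that stop lambda_function.py from importing at all: `config_text.append(' set pfs {}').format(ipsec_perfect_forward_secrecy))` closes append() before `.format` and carries an extra `)`, and `config_text.append(' set transform-set ipsec-prop-vpn-aws)` never terminates its string literal. The neighbouring `' set security-association lifetime seconds 3600'.format(vpn_gateway_tunnel_outside_address)` has no placeholder, so the argument is silently discarded. The three lines should read `config_text.append(' set pfs {}'.format(ipsec_perfect_forward_secrecy))`, `config_text.append(' set security-association lifetime seconds 3600')` and `config_text.append(' set transform-set ipsec-prop-vpn-aws')`. `ipsec_perfect_forward_secrecy` is not assigned anywhere in the hunk; presumably create_cisco_config, which starts before this hunk, derives it from the VPN configuration earlier on, but that should be confirmed because a NameError here would abort the whole config push. The second hunk's `tunnel protection ipsec profile ipsec-{}-{}` matches the per-tunnel profile name created here, so it needs no change once this block parses.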