Something that I had been meaning to do for a long time was to create a VPN connection between my home lab (a VMware based nested ESXi environment in my basement) to one of my AWS VPCs.

Overview – As this is a simple setup, we’re going to go with a single VPN connection scenario:

There are several prerequisites that you need to have in place before doing this:



A local environment that has a different CIDR block range than your VPC. My local environment is 192.168.1.0/24 and my VPC is 172.31.0.0/16.

A local VM that you can use as your Customer Gateway. For this example, I’m going to use a Windows 2012 box and install the necessary VPN components onto it as we proceed.

At least one instance in your VPC to test with 😉

If you are running firewalls, you need to poke the correct holes (UDP 500 and TCP 50 inbound/outbound) where necessary on your side, as well as allow ICMP (at least) in your VPC.

The steps, in order, are as follows:

Step 1: Create a VPN Connection

Step 2: Download the Configuration File for the VPN Connection

Step 3: Configure the Windows Server

Step 4: Set Up the VPN Tunnel

Step 5: Establish tunnel from Windows (Customer Gateway)

Step 6: Configure the Windows Firewall

Step 7: Enable Dead Gateway Detection

Step 8: Test the VPN Connection

Create a VPN Connection

Create a Virtual Private Gateway on VPC

Attach the VPG to the relevant VPC:

Download the configuration of your newly created VPN Connection:

Configure the Windows Server (Customer Gateway)

To install Routing and Remote Access Services on Windows Server 2012 R2

Log on to the Windows Server 2012 R2 server.

Go to the Start menu, and choose Server Manager.

Install Routing and Remote Access Services: From the Manage menu, choose Add Roles and Features.

On the Before You Begin page, verify that your server meets the prerequisites, and then choose Next.

Choose Role-based or feature-based installation, and then choose Next.

Choose Select a server from the server pool, select your Windows 2012 R2 server, and then choose Next.

Select Network Policy and Access Services in the list. In the dialog box that displays, choose Add Features to confirm the features that are required for this role.

In the same list, choose Remote Access, and then choose Next.

On the Select features page, choose Next.

On the Network Policy and Access Services page, choose Next.

Leave Network Policy Server selected, and choose Next.

On the Remote Access page, choose Next.

On the next page, select DirectAccess and VPN (RAS). In the dialog box that displays, choose Add Features to confirm the features that are required for this role service.

In the same list, select Routing, and then choose Next.

On the Web Server Role (IIS) page, choose Next. Leave the default selection, and choose Next.

Choose Install.

When the installation completes, choose Close.

To configure and enable Routing and Remote Access Server

On the dashboard, choose Notifications (the flag icon). There should be a task to complete the post-deployment configuration.

Choose the Open the Getting Started Wizard link.

Choose Deploy VPN only.

In the Routing and Remote Access dialog box, choose the server name, choose Action, and select Configure and Enable Routing and Remote Access.

In the Routing and Remote Access Server Setup Wizard, on the first page, choose Next.

On the Configuration page, choose Custom Configuration and Next.

Choose LAN routing, Next, and Finish.

When prompted by the Routing and Remote Access dialog box, choose Start service.

Set up the VPN tunnel:

Update your route tables for the VPN connection:

Add a route to your private subnet’s route table with the virtual private gateway as the target, and the Windows server’s network (CIDR range) as the destination.

Enable route propagation for the virtual private gateway. This was the part that hung me up for a bit. My networking is rusty so I had to troubleshoot this for a bit before I got it working properly.

Establish tunnel from Windows (Customer Gateway)

Copy the netsh script from the downloaded configuration file and replace the variables:

That is the easiest way to do it; you can also do it manually using the following steps (but only do this if the first option doesn’t work):

Open Server Manager, choose Tools, and select Windows Firewall with Advanced Security.

Select Connection Security Rules, choose Action, and then New Rule.

In the New Connection Security Rule wizard, on the Rule Type page, choose Tunnel, and then choose Next.

On the Tunnel Type page, under What type of tunnel would you like to create, choose Custom configuration. Under Would you like to exempt IPsec-protected connections from this tunnel, leave the default value checked (No. Send all network traffic that matches this connection security rule through the tunnel), and then choose Next.

On the Requirements page, choose Require authentication for inbound connections. Do not establish tunnels for outbound connections, and then choose Next.

On the Tunnel Endpoints page, under Which computers are in Endpoint 1, choose Add. Enter the CIDR range of your network (behind your Windows server customer gateway; for example, 172.31.0.0/16), and then choose OK. (Note that the range can include the IP address of your customer gateway.)

Under What is the local tunnel endpoint (closest to computer in Endpoint 1), choose Edit. In the IPv4 address field, enter the private IP address of your Windows server, and then choose OK.

Under What is the remote tunnel endpoint (closest to computers in Endpoint 2), choose Edit. In the IPv4 address field, enter the IP address of the virtual private gateway for Tunnel 1 from the configuration file (see Remote Tunnel Endpoint), and then choose OK.

You must scroll in the dialog box until you locate Which computers are in Endpoint 2. Do not choose Next until you have completed this step, or you won’t be able to connect to your server.



Confirm that all the settings you’ve specified are correct, and then choose Next.

On the Authentication Method page, select Advanced, and then choose Customize.

Under First authentication methods, choose Add.

Select Preshared key, enter the pre-shared key value from the configuration file, and choose OK.

Ensure that First authentication is optional is not selected, and choose OK.

Choose Next.

On the Profile page, select all three checkboxes: Domain, Private, and Public, and then choose Next.

On the Name page, enter a name for your connection rule and then choose Finish.

Configure the Windows Firewall

Open Server Manager, choose Tools, select Windows Firewall with Advanced Security, and then choose Properties.

On the IPsec Settings tab, under IPsec exemptions, verify that Exempt ICMP from IPsec is No (default).

Verify that IPsec tunnel authorization is None.

Under IPsec defaults, choose Customize.

Under Key exchange (Main Mode), select Advanced and then choose Customize.

In Customize Advanced Key Exchange Settings, under Security methods, verify that these default values are used for the first entry:

Integrity: SHA-1

Encryption: AES-CBC 128

Key exchange algorithm: Diffie-Hellman Group 2

Under Key lifetimes, verify that Minutes is 480 and Sessions is 0.

Under Key exchange options, select Use Diffie-Hellman for enhanced security, and then choose OK.

Under Data protection (Quick Mode), select Advanced, and then choose Customize.

Select Require encryption for all connection security rules that use these settings.

Under Data integrity and encryption, leave the default values:

Protocol: ESP

Integrity: SHA-1

Encryption: AES-CBC 128

Lifetime: 60 minutes

Enable Dead Gateway Detection

Next, you need to configure TCP to detect when a gateway becomes unavailable. You can do this by modifying this registry key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters. Do not perform this step until you’ve completed the preceding sections. After you change the registry key, you must reboot the server.

From your Windows server, launch the command prompt or a PowerShell session, and type regedit to start Registry Editor.

Expand HKEY_LOCAL_MACHINE, expand SYSTEM, expand CurrentControlSet, expand Services, expand Tcpip, and then expand Parameters.

From the Edit menu, select New and select DWORD (32-bit) Value.

Enter the name EnableDeadGWDetect.

Select EnableDeadGWDetect, and choose Modify from the Edit menu.

In Value data, enter 1, and then choose OK.

Test the VPN connection!

If you did everything correctly, you should now be able to ping your AWS instance from an on-prem box and vice versa!
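Before reaching for the comments, it helps to confirm that Steps 5 to 8 actually landed on the customer gateway (the connection security rule, the Main Mode and Quick Mode defaults, the EnableDeadGWDetect value, and reachability). The script below is an added PowerShell example, not part of the original post or of the AWS configuration file; the rule name, VGW tunnel address and test instance IP are placeholders you replace with your own values.

```powershell
# Added verification script (not from the original post or the AWS configuration file).
# Run in an elevated PowerShell on the Windows Server 2012 R2 customer gateway after
# Steps 5 to 7. The three values below are placeholders; take them from your own
# VPN configuration file and VPC.
$RuleName    = 'AWS VPN Tunnel 1'   # name chosen on the wizard's Name page
$VgwTunnel1  = '203.0.113.10'       # VGW outside IP for Tunnel 1 (Remote Tunnel Endpoint)
$VpcTestHost = '172.31.10.20'       # private IP of a test instance inside the VPC

# Step 5: the tunnel-mode connection security rule must exist and be enabled.
$rule = Get-NetIPsecRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $rule) { Write-Warning "No connection security rule named '$RuleName'"; return }
$rule | Select-Object DisplayName, Enabled, Mode, InboundSecurity, OutboundSecurity,
                      LocalTunnelEndpoint, RemoteTunnelEndpoint | Format-List

# Step 6, Main Mode: some active crypto set must lead with SHA-1 / AES-CBC 128 /
# Diffie-Hellman group 2 and use a 480 minute, 0 session key lifetime.
$mmOk = $false
foreach ($set in Get-NetIPsecMainModeCryptoSet -PolicyStore ActiveStore) {
    $p = $set.Proposal | Select-Object -First 1
    "Main Mode '$($set.DisplayName)': $($p.KeyExchange)-$($p.Encryption)-$($p.Hash), $($set.MaxMinutes) min / $($set.MaxSessions) sess"
    if ($p.Hash -eq 'SHA1' -and $p.Encryption -eq 'AES128' -and $p.KeyExchange -eq 'DH2' -and
        $set.MaxMinutes -eq 480 -and $set.MaxSessions -eq 0) { $mmOk = $true }
}
"Main Mode matches Step 6: $mmOk"

# Step 6, Quick Mode: ESP with SHA-1 / AES-CBC 128 and a 60 minute lifetime.
$qmOk = $false
foreach ($set in Get-NetIPsecQuickModeCryptoSet -PolicyStore ActiveStore) {
    $q = $set.Proposal | Select-Object -First 1
    if ($q.Encapsulation -eq 'ESP' -and $q.ESPHash -eq 'SHA1' -and
        $q.Encryption -eq 'AES128' -and $q.MaxMinutes -eq 60) { $qmOk = $true }
}
"Quick Mode matches Step 6: $qmOk"

# Step 7: EnableDeadGWDetect must be 1 (and the server rebooted after setting it).
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$dgw = (Get-ItemProperty -Path $tcpip -Name EnableDeadGWDetect -ErrorAction SilentlyContinue).EnableDeadGWDetect
"EnableDeadGWDetect = $dgw (expected 1)"

# Is an IKE Main Mode SA up with the VGW? If not, check UDP 500 and ESP on the
# firewalls from the prerequisites before looking anywhere else.
if (Get-NetIPsecMainModeSA | Where-Object { $_.RemoteEndpoint -eq $VgwTunnel1 }) {
    "Main Mode SA established with $VgwTunnel1"
} else { Write-Warning "No Main Mode SA with $VgwTunnel1 yet" }

# Step 8: end-to-end test through the tunnel.
if (Test-Connection -ComputerName $VpcTestHost -Count 2 -Quiet) { "Ping to $VpcTestHost OK" }
else { Write-Warning "No reply from $VpcTestHost; check route propagation and the security group ICMP rule" }
```

If the Main Mode SA is missing, the problem is at the IKE layer (firewall holes or pre-shared key) rather than in the VPC route tables, so that is the place to start.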

If you run into any problems, or I’ve fudged a step here, please let me know in the comments 🙂