One if the great features of both AWS and Meraki is the support for third party IPSec VPNs. These VPN tunnels give you a secure way of communicating with your services within AWS or your devices and LAN behind the Meraki MX via private IP, but only needing internet access to create the tunnel. This AWS VPN can be used in a commercial environment, to provide private access to VPC instances and beyond from on premise or from the DC, and can also be a backup link behind a Direct Connect link for use in the case of failure of the Direct Connect service.

In my previous post, I showed how to create a Python application that managed an EC2 instance (to start/stop it) via AWS API calls. For this post series, I am going to build a VPN tunnel from my Meraki MX network to my AWS VPC via API calls to both platforms, so I can connect to the EC2 instance via private IP (in my VPC’s case – to the 172.16.x.x range) rather than having to come in to a public IP.

The steps in this application are taken from the GUI visual setup detailed in this ritcsec post. Its assumed for our code that the VPC is setup, a subnet is created, you have built an EC2 instance (so we can ping it and ssh/rdp to it via the private IP across the tunnel) and have turned ON VPN participation for the LAN subnet(s) on the Meraki (Security-Site to Site-VPN Settings). 

You also need to configure Tags for the VPC and route table as per below, so that the application can find the resources when it searches the list.

The following code uses a few python modules, which need to be installed if not done already:

$ pip install meraki_sdk xmltodict boto3

The following sequence outlines the steps we will take to build this app, and successfully create a VPN tunnel from the Meraki MX to the AWS VPC. The finished app can be downloaded at the end of the last post, for those who want to skip ahead !

# Meraki info step
# ———————————–
# 1. Get MX public IP
#
# AWS VPN creation steps
# ———————————–
# 1. Create Customer Gateway
# 2. Create Virtual Private Gateway
# 3. Attach VGW to VPC
# 4. Create VPN Connection using CGW + VPG
# 5. View Downloaded config with public IP and password
# 6. Add LAN routes to VPN table
# 7. Propogate VPC subnet into VPG
#
# Meraki VPN Creation step
# ————————————
# 1. read existing non Meraki VPN config
# 2. update config with AWS VPN peer detail

Firstly, we will import the required modules and setup the global variables to be used within the subroutines:

from meraki_sdk.meraki_sdk_client import MerakiSdkClient from meraki_sdk.exceptions.api_exception import APIException from meraki_sdk.models.update_organization_third_party_vpn_peers_model import UpdateOrganizationThirdPartyVPNPeersModel from meraki_sdk.models.peer_model import PeerModel

import boto3 import json import time import sys import xmltodict import re

meraki_public_ip = “1.1.1.1” aws_public_ip = “2.2.2.2” my_meraki_lan_subnet = “192.168.1.0/24” # Meraki LAN subnet – must be advertised to VPN on Meraki dashboard (Security->Site-to-Site VPN) [REQUIRED]
org_name = “My ORG NAME”               # Meraki ORG we want to work in [REQUIRED]
network_name = “My Network”             # ORG network we want to configure [REQUIRED] x_cisco_meraki_api_key = ‘XXX’ #  [REQUIRED] vpcTag = “MyVPC”                        # Name tag for my VPC table [REQUIRED] myRegion = “us-east-1” myRouteTable = “MyLanRoute”             # Name tag for my AWS route table [REQUIRED] myPassPhrase = “password” my_aws_lan_subnet = [‘172.31.16.0/20’]  # AWS VPC subnet (VPC->subnets) [REQUIRED]

params = {}

The few items that are key here are:

my_meraki_lan_subnet: this is obtained from the Meraki dashboard, and shows the LAN subnet(s) you have in the Meraki network

org_name: this is the name of your Meraki ORG that has the MX in it

network_name: this is the name of the network in your Meraki ORG that has the MX in it

x_cisco_meraki_api_key: this is the API key of a Meraki dahsboard ADMIN

vpcTag and myRouteTable: these are the tags configured on the VPC and Route table in AWS, which are used to match by the search engine when it looks for them in the list

my_aws_lan_subnet: is the subnet used within the VPC for instances

These variables need to be pre-populated before we run the application. How to set them up can be found in the GUI walkthorugh listed above.

The Meraki API documentation can be found HERE.

Next we are ready to run the main application call, which will check on the org_name being valid, and then run the 3 subroutines:

# Meraki info step [meraki_read()]

# AWS VPN creation steps [aws_vpn()]

# Meraki VPN Creation step [meraki_vpn()]

 meraki_client = MerakiSdkClient(x_cisco_meraki_api_key) # # get Meraki organisation list #     try:         print (“\n— Meraki to AWS VPN Application —\n”)         orgs = meraki_client.organizations.get_organizations()         for organisation in orgs:             print (“ORG ID and Name:”, organisation[“id”], organisation[“name”])             if organisation[“name”] == org_name:                 params[“organization_id”] = organisation[“id”]     except APIException as e:         print(e)         sys.exit(2)     if is_empty(params):         print (org_name, “NOT found in list”)         exit()

    meraki_read()     aws_vpn()          meraki_vpn()

We now have the ORG ID, so can continue to the dashboard and get the network ID and device details (specifically the public IP of the MX unit – needed to setup the AWS VPN)

# # get network list in org #     params[“network_id”] = “”     try:         print (“AP: networks.get_organization_networks. ORG:”, org_name)         nets = meraki_client.networks.get_organization_networks(params)         for network in nets:             print(network[“id”], network[“name”])             if network[“name”] == network_name:                 params[“network_id”] = network[“id”]     except APIException as e:         print(e)

    if is_empty(params[“network_id”]):         print (network_name, “NOT found in list”)         exit()

# # get device list in network #     try:         devices = meraki_client.devices.get_network_devices(params[“network_id”])         for items in devices:             print (items[“model”], items[“lanIp”], items[“firmware”], items[“serial”])             if re.match (“^MX”, items[“model”]):                 network_mx = {‘serial’: items[“serial”], ‘model’: items[“model”]}     except APIException as e:         print(e)

    print (“\n”) # # Get public IP #     try:         collect = {}         collect[‘network_id’] = params[“network_id”]         collect[‘serial’] = network_mx[“serial”]

        mx_uplink = meraki_client.devices.get_network_device_uplink(collect)         print (network_mx[“model”], “Public IPs (WAN1<>WAN2):”, mx_uplink[0][‘publicIp’], “<>”, mx_uplink[1][‘publicIp’])     except APIException as e:         print(e)

    meraki_public_ip = mx_uplink[0][‘publicIp’]

This routine uses the Merkai API calls via the meraki_sdk to get the Public IP. The variables that are returned from the Meraki calls are normally lists or dictionaries, so we just need to iterate through them to get the relevant value we are looking for. You can do a print (variable) if you want to get a full look at all the returned values, or better still – use json.dumps to display it in an easy to ready format with:

# print(json.dumps(response, sort_keys=True, indent=4))

Now that we have the meraki client setup and the public IP obtained for the MX network, we can move on to the steps for the AWS VPN creation.

This code uses the boto3 module, which provides AWSCLI functions via the python application.

The AWS boto3 documentation can be found HERE.

First we need to seetup the AWS Client. Here we define a region, and also use the profile of ‘james’ which has the API authentication setup for AWS to my VPC. I do this so I can have multiple profiles, and call them in the application depending on which VPC I am working in (details on this can be found in the previous EC2 post).

   boto3.setup_default_session(profile_name=’james’)     ec2 = boto3.resource(‘ec2’, region_name=myRegion)     client = boto3.client(‘ec2’, region_name=myRegion)

    filters = [{‘Name’:’tag:Name’, ‘Values’:[vpcTag]}]     vpcs = list(ec2.vpcs.filter(Filters=filters))     for vpc in vpcs:         myVpc = vpc.id         #response = client.describe_vpcs(VpcIds=[vpc.id,])         #print(json.dumps(response, sort_keys=True, indent=4))     print (“\nVPC ID:”, myVpc)

    response = client.describe_route_tables()     for routes in response[“RouteTables”]:         for myTags in routes[“Tags”]:             if myTags[“Key”] == “Name” and myTags[“Value”] == myRouteTable:                 myRouteID = routes[“RouteTableId”]         print (“Route Table ID: “, myRouteID)

Here we now have the boto3 client enabled, as well as the ID of the VPC and  the route table to be used with the VPN

In the next post, we will create the AWS VPN, and then create the Meraki VPN, and confirm they are setup and sending traffic via the private VPN !

AWS to Meraki VPN Tunnel with Python Part1
Tagged on:                 

One thought on “AWS to Meraki VPN Tunnel with Python Part1

Leave a Reply

Your email address will not be published. Required fields are marked *