---
title: "AWS Virtual Gateway"
slug: "configuring-a-site-to-site-ipsec-tunnel-to-aws-virtual-gateway"
updated: 2026-04-07T09:05:20Z
published: 2026-04-07T09:05:20Z
canonical: "support.perimeter81.com/configuring-a-site-to-site-ipsec-tunnel-to-aws-virtual-gateway"
stale: true
---

> ## Documentation Index
> Fetch the complete documentation index at: https://support.perimeter81.com/llms.txt
> Use this file to discover all available pages before exploring further.

# AWS Virtual Gateway


## Introduction

This guide walks you through establishing a Site-to-Site IPsec tunnel between your Check Point SASE network and your AWS environment, using an AWS Virtual Private Gateway as the AWS-side endpoint.

This configuration is best suited for scenarios where the connection is intended for a single VPC.

If you are dealing with multiple VPCs, please refer to our guide on configuring a Site-to-Site IPsec tunnel to [AWS Transit Gateway](/v1/docs/configuring-a-site-to-site-ipsec-tunnel-to-aws-transit-gateway).

**Breakdown of topics**

1. Pre-requisites
2. Configuration Steps
3. Verifying the Setup
4. Troubleshooting
5. Support Contacts

## Pre-requisites

To successfully follow this guide, you should have:

1. An active Check Point SASE account and network.
2. The Check Point SASE app installed on your devices.
3. An active AWS account with admin permissions.

## Configuration Steps

## Configuring the tunnel in the AWS Console

1. In the **AWS Console**, open **Services**, scroll down to **Networking & Content Delivery**, and select **VPC**.![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1650270509762.png)
2. In the left menu, under **Virtual Private Network (VPN)**, go to **Customer Gateways**.![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1650270783277.png)
3. Select **Create Customer Gateway**.
4. Select **Static** routing.
5. Fill in the public IP address of the Check Point SASE gateway. You can find it in the Check Point SASE Panel under **Networks**. This is the address AWS will expect the IKE negotiation to come from, so it must be the gateway's own public IP, not a NATed or load-balanced address.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1679942824327.png)
6. Select **Create Customer Gateway**. A message should display indicating the gateway was created successfully.![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1650271243264.png)

## Configuring a virtual private gateway

**Important:** If you already have a virtual private gateway attached to your VPC, skip this section and continue with **Creating a virtual private network connection**.

1. Go back to **Services**, scroll down to **Networking & Content Delivery,** and select **VPC**.![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1650270509762.png)
2. On the left side, under **Virtual Private Network (VPN)** select **Virtual Private Gateways**.  
**![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1650272481086.png)**
3. Select **Create Virtual Private Gateway**.  
**![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1650279733405.png)**
4. Type the name of the gateway (for example, US_HQ).
5. Under **ASN**, leave **Amazon default ASN** selected.
6. Select **Create Virtual Private Gateway**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image(164).png)

A message should display indicating that the **Virtual Private Gateway was created successfully**.

7. Select the newly created gateway and select **Actions**; on the context menu, select **Attach to VPC**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1650279986519.png)
8. From the drop-down menu, select the VPC and select **Yes, Attach**.

## Creating a virtual private network connection

1. Under **Virtual Private Network** in the left menu, go to **Site-to-Site VPN Connections**.![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1650280058138.png)
2. Select **Create VPN Connection**.  
**![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1650280142705.png)**
3. Enter the name tag (for example, US_HQ).
4. Select the created **Virtual Private** Gateway.
5. Under Customer Gateway, select **Existing**.
6. Select the **Customer Gateway** that you have created.
7. Under Routing Options, select **Static**.
8. Fill in your Check Point SASE network subnet (usually 10.255.0.0/16).

**Important:** This address might differ if you did not choose the default subnet mask for your network.

9. Under **Tunnel Options**, in advanced options choose **Edit tunnel options**, and under **DPD timeout** set the value to 60.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1650282342698.png)

**Tunnel options:** AWS supports several encryption and integrity algorithms for each of the two tunnels it offers. If the tunnel options are left at their defaults (as shown below), AWS will accept any of its supported proposals for the handshake with Check Point SASE, including weaker ones. If you prefer to pin the connection to the suite configured on the Check Point SASE side later in this guide, restrict the Phase 1 and Phase 2 options here to AES256, SHA2-512 and DH group 21 (the AWS names for aes256, sha512 and ecp521) with IKEv2.![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen%20Shot%202021-07-18%20at%201.56.56%20AM.png)In this screen, you can also select the inside subnets you would like to connect via the tunnel.

10. Select **Create VPN Connection**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1650282855143.png)
11. A message should display indicating that the **VPN Connection Request was created successfully**.
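As an added example (not Check Point or AWS code), the same VPN connection built from the AWS CLI instead of the console, with the tunnel options pinned to the suite the Check Point SASE side is configured with later in this guide (AES-256 / SHA2-512 / DH group 21, IKEv2, 8 h / 1 h lifetimes, DPD timeout 60). The gateway IDs are placeholders; the algorithm names are the values the EC2 `create-vpn-connection` API accepts, and the builder rejects anything outside that set so a typo such as `SHA512` fails before you reach AWS.

```python
"""Build the --options document for `aws ec2 create-vpn-connection` so the
VPN connection only negotiates the suite the Check Point SASE tunnel will be
configured with (AES-256 / SHA2-512 / DH group 21, IKEv2), with static
routing and a 60 s DPD timeout.  Added example, not Check Point or AWS code;
the cgw-/vgw- IDs used below are placeholders."""
import json
import shlex

# Values AWS accepts in VpnTunnelOptionsSpecification (EC2 API).
AWS_ENCRYPTION = {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"}
AWS_INTEGRITY = {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"}
AWS_DH_GROUPS = {2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24}

# The suite this guide enters in the Check Point SASE Advanced Settings:
# aes256 / sha512 / ecp521 (DH group 21) for both phases, IKEv2,
# IKE lifetime 8 h, tunnel (IPsec SA) lifetime 1 h.
SASE_SUITE = {
    "encryption": "AES256",
    "integrity": "SHA2-512",
    "dh_group": 21,
    "ike_version": "ikev2",
    "phase1_lifetime": 8 * 3600,
    "phase2_lifetime": 3600,
}


def tunnel_options(suite: dict = SASE_SUITE, dpd_timeout: int = 60) -> dict:
    """One TunnelOptions entry restricted to a single proposal per phase."""
    if suite["encryption"] not in AWS_ENCRYPTION:
        raise ValueError(f"unsupported encryption: {suite['encryption']}")
    if suite["integrity"] not in AWS_INTEGRITY:
        raise ValueError(f"unsupported integrity: {suite['integrity']}")
    if suite["dh_group"] not in AWS_DH_GROUPS:
        raise ValueError(f"unsupported DH group: {suite['dh_group']}")
    enc = [{"Value": suite["encryption"]}]
    integ = [{"Value": suite["integrity"]}]
    dh = [{"Value": suite["dh_group"]}]
    return {
        "IKEVersions": [{"Value": suite["ike_version"]}],
        "Phase1EncryptionAlgorithms": enc,
        "Phase1IntegrityAlgorithms": integ,
        "Phase1DHGroupNumbers": dh,
        "Phase2EncryptionAlgorithms": enc,
        "Phase2IntegrityAlgorithms": integ,
        "Phase2DHGroupNumbers": dh,
        "Phase1LifetimeSeconds": suite["phase1_lifetime"],
        "Phase2LifetimeSeconds": suite["phase2_lifetime"],
        "DPDTimeoutSeconds": dpd_timeout,
    }


def vpn_connection_options(restrict: bool = True) -> dict:
    """Whole --options document.  restrict=False reproduces the console
    default (no TunnelOptions), which lets AWS accept any proposal it supports."""
    opts = {"StaticRoutesOnly": True}
    if restrict:
        # AWS always builds two tunnels; give both the same restricted proposal.
        opts["TunnelOptions"] = [tunnel_options(), tunnel_options()]
    return opts


def create_vpn_connection_cmd(cgw_id: str, vgw_id: str, restrict: bool = True) -> str:
    """The aws CLI invocation equivalent to the console steps above."""
    options = json.dumps(vpn_connection_options(restrict), separators=(",", ":"))
    return " ".join([
        "aws ec2 create-vpn-connection",
        "--type ipsec.1",
        f"--customer-gateway-id {cgw_id}",
        f"--vpn-gateway-id {vgw_id}",
        f"--options {shlex.quote(options)}",
    ])


if __name__ == "__main__":
    # Placeholder IDs: substitute the ones the console showed you.
    print(create_vpn_connection_cmd("cgw-0123456789abcdef0", "vgw-0123456789abcdef0"))
    # The static route for the SASE subnet is a separate call once the
    # connection exists:
    #   aws ec2 create-vpn-connection-route --vpn-connection-id vpn-... \
    #       --destination-cidr-block 10.255.0.0/16
```

Calling `vpn_connection_options(restrict=False)` gives the console's default behaviour (any supported proposal accepted); the restricted form is what you want if the AWS side should never agree to SHA1 or a small Diffie-Hellman group even when a misconfigured peer offers them.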

## Configuring the routing rules to the default gateway

1. Select the **VPC section** in the **AWS Console** and open the route table associated with your VPC.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1650283149914.png)
2. Under **Route Tables**, select the routing table that is associated with the VPC you have created for the tunnel.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1650283241191.png)
3. Select **Edit** and add a **new static route** for the subnet below:![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1650283352948.png)

In the destination field, fill in your **Check Point SASE network subnet** as listed in the Check Point SASE web portal under Networks > Gateway > Settings (usually 10.255.0.0/16), and as the target select your new **VPN Gateway ID** (it appears under the subcategory Virtual Private Gateway).
4. Select **Save**.

**In case you have a customized security group associated with your VPC:** configure your AWS security groups to allow traffic from the Check Point SASE subnet (usually 10.255.0.0/16). Allowing all traffic from that subnet is the quickest option; restricting the rule to the specific ports and source IPs your users actually need is the safer one, because the security group is what limits which AWS resources tunnel users can reach.

## Configuring the tunnel in your Platform

1. Return to **Site-to-Site VPN Connections** and select **Download Configuration**.

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1650283546728.png)
2. Fill in the following information, and download the config file:

- Be sure to choose **Strongswan** under **Vendor** and **Ikev2** for **Ike Version**.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1698071673711.png)

**Important:** Examining the configuration file, you will notice that AWS has created two separate tunnels for the same VPN connection (its two endpoints for redundancy); Check Point SASE uses only one of them.  
Either one works, but for consistency and to avoid confusion we advise using the one that appears first in the file. The unused tunnel will show as Down in the AWS console; this is expected. The file also contains the pre-shared keys for both tunnels in cleartext, so treat it as a secret: store it where only the people doing this setup can read it and delete it once the tunnel is up.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1626599499668.png)

3. Go to the Management Platform. Under the **Networks** tab in the left menu, select the name of the network where you'd like to set the tunnel. ![360004305679ScreenShot2019-08-27at1406157.png](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/360004305679ScreenShot2019-08-27at1406157.png)

4. Locate the desired gateway, select the three-dotted menu (...), select **Add Tunnel,** and then **IPSec Site-2-Site Tunnel**.

5. Click **Upload File** and upload the configuration file downloaded from the AWS portal. The system automatically populates **Shared Secret**, **Public IP**, and **Remote ID**. ![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Upload-config-file.PNG)

6. In the **General Settings section**, specify these:

- **Name:** Enter a name for the tunnel.
- **Check Point SASE Gateway Proposal Subnets:** Leave **Any (0.0.0.0/0)** selected here.
- **Remote Gateway Proposal Subnets:** Leave **Any (0.0.0.0/0)** selected here.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/GeneralSet_KeyExchange(1).PNG)

7. In the **Advanced Settings** section, **if you selected the default tunnel options on AWS**, enter these:

![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/KeyExchangeMethod521.PNG)

- **IKE Version:** V2
- **IKE Lifetime:** 8h
- **Tunnel Lifetime:** 1h
- **Dead Peer Detection Delay:** 10s
- **Dead Peer Detection Timeout:** 30s
- **Phase 1**:
  - **Encryption (Phase 1):** aes256
  - **Integrity (Phase 1):** sha512
  - **Key Exchange Method:** ecp521
- **Phase 2**:
  - **Encryption (Phase 2):** aes256
  - **Integrity (Phase 2):** sha512
  - **Key Exchange Method:** ecp521  
These values should match section 3 of the downloaded configuration file. If you restricted the tunnel options on AWS to a different suite, enter that suite here instead, so that both sides propose the same algorithms and the negotiation cannot fail on a mismatch.

8. Click **Add Tunnel**.

9. On your network, select the three-dotted menu (...) and click **Routes Table**:![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Pasted_Image_6_6_22__4_18_PM.png)

- Click the **Add Route** button on the top right, then on this popup fill out accordingly (**Tunnel** will match the name above, and **Subnets** will be the subnets you want to reach on the AWS side of the tunnel) and click the **Add Route** button:![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/image-1655905978348.png)
- Be sure to click **Apply Configuration** when done.  
![](https://cdn.document360.io/44667c0c-50d7-412a-acbd-20d4a41c952e/Images/Documentation/Screen_Shot_2022-06-06_at_4_20_58_PM.png)
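The manual check the tunnel-selection note and step 7 above ask for, as an added example (not Check Point or AWS code): parse the strongSwan-format file that AWS offers under Download Configuration, take the first tunnel (the one this guide tells you to use), pull out what the IPSec Site-2-Site Tunnel form needs (AWS outside IP for Public IP and Remote ID, and its shared secret), and list any proposal or timer that does not match the Advanced Settings values above. `SAMPLE_CONFIG` is a constructed excerpt in the layout of that download, using documentation IP addresses and placeholder pre-shared keys; treating the AWS outside IP as the Remote ID is this example's assumption.

```python
"""Extract the Check Point SASE tunnel fields from the AWS strongSwan
download and check the chosen tunnel against the guide's Advanced Settings.
Added example, not Check Point or AWS code.  SAMPLE_CONFIG is a constructed
excerpt in the layout of the download; 203.0.113.x / 198.51.100.x are
documentation addresses and the PSKs are placeholders."""
import re

SAMPLE_CONFIG = """\
# Tunnel #1 (constructed sample in the AWS strongSwan download layout)
conn Tunnel1
    auto=start
    left=%defaultroute
    leftid=203.0.113.10
    right=198.51.100.1
    type=tunnel
    leftauth=psk
    rightauth=psk
    keyexchange=ikev2
    ike=aes256-sha512-ecp521
    ikelifetime=8h
    esp=aes256-sha512-ecp521
    lifetime=1h
    keyingtries=%forever
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    mark=100

# Tunnel #2
conn Tunnel2
    auto=start
    left=%defaultroute
    leftid=203.0.113.10
    right=198.51.100.2
    type=tunnel
    leftauth=psk
    rightauth=psk
    keyexchange=ikev2
    ike=aes256-sha512-ecp521
    ikelifetime=8h
    esp=aes256-sha512-ecp521
    lifetime=1h
    keyingtries=%forever
    leftsubnet=0.0.0.0/0
    rightsubnet=0.0.0.0/0
    dpddelay=10s
    dpdtimeout=30s
    dpdaction=restart
    mark=200

# ipsec.secrets
203.0.113.10 198.51.100.1 : PSK "PLACEHOLDER_PSK_TUNNEL1"
203.0.113.10 198.51.100.2 : PSK "PLACEHOLDER_PSK_TUNNEL2"
"""

# The guide's Advanced Settings in strongSwan notation.
EXPECTED = {
    "keyexchange": "ikev2",
    "ike": "aes256-sha512-ecp521",   # Phase 1: aes256 / sha512 / ecp521
    "esp": "aes256-sha512-ecp521",   # Phase 2: aes256 / sha512 / ecp521
    "ikelifetime": "8h",             # IKE Lifetime
    "lifetime": "1h",                # Tunnel Lifetime
    "dpddelay": "10s",               # Dead Peer Detection Delay
    "dpdtimeout": "30s",             # Dead Peer Detection Timeout
}

_CONN = re.compile(r"^conn\s+(\S+)\s*$")
_KV = re.compile(r"^\s+(\w+)=(.+?)\s*$")        # indented key=value (tabs or spaces)
_PSK = re.compile(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"')


def parse_aws_config(text: str) -> tuple[list[dict], dict]:
    """Return (tunnels in file order, {(left_ip, right_ip): psk})."""
    tunnels, secrets, current = [], {}, None
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = _CONN.match(line)
        if m:
            current = {"name": m.group(1)}
            tunnels.append(current)
            continue
        m = _KV.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
            continue
        m = _PSK.match(line)
        if m:
            secrets[(m.group(1), m.group(2))] = m.group(3)
    return tunnels, secrets


def sase_tunnel_fields(text: str) -> dict:
    """Values for the IPSec Site-2-Site Tunnel form, from the FIRST tunnel.
    Assumption: AWS identifies itself by its outside IP, so Remote ID == Public IP."""
    tunnels, secrets = parse_aws_config(text)
    t = tunnels[0]
    return {
        "tunnel": t["name"],
        "public_ip": t["right"],
        "remote_id": t["right"],
        "local_id": t["leftid"],   # the customer gateway IP you entered on AWS
        "shared_secret": secrets[(t["leftid"], t["right"])],
    }


def mismatches(tunnel: dict, expected: dict = EXPECTED) -> list[str]:
    """Settings in the chosen tunnel that differ from what the SASE side will
    propose; an empty list means the two ends will agree."""
    return [
        f"{k}: file has {tunnel.get(k)!r}, SASE form has {v!r}"
        for k, v in expected.items() if tunnel.get(k) != v
    ]


if __name__ == "__main__":
    tunnels, _ = parse_aws_config(SAMPLE_CONFIG)
    print(sase_tunnel_fields(SAMPLE_CONFIG))
    print(mismatches(tunnels[0]) or "first tunnel matches the Advanced Settings")
```

Run it against the real download by replacing `SAMPLE_CONFIG` with the file contents; a non-empty `mismatches()` result is the list of fields to correct on one side before clicking Add Tunnel, which is faster than waiting for an IKE "no proposal chosen" failure after the fact.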


## Verifying the Setup

After following the above steps, your tunnel should be active. To verify, go to your Check Point SASE dashboard, locate the tunnel you just created, and check the tunnel status. It should indicate that the tunnel is "Up", signifying a successful connection. Next, connect to your network using the Check Point SASE agent and attempt to access one of the resources in your environment.

## Troubleshooting

If you encounter issues during or after the setup, review your settings to ensure everything matches the instructions. In particular, check that the customer gateway IP on AWS is the Check Point SASE gateway's public IP, that the shared secret, public IP and remote ID come from the same tunnel in the downloaded file, that the Phase 1 and Phase 2 proposals and lifetimes match on both sides, and that the static route for the Check Point SASE subnet exists both on the VPN connection and in the VPC route table. The tunnel status shown in the AWS console for the tunnel you configured should also be Up. If issues persist, please consult our dedicated support.

## Support Contacts

If you have any difficulties or questions, don't hesitate to contact Check Point SASE's support team. We offer 24/7 chat support on our website at [sase.checkpoint.com](https://www.sase.checkpoint.com/), or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.
