AWS Transit Gateway allows you to connect multiple VPCs using a single Site-to-Site connection (unlike the AWS Virtual Gateway which requires one Site-to-Site connection per VPC). Inter-region Transit Gateway peering is available in US East (N. Virginia), US East (Ohio), US West (Oregon), EU (Ireland), and EU (Frankfurt) while at the moment in other regions TG is restricted a single region.
In order to establish a Site-To-Site IPSec VPN connection between your AWS server and Perimeter 81 network, please follow the steps below:
Configure the Tunnel in the AWS Console
1. Go to the VPC section in the AWS Console.
2. Under the left side panel Transit Gateways section, go to Transit Gateways Attachments.
3. Select Create Transit Gateway Attachment.
4. Fill in the following information:
- Transit Gateway ID: Choose your Transit Gateway
- Attachment type: VPN
- Customer Gateway ID: New
- IP Address: This can be obtained within the Perimeter81 Panel, under Network
- BGP ASN: Leave default values
- Routing Options: Static
5. Select Create Attachment. This may take several minutes.
6. Under the left menu Virtual Private Network (VPN) section, go to Site-to-Site VPN Connections.
7. Select the Download Configuration. Select Strongswan and select Download.
Configure the Tunnel in the Perimeter 81 Platform
1. Enter your Perimeter 81 Management Platform. Under the Network tab in the left menu, select the name of the network in which you'd like to set the tunnel.
2. Locate the desired gateway, select the three-dotted menu (...), select Add Tunnel and then IPSec Site-2-Site Tunnel.
3. Open the configuration file that you have downloaded. Fill in the following fields according to the file's content: Public IP (appears before the PSK), Remote ID (identical to Remote IP), Shared Secret (appears as PSK).
4. Fill in the following information:
- Name: Enter the name you chose for the tunnel.
- Perimeter 81 Gateway Proposal Subnets: by default, this should be set to 10.255.0.0/16
- Remote Gateway Proposal Subnets: 0.0.0.0/0 or specify according to your customized settings.
At the Advanced Settings section fill in:
- IKE Version: V1
- IKE Lifetime: 8h
- Tunnel Lifetime: 1h
- Dead Peer Detection Delay: 10s
- Dead Peer Detection Timeout: 30s
- Encryption (Phase 1): aes128
- Encryption (Phase 2): aes128
- Integrity (Phase 1): sha1
- Integrity (Phase 2): sha1
- Diffie-Hellman Groups (Phase 1): 2
- Diffie-Hellman Groups (Phase 2): 2
Configure the Routing
1. Go to the VPC section in the AWS Console. Under Transit Gateways, select Transit Gateway Route Tables.
2. In the bottom menu, go to the Routes tab.
3. Select Propagations Tab (choose the transit gateway attachment we created earlier). Select Create propagation.
4. Go to the Routes tab and copy the CIDR that was propagated.
5. Open the Network tab at the Perimeter 81 Management platform. Select the three-dotted menu (...) next to the Network in which you are configuring the tunnel and choose Route Table.
6. Select Add Route, choose the tunnel which we have just configured and paste the internal subnet IP.
7. Select Add route, then Apply Configuration.
8. Go back to the AWS Console. Under Transit Gateways, select Transit Gateway Route Tables.
9. Select the Associations tab at the bottom frame. Select Create association.
10. Choose the transit gateway that we have just created and select Create association.
11. Go to the Propagations and select Create propagation. Choose the newly created attachment and select Create propagation.
12. Return to the AWS VPC Dashboard. Under the Virtual Private Cloud section select Route Tables.
13. Choose the route that relates to the subnet which you'd like to give access to (this can be checked under Subnets). On the bottom frame select the Routes tab.
14. Select Edit Routes. Add a route from your Perimeter 81 network (commonly 10.255.0.0/16) to the transit gateway.