AWS Transit Gateway allows you to connect multiple VPCs (in the same region) using a single Site-to-Site connection (unlike the AWS Virtual Gateway which requires one Site-to-Site connection per VPC).
In order to establish a Site-To-Site IPSec VPN connection between your AWS server and Perimeter 81 network, please follow the steps below:
1. Configure the Tunnel in the AWS Console
- Go to the VPC section in the AWS Console.
- Under the left menu Transit Gateways section, go to Transit Gateways Attachments.
- Click Create Transit Gateway Attachment.
Fill in according to the following:
- Transit Gateway ID: Choose you Transit Gateway
- Attachment type: VPN
- Customer Gateway ID: New
- IP Address: This can be obtained within the Perimeter81 Panel, under Network
- BGP ASN: Leave default values
- Routing Options: Static
- Click Create Attachment. This may take several minutes.
- Under the left menu Virtual Private Network (VPN) section, go to Site-to-Site VPN Connections.
Click Download Configuration. Choose Strongswan and click Download.
2. Configure the Tunnel in the Perimeter 81 Platform
- Enter your Perimeter 81 Management Platform. Under the Network tab in the left menu, click on name of the network in which you'd like to set the tunnel. Locate the desired gateway, click the three dotted icon and press Add Tunnel and then IPSec Site-2-Site Tunnel.
- Open the configuration file that you have downloaded. Fill in the following fields according the file's content: Public IP (appears before the PSK), Remote ID (identical to Remote IP), Shared Secret (appears as PSK). The rest of the fields should be inserted according to the following:
- Name: Enter the name you chose for the tunnel.
- Perimeter 81 Gateway Proposal Subnets: by default this should be set to 10.255.0.0/16
- Remote Gateway Proposal Subnets: 0.0.0.0/0 or specify according to your customised settings.
At the Advanced Settings section fill in:
- IKE Version: V1
- IKE Lifetime: 8h
- Tunnel Lifetime: 1h
- Dead Peer Detection Delay: 10s
- Dead Peer Detection Timeout: 30s
- Encryption (Phase 1): aes128
- Intergrity (Phase 1): sha1
- Diffie-Hellman Groups (Phase 1): 2
- Encryption (Phase 2): aes128
- Intergrity (Phase 2): sha1
- Diffie-Hellman Groups (Phase 2): 2
3. Configure the Routing
- Go to the VPC section in the AWS Console. Under Transit Gateways, click Transit Gateway Route Tables.
- In the bottom Menu, go to the Routes tab.
- Click Create Route (choose the transit gateway attachment we created earlier). Press Create propagation.
- Go to the Routes tab and copy the CIDR that was propagated.
- Open the Network tab at the Perimeter 81 Management platform. Click the three-dotted icon next to the Network in which you are configuring the tunnel and choose Route Table.
- Click Add Route, choose the tunnel which we have just configured and paste the internal subnet IP. Click Add route, then Apply Configuration.
- Go back to the AWS Console. Under Transit Gateways, click Transit Gateway Route Tables.
- Click the Associations tab at the bottom frame. Click Create association.
- Choose the transit gateway that we have just created and click Create association.
- Go to the Propagations and click Create propagation. Choose the newly created attachment and click Create propagation.
- Return to the AWS VPC Dashboard. Under the Virtual Private Cloud section choose Route Tables.
- Choose the route that relates to the subnet which you'd like to give access to (this can be checked under Subnets). On the bottom frame click the Routes tab.
- Click Edit Routes. Add a route from your Perimeter 81 network (commonly 10.255.0.0/16) to the transit gateway.