AWS - Site-to-Site IPSEC


To establish a Site-to-Site IPSEC VPN connection between AWS and Perimeter 81, follow the steps below:

 

A. Create P81 Private Server

  1. You first need a private server defined. If you do not have one yet, follow the steps here: https://docs.perimeter81.com/docs/create-a-private-vpn-server

  2. Write down the IP address of the private server you just created. You will need it in step B.

 

B. AWS Configuration

The AWS side involves several steps, and they must be applied for every VPC.


  1. Creating VPN Gateway:

    • Create Customer Gateway
    • Create Virtual Private Gateway
    • Create Virtual Private Network Connection
  2. Configure the routing rules to the default gateway.

  3. Allow inbound connections from the P81 local network within the security groups.


1. Creating VPN Gateway

Go to the VPC section in the AWS Console.

  • Under the VPN Connections section of the left menu, go to Customer Gateways:

    1. Click on Create Customer Gateway
    2. Type the name you want for the gateway (for example production-p81)
    3. Select static routing
    4. IP Address field - type the IP address of the Perimeter 81 Gateway you obtained in step A.
    5. Click on Create Customer Gateway

Create Customer Gateway

  • Under VPN Connections, go to Virtual Private Gateways:

    1. Click on Create Virtual Private Gateway
    2. Type the name you want for the private gateway (for example production-p81)
    3. Select Amazon default ASN as the ASN
    4. Click on Create Virtual Private Gateway

Create Virtual Private Gateway

  1. Select the created gateway, click on Actions and, in the context menu, select Attach to VPC.
  2. Press the Yes, Attach button
  • Under VPN Connections in the left menu, go to VPN Connections:

    1. Click Create VPN Connection
    2. Enter a name tag, for example Production-P81
    3. Select the created Virtual Private Gateway
    4. Under Customer Gateway, select Existing
    5. Select the created Customer Gateway
    6. Under Routing Options, select Static
    7. Fill in the following Static IP Prefix:
      10.255.0.0/16
      Please note that the Perimeter 81 network subnet can differ; the actual value is shown in the Add Tunnel screen.
    8. Leave Tunnel Options at their defaults
    9. Press Create VPN Connection
    10. Once the connection is created, click the Download Configuration button

  1. Add the required information to the Perimeter 81 Add Tunnel screen:

a. Remote IP, Remote ID (fill in the remote IP here) and Shared Secret, all obtained from the configuration file downloaded in the previous step.

2. Configure the routing rules to the default gateway.

  1. Go to the VPC section in the AWS Console.
  2. Under the Route Tables menu item, select the route table associated with the VPC you created the tunnel for.
  3. Go to the Routes tab
  4. Press the Edit button and add a new static route for each subnet in the list below, with your new VPN Gateway ID as the target. List: 10.255.0.0/16, or your actual Perimeter 81 network subnet.
  5. Press the Save button

3. Allow inbound connections from the P81 local network within the security groups.

Configure your AWS security groups to allow all traffic from the P81 subnet (10.255.0.0/16), or allow only specific traffic by port or service from this source.

*4. Add your AWS CIDR (local subnet) to the Perimeter 81 Network routing table and associate it with the new tunnel you created previously.
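The AWS side of steps B.1 to B.3, written here as an added Terraform example (not Perimeter 81's or AWS's own code) so the per-VPC configuration is reviewable and repeatable. It assumes placeholder values for the Perimeter 81 gateway IP from step A, the VPC ID and the route table ID, and its security group opens only SSH from the P81 subnet rather than all traffic.

```hcl
# Added example, not Perimeter 81's or AWS's own code: steps B.1-B.3 as Terraform.
# Assumed placeholders: the Perimeter 81 gateway IP from step A, your VPC and route table IDs.
variable "p81_gateway_ip" { default = "203.0.113.10" }  # placeholder (documentation range)
variable "p81_subnet"     { default = "10.255.0.0/16" } # Perimeter 81 network subnet
variable "vpc_id"         { default = "vpc-PLACEHOLDER" }
variable "route_table_id" { default = "rtb-PLACEHOLDER" }
# B.1 Customer Gateway = the Perimeter 81 side. The API requires a BGP ASN even
# with static routing; 65000 is the console default.
resource "aws_customer_gateway" "p81" {
  bgp_asn    = 65000
  ip_address = var.p81_gateway_ip
  type       = "ipsec.1"
}
# B.1 Virtual Private Gateway with the Amazon default ASN, attached to the VPC.
resource "aws_vpn_gateway" "p81" {
  vpc_id = var.vpc_id
}
# B.1 VPN Connection, static routing, Perimeter 81 subnet as the static prefix.
resource "aws_vpn_connection" "p81" {
  vpn_gateway_id      = aws_vpn_gateway.p81.id
  customer_gateway_id = aws_customer_gateway.p81.id
  type                = "ipsec.1"
  static_routes_only  = true
}
resource "aws_vpn_connection_route" "p81" {
  destination_cidr_block = var.p81_subnet
  vpn_connection_id      = aws_vpn_connection.p81.id
}
# B.2 Route Perimeter 81 traffic through the VPN gateway.
resource "aws_route" "to_p81" {
  route_table_id         = var.route_table_id
  destination_cidr_block = var.p81_subnet
  gateway_id             = aws_vpn_gateway.p81.id
}
# B.3 Inbound only from the Perimeter 81 subnet and only the needed port (SSH here), not all traffic.
resource "aws_security_group" "from_p81" {
  name   = "from-p81"
  vpc_id = var.vpc_id
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.p81_subnet]
  }
}
# Values for step C (Remote IP / Remote ID and Shared Secret) without reading the downloaded file.
output "tunnel1_remote_ip" { value = aws_vpn_connection.p81.tunnel1_address }
output "tunnel1_shared_secret" {
  value     = aws_vpn_connection.p81.tunnel1_preshared_key
  sensitive = true
}
```

Run `terraform output tunnel1_remote_ip` and `terraform output -raw tunnel1_shared_secret` to read the two values step C asks for; the second is marked sensitive so it is not echoed in plan or apply logs.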

 

C. Perimeter 81 Settings

a. Go to the Gateway in your network from which you want to create the tunnel to AWS
b. Click on the 3 dots and press "Add Tunnel"
c. Name - Set a name for the Tunnel
d. Shared Secret - Enter the Shared Secret you got from AWS
e. "Public IP" and "Remote ID" - enter the AWS tunnel outside IP address (the Remote IP from the downloaded configuration file)
f. In "Perimeter 81 Gateway Proposal Subnets" choose Any or a Specific Subnet
g. In "Remote Gateway Proposal Subnets" enter your AWS VPC CIDR (local subnet)
h. Advanced Settings:

  • IKE Version - V2
  • IKE Lifetime - 8h
  • Tunnel Lifetime - 1h
  • Dead Peer Detection Delay - 10s
  • Dead Peer Detection Timeout - 30s
  • Encryption (Phase 1) - aes128
  • Integrity (Phase 1) - sha1
  • Diffie-Hellman Groups (Phase 1) - 2 5 14
  • Encryption (Phase 2) - aes128
  • Integrity (Phase 2) - sha1
  • Diffie-Hellman Groups (Phase 2) - 2 5 14

i. Press "Add Tunnel"