Configuring a Site-to-Site IPSec Tunnel to AWS Virtual Gateway

In order to establish a Site-To-Site IPSec VPN connection between your AWS server and Perimeter 81 network, please follow the steps below:

Configure the Tunnel in the AWS Console 

1. Go to the VPC section in the AWS Console

2. Under Services, scroll down to Networking & Content Delivery and select VPC

3. Under the left menu VPN section, go to Customer Gateways.

4. Select Create Customer Gateway.

5. Type the name of the gateway (for example US_HQ).

6. Select static routing.

7. Fill in the IP Address of the Perimeter 81 Gateway. This can be obtained within the Perimeter81 Panel, under Network.

8. Select Create Customer Gateway.
A message should pop up indicating that the gateway was created successfully.

Configure a Virtual Private Gateway

 1. Go back to Services, scroll down to Networking & Content Delivery and select VPC.


2. On the left side, under Virtual Private Network (VPN) select Virtual Private Gateways.

3. Then, select Create Virtual Private Gateway.

4. Type the name of the gateway (for example US_HQ).

5. Select ASN as Amazon default ASN.

6. Select Create Virtual Private Gateway.

Create Virtual Private Gateway

A message should pop up indicating that the Virtual Private Gateway was created successfully.

7. Select the newly created gateway and select Actions, under context menu select Attach to VPC.

8. From the drop-down menu, select the VPC and select Yes, Attach.

Create Virtual Private Network Connection

1. Under Virtual Private Network in the left menu, go to Site-to-Site VPN Connections.mceclip10.png

2. Select Create VPN Connection.mceclip12.png

3. Enter the name tag (For example US_HQ).

4. Select the created Virtual Private Gateway. 

5. Under Customer Gateway, select Existing

6. Select the Customer Gateway that you have created.

7. Under Routing Options, select Static.

8. Fill in the following Static IP Prefixes:
Please note that this address might differ in case you haven't chosen the default subnet IP for your tunnel.mceclip13.png

9. Under Tunnel Options leave the default values as they are.

10. Select Create VPN Connection.

11. A message should pop up indicating that a VPN Connection Request was created successfully

Configuring the Routing Rules to the Default Gateway

1. Select the VPC section in the AWS Console and enter the Route table associated with your VPC.

2. For the Route Tables menu option, select the routing table that is associated with the VPC you have created for the tunnel.

3. Select Edit and add the new static routes for subnets below:
List: or your Perimeter 81 network subnet
 should be your new VPN Gateway ID

4. Select Save.

Allow incoming connections from Perimeter 81 local network within your security groups:
Configure your AWS security groups to allow all traffic from Perimeter 81 subnets ( or allow only special traffic using the port or services from these sources.

Add your AWS CIDR (local subnet) to the Perimeter 81 Network routing table and associate it with the new tunnel you have created.

Configure the Tunnel in your Perimeter 81 Platform 

1. Return to Site-to-Site VPN Connections and select Download Configuration.
2. Select the type of your device; if your router isn't listed, select Generic.

3. Enter the Perimeter 81 Management Platform. Under the Network tab in the left menu, select the name of the network in which you'd like to set the tunnel.

4. Locate the desired gateway, select the three-dotted menu (...), select Add Tunnel and then IPSec Site-2-Site Tunnel.Screen_Shot_2019-08-27_at_14.06.15.png

5. Open the configuration file that you have downloaded. Fill in the following fields according to the file's content: Public IPRemote ID (identical to Remote IP), Shared Secret. The rest of the fields should be filled in with the following information:


  • Name: Enter the name you chose for the tunnel.
  • Perimeter 81 Gateway Proposal Subnets: by default, this should be set to 
  • Remote Gateway Proposal Subnets: Select specified Subnets. Insert your VPC CIDR.


    At the Advanced Settings section fill in:
  • IKE Version: V2
  • IKE Lifetime: 8h
  • Tunnel Lifetime: 1h
  • Dead Peer Detection Delay: 10s
  • Dead Peer Detection Timeout: 30s
  • Encryption (Phase 1): aes128
  • Encryption (Phase 2): aes128
  • Integrity (Phase 1): sha1
  • Integrity (Phase 2): sha1
  • Diffie-Hellman Groups (Phase 1): 2
  • Diffie-Hellman Groups (Phase 2): 2
2 out of 2 found this helpful



Please sign in to leave a comment.