Configuring a Site-to-Site IPSec Tunnel to AWS Virtual Gateway


In order to establish a Site-to-Site IPSec VPN connection between your AWS VPC and your Perimeter 81 network, follow the steps below:


1. Configure the Tunnel in the AWS Console 

Configure a Customer Gateway

  1. Go to the VPC section in the AWS Console.
    Under Services, scroll down to Networking & Content Delivery and click VPC.
  2. Under the left menu VPN section, go to Customer Gateways.
  3. Click Create Customer Gateway.
  4. Type the name of the gateway (for example: US_HQ).
  5. Select static routing.
  6. Fill in the IP address of the Perimeter 81 Gateway. This can be found in the Perimeter 81 Panel, under Network.
  7. Click Create Customer Gateway.
    A message should pop up indicating that the gateway was created successfully.

Configure a Virtual Private Gateway

  1. Go back to Services, scroll down to Networking & Content Delivery and click VPC.
  2. On the left side, under Virtual Private Network (VPN), click Virtual Private Gateways.
    Then, click Create Virtual Private Gateway.
  3. Type the name of the gateway (for example: US_HQ).
  4. Select ASN as Amazon default ASN.
  5. Click Create Virtual Private Gateway.
    A message should pop up indicating that the Virtual Private Gateway was created successfully.
  6. Select the newly created gateway, click Actions and select Attach to VPC from the context menu.
  7. From the drop-down menu, select the VPC and click Yes, Attach.

Create Virtual Private Network Connection

  1. Under Virtual Private Network in the left menu, go to Site-to-Site VPN Connections.
  2. Click Create VPN Connection.
  3. Enter the name tag (for example: US_HQ).
  4. Select the Virtual Private Gateway you created.
  5. Under Customer Gateway, select Existing.
  6. Select the Customer Gateway that you have created.
  7. Under Routing Options, select Static.
  8. Fill in the following Static IP Prefixes:
    Note that this prefix might differ if you haven't chosen the default subnet IP for your tunnel.
  9. Under Tunnel Options leave the default values as they are.
  10. Click Create VPN Connection.
  11. A message should pop up indicating that a VPN Connection Request was created successfully.

Configuring the Routing Rules to the Default Gateway

  1. Select the VPC section in the AWS Console and open the route table associated with your VPC.
  2. Under the Route Tables menu option, select the route table associated with the VPC you have attached the tunnel to.
  3. Press the Edit button and add the new static routes for the subnets below:
    List: or your Perimeter 81 network subnet
     should be your new VPN Gateway ID
  4. Press the Save button.
  5. Allow incoming connections from the Perimeter 81 local network within your security groups:
    Configure your AWS security groups to allow all traffic from the Perimeter 81 subnets, or allow only specific traffic (by port or service) from these sources.
    * Add your AWS CIDR (local subnet) to the Perimeter 81 network routing table and associate it with the new tunnel you have created.

2. Configure the Tunnel in your Perimeter 81 Platform 

  1. Return to Site-to-Site VPN Connections and click the Download Configuration button.
  2. Select your device type; if your router isn't listed, select Generic.
  3. Log in to your Perimeter 81 Management Platform. Under the Network tab in the left menu, click the name of the network in which you'd like to set up the tunnel. Locate the desired gateway, click the three-dot icon, press Add Tunnel and then IPSec Site-2-Site Tunnel.
  4. Open the configuration file you have downloaded and fill in the following fields from its content: Public IP, Remote ID (identical to Remote IP) and Shared Secret. Fill in the rest of the fields as follows:


  • Name: Enter the name you chose for the tunnel.
  • Perimeter 81 Gateway Proposal Subnets: by default this should be set to 
  • Remote Gateway Proposal Subnets: or specify according to your customised settings.

    In the Advanced Settings section, fill in:
  • IKE Version: V2
  • IKE Lifetime: 8h
  • Tunnel Lifetime: 1h
  • Dead Peer Detection Delay: 10s
  • Dead Peer Detection Timeout: 30s
  • Encryption (Phase 1): aes128
  • Integrity (Phase 1): sha1
  • Diffie-Hellman Groups (Phase 1): 2
  • Encryption (Phase 2): aes128
  • Integrity (Phase 2): sha1
  • Diffie-Hellman Groups (Phase 2): 2
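As an added example, not part of this article or of Perimeter 81's or AWS's own tooling, the Python below parses the downloaded Generic configuration file, pulls out the values step 4 asks for (the Virtual Private Gateway outside address for Public IP / Remote ID, the Pre-Shared Key for Shared Secret) and checks the IKE and IPsec parameters against the Advanced Settings listed above. The embedded sample is constructed in the layout of that download (an assumption about the format); a real file carries two tunnel blocks, the parser returns one entry per block, and the file's hmac-sha1-96 corresponds to the sha1 Phase 2 integrity setting.

```python
import re
# Constructed sample in the layout of the AWS "Generic" download (format assumed; values made up).
SAMPLE_CONFIG = """\
! IPSec Tunnel #1
! #1: Internet Key Exchange Configuration
!   - Pre-Shared Key           : EXAMPLE_PSK_TUNNEL1
!   - Authentication Algorithm : sha1
!   - Encryption Algorithm     : aes-128-cbc
!   - Lifetime                 : 28800 seconds
!   - Perfect Forward Secrecy  : Diffie-Hellman Group 2
! #2: IPSec Configuration
!   - Authentication Algorithm : hmac-sha1-96
!   - Encryption Algorithm     : aes-128-cbc
!   - Lifetime                 : 3600 seconds
!   - Perfect Forward Secrecy  : Diffie-Hellman Group 2
! Outside IP Addresses:
!   - Virtual Private Gateway  : 203.0.113.20
"""
# The article's Advanced Settings in the AWS file's units (8h = 28800 s, 1h = 3600 s).
EXPECTED = {"phase1": {"enc": "aes-128-cbc", "auth": "sha1", "lifetime": 28800, "dh": 2},
            "phase2": {"enc": "aes-128-cbc", "auth": "hmac-sha1-96", "lifetime": 3600, "dh": 2}}
SECTIONS = {"#1:": "phase1", "#2:": "phase2", "Outside IP": "outside", "Inside IP": "inside"}
FIELD = re.compile(r"^!\s*-\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.+?)\s*$")
# file label -> (stored name, converter): lifetimes to seconds, "Diffie-Hellman Group 2" to 2
FIELDS = {"Pre-Shared Key": ("psk", str), "Encryption Algorithm": ("enc", str),
          "Authentication Algorithm": ("auth", str), "Lifetime": ("lifetime", lambda v: int(v.split()[0])),
          "Perfect Forward Secrecy": ("dh", lambda v: int(v.rsplit(None, 1)[1]))}

def parse_tunnels(text):
    """One dict per '! IPSec Tunnel #n' block: phase1 (incl. psk), phase2, outside and inside IPs."""
    tunnels, cur, section = [], None, None
    for line in text.splitlines():
        if line.startswith("! IPSec Tunnel #"):
            cur = {"phase1": {}, "phase2": {}, "outside": {}, "inside": {}}
            tunnels.append(cur)
        section = next((s for mark, s in SECTIONS.items() if mark in line), section)
        m = FIELD.match(line)
        if not (m and cur and section):
            continue
        key, val = m.group("key"), m.group("val")
        if key in FIELDS:
            name, conv = FIELDS[key]
            cur[section][name] = conv(val)        # PSK lands in phase1 = Shared Secret field
        elif section in ("outside", "inside"):
            cur[section][key] = val               # outside Virtual Private Gateway = Public IP / Remote ID
    return tunnels

def mismatches(tunnel):
    """(phase, field, value_in_file, expected) for each parameter that differs from the article."""
    return [(ph, f, tunnel[ph].get(f), want) for ph, fields in EXPECTED.items()
            for f, want in fields.items() if tunnel[ph].get(f) != want]
```

Any tuple returned by mismatches() is a proposal parameter that differs from what AWS will negotiate, which is the usual reason a tunnel stays down after both sides have been configured.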