AWS Transit Gateway
  • 08 May 2024


      Introduction

      This guide will walk you through the process of establishing a Site-to-Site VPN tunnel between your Harmony SASE network and your AWS Transit Gateway environment.

      Note: If you are aiming to connect to a single VPC, refer to this guide: Configuring a Site-to-Site IPSec Tunnel to AWS Virtual Gateway.


      Breakdown of topics


      1. Pre-requisites

      2. Configuration Steps

      3. Verifying the Setup

      4. Troubleshooting

      5. Support Contacts


      Pre-requisites

      To successfully follow this guide, you should have:


      1. An active Harmony SASE account and network.

      2. The Harmony SASE app installed on your devices.

      3. An active AWS account with admin permissions.

      Configuration Steps


      Please follow the steps below:

      • Create the Transit Gateway & Transit Gateway attachments
      • Configure the tunnel in the AWS Console
      • Configure the tunnel in the Harmony SASE Admin Console
      • Configure the routing in the AWS Console
      • Configure the routing on Perimeter81

      Create the Transit Gateway & Transit Gateway attachments

      Create the Transit Gateway

      1. Go to the VPC section in the AWS Console

      2. Under the left panel, click on Transit Gateways
      3. On the top pane, click on Create transit gateway
      4. Fill in the following information:
      • Name tag - Insert the name of the Transit Gateway.
      • You can keep the default parameters for the rest of the attributes.
      • Click Create transit gateway.

      Create the Transit Gateway Attachments

      About TGW Attachments
      • You may create an attachment for VPCs, other VPNs, and other Peered Transit Gateways sitting on another AWS region.
      • All connected attachments will be able to communicate with each other as defined in the Transit Gateway's routes.

      Create the Transit Gateway VPC attachments

      About VPC Attachments
      • If you already have a Transit Gateway Attachment to your VPC, you may skip this step and go directly to "Create the Transit Gateway VPN attachment." 
      • A single VPC attachment will connect one VPC to the Transit Gateway.
      • You may connect multiple VPC attachments to a single Transit Gateway.

      1. On the left pane, click on Transit Gateway Attachments

      2. On the top pane, click on Create transit gateway attachment

      3. Fill in the following information and click on "Create transit gateway attachment":

      • Name Tag - Insert the name of the Transit Gateway Attachment
      • Transit gateway ID - Pick the newly created Transit gateway
      • Attachment Type - VPC
      • VPC ID - Select the relevant VPC
      • You can keep the default parameters for the rest of the attributes
      Note: Please repeat the above process for each of the VPCs that you would like to gain access to.

      Create the Transit Gateway VPN attachment

      1. On the top pane, click on Create transit gateway attachment
      2. Fill in the following information and click on "Create transit gateway attachment":
        • Transit gateway ID - Pick the newly created Transit Gateway
        • Attachment Type - VPN
        • Customer Gateway - New
        • IP address - This should be obtained from the Perimeter81 Admin Console under the relevant Gateway Name.
        • BGP ASN - Leave the default value
        • Routing Options - Static
        • Keep the default values for the rest of the attributes
      3. In the bottom right corner, click on "Create transit gateway attachment."

      Configuring the tunnel in the AWS Console

      1. On the left pane, under Virtual Private Network (VPN), click on Site-to-Site VPN Connections
      2. Pick the newly created Transit Gateway VPN connection record
      3. On the top pane, click on Download Configuration.
      4. A pop-up will appear, choose the following and click on Download.

        • Vendor - Strongswan
        • Platform - Ubuntu version
        • Software - Strongswan version
        • IKE Version - IKEv2

      Configuring the tunnel in the Harmony SASE Admin Console

      1. Navigate to your Perimeter81 web platform
      2. On the left pane, click on Networks and select the network name where you'd like to set up the tunnel.
      3. Locate the desired gateway, select the three-dotted menu (...), and select Add Tunnel.
      4. A pop-up will appear; choose IPSec Site-2-Site Tunnel and click Continue
      5. Fill in the following information and click "Add Tunnel."

      Uploading your configuration file

      You can upload your AWS configuration file directly to Harmony SASE to save time and avoid configuration mismatches: How to upload an AWS configuration file.

      Manual configuration

      In case you decide to configure the tunnel in the Harmony SASE interface manually, please follow these steps:

      1. Open the configuration file that you have downloaded, select either Tunnel1 or Tunnel2, and copy the following attributes:
        • Name - Enter the name of the tunnel.
        • Shared Secret - Copy and paste the pre-shared key value from the config file (marked in yellow); remember to omit the quotation marks.
        • Public IP & Remote ID - Copy and paste the IP marked in red; this is your AWS external IP.
        • Harmony SASE Gateway Proposal Subnets: 0.0.0.0/0.
        • Remote Gateway Proposal Subnets: 0.0.0.0/0.
        • In the Advanced Settings section, fill in the following information:
          • IKE Version: V2
          • IKE Lifetime: 8h
          • Tunnel Lifetime: 1h
          • Dead Peer Detection Delay: 10s
          • Dead Peer Detection Timeout: 30s
          • Encryption (Phase 1): aes256
          • Encryption (Phase 2): aes256
          • Integrity (Phase 1): sha512
          • Integrity (Phase 2): sha512
          • Diffie-Hellman Group (Phase 1): 21
          • Diffie-Hellman Group (Phase 2): 21
      Configuring the routing in the AWS Console

      1. Go to the VPC section in the AWS Console. Under Transit Gateways, select Transit Gateway Route Tables.
      2. Select the relevant Transit Gateway Route Table.
      3. In case your routes are not automatically propagating:
        • On the bottom, click on "Propagations."
        • Verify that all of the Transit Gateway Attachments are included.
          Missing propagations
          If one of the Transit Gateway Attachments is missing from the list, click "Create propagation" and add it.
        • On the bottom, click on "Associations."
        • Verify that all of the Transit Gateway Attachments are included (same as the previous step).
          Missing associations
          If one of the Transit Gateway Attachments is missing from the list, click "Create association" and add it.
        • On the bottom, click "Routes."
        • Click on "Create static route" and fill in the following:
          • CIDR - Insert your Perimeter81 network subnet. To find your Perimeter81 network subnet, perform the following:
            • Open your Perimeter81 web platform
            • On the left pane, click on Networks -> Networks.
            • Select your network
            • Select the three-dotted menu (...) next to the Network
            • Click on "Edit Network"
          • Choose attachment - Choose the VPN attachment.
      4. On the left pane, under Virtual Private Cloud, click on Route Tables.
      5. Select the Route Table for one of the attached VPCs.
      6. On the bottom, click Routes.
      7. Click Edit Routes; a new window will appear. Click on Add route and fill in the following:
        • Destination - Your Perimeter81 network subnet. The value shown in the screenshot is just an example; to find your real Perimeter81 network subnet, follow these steps:
          • Open your Perimeter81 web platform
          • On the left pane, click the Networks menu, then select the Networks option to see all available networks.
          • Select your network
          • Select the three-dotted menu (...) next to the Network
          • Click Edit Network
        • Target - Choose Transit Gateway and pick the relevant Transit Gateway.
        • Click Save changes.
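
      As an added check for the manual configuration step above (this snippet is not part of the original guide or of the Harmony SASE product), the following Python pulls from the downloaded AWS file the values the guide tells you to copy (the shared secret without its quotation marks, the AWS external IP, and the lifetimes and DPD timers converted to the h/s form the Add Tunnel dialog uses) and reports any that differ from the Advanced Settings the guide specifies. It assumes the file uses strongSwan's standard ipsec.conf / ipsec.secrets syntax, which is what the Strongswan vendor option produces; the sample file contents and addresses are constructed placeholders.

```python
import re
# Constructed sample in strongSwan ipsec.conf / ipsec.secrets syntax (what the "Strongswan"
# vendor option of the AWS download dialog produces); the addresses and key are placeholders.
SAMPLE_CONF = ("conn Tunnel1\n    right=203.0.113.25\n    keyexchange=ikev2\n"
               "    ikelifetime=28800s\n    lifetime=3600s\n    dpddelay=10s\n    dpdtimeout=30s\n")
SAMPLE_SECRETS = '198.51.100.10 203.0.113.25 : PSK "EXAMPLE-PSK-PLACEHOLDER"\n'
# Advanced Settings values the guide specifies for the Harmony SASE side of the tunnel.
EXPECTED = {"IKE Version": "V2", "IKE Lifetime": "8h", "Tunnel Lifetime": "1h",
            "Dead Peer Detection Delay": "10s", "Dead Peer Detection Timeout": "30s"}
UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}  # strongSwan duration suffixes
def parse_conn(conf, name):
    """Collect the key=value lines of one 'conn <name>' block (Tunnel1 or Tunnel2)."""
    settings, inside = {}, False
    for line in (raw.strip() for raw in conf.splitlines()):
        if line.startswith("conn "):
            inside = line.split(None, 1)[1] == name
        elif inside and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip()
    return settings

def parse_psk(secrets, remote_ip):
    """Return the PSK for remote_ip without the quotation marks the file wraps it in."""
    for left, right, key in re.findall(r'^\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"', secrets, re.M):
        if remote_ip in (left, right):
            return key
    raise ValueError(f"no PSK entry for {remote_ip}")

def duration_to_form(value):
    """Turn a strongSwan duration ('28800s', '8h', '3600') into the h/s form the dialog uses."""
    m = re.fullmatch(r"(\d+)([smhd]?)", value)
    if not m:
        raise ValueError(f"unrecognised duration: {value}")
    secs = int(m.group(1)) * UNIT[m.group(2)]
    return f"{secs // 3600}h" if secs % 3600 == 0 else f"{secs}s"

def tunnel_form_values(conf=SAMPLE_CONF, secrets=SAMPLE_SECRETS, name="Tunnel1"):
    """Map one tunnel block onto the fields of the Harmony SASE 'Add Tunnel' dialog."""
    c = parse_conn(conf, name)
    return {"Public IP & Remote ID": c["right"], "Shared Secret": parse_psk(secrets, c["right"]),
            "IKE Version": c["keyexchange"].upper().replace("IKEV", "V"),
            "IKE Lifetime": duration_to_form(c["ikelifetime"]),
            "Tunnel Lifetime": duration_to_form(c["lifetime"]),
            "Dead Peer Detection Delay": duration_to_form(c["dpddelay"]),
            "Dead Peer Detection Timeout": duration_to_form(c["dpdtimeout"])}

def mismatches(values):
    """Fields whose value differs from what the guide specifies; empty means all match."""
    return {k: values.get(k) for k, v in EXPECTED.items() if values.get(k) != v}
```

      Point `tunnel_form_values` at the text of your own downloaded ipsec.conf and ipsec.secrets; the Phase 1/Phase 2 cipher, integrity and DH group settings are not read from the file because the guide fixes them on the Harmony SASE side.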

      Configuring the routing on Perimeter81

      1. Open your Perimeter81 web platform
      2. In the left pane, click on "Networks" --> "Networks"
      3. Select your network
      4. Select the three-dotted menu (...) next to the Network
      5. Click on "Route Table"
      6. On the top right corner, click on Add Route
      7. A pop-up will appear; fill in the following and click on "Apply Configuration":
        • Tunnel - Choose the relevant tunnel
        • Subnet - Add the CIDRs of the attached VPCs (the VPCs to which you'd like to gain access)

      Verifying the Setup


      After following the above steps, your tunnel should be active.

      To verify, go to your Harmony SASE dashboard, locate the tunnel you just created, and check the tunnel status.

      It should indicate that the tunnel is "Up", signifying a successful connection.

      Next, connect to your network using the Harmony SASE agent and attempt to access one of the resources in your environment.

      Troubleshooting

      If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.


      Support Contacts


      If you have any difficulties or questions, don't hesitate to contact Harmony SASE's support team. We offer 24/7 chat support on our website at [Perimeter81.com](https://www.perimeter81.com/), or you can email us at sase-support@checkpoint.com. We're here to assist you and ensure your VPN tunnel setup is a success.

