Setting up site-to-site on AWS Transit Gateway

Note: If you are unsure whether site-to-site is the best solution for you, please take a look at our Remote Access article first. Also, if your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.


Before you start configuring the VPN connection, make sure that the Transit Gateway is already up and attached to the appropriate VPC. The choice between Transit Gateway or a simple Virtual Gateway depends on your AWS architecture. If you are not sure, we encourage you to visit AWS's official documentation.


Collecting the tunnel configuration from the AWS Console

1. Go to the VPC section in the AWS Console


2. Under the left side panel Transit Gateways section, go to Transit Gateways Attachments


3. Select Create Transit Gateway Attachment


4. Fill in the following information:


  • Transit Gateway ID: Choose your Transit Gateway
  • Attachment type: VPN
  • Customer Gateway ID: New
  • IP Address: the IP address of your NordLayer dedicated server
  • BGP ASN: Leave default values
  • Routing Options: Static

5. Select Create Attachment. This may take several minutes

6. Under the left menu Virtual Private Network (VPN) section, go to Site-to-Site VPN Connections

7. Select the Download Configuration. Select Strongswan and select Download


Please note, our support team will need this configuration in order to complete the site-to-site tunnel configuration.



Examining the configuration file, you may notice that AWS has created two separate tunnels for the same VPN connection; NordLayer utilizes both of them. Open the configuration file that you have downloaded. For each tunnel we will need the values of Public IP and Remote ID (both identical; marked in red in the attached example) and the Shared Secret (marked in yellow).



Configuring the routing

1. Go to the VPC section in the AWS Console. Under Transit Gateways, select Transit Gateway Route Tables

2. In the bottom menu, go to the Routes tab


3. Select Propagations Tab (choose the transit gateway attachment you created earlier).

Verify that your AWS internal CIDR was propagated correctly (this should happen automatically when the VPN attachment is created). If the propagation is missing or incorrect, select Create propagation; otherwise, move on to step 5.


4. Go to the Routes tab and verify that your AWS Internal CIDR was propagated

5. Click on Create Route and add the NordLayer internal Network CIDR ( to the table


6. Under Transit Gateways, select Transit Gateway Route Tables

7. Select the Associations tab at the bottom frame. Select Create association


8. Choose the transit gateway that you have just created and select Create association


9. Go to the Propagations and select Create propagation. Choose the newly created attachment and select Create propagation

10. Return to the AWS VPC Dashboard. Under the Virtual Private Cloud section select Route Tables


11. Choose the route table that relates to the VPC you'd like to give access to (this can be checked under the Subnet Associations tab). In the bottom frame, select the Routes tab


12. Select Edit Routes. Add a route from your network (commonly to the transit gateway


Ending note:

In order to finalize the site-to-site setup on our end, we will need these values (please note, we will need those values for both created tunnels):

  • Pre-shared key - you can generate it or we can provide it
  • Encryption details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet is used in your local network)

Lastly, it is important to know what device or cloud network is being used (Ubiquiti, Fortigate, AWS, Google Cloud, etc.)
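As an added example (not part of this article or of NordLayer's own tooling), the following Python helper pulls the per-tunnel Public IP, Remote ID and shared secret out of the downloaded strongSwan configuration described above and flags any tunnel whose proposals fall short of the AES256, SHA256, DH group 14 and IKEv2 settings recommended in this note. The sample file contents are constructed in the layout of AWS's strongSwan template; that layout, and the regular expressions built on it, are assumptions, so adjust them if your file differs.

```python
import re

# Constructed sample in the shape of the strongSwan files AWS generates for a
# site-to-site VPN: two "conn" blocks plus the matching ipsec.secrets lines.
# Every IP address and key below is made up (layout is an assumption).
SAMPLE_CONFIG = """\
conn Tunnel1
    right=198.51.100.21
    rightid=198.51.100.21
    keyexchange=ikev1
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024

conn Tunnel2
    right=198.51.100.22
    rightid=198.51.100.22
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
"""
SAMPLE_SECRETS = """\
203.0.113.10 198.51.100.21 : PSK "constructed-psk-tunnel-1"
203.0.113.10 198.51.100.22 : PSK "constructed-psk-tunnel-2"
"""
# Settings the article recommends: AES-256, SHA-256, DH group 14 (modp2048), IKEv2.
RECOMMENDED_PROPOSAL = ("aes256", "sha256", "modp2048")

def parse_tunnels(config_text, secrets_text):
    """Map each conn name to its Public IP, Remote ID, shared secret and proposals."""
    secrets = {}  # keyed by the AWS-side (remote) IP, the second address on the line
    for m in re.finditer(r'^\S+\s+(\S+)\s*:\s*PSK\s+"([^"]*)"', secrets_text, re.M):
        secrets[m.group(1)] = m.group(2)
    tunnels = {}
    for block in re.split(r'^conn\s+', config_text, flags=re.M)[1:]:
        name, _, body = block.partition("\n")
        kv = dict(re.findall(r'^\s*(\w+)=(\S+)', body, re.M))
        ip = kv.get("right")  # AWS outside address; rightid defaults to the same value
        tunnels[name.strip()] = {
            "public_ip": ip, "remote_id": kv.get("rightid", ip), "psk": secrets.get(ip),
            "keyexchange": kv.get("keyexchange"), "ike": kv.get("ike"), "esp": kv.get("esp")}
    return tunnels

def weak_settings(tunnel):
    """Return the recommended settings this tunnel falls short of (empty list = OK)."""
    issues = []
    if tunnel["keyexchange"] != "ikev2":
        issues.append("keyexchange=%s (want ikev2)" % tunnel["keyexchange"])
    for field in ("ike", "esp"):  # phase 1 and phase 2 proposals, e.g. aes256-sha256-modp2048
        parts = (tunnel[field] or "").split("-")
        issues += ["%s lacks %s" % (field, w) for w in RECOMMENDED_PROPOSAL if w not in parts]
    return issues
```

Run `parse_tunnels` on the two files you downloaded and hand the resulting values for both tunnels to support; a non-empty `weak_settings` result means the proposal still uses the weaker defaults.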

You can provide all of these values to us securely via

In case you are experiencing different results, make sure that you have carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.
