Setting up site-to-site on AWS Transit Gateway
Note: If you are unsure whether site-to-site is the best solution for you, please take a look at our Remote Access article first. What is more, if your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.
Before you start configuring the VPN connection, make sure that the Transit Gateway is already up and attached to the appropriate VPC. The choice between Transit Gateway or a simple Virtual Gateway depends on your AWS architecture. If you are not sure, we encourage you to visit AWS's official documentation.
Configuring the tunnel in the AWS Console
1. Go to the VPC section in the AWS Console
2. Under the left side panel Transit Gateways section, go to Transit Gateways Attachments
3. Select Create Transit Gateway Attachment
4. Fill in the following information:
- Transit Gateway ID: Choose your Transit Gateway
- Attachment type: VPN
- Customer Gateway ID: New
- IP Address: the IP address of your NordLayer dedicated server
- BGP ASN: Leave default values
- Routing Options: Static
5. Select Create Attachment. This may take several minutes
6. Under the left menu Virtual Private Network (VPN) section, go to Site-to-Site VPN Connections
7. Select the Download Configuration. Select Strongswan and select Download
Examining the configuration file, you may notice that AWS has created two separate tunnels for the same VPN connection, NordLayer utilizes both of them. Open the configuration file that you have downloaded. We will need the values of Public IP, Remote ID (both identical; marked in red in the attached example) and Shared Secret (marked in yellow).
Configuring the routing
1. Go to the VPC section in the AWS Console. Under Transit Gateways, select Transit Gateway Route Tables
2. In the bottom menu, go to the Routes tab
3. Select Propagations Tab (choose the transit gateway attachment you created earlier).
Verify that your AWS internal CIDR was propagated correctly (this should be done automatically upon the VPN attachment creation. In case the propagation is missing or incorrect, Select Create propagation. Else, move on to step 5
4. Go to the Routes tab and verify that your AWS Internal CIDR was propagated
5. Click on Create Route and add the NordLayer internal Network CIDR (10.6.0.0/20) to the table
6. Under Transit Gateways, select Transit Gateway Route Tables
7. Select the Associations tab at the bottom frame. Select Create association
8. Choose the transit gateway that you have just created and select Create association
9. Go to the Propagations and select Create propagation. Choose the newly created attachment and select Create propagation
10. Return to the AWS VPC Dashboard. Under the Virtual Private Cloud section select Route Tables
11. Choose the route that relates to the VPC to which you'd like to give access to (this can be checked under Subnet Associations tab). On the bottom frame select the Routes tab
12. Select Edit Routes. Add a route from your network (commonly 10.255.0.0/16) to the transit gateway
In order to finalize the site-to-site setup on our end, we will need these values:
- Pre-shared key - you can generate it or we can provide it
- Encryption details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (also must support IKEv2)
- Remote gateway/router public IP (must be reachable while connected to the dedicated server)
- Remote subnet and mask (the subnet is used in your local network)
Lastly, it is important to know what device or cloud network is being used (Ubiquiti, Fortigate, AWS, Google Cloud, etc.)
You can provide all of these values to us securely via privnote.com
In case you are experiencing different results, make sure that you have you carefully gone through all the steps. Having said that, in case the issue persists please feel free to contact our 24/7 customer support team.