Setting up site-to-site on AWS Virtual Gateway


Note: If you are unsure whether site-to-site is the best solution for you, please take a look at our Remote Access article first. Also, if your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.


Configuring the tunnel in the AWS Console

1. Go to the VPC section in the AWS Console

2. Under Services, scroll down to Networking & Content Delivery and select VPC


3. Under the left menu VPN section, go to Customer Gateways


4. Select Create Customer Gateway

5. Select static routing

6. Fill in the IP Address of your NordLayer dedicated server

7. Select Create Customer Gateway. A message should display indicating the gateway was created successfully


Configuring a virtual private gateway

If you already have a virtual private gateway attached to your VPC, skip this section and continue at Creating a virtual private network connection.

1. Go back to Services, scroll down to Networking & Content Delivery, and select VPC


2. On the left side, under Virtual Private Network (VPN) select Virtual Private Gateways


3. Select Create Virtual Private Gateway


4. Type the name of the gateway (for example US_HQ)

5. Select ASN as Amazon default ASN

6. Select Create Virtual Private Gateway


A message should display indicating that the Virtual Private Gateway was created successfully.

7. Select the newly created gateway and select Actions; on the context menu select Attach to VPC


8. From the drop-down menu, select the VPC and select Yes, Attach


Creating a virtual private network connection

1. Under Virtual Private Network in the left menu, go to Site-to-Site VPN Connections


2. Select Create VPN Connection


3. Enter the name tag (for example US_HQ)

4. Select the created Virtual Private Gateway

5. Under Customer Gateway, select Existing

6. Select the Customer Gateway that you have created

7. Under Routing Options, select Static

8. Fill in the following Static IP Prefixes: 10.6.0.0/20


9. Under Tunnel Options leave the default values as-is

10. Select Create VPN Connection


11. A message should display indicating that a VPN Connection Request was created successfully


Configuring the routing rules to the default gateway

1. Select the VPC section in the AWS Console and open the Route Table associated with your VPC

2. For the Route Tables menu option, select the routing table that is associated with the VPC you have created for the tunnel


3. Select Edit and add a new static route for the NordLayer subnet: fill in 10.6.0.0/20 in the destination field and your new VPN Gateway ID as the target (it appears under the subcategory Virtual Private Gateway).

4. Select Save

In case you have a customized security group associated with your VPC

Allow incoming connections from the NordLayer network in your security groups: configure your AWS security groups to allow all traffic from NordLayer (10.6.0.0/20), or allow only specific ports or services from that source.
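The four AWS-side sections above (customer gateway, virtual private gateway, VPN connection with its static route, route table entry and security group) expressed as one Terraform configuration. This is an added example, not NordLayer's or AWS's own code: it assumes the hashicorp/aws provider is already configured for your VPC's region, and the VPC id, route table id and NordLayer server address in the locals block are placeholders to replace.

```hcl
# Added example (not NordLayer's or AWS's own configuration): the console steps
# above as Terraform. Assumes the hashicorp/aws provider is configured for the
# region of your VPC.

locals {
  vpc_id              = "vpc-0123456789abcdef0" # placeholder: your VPC
  route_table_id      = "rtb-0123456789abcdef0" # placeholder: that VPC's route table
  nordlayer_server_ip = "203.0.113.10"          # placeholder: NordLayer dedicated server IP
  nordlayer_cidr      = "10.6.0.0/20"           # NordLayer network, static prefix of step 8
}

# "Configuring the tunnel in the AWS Console": the customer gateway is the
# NordLayer side. bgp_asn is required by the API even with static routing;
# 65000 is what the console fills in by default.
resource "aws_customer_gateway" "nordlayer" {
  bgp_asn    = 65000
  ip_address = local.nordlayer_server_ip
  type       = "ipsec.1"
  tags       = { Name = "US_HQ" }
}

# "Configuring a virtual private gateway": omitting amazon_side_asn keeps the
# Amazon default ASN; vpc_id performs the "Attach to VPC" step.
resource "aws_vpn_gateway" "this" {
  vpc_id = local.vpc_id
  tags   = { Name = "US_HQ" }
}

# "Creating a virtual private network connection" with static routing only.
# The tunnel options pin IKEv2 / AES256 / SHA256 / DH group 14 as the note at
# the top recommends; remove them to keep the AWS defaults of step 9.
resource "aws_vpn_connection" "nordlayer" {
  customer_gateway_id = aws_customer_gateway.nordlayer.id
  vpn_gateway_id      = aws_vpn_gateway.this.id
  type                = "ipsec.1"
  static_routes_only  = true
  tags                = { Name = "US_HQ" }

  tunnel1_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase1_dh_group_numbers      = [14]
  tunnel1_phase2_encryption_algorithms = ["AES256"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase2_dh_group_numbers      = [14]

  tunnel2_ike_versions                 = ["ikev2"]
  tunnel2_phase1_encryption_algorithms = ["AES256"]
  tunnel2_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase1_dh_group_numbers      = [14]
  tunnel2_phase2_encryption_algorithms = ["AES256"]
  tunnel2_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase2_dh_group_numbers      = [14]
}

# Step 8: the static IP prefix reachable through the connection.
resource "aws_vpn_connection_route" "nordlayer" {
  destination_cidr_block = local.nordlayer_cidr
  vpn_connection_id      = aws_vpn_connection.nordlayer.id
}

# "Configuring the routing rules": send 10.6.0.0/20 to the virtual private gateway.
resource "aws_route" "to_nordlayer" {
  route_table_id         = local.route_table_id
  destination_cidr_block = local.nordlayer_cidr
  gateway_id             = aws_vpn_gateway.this.id
}

# Security group variant of "allow only specific ports or services": inbound
# only from the NordLayer range, and only the port needed (HTTPS as an example).
resource "aws_security_group" "from_nordlayer" {
  name        = "allow-from-nordlayer"
  description = "Inbound from the NordLayer site-to-site network only"
  vpc_id      = local.vpc_id

  ingress {
    description = "HTTPS from NordLayer"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [local.nordlayer_cidr]
  }
}

# Same information as the console's Download Configuration button (generic XML
# form); it holds the pre-shared keys of both tunnels, so keep it sensitive.
output "customer_gateway_configuration" {
  value     = aws_vpn_connection.nordlayer.customer_gateway_configuration
  sensitive = true
}
```

After `terraform apply`, `terraform output -raw customer_gateway_configuration` returns the same data as the Download Configuration step in the next section (the two tunnels' public IPs and pre-shared keys), so you can hand those values to NordLayer without opening the console. Limiting the security group to 10.6.0.0/20 and a named port rather than all traffic is the narrower of the two options the text offers.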


Configuring the tunnel in your Platform

1. Return to Site-to-Site VPN Connections and select Download Configuration


2. Fill in the following information:

Examining the configuration file, you may notice that AWS has created two separate tunnels for the same VPN connection; NordLayer uses both of them.

Open the configuration file that you have downloaded. We will need the values of Public IP and Remote ID (both identical; marked in red in the attached example) and the Shared Secret (marked in yellow).

[Screenshot: example downloaded configuration file, with the Public IP / Remote ID and the Shared Secret highlighted]

Ending note:

In order to finalize the site-to-site setup on our end, we will need these values:

  • Pre-shared key - you can generate it or we can provide it
  • Encryption details (AES, SHA and DH group) - AES256, SHA256 and DH group 14 are recommended (the device must also support IKEv2)
  • Remote gateway/router public IP (must be reachable while connected to the dedicated server)
  • Remote subnet and mask (the subnet used in your local network)

Lastly, it is important to know what device or cloud network is being used (Ubiquiti, Fortigate, AWS, Google Cloud, etc.)

You can provide all of these values to us securely via privnote.com

In case you are experiencing different results, make sure that you have carefully gone through all the steps. If the issue persists, please feel free to contact our 24/7 customer support team.
