Configure Site-to-Site VPN Between Third Party Private Cloud and AWS
Let's start with why we need a VPN here.
Each cloud has its own private network. If we want to connect two different cloud service providers so that resources on either side can reach the other, we need an encrypted connection between the two networks across the public internet, and that is what a site-to-site VPN gives us.
Now let's move on to the issues I encountered while establishing the Site-to-Site VPN connection on the AWS side.
Here is the scenario:
I want to configure a Site-to-Site VPN with a third-party private cloud, where the source instances sit behind a VPN device that uses static routing.
How is it configured?
For the configuration we first need some details from the partner's end, which are required when creating the Site-to-Site VPN on AWS.
Parameters to be taken from the partner's side:
- VPN tunnel equipment type and OS/version
- Tunnel settings: peer (the public IP of their VPN device) and encryption domain (the prefixes on each side that define the interesting traffic)
- Phase 1 proposals: authentication (pre-shared key), tunnel encryption, tunnel hash, Diffie-Hellman group, lifetime measurement
- Phase 2 proposals: tunnel encryption, tunnel hash, Diffie-Hellman group, lifetime measurement, Perfect Forward Secrecy, compression
Once I had received all the required parameters, the next step was to
create the Site-to-Site VPN on AWS by following these steps:
- Navigate to the AWS Console and open the VPC service.
- Click Create Customer Gateway and enter the partner's details: the peer (public) IP address of their VPN device. The BGP ASN can stay at its default, since this connection will use static routing.
- Click on Create Gateway.
- Click on Create Virtual Private Gateway, create it, and attach it to the VPC that needs to reach the partner network.
- Click on Create Site-to-Site VPN.
- Give it a name, select the virtual private gateway we just created and the customer gateway, choose Static routing, and enter the partner's prefixes (their encryption domain) as static IP prefixes.
- Edit the tunnel options for each of the two tunnels.
Note: Use the same pre-shared key that was shared in the parameters for tunnel 1.
Note: They gave 5 as the Diffie-Hellman group, but in AWS 5 is not available, so I went back to them and they asked me to configure it on 2.
- Update the other settings (encryption, hash, lifetimes) as given in the parameters.
- Finally, enable route propagation from the virtual private gateway on the VPC route table (or add the partner prefixes manually with the virtual private gateway as the target); without this the tunnel comes up but nothing in the VPC is routed into it.
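The parameter sheet is easiest to sanity-check before touching the console. The script below is an added example, not code from the original post: it validates a constructed partner proposal against the values AWS accepts for Site-to-Site VPN tunnel options (this is exactly where the Diffie-Hellman problem shows up, because AWS accepts group 5 for Phase 2 but not for Phase 1) and emits the `--options` document for `aws ec2 create-vpn-connection`. The gateway IDs, tunnel inside CIDRs, pre-shared key and partner values are placeholders. It also flags groups 2 and 5 as weak (1024- and 1536-bit MODP), since group 14 or higher is the better fallback whenever the partner device can do it.

```python
"""Map a partner's IPsec proposal onto AWS Site-to-Site VPN tunnel options.

Added example, not code from the original post. The accepted values are the
ones AWS documents for Site-to-Site VPN tunnel options; the partner parameter
sheet, gateway IDs and inside CIDRs are constructed sample values.
"""
import copy
import json
import re

# Values AWS accepts for Site-to-Site VPN tunnel options, per IKE phase.
AWS_PHASE1 = {
    "encryption": {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"},
    "integrity": {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"},
    # Group 5 is deliberately absent: AWS accepts it for Phase 2 only.
    "dh_groups": {2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24},
    "lifetime_seconds": (900, 28800),
}
AWS_PHASE2 = {
    "encryption": AWS_PHASE1["encryption"],
    "integrity": AWS_PHASE1["integrity"],
    "dh_groups": {2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24},
    "lifetime_seconds": (900, 3600),
}
# Pre-shared key: 8-64 characters, alphanumeric plus '.' and '_', must not start with 0.
PSK_RE = re.compile(r"^[1-9A-Za-z._][A-Za-z0-9._]{7,63}$")
WEAK_DH_GROUPS = {2, 5}  # 1024-/1536-bit MODP; prefer group 14 or higher when the peer allows it


def _check_phase(name, proposal, allowed):
    """Return the reasons AWS would refuse this phase's proposal (empty list if none)."""
    problems = []
    if proposal["encryption"] not in allowed["encryption"]:
        problems.append(f"{name}: encryption {proposal['encryption']} not supported")
    if proposal["integrity"] not in allowed["integrity"]:
        problems.append(f"{name}: hash {proposal['integrity']} not supported")
    if proposal["dh_group"] not in allowed["dh_groups"]:
        problems.append(
            f"{name}: DH group {proposal['dh_group']} not supported "
            f"(AWS accepts {sorted(allowed['dh_groups'])})"
        )
    lo, hi = allowed["lifetime_seconds"]
    if not lo <= proposal["lifetime_seconds"] <= hi:
        problems.append(f"{name}: lifetime must be between {lo} and {hi} seconds")
    return problems


def validate(partner):
    """Collect everything in the partner's parameter sheet that AWS cannot match."""
    problems = []
    if not PSK_RE.match(partner["psk"]):
        problems.append("pre-shared key: 8-64 chars, alphanumeric/'.'/'_', must not start with 0")
    if partner["ike_version"] not in ("ikev1", "ikev2"):
        problems.append("IKE version must be ikev1 or ikev2")
    if not partner["pfs"]:
        problems.append("AWS negotiates Phase 2 with PFS; enable PFS on the partner device")
    problems += _check_phase("phase1", partner["phase1"], AWS_PHASE1)
    problems += _check_phase("phase2", partner["phase2"], AWS_PHASE2)
    return problems


def weak_groups(partner):
    """DH groups AWS would accept but that a reviewer should push back on."""
    return sorted({partner[p]["dh_group"] for p in ("phase1", "phase2")} & WEAK_DH_GROUPS)


def with_dh_group(partner, phase, group):
    """Copy of the parameter sheet with one phase's DH group replaced (the re-negotiated value)."""
    agreed = copy.deepcopy(partner)
    agreed[phase]["dh_group"] = group
    return agreed


def build_tunnel_options(partner, inside_cidrs=("169.254.10.0/30", "169.254.11.0/30")):
    """Return the --options document for create-vpn-connection with static routing."""
    problems = validate(partner)
    if problems:
        raise ValueError("; ".join(problems))
    p1, p2 = partner["phase1"], partner["phase2"]
    tunnels = []
    for cidr in inside_cidrs:
        tunnels.append({
            "TunnelInsideCidr": cidr,
            "PreSharedKey": partner["psk"],  # the post reuses the partner's key on both tunnels
            "IKEVersions": [{"Value": partner["ike_version"]}],
            "Phase1EncryptionAlgorithms": [{"Value": p1["encryption"]}],
            "Phase1IntegrityAlgorithms": [{"Value": p1["integrity"]}],
            "Phase1DHGroupNumbers": [{"Value": p1["dh_group"]}],
            "Phase1LifetimeSeconds": p1["lifetime_seconds"],
            "Phase2EncryptionAlgorithms": [{"Value": p2["encryption"]}],
            "Phase2IntegrityAlgorithms": [{"Value": p2["integrity"]}],
            "Phase2DHGroupNumbers": [{"Value": p2["dh_group"]}],
            "Phase2LifetimeSeconds": p2["lifetime_seconds"],
        })
    return {"StaticRoutesOnly": True, "TunnelOptions": tunnels}


def cli_command(options, cgw_id, vgw_id):
    """The aws CLI call that would create the connection (gateway IDs are placeholders)."""
    return (
        f"aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id {cgw_id} "
        f"--vpn-gateway-id {vgw_id} --options '{json.dumps(options)}'"
    )


# Constructed parameter sheet as received from the partner: DH group 5 in both phases.
PARTNER = {
    "peer_ip": "203.0.113.10",
    "psk": "examplePSK_2024",
    "ike_version": "ikev2",
    "pfs": True,
    "phase1": {"encryption": "AES256", "integrity": "SHA2-256", "dh_group": 5, "lifetime_seconds": 28800},
    "phase2": {"encryption": "AES256", "integrity": "SHA2-256", "dh_group": 5, "lifetime_seconds": 3600},
}

if __name__ == "__main__":
    print(validate(PARTNER))  # Phase 1 group 5 is refused; Phase 2 group 5 is accepted
    agreed = with_dh_group(PARTNER, "phase1", 14)  # group 2 would also pass, but is 1024-bit MODP
    print(cli_command(build_tunnel_options(agreed), "cgw-0123456789abcdef0", "vgw-0123456789abcdef0"))
```

Run it once against the partner's sheet before the call with them: a non-empty list from `validate()` is the list of things to renegotiate, and `weak_groups()` tells you which accepted values are still worth arguing about.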
Now I had configured everything and shared both tunnels' details with them, but what happened?
Only one tunnel was active!
Now the question is: why only one?
Here is the solution....
- Both VPN tunnels are up with static routing. Because the VPN was set up with static routing, asymmetric routing can occur: you cannot control which tunnel AWS uses for outbound traffic to the partner's side of the VPN connection.
- For example, if traffic enters AWS through Tunnel_A, the return traffic may be sent back to the partner through Tunnel_B. When this happens, the partner's firewall drops the packet, because it never saw the original flow on that tunnel. This limitation applies only to VPN connections configured with static routing; with dynamic (BGP) routing the partner can influence which tunnel AWS prefers through its route advertisements. Since the partner's firewall does not support asymmetric routing, the recommendation was to shut one tunnel down.
- Whenever AWS needs to carry out maintenance on one of your VPN tunnels, a notification with the maintenance schedule is sent to you; you can see it on the AWS Personal Health Dashboard (PHD). If the maintenance is scheduled for the active tunnel (say Tunnel_A), bring up the redundant tunnel (Tunnel_B) first so that it becomes active, and then shut down Tunnel_A for the maintenance window.
- This ensures that your data traffic is not affected while AWS carries out the tunnel maintenance.
- AWS supports only one pair of security associations (SAs) per tunnel at a time. If the customer gateway is policy-based and negotiates multiple SAs, one per local/remote network pair in its encryption domain (as it did in this case), VPN traffic becomes erratic, because only the network whose SA is currently established can communicate, and the SAs keep displacing each other.
- To avoid this, modify the encryption domain used to identify interesting traffic so that a single consolidated network pair is used: the VPC CIDR on the AWS side and one summary prefix on the partner side. That produces a single security association and resolves the interruptions. A route-based configuration on the partner device (a tunnel interface with a 0.0.0.0/0 to 0.0.0.0/0 policy) avoids the issue entirely.
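Both conditions above can be read straight out of `aws ec2 describe-vpn-connections`. The script below is an added example, not code from the original post; it runs over a constructed response shaped like the real one (`Options.StaticRoutesOnly`, `VgwTelemetry[].Status`, `Routes[].DestinationCidrBlock`) with documentation-range addresses. It flags both tunnels UP on a static-routing connection (the asymmetric-routing case), counts the SA pairs a policy-based peer would try to build from the static routes, and proposes the one summary prefix that lets a single SA pair carry everything, along with how much extra address space that summary admits.

```python
"""Check a Site-to-Site VPN for the two failure modes discussed in the post,
using the JSON that `aws ec2 describe-vpn-connections` returns.

Added example, not code from the original post. SAMPLE_DESCRIBE is a
constructed document shaped like the real API response.
"""
import ipaddress
import json

# Constructed describe-vpn-connections output: static routing, both tunnels UP,
# three partner prefixes configured as static routes.
SAMPLE_DESCRIBE = json.dumps({
    "VpnConnections": [{
        "VpnConnectionId": "vpn-0123456789abcdef0",
        "State": "available",
        "Options": {"StaticRoutesOnly": True},
        "VgwTelemetry": [
            {"OutsideIpAddress": "198.51.100.1", "Status": "UP", "AcceptedRouteCount": 3},
            {"OutsideIpAddress": "198.51.100.2", "Status": "UP", "AcceptedRouteCount": 3},
        ],
        "Routes": [
            {"DestinationCidrBlock": "10.20.0.0/24", "Source": "Static", "State": "available"},
            {"DestinationCidrBlock": "10.20.1.0/24", "Source": "Static", "State": "available"},
            {"DestinationCidrBlock": "10.20.4.0/22", "Source": "Static", "State": "available"},
        ],
    }]
})


def covering_supernet(cidrs):
    """Smallest single prefix that contains every CIDR in the list."""
    nets = [ipaddress.ip_network(c) for c in cidrs]
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()
    return cover


def with_tunnel_status(describe_json, index, status):
    """Copy of the document with one tunnel's telemetry status replaced (e.g. after shutting it down)."""
    doc = json.loads(describe_json)
    doc["VpnConnections"][0]["VgwTelemetry"][index]["Status"] = status
    return json.dumps(doc)


def assess(describe_json, vpc_cidr):
    """Evaluate the first VPN connection in the document against the VPC CIDR on the AWS side."""
    conn = json.loads(describe_json)["VpnConnections"][0]
    static = bool(conn.get("Options", {}).get("StaticRoutesOnly"))
    tunnels_up = [t["OutsideIpAddress"] for t in conn["VgwTelemetry"] if t["Status"] == "UP"]
    remote = [r["DestinationCidrBlock"] for r in conn["Routes"]]
    cover = covering_supernet(remote)
    routed = sum(ipaddress.ip_network(c).num_addresses for c in remote)
    return {
        "static_routing": static,
        "tunnels_up": tunnels_up,
        # With static routing AWS chooses the egress tunnel itself, so with both
        # tunnels up the partner firewall can see a reply arrive on the tunnel it
        # did not send the request through, and drop it.
        "asymmetric_routing_risk": static and len(tunnels_up) > 1,
        # A policy-based peer negotiates one Phase 2 SA per local/remote prefix
        # pair; AWS keeps only one SA pair per tunnel, so anything above 1 flaps.
        "policy_sa_pairs": len(remote),
        "single_sa_encryption_domain": {"local": vpc_cidr, "remote": str(cover)},
        # Addresses the summary admits that are not behind any configured route.
        "extra_space_in_summary": cover.num_addresses - routed,
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_DESCRIBE, "10.0.0.0/16"), indent=2))
    # After the partner shuts tunnel 2 (the post's final decision) the risk clears:
    print(assess(with_tunnel_status(SAMPLE_DESCRIBE, 1, "DOWN"), "10.0.0.0/16")["asymmetric_routing_risk"])
```

The summary prefix is a proposal, not a free lunch: `extra_space_in_summary` is address space the partner device will now accept into the tunnel even though nothing is routed there, so keep the AWS static routes as specific as they were and only widen the proxy IDs on the partner side.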
So the final decision was to keep one tunnel down on the AWS connection, because the partner is using static routing.
That is how all the issues were resolved and I was able to bring up the VPN connection.
While configuring the VPN I ran into some issues, and I have explained the complete process of resolving them. I hope this blog helps you resolve the issues you encounter too.
Thank you.
Please feel free to reach out
consultingteam@ankercloud.com