s2s VPN User Guide
AWS Site-to-Site VPN User Guide
Amazon's trademarks and trade dress may not be used in connection with any product or service that is not
Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or
discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may
or may not be affiliated with, connected to, or sponsored by Amazon.
Table of Contents
What is Site-to-Site VPN ..................................................................................................................... 1
Concepts ................................................................................................................................... 1
Working with Site-to-Site VPN ..................................................................................................... 1
Site-to-Site VPN limitations ......................................................................................................... 2
Pricing ...................................................................................................................................... 2
How AWS Site-to-Site VPN works ........................................................................................................ 3
Site-to-Site VPN Components ...................................................................................................... 3
Virtual private gateway ....................................................................................................... 3
Transit gateway ................................................................................................................. 3
Customer gateway device .................................................................................................... 4
Customer gateway ............................................................................................................. 4
IPv4 and IPv6 support ................................................................................................................ 4
Site-to-Site VPN categories ......................................................................................................... 4
Site-to-Site VPN tunnel options ................................................................................................... 5
Site-to-Site VPN tunnel authentication options .............................................................................. 9
Pre-shared keys ................................................................................................................. 9
Private certificate from AWS Certificate Manager Private Certificate Authority ............................ 9
Site-to-Site VPN tunnel initiation options .................................................................................... 10
VPN tunnel IKE initiation options ....................................................................................... 10
Rules and limitations ........................................................................................................ 10
Working with VPN tunnel initiation options ......................................................................... 11
Endpoint replacements ............................................................................................................. 11
Endpoint replacements during VPN tunnel updates .............................................................. 11
Endpoint replacements during VPN connection modifications ................................................ 11
Customer gateway options ........................................................................................................ 12
Accelerated Site-to-Site VPN connections .................................................................................... 13
Enabling acceleration ........................................................................................................ 13
Rules and restrictions ........................................................................................................ 13
Pricing ............................................................................................................................ 14
Site-to-Site VPN routing options ................................................................................................ 14
Static and dynamic routing ................................................................................................ 14
Route tables and VPN route priority ................................................................................... 15
Routing during VPN tunnel endpoint updates ...................................................................... 16
IPv4 and IPv6 traffic ......................................................................................................... 16
Getting started ................................................................................................................................ 18
Prerequisites ............................................................................................................................ 18
Create a customer gateway ....................................................................................................... 19
Create a target gateway ............................................................................................................ 20
Create a virtual private gateway ......................................................................................... 20
Create a transit gateway ................................................................................................... 20
Configure routing ..................................................................................................................... 20
(Virtual private gateway) Enable route propagation in your route table .................................... 21
(Transit gateway) Add a route to your route table ................................................................ 22
Update your security group ....................................................................................................... 22
Create a Site-to-Site VPN connection .......................................................................................... 22
Download the configuration file ................................................................................................. 23
Configure the customer gateway device ...................................................................................... 24
Architectures .................................................................................................................................... 25
Single and multiple connection examples .................................................................................... 25
Single Site-to-Site VPN connection ..................................................................................... 25
Single Site-to-Site VPN connection with a transit gateway ..................................................... 25
Multiple Site-to-Site VPN connections ................................................................................. 26
Multiple Site-to-Site VPN connections with a transit gateway ................................................. 26
Site-to-Site VPN connection with AWS Direct Connect .......................................................... 27
Step 5: Update the transit gateway routing (required when the new gateway is a transit
gateway) ....................................................................................................................... 110
Step 6: Update the customer gateway ASN (required when the new gateway has a different
ASN from the old gateway) ............................................................................................. 110
Modifying Site-to-Site VPN connection options .......................................................................... 110
Modifying Site-to-Site VPN tunnel options ................................................................................ 110
Editing static routes for a Site-to-Site VPN connection ................................................................ 111
Changing the customer gateway for a Site-to-Site VPN connection ............................................... 112
Replacing compromised credentials .......................................................................................... 112
Rotating Site-to-Site VPN tunnel endpoint certificates ................................................................ 113
Security ......................................................................................................................................... 114
Data protection ...................................................................................................................... 114
Internetwork traffic privacy .............................................................................................. 115
Identity and access management .............................................................................................. 116
IAM policies for your Site-to-Site VPN connection ............................................................... 116
Service-linked role .......................................................................................................... 119
Logging and monitoring .......................................................................................................... 119
Resilience .............................................................................................................................. 120
Two tunnels per VPN connection ...................................................................................... 120
Redundancy ................................................................................................................... 120
Infrastructure security ............................................................................................................. 121
Monitoring your Site-to-Site VPN connection ..................................................................................... 122
Monitoring tools ..................................................................................................................... 122
Automated monitoring tools ............................................................................................ 122
Manual monitoring tools ................................................................................................. 123
Monitoring VPN tunnels using Amazon CloudWatch .................................................................... 123
VPN tunnel metrics and dimensions .................................................................................. 124
Viewing VPN tunnel CloudWatch metrics ........................................................................... 124
Creating CloudWatch alarms to monitor VPN tunnels .......................................................... 125
Monitoring VPN connections using AWS Health events ................................................................ 127
Tunnel endpoint replacement notifications ........................................................................ 127
Single tunnel VPN notifications ........................................................................................ 127
Quotas .......................................................................................................................................... 128
Site-to-Site VPN resources ....................................................................................................... 128
Routes ................................................................................................................................... 128
Bandwidth and throughput ...................................................................................................... 128
Maximum transmission unit (MTU) ............................................................................................ 129
Additional quota resources ...................................................................................................... 129
Document history ........................................................................................................................... 130
Although the term VPN connection is a general term, in this documentation, a VPN connection refers
to the connection between your VPC and your own on-premises network. Site-to-Site VPN supports
Internet Protocol security (IPsec) VPN connections.
Your Site-to-Site VPN connection is either an AWS Classic VPN or an AWS VPN. For more information, see
Site-to-Site VPN categories (p. 4).
Concepts
The following are the key concepts for Site-to-Site VPN:
• VPN connection: A secure connection between your on-premises equipment and your VPCs.
• VPN tunnel: An encrypted link where data can pass from the customer network to or from AWS.
Each VPN connection includes two VPN tunnels which you can simultaneously use for high availability.
• Customer gateway: An AWS resource which provides information to AWS about your customer
gateway device.
• Customer gateway device: A physical device or software application on your side of the Site-to-Site
VPN connection.
• Virtual private gateway: The VPN concentrator on the Amazon side of the Site-to-Site VPN
connection. You use a virtual private gateway or a transit gateway as the gateway for the Amazon side
of the Site-to-Site VPN connection.
• Transit gateway: A transit hub that can be used to interconnect your VPCs and on-premises networks.
You use a transit gateway or virtual private gateway as the gateway for the Amazon side of the Site-
to-Site VPN connection.
• AWS Management Console: Provides a web interface that you can use to access your Site-to-Site
VPN resources.
• AWS Command Line Interface (AWS CLI): Provides commands for a broad set of AWS services,
including Amazon VPC, and is supported on Windows, macOS, and Linux. For more information, see
AWS Command Line Interface.
• AWS SDKs: Provide language-specific APIs and take care of many of the connection details, such
as calculating signatures, handling request retries, and handling errors. For more information, see AWS
SDKs.
• Query API: Provides low-level API actions that you call using HTTPS requests. Using the Query API
is the most direct way to access Amazon VPC, but it requires that your application handle low-level
details such as generating the hash to sign the request and handling errors. For more information, see
the Amazon EC2 API Reference.
Site-to-Site VPN limitations
• IPv6 traffic is not supported for VPN connections on a virtual private gateway.
• An AWS VPN connection does not support Path MTU Discovery.
In addition, take the following into consideration when you use Site-to-Site VPN.
• When connecting your VPCs to a common on-premises network, we recommend that you use non-
overlapping CIDR blocks for your networks.
Pricing
For information about pricing, see VPN pricing.
Site-to-Site VPN Components
A Site-to-Site VPN connection consists of the following components. For more information about Site-
to-Site VPN quotas, see Site-to-Site VPN quotas (p. 128).
Contents
• Virtual private gateway (p. 3)
• Transit gateway (p. 3)
• Customer gateway device (p. 4)
• Customer gateway (p. 4)
Virtual private gateway
When you create a virtual private gateway, you can specify the private Autonomous System Number
(ASN) for the Amazon side of the gateway. If you don't specify an ASN, the virtual private gateway
is created with the default ASN (64512). You cannot change the ASN after you've created the virtual
private gateway. To check the ASN for your virtual private gateway, view its details in the Virtual Private
Gateways screen in the Amazon VPC console, or use the describe-vpn-gateways AWS CLI command.
Note
If you created your virtual private gateway before 2018-06-30, the default ASN is 17493 in the
Asia Pacific (Singapore) region, 10124 in the Asia Pacific (Tokyo) region, 9059 in the Europe
(Ireland) region, and 7224 in all other regions.
Transit gateway
A transit gateway is a transit hub that you can use to interconnect your virtual private clouds (VPC) and
on-premises networks. For more information, see Amazon VPC Transit Gateways. You can create a Site-
to-Site VPN connection as an attachment on a transit gateway.
You can modify the target gateway of a Site-to-Site VPN connection from a virtual private gateway to a
transit gateway. For more information, see the section called “Modifying a Site-to-Site VPN connection's
target gateway” (p. 107).
Customer gateway device
By default, your customer gateway device must bring up the tunnels for your Site-to-Site VPN
connection by generating traffic and initiating the Internet Key Exchange (IKE) negotiation process. You
can configure your Site-to-Site VPN connection to specify that AWS must initiate the IKE negotiation
process instead. For more information, see Site-to-Site VPN tunnel initiation options (p. 10).
Customer gateway
A customer gateway is a resource that you create in AWS that represents the customer gateway device in
your on-premises network. When you create a customer gateway, you provide information about your
device to AWS. For more information, see the section called “Customer gateway options” (p. 12).
To use Amazon VPC with a Site-to-Site VPN connection, you or your network administrator must also
configure the customer gateway device or application in your remote network. When you create the Site-
to-Site VPN connection, we provide you with the required configuration information and your network
administrator typically performs this configuration. For information about the customer gateway
requirements and configuration, see Your customer gateway device (p. 32).
Site-to-Site VPN categories
For information about identifying and migrating your connection, see the section called “Identifying a
Site-to-Site VPN connection” (p. 98) and the section called “Migrating from AWS Classic VPN to AWS
VPN” (p. 99).
The following diagram shows the two tunnels of the Site-to-Site VPN connection.
Site-to-Site VPN tunnel options
When you create a Site-to-Site VPN connection, you download a configuration file specific to your
customer gateway device that contains information for configuring the device, including information for
configuring each tunnel. You can optionally specify some of the tunnel options yourself when you create
the Site-to-Site VPN connection. Otherwise, AWS provides default values.
Note
Site-to-Site VPN tunnel endpoints evaluate proposals from your customer gateway starting
with the lowest configured value from the list below, regardless of the proposal order from
the customer gateway. You can use the modify-vpn-connection-options command to
restrict the list of options AWS endpoints will accept. For more information, see modify-vpn-
connection-options in Amazon EC2 Command Line Reference.
The following are the tunnel options that you can configure.
DPD timeout (seconds)
The duration, in seconds, after which dead peer detection (DPD) timeout occurs. You can specify 30 or higher.
Default: 30
DPD timeout action
The action to take after dead peer detection (DPD) timeout occurs. You can specify the following:
• Clear: End the IKE session when DPD timeout occurs (stop the tunnel and clear the routes)
• None: Take no action when DPD timeout occurs
• Restart: Restart the IKE session when DPD timeout occurs
For more information, see Site-to-Site VPN tunnel initiation options (p. 10).
Default: Clear
IKE versions
The IKE versions that are permitted for the VPN tunnel. You can specify one or more of the default
values.
Inside tunnel IPv4 CIDR
The range of inside (internal) IPv4 addresses for the VPN tunnel. You can specify a size /30 CIDR
block from the 169.254.0.0/16 range. The CIDR block must be unique across all Site-to-Site VPN
connections that use the same virtual private gateway.
Default: A size /30 IPv4 CIDR block from the 169.254.0.0/16 range.
Inside tunnel IPv6 CIDR
(IPv6 VPN connections only) The range of inside (internal) IPv6 addresses for the VPN tunnel. You
can specify a size /126 CIDR block from the local fd00::/8 range. The CIDR block must be unique
across all Site-to-Site VPN connections that use the same transit gateway.
Default: A size /126 IPv6 CIDR block from the local fd00::/8 range.
Local IPv4 Network CIDR
(IPv4 VPN connection only) The IPv4 CIDR range on the customer gateway (on-premises) side that is
allowed to communicate over the VPN tunnels.
Default: 0.0.0.0/0
Remote IPv4 Network CIDR
(IPv4 VPN connection only) The IPv4 CIDR range on the AWS side that is allowed to communicate
over the VPN tunnels.
Default: 0.0.0.0/0
Local IPv6 Network CIDR
(IPv6 VPN connection only) The IPv6 CIDR range on the customer gateway (on-premises) side that is
allowed to communicate over the VPN tunnels.
Default: ::/0
Remote IPv6 Network CIDR
(IPv6 VPN connection only) The IPv6 CIDR range on the AWS side that is allowed to communicate
over the VPN tunnels.
Default: ::/0
Phase 1 Diffie-Hellman (DH) group numbers
The DH group numbers that are permitted for the VPN tunnel for phase 1 of the IKE negotiations.
You can specify one or more of the default values.
Default: 2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24
Phase 2 Diffie-Hellman (DH) group numbers
The DH group numbers that are permitted for the VPN tunnel for phase 2 of the IKE negotiations.
You can specify one or more of the default values.
Default: 2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24
Phase 1 encryption algorithms
The encryption algorithms that are permitted for the VPN tunnel for phase 1 of the IKE negotiations.
You can specify one or more of the default values.
Phase 2 encryption algorithms
The encryption algorithms that are permitted for the VPN tunnel for phase 2 of the IKE negotiations. You
can specify one or more of the default values.
Phase 1 integrity algorithms
The integrity algorithms that are permitted for the VPN tunnel for phase 1 of the IKE negotiations.
You can specify one or more of the default values.
Phase 2 integrity algorithms
The integrity algorithms that are permitted for the VPN tunnel for phase 2 of the IKE negotiations.
You can specify one or more of the default values.
Phase 1 lifetime (seconds)
The lifetime in seconds for phase 1 of the IKE negotiations. You can specify a number between 900
and 28,800.
Phase 2 lifetime (seconds)
The lifetime in seconds for phase 2 of the IKE negotiations. You can specify a number between 900
and 3,600. The number that you specify must be less than the number of seconds for the phase 1
lifetime.
Pre-shared key (PSK)
The pre-shared key (PSK) to establish the initial Internet Key Exchange (IKE) security association
between the virtual private gateway and customer gateway.
The PSK must be between 8 and 64 characters in length and cannot start with zero (0). Allowed
characters are alphanumeric characters, periods (.), and underscores (_).
Rekey fuzz (percentage)
The percentage of the rekey window (determined by the rekey margin time) within which the rekey
time is randomly selected.
Default: 100
Rekey margin time
The margin time in seconds before the phase 2 lifetime expires, during which the AWS side of the
VPN connection performs an IKE rekey.
You can specify a number between 60 and half of the value of the phase 2 lifetime seconds.
The exact time of the rekey is randomly selected based on the value for rekey fuzz.
Default: 1024
Startup action
The action to take when establishing the tunnel for a VPN connection. You can specify the following:
• Start: AWS initiates the IKE negotiation to bring the tunnel up. Only supported if your customer
gateway is configured with an IP address.
• Add: Your customer gateway device must initiate the IKE negotiation to bring the tunnel up.
For more information, see Site-to-Site VPN tunnel initiation options (p. 10).
Default: Add
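The constraints stated above can be checked before a connection is created or modified. The following is an added example and not AWS code; the TunnelOptions field names are this example's own rather than EC2 API parameter names, and it also applies the rule, stated later in this guide, that AWS-initiated IKE (startup action Start) requires a customer gateway IP address and IKEv2.

```python
"""Check Site-to-Site VPN tunnel option values against the rules stated in
this section. Added example, not AWS code: the TunnelOptions field names and
the "ikev2" label are this example's own, not EC2 API parameter names."""
import re
from dataclasses import dataclass, field
from ipaddress import ip_network
from typing import Iterable, List, Optional

# Permitted sets and ranges exactly as the section lists them.
PHASE1_DH_GROUPS = {2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24}
PHASE2_DH_GROUPS = {2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24}
INSIDE_V4_RANGE = ip_network("169.254.0.0/16")
INSIDE_V6_RANGE = ip_network("fd00::/8")
# PSK: 8-64 chars, alphanumeric plus '.' and '_', must not start with '0'.
PSK_RE = re.compile(r"^[A-Za-z1-9._][A-Za-z0-9._]{7,63}$")


@dataclass
class TunnelOptions:
    phase1_lifetime_s: int
    phase2_lifetime_s: int
    rekey_margin_s: int
    pre_shared_key: str
    inside_ipv4_cidr: Optional[str] = None
    inside_ipv6_cidr: Optional[str] = None
    dpd_timeout_s: int = 30            # section default
    dpd_timeout_action: str = "Clear"  # section default
    startup_action: str = "Add"        # section default
    rekey_fuzz_pct: int = 100          # section default
    ike_versions: List[str] = field(default_factory=lambda: ["ikev2"])
    phase1_dh_groups: List[int] = field(default_factory=lambda: [14])
    phase2_dh_groups: List[int] = field(default_factory=lambda: [14])
    customer_gateway_ip: Optional[str] = None  # needed for AWS-initiated IKE


def _check_inside_cidr(cidr: str, version: int, prefix: int, parent,
                       label: str, errors: List[str]):
    """Append an error unless cidr is a valid /prefix network inside parent."""
    try:
        net = ip_network(cidr)  # strict: host bits must be zero
    except ValueError:
        errors.append(f"{label} is not a valid network CIDR")
        return None
    if net.version != version or net.prefixlen != prefix or not net.subnet_of(parent):
        errors.append(f"{label} must be a /{prefix} block from {parent}")
    return net


def validate_tunnel_options(o: TunnelOptions,
                            inside_cidrs_in_use: Iterable[str] = ()) -> List[str]:
    """Return the rule violations found (empty list = consistent with the
    section). inside_cidrs_in_use: inside IPv4 CIDRs already assigned to other
    tunnels on the same virtual private gateway, which must stay unique."""
    errors: List[str] = []
    if o.dpd_timeout_s < 30:
        errors.append("DPD timeout must be 30 seconds or higher")
    if o.dpd_timeout_action not in {"Clear", "None", "Restart"}:
        errors.append("DPD timeout action must be Clear, None or Restart")
    if o.startup_action not in {"Add", "Start"}:
        errors.append("Startup action must be Add or Start")
    elif o.startup_action == "Start":
        # AWS can only initiate IKE when it knows the customer gateway IP
        # address, and AWS-side initiation is supported for IKEv2 only.
        if not o.customer_gateway_ip:
            errors.append("Start requires a customer gateway IP address")
        if "ikev2" not in [v.lower() for v in o.ike_versions]:
            errors.append("Start (AWS-initiated IKE) requires IKEv2")
    if not 900 <= o.phase1_lifetime_s <= 28800:
        errors.append("Phase 1 lifetime must be 900-28800 seconds")
    if not 900 <= o.phase2_lifetime_s <= 3600:
        errors.append("Phase 2 lifetime must be 900-3600 seconds")
    if o.phase2_lifetime_s >= o.phase1_lifetime_s:
        errors.append("Phase 2 lifetime must be less than the phase 1 lifetime")
    # Rekey margin: 60 s up to half of the phase 2 lifetime.
    if not 60 <= o.rekey_margin_s <= o.phase2_lifetime_s // 2:
        errors.append("Rekey margin must be 60 s to half the phase 2 lifetime")
    if not 0 <= o.rekey_fuzz_pct <= 100:  # assumption: a percentage, 0-100
        errors.append("Rekey fuzz must be a percentage from 0 to 100")
    if not PSK_RE.match(o.pre_shared_key):
        errors.append("PSK must be 8-64 chars of [A-Za-z0-9._] and not start with 0")
    if not o.phase1_dh_groups or not set(o.phase1_dh_groups) <= PHASE1_DH_GROUPS:
        errors.append("Phase 1 DH groups must be one or more of the permitted set")
    if not o.phase2_dh_groups or not set(o.phase2_dh_groups) <= PHASE2_DH_GROUPS:
        errors.append("Phase 2 DH groups must be one or more of the permitted set")
    if o.inside_ipv4_cidr is not None:
        net = _check_inside_cidr(o.inside_ipv4_cidr, 4, 30, INSIDE_V4_RANGE,
                                 "Inside IPv4 CIDR", errors)
        if net is not None and any(net == ip_network(c) for c in inside_cidrs_in_use):
            errors.append("Inside IPv4 CIDR is already used on this virtual private gateway")
    if o.inside_ipv6_cidr is not None:
        _check_inside_cidr(o.inside_ipv6_cidr, 6, 126, INSIDE_V6_RANGE,
                           "Inside IPv6 CIDR", errors)
    return errors
```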
You can specify the tunnel options when you create a Site-to-Site VPN connection, or you can modify the
tunnel options for an existing VPN connection. You cannot configure tunnel options for an AWS Classic
VPN connection. For more information, see the following topics:
Site-to-Site VPN tunnel authentication options
Pre-shared keys
A pre-shared key is the default authentication option.
A pre-shared key is a Site-to-Site VPN tunnel option that you can specify when you create a Site-to-Site
VPN tunnel.
A pre-shared key is a string that you enter when you configure your customer gateway device. If you do
not specify a string, we auto-generate one for you. For more information, see Your customer gateway
device (p. 32).
Private certificate from AWS Certificate Manager Private Certificate Authority
You must create a private certificate from a subordinate CA using AWS Certificate Manager Private
Certificate Authority (ACM Private CA). To sign the ACM subordinate CA, you can use an ACM Root CA or
an external CA. For more information about creating a private certificate, see Creating and Managing a
Private CA in the AWS Certificate Manager Private Certificate Authority User Guide.
You must create a service-link role to generate and use the certificate for the AWS side of the Site-to-Site
VPN tunnel endpoint. For more information, see the section called “Permissions granted by the service-
linked role” (p. 119).
After you generate the private certificate, you specify the certificate when you create the customer
gateway, and then apply it to your customer gateway device.
If you do not specify the IP address of your customer gateway device, we do not check the IP address.
This allows you to move the customer gateway device to a different IP address without having to
re-configure the VPN connection.
Site-to-Site VPN tunnel initiation options
VPN tunnel IKE initiation options
• Startup action: The action to take when establishing the VPN tunnel for a new or modified VPN
connection. By default, your customer gateway device initiates the IKE negotiation process to bring the
tunnel up. You can specify that AWS must initiate the IKE negotiation process instead.
• DPD timeout action: The action to take after dead peer detection (DPD) timeout occurs. By default,
the IKE session is stopped, the tunnel goes down, and the routes are removed. You can specify that
AWS must restart the IKE session when DPD timeout occurs, or you can specify that AWS must take no
action when DPD timeout occurs.
You can configure the IKE initiation options for one or both of the VPN tunnels in your Site-to-Site VPN
connection.
Rules and limitations
• To initiate IKE negotiation, AWS requires the public IP address of your customer gateway device. If
you configured certificate-based authentication for your VPN connection and you did not specify
an IP address when you created the customer gateway resource in AWS, you must create a new
customer gateway and specify the IP address. Then, modify the VPN connection and specify the new
customer gateway. For more information, see Changing the customer gateway for a Site-to-Site VPN
connection (p. 112).
• You cannot configure IKE initiation options for an AWS Classic VPN connection.
• IKE initiation (startup action) from the AWS side of the VPN connection is supported for IKEv2 only.
• If your customer gateway device is behind a firewall or other device using Network Address Translation
(NAT), it must have an identity (IDr) configured. For more information about IDr, see RFC 7296.
If you do not configure IKE initiation from the AWS side for your VPN tunnel and the VPN connection
experiences a period of idle time (usually 10 seconds, depending on your configuration), the tunnel
might go down. To prevent this, you can use a network monitoring tool to generate keepalive pings.
Working with VPN tunnel initiation options
• To create a new VPN connection and specify the VPN tunnel initiation options: Create a Site-to-Site
VPN connection (p. 22)
• To modify the VPN tunnel initiation options for an existing VPN connection: Modifying Site-to-Site
VPN tunnel options (p. 110)
Endpoint replacements
If your tunnel endpoint has been replaced, AWS sends a notification through a Personal Health
Dashboard event. For more information, see Monitoring VPN connections using AWS Health
events (p. 127).
Endpoint replacements during VPN tunnel updates
• To apply general upgrades, such as patches, resiliency improvements, and other enhancements
• To retire underlying hardware
• When automated monitoring determines that a VPN tunnel endpoint is unhealthy
AWS applies tunnel endpoint updates to one tunnel of your VPN connection at a time, during which time
your VPN connection might experience a brief loss of redundancy. It’s therefore important to configure
both tunnels in your VPN connection for high availability.
Endpoint replacements during VPN connection modifications
Modify the target gateway for the VPN connection (p. 107), using ModifyVpnConnection: both tunnels are
unavailable while new tunnel endpoints are provisioned.
Customer gateway options
Item: (Optional) Internet-routable IP address (static) of the customer gateway device's external interface.
Description: The public IP address value must be static. If your customer gateway is behind a network
address translation (NAT) device that's enabled for NAT traversal (NAT-T), use the public IP address of
your NAT device, and adjust your firewall rules to unblock UDP port 4500.

Item: The type of routing (static or dynamic).
Description: For more information, see Site-to-Site VPN routing options (p. 14).

Item: (Dynamic routing only) Border Gateway Protocol (BGP) Autonomous System Number (ASN) of the
customer gateway.
Description: You can use an existing public ASN assigned to your network. If you don't have one, you can
use a private ASN in the 64512–65534 range. The default ASN is 65000.

Item: (Optional) Private certificate from a subordinate CA using AWS Certificate Manager (ACM).
Description: If you want to use certificate-based authentication, provide the ARN of an ACM private
certificate that will be used on your customer gateway device. When you choose to use this option, you
create an entirely AWS-hosted private certificate authority (CA) for internal use by your organization.
Both the root CA certificate and subordinate CA certificates are stored and managed by ACM Private CA.
Accelerated Site-to-Site VPN connections
When you create an accelerated VPN connection, we create and manage two accelerators on your behalf,
one for each VPN tunnel. You cannot view or manage these accelerators yourself by using the AWS
Global Accelerator console or APIs.
For information about the AWS Regions that support Accelerated VPN connections, see the AWS
Accelerated Site-to-Site VPN FAQs.
Enabling acceleration
By default, when you create a Site-to-Site VPN connection, acceleration is disabled. You can optionally
enable acceleration when you create a new Site-to-Site VPN attachment on a transit gateway. For more
information and steps, see Creating a transit gateway VPN attachment (p. 103).
Accelerated VPN connections use a separate pool of IP addresses for the tunnel endpoint IP addresses.
The IP addresses for the two VPN tunnels are selected from two separate network zones.
Rules and restrictions
• Acceleration is only supported for Site-to-Site VPN connections that are attached to a transit gateway.
Virtual private gateways do not support accelerated VPN connections.
• An Accelerated Site-to-Site VPN connection cannot be used with an AWS Direct Connect public virtual
interface.
• You cannot turn on or turn off acceleration for an existing Site-to-Site VPN connection. Instead, you
can create a new Site-to-Site VPN connection with acceleration on or off as needed. Then, configure
your customer gateway device to use the new Site-to-Site VPN connection and delete the old Site-to-
Site VPN connection.
• NAT-traversal (NAT-T) is required for an accelerated VPN connection and is enabled by default. If you
downloaded a configuration file (p. 23) from the Amazon VPC console, check the NAT-T setting and
adjust it if necessary.
• IKE rekeys for accelerated VPN tunnels must be initiated from the customer gateway device to keep
the tunnels up.
• Site-to-Site VPN connections that use certificate-based authentication might not be compatible
with AWS Global Accelerator, due to limited support for packet fragmentation in Global Accelerator.
For more information, see How AWS Global Accelerator works. If you require an accelerated VPN
connection that uses certificate-based authentication, then your customer gateway device must
support IKE fragmentation. Otherwise, do not enable your VPN for acceleration.
Pricing
Hourly charges apply for a Site-to-Site VPN connection. For more information, see AWS VPN pricing.
When you create an accelerated VPN connection, we create and manage two accelerators on your behalf.
You are charged an hourly rate and data transfer costs for each accelerator. For more information, see
AWS Global Accelerator pricing.
• Specify the type of routing that you plan to use (static or dynamic)
• Update the route table for your subnet
There are quotas on the number of routes that you can add to a route table. For more information, see
the Route Tables section in Amazon VPC quotas in the Amazon VPC User Guide.
Topics
• Static and dynamic routing (p. 14)
• Route tables and VPN route priority (p. 15)
• Routing during VPN tunnel endpoint updates (p. 16)
• IPv4 and IPv6 traffic (p. 16)
If you use a device that supports BGP advertising, you don't specify static routes to the Site-to-Site VPN
connection because the device uses BGP to advertise its routes to the virtual private gateway. If you use
a device that doesn't support BGP advertising, you must select static routing and enter the routes (IP
prefixes) for your network that should be communicated to the virtual private gateway.
We recommend that you use BGP-capable devices, when available, because the BGP protocol offers
robust liveness detection checks that can assist failover to the second VPN tunnel if the first tunnel goes
down. Devices that don't support BGP may also perform health checks to assist failover to the second
tunnel when needed.
You must configure your customer gateway device to route traffic from your on-premises network to the
Site-to-Site VPN connection. The configuration depends on the make and model of your device. For more
information, see Your customer gateway device (p. 32).
We use the most specific route in your route table that matches the traffic to determine how to route the
traffic (longest prefix match). If your route table has overlapping or matching routes, the following rules
apply:
• If propagated routes from a Site-to-Site VPN connection or AWS Direct Connect connection overlap
with the local route for your VPC, the local route is most preferred even if the propagated routes are
more specific.
• If propagated routes from a Site-to-Site VPN connection or AWS Direct Connect connection have the
same destination CIDR block as other existing static routes (longest prefix match cannot be applied),
we prioritize the static routes whose targets are an internet gateway, a virtual private gateway, a
network interface, an instance ID, a VPC peering connection, a NAT gateway, a transit gateway, or a
gateway VPC endpoint.
For example, the following route table has a static route to an internet gateway, and a propagated route
to a virtual private gateway. Both routes have a destination of 172.31.0.0/24. In this case, all traffic
destined for 172.31.0.0/24 is routed to the internet gateway — it is a static route and therefore takes
priority over the propagated route.
Destination Target
10.0.0.0/16 Local
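As an added example (not code from the guide or from AWS), the following Python models the route-selection rules stated above: longest prefix match, the local route winning over overlapping propagated routes, and a static route winning a same-CIDR tie against a propagated route. Target IDs such as igw-EXAMPLE and vgw-EXAMPLE are placeholders.

```python
"""Route selection in a VPC route table, modelled on the rules stated above.

Added example, not AWS code. Target IDs such as igw-EXAMPLE are placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    destination: str          # CIDR block, e.g. "172.31.0.0/24"
    target: str               # "local", or a gateway/interface ID such as "igw-EXAMPLE"
    propagated: bool = False  # True if learned from a Site-to-Site VPN or Direct Connect


# Target types whose static routes win a same-CIDR tie against propagated routes
# (the list given above, expressed as AWS resource ID prefixes).
STATIC_TIE_WINNERS = ("igw-", "vgw-", "eni-", "i-", "pcx-", "nat-", "tgw-", "vpce-")


def select_route(routes, dst):
    """Return the Route that traffic to the address `dst` follows, or None."""
    addr = ip_address(dst)
    matches = [r for r in routes if addr in ip_network(r.destination)]
    if not matches:
        return None

    # Rule 1: the VPC's local route is preferred over overlapping propagated
    # routes even when the propagated routes are more specific.
    if any(r.target == "local" for r in matches):
        matches = [r for r in matches if not r.propagated]

    # Longest prefix match among the remaining candidates.
    longest = max(ip_network(r.destination).prefixlen for r in matches)
    matches = [r for r in matches if ip_network(r.destination).prefixlen == longest]

    # Rule 2: on an exact CIDR tie, a static route to one of the listed target
    # types beats a propagated route with the same destination.
    static_winners = [
        r for r in matches
        if not r.propagated and r.target.startswith(STATIC_TIE_WINNERS)
    ]
    return (static_winners or matches)[0]


# Constructed route table reproducing the situation described above: a static
# route to an internet gateway and a propagated route to a virtual private
# gateway share the destination 172.31.0.0/24.
EXAMPLE_TABLE = [
    Route("10.0.0.0/16", "local"),
    Route("10.0.1.0/24", "vgw-EXAMPLE", propagated=True),    # more specific than local
    Route("172.31.0.0/24", "igw-EXAMPLE"),                   # static
    Route("172.31.0.0/24", "vgw-EXAMPLE", propagated=True),  # propagated, same CIDR
    Route("192.168.0.0/16", "vgw-EXAMPLE", propagated=True),
    Route("192.168.10.0/24", "vgw-EXAMPLE", propagated=True),
]


if __name__ == "__main__":
    for dst in ("10.0.1.5", "172.31.0.9", "192.168.10.7", "203.0.113.1"):
        route = select_route(EXAMPLE_TABLE, dst)
        print(dst, "->", route.destination + " via " + route.target if route else "no route")
```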
Only IP prefixes that are known to the virtual private gateway, whether through BGP advertisements or a
static route entry, can receive traffic from your VPC. The virtual private gateway does not route any other
traffic destined outside of received BGP advertisements, static route entries, or its attached VPC CIDR.
Virtual private gateways do not support IPv6 traffic.
When a virtual private gateway receives routing information, it uses path selection to determine how to
route traffic. Longest prefix match applies. If the prefixes are the same, then the virtual private gateway
prioritizes routes as follows, from most preferred to least preferred:
Note
We do not recommend using AS PATH prepending, to ensure that both tunnels have equal
AS PATH. This helps to ensure that the multi-exit discriminator (MED) value that we set on a
tunnel during VPN tunnel endpoint updates (p. 16) is used to determine tunnel priority.
• When the AS PATHs are the same length and if the first AS in the AS_SEQUENCE is the same across
multiple paths, multi-exit discriminators (MEDs) are compared. The path with the lowest MED value is
preferred.
Route priority is affected during VPN tunnel endpoint updates (p. 16).
On a Site-to-Site VPN connection, AWS selects one of the two redundant tunnels as the primary egress
path. This selection may change at times, and we strongly recommend that you configure both tunnels
for high availability, and allow asymmetric routing.
For a virtual private gateway, one tunnel across all Site-to-Site VPN connections on the gateway will be
selected. To use more than one tunnel, we recommend exploring Equal Cost Multipath (ECMP), which
is supported for Site-to-Site VPN connections on a transit gateway. For more information, see Transit
gateways in Amazon VPC Transit Gateways. ECMP is not supported for Site-to-Site VPN connections on a
virtual private gateway.
For Site-to-Site VPN connections that use BGP, the primary tunnel can be identified by the multi-exit
discriminator (MED) value. We recommend advertising more specific BGP routes to influence routing
decisions.
For Site-to-Site VPN connections that use static routing, the primary tunnel can be identified by traffic
statistics or metrics.
When we perform updates on one VPN tunnel, we set a lower outbound multi-exit discriminator (MED)
value on the other tunnel. If you have configured your customer gateway device to use both tunnels,
your VPN connection uses the other (up) tunnel during the tunnel endpoint update process.
Note
To ensure that the up tunnel with the lower MED is preferred, ensure that your customer
gateway device uses the same Weight and Local Preference values for both tunnels (Weight and
Local Preference have higher priority than MED).
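As an added example (not code from the guide or from AWS), the following Python applies the comparison order described above to a prefix learned over both tunnels: Weight and Local Preference (customer device side) first, then AS PATH length, then MED. The attribute values are constructed; the lower MED stands in for the one AWS sets on the tunnel it wants preferred during an endpoint update, and a check function reports the configurations that stop that MED from being used.

```python
"""BGP tunnel preference for a prefix received over both tunnels, modelled on the
section above. Added example, not AWS code; all attribute values are constructed.
"""
from dataclasses import dataclass

AMAZON_ASN = 64512  # default Amazon-side ASN of a virtual private gateway (constructed here)


@dataclass(frozen=True)
class TunnelPath:
    tunnel: str            # "tunnel1" or "tunnel2"
    as_path: tuple         # AS_SEQUENCE as received; first element is the neighbouring AS
    med: int               # multi-exit discriminator set by the advertising side
    local_pref: int = 100  # configured on the customer gateway device
    weight: int = 0        # device-local weight, also configured on the device


def prefers(a, b):
    """True if path a is preferred over path b: Weight, then Local Preference,
    then AS PATH length, then MED, in the order the section describes."""
    if a.weight != b.weight:
        return a.weight > b.weight
    if a.local_pref != b.local_pref:
        return a.local_pref > b.local_pref
    if len(a.as_path) != len(b.as_path):
        return len(a.as_path) < len(b.as_path)
    # MEDs are compared only when the first AS in the AS_SEQUENCE is the same.
    if a.as_path[:1] == b.as_path[:1] and a.med != b.med:
        return a.med < b.med
    return False


def preferred_tunnel(paths):
    """Return the name of the tunnel that wins best-path selection."""
    best = paths[0]
    for p in paths[1:]:
        if prefers(p, best):
            best = p
    return best.tunnel


def symmetry_warnings(paths):
    """Report settings that are compared before MED and therefore override it."""
    warnings = []
    if len({p.weight for p in paths}) > 1:
        warnings.append("Weight differs between tunnels; MED will be ignored")
    if len({p.local_pref for p in paths}) > 1:
        warnings.append("Local Preference differs between tunnels; MED will be ignored")
    if len({len(p.as_path) for p in paths}) > 1:
        warnings.append("AS PATH lengths differ (prepending?); MED will be ignored")
    return warnings


# Constructed scenario: the endpoint of tunnel1 is being updated, so tunnel2
# carries the lower MED and should win.
SYMMETRIC = [
    TunnelPath("tunnel1", (AMAZON_ASN,), med=200),
    TunnelPath("tunnel2", (AMAZON_ASN,), med=100),
]

# Same scenario, but the device gives tunnel1 a higher Local Preference, so MED
# is never compared and traffic stays on the tunnel being updated.
UNEQUAL_LOCAL_PREF = [
    TunnelPath("tunnel1", (AMAZON_ASN,), med=200, local_pref=200),
    TunnelPath("tunnel2", (AMAZON_ASN,), med=100, local_pref=100),
]

# Same scenario with AS PATH prepending on the tunnel2 advertisement: the longer
# path loses before MED is compared.
PREPENDED = [
    TunnelPath("tunnel1", (AMAZON_ASN,), med=200),
    TunnelPath("tunnel2", (AMAZON_ASN, AMAZON_ASN, AMAZON_ASN), med=100),
]

if __name__ == "__main__":
    for name, paths in (("symmetric", SYMMETRIC),
                        ("unequal local pref", UNEQUAL_LOCAL_PREF),
                        ("prepended", PREPENDED)):
        print(name, "->", preferred_tunnel(paths), symmetry_warnings(paths))
```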
If you enable IPv6 for the VPN tunnels for your Site-to-Site VPN connection, each tunnel has two CIDR
blocks. One is a size /30 IPv4 CIDR block, and the other is a size /126 IPv6 CIDR block.
• IPv6 addresses are only supported for the inside IP addresses of the VPN tunnels. The outside tunnel
IP addresses for the AWS endpoints are IPv4 addresses, and the public IP address of your customer
gateway must be an IPv4 address.
• Site-to-Site VPN connections on a virtual private gateway do not support IPv6.
• You cannot enable IPv6 support for an existing Site-to-Site VPN connection.
• A Site-to-Site VPN connection cannot support both IPv4 and IPv6 traffic.
For more information about creating a VPN connection, see Create a Site-to-Site VPN
connection (p. 22).
Getting started
Use the following procedures to manually set up the AWS Site-to-Site VPN connection. You can create
a Site-to-Site VPN connection with either a virtual private gateway or a transit gateway as the target
gateway.
These procedures assume that you have a VPC with one or more subnets.
For steps to create a Site-to-Site VPN connection on a transit gateway, see Creating a transit gateway
VPN attachment (p. 103).
Prerequisites
You need the following information to set up and configure the components of a Site-to-Site VPN
connection.
Item Information
For more information, see Customer gateway options for your Site-to-Site VPN connection (p. 12).
(Optional) The ASN for the AWS side of the BGP session: You specify this when you create a virtual private gateway or transit gateway. If you do not specify a value, the default ASN applies. For more information, see Virtual private gateway (p. 3).
Create a customer gateway
If you plan to use a private certificate to authenticate your VPN, create a private certificate from a
subordinate CA using AWS Certificate Manager Private Certificate Authority. For information about
creating a private certificate, see Creating and managing a private CA in the AWS Certificate Manager
Private Certificate Authority User Guide.
Note
You must specify either an IP address, or the Amazon Resource Name of the private certificate.
• (Optional) For Name, enter a name for your customer gateway. Doing so creates a tag with a key
of Name and the value that you specify.
• For Routing, select the routing type.
• For dynamic routing, for BGP ASN, enter the Border Gateway Protocol (BGP) Autonomous System
Number (ASN).
• (Optional) For IP Address, enter the static, internet-routable IP address for your customer gateway
device. If your customer gateway is behind a NAT device that's enabled for NAT-T, use the public IP
address of the NAT device.
• (Optional) If you want to use a private certificate, for Certificate ARN, choose the Amazon
Resource Name of the private certificate.
Create a target gateway
After you create a virtual private gateway, you must attach it to your VPC.
1. In the navigation pane, choose Virtual Private Gateways, Create Virtual Private Gateway.
2. (Optional) Enter a name for your virtual private gateway. Doing so creates a tag with a key of Name
and the value that you specify.
3. For ASN, leave the default selection to use the default Amazon ASN. Otherwise, choose Custom ASN
and enter a value. For a 16-bit ASN, the value must be in the 64512 to 65534 range. For a 32-bit
ASN, the value must be in the 4200000000 to 4294967294 range.
4. Choose Create Virtual Private Gateway.
5. Select the virtual private gateway that you created, and then choose Actions, Attach to VPC.
6. Select your VPC from the list and choose Yes, Attach.
To attach a virtual private gateway to a VPC using the command line or API
Configure routing
To enable instances in your VPC to reach your customer gateway, you must configure your route table
to include the routes used by your Site-to-Site VPN connection and point them to your virtual private
gateway or transit gateway.
(Virtual private gateway) Enable route propagation in your route table
For static routing, the static IP prefixes that you specify for your VPN configuration are propagated to the
route table when the status of the Site-to-Site VPN connection is UP. Similarly, for dynamic routing, the
BGP-advertised routes from your customer gateway are propagated to the route table when the status
of the Site-to-Site VPN connection is UP.
Note
If your connection is interrupted but the VPN connection remains UP, any propagated routes
that are in your route table are not automatically removed. Keep this in mind if, for example,
you want traffic to fail over to a static route. In that case, you might have to disable route
propagation to remove the propagated routes.
1. In the navigation pane, choose Route Tables, and then select the route table that's associated with
the subnet. By default, this is the main route table for the VPC.
2. On the Route Propagation tab in the details pane, choose Edit, select the virtual private gateway
that you created in the previous procedure, and then choose Save.
Note
For static routing, if you do not enable route propagation, you must manually enter the static
routes used by your Site-to-Site VPN connection. To do this, select your route table, choose
Routes, Edit. For Destination, add the static route used by your Site-to-Site VPN connection. For
Target, select the virtual private gateway ID, and choose Save.
1. In the navigation pane, choose Route Tables, and then select the route table that's associated with
the subnet.
2. Choose Route Propagation, Edit. Clear the Propagate check box for the virtual private gateway, and
choose Save.
(Transit gateway) Add a route to your route table
If you attach a VPC to your transit gateway and you want to enable resources in the VPC to reach your
customer gateway, you must add a route to your subnet route table to point to the transit gateway.
To add rules to your security group to enable inbound SSH, RDP and ICMP access
1. In the navigation pane, choose Security Groups, and then select the default security group for the
VPC.
2. On the Inbound tab in the details pane, add rules that allow inbound SSH, RDP, and ICMP access
from your network, and then choose Save. For more information about adding inbound rules, see
Adding, removing, and updating rules in the Amazon VPC User Guide.
For more information about working with security groups using the AWS CLI, see Security groups for
your VPC in the Amazon VPC User Guide.
1. In the navigation pane, choose Site-to-Site VPN Connections, Create VPN Connection.
2. (Optional) For Name tag, enter a name for your Site-to-Site VPN connection. Doing so creates a tag
with a key of Name and the value that you specify.
3. For Target Gateway Type, choose either Virtual Private Gateway or Transit Gateway. Then, choose
the virtual private gateway or transit gateway that you created earlier.
4. For Customer Gateway ID, select the customer gateway that you created earlier.
5. Select one of the routing options based on whether your customer gateway device supports Border
Gateway Protocol (BGP):
• If your customer gateway device supports BGP, choose Dynamic (requires BGP).
• If your customer gateway device does not support BGP, choose Static. For Static IP Prefixes,
specify each IP prefix for the private network of your Site-to-Site VPN connection.
6. (Optional) For Tunnel Inside IP Version, specify whether the VPN tunnels support IPv4 or IPv6
traffic. IPv6 traffic is only supported for VPN connections on a transit gateway.
7. (Optional) For Local IPv4 Network CIDR, specify the IPv4 CIDR range on the customer gateway (on-
premises) side that is allowed to communicate over the VPN tunnels. The default is 0.0.0.0/0.
For Remote IPv4 Network CIDR, specify the IPv4 CIDR range on the AWS side that is allowed to
communicate over the VPN tunnels. The default is 0.0.0.0/0.
If you specified IPv6 for Tunnel Inside IP Version, then specify the IPv6 CIDR ranges on the
customer gateway side and AWS side that are allowed to communicate over the VPN tunnels. The
default for both ranges is ::/0.
8. (Optional) For Tunnel Options, you can specify the following information for each tunnel:
• A size /30 IPv4 CIDR block from the 169.254.0.0/16 range for the inside tunnel IPv4 addresses.
• If you specified IPv6 for Tunnel Inside IP Version, a /126 IPv6 CIDR block from the fd00::/8
range for the inside tunnel IPv6 addresses.
• The IKE pre-shared key (PSK). The following versions are supported: IKEv1 or IKEv2.
• Advanced tunnel information, which includes the following:
• Encryption algorithms for phases 1 and 2 of the IKE negotiations
• Integrity algorithms for phases 1 and 2 of the IKE negotiations
• Diffie-Hellman groups for phases 1 and 2 of the IKE negotiations
• IKE version
• Phase 1 and 2 lifetimes
• Rekey margin time
• Rekey fuzz
• Replay window size
• Dead peer detection interval
• Dead peer detection timeout action
• Startup action
For more information about these options, see Tunnel options for your Site-to-Site VPN
connection (p. 5).
9. Choose Create VPN Connection. It might take a few minutes to create the Site-to-Site VPN
connection.
Important
The configuration file is an example only and might not match your intended VPN connection
settings. For example, it specifies the minimum requirements of IKE version 1, AES128, SHA1,
and DH group 2 in most AWS Regions, and IKE version 1, AES128, SHA2, and DH group 14 in
the AWS GovCloud Regions. It also specifies pre-shared keys for authentication (p. 9). You must
modify the example configuration file to take advantage of IKE version 2, additional security
algorithms and DH groups, and private certificates.
If you specified custom tunnel options when creating or modifying your Site-to-Site VPN
connection, modify the example configuration file to match the custom settings for your
tunnels.
The file also contains the value for the outside IP address for the virtual private gateway. This
value is static unless you recreate the VPN connection in AWS.
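As an added example (not code from the guide or from AWS), the following Python checks a tunnel's options against the constraints given in step 8 above and the settings the Important note says the sample configuration file only guarantees. The option names (inside_ipv4_cidr, ike_versions, phase1_integrity, and so on) are this example's own, not API field names, and both option sets are constructed.

```python
"""Checks for per-tunnel options against the constraints described above.

Added example, not AWS code. Option names are this example's own.
"""
from ipaddress import ip_network

INSIDE_IPV4_POOL = ip_network("169.254.0.0/16")  # inside IPv4 CIDR must be a /30 from here
INSIDE_IPV6_POOL = ip_network("fd00::/8")        # inside IPv6 CIDR must be a /126 from here


def _check_inside_cidr(cidr, pool, prefixlen, label):
    """Findings for one inside CIDR: valid network, right size, taken from the pool."""
    try:
        net = ip_network(cidr)  # strict: rejects host bits set, e.g. 169.254.10.1/30
    except ValueError as exc:
        return [f"{label}: {cidr!r} is not a valid network ({exc})"]
    findings = []
    if net.prefixlen != prefixlen:
        findings.append(f"{label}: {cidr} must be a /{prefixlen}")
    if net.version != pool.version or not net.subnet_of(pool):
        findings.append(f"{label}: {cidr} must be taken from {pool}")
    return findings


def validate_tunnel_options(opts):
    """Return a list of findings; an empty list means the options pass every check."""
    findings = []
    if "inside_ipv4_cidr" in opts:
        findings += _check_inside_cidr(opts["inside_ipv4_cidr"], INSIDE_IPV4_POOL, 30,
                                       "inside IPv4 CIDR")
    if opts.get("inside_ipv6_cidr"):
        findings += _check_inside_cidr(opts["inside_ipv6_cidr"], INSIDE_IPV6_POOL, 126,
                                       "inside IPv6 CIDR")

    # The sample configuration file only guarantees IKEv1, SHA1 and DH group 2 in
    # most Regions; flag them so the file gets adjusted as the note above says.
    if "ikev1" in opts.get("ike_versions", []):
        findings.append("IKE versions: IKEv1 is allowed; restrict to ikev2")
    for phase in ("phase1", "phase2"):
        if "SHA1" in opts.get(f"{phase}_integrity", []):
            findings.append(f"{phase} integrity: SHA1 is allowed; use a SHA2 algorithm")
        if 2 in opts.get(f"{phase}_dh_groups", []):
            findings.append(f"{phase} DH groups: group 2 is allowed; use group 14 or higher")
    return findings


# Constructed: the minimum settings the sample configuration file uses in most Regions.
SAMPLE_FILE_MINIMUM = {
    "inside_ipv4_cidr": "169.254.10.0/30",
    "ike_versions": ["ikev1"],
    "phase1_encryption": ["AES128"], "phase1_integrity": ["SHA1"], "phase1_dh_groups": [2],
    "phase2_encryption": ["AES128"], "phase2_integrity": ["SHA1"], "phase2_dh_groups": [2],
}

# Constructed: the same tunnel after the adjustments the note above calls for.
HARDENED = {
    "inside_ipv4_cidr": "169.254.10.0/30",
    "inside_ipv6_cidr": "fd00:2001:db8::/126",  # only used when Tunnel Inside IP Version is IPv6
    "ike_versions": ["ikev2"],
    "phase1_encryption": ["AES256"], "phase1_integrity": ["SHA2-256"], "phase1_dh_groups": [14],
    "phase2_encryption": ["AES256"], "phase2_integrity": ["SHA2-256"], "phase2_dh_groups": [14],
}

if __name__ == "__main__":
    for name, opts in (("sample file minimum", SAMPLE_FILE_MINIMUM), ("hardened", HARDENED)):
        print(name, "->", validate_tunnel_options(opts) or "ok")
```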
• the section called “Single and multiple connection examples” (p. 25)
• the section called “Using redundant Site-to-Site VPN connections to provide failover” (p. 29)
• the section called “AWS VPN CloudHub” (p. 27)
For steps to set up this scenario, see Getting started (p. 18).
Multiple Site-to-Site VPN connections
For steps to set up this scenario, see Getting started (p. 18).
You can also use this scenario to create Site-to-Site VPN connections to multiple geographic locations
and provide secure communication between sites. For more information, see Providing secure
communication between sites using VPN CloudHub (p. 27).
When you create multiple Site-to-Site VPN connections to a single VPC, you can configure a second
customer gateway to create a redundant connection to the same external location. For more
information, see Using redundant Site-to-Site VPN connections to provide failover (p. 29).
You can also use this scenario to create Site-to-Site VPN connections to multiple geographic locations
and provide secure communication between sites.
When you create multiple Site-to-Site VPN connections to a single transit gateway, you can configure a
second customer gateway to create a redundant connection to the same external location.
connections and would like to implement a convenient, potentially low-cost hub-and-spoke model for
primary or backup connectivity between these remote offices.
Overview
The following diagram shows the VPN CloudHub architecture, with blue dashed lines indicating network
traffic between remote sites being routed over their Site-to-Site VPN connections.
Sites that use AWS Direct Connect connections to the virtual private gateway can also be part of the
AWS VPN CloudHub. For example, your corporate headquarters in New York can have an AWS Direct
Connect connection to the VPC and your branch offices can use Site-to-Site VPN connections to the VPC.
The branch offices in Los Angeles and Miami can send and receive data with each other and with your
corporate headquarters, all using the AWS VPN CloudHub.
Pricing
To use AWS VPN CloudHub, you pay typical Amazon VPC Site-to-Site VPN connection rates. You are
billed the connection rate for each hour that each VPN is connected to the virtual private gateway. When
you send data from one site to another using the AWS VPN CloudHub, there is no cost to send data from
your site to the virtual private gateway. You only pay standard AWS data transfer rates for data that is
relayed from the virtual private gateway to your endpoint.
For example, if you have a site in Los Angeles and a second site in New York and both sites have a Site-
to-Site VPN connection to the virtual private gateway, you pay the per hour rate for each Site-to-Site
VPN connection (so if the rate was $.05 per hour, it would be a total of $.10 per hour). You also pay
the standard AWS data transfer rates for all data that you send from Los Angeles to New York (and
vice versa) that traverses each Site-to-Site VPN connection. Network traffic sent over the Site-to-Site
VPN connection to the virtual private gateway is free but network traffic sent over the Site-to-Site VPN
connection from the virtual private gateway to the endpoint is billed at the standard AWS data transfer
rate.
Using redundant Site-to-Site VPN connections to provide failover
The following diagram shows the two tunnels of each Site-to-Site VPN connection and two customer
gateways.
• Set up a second Site-to-Site VPN connection by using the same virtual private gateway and creating a
new customer gateway. The customer gateway IP address for the second Site-to-Site VPN connection
must be publicly accessible.
• Configure a second customer gateway device. Both devices should advertise the same IP ranges to the
virtual private gateway. We use BGP routing to determine the path for traffic. If one customer gateway
device fails, the virtual private gateway directs all traffic to the working customer gateway device.
Dynamically routed Site-to-Site VPN connections use the Border Gateway Protocol (BGP) to exchange
routing information between your customer gateways and the virtual private gateways. Statically routed
Site-to-Site VPN connections require you to enter static routes for the remote network on your side of
the customer gateway. BGP-advertised and statically entered route information allow gateways on both
sides to determine which tunnels are available and reroute traffic if a failure occurs. We recommend that
you configure your network to use the routing information provided by BGP (if available) to select an
available path. The exact configuration depends on the architecture of your network.
For more information about creating and configuring a customer gateway and a Site-to-Site VPN
connection, see Getting started (p. 18).
The following diagram shows your network, the customer gateway device, the VPN connection that
goes to a virtual private gateway (which is attached to your VPC). The two lines between the customer
gateway device and virtual private gateway represent the tunnels for the VPN connection. If there's
a device failure within AWS, your VPN connection automatically fails over to the second tunnel so
that your access isn't interrupted. From time to time, AWS also performs routine maintenance on the
VPN connection which might briefly disable one of the two tunnels of your VPN connection. For more
information, see Site-to-Site VPN tunnel endpoint replacements (p. 11). When you configure your
customer gateway device, it's therefore important that you configure both tunnels.
For the steps to set up a VPN connection, see Getting started (p. 18). During this process, you create a
customer gateway resource in AWS, which provides information to AWS about your device, for example,
its public-facing IP address. For more information, see Customer gateway options for your Site-to-
Site VPN connection (p. 12). The customer gateway resource in AWS does not configure or create the
customer gateway device. You must configure the device yourself.
After you create the VPN connection, download the configuration file (p. 23) from the Amazon VPC
console, which contains information specific to your VPN connection. Use this information to configure
your customer gateway device. In some cases, device-specific configuration files are available for devices
that we've tested. Otherwise, you can download the generic configuration file.
Example configuration files
If you have one of these devices, but configure it for IPsec in a different way than presented in the
configuration file, you can change our suggested configuration to match your needs. You can get sample
configuration files from either of the following:
• Static configuration: the section called “Example configuration files” (p. 40)
• Dynamic configuration: the section called “Example configuration files” (p. 51)
You can also find software VPN appliances on the AWS Marketplace.
There are four main parts to the configuration of your customer gateway device. The following symbols
represent each part of the configuration.
Internet key exchange (IKE) security association. This is required to exchange keys used to
establish the IPsec security association.
IPsec security association. This handles the tunnel's encryption, authentication, and so
on.
Tunnel interface. This receives traffic going to and from the tunnel.
(Optional) Border Gateway Protocol (BGP) peering. For devices that use BGP, this
exchanges routes between the customer gateway device and the virtual private gateway.
Requirements for your customer gateway device
The following table lists the requirements for the customer gateway device, the related RFC (for
reference), and comments about the requirements.
Each VPN connection consists of two separate tunnels. Each tunnel contains an IKE security association,
an IPsec security association, and a BGP peering. You are limited to one unique security association
(SA) pair per tunnel (one inbound and one outbound), and therefore two unique SA pairs in total for
two tunnels (four SAs). Some devices use a policy-based VPN and create as many SAs as ACL entries.
Therefore, you might need to consolidate your rules and then filter so that you don't permit unwanted
traffic.
By default, the VPN tunnel comes up when traffic is generated and the IKE negotiation is initiated from
your side of the VPN connection. You can configure the VPN connection to initiate the IKE negotiation
from the AWS side of the connection instead. For more information, see Site-to-Site VPN tunnel
initiation options (p. 10).
VPN endpoints support rekey and can start renegotiations when phase 1 is about to expire if the
customer gateway device hasn't sent any renegotiation traffic.
Establish IKE security association (RFC 2409, RFC 7296): The IKE security association is established first between the virtual private gateway and the customer gateway device using a pre-shared key or a private certificate that uses AWS Certificate Manager Private Certificate Authority as the authenticator. When established, IKE negotiates an ephemeral key to secure future IKE messages. There must be complete agreement among the parameters, including encryption and authentication parameters.
Establish IPsec security associations in Tunnel mode (RFC 4301): Using the IKE ephemeral key, keys are established between the virtual private gateway and the customer gateway device to form an IPsec security association (SA). Traffic between gateways is encrypted and decrypted using this SA. The ephemeral keys used to encrypt traffic
Use the AES 128-bit encryption or AES 256-bit encryption function (RFC 3602): The encryption function is used to ensure privacy for both IKE and IPsec security associations.
Use the SHA-1 or SHA-2 (256) hashing function (RFC 2404): This hashing function is used to authenticate both IKE and IPsec security associations.
Use Diffie-Hellman Perfect Forward Secrecy (RFC 2409): IKE uses Diffie-Hellman to establish ephemeral keys to secure all communication between customer gateway devices and virtual private gateways.
Fragment IP packets before encryption (RFC 4459): When packets are too large to be transmitted, they must be fragmented. We do not reassemble fragmented encrypted packets. Therefore, your VPN device must fragment packets before encapsulating with the VPN headers. The fragments are individually transmitted to the remote host, which reassembles them.
(Dynamically-routed VPN connections) Use IPsec Dead Peer Detection (RFC 3706): Dead Peer Detection enables the VPN devices to rapidly identify when a network condition prevents delivery of packets across the internet. When this occurs, the gateways delete the security associations and attempt to create new associations. During this process, the alternate IPsec tunnel is used if possible.
(Dynamically-routed VPN connections) Bind tunnel to logical interface (route-based VPN) (RFC: none): Your device must be able to bind the IPsec tunnel to a logical interface. The logical interface contains an IP address that is used to establish BGP peering to the virtual private gateway. This logical interface should perform no additional encapsulation (for example, GRE or IP in IP). Your interface should be set to a 1399 byte Maximum Transmission Unit (MTU).
(Dynamically-routed VPN connections) Establish BGP peerings (RFC 4271): BGP is used to exchange routes between the customer gateway device and the virtual private gateway for devices that use BGP. All BGP traffic is encrypted and transmitted via the IPsec Security Association. BGP is required for both gateways to exchange the IP prefixes that are reachable through the IPsec SA.
Because the connection encapsulates packets with additional network headers (including IPsec), the
amount of data that can be transmitted in a single packet is reduced. We recommend that you use the
techniques listed in the following table to help you to minimize problems related to the amount of data
that can be transmitted through the IPsec tunnel.
Adjust the maximum segment size (MSS) of TCP packets entering the VPN tunnel (RFC 4459): TCP packets are often the most common type of packet across IPsec tunnels. Some gateways can change the TCP maximum segment size (MSS) parameter. This causes the TCP endpoints (clients, servers) to reduce the amount of data sent with each packet. This is an ideal approach, as the packets arriving at the VPN devices are small enough to be encapsulated and transmitted.
Reset the "Don't Fragment" flag on packets (RFC 791): Some packets carry a flag, known as the Don't Fragment (DF) flag, which indicates that the packet should not be fragmented. If the packets carry the flag, the gateways generate an ICMP Path MTU Exceeded message. In some cases, applications do not contain adequate mechanisms for processing these ICMP messages and for reducing the amount of data transmitted in each packet. Some VPN devices can override the DF flag and fragment packets unconditionally as required. If your customer gateway device has this ability, we recommend that you use it as appropriate.
An AWS VPN connection does not support Path MTU Discovery (RFC 1191).
If you have a firewall between your customer gateway device and the internet, see Configuring a firewall
between the internet and your customer gateway device (p. 37).
Configuring a firewall between the internet and your customer gateway device
Input rule I1: Protocol UDP, Destination 500
Input rule I2: Protocol UDP
Input rule I3: Protocol IP 50 (ESP)
Input rule I4: Protocol IP 50 (ESP)
Output rule O1: Protocol UDP
Output rule O2: Protocol UDP
Output rule O3: Protocol IP 50 (ESP)
Output rule O4: Protocol IP 50 (ESP)
Rules I1, I2, O1, and O2 enable the transmission of IKE packets. Rules I3, I4, O3, and O4 enable the
transmission of IPsec packets that contain the encrypted network traffic.
If you are using NAT traversal (NAT-T) on your device, you must include rules that allow UDP access over
port 4500. Check if your device is advertising NAT-T.
You can create additional VPN connections from your on-premises location to other VPCs using the same
customer gateway device. You can reuse the same customer gateway IP address for each of those VPN
connections.
To protect against a loss of connectivity if your customer gateway device becomes unavailable, you can
set up a second VPN connection using a second customer gateway device. For more information, see
Using redundant Site-to-Site VPN connections to provide failover (p. 29). When you establish redundant
customer gateway devices at a single location, both devices should advertise the same IP ranges.
Multiple customer gateway devices to a single virtual private gateway (AWS VPN CloudHub)
You can establish multiple VPN connections to a single virtual private gateway from multiple customer
gateway devices. This enables you to have multiple locations connected to the AWS VPN CloudHub. For
more information, see Providing secure communication between sites using VPN CloudHub (p. 27). When
you have customer gateway devices at multiple geographic locations, each device should advertise a
unique set of IP ranges specific to the location.
When you create multiple VPN connections, the virtual private gateway sends network traffic to the
appropriate VPN connection using statically assigned routes or BGP route advertisements. Which route
depends on how the VPN connection was configured. Statically assigned routes are preferred over BGP
advertised routes in cases where identical routes exist in the virtual private gateway. If you select the
option to use BGP advertisement, then you cannot specify static routes.
For more information about route priority, see Route tables and VPN route priority (p. 15).
Example configuration files
The files use placeholder values for some components. For example, they use:
• Example values for the VPN connection ID and virtual private gateway ID
• Placeholders for the remote (outside) IP address AWS endpoints (AWS_ENDPOINT_1 and
AWS_ENDPOINT_2)
• A placeholder for the IP address for the internet-routable external interface on the customer gateway
device (your-cgw-ip-address)
• Example values for the tunnel inside IP addresses.
In addition to providing placeholder values, the files specify the minimum requirements of IKE
version 1, AES128, SHA1, and DH Group 2 in most AWS Regions. They also specify pre-shared keys for
authentication (p. 9). You must modify the example configuration files to take advantage of IKE version
2, AES256, SHA256, other DH groups such as 2, 14-18, 22, 23, and 24, and private certificates.
The following diagram provides an overview of the different components that are configured on the
customer gateway device. It includes example values for the tunnel interface IP addresses.
To download a configuration file with values that are specific to your VPN connection configuration, use
the Amazon VPC console. For more information, see Download the configuration file (p. 23).
User interface procedures for static routing
Check Point
The following are steps for configuring your customer gateway device if your device is a Check Point
Security Gateway device running R77.10 or above, using the Gaia operating system and Check Point
SmartDashboard. You can also refer to the Check Point Security Gateway IPsec VPN to Amazon Web
Services VPC article on the Check Point Support Center.
The first step is to create the VPN tunnels and provide the private (inside) IP addresses of the
customer gateway and virtual private gateway for each tunnel. To create the first tunnel, use the
information provided under the IPSec Tunnel #1 section of the configuration file. To create the
second tunnel, use the values provided in the IPSec Tunnel #2 section of the configuration file.
1. Open the Gaia portal of your Check Point Security Gateway device.
2. Choose Network Interfaces, Add, VPN tunnel.
3. In the dialog box, configure the settings as follows, and choose OK when you are done:
4. Connect to your security gateway over SSH. If you're using the non-default shell, change to clish
by running the following command: clish
6. Repeat these steps to create a second tunnel, using the information under the IPSec Tunnel
#2 section of the configuration file.
In this step, specify the static route to the subnet in the VPC for each tunnel to enable you to send
traffic over the tunnel interfaces. The second tunnel enables failover in case there is an issue with
the first tunnel. If an issue is detected, the policy-based static route is removed from the routing
table, and the second route is activated. You must also enable the Check Point gateway to ping the
other end of the tunnel to check if the tunnel is up.
7. Choose Save.
If you're using a cluster, repeat the preceding steps for the other members of the cluster.
In this step, you create a network object for each VPN tunnel, specifying the public (outside) IP
addresses for the virtual private gateway. You later add these network objects as satellite gateways
for your VPN community. You also need to create an empty group to act as a placeholder for the
VPN domain.
4. For Name, enter the name that you provided for your tunnel, for example, AWS_VPC_Tunnel_1
or AWS_VPC_Tunnel_2.
5. For IPv4 Address, enter the outside IP address of the virtual private gateway provided in the
configuration file, for example, 54.84.169.196. Save your settings and close the dialog box.
6. In the SmartDashboard, open your gateway properties and in the category pane, choose
Topology.
7. To retrieve the interface configuration, choose Get Topology.
8. In the VPN Domain section, choose Manually defined, and then browse to and select the empty
simple group that you created in step 2. Choose OK.
Note
You can keep any existing VPN domain that you've configured. However, ensure that
the hosts and networks that are used or served by the new VPN connection are not
declared in that VPN domain, especially if the VPN domain is automatically derived.
9. Repeat these steps to create a second network object, using the information under the IPSec
Tunnel #2 section of the configuration file.
Note
If you're using clusters, edit the topology and define the interfaces as cluster interfaces. Use
the IP addresses that are specified in the configuration file.
To create and configure the VPN community, IKE, and IPsec settings
In this step, you create a VPN community on your Check Point gateway, to which you add the
network objects (interoperable devices) for each tunnel. You also configure the Internet Key
Exchange (IKE) and IPsec settings.
1. From your gateway properties, choose IPSec VPN in the category pane.
2. Choose Communities, New, Star Community.
3. Provide a name for your community (for example, AWS_VPN_Star), and then choose Center
Gateways in the category pane.
4. Choose Add, and add your gateway or cluster to the list of participant gateways.
5. In the category pane, choose Satellite Gateways, Add, and then add the interoperable
devices that you created earlier (AWS_VPC_Tunnel_1 and AWS_VPC_Tunnel_2) to the list of
participant gateways.
6. In the category pane, choose Encryption. In the Encryption Method section, choose IKEv1 only.
In the Encryption Suite section, choose Custom, Custom Encryption.
7. In the dialog box, configure the encryption properties as follows, and choose OK when you're
done:
12. Still in the Advanced Settings category, choose Advanced VPN Properties, configure the
properties as follows, and then choose OK when you're done:
In this step, you configure a policy with firewall rules and directional match rules that allow
communication between the VPC and the local network. You then install the policy on your gateway.
1. In the SmartDashboard, choose Global Properties for your gateway. In the category pane,
expand VPN, and choose Advanced.
2. Choose Enable VPN Directional Match in VPN Column, and save your changes.
3. In the SmartDashboard, choose Firewall, and create a policy with the following rules:
• Allow the VPC subnet to communicate with the local network over the required protocols.
• Allow the local network to communicate with the VPC subnet over the required protocols.
4. Open the context menu for the cell in the VPN column, and choose Edit Cell.
5. In the VPN Match Conditions dialog box, choose Match traffic in this direction only. Create the
following directional match rules by choosing Add for each, and choose OK when you're done:
• internal_clear > VPN community (The VPN star community that you created earlier, for
example, AWS_VPN_Star)
• VPN community > VPN community
• VPN community > internal_clear
6. In the SmartDashboard, choose Policy, Install.
7. In the dialog box, choose your gateway and choose OK to install the policy.
Your Check Point gateway can use Dead Peer Detection (DPD) to identify when an IKE association is
down. To configure DPD for a permanent tunnel, the permanent tunnel must be configured in the
AWS VPN community (refer to Step 8).
You can update the tunnel_keepalive_method property using the GuiDBedit tool.
1. Open the Check Point SmartDashboard, and choose Security Management Server, Domain
Management Server.
2. Choose File, Database Revision Control... and create a revision snapshot.
3. Close all SmartConsole windows, such as the SmartDashboard, SmartView Tracker, and
SmartView Monitor.
4. Start the GuiDBedit tool. For more information, see the Check Point Database Tool article on the
Check Point Support Center.
5. Choose Security Management Server, Domain Management Server.
6. In the upper left pane, choose Table, Network Objects, network_objects.
7. In the upper right pane, select the relevant Security Gateway, Cluster object.
8. Press CTRL+F, or use the Search menu to search for the following:
tunnel_keepalive_method.
9. In the lower pane, open the context menu for tunnel_keepalive_method, and choose Edit....
Choose dpd and then choose OK.
10. Repeat steps 7 through 9 for each gateway that's part of the AWS VPN Community.
11. Choose File, Save All.
12. Close the GuiDBedit tool.
13. Open the Check Point SmartDashboard, and choose Security Management Server, Domain
Management Server.
14. Install the policy on the relevant Security Gateway, Cluster object.
For more information, see the New VPN features in R77.10 article on the Check Point Support
Center.
TCP MSS clamping reduces the maximum segment size of TCP packets to prevent packet
fragmentation.
You can verify the tunnel status by running the following command from the command line tool in
expert mode.
vpn tunnelutil
In the options that display, choose 1 to verify the IKE associations and 2 to verify the IPsec
associations.
You can also use the Check Point Smart Tracker Log to verify that packets over the connection are
being encrypted. For example, the following log indicates that a packet to the VPC was sent over
tunnel 1 and was encrypted.
SonicWALL
The following procedure demonstrates how to configure the VPN tunnels on the SonicWALL device
using the SonicOS management interface.
• Shared Secret: Enter the pre-shared key as provided in the configuration file, and enter it
again in Confirm Shared Secret.
• Local IKE ID: Enter the IPv4 address of the customer gateway (the SonicWALL device).
• Peer IKE ID: Enter the IPv4 address of the virtual private gateway (AWS endpoint).
4. On the Network tab, complete the following information:
• Under Local Networks, choose Any address. We recommend this option to prevent
connectivity issues from your local network.
• Under Remote Networks, choose Choose a destination network from list. Create an address
object with the CIDR of your VPC in AWS.
5. On the Proposals tab, complete the following information:
Important
If you created your virtual private gateway before October 2015, you must specify
Diffie-Hellman group 2, AES-128, and SHA1 for both phases.
6. On the Advanced tab, complete the following information:
Additional information for Cisco devices
Cisco ASAs from version 9.7.1 and later support Active/Active mode. When you use these Cisco ASAs,
you can have both tunnels active at the same time. With this redundancy, you should always have
connectivity to your VPC through one of the tunnels.
Testing
For more information about testing your Site-to-Site VPN connection, see Testing the Site-to-Site VPN
connection (p. 104).
Example configuration files
The files use placeholder values for some components. For example, they use:
• Example values for the VPN connection ID and virtual private gateway ID
• Placeholders for the remote (outside) IP address AWS endpoints (AWS_ENDPOINT_1 and
AWS_ENDPOINT_2)
• Placeholders for the IP address for the internet-routable external interface on the customer gateway
device (your-cgw-ip-address), and the BGP ASN.
• Example values for the tunnel inside IP addresses.
In addition to providing placeholder values, the files specify the minimum requirements of IKE
version 1, AES128, SHA1, and DH Group 2 in most AWS Regions. They also specify pre-shared keys for
authentication (p. 9). You must modify the example configuration files to take advantage of IKE version
2, AES256, SHA256, other DH groups such as 2, 14-18, 22, 23, and 24, and private certificates.
The following diagram provides an overview of the different components that are configured on the
customer gateway device. It includes example values for the tunnel interface IP addresses.
To download a configuration file with values that are specific to your VPN connection configuration, you
must use the Amazon VPC console. For more information, see Download the configuration file (p. 23).
User interface procedures for dynamic routing
Check Point
The following are steps for configuring a Check Point Security Gateway device running R77.10
or above, using the Gaia web portal and Check Point SmartDashboard. You can also refer to the
Amazon Web Services (AWS) VPN BGP article on the Check Point Support Center.
The first step is to create the VPN tunnels and provide the private (inside) IP addresses of the
customer gateway and virtual private gateway for each tunnel. To create the first tunnel, use the
information provided under the IPSec Tunnel #1 section of the configuration file. To create the
second tunnel, use the values provided in the IPSec Tunnel #2 section of the configuration file.
1. Connect to your security gateway over SSH. If you're using the non-default shell, change to clish
by running the following command: clish
2. Set the customer gateway ASN (the ASN that was provided when the customer gateway was
created in AWS) by running the following command.
set as 65000
3. Create the tunnel interface for the first tunnel, using the information provided under the IPSec
Tunnel #1 section of the configuration file. Provide a unique name for your tunnel, such as
AWS_VPC_Tunnel_1.
4. Repeat these commands to create the second tunnel, using the information provided under the
IPSec Tunnel #2 section of the configuration file. Provide a unique name for your tunnel,
such as AWS_VPC_Tunnel_2.
6. Configure the BGP for the first tunnel, using the information provided under the IPSec Tunnel #1
section of the configuration file.
7. Configure the BGP for the second tunnel, using the information provided under the IPSec Tunnel #2
section of the configuration file.
save config
Next, create a BGP policy that allows the import of routes that are advertised by AWS. Then,
configure your customer gateway to advertise its local routes to AWS.
1. In the Gaia WebUI, choose Advanced Routing, Inbound Route Filters. Choose Add, and select
Add BGP Policy (Based on AS).
2. For Add BGP Policy, select a value between 512 and 1024 in the first field, and enter the virtual
private gateway ASN in the second field (for example, 7224).
3. Choose Save.
The following steps are for distributing local interface routes. You can also redistribute routes from
different sources (for example, static routes, or routes obtained through dynamic routing protocols).
For more information, see the Gaia Advanced Routing R77 Versions Administration Guide.
1. In the Gaia WebUI, choose Advanced Routing, Routing Redistribution. Choose Add
Redistribution From and then select Interface.
2. For To Protocol, select the virtual private gateway ASN (for example, 7224).
3. For Interface, select an internal interface. Choose Save.
Next, create a network object for each VPN tunnel, specifying the public (outside) IP addresses for
the virtual private gateway. You later add these network objects as satellite gateways for your VPN
community. You also need to create an empty group to act as a placeholder for the VPN domain.
Note
If you're using clusters, edit the topology and define the interfaces as cluster interfaces. Use
the IP addresses that are specified in the configuration file.
To create and configure the VPN community, IKE, and IPsec settings
Next, create a VPN community on your Check Point gateway, to which you add the network objects
(interoperable devices) for each tunnel. You also configure the Internet Key Exchange (IKE) and IPsec
settings.
1. From your gateway properties, choose IPSec VPN in the category pane.
2. Choose Communities, New, Star Community.
3. Provide a name for your community (for example, AWS_VPN_Star), and then choose Center
Gateways in the category pane.
4. Choose Add, and add your gateway or cluster to the list of participant gateways.
5. In the category pane, choose Satellite Gateways, Add, and add the interoperable devices that
you created earlier (AWS_VPC_Tunnel_1 and AWS_VPC_Tunnel_2) to the list of participant
gateways.
6. In the category pane, choose Encryption. In the Encryption Method section, choose IKEv1 for
IPv4 and IKEv2 for IPv6. In the Encryption Suite section, choose Custom, Custom Encryption.
Note
You must select the IKEv1 for IPv4 and IKEv2 for IPv6 option for IKEv1 functionality.
7. In the dialog box, configure the encryption properties as follows, and then choose OK when
you're done:
12. Still in the Advanced Settings category, choose Advanced VPN Properties, configure the
properties as follows, and then choose OK when you're done:
Next, configure a policy with firewall rules and directional match rules that allow communication
between the VPC and the local network. You then install the policy on your gateway.
1. In the SmartDashboard, choose Global Properties for your gateway. In the category pane,
expand VPN, and choose Advanced.
2. Choose Enable VPN Directional Match in VPN Column, and choose OK.
3. In the SmartDashboard, choose Firewall, and create a policy with the following rules:
• Allow the VPC subnet to communicate with the local network over the required protocols.
• Allow the local network to communicate with the VPC subnet over the required protocols.
4. Open the context menu for the cell in the VPN column, and choose Edit Cell.
5. In the VPN Match Conditions dialog box, choose Match traffic in this direction only. Create the
following directional match rules by choosing Add for each, and then choose OK when you're
done:
• internal_clear > VPN community (The VPN star community that you created earlier, for
example, AWS_VPN_Star)
• VPN community > VPN community
• VPN community > internal_clear
6. In the SmartDashboard, choose Policy, Install.
7. In the dialog box, choose your gateway and choose OK to install the policy.
Your Check Point gateway can use Dead Peer Detection (DPD) to identify when an IKE association is
down. To configure DPD for a permanent tunnel, the permanent tunnel must be configured in the
AWS VPN community.
You can update the tunnel_keepalive_method property using the GuiDBedit tool.
1. Open the Check Point SmartDashboard, and choose Security Management Server, Domain
Management Server.
2. Choose File, Database Revision Control... and create a revision snapshot.
3. Close all SmartConsole windows, such as the SmartDashboard, SmartView Tracker, and
SmartView Monitor.
4. Start the GuiDBedit tool. For more information, see the Check Point Database Tool article on the
Check Point Support Center.
For more information, see the New VPN features in R77.10 article on the Check Point Support
Center.
TCP MSS clamping reduces the maximum segment size of TCP packets to prevent packet
fragmentation.
You can verify the tunnel status by running the following command from the command line tool in
expert mode.
vpn tunnelutil
In the options that display, choose 1 to verify the IKE associations and 2 to verify the IPsec
associations.
You can also use the Check Point Smart Tracker Log to verify that packets over the connection are
being encrypted. For example, the following log indicates that a packet to the VPC was sent over
tunnel 1 and was encrypted.
SonicWALL
You can configure a SonicWALL device using the SonicOS management interface. For
more information about configuring the tunnels, see User interface procedures for static
routing (p. 41).
You cannot configure BGP for the device using the management interface. Instead, use the
command line instructions provided in the example configuration file, under the section named BGP.
Additional information for Cisco devices
Cisco ASAs from version 9.7.1 and later support Active/Active mode. When you use these Cisco ASAs,
you can have both tunnels active at the same time. With this redundancy, you should always have
connectivity to your VPC through one of the tunnels.
Testing
For more information about testing your Site-to-Site VPN connection, see Testing the Site-to-Site VPN
connection (p. 104).
Topics
• Configuring your Windows instance (p. 62)
• Step 1: Create a VPN connection and configure your VPC (p. 62)
• Step 2: Download the configuration file for the VPN connection (p. 63)
• Step 3: Configure the Windows Server (p. 64)
• Step 4: Set up the VPN tunnel (p. 65)
• Step 5: Enable dead gateway detection (p. 71)
• Step 6: Test the VPN connection (p. 71)
Configuring your Windows instance
Take note of the CIDR range of the network in which your Windows instance is located, for example,
172.31.0.0/16.
1. Create a virtual private gateway and attach it to your VPC. For more information, see Create a virtual
private gateway (p. 20).
2. Create a VPN connection and new customer gateway. For the customer gateway, specify the public IP
address of your Windows Server. For the VPN connection, choose static routing, and then enter the
CIDR range for your network in which the Windows Server is located, for example, 172.31.0.0/16.
For more information, see Create a Site-to-Site VPN connection (p. 22).
After you create the VPN connection, configure the VPC to enable communication over the VPN
connection.
• Create a private subnet in your VPC (if you don't have one already) for launching instances to
communicate with the Windows Server. For more information, see Creating a subnet in your VPC.
Note
A private subnet is a subnet that does not have a route to an internet gateway. The routing for
this subnet is described in the next item.
Step 2: Download the configuration file for the VPN connection
The configuration file contains a section of information similar to the following example. You see this
information presented twice, one time for each tunnel.
vgw-1a2b3c4d Tunnel1
--------------------------------------------------------------------
Local Tunnel Endpoint: 203.0.113.1
Remote Tunnel Endpoint: 203.83.222.237
Endpoint 1: [Your_Static_Route_IP_Prefix]
Endpoint 2: [Your_VPC_CIDR_Block]
Preshared key: xCjNLsLoCmKsakwcdoR9yX6GsEXAMPLE
Local Tunnel Endpoint
The IP address for the customer gateway—in this case, your Windows Server—that terminates the
VPN connection on your network's side. If your customer gateway device is an EC2 instance, this is
the instance's private IP address.
Remote Tunnel Endpoint
One of two IP addresses for the virtual private gateway that terminates the VPN connection on the
AWS side of the connection.
Endpoint 1
The IP prefix that you specified as a static route when you created the VPN connection. These are the
IP addresses in your network that are allowed to use the VPN connection to access your VPC.
Endpoint 2
The IP address range (CIDR block) of the VPC that is attached to the virtual private gateway (for
example 10.0.0.0/16).
Preshared key
The pre-shared key that is used to establish the IPsec VPN connection between Local Tunnel
Endpoint and Remote Tunnel Endpoint.
We suggest that you configure both tunnels as part of the VPN connection. Each tunnel connects to a
separate VPN concentrator on the Amazon side of the VPN connection. Although only one tunnel at
a time is up, the second tunnel automatically establishes itself if the first tunnel goes down. Having
redundant tunnels ensures continuous availability in the case of a device failure. Because only one tunnel
is available at a time, the Amazon VPC console indicates that one tunnel is down. This is expected
behavior, so there's no action required from you.
With two tunnels configured, if a device failure occurs within AWS, your VPN connection automatically
fails over to the second tunnel of the virtual private gateway within a matter of minutes. When you
configure your customer gateway device, it's important that you configure both tunnels.
Note
From time to time, AWS performs routine maintenance on the virtual private gateway. This
maintenance might disable one of the two tunnels of your VPN connection for a brief period of
time. Your VPN connection automatically fails over to the second tunnel while we perform this
maintenance.
Additional information regarding the Internet Key Exchange (IKE) and IPsec Security Associations (SA) is
presented in the downloaded configuration file.
MainModeSecMethods: DHGroup2-AES128-SHA1
MainModeKeyLifetime: 480min,0sess
QuickModeSecMethods: ESP:SHA1-AES128+60min+100000kb
QuickModePFS: DHGroup2
MainModeSecMethods
The encryption and authentication algorithms for the IKE SA. These are the suggested settings for
the VPN connection, and are the default settings for Windows Server IPsec VPN connections.
MainModeKeyLifetime
The IKE SA key lifetime. This is the suggested setting for the VPN connection, and is the default
setting for Windows Server IPsec VPN connections.
QuickModeSecMethods
The encryption and authentication algorithms for the IPsec SA. These are the suggested settings for
the VPN connection, and are the default settings for Windows Server IPsec VPN connections.
QuickModePFS
We suggest that you use master key perfect forward secrecy (PFS) for your IPsec sessions.
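As an added example that is not part of the AWS guide, the following Python parses the per-tunnel block shown earlier in this step and the IKE/IPsec lines above, and lists what still blocks using the file (a missing tunnel block, a missing field, an unreplaced [placeholder], or the sample pre-shared key). The sample is constructed: Tunnel1 uses the values on this page, Tunnel2 uses an assumed remote endpoint (198.51.100.77) and still carries its placeholders.

```python
"""Parser and pre-flight check for the downloaded configuration file (added example, not from the guide)."""
import re

# Constructed sample in the layout the guide shows: one block per tunnel, then the SA settings.
SAMPLE_CONFIG = """\
vgw-1a2b3c4d Tunnel1
--------------------------------------------------------------------
Local Tunnel Endpoint: 203.0.113.1
Remote Tunnel Endpoint: 203.83.222.237
Endpoint 1: 172.31.0.0/16
Endpoint 2: 10.0.0.0/16
Preshared key: xCjNLsLoCmKsakwcdoR9yX6GsEXAMPLE

vgw-1a2b3c4d Tunnel2
--------------------------------------------------------------------
Local Tunnel Endpoint: 203.0.113.1
Remote Tunnel Endpoint: 198.51.100.77
Endpoint 1: [Your_Static_Route_IP_Prefix]
Endpoint 2: [Your_VPC_CIDR_Block]
Preshared key: xCjNLsLoCmKsakwcdoR9yX6GsEXAMPLE

MainModeSecMethods: DHGroup2-AES128-SHA1
MainModeKeyLifetime: 480min,0sess
QuickModeSecMethods: ESP:SHA1-AES128+60min+100000kb
QuickModePFS: DHGroup2
"""

TUNNEL_HEADER = re.compile(r"^(vgw-[0-9a-f]+) (Tunnel\d+)\s*$")
KEY_VALUE = re.compile(r"^([A-Za-z][A-Za-z0-9 ]*?):\s*(.*?)\s*$")  # key stops at the first colon
PLACEHOLDER = re.compile(r"^\[.*\]$")
REQUIRED_KEYS = ("Local Tunnel Endpoint", "Remote Tunnel Endpoint",
                 "Endpoint 1", "Endpoint 2", "Preshared key")


def parse_config(text):
    """Return ({'Tunnel1': {...}, 'Tunnel2': {...}}, {SA setting: value})."""
    tunnels, sa_settings, current = {}, {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:  # a blank line ends the current tunnel block
            current = None
            continue
        if set(stripped) == {"-"}:  # rule under the block title
            continue
        header = TUNNEL_HEADER.match(line)
        if header:
            current = tunnels.setdefault(header.group(2), {"vgw": header.group(1)})
            continue
        kv = KEY_VALUE.match(line)
        if kv:
            key, value = kv.groups()
            (current if current is not None else sa_settings)[key] = value
    return tunnels, sa_settings


def readiness_issues(tunnels):
    """Everything that still blocks using the file. Both tunnels should be configured, every required
    field present and no [placeholder] left; the guide's sample PSK ends in EXAMPLE, so flag that too."""
    issues = []
    for name in ("Tunnel1", "Tunnel2"):
        block = tunnels.get(name)
        if block is None:
            issues.append(f"{name}: block missing")
            continue
        for key in REQUIRED_KEYS:
            value = block.get(key)
            if value is None:
                issues.append(f"{name}: {key} missing")
            elif PLACEHOLDER.match(value):
                issues.append(f"{name}: {key} still has placeholder {value}")
        if block.get("Preshared key", "").endswith("EXAMPLE"):
            issues.append(f"{name}: Preshared key is the documentation sample value")
    return issues


def parse_main_mode(value):
    """'DHGroup2-AES128-SHA1' -> {'dh_group': 2, 'encryption': 'AES128', 'integrity': 'SHA1'}."""
    m = re.fullmatch(r"DHGroup(\d+)-([A-Z0-9]+)-([A-Z0-9]+)", value)
    if not m:
        raise ValueError(f"unexpected MainModeSecMethods: {value}")
    return {"dh_group": int(m.group(1)), "encryption": m.group(2), "integrity": m.group(3)}


def parse_key_lifetime(value):
    """'480min,0sess' -> (480, 0): minutes and sessions before the IKE SA is re-keyed."""
    m = re.fullmatch(r"(\d+)min,(\d+)sess", value)
    if not m:
        raise ValueError(f"unexpected MainModeKeyLifetime: {value}")
    return int(m.group(1)), int(m.group(2))


def parse_quick_mode(value):
    """'ESP:SHA1-AES128+60min+100000kb' -> protocol, integrity, encryption and both lifetimes."""
    m = re.fullmatch(r"(ESP|AH):([A-Z0-9]+)-([A-Z0-9]+)\+(\d+)min\+(\d+)kb", value)
    if not m:
        raise ValueError(f"unexpected QuickModeSecMethods: {value}")
    return {"protocol": m.group(1), "integrity": m.group(2), "encryption": m.group(3),
            "lifetime_min": int(m.group(4)), "lifetime_kb": int(m.group(5))}


if __name__ == "__main__":
    tunnels, sa = parse_config(SAMPLE_CONFIG)
    for issue in readiness_issues(tunnels):
        print("blocker:", issue)
    print(parse_main_mode(sa["MainModeSecMethods"]), parse_quick_mode(sa["QuickModeSecMethods"]))
```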
Step 3: Configure the Windows Server
1. On the dashboard, choose Notifications (the flag icon). There should be a task to complete the post-
deployment configuration. Choose the Open the Getting Started Wizard link.
2. Choose Deploy VPN only.
3. In the Routing and Remote Access dialog box, choose the server name, choose Action, and then
select Configure and Enable Routing and Remote Access.
4. In the Routing and Remote Access Server Setup Wizard, on the first page, choose Next.
5. On the Configuration page, choose Custom Configuration, Next.
6. Choose LAN routing, Next, Finish.
7. When prompted by the Routing and Remote Access dialog box, choose Start service.
Step 4: Set up the VPN tunnel
Options
• Option 1: Run the netsh script (p. 66)
• Option 2: Use the Windows Server user interface (p. 66)
Name: You can replace the suggested name (vgw-1a2b3c4d Tunnel 1) with a name of your choice.
LocalTunnelEndpoint: Enter the private IP address of the Windows Server on your network.
Endpoint1: The CIDR block of your network on which the Windows Server resides, for example,
172.31.0.0/16. Surround this value with double quotes (").
Endpoint2: The CIDR block of your VPC or a subnet in your VPC, for example, 10.0.0.0/16. Surround
this value with double quotes (").
Run the updated script in a command prompt window on your Windows Server. (The ^ enables you
to cut and paste wrapped text at the command line.) To set up the second VPN tunnel for this VPN
connection, repeat the process using the second netsh script in the configuration file.
When you are done, go to Configure the Windows firewall (p. 70).
For more information about the netsh parameters, see Netsh AdvFirewall Consec Commands in the
Microsoft TechNet Library.
Topics
• Configure a security rule for a VPN tunnel (p. 66)
• Confirm the tunnel configuration (p. 69)
• Enable master key perfect forward secrecy (p. 69)
• Configure the Windows firewall (p. 70)
1. Open Server Manager, choose Tools, and then select Windows Defender Firewall with Advanced
Security.
2. Select Connection Security Rules, choose Action, and then New Rule.
3. In the New Connection Security Rule wizard, on the Rule Type page, choose Tunnel, and then
choose Next.
4. On the Tunnel Type page, under What type of tunnel would you like to create, choose Custom
configuration. Under Would you like to exempt IPsec-protected connections from this tunnel,
leave the default value checked (No. Send all network traffic that matches this connection
security rule through the tunnel), and then choose Next.
5. On the Requirements page, choose Require authentication for inbound connections. Do not
establish tunnels for outbound connections, and then choose Next.
6. On the Tunnel Endpoints page, under Which computers are in Endpoint 1, choose Add. Enter the
CIDR range of your network (behind your Windows Server customer gateway device; for example,
172.31.0.0/16), and then choose OK. The range can include the IP address of your customer
gateway device.
7. Under What is the local tunnel endpoint (closest to computer in Endpoint 1), choose Edit. In the
IPv4 address field, enter the private IP address of your Windows Server, and then choose OK.
8. Under What is the remote tunnel endpoint (closest to computers in Endpoint 2), choose Edit. In
the IPv4 address field, enter the IP address of the virtual private gateway for Tunnel 1 from the
configuration file (see Remote Tunnel Endpoint), and then choose OK.
Important
If you are repeating this procedure for Tunnel 2, be sure to select the endpoint for Tunnel 2.
9. Under Which computers are in Endpoint 2, choose Add. In the This IP address or subnet field,
enter the CIDR block of your VPC, and then choose OK.
Important
You must scroll in the dialog box until you locate Which computers are in Endpoint 2. Do
not choose Next until you have completed this step, or you won't be able to connect to your
server.
10. Confirm that all of the settings you've specified are correct and then choose Next.
11. On the Authentication Method page, select Advanced and choose Customize.
12. Under First authentication methods, choose Add.
13. Select Preshared key, enter the pre-shared key value from the configuration file and then choose
OK.
Important
If you are repeating this procedure for Tunnel 2, be sure to select the pre-shared key for
Tunnel 2.
14. Ensure that First authentication is optional is not selected, and choose OK.
15. Choose Next.
16. On the Profile page, select all three check boxes: Domain, Private, and Public. Choose Next.
17. On the Name page, enter a name for your connection rule; for example, VPN to AWS Tunnel 1,
and then choose Finish.
Repeat the preceding procedure, specifying the data for Tunnel 2 from your configuration file.
After you've finished, you’ll have two tunnels configured for your VPN connection.
1. Open Server Manager, choose Tools, select Windows Defender Firewall with Advanced Security, and then
select Connection Security Rules.
2. Verify the following for both tunnels:
• Enabled is Yes
• Endpoint 1 is the CIDR block for your network
• Endpoint 2 is the CIDR block of your VPC
• Authentication mode is Require inbound and clear outbound
• Authentication method is Custom
• Endpoint 1 port is Any
• Endpoint 2 port is Any
• Protocol is Any
3. Select the first rule and choose Properties.
4. On the Authentication tab, under Method, choose Customize. Verify that First authentication
methods contains the correct pre-shared key from your configuration file for the tunnel, and then
choose OK.
5. On the Advanced tab, verify that Domain, Private, and Public are all selected.
6. Under IPsec tunneling, choose Customize. Verify the following IPsec tunneling settings, and then
choose OK and OK again to close the dialog box.
3. Repeat step 2 for the second tunnel, this time replacing rule_name with the name that you gave
the second connection rule.
1. Open Server Manager, choose Tools, select Windows Defender Firewall with Advanced Security,
and then choose Properties.
2. On the IPsec Settings tab, under IPsec exemptions, verify that Exempt ICMP from IPsec is No
(default). Verify that IPsec tunnel authorization is None.
3. Under IPsec defaults, choose Customize.
4. Under Key exchange (Main Mode), select Advanced and then choose Customize.
5. In Customize Advanced Key Exchange Settings, under Security methods, verify that the following
default values are used for the first entry:
• Integrity: SHA-1
• Encryption: AES-CBC 128
• Key exchange algorithm: Diffie-Hellman Group 2
• Under Key lifetimes, verify that Minutes is 480 and Sessions is 0.
These values correspond to the following entries in the configuration file.
MainModeSecMethods: DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
MainModeKeyLifetime: 480min,0sec
Diffie-Hellman group 2 (1024-bit MODP), SHA-1 and 3DES are legacy algorithms that are no longer considered strong; this procedure keeps them because they are what the example configuration file negotiates. If your Windows Server version and your tunnel options allow it, use a stronger set on both ends (for example, Diffie-Hellman group 14 or higher, SHA-2 integrity and AES-256); see Modifying Site-to-Site VPN tunnel options (p. 110).
6. Under Key exchange options, select Use Diffie-Hellman for enhanced security, and then choose
OK.
7. Under Data protection (Quick Mode), select Advanced, and then choose Customize.
8. Select Require encryption for all connection security rules that use these settings.
9. Under Data integrity and encryption, leave the default values:
• Protocol: ESP
• Integrity: SHA-1
• Encryption: AES-CBC 128
• Lifetime: 60 minutes
These values correspond to the following entry from the configuration file.
QuickModeSecMethods: ESP:SHA1-AES128+60min+100000kb
10. Choose OK to return to the Customize IPsec Settings dialog box and choose OK again to save the
configuration.
Step 5: Enable dead gateway detection
1. From your Windows Server, launch the command prompt or a PowerShell session, and enter regedit
to start Registry Editor.
2. Expand HKEY_LOCAL_MACHINE, expand SYSTEM, expand CurrentControlSet, expand Services,
expand Tcpip, and then expand Parameters.
3. From the Edit menu, select New and select DWORD (32-bit) Value.
4. Enter the name EnableDeadGWDetect.
5. Select EnableDeadGWDetect and choose Edit, Modify.
6. In Value data, enter 1, and then choose OK.
7. Close the Registry Editor and reboot the server.
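The following is an added example, not code from the AWS guide: the netsh and PowerShell equivalents of the Step 4 wizard, the perfect forward secrecy setting and the Step 5 registry change, so that the two-tunnel configuration can be applied and re-verified from a script instead of clicked through twice. It assumes an elevated PowerShell session on a Windows Server 2012 or later customer gateway device (the Get-NetIPsec* cmdlets need the NetSecurity module); the rule names, CIDR blocks, addresses and pre-shared key placeholders are assumptions to be replaced with the values from your downloaded configuration file.

```powershell
# Added example; not part of the AWS guide. Placeholders below come from the
# downloaded configuration file in a real deployment.
#Requires -RunAsAdministrator

$LocalCidr = '172.31.0.0/16'   # network behind the Windows Server (Endpoint 1)
$VpcCidr   = '10.0.0.0/16'     # VPC CIDR block (Endpoint 2); placeholder
$LocalIp   = '172.31.1.10'     # private IP address of the Windows Server; placeholder
$Tunnels   = @(
    @{ Name = 'VPN to AWS Tunnel 1'; RemoteIp = '203.0.113.10'; Psk = 'REPLACE_WITH_TUNNEL_1_PSK' },
    @{ Name = 'VPN to AWS Tunnel 2'; RemoteIp = '203.0.113.11'; Psk = 'REPLACE_WITH_TUNNEL_2_PSK' }
)

function Invoke-Netsh {
    # Run one netsh command and fail loudly, because netsh itself never throws.
    param([string[]]$Arguments)
    $out = & netsh.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh $($Arguments -join ' ') failed: $($out -join ' ')" }
    $out
}

# IPsec defaults ("Configure the Windows firewall"), matching the configuration file:
#   MainModeSecMethods: DHGroup2-AES128-SHA1,DHGroup2-3DES-SHA1
#   MainModeKeyLifetime: 480min,0sec
# mmforcedh yes is the "Use Diffie-Hellman for enhanced security" check box.
Invoke-Netsh 'advfirewall','set','global','mainmode','mmsecmethods','dhgroup2:aes128-sha1,dhgroup2:3des-sha1' | Out-Null
Invoke-Netsh 'advfirewall','set','global','mainmode','mmkeylifetime','480min,0sess' | Out-Null
Invoke-Netsh 'advfirewall','set','global','mainmode','mmforcedh','yes' | Out-Null

foreach ($t in $Tunnels) {
    # Delete a stale rule of the same name so the script can be re-run
    # (netsh reports "No rules match" the first time; that is harmless).
    & netsh.exe advfirewall consec delete rule "name=$($t.Name)" | Out-Null

    # One tunnel-mode connection security rule per AWS tunnel endpoint: require
    # authentication inbound and clear outbound, pre-shared key, all three profiles.
    Invoke-Netsh @(
        'advfirewall','consec','add','rule',
        "name=$($t.Name)",
        'mode=tunnel',
        "endpoint1=$LocalCidr",
        "endpoint2=$VpcCidr",
        "localtunnelendpoint=$LocalIp",
        "remotetunnelendpoint=$($t.RemoteIp)",
        'action=requireinclearout',
        'auth1=computerpsk',
        "auth1psk=$($t.Psk)",
        'qmsecmethods=ESP:SHA1-AES128+60min+100000kb',
        'profile=any',
        'enable=yes'
    ) | Out-Null

    # "Enable master key perfect forward secrecy": quick-mode PFS on this rule.
    Invoke-Netsh @(
        'advfirewall','consec','set','rule',
        "name=$($t.Name)",
        'new',
        'qmpfs=dhgroup2',
        'qmsecmethods=ESP:SHA1-AES128+60min+100000kb'
    ) | Out-Null
}

# Step 5: dead gateway detection, so TCP fails over to the second tunnel's route
# when the first becomes unreachable. Takes effect after a reboot.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
New-ItemProperty -Path $tcpip -Name EnableDeadGWDetect -PropertyType DWord -Value 1 -Force | Out-Null

# Verification, mirroring the "verify the following for both tunnels" list:
# rule settings, then whether IKE (main mode) and IPsec (quick mode) SAs exist.
foreach ($t in $Tunnels) { Invoke-Netsh 'advfirewall','consec','show','rule',"name=$($t.Name)",'verbose' }
Get-NetIPsecMainModeSA    # one entry per tunnel whose IKE negotiation succeeded
Get-NetIPsecQuickModeSA   # inbound and outbound entries appear once traffic has flowed
```

The script keeps the algorithms the guide documents so that they match the configuration file; a stronger set on the Windows side only helps if the AWS tunnel options are changed to match. Reboot after the registry change, and expect Get-NetIPsecQuickModeSA to return nothing until interesting traffic has triggered quick mode for a tunnel.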
For steps to test the VPN connection, see Testing the Site-to-Site VPN connection (p. 104). If the ping test
fails, check the following:
• Ensure that you have configured your security group rules to allow ICMP to the instance in your VPC.
If your Windows Server is an EC2 instance, ensure that its security group's outbound rules allow IPsec
traffic. For more information, see Configuring your Windows instance (p. 62).
• Ensure that the operating system on the instance you are pinging is configured to respond to ICMP. We
recommend that you use one of the Amazon Linux AMIs.
• If the instance you are pinging is a Windows instance, connect to the instance and enable inbound
ICMPv4 on the Windows firewall.
• Ensure that you have configured the route tables correctly for your VPC or your subnet. For more
information, see Step 1: Create a VPN connection and configure your VPC (p. 62).
• If your customer gateway device is an EC2 instance, ensure that you've disabled source/destination
checking for the instance. For more information, see Configuring your Windows instance (p. 62).
In the Amazon VPC console, on the VPN Connections page, select your VPN connection. The first tunnel
is in the UP state. The second tunnel should be configured, but it isn't used unless the first tunnel goes
down. It may take a few moments to establish the encrypted tunnels.
For general testing instructions, see Testing the Site-to-Site VPN connection (p. 104).
Topics
• Troubleshooting connectivity when using Border Gateway Protocol (p. 72)
• Troubleshooting connectivity without Border Gateway Protocol (p. 75)
• Troubleshooting Cisco ASA customer gateway device connectivity (p. 77)
• Troubleshooting Cisco IOS customer gateway device connectivity (p. 80)
• Troubleshooting Cisco IOS customer gateway device without Border Gateway Protocol
connectivity (p. 85)
• Troubleshooting Juniper JunOS customer gateway device connectivity (p. 89)
• Troubleshooting Juniper ScreenOS customer gateway device connectivity (p. 92)
• Troubleshooting Yamaha customer gateway device connectivity (p. 94)
Additional resources
Device with BGP
IKE
An IKE security association is required to exchange keys that are used to establish the IPsec security association.
If no IKE security association exists, review your IKE configuration settings. You must configure the encryption, authentication, perfect forward secrecy, and mode parameters as listed in the configuration file.
IPsec
An IPsec SA is the tunnel itself. Query your customer gateway device to determine if an IPsec SA is active. Ensure that you configure the encryption, authentication, perfect forward secrecy, and mode parameters as listed in the configuration file.
Tunnel
Confirm that the required firewall rules are set up (for a list of the rules, see Configuring a firewall between the internet and your customer gateway device (p. 37)). If they are, move forward.
Each side of the tunnel has an IP address as specified in the configuration file. The virtual private gateway address is the address used as the BGP neighbor address. From your customer gateway device, ping this address to determine if IP traffic is being properly encrypted and decrypted.
If the ping isn't successful, review your tunnel interface configuration to make sure that the proper IP address is configured.
BGP
If the tunnels are not in this state, review your BGP configuration.
If the BGP peering is established, you are receiving a prefix, and you are advertising a prefix, your tunnel is configured correctly. Make sure that both tunnels are in this state.
Device without BGP
IKE
An IKE security association is required to exchange keys that are used to establish the IPsec security association.
If no IKE security association exists, review your IKE configuration settings. You must configure the encryption, authentication, perfect forward secrecy, and mode parameters as listed in the configuration file.
IPsec
An IPsec SA is the tunnel itself. Query your customer gateway device to determine if an IPsec SA is active. Ensure that you configure the encryption, authentication, perfect forward secrecy, and mode parameters as listed in the configuration file.
Tunnel
Confirm that the required firewall rules are set up (for a list of the rules, see Configuring a firewall between the internet and your customer gateway device (p. 37)). If they are, move forward.
Each side of the tunnel has an inside IP address as specified in the configuration file. From your customer gateway device, ping the inside address of the virtual private gateway to determine if IP traffic is being properly encrypted and decrypted.
If the ping isn't successful, review your tunnel interface configuration to make sure that the proper IP address is configured.
If the tunnels are not in this state, review your device configuration.
Make sure that both tunnels are in this state, and you're done.
Cisco ASA
Important
Some Cisco ASAs only support Active/Standby mode. When you use these Cisco ASAs, you can
have only one active tunnel at a time. The other standby tunnel becomes active only if the first
tunnel becomes unavailable. The standby tunnel might produce the following error in your log
files, which can be ignored:
Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 0.0.0.0/0.0.0.0/0/0 local proxy 0.0.0.0/0.0.0.0/0/0 on interface outside
IKE
Use the following command. The response shows a customer gateway device with IKE configured
correctly.
Active SA: 2
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 2
You should see one or more lines containing an src value for the remote gateway that is specified in
the tunnels. The state value should be MM_ACTIVE and status should be ACTIVE. The absence of an
entry, or any entry in another state, indicates that IKE is not configured properly.
For further troubleshooting, run the following commands to enable log messages that provide
diagnostic information.
IPsec
Use the following command. The response shows a customer gateway device with IPsec configured
correctly.
interface: outside
Crypto map tag: VPN_crypto_map_name, seq num: 2, local addr: 172.25.50.101
For each tunnel interface, you should see both inbound esp sas and outbound esp sas. If an SA is
listed in each direction (for example, spi: 0x48B456A6), IPsec is configured correctly.
On the Cisco ASA, the IPsec SA only comes up after interesting traffic (traffic that should be encrypted) is
sent. To keep the IPsec SA up at all times, we recommend configuring an SLA monitor, which continuously
sends interesting traffic.
You can also use the following ping command to force your IPsec to start negotiation and go up.
ping ec2_instance_ip_address
Routing
Ping the other end of the tunnel. If this is working, then your IPsec should be established. If this is not
working, check your access lists, and refer to the previous IPsec section.
If you are not able to reach your instances, check the following information.
1. Verify that the access list is configured to allow traffic that is associated with the crypto map.
3. Verify that the access list is correct. The following example access list allows all internal traffic to the
VPC subnet 10.0.0.0/16.
4. Run a traceroute from the Cisco ASA device, to see if it reaches the Amazon routers (for example,
AWS_ENDPOINT_1/AWS_ENDPOINT_2).
If this reaches the Amazon router, then check the static routes that you added in the Amazon VPC
console, and also the security groups for the particular instances.
5. For further troubleshooting, review the configuration.
Cisco IOS
IKE
Use the following command. The response shows a customer gateway device with IKE configured
correctly.
You should see one or more lines containing an src value for the remote gateway that is specified in the
tunnels. The state should be QM_IDLE and the status should be ACTIVE. The absence of an entry, or any
entry in another state, indicates that IKE is not configured properly.
For further troubleshooting, run the following commands to enable log messages that provide
diagnostic information.
IPsec
Use the following command. The response shows a customer gateway device with IPsec configured
correctly.
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 192.168.37.160
inbound ah sas:
outbound ah sas:
interface: Tunnel2
Crypto map tag: Tunnel2-head-0, local addr 174.78.144.73
inbound ah sas:
outbound ah sas:
For each tunnel interface, you should see both inbound esp sas and outbound esp sas. Assuming
an SA is listed (spi: 0xF95D2F3C, for example) and the Status is ACTIVE, IPsec is configured
correctly.
Tunnel
First, check that you have the necessary firewall rules in place. For more information, see Configuring a
firewall between the internet and your customer gateway device (p. 37).
If your firewall rules are set up correctly, then continue troubleshooting with the following command.
Make sure that the line protocol is up. Check that the tunnel source IP address, source interface,
and destination respectively match the tunnel configuration for the customer gateway device outside IP
address, interface, and virtual private gateway outside IP address. Make sure that Tunnel protection
via IPSec is present. Run the command on both tunnel interfaces. To resolve any problems, review the
configuration and check the physical connections to your customer gateway device.
Also use the following command, replacing 169.254.255.1 with the inside IP address of your virtual
private gateway.
BGP
Use the following command.
Both neighbors should be listed. For each, you should see a State/PfxRcd value of 1.
If the BGP peering is up, verify that your customer gateway device is advertising the default route
(0.0.0.0/0) to the VPC.
Additionally, ensure that you're receiving the prefix corresponding to your VPC from the virtual private
gateway.
Cisco IOS without BGP
IKE
Use the following command. The response shows a customer gateway device with IKE configured
correctly.
You should see one or more lines containing an src value for the remote gateway that is specified in the
tunnels. The state should be QM_IDLE and status should be ACTIVE. The absence of an entry, or any
entry in another state, indicates that IKE is not configured properly.
For further troubleshooting, run the following commands to enable log messages that provide
diagnostic information.
IPsec
Use the following command. The response shows a customer gateway device with IPsec configured
correctly.
interface: Tunnel1
Crypto map tag: Tunnel1-head-0, local addr 174.78.144.73
inbound ah sas:
outbound ah sas:
interface: Tunnel2
Crypto map tag: Tunnel2-head-0, local addr 205.251.233.122
inbound ah sas:
outbound ah sas:
For each tunnel interface, you should see both inbound esp sas and outbound esp sas. If an SA is
listed in each direction (for example, spi: 0x48B456A6) and the status is ACTIVE, IPsec is configured
correctly.
Tunnel
First, check that you have the necessary firewall rules in place. For more information, see Configuring a
firewall between the internet and your customer gateway device (p. 37).
If your firewall rules are set up correctly, then continue troubleshooting with the following command.
Make sure that the line protocol is up. Check that the tunnel source IP address, source interface, and
destination respectively match the tunnel configuration for the customer gateway device outside IP
address, interface, and virtual private gateway outside IP address. Make sure that Tunnel protection
through IPSec is present. Run the command on both tunnel interfaces. To resolve any problems,
review the configuration and check the physical connections to your customer gateway device.
You can also use the following command, replacing 169.254.249.18 with the inside IP address of your
virtual private gateway.
Routing
To see your static route table, use the following command.
You should see that the static route for the VPC CIDR through both tunnels exists. If it does not exist, add
the static routes as follows.
The value for Number of successes indicates whether the SLA monitor has been set up successfully.
Juniper JunOS
IKE
Use the following command. The response shows a customer gateway device with IKE configured
correctly.
You should see one or more lines containing a remote address of the remote gateway specified in the
tunnels. The State should be UP. The absence of an entry, or any entry in another state (such as DOWN),
is an indication that IKE is not configured properly.
For further troubleshooting, enable the IKE trace options as recommended in the example configuration
file. Then run the following command to print a variety of debugging messages to the screen.
From an external host, you can retrieve the entire log file with the following command.
scp username@router.hostname:/var/log/kmd
IPsec
Use the following command. The response shows a customer gateway device with IPsec configured
correctly.
Specifically, you should see at least two lines per gateway address (corresponding to the remote
gateway). The carets at the beginning of each line (< >) indicate the direction of traffic for the particular
entry. The output has separate lines for inbound traffic ("<", traffic from the virtual private gateway to
this customer gateway device) and outbound traffic (">").
For further troubleshooting, enable the IKE traceoptions (for more information, see the preceding
section about IKE).
Tunnel
First, double-check that you have the necessary firewall rules in place. For a list of rules, see Configuring
a firewall between the internet and your customer gateway device (p. 37).
If your firewall rules are set up correctly, then continue troubleshooting with the following command.
Make sure that the Security: Zone is correct, and that the Local address matches the customer
gateway device tunnel inside address.
Next, use the following command, replacing 169.254.255.1 with the inside IP address of your virtual
private gateway. Your results should look like the response shown here.
BGP
Run the following command.
For further troubleshooting, use the following command, replacing 169.254.255.1 with the inside IP
address of your virtual private gateway.
Here you should see Received prefixes and Advertised prefixes listed at 1 each. This should be
within the Table inet.0 section.
If the State is not Established, check the Last State and Last Error for details of what is
required to correct the problem.
If the BGP peering is up, verify that your customer gateway device is advertising the default route
(0.0.0.0/0) to the VPC.
* 0.0.0.0/0 Self I
Additionally, make sure that you're receiving the prefix that corresponds to your VPC from the virtual
private gateway.
Juniper ScreenOS
IKE
ssg5-serial-> get sa
You should see one or more lines containing a remote address of the remote gateway that is specified
in the tunnels. The Sta value should be A/- and SPI should be a hexadecimal number other than
00000000. Entries in other states indicate that IKE is not configured properly.
For further troubleshooting, enable the IKE trace options (as recommended in the example configuration
file).
Tunnel
First, double-check that you have the necessary firewall rules in place. For a list of rules, see Configuring
a firewall between the internet and your customer gateway device (p. 37).
If your firewall rules are set up correctly, then continue troubleshooting with the following command.
Interface tunnel.1:
description tunnel.1
number 20, if_info 1768, if_index 1, mode route
link ready
vsys Root, zone Trust, vr trust-vr
admin mtu 1500, operating mtu 1500, default mtu 1500
*ip 169.254.255.2/30
*manage ip 169.254.255.2
route-deny disable
bound vpn:
IPSEC-1
pmtu-v4 disabled
ping disabled, telnet disabled, SSH disabled, SNMP disabled
web disabled, ident-reset disabled, SSL disabled
OSPF disabled BGP enabled RIP disabled RIPng disabled mtrace disabled
PIM: not configured IGMP not configured
NHRP disabled
bandwidth: physical 0kbps, configured egress [gbw 0kbps mbw 0kbps]
configured ingress mbw 0kbps, current bw 0kbps
total allocated gbw 0kbps
Make sure that you see link:ready, and that the IP address matches the customer gateway device
tunnel inside address.
Next, use the following command, replacing 169.254.255.1 with the inside IP address of your virtual
private gateway. Your results should look like the response shown here.
BGP
Run the following command.
The state of both BGP peers should be ESTABLISH, which means that the BGP connection to the virtual
private gateway is active.
For further troubleshooting, use the following command, replacing 169.254.255.1 with the inside IP
address of your virtual private gateway.
connection state: ESTABLISH, connection id: 18 retry interval: node default(120s), cur retry time 15s
configured hold time: node default(90s), configured keepalive: node default(30s)
configured adv-interval: default(30s)
designated local IP: n/a
local IP address/port: 169.254.255.2/13946, remote IP address/port: 169.254.255.1/179
router ID of peer: 169.254.255.1, remote AS: 7224
negotiated hold time: 30s, negotiated keepalive interval: 10s
route map in name: , route map out name:
weight: 100 (default)
self as next hop: disable
send default route to peer: disable
ignore default route from peer: disable
send community path attribute: no
reflector client: no
Neighbor Capabilities:
Route refresh: advertised and received
Address family IPv4 Unicast: advertised and received
force reconnect is disable
total messages to peer: 106, from peer: 106
update messages to peer: 6, from peer: 4
Tx queue length 0, Tx queue HWM: 1
route-refresh messages to peer: 0, from peer: 0
last reset 00:05:33 ago, due to BGP send Notification(Hold Timer Expired)(code 4 : subcode 0)
number of total successful connections: 4
connected: 2 minutes 6 seconds
Elapsed time since last update: 2 minutes 6 seconds
If the BGP peering is up, verify that your customer gateway device is advertising the default route
(0.0.0.0/0) to the VPC. This command applies to ScreenOS version 6.2.0 and higher.
Additionally, ensure that you're receiving the prefix that corresponds to your VPC from the virtual private
gateway. This command applies to ScreenOS version 6.2.0 and higher.
Yamaha
IKE
Run the following command. The response shows a customer gateway device with IKE configured
correctly.
You should see a line containing a remote-id value for the remote gateway that is specified in the
tunnels. You can list all of the security associations (SAs) by omitting the tunnel number.
For further troubleshooting, run the following commands to enable DEBUG level log messages that
provide diagnostic information.
# syslog debug on
# ipsec ike log message-info payload-info key-info
IPsec
Run the following command. The response shows a customer gateway device with IPsec configured
correctly.
SPI: 6b ce fd 8a d5 30 9b 02 0c f3 87 52 4a 87 6e 77
Key: ** ** ** ** ** (confidential) ** ** ** ** **
----------------------------------------------------
SA[2] Duration: 1719s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Direction: send
Protocol: ESP (Mode: tunnel)
Algorithm: AES-CBC (for Auth.: HMAC-SHA)
SPI: a6 67 47 47
Key: ** ** ** ** ** (confidential) ** ** ** ** **
----------------------------------------------------
SA[3] Duration: 1719s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Direction: receive
Protocol: ESP (Mode: tunnel)
Algorithm: AES-CBC (for Auth.: HMAC-SHA)
SPI: 6b 98 69 2b
Key: ** ** ** ** ** (confidential) ** ** ** ** **
----------------------------------------------------
SA[4] Duration: 10681s
Local ID: YOUR_LOCAL_NETWORK_ADDRESS
Remote ID: 72.21.209.225
Protocol: IKE
Algorithm: AES-CBC, SHA-1, MODP 1024bit
SPI: e8 45 55 38 90 45 3f 67 a8 74 ca 71 ba bb 75 ee
Key: ** ** ** ** ** (confidential) ** ** ** ** **
----------------------------------------------------
For each tunnel interface, you should see both receive sas and send sas.
# syslog debug on
# ipsec ike log message-info payload-info key-info
Tunnel
First, check that you have the necessary firewall rules in place. For a list of rules, see Configuring a
firewall between the internet and your customer gateway device (p. 37).
If your firewall rules are set up correctly, then continue troubleshooting with the following command.
TUNNEL[1]:
Description:
Interface type: IPsec
Current status is Online.
from 2011/08/15 18:19:45.
5 hours 7 minutes 58 seconds connection.
Received: (IPv4) 3933 packets [244941 octets]
(IPv6) 0 packet [0 octet]
Transmitted: (IPv4) 3933 packets [241407 octets]
(IPv6) 0 packet [0 octet]
Make sure that the current status value is online and that Interface type is IPsec. Make sure to
run the command on both tunnel interfaces. To resolve any problems here, review the configuration.
BGP
Run the following command.
Both neighbors should be listed. For each, you should see a BGP state value of Active.
If the BGP peering is up, verify that your customer gateway device is advertising the default route
(0.0.0.0/0) to the VPC.
Total routes: 1
*: valid route
Network Next Hop Metric LocPrf Path
* default 0.0.0.0 0 IGP
Additionally, ensure that you're receiving the prefix that corresponds to your VPC from the virtual private
gateway.
# show ip route
Identifying a Site-to-Site VPN connection
Contents
• Identifying a Site-to-Site VPN connection (p. 98)
• Migrating from AWS Classic VPN to AWS VPN (p. 99)
• Creating a transit gateway VPN attachment (p. 103)
• Testing the Site-to-Site VPN connection (p. 104)
• Deleting a Site-to-Site VPN connection (p. 105)
• Modifying a Site-to-Site VPN connection's target gateway (p. 107)
• Modifying Site-to-Site VPN connection options (p. 110)
• Modifying Site-to-Site VPN tunnel options (p. 110)
• Editing static routes for a Site-to-Site VPN connection (p. 111)
• Changing the customer gateway for a Site-to-Site VPN connection (p. 112)
• Replacing compromised credentials (p. 112)
• Rotating Site-to-Site VPN tunnel endpoint certificates (p. 113)
• You can use the describe-vpn-connections AWS CLI command. In the output that's returned, take
note of the Category value. A value of VPN indicates an AWS VPN connection. A value of VPN-Classic
indicates an AWS Classic VPN connection.
In the following example, the Site-to-Site VPN connection is an AWS VPN connection.
{
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-1a2b3c4d",
            ...
            "State": "available",
            "VpnGatewayId": "vgw-11aa22bb",
            "CustomerGatewayId": "cgw-ab12cd34",
            "Type": "ipsec.1",
            "Category": "VPN"
        }
    ]
}
Migrating from AWS Classic VPN to AWS VPN
If you use an AWS Classic VPN connection as a backup for your AWS Direct Connect connection, you can
delete and recreate the Site-to-Site VPN connection (option 3). During the procedure for option 3, there
is zero downtime on the AWS Direct Connect private virtual interface.
If your existing virtual private gateway is associated with multiple Site-to-Site VPN connections, you
must recreate each Site-to-Site VPN connection for the new virtual private gateway. If there are multiple
AWS Direct Connect private virtual interfaces attached to your virtual private gateway, you must recreate
each private virtual interface for the new virtual private gateway. For more information, see Creating a
virtual interface in the AWS Direct Connect User Guide.
If your existing Site-to-Site VPN connection is an AWS VPN connection, you cannot migrate to an AWS
Classic VPN connection.
Topics
• Option 1: Migrate directly to a new virtual private gateway (p. 99)
• Option 2: Migrate using a transit gateway (p. 101)
• Option 3: (Backup VPN connections for AWS Direct Connect) Delete and recreate the VPN
connection (p. 103)
Option 1: Migrate directly to a new virtual private gateway
• Virtual Private Gateway: Select the virtual private gateway that you created in the previous step.
• Customer Gateway: Choose Existing, and select the existing customer gateway for your current
AWS Classic VPN connection.
• Specify the routing options as required.
4. Select the new Site-to-Site VPN connection and choose Download Configuration. Download the
appropriate configuration file for your customer gateway device.
5. Use the configuration file to configure VPN tunnels on your customer gateway device. For more
information, see Your customer gateway device (p. 32). Do not enable the tunnels yet. Contact your
vendor if you need guidance on keeping the newly configured tunnels disabled.
6. (Optional) Create a test VPC and attach the virtual private gateway to the test VPC. Change the
encryption domain/source destination addresses as required, and test connectivity from a host in
your local network to a test instance in the test VPC.
7. If you are using route propagation for your route table, choose Route Tables in the navigation pane.
Select the route table for your VPC, and choose Route Propagation, Edit. Clear the check box for the
old virtual private gateway and choose Save.
Note
From this step onwards, connectivity is interrupted until the new virtual private gateway is
attached and the new Site-to-Site VPN connection is active.
8. In the navigation pane, choose Virtual Private Gateways. Select the old virtual private gateway
and choose Actions, Detach from VPC, Yes, Detach. Select the new virtual private gateway, and
choose Actions, Attach to VPC. Specify the VPC for your Site-to-Site VPN connection, and choose
Yes, Attach.
9. In the navigation pane, choose Route Tables. Select the route table for your VPC and do one of the
following:
• If you are using route propagation, choose Route Propagation, Edit. Select the new virtual private
gateway that's attached to the VPC and choose Save.
• If you are using static routes, choose Routes, Edit. Modify the route to point to the new virtual
private gateway, and choose Save.
10. Enable the new tunnels on your customer gateway device and disable the old tunnels. To bring the
tunnel up, you must initiate the connection from your local network.
If applicable, check your route table to ensure that the routes are being propagated. The routes
propagate to the route table when the status of the VPN tunnel is UP.
Note
If you need to revert to your previous configuration, detach the new virtual private gateway
and follow steps 8 and 9 to re-attach the old virtual private gateway and update your
routes.
11. If you no longer need your AWS Classic VPN connection and do not want to continue incurring
charges for it, remove the previous tunnel configurations from your customer gateway device, and
delete the Site-to-Site VPN connection. To do this, go to Site-to-Site VPN Connections, select the
Site-to-Site VPN connection, and choose Delete.
Important
After you've deleted the AWS Classic VPN connection, you cannot revert or migrate your
new AWS VPN connection back to an AWS Classic VPN connection.
Option 2: Migrate using a transit gateway
Alternatively, you can use this option to migrate your Site-to-Site VPN connection directly to a transit
gateway. In this case, you create your new VPN connection on the transit gateway instead of creating it
on a new virtual private gateway.
• For Transit Gateway ID, choose the transit gateway you created.
• For VPC ID, choose the VPC to attach to the transit gateway.
4. Choose Create Transit Gateway Attachment again, specify the following information, and choose
Create attachment.
• For Transit Gateway ID, choose the transit gateway you created.
• For Attachment type, choose VPN.
• For Customer Gateway ID, choose the customer gateway for your existing Site-to-Site VPN
connection, and choose the required routing option.
1. In the navigation pane, choose Virtual Private Gateways, Create Virtual Private Gateway and
create a new virtual private gateway.
2. In the navigation pane, choose Site-to-Site VPN Connections, Create VPN Connection.
3. For Virtual Private Gateway, choose the virtual private gateway you created.
4. For Customer Gateway ID, choose the existing customer gateway for your existing Site-to-Site VPN
connection, and specify the type of routing. Choose Create VPN Connection.
5. Select your new Site-to-Site VPN connection and choose Download Configuration to download the
example configuration file. Configure the VPN connection on your customer gateway device, but do
not route any traffic yet (do not create any static routes or filter out BGP announcements).
1. Configure your customer gateway device to use the VPN connection on the transit gateway (specify
a static route or allow BGP announcements, as needed). This starts asymmetric traffic routing.
2. In the navigation pane, choose Route Tables, select the route table for your VPC, and choose
Actions, Edit routes.
3. Add routes that point to your on-premises network and choose the transit gateway as the target.
For the destination routes, enter more specific routes, for example, if your on-premises network
is 10.0.0.0/16, create a route that points to 10.0.0.0/17 and another route that points to
10.0.128.0/17. Asymmetric traffic routing stops and all traffic is routed through the transit
gateway.
Note
If you're migrating your VPN connection to a transit gateway instead of a new virtual
private gateway, you can stop here.
4. In the navigation pane, choose Virtual Private Gateways.
5. Select the old virtual private gateway that's attached to your VPC, and choose Actions, Detach from
VPC. Choose Yes, Detach.
6. Select the new virtual private gateway that you created earlier, and choose Actions, Attach to VPC.
Choose your VPC, and choose Yes, Attach.
7. In the navigation pane, choose Route Tables. Select the route table for your VPC, and choose Route
Propagation, Edit route propagation. Choose the check box for the new virtual private gateway and
choose Save. Verify that the route is propagated to your VPC route table.
8. Configure your customer gateway device to use the new virtual private gateway and route traffic
from your on-premises network to your VPC, using static routes or BGP. This starts asymmetric
routing.
9. In the navigation pane, choose Route Tables. Select the route table for your VPC, and choose
Actions, Edit routes. Delete the more specific routes to your transit gateway. This stops the
asymmetric traffic flow and all traffic is routed through your new Site-to-Site VPN connection.
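The more-specific-route trick in step 3 works because a VPC route table picks the longest matching prefix. The following Python walk-through is added here (it is not part of the guide) and models the route table at each phase of Option 2 with the guide's 10.0.0.0/16 example network; the gateway IDs are placeholders, not real AWS IDs.

```python
import ipaddress

# Placeholder gateway IDs (constructed for this example, not real AWS IDs).
OLD_VGW = "vgw-OLD-PLACEHOLDER"
TGW = "tgw-PLACEHOLDER"
NEW_VGW = "vgw-NEW-PLACEHOLDER"


def resolve(route_table, dst):
    """Return the target for dst using longest-prefix match, as a VPC route
    table does. route_table is a list of (cidr, target) tuples."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def split_into_more_specific(cidr):
    """Return the two halves of cidr, the way the guide splits 10.0.0.0/16
    into 10.0.0.0/17 and 10.0.128.0/17."""
    net = ipaddress.ip_network(cidr)
    return [str(sub) for sub in net.subnets(prefixlen_diff=1)]


def migration_phases():
    """Walk through the route-table states of Option 2 and return which
    gateway carries traffic to one on-premises host in each /17 half."""
    probes = ["10.0.0.10", "10.0.200.10"]
    halves = split_into_more_specific("10.0.0.0/16")
    phases = {}

    # Phase A: only the /16 propagated by the old virtual private gateway.
    rt = [("10.0.0.0/16", OLD_VGW)]
    phases["before"] = [resolve(rt, p) for p in probes]

    # Phase B (step 3): add the more specific /17 routes to the transit
    # gateway. Longest-prefix match now prefers them over the propagated /16.
    rt = rt + [(half, TGW) for half in halves]
    phases["via_tgw"] = [resolve(rt, p) for p in probes]

    # Phase C (steps 5-7): old VGW detached, new VGW attached and propagating
    # the same /16. The /17 routes still win, so the TGW keeps the traffic.
    rt = [("10.0.0.0/16", NEW_VGW)] + [(half, TGW) for half in halves]
    phases["new_vgw_attached"] = [resolve(rt, p) for p in probes]

    # Phase D (step 9): delete the /17 routes; traffic falls back to the /16
    # propagated by the new virtual private gateway.
    rt = [("10.0.0.0/16", NEW_VGW)]
    phases["after"] = [resolve(rt, p) for p in probes]
    return phases


if __name__ == "__main__":
    for phase, targets in migration_phases().items():
        print(f"{phase:18} -> {targets}")
```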
Step 4: Clean up
If you no longer need your AWS Classic VPN connection, you can delete it. If you migrated to a new
virtual private gateway, you can also delete the transit gateway VPN connection and the transit gateway
that you created for the migration.
1. On your customer gateway device, remove the configuration for the temporary VPN connection on
the transit gateway, and the configuration for the old VPN connection.
2. In the navigation pane, choose Site-to-Site VPN Connections, select your old Site-to-Site VPN
connection, and choose Actions, Delete.
3. In the navigation pane, choose Virtual Private Gateways, select your old virtual private gateway,
and choose Actions, Delete Virtual Private Gateway. If you migrated your VPN connection to a
transit gateway, you can stop here.
4. In the navigation pane, choose Site-to-Site VPN Connections and select the transit gateway VPN
connection. Choose Actions, Delete.
5. In the navigation pane, choose Transit Gateway Attachments, and select the VPC attachment.
Choose Actions, Delete.
6. In the navigation pane, choose Transit Gateways and select your transit gateway. Choose Actions,
Delete.
Option 3: (Backup VPN connections for AWS Direct Connect) Delete and recreate the VPN connection
• Virtual Private Gateway: Choose the virtual private gateway that you used for the AWS Classic
VPN connection.
• Customer Gateway: Choose Existing, and select the existing customer gateway for your current
AWS Classic VPN connection.
• Specify the routing options as required.
6. Select the new Site-to-Site VPN connection and choose Download Configuration. Download the
appropriate configuration file for your customer gateway device.
7. Use the configuration file to configure VPN tunnels on your customer gateway device. For more
information, see Your customer gateway device (p. 32).
8. Enable the new tunnels on your customer gateway device. To bring the tunnels up, you must initiate
the connection from your local network.
If applicable, check your route tables to ensure that the routes are being propagated. The routes
propagate to the route table when the status of the VPN tunnel is UP.
Testing the Site-to-Site VPN connection
If your customer gateway is behind a network address translation (NAT) device that's enabled
for NAT traversal (NAT-T), use the public IP address of your NAT device, and adjust your firewall
rules to unblock UDP port 4500.
• To create a customer gateway, choose New.
For IP Address, enter a static public IP address. For BGP ASN, enter the Border Gateway
Protocol (BGP) Autonomous System Number (ASN) of your customer gateway. For Certificate
ARN, choose the ARN of your private certificate (if using certificate-based authentication).
If you enable acceleration, we create two accelerators that are used by your VPN connection.
Additional charges apply.
7. For Tunnel Options, see Tunnel options for your Site-to-Site VPN connection (p. 5).
8. Choose Create VPN Connection.
Use the create-vpn-connection command and specify the transit gateway ID for the --transit-gateway-id option.
• Use an AMI that responds to ping requests. We recommend that you use one of the Amazon Linux
AMIs.
• Configure any security group or network ACL in your VPC that filters traffic to the instance to allow
inbound and outbound ICMP traffic. This enables the instance to receive ping requests.
• If you are using instances running Windows Server, connect to the instance and enable inbound
ICMPv4 on the Windows firewall in order to ping the instance.
• (Static routing) Ensure that the customer gateway device has a static route to your VPC, and that your
VPN connection has a static route so that traffic can get back to your customer gateway device.
• (Dynamic routing) Ensure that the BGP status on your customer gateway device is established. It
takes approximately 30 seconds for a BGP peering session to be established. Ensure that routes are
advertised with BGP correctly and showing in the subnet route table, so that traffic can get back to
your customer gateway. Make sure that both tunnels are configured with BGP routing.
• Ensure that you have configured routing in your subnet route tables for the VPN connection.
To test connectivity
ping 10.0.0.4
To test tunnel failover, you can temporarily disable one of the tunnels on your customer gateway
device, and repeat the above step. You cannot disable a tunnel on the AWS side of the VPN
connection.
To test the connection from AWS to your on-premises network, you can use SSH or RDP to connect to
your instance from your network. You can then run the ping command with the private IP address of
another computer in your network, to verify that both sides of the connection can initiate and receive
requests.
For more information about how to connect to a Linux instance, see Connect to your Linux instance
in the Amazon EC2 User Guide for Linux Instances. For more information about how to connect to a
Windows instance, see Connect to your Windows instance in the Amazon EC2 User Guide for Windows
Instances.
Deleting a Site-to-Site VPN connection
associated with the Site-to-Site VPN connection. If you no longer need the customer gateway and virtual
private gateway, you can delete them.
Important
If you delete your Site-to-Site VPN connection and then create a new one, you have to
download a new configuration file and reconfigure the customer gateway device.
Topics
• Deleting a Site-to-Site VPN connection (p. 106)
• Deleting a customer gateway (p. 106)
• Detaching and deleting a virtual private gateway (p. 106)
Modifying a Site-to-Site VPN connection's target gateway
If you no longer require a detached virtual private gateway, you can delete it. You can't delete a virtual
private gateway that's still attached to a VPC.
After you modify the target gateway, your Site-to-Site VPN connection will be temporarily unavailable
for a brief period while we provision the new endpoints.
The following tasks help you complete the migration to a new gateway.
Tasks
• Step 1: Create the transit gateway (p. 108)
• Step 2: Delete your static routes (required for a static VPN connection migrating to a transit
gateway) (p. 108)
Step 1: Create the transit gateway
If the new target gateway is a transit gateway, attach the VPCs to the transit gateway. For information
about VPC attachments, see Transit gateway attachments to a VPC in Amazon VPC Transit Gateways.
When you modify the target from a virtual private gateway to a transit gateway, you can optionally set
the transit gateway ASN to be the same value as the virtual private gateway ASN. If you choose to have a
different ASN, then you must set the ASN on your customer gateway device to the transit gateway ASN.
For more information, see the section called “Step 6: Update the customer gateway ASN (required when
the new gateway has a different ASN from the old gateway)” (p. 110).
You must delete the static routes before you migrate to the new gateway.
Tip
Keep a copy of the static route before you delete it. You will need to add back these routes to
the transit gateway after the VPN connection migration is complete.
Step 4: Update VPC route tables
[Virtual private gateway] For Target VPN Gateway ID, choose the virtual private gateway ID.
[Transit Gateway] For Target transit gateway ID, choose the transit gateway ID.
5. Choose Save.
Existing gateway | Target gateway | VPC route table change
Virtual private gateway with propagated routes | Transit gateway | Add a route that points to the transit gateway ID.
Virtual private gateway with propagated routes | Virtual private gateway with propagated routes | There is no action required.
Virtual private gateway with propagated routes | Virtual private gateway with static routes | Add an entry that contains the new virtual private gateway ID.
Virtual private gateway with static routes | Transit gateway | Update the VPC route table and change the entry that contains the virtual private gateway ID to the transit gateway ID.
Virtual private gateway with static routes | Virtual private gateway with static routes | Update the entry that points to the virtual private gateway ID to be the new virtual private gateway ID.
Virtual private gateway with static routes | Virtual private gateway with propagated routes | Delete the entry that contains the virtual private gateway ID.
Transit gateway | Virtual private gateway with static routes | Update the entry that contains the transit gateway ID to the virtual private gateway ID.
Transit gateway | Virtual private gateway with propagated routes | Delete the entry that contains the transit gateway ID.
Step 5: Update the transit gateway routing (required when the new gateway is a transit gateway)
• The IPv4 CIDR ranges on the local (customer gateway) side and the remote (AWS) side of the VPN
connection that can communicate over the VPN tunnels. The default is 0.0.0.0/0 for both ranges.
• The IPv6 CIDR ranges on the local (customer gateway) and the remote (AWS) side of the VPN
connection that can communicate over the VPN tunnels. The default is ::/0 for both ranges.
When you modify the VPN connection options, the VPN endpoint IP addresses on the AWS side do not
change, and the tunnel options do not change. Your VPN connection will be temporarily unavailable for a
brief period while the VPN connection is updated.
To modify the VPN connection options using the command line or API
Editing static routes for a Site-to-Site VPN connection
Important
When you modify a VPN tunnel, connectivity over the tunnel is interrupted for up to several
minutes. Ensure that you plan for the expected downtime.
To modify the VPN tunnel options using the command line or API
• (AWS CLI) Use describe-vpn-connections to view the current tunnel options, and modify-vpn-tunnel-options to modify the tunnel options.
• (Amazon EC2 Query API) Use DescribeVpnConnections to view the current tunnel options, and
ModifyVpnTunnelOptions to modify the tunnel options.
Note
If you have not enabled route propagation for your route table, you must manually update
the routes in your route table to reflect the updated static IP prefixes in your Site-to-Site VPN
connection. For more information, see (Virtual private gateway) Enable route propagation in
your route table (p. 21).
For a Site-to-Site VPN connection on a transit gateway, you add, modify, or remove the static routes in
the transit gateway route table. For more information, see Transit gateway route tables.
Changing the customer gateway for a Site-to-Site VPN connection
After you change the customer gateway, your Site-to-Site VPN connection will be temporarily
unavailable for a brief period while we provision the new endpoints.
You can modify the tunnel options for the Site-to-Site VPN connection and specify a new IKE pre-shared
key for each tunnel. For more information, see Modifying Site-to-Site VPN tunnel options (p. 110).
Alternatively, you can delete the Site-to-Site VPN connection. For more information, see Deleting a Site-to-Site VPN connection (p. 105). You don't need to delete the VPC or the virtual private gateway. Then,
create a new Site-to-Site VPN connection using the same virtual private gateway, and configure the
new keys on your customer gateway device. You can specify your own pre-shared keys for the tunnels
or let AWS generate new pre-shared keys for you. For more information, see Create a Site-to-Site VPN
connection (p. 22). The tunnel's inside and outside addresses might change when you recreate the Site-to-Site VPN connection.
To change the certificate for the AWS side of the tunnel endpoint
Rotating Site-to-Site VPN tunnel endpoint certificates
Rotate the certificate. For more information, see the section called “Rotating Site-to-Site VPN tunnel
endpoint certificates” (p. 113).
1. Create a new certificate. For information about creating an ACM certificate, see Getting started in
the AWS Certificate Manager User Guide.
2. Add the certificate to the customer gateway device.
To rotate the Site-to-Site VPN tunnel endpoint certificate using the console
To rotate the Site-to-Site VPN tunnel endpoint certificate using the AWS CLI
Data protection
Security is a shared responsibility between AWS and you. The shared responsibility model describes this
as security of the cloud and security in the cloud:
• Security of the cloud – AWS is responsible for protecting the infrastructure that runs AWS services in
the AWS Cloud. AWS also provides you with services that you can use securely. Third-party auditors
regularly test and verify the effectiveness of our security as part of the AWS Compliance Programs.
To learn about the compliance programs that apply to Site-to-Site VPN, see AWS Services in Scope by
Compliance Program.
• Security in the cloud – Your responsibility is determined by the AWS service that you use. You are also
responsible for other factors including the sensitivity of your data, your company’s requirements, and
applicable laws and regulations.
Site-to-Site VPN is part of the Amazon VPC service. For more information about security in Amazon VPC,
see Security in the Amazon VPC User Guide.
The following topics show you how to configure specific components of Site-to-Site VPN to meet your
security and compliance objectives.
Contents
• Data protection in AWS Site-to-Site VPN (p. 114)
• Identity and access management for AWS Site-to-Site VPN (p. 116)
• Logging and monitoring (p. 119)
• Resilience in AWS Site-to-Site VPN (p. 120)
• Infrastructure security in AWS Site-to-Site VPN (p. 121)
For data protection purposes, we recommend that you protect AWS account credentials and set up
individual user accounts with AWS Identity and Access Management (IAM). That way each user is given
only the permissions necessary to fulfill their job duties. We also recommend that you secure your data
in the following ways:
Internetwork traffic privacy
We strongly recommend that you never put sensitive identifying information, such as your customers'
account numbers, into free-form fields such as a Name field. This includes when you work with Site-to-Site VPN or other AWS services using the console, API, AWS CLI, or AWS SDKs. Any data that you enter
into Site-to-Site VPN or other services might get picked up for inclusion in diagnostic logs. When you
provide a URL to an external server, don't include credentials information in the URL to validate your
request to that server.
When you create a Site-to-Site VPN connection, we generate configuration information that you use
to set up your customer gateway device, including the pre-shared keys (if applicable). To prevent
unauthorized access to the configuration information, ensure that you grant IAM users only the
permissions that they need. If you download the configuration file from the Amazon VPC console, only
distribute it to the users who will configure the customer gateway device. For more information, see the
following topics:
Each Site-to-Site VPN connection consists of two encrypted IPsec VPN tunnels that link AWS and your
network. Traffic in each tunnel can be encrypted with AES128 or AES256 and use Diffie-Hellman groups
for key exchange, providing Perfect Forward Secrecy. AWS authenticates with SHA1 or SHA2 hashing
functions.
Instances in your VPC do not require a public IP address to connect to resources on the other side of
your Site-to-Site VPN connection. Instances can route their internet traffic through the Site-to-Site
VPN connection to your on-premises network. They can then access the internet through your existing
outbound traffic points and your network security and monitoring devices.
• Tunnel options for your Site-to-Site VPN connection (p. 5): Provides information about the IPsec and
Internet Key Exchange (IKE) options that are available for each tunnel.
• Site-to-Site VPN tunnel authentication options (p. 9): Provides information about the authentication
options for your VPN tunnel endpoints.
• Requirements for your customer gateway device (p. 34): Provides information about the requirements
for the customer gateway device on your side of the VPN connection.
Identity and access management
• Providing secure communication between sites using VPN CloudHub (p. 27): If you have multiple Site-to-Site VPN connections, you can provide secure communication between your on-premises sites by
using the AWS VPN CloudHub.
By default, IAM users do not have permission to create, view, or modify AWS resources. To allow an IAM
user to access resources, such as Site-to-Site VPN connections, virtual private gateways, and customer
gateways, and to perform tasks, you must:
• Create an IAM policy that grants the IAM user permission to use the specific resources and API actions
that they need
• Attach the policy to the IAM user or the group to which the IAM user belongs
When you attach a policy to a user or group of users, it allows or denies the users permission to perform
the specified tasks on the specified resources.
Site-to-Site VPN is part of Amazon VPC, which shares its API namespace with Amazon EC2. To work with
Site-to-Site VPN connections, virtual private gateways, and customer gateways, one of the following
AWS managed policies might meet your needs:
• PowerUserAccess
• ReadOnlyAccess
• AmazonEC2FullAccess
• AmazonEC2ReadOnlyAccess
Take care when granting users permission to use the ec2:DescribeVpnConnections action.
This action enables users to view customer gateway configuration information for Site-to-Site VPN
connections in your account.
For more examples, see Identity and Access Management for Amazon VPC in the Amazon VPC User Guide
and IAM Policies for Amazon EC2 in the Amazon EC2 User Guide.
The following actions support resource-level permissions for the VPN connection resource:
• ec2:CreateVpnConnection
• ec2:ModifyVpnConnection
• ec2:ModifyVpnTunnelOptions
IAM policies for your Site-to-Site VPN connection
Condition key | Description | Permitted values | Type
ec2:Phase1DHGroupNumbers | The Diffie-Hellman groups that are permitted for the VPN tunnel for the phase 1 IKE negotiations. | 2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24 | Numeric
ec2:Phase2DHGroupNumbers | The Diffie-Hellman groups that are permitted for the VPN tunnel for the phase 2 IKE negotiations. | 2, 5, 14, 15, 16, 17, 18, 22, 23, 24 | Numeric
ec2:Phase1EncryptionAlgorithms | The encryption algorithms that are permitted for the VPN tunnel for the phase 1 IKE negotiations. | AES128, AES256, AES128-GCM-16, AES256-GCM-16 | String
ec2:Phase2EncryptionAlgorithms | The encryption algorithms that are permitted for the VPN tunnel for the phase 2 IKE negotiations. | AES128, AES256 | String
ec2:Phase1IntegrityAlgorithms | The integrity algorithms that are permitted for the VPN tunnel for the phase 1 IKE negotiations. | SHA1, SHA2-256 | String
ec2:Phase2IntegrityAlgorithms | The integrity algorithms that are permitted for the VPN tunnel for the phase 2 IKE negotiations. | SHA1, SHA2-384, SHA2-256, SHA2-512 | String
ec2:Phase1LifetimeSeconds | The lifetime in seconds for phase 1 of the IKE negotiation. | An integer between 900 and 28,800 | Numeric
ec2:Phase2LifetimeSeconds | The lifetime in seconds for phase 2 of the IKE negotiation. | An integer between 900 and 3,600 | Numeric
ec2:RekeyMarginTimeSeconds | The margin time before the phase 2 lifetime expires, during which AWS performs an IKE rekey. | An integer from 60 and above | Numeric
You can allow or deny specific values for each supported condition key using IAM condition operators.
For more information, see IAM JSON policy elements: condition in the IAM User Guide.
The following example policy enables users to create VPN connections, but only VPN connections with
static routing types.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpnConnection"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:RoutingType": [
                        "static"
                    ]
                }
            }
        }
    ]
}
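The permitted values in the condition-key table double as a pre-flight check: validating a proposed set of tunnel options locally before calling modify-vpn-tunnel-options fails fast and keeps the request inside what a condition-key policy would allow. The following Python checker is added here; it is not part of the guide or of any AWS SDK, it transcribes the table's values, the sample requests are constructed, and the SHA1 / group 2 hardening note is the editor's, not the guide's.

```python
# Permitted values transcribed from the condition-key table in this section.
# Option names are the condition keys without their ec2: prefix.
ALLOWED_VALUES = {
    "Phase1DHGroupNumbers": {2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24},
    "Phase2DHGroupNumbers": {2, 5, 14, 15, 16, 17, 18, 22, 23, 24},
    "Phase1EncryptionAlgorithms": {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"},
    "Phase2EncryptionAlgorithms": {"AES128", "AES256"},
    "Phase1IntegrityAlgorithms": {"SHA1", "SHA2-256"},
    "Phase2IntegrityAlgorithms": {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"},
}
ALLOWED_RANGES = {
    "Phase1LifetimeSeconds": (900, 28_800),
    "Phase2LifetimeSeconds": (900, 3_600),
}
REKEY_MARGIN_MIN = 60

# Editor's hardening note (not from the guide): the weakest values the table
# still permits are SHA1 integrity and Diffie-Hellman group 2.
WEAKEST_PERMITTED = {
    "Phase1DHGroupNumbers": {2},
    "Phase2DHGroupNumbers": {2},
    "Phase1IntegrityAlgorithms": {"SHA1"},
    "Phase2IntegrityAlgorithms": {"SHA1"},
}

# Constructed sample requests, shaped like the tunnel options you would pass
# to modify-vpn-tunnel-options.
SAMPLE_OK = {
    "Phase1DHGroupNumbers": [14, 19, 20],
    "Phase1EncryptionAlgorithms": ["AES256-GCM-16"],
    "Phase1IntegrityAlgorithms": ["SHA2-256"],
    "Phase2DHGroupNumbers": [14, 18],
    "Phase2EncryptionAlgorithms": ["AES256"],
    "Phase2IntegrityAlgorithms": ["SHA2-256"],
    "Phase1LifetimeSeconds": 28_800,
    "Phase2LifetimeSeconds": 3_600,
    "RekeyMarginTimeSeconds": 540,
}
SAMPLE_BAD = {
    "Phase2DHGroupNumbers": [2, 19],            # 19 is phase 1 only
    "Phase2EncryptionAlgorithms": ["AES256-GCM-16"],  # GCM is phase 1 only
    "Phase2LifetimeSeconds": 7_200,             # above the 3,600 maximum
    "RekeyMarginTimeSeconds": 30,               # below the 60 minimum
}


def check_tunnel_options(opts):
    """Return a list of violations; an empty list means every requested value
    is one the table permits and the rekey margin fits the phase 2 lifetime."""
    problems = []
    for key, allowed in ALLOWED_VALUES.items():
        rejected = set(opts.get(key, [])) - allowed
        if rejected:
            problems.append(f"{key}: {sorted(map(str, rejected))} not permitted")
    for key, (low, high) in ALLOWED_RANGES.items():
        if key in opts and not low <= opts[key] <= high:
            problems.append(f"{key}: {opts[key]} is outside {low}-{high}")
    margin = opts.get("RekeyMarginTimeSeconds")
    if margin is not None:
        if margin < REKEY_MARGIN_MIN:
            problems.append(f"RekeyMarginTimeSeconds: {margin} is below {REKEY_MARGIN_MIN}")
        # The margin is measured back from the phase 2 lifetime expiry, so it
        # has to be shorter than that lifetime to leave any time to rekey.
        lifetime = opts.get("Phase2LifetimeSeconds")
        if lifetime is not None and margin >= lifetime:
            problems.append(
                f"RekeyMarginTimeSeconds: {margin} is not shorter than Phase2LifetimeSeconds {lifetime}"
            )
    return problems


def weakest_permitted_in_use(opts):
    """Return the option names whose requested values include SHA1 or DH group 2."""
    return [key for key, weak in WEAKEST_PERMITTED.items() if set(opts.get(key, [])) & weak]


if __name__ == "__main__":
    for name, sample in (("SAMPLE_OK", SAMPLE_OK), ("SAMPLE_BAD", SAMPLE_BAD)):
        print(name, check_tunnel_options(sample), weakest_permitted_in_use(sample))
```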
• acm:ExportCertificate
• acm:DescribeCertificate
• acm:ListCertificates
• acm-pca:DescribeCertificateAuthority
For a Site-to-Site VPN user to create a service-linked role on your behalf, you must have the required
permissions. For information about service-linked roles, see Service-linked role permissions in the IAM
User Guide.
You can delete this service-linked role only after you delete all customer gateways that have an
associated ACM private certificate. This ensures that you cannot inadvertently remove permission to
access your ACM certificates in use by Site-to-Site VPN connections.
You can use the IAM console, the IAM CLI, or the IAM API to delete service-linked roles. For information
about deleting service-linked roles, see Deleting a service-linked role in the IAM User Guide.
After you delete AWSServiceRoleForVPCS2SVPN, Amazon VPC creates the role again for a customer
gateway with an associated ACM private certificate.
Resilience
solution so that you can more easily debug a multi-point failure if one occurs. AWS provides several tools
for monitoring your resources and responding to potential incidents.
Amazon CloudWatch
Amazon CloudWatch monitors your AWS resources and the applications that you run on AWS in real time.
You can collect and track metrics for your Site-to-Site VPN tunnels, and set alarms that notify you or
take actions when a specified metric reaches a threshold that you specify. For more information, see
Monitoring your Site-to-Site VPN connection (p. 122).
AWS CloudTrail
AWS CloudTrail captures Amazon EC2 API calls and related events made by or on behalf of your AWS
account. It then delivers the log files to an Amazon S3 bucket that you specify. For more information, see
Logging Amazon EC2, Amazon EBS, and Amazon VPC API calls with AWS CloudTrail in the Amazon EC2
API Reference.
AWS Trusted Advisor draws upon best practices learned from serving hundreds of thousands of AWS
customers. Trusted Advisor inspects your AWS environment, and then makes recommendations when
opportunities exist to save money, improve system availability and performance, or help close security
gaps.
Trusted Advisor has a check for VPN tunnel redundancy, which checks the number of tunnels that are
active for each of your VPN connections.
For more information, see AWS Trusted Advisor in the AWS Support User Guide.
For more information about AWS Regions and Availability Zones, see AWS Global Infrastructure.
In addition to the AWS global infrastructure, Site-to-Site VPN offers features to help support your data
resiliency and backup needs.
Redundancy
To protect against a loss of connectivity in case your customer gateway becomes unavailable, you can set
up a second Site-to-Site VPN connection. For more information, see the following topics:
Infrastructure security
You use AWS published API calls to access Site-to-Site VPN through the network. Clients must support
Transport Layer Security (TLS) 1.0 or later. We recommend TLS 1.2 or later. Clients must also support
cipher suites with perfect forward secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve
Ephemeral Diffie-Hellman (ECDHE). Most modern systems such as Java 7 and later support these modes.
Additionally, requests must be signed by using an access key ID and a secret access key that is associated
with an IAM principal. Or you can use the AWS Security Token Service (AWS STS) to generate temporary
security credentials to sign requests.
The next step is to establish a baseline for normal VPN performance in your environment, by measuring
performance at various times and under different load conditions. As you monitor your VPN, store
historical monitoring data so that you can compare it with current performance data, identify normal
performance patterns and performance anomalies, and devise methods to address issues.
Contents
• Monitoring tools (p. 122)
• Monitoring VPN tunnels using Amazon CloudWatch (p. 123)
• Monitoring VPN connections using AWS Health events (p. 127)
Monitoring tools
AWS provides various tools that you can use to monitor a Site-to-Site VPN connection. You can configure
some of these tools to do the monitoring for you, while some of the tools require manual intervention.
We recommend that you automate monitoring tasks as much as possible.
• Amazon CloudWatch Alarms – Watch a single metric over a time period that you specify, and perform one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The action is a notification sent to an Amazon SNS topic. CloudWatch alarms do not invoke actions simply because they are in a particular state; the state must have changed and been maintained for a specified number of periods. For more information, see Monitoring VPN tunnels using Amazon CloudWatch (p. 123).
• AWS CloudTrail Log Monitoring – Share log files between accounts, monitor CloudTrail log files in real
time by sending them to CloudWatch Logs, write log processing applications in Java, and validate that
your log files have not changed after delivery by CloudTrail. For more information, see Logging API
Calls Using AWS CloudTrail in the Amazon EC2 API Reference and Working with CloudTrail log files in
the AWS CloudTrail User Guide.
• AWS Health events – Receive alerts and notifications related to changes in the health of your Site-to-Site VPN tunnels, best practice configuration recommendations, or when approaching scaling limits.
Use events on the Personal Health Dashboard to trigger automated failovers, reduce troubleshooting
time, or optimize connections for high availability. For more information, see Monitoring VPN
connections using AWS Health events (p. 127).
VPN tunnel metrics and dimensions
Metric | Description
Units: Bytes
TunnelDataOut | The bytes sent from the AWS side of the connection through the VPN tunnel. Each metric data point represents the number of bytes sent after the previous data point. Use the Sum statistic to show the total number of bytes sent during the period. Units: Bytes

Dimension | Description
VpnId | Filters the metric data by the Site-to-Site VPN connection ID.
TunnelIpAddress | Filters the metric data by the IP address of the tunnel for the virtual private gateway.
Creating CloudWatch alarms to monitor VPN tunnels
For example, you can create an alarm that monitors the state of a VPN tunnel and sends a notification
when the tunnel state is DOWN for 3 datapoints within 15 minutes.
• To monitor when both tunnels are down, for Whenever, choose Lower/Equal (<=), and then enter 0.5.
• To monitor the DOWN state for either tunnel, for Whenever, choose Lower (<), and then enter 1.
8. Under Select an SNS topic, select an existing notification list or create a new one. Choose Next.
9. Enter a name and description for your alarm. Choose Next.
10. Check the settings for your alarm, and then choose Create alarm.
You can create an alarm that monitors the state of the Site-to-Site VPN connection. For example, you
can create an alarm that sends a notification when the status of one or both tunnels is DOWN for one 5-minute period.
Alternatively, if you've configured your Site-to-Site VPN connection so that both tunnels are up, you
can specify a statistic of Minimum to send a notification when at least one tunnel is down.
7. For Whenever, choose Lower/Equal (<=) and enter 0 (or 0.5 for when at least one tunnel is down).
Choose Next.
8. Under Select an SNS topic, select an existing notification list or choose New list to create a new
one. Choose Next.
9. Enter a name and description for your alarm. Choose Next.
10. Check the settings for your alarm, and then choose Create alarm.
You can also create alarms that monitor the amount of traffic coming in or leaving the VPN tunnel. For
example, the following alarm monitors the amount of traffic coming into the VPN tunnel from your
network, and sends a notification when the number of bytes reaches a threshold of 5,000,000 during a
15-minute period.
The following alarm monitors the amount of traffic leaving the VPN tunnel to your network, and sends a
notification when the number of bytes is less than 1,000,000 during a 15-minute period.
For more examples of creating alarms, see Creating Amazon CloudWatch alarms in the Amazon
CloudWatch User Guide.
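The thresholds in the procedures above are easier to reason about with the evaluation written out. The following Python is an added example, not code from the AWS guide: it models how CloudWatch turns raw TunnelState, TunnelDataIn and TunnelDataOut samples into period datapoints, applies the chosen statistic and comparison over the configured number of datapoints, and builds the equivalent put_metric_alarm parameters for boto3 without sending them, so it runs offline. The sample datapoints, alarm names, the VPN connection ID and the SNS topic ARN are constructed placeholders; the AWS/VPN namespace, the metric names, the VpnId dimension and the API parameter names are real. The evaluator is a simplified model (one datapoint per period, no missing-data treatment).

```python
"""Local model of how CloudWatch evaluates alarms on AWS/VPN tunnel metrics.

Added example, not code from the AWS guide. Sample datapoints below are
constructed; the evaluator ignores CloudWatch's missing-data handling.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple

Sample = Tuple[int, float]  # (unix timestamp in seconds, metric value)

STATISTICS: Dict[str, Callable[[Sequence[float]], float]] = {
    "Sum": sum, "Minimum": min, "Maximum": max,
}

# Comparison operators as named in the CloudWatch API.
COMPARISONS: Dict[str, Callable[[float, float], bool]] = {
    "LessThanOrEqualToThreshold": lambda v, t: v <= t,
    "LessThanThreshold": lambda v, t: v < t,
    "GreaterThanOrEqualToThreshold": lambda v, t: v >= t,
    "GreaterThanThreshold": lambda v, t: v > t,
}


@dataclass(frozen=True)
class Alarm:
    name: str
    metric_name: str
    statistic: str
    period_seconds: int
    comparison: str
    threshold: float
    evaluation_periods: int
    datapoints_to_alarm: int

    def put_metric_alarm_kwargs(self, vpn_id: str, topic_arn: str) -> dict:
        """Keyword arguments for boto3 cloudwatch.put_metric_alarm(**kwargs)."""
        return {
            "AlarmName": self.name,
            "Namespace": "AWS/VPN",
            "MetricName": self.metric_name,
            "Dimensions": [{"Name": "VpnId", "Value": vpn_id}],
            "Statistic": self.statistic,
            "Period": self.period_seconds,
            "EvaluationPeriods": self.evaluation_periods,
            "DatapointsToAlarm": self.datapoints_to_alarm,
            "Threshold": self.threshold,
            "ComparisonOperator": self.comparison,
            "AlarmActions": [topic_arn],
        }


def aggregate(samples: Sequence[Sample], period_seconds: int, statistic: str) -> List[float]:
    """Bucket raw samples into periods and apply the statistic to each bucket."""
    buckets: Dict[int, List[float]] = {}
    for ts, value in samples:
        buckets.setdefault(ts - ts % period_seconds, []).append(value)
    return [STATISTICS[statistic](buckets[k]) for k in sorted(buckets)]


def evaluate(alarm: Alarm, samples: Sequence[Sample]) -> str:
    """ALARM when at least datapoints_to_alarm of the last evaluation_periods
    datapoints breach the threshold, otherwise OK."""
    window = aggregate(samples, alarm.period_seconds, alarm.statistic)[-alarm.evaluation_periods:]
    breach = COMPARISONS[alarm.comparison]
    breaching = sum(1 for v in window if breach(v, alarm.threshold))
    return "ALARM" if breaching >= alarm.datapoints_to_alarm else "OK"


# Constructed 15 minutes of one-minute samples: tunnel 1 is up for the first
# five minutes and then drops; tunnel 2 is down throughout. The per-VPN
# TunnelState is modelled as the mean of the two tunnel states (1 = UP, 0 = DOWN).
MINUTES = range(15)
TUNNEL1 = [1.0 if m < 5 else 0.0 for m in MINUTES]
TUNNEL2 = [0.0 for _ in MINUTES]
TUNNEL_STATE = [(m * 60, (a + b) / 2) for m, a, b in zip(MINUTES, TUNNEL1, TUNNEL2)]
DATA_IN = [(m * 60, 400_000.0) for m in MINUTES]   # 6,000,000 bytes in 15 minutes
DATA_OUT = [(m * 60, 100_000.0) for m in MINUTES]  # 1,500,000 bytes in 15 minutes

# The alarms the guide describes: both tunnels down for 3 consecutive 5-minute
# datapoints, at least one tunnel down (Minimum statistic), and the two
# 15-minute traffic alarms.
BOTH_DOWN = Alarm("vpn-both-tunnels-down", "TunnelState", "Maximum", 300,
                  "LessThanOrEqualToThreshold", 0.0, 3, 3)
ANY_DOWN = Alarm("vpn-any-tunnel-down", "TunnelState", "Minimum", 300,
                 "LessThanOrEqualToThreshold", 0.5, 3, 3)
HIGH_IN = Alarm("vpn-high-inbound", "TunnelDataIn", "Sum", 900,
                "GreaterThanOrEqualToThreshold", 5_000_000, 1, 1)
LOW_OUT = Alarm("vpn-low-outbound", "TunnelDataOut", "Sum", 900,
                "LessThanThreshold", 1_000_000, 1, 1)


def evaluate_all() -> Dict[str, str]:
    """Evaluate every alarm against the constructed samples."""
    return {a.name: evaluate(a, s) for a, s in
            ((BOTH_DOWN, TUNNEL_STATE), (ANY_DOWN, TUNNEL_STATE),
             (HIGH_IN, DATA_IN), (LOW_OUT, DATA_OUT))}


if __name__ == "__main__":
    print(evaluate_all())  # placeholder VPN ID and topic ARN below are constructed
    print(BOTH_DOWN.put_metric_alarm_kwargs("vpn-0123456789abcdef0", "arn:aws:sns:REGION:ACCOUNT:vpn-alerts"))
```

With these samples the "both tunnels down" alarm stays OK because only two of the three 5-minute datapoints show the Maximum at 0, while the Minimum-based alarm goes to ALARM as soon as one tunnel has been down in each period; the inbound traffic alarm fires because 6,000,000 bytes exceed the 5,000,000 threshold, and the outbound alarm does not because 1,500,000 bytes are not below 1,000,000.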
Monitoring VPN connections using AWS Health events
The Personal Health Dashboard provides the following types of notifications for your VPN connections:
When a tunnel endpoint replacement is complete, AWS sends the Tunnel endpoint replacement
notification through a Personal Health Dashboard event.
Site-to-Site VPN resources
You can attach only one virtual private gateway to a VPC at a time. To connect the same Site-to-Site
VPN connection to multiple VPCs, we recommend that you explore using a transit gateway instead. For
more information, see Transit gateways in Amazon VPC Transit Gateways.
• Site-to-Site VPN connections per Region: 50
• Site-to-Site VPN connections per virtual private gateway: 10
Routes
• Dynamic routes advertised from a customer gateway device to a Site-to-Site VPN connection on a
virtual private gateway: 100
Advertised route sources include VPC routes, other VPN routes, and routes from AWS Direct Connect
virtual interfaces.
Advertised routes come from the route table that's associated with the VPN attachment.
This quota cannot be increased. For Site-to-Site VPN connections on a transit gateway, you can use
ECMP to get higher VPN bandwidth by aggregating multiple VPN tunnels. To use ECMP, the VPN
connection must be configured for dynamic routing. ECMP is not supported on VPN connections that
use static routing. For more information, see Transit gateways.
• Maximum packets per second (PPS) per VPN tunnel: 140,000
Maximum transmission unit (MTU)
Jumbo frames are not supported. For more information, see Jumbo frames in the Amazon EC2 User
Guide for Linux Instances.
• We recommend that you set the maximum segment size (MSS) on your customer gateway device to
1359 when using the SHA2-384 or SHA2-512 hashing algorithms.
Note
A Site-to-Site VPN connection does not support Path MTU Discovery.
For additional VPC quotas, see Amazon VPC quotas in the Amazon VPC User Guide.
Document history
The following table describes the AWS Site-to-Site VPN User Guide updates.
VPN tunnel initiation (August 27, 2020): You can configure your VPN tunnels so that AWS brings up the tunnels.

Modify VPN connection options (August 27, 2020): You can modify the connection options for your Site-to-Site VPN connection.

Additional security algorithms (August 14, 2020): You can apply additional security algorithms to your VPN tunnels.

IPv6 support (August 12, 2020): Your VPN tunnels can support IPv6 traffic inside the tunnels.

Merge AWS Site-to-Site VPN guides (March 31, 2020): This release merges the contents of the AWS Site-to-Site VPN Network Administrator Guide into this guide.

Modify AWS Site-to-Site VPN tunnel options (August 29, 2019): You can modify the options for a VPN tunnel in an AWS Site-to-Site VPN connection. You can also configure additional tunnel options.

AWS Certificate Manager Private Certificate Authority private certificate support (August 15, 2019): You can use a private certificate from AWS Certificate Manager Private Certificate Authority to authenticate your VPN.

New Site-to-Site VPN User Guide (p. 130) (December 18, 2018): This release separates the AWS Site-to-Site VPN (previously known as AWS Managed VPN) content from the Amazon VPC User Guide.

Modify the target gateway (December 18, 2018): You can modify the target gateway of an AWS Site-to-Site VPN connection.

VPN tunnel options (October 3, 2017): You can specify inside tunnel CIDR blocks and custom pre-shared keys for your VPN tunnels.

VPN enhancements (p. 130) (October 28, 2015): A VPN connection now supports the AES 256-bit encryption function, SHA-256 hashing function, NAT traversal, and additional Diffie-Hellman groups during Phase 1 and Phase 2 of a connection. In addition, you can now use the same customer gateway IP address for each VPN connection that uses the same customer gateway device.

VPN connections using static routing configuration (p. 130) (September 13, 2012): You can create IPsec VPN connections to Amazon VPC using static routing configurations. Previously, VPN connections required the use of the Border Gateway Protocol (BGP). We now support both types of connections and you can now establish connectivity from devices that do not support BGP, including Cisco ASA and Microsoft Windows Server 2008 R2.

AWS VPN CloudHub and redundant VPN connections (p. 130) (September 29, 2011): You can securely communicate from one site to another with or without a VPC. You can use redundant VPN connections to provide a fault-tolerant connection to your VPC.