TABLE OF CONTENTS
1. Introduction
2. Configuring AWS
3. Configuring the Firewall
4. Checking the connection status
5. Summary
6. CloudThat
8. Frequently Asked Questions
1. Introduction
A site-to-site VPN connects two networks, typically a cloud provider's network and an on-premises network, so that resources at different locations can talk to each other securely across the public internet. IPsec protects this traffic with key exchange, peer authentication, encryption and integrity protection, which is what makes the data transfer safe.
A site-to-site connection is long-lived: it stays up as long as both ends are configured. A remote-access VPN, by contrast, is brought up by an individual user to reach certain applications for the duration of a session.
Some benefits of an IPsec site-to-site VPN:
Reach cloud resources from the office, and on-premises resources from the cloud, through one encrypted tunnel
Use internal services such as network drives without exposing them to the internet
Control, through routing, exactly which networks are reachable across the tunnel
Today, I will detail the steps to connect an AWS Site-to-Site VPN to a third-party firewall and network environment. These steps cover the basics of connecting almost any local network to AWS; in this example I use a Sophos XG firewall.
Let's look at the steps required to connect an AWS VPN to a third-party network environment:
2. Configuring AWS
Create a custom VPC in the AWS console.
Create a customer gateway and give it a name. In our demo, routing is static. In the IP address field, enter the public IP address of your on-premises firewall. We are not selecting a certificate or a device; choose them if your setup requires it.
Create a virtual private gateway and attach it to your VPC.
Create a Site-to-Site VPN connection:
Enter a name for the connection.
Choose the virtual private gateway created earlier.
Choose the customer gateway created earlier.
Tunnel inside IP version: IPv4.
Local IPv4 network CIDR: the CIDR of your on-premises network.
Remote IPv4 network CIDR: the CIDR of your AWS VPC.
Because routing is static, also add your on-premises CIDR as a static route on the VPN connection, and make sure the VPC route table sends that CIDR to the virtual private gateway (add the route by hand or enable route propagation for the gateway); without it, the tunnel comes up but no traffic flows.
Download the configuration file. Choose the vendor and platform; pick Generic if your device is not listed. The file is plain text and contains the values you need on the on-premises firewall: the VPN connection ID, the virtual private gateway ID, the IKE version, the encryption and authentication algorithms, the DH group, the AWS tunnel endpoint addresses and the pre-shared key for each of the two IPsec tunnels, and more. Treat this file as a secret: it carries both pre-shared keys in clear text, so store it accordingly and delete it once the firewall is configured. The defaults in the generic file include legacy choices such as SHA-1 and DH group 2; if your firewall supports stronger proposals, restrict the tunnel options in AWS to those and configure the same ones on the firewall.
3. Configuring the Firewall
We used a Sophos XG firewall for our on-premises network. Log in to the firewall's admin console.
Navigate to Configure > VPN.
Sophos XG uses an IPsec policy to define the proposals for the connection.
In the policy, configure Phase 1 (IKE): the encryption and authentication methods, the DH group and the key lifetime.
Then configure Phase 2 (IPsec) in the same policy with the corresponding values.
Both phases must match what AWS offers exactly, or the negotiation fails; every value you need is in the configuration file downloaded in the previous section.
To connect to the AWS environment, add an IPsec connection to your network and give it a descriptive name.
Connection type: tunnel interface.
Policy: the policy created in the previous step.
Authentication type: pre-shared key, using the key for this tunnel from the configuration file.
Local ID: the public IP address of the on-premises firewall (the address you entered for the customer gateway in AWS).
Gateway address and Remote ID: the AWS tunnel endpoint (outside IP) address for this tunnel from the configuration file. The VPC CIDR of the custom VPC we created is the remote network that the tunnel carries; with a tunnel interface it is configured through routing, not as the IKE identity.
AWS provisions two tunnels for every connection. Repeat this step for the second tunnel with its own endpoint address and pre-shared key, so that AWS can fail over when one tunnel drops.
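The following is an added example, not code from the original post or from Sophos or AWS. It parses the per-tunnel parameters AWS hands out for the connection (the values the configuration file from the AWS section contains) and checks the Phase 1 and Phase 2 settings, the IKE identities and the pre-shared key you intend to enter on the firewall against them, so mismatches are caught before the tunnel is brought up. It assumes the XML layout of the CustomerGatewayConfiguration document that `aws ec2 describe-vpn-connections` returns (tag names as I recall them; verify against your own download, and note the downloaded text file carries the same values in a different layout). All IPs, IDs and keys are constructed placeholders, and the firewall dict is constructed to show a typical slip.

```python
"""Added example (not from the original post): parse the per-tunnel parameters
AWS publishes for a Site-to-Site VPN and check the Phase 1 / Phase 2 settings,
IKE identities and pre-shared key intended for the firewall against them.

Assumed layout: the CustomerGatewayConfiguration XML returned by
`aws ec2 describe-vpn-connections` (tag names as recalled; verify against a
real download). All IPs, IDs and pre-shared keys are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET


def _tunnel_xml(aws_ip: str, psk: str) -> str:
    """One <ipsec_tunnel> element with AWS's generic defaults (constructed)."""
    return f"""
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>{aws_ip}</ip_address></tunnel_outside_address>
    </vpn_gateway>
    <ike>
      <authentication_protocol>sha1</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>28800</lifetime>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <mode>main</mode>
      <pre_shared_key>{psk}</pre_shared_key>
    </ike>
    <ipsec>
      <protocol>esp</protocol>
      <authentication_protocol>hmac-sha1-96</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>3600</lifetime>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <mode>tunnel</mode>
    </ipsec>
  </ipsec_tunnel>"""


# AWS always provisions two tunnels, each with its own endpoint and PSK.
SAMPLE_CONFIG = ('<vpn_connection id="vpn-0123456789abcdef0">'
                 + _tunnel_xml("198.51.100.1", "EXAMPLE.PSK.tunnel1")
                 + _tunnel_xml("198.51.100.2", "EXAMPLE.PSK.tunnel2")
                 + "\n</vpn_connection>")

# AWS and firewall UIs label algorithms differently; fold both to one vocabulary.
_ALIASES = {"aes128cbc": "aes128", "aes256cbc": "aes256", "hmacsha196": "sha1",
            "hmacsha2256128": "sha256", "dh2": "group2", "dh14": "group14"}
LEGACY = {"sha1", "group2"}  # AWS generic defaults; prefer stronger tunnel options


def norm(value: str) -> str:
    key = re.sub(r"[^a-z0-9]", "", value.lower())
    return _ALIASES.get(key, key)


def parse_aws_config(xml_text: str) -> list:
    """Return one dict per <ipsec_tunnel> holding what the firewall must mirror."""
    tunnels = []
    for t in ET.fromstring(xml_text).findall("ipsec_tunnel"):
        ike, ipsec = t.find("ike"), t.find("ipsec")
        tunnels.append({
            "aws_outside_ip": t.findtext("vpn_gateway/tunnel_outside_address/ip_address"),
            "cgw_outside_ip": t.findtext("customer_gateway/tunnel_outside_address/ip_address"),
            "psk": ike.findtext("pre_shared_key"),
            "p1": {"enc": norm(ike.findtext("encryption_protocol")),
                   "auth": norm(ike.findtext("authentication_protocol")),
                   "dh": norm(ike.findtext("perfect_forward_secrecy")),
                   "lifetime": int(ike.findtext("lifetime"))},
            "p2": {"enc": norm(ipsec.findtext("encryption_protocol")),
                   "auth": norm(ipsec.findtext("authentication_protocol")),
                   "pfs": norm(ipsec.findtext("perfect_forward_secrecy")),
                   "lifetime": int(ipsec.findtext("lifetime"))},
        })
    return tunnels


def check_firewall_policy(tunnel: dict, fw: dict) -> list:
    """Compare firewall-side settings (as typed into the UI) with one AWS tunnel.
    Returns a list of findings; an empty list means everything matches."""
    findings = []
    # IKE identities: the firewall presents its public IP, AWS presents its outside IP.
    if fw["local_id"] != tunnel["cgw_outside_ip"]:
        findings.append(f"local ID {fw['local_id']} != customer gateway IP {tunnel['cgw_outside_ip']}")
    if fw["gateway"] != tunnel["aws_outside_ip"] or fw["remote_id"] != tunnel["aws_outside_ip"]:
        findings.append(f"gateway and remote ID must both be the AWS outside IP {tunnel['aws_outside_ip']}")
    if fw["psk"] != tunnel["psk"]:
        findings.append("pre-shared key differs from the one AWS generated for this tunnel")
    for phase in ("p1", "p2"):
        for field, want in tunnel[phase].items():
            got = fw[phase][field]
            got = norm(got) if isinstance(got, str) else got
            if got != want:
                findings.append(f"{phase} {field}: firewall {got!r} vs AWS {want!r}")
    weak = sorted({v for ph in ("p1", "p2") for v in tunnel[ph].values()
                   if isinstance(v, str) and v in LEGACY})
    if weak:
        findings.append(f"warning: legacy algorithms in use ({', '.join(weak)}); tighten AWS tunnel options")
    return findings


if __name__ == "__main__":
    tunnel1 = parse_aws_config(SAMPLE_CONFIG)[0]
    # Constructed firewall entry with a typical slip: Phase 1 DH group set to 14, not 2.
    firewall = {"local_id": "203.0.113.10", "gateway": "198.51.100.1", "remote_id": "198.51.100.1",
                "psk": "EXAMPLE.PSK.tunnel1",
                "p1": {"enc": "AES128", "auth": "SHA1", "dh": "DH14", "lifetime": 28800},
                "p2": {"enc": "AES128", "auth": "SHA1", "pfs": "DH2", "lifetime": 3600}}
    for finding in check_firewall_policy(tunnel1, firewall):
        print("-", finding)
```

Run it once per tunnel with the values you are about to enter in Sophos; a mismatched DH group or lifetime is the usual reason a tunnel sits in "DOWN" with no obvious error, and the legacy-algorithm warning is a reminder to tighten the tunnel options in AWS rather than accept the generic defaults.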
4. Checking the connection status
This completes the basic configuration of the VPN tunnel. Once both phases have negotiated, the connection status on the firewall changes to UP and running, and the same tunnel status is displayed in the AWS site-to-site VPN conne
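A green light on the firewall says one tunnel negotiated; it does not say that both tunnels are up or that AWS accepted the static route. As an added example (not code from the original post), the Python script below reads the JSON that `aws ec2 describe-vpn-connections --vpn-connection-ids <id>` returns, reports each tunnel's status from VgwTelemetry, flags a connection running on a single tunnel, and confirms the on-premises CIDR is present as an available route. The field names (VgwTelemetry, Status, StatusMessage, AcceptedRouteCount, Routes) are those of the EC2 API; the document embedded in the script is a constructed sample, not real output.

```python
"""Added example (not from the original post): confirm from the AWS side that a
Site-to-Site VPN is up on both tunnels and that the static route for the
on-premises network is accepted.

Assumption: input is the JSON from `aws ec2 describe-vpn-connections`
(EC2 API field names). SAMPLE_OUTPUT is a constructed sample, not real output.
"""
import json
import sys

SAMPLE_OUTPUT = json.dumps({
    "VpnConnections": [{
        "VpnConnectionId": "vpn-0123456789abcdef0",
        "State": "available",
        "Type": "ipsec.1",
        "Options": {"StaticRoutesOnly": True},
        "Routes": [{"DestinationCidrBlock": "192.168.10.0/24",
                    "Source": "Static", "State": "available"}],
        "VgwTelemetry": [
            {"OutsideIpAddress": "198.51.100.1", "Status": "UP", "AcceptedRouteCount": 1,
             "LastStatusChange": "2023-01-01T10:00:00+00:00", "StatusMessage": ""},
            {"OutsideIpAddress": "198.51.100.2", "Status": "DOWN", "AcceptedRouteCount": 0,
             "LastStatusChange": "2023-01-01T09:58:00+00:00", "StatusMessage": "IPSEC IS DOWN"},
        ],
    }]
})


def assess_vpn(describe_output: str, expected_onprem_cidr: str) -> dict:
    """Summarise tunnel health: per-tunnel status, number of tunnels up, and findings."""
    conn = json.loads(describe_output)["VpnConnections"][0]
    findings, tunnels = [], {}
    for tel in conn["VgwTelemetry"]:
        ip = tel["OutsideIpAddress"]
        tunnels[ip] = tel["Status"]
        if tel["Status"] != "UP":
            findings.append(f"tunnel {ip} is {tel['Status']}: {tel.get('StatusMessage') or 'no message'}")
        elif tel.get("AcceptedRouteCount", 0) == 0:
            # With static routing this means the route was never added to the connection.
            findings.append(f"tunnel {ip} is UP but carries no accepted routes")
    up = sum(1 for status in tunnels.values() if status == "UP")
    if up == 1:
        findings.append("only one of the two tunnels is UP: no redundancy")
    available = {r["DestinationCidrBlock"] for r in conn.get("Routes", [])
                 if r.get("State") == "available"}
    if expected_onprem_cidr not in available:
        findings.append(f"static route {expected_onprem_cidr} is missing or not available")
    return {"connection": conn["VpnConnectionId"], "state": conn["State"],
            "tunnels": tunnels, "tunnels_up": up, "findings": findings}


if __name__ == "__main__":
    # Usage: aws ec2 describe-vpn-connections --vpn-connection-ids vpn-... > out.json
    #        python3 check_vpn.py out.json 192.168.10.0/24
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    cidr = sys.argv[2] if len(sys.argv) > 2 else "192.168.10.0/24"
    report = assess_vpn(raw, cidr)
    print(f"{report['connection']} ({report['state']}): {report['tunnels_up']}/2 tunnels UP")
    for finding in report["findings"]:
        print("-", finding)
```

The redundancy finding is the one most often ignored: AWS maintains the second tunnel for failover and periodic endpoint maintenance, so a connection configured with a single Sophos tunnel works on day one and then drops when AWS fails over.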