Setup site-to-site tunnel with AWS Virtual Private Gateway

This article describes how to set up a VPN tunnel between a UTunnel server and AWS Virtual Private Gateway.

First, complete the configuration on the AWS side. Setting up a Virtual Private Gateway involves four steps:

  1. Create a customer gateway
  2. Create a virtual private gateway
  3. Create a site-to-site VPN connection
  4. Update the VPC route table

Creating a customer gateway: To get this done, log in to the AWS console and navigate to the Services > VPC page. Then click on the Customer Gateways menu under the VIRTUAL PRIVATE NETWORK section.

[Screenshot: Customer Gateways menu in the AWS VPC console]

Click on the Create customer gateway button at the top-right corner and fill out the form as shown below:

Name tag: A name for the customer gateway
BGP ASN: 65000 (any private ASN will do; BGP is not used with the static routing configured below, but the field is required)
IP address: Public IP address of the UTunnel VPN server, i.e. the address AWS will see as its IKE peer

[Screenshot: Create customer gateway form]

Leave the remaining fields at their defaults and click the Create customer gateway button at the bottom of the page.

Creating a virtual private gateway: Click on the Virtual private gateways menu on the left side.

[Screenshot: Virtual private gateways menu]

Click on the Create virtual private gateway button at the top-right corner and fill out the form as shown below:

Name tag: Give a desired name for the virtual private gateway
Autonomous System Number (ASN): Amazon default ASN

[Screenshot: Create virtual private gateway form]

Setting up the site-to-site VPN connection: Attach the newly created virtual private gateway to the VPC you want to reach across the tunnel. Select the virtual private gateway and navigate to Actions > Attach to VPC.

[Screenshot: Actions > Attach to VPC]

Select the VPC from the drop-down menu and attach it.

[Screenshot: Attach to VPC dialog]

Next, we can create the Site-to-site VPN connection. Click on the Site-to-site VPN connections menu on the left side pane.

[Screenshot: Site-to-site VPN connections menu]

Click on the Create VPN connection button at the top-right corner and fill out the form as shown below:

Name tag: A name for the VPN connection
Target gateway type: Virtual private gateway
Virtual private gateway: Select the virtual private gateway created above from the drop-down menu
Customer gateway: Existing
Customer gateway ID: Select the customer gateway created above from the drop-down menu
Routing options: Static
Static IP prefixes: The subnets behind the UTunnel server (these must match the "Subnets behind LOCAL" entered on the UTunnel side later)
Remote IPv4 network CIDR: The AWS VPC CIDR ("remote" here is from the customer gateway's point of view)

[Screenshots: Create VPN connection form, including the Remote IPv4 network CIDR field]

That completes the virtual private gateway setup.

Next, download the VPN configuration. We need to extract the remote gateway IP address and the pre-shared key from it for the UTunnel side. The file contains the pre-shared keys in clear text, so store it as you would any other credential and delete it once the tunnel is configured.

[Screenshot: Download configuration button on the VPN connection page]

Download the configuration for strongSwan with the selection shown below:

[Screenshot: Download configuration dialog with strongSwan selected]

Next, update the VPC route table. In every route table associated with subnets that should reach the UTunnel side, add a route for each subnet behind the UTunnel server with the virtual private gateway as the target (or enable route propagation on the route table). Also check that the security groups and network ACLs of the instances you want to reach allow traffic from those subnets; the tunnel itself does not open them.

UTunnel side configuration

Before starting the tunnel configuration, get the remote gateway IP address and the pre-shared key from the downloaded configuration file. The remote gateway address is the Virtual Private Gateway outside address, which is the second address listed for the tunnel (after the Customer Gateway address), as highlighted below. The file contains settings for two tunnels, a primary and a secondary. At this point, UTunnel supports only a single tunnel, so use the details of the first tunnel. AWS always provisions both tunnel endpoints; with only one configured there is no failover if that endpoint is taken down for maintenance.

[Screenshot: remote gateway IP address and pre-shared key highlighted in the configuration file]

Now, log in to your organization's dashboard, navigate to the Site-to-Site tab and click on the CREATE TUNNEL button. Fill out the form as shown below:

Type: TUNNEL WITH NON-UTUNNEL SERVER
Tunnel Name: A name for the tunnel
Local Server: The UTunnel server to build the tunnel with (the one whose public IP was entered as the AWS customer gateway)
Remote IP: The outside IP address of the AWS virtual private gateway for the first tunnel, taken from the downloaded configuration file
Enter PSK: The pre-shared key of the first tunnel, taken from the configuration file

[Screenshots: UTunnel create tunnel form and pre-shared key field]

Select the newly created tunnel to update it with local and remote subnets (encryption domains).

[Screenshot: local and remote subnet settings for the tunnel]

Subnets behind LOCAL: The subnets behind the UTunnel server; these must be the same prefixes entered as static IP prefixes on the AWS side
Subnets behind REMOTE: The VPC CIDR; it must not overlap with any local subnet, or traffic for the overlapping range cannot be routed through the tunnel
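As an added example, not part of the original article or of UTunnel's own tooling, the following Python script does the two manual checks from this article in code: it pulls the first tunnel's remote gateway address and pre-shared key out of the downloaded strongSwan configuration (the step under "UTunnel side configuration" above) and checks the local and remote subnets entered here for overlap. The embedded configuration is a constructed sample in the assumed shape of the AWS download, namely one "conn TunnelN" block per tunnel with leftid set to the customer gateway address and right set to the virtual private gateway outside address, followed by ipsec.secrets-style PSK lines; the real file carries many more fields, and the script only reads the lines used here. All addresses and keys are documentation values.

```python
"""Added example (not UTunnel's or AWS's code): extract tunnel parameters
from an AWS-generated strongSwan configuration and sanity-check the
encryption domains before entering them in the UTunnel form."""
import ipaddress
import re

# Constructed sample in the *assumed* layout of the AWS strongSwan download:
# leftid = customer gateway (UTunnel server) public IP, right = virtual
# private gateway outside IP, then ipsec.secrets lines pairing them with PSKs.
SAMPLE_CONFIG = """\
# IPSec Tunnel #1
conn Tunnel1
    auto=start
    leftid=203.0.113.10
    right=198.51.100.21
    leftauth=psk
    rightauth=psk
    keyexchange=ikev1
# IPSec Tunnel #2
conn Tunnel2
    auto=start
    leftid=203.0.113.10
    right=198.51.100.22
    leftauth=psk
    rightauth=psk
    keyexchange=ikev1
203.0.113.10 198.51.100.21 : PSK "tunnel1-psk-example"
203.0.113.10 198.51.100.22 : PSK "tunnel2-psk-example"
"""

# A conn block is "conn <name>" followed by indented key=value lines.
CONN_RE = re.compile(r"^conn\s+(\S+)\s*\n((?:[ \t]+.*\n?)*)", re.MULTILINE)
# ipsec.secrets line: <left-id> <right-id> : PSK "<key>"
SECRET_RE = re.compile(r'^(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"', re.MULTILINE)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")  # AWS tunnel *inside* addresses live here


def parse_tunnels(text):
    """Return {conn_name: {"local": cgw_ip, "remote": vgw_ip, "psk": key}}."""
    secrets = {(left, right): psk for left, right, psk in SECRET_RE.findall(text)}
    tunnels = {}
    for name, body in CONN_RE.findall(text):
        params = dict(
            line.strip().split("=", 1)
            for line in body.splitlines()
            if "=" in line and not line.strip().startswith("#")
        )
        local, remote = params.get("leftid"), params.get("right")
        if not (local and remote):
            continue
        tunnels[name] = {"local": local, "remote": remote, "psk": secrets.get((local, remote))}
    return tunnels


def utunnel_form_values(text, conn="Tunnel1"):
    """Values for the UTunnel create-tunnel form. UTunnel builds a single
    tunnel, so the first AWS tunnel is used by default."""
    tunnel = parse_tunnels(text)[conn]
    remote = ipaddress.ip_address(tunnel["remote"])
    # The VGW *outside* address is public; a 169.254.x.x or RFC 1918 value
    # means the inside address or the wrong line was copied from the file.
    if remote in LINK_LOCAL or any(remote in net for net in RFC1918):
        raise ValueError(f"{remote} is not a public gateway address")
    if not tunnel["psk"]:
        raise ValueError(f"no pre-shared key found for {conn}")
    return {"Remote IP": str(remote), "Enter PSK": tunnel["psk"]}


def _networks(cidrs, problems):
    nets = []
    for cidr in cidrs:
        try:
            nets.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            problems.append(f"{cidr!r} is not a valid CIDR")
    return nets


def check_encryption_domains(local_subnets, remote_subnets):
    """Problems with the 'Subnets behind LOCAL/REMOTE' entries; [] means OK.
    A local subnet overlapping a remote one cannot be routed through the
    tunnel, and a /0 on either side would pull all traffic into it."""
    problems = []
    local = _networks(local_subnets, problems)
    remote = _networks(remote_subnets, problems)
    for lnet in local:
        for rnet in remote:
            if lnet.overlaps(rnet):
                problems.append(f"local {lnet} overlaps remote {rnet}")
    for net in local + remote:
        if net.prefixlen == 0:
            problems.append(f"{net} would send all traffic into the tunnel")
    return problems


if __name__ == "__main__":
    print(utunnel_form_values(SAMPLE_CONFIG))
    print(check_encryption_domains(["192.168.10.0/24"], ["10.0.0.0/16"]))
    print(check_encryption_domains(["10.0.5.0/24"], ["10.0.0.0/16"]))
```

Run the script against the real download instead of SAMPLE_CONFIG (for example by reading the file into the text argument) to get the two form values for Tunnel1; the Tunnel2 entry is parsed as well so the same code can be reused once a second tunnel is configured. The public-address check exists because the AWS file also lists the 169.254.x.x tunnel inside addresses, which are easy to copy by mistake.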

We are all set! You can go ahead and start the tunnel now.
