Connect your AWS assets to Cato Cloud with Amazon Virtual Private Gateway

This article describes how to connect to AWS using a single non-redundant VPN connection. Though it's quick and simple, for production environments, we recommend you use dual tunnels with BGP for maximum redundancy.

This article covers the goal of connecting your AWS assets to Cato Cloud with Amazon Virtual Private Gateway for a single VPN connection with static routes.

1.png

Amazon Terminology:

Virtual Private Gateway

A virtual private gateway is the VPN endpoint on the Amazon side of the VPN connection.

Customer Gateway

A customer gateway is a physical device or software application on your side of the VPN connection. When you create a VPN connection, the VPN tunnel comes up when traffic is generated from your side of the VPN connection. The virtual private gateway is not the initiator; your customer gateway must initiate the tunnels. For more info aboutAmazon VPG (Virtual Private Gateway)

Step-by-Step configuration guide:

Let's say we have a working service (VPC, public subnet, Internet Gateway, etc.) on AWS under VPC 'Hen-GAOC-VPC' and we want to connect it through Cato Cloud.

1) In the Cato Management Application, go to Network > IP Allocation and either setup a new IP closest to the location of the AWS asset (you may also use an existing IP if already assigned). In this example, we've assigned another IP in Singapore:

 

360001837098-mceclip1.png

2) In AWS, navigate to VPC > Virtual Private Network (VPN) > Customer Gateways and create a Customer Gateway:

  • Name it as "Cato" + Cato IP location

  • IP address (enter the IP address which was assigned in the previous IP allocation section)

360001750917-mceclip2.png

3) Navigate to VPC > Virtual Private Network (VPN) > Virtual Private Gateways, create a Virtual Private Gateway and attach it to the VPC:

360001837318-mceclip3.png
360001837338-mceclip4.png
360001837358-mceclip5.png

4) Navigate to VPC > Virtual Private Network (VPN) > Site-to-Site VPN Connections and create a VPN Connection:

  • Choose the Virtual Private Gateway which was created in section 3

  • Choose the Customer Gateway which was created in section 2

  • Set the Routing Options to "Static"

  • In the Static IP Prefixes section, set the network behind the Customer Gateway, aka Cato (in the following example we are traversing all the traffic via Cato - common use case)

  • Tunnel options can be left blank (automatically generated by Amazon)

360001751137-mceclip6.png

5) Choose the VPN Connection we've just created and click on Download Configuration:

  • Choose vendor "Generic"

  • Download the configuration

360001751357-mceclip8.png

6) Open the configuration file and search for pre-shared key (we will need it soon):

360001751377-mceclip9.png

7) Navigate to VPC >Virtual Private Network (VPN) > Site-to-Site VPN Connections. Once the State is Available, check the Tunnel details in the lower lefthand corner of the page, and copy the Outside IP address of the Amazon Tunnel 1.

360001840538-mceclip11.png

8) In the Cato Management Application, go to Network > Sites and click New :

  • Choose the site type

  • Under Connection Type, choose IPsec IKEv1 (Cato-Initiated)

  • Select the relevant country

  • Configure the relevant VPC range in Native Range

360001840738-mceclip12.png

9) Once the site created, scroll down to the IPsec section:

  • Service Type: "AWS"

  • Set the Primary Source IP to the IP which we allocated before

  • Set the Primary Destination IP to the IP picked from section 7

  • Set the password which was picked from section 6
    Note: For IKEv2 tunnels, it is recommended to configure multiple active tunnels. For more information see Configure IPsec IKEv2 with Multiple Active Tunnels.

360001821057-mceclip0.png

10) Save and scroll down to Show connection details

  • The Status should show Connected.

11) In AWS, navigate to VPC > Route Tables. Choose VPC's Route Table, Route Propagation:

  • Edit the existing entry, enable Propagation, and save

360001912858-mceclip4.png

12) On the same Route Table, go to Routes and remove (if you have) the old Internet gateway 0.0.0.0 entry. This ensures that all the traffic traversed via Cato.

Was this article helpful?

11 out of 13 found this helpful

3 comments

Date Votes
  • Comment author
    Michael Saw Keeper of positive, active, and healthy conversations. Community moderator Only 42 of these badges will be awarded. They are reserved for people who have played a key role in helping build the Cato Community through their contributions! Community Pioneer

    "Cato-Initiated IPSec" is found under Services.

  • Comment author
    Neal Pandit

    I have found this very useful for VPC setup. 

  • Comment author
    Daniel Virkler

    It is imperative to identify and utilize the correct PSK when inserting into the Cato configuration.

    The AWS configuration that is downloaded has two separate PSKs, one for each tunnel. If you are familiar with Cisco or another specific vendor, downloading the configuration in that format is easier to read as it has the tunnel correlation inline with the required PSK. 

    Tunnel #1

    tunnel-group 3.209.164.154 type ipsec-l2l
    tunnel-group 3.209.164.154 ipsec-attributes
      ikev1 pre-shared-key <PSK HERE--32-Character & 3 cases>

    Tunnel #2

    tunnel-group 52.204.177.208 type ipsec-l2l
    tunnel-group 52.204.177.208 ipsec-attributes
      ikev1 pre-shared-key <PSK HERE--32-Character & 3 cases>