This article describes how to connect to AWS using a single, non-redundant VPN connection. It is quick and simple, but for production environments we recommend dual tunnels with BGP for maximum redundancy.
It covers connecting your AWS assets to the Cato Cloud through an Amazon Virtual Private Gateway, using a single VPN connection with static routes.
Amazon Terminology:
Virtual Private Gateway
A virtual private gateway is the VPN endpoint on the Amazon side of the VPN connection.
Customer Gateway
A customer gateway is a physical device or software application on your side of the VPN connection. When you create a VPN connection, the VPN tunnel comes up only when traffic is generated from your side: the virtual private gateway is not the initiator, so your customer gateway must initiate the tunnels. For more information, see the AWS documentation on the Virtual Private Gateway (VPG).
Step-by-Step configuration guide:
Let's say we have a working service (VPC, public subnet, Internet Gateway, etc.) on AWS under VPC 'Hen-GAOC-VPC' and we want to connect it through Cato Cloud.
1) In the Cato Management Application, go to Network > IP Allocation and allocate a new IP in the PoP closest to the AWS asset (an IP that is already assigned can also be used). In this example, we've assigned another IP in Singapore:
2) In AWS, navigate to VPC > Virtual Private Network (VPN) > Customer Gateways and create a Customer Gateway:
- Name: "Cato" followed by the location of the Cato IP
- IP address: the IP address assigned in step 1 (IP Allocation)
3) Navigate to VPC > Virtual Private Network (VPN) > Virtual Private Gateways, create a Virtual Private Gateway and attach it to the VPC:
4) Navigate to VPC > Virtual Private Network (VPN) > Site-to-Site VPN Connections and create a VPN Connection:
- Choose the Virtual Private Gateway created in step 3
- Choose the Customer Gateway created in step 2
- Set the Routing Options to "Static"
- In the Static IP Prefixes section, enter the network behind the Customer Gateway, i.e. the Cato side. In this example all traffic is sent via Cato (a common use case), so the prefix is 0.0.0.0/0
- Tunnel options can be left blank (Amazon generates them automatically, including the pre-shared keys)
5) Select the VPN Connection just created and click Download Configuration:
- Vendor: "Generic"
- Download the configuration file
6) Open the configuration file and search for the pre-shared key (we will need it soon). The file contains two pre-shared keys, one per tunnel; note which one belongs to Tunnel 1, because that is the tunnel used below. The keys are stored in plaintext, so handle the file as you would any other secret.
7) Navigate to VPC > Virtual Private Network (VPN) > Site-to-Site VPN Connections. Once the State is Available, open the Tunnel Details in the lower left of the page and copy the Outside IP address of Amazon's Tunnel 1.
8) In the Cato Management Application, go to Network > Sites and click New:
- Choose the site type
- Under Connection Type, choose IPsec IKEv1 (Cato-Initiated)
- Select the relevant country
- Under Native Range, configure the VPC's CIDR range
9) Once the site is created, scroll down to the IPsec section:
- Service Type: "AWS"
- Primary Source IP: the IP allocated in step 1
- Primary Destination IP: the Tunnel 1 Outside IP copied in step 7
- Password: the Tunnel 1 pre-shared key copied in step 6
10) Save and scroll down to Show connection details:
- The Status should show Connected.
11) In AWS, navigate to VPC > Route Tables. Select the VPC's route table and open the Route Propagation tab:
- Edit the existing entry, enable propagation for the Virtual Private Gateway, and save. The static prefix from step 4 is then propagated into the route table.
12) On the same route table, open the Routes tab and remove the old 0.0.0.0/0 route to the Internet Gateway, if present. AWS prefers a static route over a propagated route with the same destination, so while that route remains, the propagated default route toward the Virtual Private Gateway is not used. Removing it ensures that all traffic traverses Cato; instances in the VPC no longer reach the internet directly through the Internet Gateway and egress via Cato instead.
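The two places where this procedure goes wrong in practice are picking the wrong pre-shared key out of the downloaded file (steps 6 and 7) and leaving a static default route that shadows the propagated one (step 12). The following Python is an added example, not part of the original article or of Cato's or AWS's tooling: it parses a file in the shape of the "Generic" vendor download, pairs each tunnel's pre-shared key with its Amazon outside IP, produces the values to type into the Cato site form, and flags static routes that compete with routes propagated from the Virtual Private Gateway. The sample configuration text and the route list are constructed for the example (the IDs, the customer-side 203.0.113.10 address and the keys are made up; the two Amazon outside IPs are the ones quoted in the comments on this page), and the "Generic" file layout is modelled on AWS's download, so adjust the regular expressions if your file differs.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the layout of the AWS "Generic" vendor download.
SAMPLE_CONFIG = """\
Amazon Web Services
Virtual Private Cloud

VPN Connection Configuration
================================================================================
Your VPN Connection ID              : vpn-0123456789abcdef0
Your Virtual Private Gateway ID     : vgw-0123456789abcdef0
Your Customer Gateway ID            : cgw-0123456789abcdef0

IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : Tunnel1.ExampleKey_AbcdEFGH1234
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc

#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 3.209.164.154

Inside IP Addresses
  - Customer Gateway         : 169.254.10.2/30
  - Virtual Private Gateway  : 169.254.10.1/30

IPSec Tunnel #2
================================================================================
#1: Internet Key Exchange Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : Tunnel2.ExampleKey_wxyzWXYZ5678
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc

#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 52.204.177.208
"""

# AWS pre-shared key format: 8 to 64 characters, alphanumeric plus "." and "_",
# and it must not start with zero. A key that fails this was probably truncated
# or copied with stray whitespace.
_AWS_PSK = re.compile(r"^[1-9A-Za-z._][A-Za-z0-9._]{7,63}$")


def parse_generic_config(text: str) -> Dict[int, Dict[str, str]]:
    """Return {tunnel_number: {psk, cgw_outside_ip, vgw_outside_ip}} from a Generic config."""
    # Split the file on its "IPSec Tunnel #N" headings so each key stays with its tunnel.
    parts = re.split(r"^IPSec Tunnel #(\d+)\s*$", text, flags=re.M)
    tunnels: Dict[int, Dict[str, str]] = {}
    for num, body in zip(parts[1::2], parts[2::2]):
        psk = re.search(r"^\s*-\s*Pre-Shared Key\s*:\s*(\S+)", body, flags=re.M)
        # Only the "Outside IP Addresses" block holds the public tunnel endpoints;
        # the "Inside IP Addresses" block lists the 169.254.x.x link addresses.
        outside = re.search(
            r"Outside IP Addresses:\s*-\s*Customer Gateway\s*:\s*(\S+)"
            r"\s*-\s*Virtual Private Gateway\s*:\s*(\S+)", body)
        if not (psk and outside):
            raise ValueError(f"tunnel {num}: pre-shared key or outside addresses not found")
        tunnels[int(num)] = {"psk": psk.group(1),
                             "cgw_outside_ip": outside.group(1),
                             "vgw_outside_ip": outside.group(2)}
    return tunnels


def cato_site_values(tunnels: Dict[int, Dict[str, str]], allocated_cato_ip: str,
                     tunnel: int = 1) -> Dict[str, str]:
    """Values for the Cato IPsec section (step 9), taken from one tunnel (Tunnel 1 by default)."""
    t = tunnels[tunnel]
    # The Customer Gateway IP entered in AWS must be the IP allocated in Cato.
    if t["cgw_outside_ip"] != allocated_cato_ip:
        raise ValueError(f"AWS Customer Gateway IP {t['cgw_outside_ip']} != Cato IP {allocated_cato_ip}")
    if not _AWS_PSK.match(t["psk"]):
        raise ValueError("pre-shared key does not match the AWS format; check for truncation")
    return {"primary_source_ip": allocated_cato_ip,
            "primary_destination_ip": t["vgw_outside_ip"],
            "psk": t["psk"]}


# Constructed sample in the shape of the "Routes" list from `aws ec2 describe-route-tables`.
SAMPLE_ROUTES: List[dict] = [
    {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local",
     "Origin": "CreateRouteTable", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0",
     "Origin": "CreateRoute", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "vgw-0123456789abcdef0",
     "Origin": "EnableVgwRoutePropagation", "State": "active"},
]
SAMPLE_ROUTES_FIXED = [r for r in SAMPLE_ROUTES if not r["GatewayId"].startswith("igw-")]


def competing_static_routes(routes: List[dict]) -> List[dict]:
    """Step 12 check: static routes sharing a destination with a VGW-propagated route."""
    propagated = {r["DestinationCidrBlock"] for r in routes
                  if r.get("Origin") == "EnableVgwRoutePropagation"}
    return [r for r in routes
            if r.get("Origin") == "CreateRoute" and r.get("DestinationCidrBlock") in propagated]


if __name__ == "__main__":
    tunnels = parse_generic_config(SAMPLE_CONFIG)
    print("Cato site values:", cato_site_values(tunnels, "203.0.113.10"))
    for r in competing_static_routes(SAMPLE_ROUTES):
        print("static route shadows propagated route:", r["DestinationCidrBlock"], "->", r["GatewayId"])
```

Run it against the real download by reading the file into `parse_generic_config` and passing the IP from step 1 to `cato_site_values`; the `competing_static_routes` check takes the `Routes` list of the VPC's route table as returned by `aws ec2 describe-route-tables`, and an empty result after step 12 means no static route shadows the propagated default route.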
3 comments
"Cato-Initiated IPSec" is found under Services.
I have found this very useful for VPC setup.
It is imperative to identify and utilize the correct PSK when inserting into the Cato configuration.
The AWS configuration that is downloaded has two separate PSKs, one for each tunnel. If you are familiar with Cisco or another specific vendor, downloading the configuration in that format is easier to read as it has the tunnel correlation inline with the required PSK.
Tunnel #1
tunnel-group 3.209.164.154 type ipsec-l2l
tunnel-group 3.209.164.154 ipsec-attributes
ikev1 pre-shared-key <PSK HERE--32-Character & 3 cases>
Tunnel #2
tunnel-group 52.204.177.208 type ipsec-l2l
tunnel-group 52.204.177.208 ipsec-attributes
ikev1 pre-shared-key <PSK HERE--32-Character & 3 cases>