Connect your AWS assets to Cato Cloud with Amazon Virtual Private Gateway

!! March 1st, 2019 Update !! This article describes how to connect to AWS using a single non-redundant VPN connection. Though it's quick and simple, for production environments it's recommended to use dual tunnels with BGP for maximum redundancy.

This article covers the goal of connecting your AWS assets to Cato Cloud with Amazon Virtual Private Gateway for a single VPN connection with static routes.



Amazon Terminology:

Virtual Private Gateway

A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection.

Customer Gateway

A customer gateway is a physical device or software application on your side of the VPN connection. When you create a VPN connection, the VPN tunnel comes up when traffic is generated from your side of the VPN connection. The virtual private gateway is not the initiator; your customer gateway must initiate the tunnels. For more info about Amazon VPG (Virtual Private Gateway)

Step-by-Step configuration guide:

Let's say we have a working services (VPC, public subnet, Internet Gateway, etc.) on AWS under VPC 'Hen-GAOC-VPC' and we want to connect it through Cato Cloud.

1) Go to Cato Management > Configuration > Global Settings > IP Allocation and setup new IP by selecting the closest location to the AWS asset (you may also use an existing IP if already assigned):

In the example, we've assigned another IP in Singapore:


2) Go to AWS > VPN > Customer Gateways and create Customer Gateway:

  • Name it as "Cato" + Cato IP location
  • Choose routing "Static"
  • IP address (enter the IP address which was assigned in the previous IP allocation section)


3) Go to AWS > VPN > Virtual Private Gateways and create Virtual Private Gateway and attach it to the VPC:




4) Go to AWS > VPN > Site-to-Site VPN Connections and create new VPN Connection:

  • Choose the Virtual Private Gateway which was created on section 3
  • Choose the Customer Gateway which was created on section 2
  • Set the Routing Options to "Static"
  • In the Static IP Prefixes section, set the network behind the Customer Gateway, aka Cato (in the following example we are traversing all the traffic via Cato - common use case)
  • Tunnel options can be left blank (automatically generated by Amazon)



5) Choose the VPN Connection we've just created and click on Download Configuration:

  • Choose vendor "Generic"
  • Download the configuration




6) Open the configuration file and search for the pre-shared key (we will need it soon):


7) Go back to AWS > VPN > Site-to-Site VPN Connections and watch the VPN connection which was created. Refresh it till the state show 'available'


Once it's ready, check the Tunnel Details. Copy one of the Amazon outside IPs


8) Go to Cato Management > Configuration > Sites create new site:

  • Choose the site type
  • Choose "IPsec IKEv1 (Cato-Initiated)"
  • Select the relevant country
  • Configure the relevant VPC range under in Native Range



9) Once the site created, scroll down to the IPsec section:

  • Service Type: "AWS"
  • Set the Primary Source IP to the IP which we allocated before
  • Set the Primary Destination IP to the IP picked from section 7
  • Set the password which was picked from section 6

10) Save and scroll down to Show connection details

  • The expected state is connected 'True'.



11) Go to AWS > VPC > Route Tables. Choose VPC's Route Table, Route Propagation:

  • Edit the existing entry, select "Propagate" and save



12) On the same Route Table, go to Routes and remove (if you have) the old Internet gateway entry. This would make sure that all the traffic traversed via Cato.

Was this article helpful?


  • Comment author
    Michael Saw

    "Cato-Initiated IPSec" is found under Services.

  • Comment author
    Neal Pandit

    I have found this very useful for VPC setup. 

  • Comment author
    Daniel Virkler

    It is imperative to identify and utilize the correct PSK when inserting into the Cato configuration.

    The AWS configuration that is downloaded has two separate PSKs, one for each tunnel. If you are familiar with Cisco or another specific vendor, downloading the configuration in that format is easier to read as it has the tunnel correlation inline with the required PSK. 

    Tunnel #1

    tunnel-group type ipsec-l2l
    tunnel-group ipsec-attributes
      ikev1 pre-shared-key <PSK HERE--32-Character & 3 cases>

    Tunnel #2

    tunnel-group type ipsec-l2l
    tunnel-group ipsec-attributes
      ikev1 pre-shared-key <PSK HERE--32-Character & 3 cases>

Add your comment