Redundant VPN Connection to AWS Using BGP

Following the original article on connecting your AWS assets to Cato, the article below elaborates on the extended BGP functionality. BGP functionality allows having a redundant VPN connection to AWS cloud in order to assure maximum redundancy.

Configuring BGP with AWS

This procedures explains how to set up an IKEv1 or IKEv2 site that uses BGP to connect to AWS.

  1. Ensure you have at least 2 Public IP addresses in the Cato Management Application (Network > IP Allocation):

  2. In AWS, create a Virtual Private Gateway:

  3. Then, navigate to the Your VPN Dashboard > Create VPC. From here create your new VPC:

  4. Then, navigate to the Customer Gateways. Create a 2 Customer Gateways using the new IP address allocated above (in the same AWS region):

    a. Name - needs to recognizable to you.

    b. IP Address - these are Public IP address that you have been allocated in the Cato Management Application.

    c. VPC - for each customer Gateway you will need to ensure you select the same VPC.

  5. Then, navigate to 'Site-To-Site VPN Connections' and create 2 VPN Connections (1 to each of the new Customer Gateways you have just created):

    a.Name Tag - Descriptive Name

    b. Customer Gateway - Here select one of the Customer Gateways you created

    c.Routing Option - Select Dynamic (BGP)

    d.Tunnel Options - You stipulate the Tunnel IP's if required but if left as default AWS will use 169.x.x.x range.


    Note: AWS uses the Tunnel IP to create the BGP peer with Cato over the IPsec tunnel.

  6. Click on Download Configuration for each of the new VPN Connections you have just set up:

  7. Within this file get the following information to help set up the Cato Management Application:

    a. Pre-Shared Key

    b. BGP Configuration (Private IP Address and ASN)

  8. Now within the Cato Management Application, navigate to the Site you want to set up IPsec/BGP...

    a. The set up here is exactly the same as you would for a standard IPsec site except you need to add the private IP address's that you have in the AWS configuration you downloaded earlier.
         Example of IKEv1 site:

        Example of IKEv2 site:

    b. Next, in the BGP section, enter the following:

    i. ASN's

    ii. Private IP's

    iii. Routing Information


    Note: The tunnel with the lower Metric will be the preferred route.

  9. To check the status of the BGP connection select Show BGP Status.

  10. To check in AWS, navigate to Site-to-Site Connection > Select your VPC connection > Tunnel Details. From here you can see if the VPN connection is and if BGP routes have been propagated to AWS.

  11. Note: If you want to see what routes have been publish to the AWS site go to Route Table > Find Your Routing Table > Select Routes.


Testing BGP Failover

Although Amazon does not support failover test within AWS platform, BGP failover test can be done using the Cato Management Application:

  1. From behind a Socket site or connecting with the Cato Client, ping a host within the AWS environment.

  2. In the Cato Management Application, go to the IPsec site with BGP.

  3. Change the IP address to create a failover:

    Make sure that you save the original IP address, you need it after the test is completed.

    1. In the BGP section, for the primary connection, change the Cato or Neighbor's IP address:

    2. In the IPsec section, change the Private IPs for Cato or Neighbor to the same IP address in the previous step.

    3. Click Save.

  4. The pings start to drop and then the connection fails over and you see that the BGP failover is working correctly.

  5. To fail back to the primary link, change the BGP and IPsec IP address back to the original settings, After a few dropped pings the connection falls back to the primary connection.

Was this article helpful?

1 out of 1 found this helpful

1 comment

  • Comment author
    Yaakov Simon

    Updated article to include IKEv2 sites

Add your comment