Cato Networks Knowledge Base

Setting up a Cato-Initiated IPsec to Your AWS Transit Gateway

  • Updated

Overview

The AWS Transit Gateway provides full-mesh VPC interconnectivity and allows you to access all your Virtual Private Clouds (VPCs) with a single VPN connection. You can setup primary and secondary Cato-initiated IPsec tunnels to your AWS Transit Gateway with BGP to provide robust high availability. Cato influences the BGP route metrics so that the primary tunnel is always the preferred pathway, and if it becomes disconnected, traffic is immediately routed over the secondary tunnel.

Note: ECMP is not supported by Cato and should be disabled if creating a new AWS Transit Gateway.

360002843337-image-0.png

Term

Description

Virtual Private Gateway

The VPN concentrator on the Amazon side of the VPN connection.

Customer Gateway

A physical device or software application on your side of the VPN connection. When you create a VPN connection, the VPN tunnel comes up when traffic is generated from your side of the VPN connection. The virtual private gateway is not the initiator; your customer gateway must initiate the tunnels. In this context, the Cato PoP is the Customer Gateway.

Creating the Primary Tunnel between the Transit Gateway and your PoP

In the following procedure, we will connect through the Cato Cloud to the AWS Transit Gateway.

To create a tunnel between the Transit Gateway and your PoP through the Cato Cloud:

  1. In the Cato Management Application, select a Cato allocated IP address for the site.

    1. From the navigation menu, click Network > IP Allocation.

      IP_Allocation.png
    2. Select a location. A unique IP is allocated by Cato Networks.

      The number of unique IPs that you can obtain is determined by your license. For additional IPs, contact your reseller or sales@catonetworks.com.

    3. Click Save.

  2. In the AWS console, create the Transit Gateway Attachment.

    1. Open the VPC service, then in the navigation pane scroll down to Transit Gateways and click Transit Gateway Attachments.

    2. Click Create Transit Gateway Attachment.

      360002843357-image-3.png
    3. Configure the Transit Gateway Attachment as follows:

      • Transit Gateway ID: select the Transit Gateway you want to connect to Cato.

      • Attachment type: VPN

      • Customer Gateway: New

      • IP Address: enter the Cato allocated IP address (from above).

      • BGP ASN: 64515

      • Routing options: Dynamic (requires BGP)

        360002923618-image-4.png
    4. Click Create attachment.

    5. Click Close.

  3. Create a VPN connection and download the configuration file.

    1. In the VPC navigation pane, scroll up to Virtual Private Network (VPN) and click Site-to-Site VPN Connections.

    2. Select the checkbox of the VPN Connection that was created in the previous step and click Download Configuration.

      360002923638-image-5.png
    3. Configure the settings as follows:

      • Vendor: Generic

      • Platform: Generic

      • Software: Vendor Agnostic

        360002843397-image-6.png
    4. Click Download.

    5. Open the downloaded file and note the following items under the IPsec Tunnel #1 section:

      • Pre-Shared Key

        360002843377-image-7.png
      • Outside IP Addresses- Virtual Private Gateway

        360002923678-image-8.png
      • Inside IP Addresses - Customer Gateway and Virtual Private Gateway

        360002843417-image-9.png
      • BGP Configuration Options - Virtual Private Gateway ASN and Neighbor IP Address

        360002923658-image-10.png
  4. In the Cato Management Application, create and configure the IPsec site.

    1. From the navigation menu, click Network > Sites and click New.

      The Add Site panel opens,

    2. Configure the site settings as follows:

      • Name: AWS TGW (example)

      • Type: Cloud Data Center

      • Connection Type: IPsec IKEv1 (Cato-Initiated)

      • Country: The country in which the configured site is located.

      • State: The state if the country is the United States.

      • License: Select the appropriate license.

      • Native Range: Any one of your AWS VPC subnets.

        360002843437-image-13.png
    3. Click Apply, and then click Save.

    4. From the Sites screen, click the new AWS site.

    5. From the navigation menu, click Site Configuration > IPsec and in the General section, select AWS.

    6. Expand the Primary section, and configure the following settings:

      • Service Type: AWS

      • Primary Source (Egress) IP: the unique IP address allocated in step 3 above.

      • Site IP: the Virtual Private Gateway Outside IP Address from the AWS configuration file.

      • Bandwidth (Downstream and Upstream): the bandwidth according to the site license.

      • Private IPs

        • Site: the Virtual Private Gateway Inside IP Address from the AWS configuration file.

        • Cato: the Customer Gateway Inside IP Address from the AWS configuration file.

      • Set/Change Primary Password: the Pre-Shared Key from the AWS configuration file

        360002923758-image-14.png
    7. Click Save.

  5. Configure the BGP settings for the site.

    In the Configuration panel, click BGP, click (Add BGP Neighbor), and then define the following parameters:

    1. From the navigation menu, select Site Configuration > BGP.

    2. Click New. The Add Rule panel opens.

    3. Configure the General settings:

      • Description: AWS TWG #1 (example)

      • ASN Settings

        • Peer: the Virtual Private Gateway ASN from the AWS configuration file

        • Cato: ASN for the Cato Cloud

      • IP > Peer: The Neighbor IP address from the AWS configuration file

    4. Configure the Policy settings for the BGP routes:

      • Select the options for the routes that you want to advertise (Default route and/or All routes) and the routes that you want to accept (Dynamic routes).

      Add_BGP_Rule.png
    5. Click Apply, and then click Save.

  6. Confirm the connectivity status of the IPsec tunnel and the BGP routes are Connected.

    1. From the navigation pane, select IPsec and then click Connection Status.

    2. From the navigation pane, select BGP and then click Show BGP Status.

      Note: Cato routes propagate to the AWS Transit Gateway routing table but not the VPC routing tables. Create routes back to your on-premises networks in each VPC using the Transit Gateway as the target as shown in the procedure below.

  7. In your AWS console, in the Navigation pane scroll to Virtual Private Cloud and click Route Tables.

  8. Select a route table associate with a VPC you want to access through the Transit Gateway, click the Routes tab, and then click Edit Routes.

    360002923778-image-18.png
  9. Click Add route, and then configure the settings as follows:

    • Destination: enter a subnet of your local network. This can be a summary route.

    • Target: Select the Transit Gateway.

      360002923798-image-19.png
  10. Repeat the previous step to create routes for all your local networks that need access to the VPC.

  11. Click Save routes.

  12. Repeat steps 8 - 11 for each VPC that you need to access through the Transit Gateway.

Creating the Redundant Tunnel between the Transit Gateway and the Cato PoP

When setting up an AWS VPN connection, AWS provides two VPN tunnels per ustomer Gateway. While this provides redundancy on the AWS side, it does not provide redundancy on the Cato Cloud side, since both tunnels must be connected to the same PoP.

To provide redundancy for both the Cato Cloud and AWS, you must create two Customer Gateways in AWS, then define one tunnel from one Customer Gateway for the primary tunnel and one tunnel from the other Customer Gateway for the secondary tunnel. This allows you to configure the primary and secondary tunnels on PoPs in different locations.

The following procedure describes how to configure a secondary tunnel in both AWS Console and the Cato Management Application.

Note

Note: This procedure assumes that in the Cato Management Application you already configured one tunnel to the AWS Transit Gateway, as described in Creating the Primary Tunnel between the Transit Gateway and your POP.

To create a redundant tunnel between the Transit Gateway and your PoP through the Cato Cloud:

  1. In the Cato Management Application, select a Cato allocated IP address for the site.

    1. From the navigation menu, click Network > IP Allocation.

      IP_Allocation.png
    2. Select a location. A unique IP is allocated by Cato Networks.

      The number of unique IPs that you can obtain is determined by your license. For additional IPs, contact your reseller or sales@catonetworks.com.

    3. Click Save.

  2. In the AWS console, create the Transit Gateway Attachment.

    1. Open the VPC service, then in the navigation pane scroll down to Transit Gateways and click Transit Gateway Attachments.

    2. Click Create Transit Gateway Attachment.

    3. Configure the Transit Gateway Attachment as follows:

      • Transit Gateway ID: select the Transit Gateway you want to connect to Cato.

      • Attachment type: VPN

      • Customer Gateway: New

      • IP Address: enter the Cato allocated IP address (from above).

      • BGP ASN: 64515

      • Routing options: Dynamic (requires BGP)

        360002923618-image-4.png
    4. Click Create attachment.

    5. Click Close.

  3. Create a VPN connection and download the configuration file.

    1. In the VPC navigation pane, scroll up to Virtual Private Network (VPN) and click Site-to-Site VPN Connections.

    2. Select the checkbox of the VPN Connection that was created in the previous step and click Download Configuration.

      360002923878-image-21.png
    3. Configure the settings as follows:

      • Vendor: Generic

      • Platform: Generic

      • Software: Vendor Agnostic

        360002843397-image-6.png
    4. Click Download.

    5. Open the downloaded file and note the following items under the IPsec Tunnel #1 section:

      • Pre-Shared Key

        360002843377-image-7.png
      • Outside IP Addresses- Virtual Private Gateway

        360002923678-image-8.png
      • Inside IP Addresses - Customer Gateway and Virtual Private Gateway

        360002843417-image-9.png
      • BGP Configuration Options - Virtual Private Gateway ASN and Neighbor IP Address

        360002923658-image-10.png
  4. In the Cato Management Application, configure the AWS Transit Gateway IPsec site for redundant tunnels.

    1. From the navigation menu, click Network > Sites and click the AWS Transit Gateway IPsec site.

    2. From the navigation menu, click Site Configuration > IPsec and in the General section, select AWS.

    3. Expand the Secondary section and configure the following settings:

      • Primary Source (Egress) IP: the unique IP address allocated by Cato.

      • Site IP: the Virtual Private Gateway Outside IP Address from the AWS configuration file.

      • Bandwidth (Downstream and Upstream): the bandwidth according to the site license.

      • Private IPs

        • Site: the Virtual Private Gateway Inside IP Address from the AWS configuration file.

        • Cato: the Customer Gateway Inside IP Address from the AWS configuration file.

      • Set/Change Primary Password: the Pre-Shared Key from the AWS configuration file

        AWS_IPsec_Secondary.png
    4. Click Save.

  5. Configure the BGP settings for the for the redundant tunnel for the site.

    1. From the navigation menu, select Site Configuration > BGP.

    2. Click New. The Add Rule panel opens.

    3. Configure the General settings:

      • Description: AWS TWG #2 (example)

      • ASN Settings

        • Peer: the Virtual Private Gateway ASN from the AWS configuration file

        • Cato: ASN for the Cato Cloud

      • IP > Peer: The Neighbor IP address from the AWS configuration file

    4. Configure the Policy settings for the BGP routes:

      • Select the options for the routes that you want to advertise (Default route and/or All routes) and the routes that you want to accept (Dynamic routes).

    5. Click Apply, and then click Save.

      AWS_TWG_2_BGP_Rules.png
  6. Confirm the connectivity status of the IPsec tunnel and the BGP routes are Connected.

    1. From the navigation pane, select IPsec and then click Connection Status.

    2. From the navigation pane, select BGP and then click Show BGP Status and check status of the secondary tunnel.

      Note: Cato routes propagate to the AWS Transit Gateway routing table but not the VPC routing tables. Create routes back to your on-premises networks in each VPC using the Transit Gateway as the target as shown in the procedure below.

Was this article helpful?

2 out of 2 found this helpful

Comments

0 comments

Please sign in to leave a comment.