Barracuda CloudGen Firewall

Attention

Barracuda CloudGen Firewall version 8.0 is a cloud-only version. It is currently not available for on-premises deployments and can only be deployed in Microsoft Azure, Amazon Web Services, or Google Cloud Platform public clouds.

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP


If you are using the Amazon Virtual Private Cloud, you can transparently extend your local network to the cloud by connecting the private networks through a site-to-site IKEv1 IPsec VPN tunnel. The Amazon virtual private gateway uses two parallel IKEv1 IPsec tunnels to ensure constant connectivity. The subnets behind the VPN Gateway are propagated via BGP.

Additional Amazon AWS charges apply. For more information, see Amazon's monthly pricing calculator at http://calculator.s3.amazonaws.com/calc5.html.

Amazon_VPN_Gateway.png

Before You Begin

  • Create an Amazon Virtual Private Cloud (VPC).

    The local and remote (VPC) subnets must not overlap. E.g., if your local network is 10.0.1.0/24, do not use 10.0.0.0/16 for your VPC.

  • Create at least one subnet in the VPC.
  • Create and configure the Amazon Routing Table.

Step 1 - Create the Amazon VPN Gateway

Step 1.1 - Create a Virtual Private Gateway

The Amazon virtual private gateway is the VPN concentrator on the remote side of the IPsec VPN connection.

  1. Go to the Amazon VPC Management Console.
  2. In the left menu, click Virtual Private Gateways.
  3. Click Create Virtual Private Gateway.
  4. Enter the Name tag for the VPN gateway (e.g., Campus Virtual Private Gateway).
  5. Click Create Virtual Private Gateway.
  6. Select the newly created virtual private gateway, click Actions and select Attach to VPC.
  7. Select your VPC from the VPC list, and click Yes, Attach.

The virtual private gateway is now available.

IPsecAWS01.png

Step 1.2 - Add Your Customer Gateway Configuration

The Amazon customer gateway is your Barracuda CloudGen Firewall on your end of the VPN connection. Specify your external IP address and routing type in the customer gateway configuration:

  1. Go to the Amazon VPC Management Console.
  2. In the left menu, click Customer Gateways. 
  3. Click Create Customer Gateway.
  4. Enter the connection information for your firewall: 
    • Name – Enter a name for your device (e.g., My Barracuda CloudGen Firewall).
    • Routing – Select Dynamic.
    • BGP ASN – Enter your BGP ASN number.
    • IP Address – Enter your external IP address. To look up your external IP address, go to CONTROL > Network.
      IPsecAWS02.png
  5. Click Create Customer Gateway.

Your firewall is now registered in the AWS cloud and you can configure VPN connections.

Step 1.3 - Create a VPN Connection

Create a VPN connection between the customer gateway (your CloudGen Firewall) and the Amazon virtual private gateway that you just created. Then download the VPN configuration file that contains all the information necessary for configuring the VPN connection on the firewall.

The Amazon VPN configuration file is different for every VPN connection.

  1. Go to the Amazon VPC Management Console.
  2. In the left menu, click Site-to-Site VPN Connections. 
  3. Click Create VPN Connection. 
  4. In the Create VPN Connection window, enter the configuration information for your VPN connection:
    • Name tag – Enter a name for your VPN connection (e.g., CGF2AWSCloud).
    • Virtual Private Gateway – Select the virtual private gateway created in Step 1.
    • Customer Gateway – Select the customer gateway created in Step 1.
    • Routing Options – Select Dynamic (requires BGP).
      IPsecAWS04.png
  5. Click Create VPN Connection.
  6. Once the connection is available in AWS, click Download Configuration.
  7. Select generic vendor and platform settings for the configuration file: 
    • Vendor – Select Generic.
    • Platform – Select Generic.
    • Software – Select Vendor Agnostic.
      IPsecAWS05.png
  8. Click Download, and save the vpn-<YOUR-VPC-ID>.txt file. The configuration file contains all required information to configure each VPN tunnel and the respective BGP routing options on your CloudGen Firewall.

    Amazon Web Services
    Virtual Private Cloud
    VPN Connection Configuration
    ================================================================================
    AWS utilizes unique identifiers to manipulate the configuration of 
    a VPN Connection. Each VPN Connection is assigned a VPN Connection Identifier 
    and is associated with two other identifiers, namely the 
    Customer Gateway Identifier and the Virtual Private Gateway Identifier.
    Your VPN Connection ID		         : vpn-0ecaaf229f6f6ac19
    Your Virtual Private Gateway ID          : vgw-0ff8e8f1dfda22155
    Your Customer Gateway ID    		 : cgw-02b3f3b1bc6bc80f2
    		
    A VPN Connection consists of a pair of IPSec tunnel security associations (SAs). 
    It is important that both tunnel security associations be configured. 
    				
    IPSec Tunnel #1
    ================================================================================
    #1: Internet Key Exchange Configuration
    		
    Configure the IKE SA as follows:
    Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
    Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
    You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
    Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
    The address of the external interface for your customer gateway must be a static address.
    Your customer gateway may reside behind a device performing network address translation (NAT).
    To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall !rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
      - IKE version              : IKEv1 
      - Authentication Method    : Pre-Shared Key 
      - Pre-Shared Key           : dRdvabnwIMIZfQiT0kVELqow8HFi50f4
      - Authentication Algorithm : sha1
      - Encryption Algorithm     : aes-128-cbc
      - Lifetime                 : 28800 seconds
      - Phase 1 Negotiation Mode : main
      - Diffie-Hellman           : Group 2
    #2: IPSec Configuration
    Configure the IPSec SA as follows:
    Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
    Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
    Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
      - Protocol                 : esp
      - Authentication Algorithm : hmac-sha1-96
      - Encryption Algorithm     : aes-128-cbc
      - Lifetime                 : 3600 seconds
      - Mode                     : tunnel
      - Perfect Forward Secrecy  : Diffie-Hellman Group 2
    	
    IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
    recommend configuring DPD on your endpoint as follows:
      - DPD Interval             : 10
      - DPD Retries              : 3
    IPSec ESP (Encapsulating Security Payload) inserts additional
    headers to transmit packets. These headers require additional space, 
    which reduces the amount of space available to transmit application data.
    To limit the impact of this behavior, we recommend the following 
    configuration on your Customer Gateway:
      - TCP MSS Adjustment       : 1379 bytes
      - Clear Don't Fragment Bit : enabled
      - Fragmentation            : Before encryption
    #3: Tunnel Interface Configuration
    Your Customer Gateway must be configured with a tunnel interface that is
    associated with the IPSec tunnel. All traffic transmitted to the tunnel
    interface is encrypted and transmitted to the Virtual Private Gateway.
    The Customer Gateway and Virtual Private Gateway each have two addresses that relate
    to this IPSec tunnel. Each contains an outside address, upon which encrypted
    traffic is exchanged. Each also contain an inside address associated with
    the tunnel interface.
     
    The Customer Gateway outside IP address was provided when the Customer Gateway
    was created. Changing the IP address requires the creation of a new
    Customer Gateway.
    The Customer Gateway inside IP address should be configured on your tunnel
    interface. 
    Outside IP Addresses:
      - Customer Gateway 		        : 54.229.1.87 
      - Virtual Private Gateway	        : 18.194.201.195
    		
    Inside IP Addresses
      - Customer Gateway         		: 169.254.41.130/30
      - Virtual Private Gateway             : 169.254.41.129/30
    Configure your tunnel to fragment at the optimal size:
      - Tunnel interface MTU     : 1436 bytes
        
    #4: Border Gateway Protocol (BGP) Configuration:
    The Border Gateway Protocol (BGPv4) is used within the tunnel, between the inside
    IP addresses, to exchange routes from the VPC to your home network. Each
    BGP router has an Autonomous System Number (ASN). Your ASN was provided 
    to AWS when the Customer Gateway was created.
    BGP Configuration Options:
      - Customer Gateway ASN	          : 64555 
      - Virtual Private  Gateway ASN          : 64512
      - Neighbor IP Address     		  : 169.254.41.129
      - Neighbor Hold Time       : 30
    Configure BGP to announce routes to the Virtual Private Gateway. The gateway
    will announce prefixes to your customer gateway based upon the prefix you 
    assigned to the VPC at creation time.
    				
    IPSec Tunnel #2
    ================================================================================
    #1: Internet Key Exchange Configuration
    		
    Configure the IKE SA as follows:
    Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2.
    Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
    You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24.
    Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
    The address of the external interface for your customer gateway must be a static address.
    Your customer gateway may reside behind a device performing network address translation (NAT).
    To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall !rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T.
      - IKE version              : IKEv1 
      - Authentication Method    : Pre-Shared Key 
      - Pre-Shared Key           : ZTis8pZYWY6NuXcPhKN3JArCpz.b.YC1
      - Authentication Algorithm : sha1
      - Encryption Algorithm     : aes-128-cbc
      - Lifetime                 : 28800 seconds
      - Phase 1 Negotiation Mode : main
      - Diffie-Hellman           : Group 2
    #2: IPSec Configuration
    Configure the IPSec SA as follows:
    Category "VPN" connections in the GovCloud region have a minimum requirement of AES128, SHA2, and DH Group 14.
    Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
    Higher parameters are only available for VPNs of category "VPN," and not for "VPN-Classic".
      - Protocol                 : esp
      - Authentication Algorithm : hmac-sha1-96
      - Encryption Algorithm     : aes-128-cbc
      - Lifetime                 : 3600 seconds
      - Mode                     : tunnel
      - Perfect Forward Secrecy  : Diffie-Hellman Group 2
    	
    IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We
    recommend configuring DPD on your endpoint as follows:
      - DPD Interval             : 10
      - DPD Retries              : 3
    IPSec ESP (Encapsulating Security Payload) inserts additional
    headers to transmit packets. These headers require additional space, 
    which reduces the amount of space available to transmit application data.
    To limit the impact of this behavior, we recommend the following 
    configuration on your Customer Gateway:
      - TCP MSS Adjustment       : 1379 bytes
      - Clear Don't Fragment Bit : enabled
      - Fragmentation            : Before encryption
    #3: Tunnel Interface Configuration
    Your Customer Gateway must be configured with a tunnel interface that is
    associated with the IPSec tunnel. All traffic transmitted to the tunnel
    interface is encrypted and transmitted to the Virtual Private Gateway.
    The Customer Gateway and Virtual Private Gateway each have two addresses that relate
    to this IPSec tunnel. Each contains an outside address, upon which encrypted
    traffic is exchanged. Each also contain an inside address associated with
    the tunnel interface.
     
    The Customer Gateway outside IP address was provided when the Customer Gateway
    was created. Changing the IP address requires the creation of a new
    Customer Gateway.
    The Customer Gateway inside IP address should be configured on your tunnel
    interface. 
    Outside IP Addresses:
      - Customer Gateway 		        : 54.229.1.87 
      - Virtual Private Gateway	        : 52.59.31.229
    		
    Inside IP Addresses
      - Customer Gateway         		: 169.254.40.206/30
      - Virtual Private Gateway             : 169.254.40.205/30
    Configure your tunnel to fragment at the optimal size:
      - Tunnel interface MTU     : 1436 bytes
        
    #4: Border Gateway Protocol (BGP) Configuration:
    The Border Gateway Protocol (BGPv4) is used within the tunnel, between the inside
    IP addresses, to exchange routes from the VPC to your home network. Each
    BGP router has an Autonomous System Number (ASN). Your ASN was provided 
    to AWS when the Customer Gateway was created.
    BGP Configuration Options:
      - Customer Gateway ASN	          : 64555 
      - Virtual Private  Gateway ASN          : 64512
      - Neighbor IP Address     		  : 169.254.40.205
      - Neighbor Hold Time       : 30
    Configure BGP to announce routes to the Virtual Private Gateway. The gateway
    will announce prefixes to your customer gateway based upon the prefix you 
    assigned to the VPC at creation time.
     
     
    Additional Notes and Questions
    ================================================================================
      - Amazon Virtual Private Cloud Getting Started Guide: 
          http://docs.amazonwebservices.com/AmazonVPC/latest/GettingStartedGuide
      - Amazon Virtual Private Cloud Network Administrator Guide: 
          http://docs.amazonwebservices.com/AmazonVPC/latest/NetworkAdminGuide
      - XSL Version: 2009-07-15-1119716
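
The values in this file have to be copied into several firewall dialogs in Steps 2 and 3, and the "Customer Gateway" and "Virtual Private Gateway" labels repeat under the Outside and Inside headings. The following added Python example (not Barracuda's or AWS's code) parses the generic file layout shown above and maps each tunnel's values onto the firewall fields; the embedded sample text is constructed with a placeholder key and RFC 5737 addresses, and the consistency checks (both inside addresses in one /30, BGP neighbor equal to the VGW inside address) are this example's own.

```python
import re
from ipaddress import ip_interface
from typing import Dict

# Constructed sample in the layout of the AWS generic file; key and
# outside addresses are placeholders, not values from a real connection.
SAMPLE = """\
IPSec Tunnel #1
  - Pre-Shared Key           : PSK-PLACEHOLDER-1
Outside IP Addresses:
  - Customer Gateway \t\t        : 203.0.113.10
  - Virtual Private Gateway\t        : 198.51.100.1
Inside IP Addresses
  - Customer Gateway         \t\t: 169.254.41.130/30
  - Virtual Private Gateway             : 169.254.41.129/30
  - Tunnel interface MTU     : 1436 bytes
  - Virtual Private  Gateway ASN          : 64512
  - Neighbor IP Address     \t\t  : 169.254.41.129
IPSec Tunnel #2
  - Pre-Shared Key           : PSK-PLACEHOLDER-2
Outside IP Addresses:
  - Customer Gateway                    : 203.0.113.10
  - Virtual Private Gateway             : 198.51.100.2
Inside IP Addresses
  - Customer Gateway                    : 169.254.40.206/30
  - Virtual Private Gateway             : 169.254.40.205/30
  - Tunnel interface MTU     : 1436 bytes
  - Virtual Private  Gateway ASN          : 64512
  - Neighbor IP Address                 : 169.254.40.205
"""

TUNNEL_RE = re.compile(r"^IPSec Tunnel #(\d+)$")
KV_RE = re.compile(r"^-\s+(.+?)\s*:\s*(.*)$")


def parse_aws_config(text: str) -> Dict[int, Dict[str, str]]:
    """Return {tunnel number: {label: value}}. The repeated gateway labels
    are prefixed with the Outside/Inside heading they sit under."""
    tunnels: Dict[int, Dict[str, str]] = {}
    cur, side = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if m := TUNNEL_RE.match(line):
            cur = tunnels.setdefault(int(m.group(1)), {})
            side = ""
        elif cur is None:
            continue                      # preamble before the first tunnel
        elif line.startswith(("Outside IP", "Inside IP")):
            side = line.split()[0]
        elif m := KV_RE.match(line):
            key = " ".join(m.group(1).split())   # collapse tabs/double spaces
            if key in ("Customer Gateway", "Virtual Private Gateway"):
                key = f"{side} {key}"
            cur[key] = m.group(2)
    return tunnels


def firewall_settings(t: Dict[str, str]) -> Dict[str, str]:
    """Map one tunnel's values onto the fields entered in Steps 2 and 3."""
    cgw_in = ip_interface(t["Inside Customer Gateway"])
    vgw_in = ip_interface(t["Inside Virtual Private Gateway"])
    # Both inside addresses must share the /30 and the BGP neighbor must be
    # the VGW inside address, otherwise the BGP session can never come up.
    if cgw_in.network != vgw_in.network:
        raise ValueError("inside addresses are not in one /30")
    if t["Neighbor IP Address"] != str(vgw_in.ip):
        raise ValueError("BGP neighbor is not the VGW inside address")
    return {
        "next_hop_interface_ip": str(cgw_in),            # Step 2.1 (with /30)
        "mtu": t["Tunnel interface MTU"].split()[0],     # Step 2.1
        "local_network_address": str(cgw_in.ip),         # Step 2.2 (no /30)
        "remote_ike_gateway": t["Outside Virtual Private Gateway"],
        "shared_secret": t["Pre-Shared Key"],            # Step 2.2
        "vpn_next_hop_routing": str(vgw_in.ip),          # Step 2.2, Advanced
        "bgp_neighbor": t["Neighbor IP Address"],        # Step 3.3
        "remote_asn": t["Virtual Private Gateway ASN"],  # Step 3.3
    }
```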
    

Step 2 - Configure IPsec Tunnels on the Barracuda CloudGen Firewall

Create a VPN next-hop interface for each IPsec tunnel, then configure the two IPsec site-to-site VPN tunnels. Use the IP addresses provided in the Amazon generic VPN configuration file you downloaded at the end of Step 1.

Step 2.1 - Create VPN Next-hop Interfaces

For each IPsec tunnel, a VPN next-hop interface must be created. Use the IP addresses provided in the Amazon generic VPN configuration file you downloaded at the end of Step 1.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > VPN Settings.
  2. Click Lock.
  3. Click on Click here for Server Settings.
  4. Click on the Advanced tab. 
    next_hopVPN00.png
  5. Create a VPN next hop interface for each IPsec tunnel by clicking Add in the VPN Next Hop Interface Configuration section.
    1. In the VPN Interface Properties window, enter:
      • VPN Interface Index – Enter a number between 0 and 99. Each interface index number must be unique. E.g., IPsec tunnel 1: 10 and IPsec tunnel 2: 11.
      • MTU – Enter 1436.
      • IP Addresses – Enter the Inside IP Address of the Customer Gateway provided by Amazon. E.g., IPsec tunnel 1: 169.254.254.58/30 and IPsec tunnel 2: 169.254.254.62/30.
    2. Click OK.
    next_hopVPN01.png
  6. Click OK.
  7. Click Send Changes and Activate.

You must also introduce the next-hop-interface IP addresses on the CloudGen Firewall as Additional IPs in the Server Properties configuration of the Virtual Server.

Step 2.2 - Configure Two Site-to-Site IPsec Tunnels

Configure two site-to-site IPsec tunnels using the VPN next-hop interfaces. Make sure to use the correct IP addresses and corresponding next-hop interfaces listed in the Amazon generic VPN configuration file for each tunnel.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > VPN-Service > Site to Site.
  2. Click on the IPSEC IKEv1 Tunnels tab.
  3. Click Lock.
  4. For each IPsec tunnel, right-click and click New IPsec IKEv1 tunnel.
    1. Enter the IPsec tunnel configurations:
      1. Enter a Name. E.g., IPsec Tunnel 1: IPsecAWSTunnel1 and IPsec Tunnel 2: IPsecAWSTunnel2.
      2. Enter the Phase 1 and Phase 2 settings:

                                    Phase 1     Phase 2
         Encryption                 AES         AES
         Hash Meth.                 SHA         SHA
         DH-Group                   Group 2     Group 2
         Lifetime (sec)             28800       3600
         Perfect Forward Secrecy    -           Enable

      3. In the Local Network tab:
        • Local IKE Gateway – Enter your external IP address. If you are using a dynamic WAN interface, enter 0.0.0.0.
        • Network Address – Enter the Inside IP Address of the Customer Gateway (without the /30) and click Add. E.g., IPsec tunnel 1: 169.254.254.58 and IPsec tunnel 2: 169.254.254.62.
      4. In the Remote Networks tab:
        • Remote IKE Gateway – Enter the Outside IP Address of the Virtual Private Gateway.
      5. In the Peer Identification tab:
        • Shared Secret – Enter the Amazon Pre-Shared Key.
      6. In the Advanced tab:
        • DPD intervals (s) – Enter 10.
        • Interface Index – Enter the VPN Next Hop Interface index number you entered in Step 2.1. E.g., IPsec tunnel 1: 10 and IPsec tunnel 2: 11.
        • VPN Next Hop Routing – Enter the Inside IP address of the Virtual Private Gateway. E.g., IPsec tunnel 1: 169.254.254.57 and IPsec tunnel 2: 169.254.254.61.
        • Phase 2 Lifetime Adjust (sec) – Enter -1300. This setting ensures that the firewall initiates rekeying.
      7. Click OK.
        IPsecTunnel1.png IPsecTunnel2.png
  5. Click Send Changes and Activate.

You now have two VPN next-hop interfaces listed in the Interfaces/IPs section on the CONTROL > Network page and the VPN tunnels on the VPN > STATUS page.

next_hopVPN01.png

IPsecTunnel03.png

Step 3 - Configure the BGP Service

Configure BGP routing to learn the subnets on the other side of the VPN tunnels. The BGP route propagated via the second (backup) IPsec tunnel is artificially lengthened so that traffic is routed over the first IPsec tunnel by default, as suggested by Amazon.

[...]
IPSec Tunnel #1
================================================================================
[...]
#4: Border Gateway Protocol (BGP) Configuration:
[...]
BGP Configuration Options:
  - Customer Gateway ASN : YOUR-ASN-NUMBER (e.g., 64555)
  - Virtual Private Gateway ASN : 9059
  - Neighbor IP Address : 169.254.254.57
  - Neighbor Hold Time : 30
[...]

IPSec Tunnel #2
================================================================================
[...]
#4: Border Gateway Protocol (BGP) Configuration:
[...]
BGP Configuration Options:
  - Customer Gateway ASN : 64555
  - Virtual Private Gateway ASN : 9059
  - Neighbor IP Address : 169.254.254.61
  - Neighbor Hold Time : 30
[...]

Step 3.1 - Configure Routes to be Advertised via BGP

Only routes with the parameter Advertise set to yes will be propagated via BGP.

  1. Go to CONFIGURATION > Configuration Tree > Box > Network.
  2. Click Lock.
  3. (optional) To propagate the management network, set Advertise Route to yes.
  4. In the left menu, click on Routing.
  5. Double-click on the Routes you want to propagate, and set Advertise Route to yes.
  6. Click OK.
  7. Click Send Changes and Activate.

Step 3.2 - Configure the BGP Routes

Configure the BGP setting for the BGP service on the firewall.

  1. Go to CONFIGURATION > Configuration Tree > Box > Virtual Servers > your virtual server > Assigned Services > OSPF-RIP-BGP-Service > OSPF/RIP/BGP Settings.
  2. Select yes from the Run BGP Router list.
  3. Select advertise-learn from the Operations Mode list. 
    BGP00.png
  4. In the left menu, click BGP Router Setup.
  5. Enter the AS Number (e.g., 64555).
  6. In the Networks table, add the local network(s) (e.g., 10.10.200.0/24).
    BGP01.png
  7. In the left menu, expand Configuration Mode and click Switch to Advanced Mode.
  8. Click the Set button for the Advanced Settings. The Advanced Settings window opens. 
  9. Set the Hold timer to 30 seconds.
  10. Set the Keep Alive Timer to 10 seconds.
  11. Click OK.
  12. Click Send Changes and Activate.

Step 3.3 - Add a BGP Neighbor for each IPsec Tunnel

To dynamically learn the routing of the neighboring network, set up a BGP neighbor for each VPN next-hop interface.

  1. In the left menu of the OSPF/RIP/BGP Settings page, click Neighbor Setup IPv4.
  2. Click Lock.
  3. For each IPsec tunnel, click the plus sign (+) next to the Neighbors table to add a new neighbor.
  4. Enter a Name for the neighbor. E.g., AWS1 and AWS2.
  5. In the Neighbors window, configure the following settings in the Usage and IP section:
    • Neighbor IPv4 – Enter the inside IP Address of the Virtual Private Gateway (the remote address for the VPN next hop interface on the CloudGen Firewall). E.g., IPsec Tunnel 1: 169.254.254.57 and IPsec Tunnel 2: 169.254.254.61.
    • OSPF Routing Protocol Usage – Select no.
    • RIP Routing Protocol Usage – Select no.
    • BGP Routing Protocol Usage – Select yes.
  6. In the BGP Parameters section, configure the following settings:
    • AS Number – Enter the ASN for the remote network: 9059.
    • Update Source – Select Interface.
    • Update Source Interface – Enter the vpnr interface for the IPsec tunnel. E.g., IPsec Tunnel 1: vpnr10 and IPsec Tunnel 2: vpnr11.
      BGP02.png BGP03.png
  7. Click OK.
  8. Click Send Changes and Activate.

Step 3.4 - Add an Access List for the Second IPsec Tunnel

  1. In the left menu of the OSPF/RIP/BGP Settings page, click Filter Setup IPv4.
  2. In the Access List IPv4 Filters section, click +.
  3. Enter a Name for the Access List. E.g., 2ndGWIP. The Access List IPv4 window opens.
  4. Click + to add an access list Type. The Type window opens.
  5. Select permit from the Type dropdown.
  6. In the Network Prefix field, enter the Inside IP of the Virtual Private Gateway for IPsec Tunnel #2. E.g., 169.254.254.62.
  7. Click OK.
  8. Click OK.

Step 3.5 - Add a Filter Setup for the Second IPsec Tunnel

To make the route over the first IPsec tunnel the preferred route, we will lengthen the AS-Path of the second tunnel.

  1. In the left menu of the OSPF/RIP/BGP Settings page, click Filter Setup IPv4.
  2. Click Lock.
  3. In the Route Map IPv4 Filters section, click +. The Route Maps IPv4 window opens.
  4. In the BGP Specific Conditions section, click +. The Route Map Entry window opens.
  5. In the Route Map Entry window, specify the following settings:
    • Sequence Number – Enter a unique sequence number (e.g., 1). This sequence number must be unique across all route maps. For additional entries, iterate the sequence numbers.
    • Type – Select permit.
    • Match Condition – Select Gateway_IP.
    • Gateway IP (Access List) – Select the access list entry created in Step 3.4.
    • Set Action – Select AS_Path.
    • Set addition to AS-Path – Enter Amazon's ASN, 9059.
  6. Click OK.
  7. Click OK.
  8. Click Send Changes and Activate.
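
The route preference built in Steps 3.3 to 3.5 can be checked in a small model: the VGW announces the VPC prefix over both tunnels, the route map prepends Amazon's ASN on the route whose gateway IP matches the Step 3.4 access list, so tunnel 1 wins while its route is present and tunnel 2 takes over once that route is withdrawn. This is an added Python example, not Barracuda's BGP implementation; it assumes the access list holds the tunnel-2 gateway IP that the Gateway_IP match compares against (169.254.254.61, the VGW inside address in this page's examples), reduces best-path selection to AS-path length with an oldest-route tie-break, and uses a constructed VPC prefix.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

AWS_ASN = 9059          # Virtual Private Gateway ASN from the Step 3 excerpt
# VGW inside addresses (BGP next hops) for tunnel 1 and 2, as in the page.
TUNNEL1_GW = "169.254.254.57"
TUNNEL2_GW = "169.254.254.61"
# Step 3.4 access list; assumed to hold the tunnel-2 gateway (next hop) IP.
ACCESS_LIST_2ND_GW = [ip_network(TUNNEL2_GW + "/32")]


@dataclass
class Route:
    prefix: str
    gateway_ip: str      # BGP next hop = VGW inside address of the tunnel
    as_path: List[int]


def apply_route_map(route: Route) -> Route:
    """Step 3.5 route map: Type permit, Match Condition Gateway_IP against
    the access list, Set Action AS_Path with addition AWS_ASN."""
    if any(ip_address(route.gateway_ip) in net for net in ACCESS_LIST_2ND_GW):
        return Route(route.prefix, route.gateway_ip, [AWS_ASN] + route.as_path)
    return route          # tunnel-1 route passes through unchanged


def best_path(learned: List[Route]) -> Optional[Route]:
    """Simplified BGP decision: shortest AS path wins; among equal paths the
    route learned first (oldest) is kept, as many BGP stacks do."""
    if not learned:
        return None
    return min(enumerate(learned),
               key=lambda ir: (len(ir[1].as_path), ir[0]))[1]


def chosen_gateway(prefix: str, arrival_order: List[str],
                   use_route_map: bool = True) -> Optional[str]:
    """Gateway selected for `prefix`, given the order in which the VGW
    neighbors with an established session announced it."""
    routes = [Route(prefix, gw, [AWS_ASN]) for gw in arrival_order]
    if use_route_map:
        routes = [apply_route_map(r) for r in routes]
    best = best_path(routes)
    return best.gateway_ip if best else None


if __name__ == "__main__":
    vpc = "10.100.0.0/16"   # constructed VPC prefix
    # Tunnel 2 happened to come up first: without the route map its route is
    # kept; with the AS-path prepend tunnel 1 is preferred regardless.
    print(chosen_gateway(vpc, [TUNNEL2_GW, TUNNEL1_GW], use_route_map=False))
    print(chosen_gateway(vpc, [TUNNEL2_GW, TUNNEL1_GW]))
    # Tunnel 1 down: its route is withdrawn and tunnel 2 takes over.
    print(chosen_gateway(vpc, [TUNNEL2_GW]))
```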

Step 4 - Create an Access Rule for VPN Traffic

To allow traffic to and from the VPN networks, a pass access rule is needed. You also need to set the Clear DF bit and Force Maximum Segment Size settings according to the Amazon configuration file in the advanced firewall rule settings. You also need to set Reverse Interface (Bi-directional) to Any to allow return traffic using a different VPN tunnel than was used to initiate the connection.

[...] 

IPSec ESP (Encapsulating Security Payload) inserts additional
headers to transmit packets. These headers require additional space, 
which reduces the amount of space available to transmit application data.
To limit the impact of this behavior, we recommend the following 
configuration on your Customer Gateway:
  - TCP MSS Adjustment       : 1387 bytes
  - Clear Don't Fragment Bit : enabled

[...]
  1. Create a Pass access rule:
    • Bi-Directional – Enable.
    • Source – Select the local network(s) you are propagating via BGP. 
    • Service – Select the service you want to have access to the remote network or ALL for complete access. 
    • Destination – Select the remote VPC subnet(s). 
    • Connection Method – Select Original Source IP.
    FW01.png
  2. In the left navigation, click on Advanced. 
  3. In the TCP Policy section, set Force MSS (Maximum Segment Size) to 1378.
    FW03.png
  4. In the Miscellaneous section, set Clear DF Bit to Yes.
    FW02.png
  5. In the Dynamic Interface Handling section:
    1. Set Continue on Source Interface Mismatch to Yes.
    2. Set Reverse Interface (Bi-directional) to Any.
    3. Set Interface Checks after Session Creation to Disabled.
    FW04.png
  6. Click OK.
  7. Move the access rule up in the rule list, so that it is the first rule to match the firewall traffic.
  8. Click Send Changes and Activate.

You now have two IPsec VPN tunnels connecting your CloudGen Firewall to the Amazon AWS cloud. By default, the first IPsec tunnel is used. In case of a failure, it may take some time for BGP to learn the new routes.

If the BGP (TCP 179) connection is established via a loopback IP, check which interface is used by the VPN IP.

IPsec Tunnels are Connected

finished01.png

BGP Configuration (CONTROL > NETWORK > BGP)

finished02.png

AWS VPN Status in the Amazon AWS Management Interface

finished03.png
