AWS Specific Cloud Configuration Modifications

  1. Internet Key Exchange SA Configuration

    The address of the external interface for the customer gateway must be a static address. The customer gateway can reside behind a device performing Network Address Translation (NAT). To make sure that NAT traversal (NAT-T) functions correctly, add or update the firewall rule to allow UDP port 4500. Disable NAT-T if the customer gateway is not behind a NAT gateway.

    Use the following sample configuration files to set up an Internet key exchange SA configuration.
    • Authentication Method: Pre-shared Key
    • Pre-shared Key: LwYbARmDJmpFGAOrAbPGk2uQiWwvbmfU
    • Authentication Algorithm: sha1
    • Encryption Algorithm: aes-128-cbc
    • Lifetime: 28800 seconds
    • Phase 1 Negotiation Mode: main
    • Perfect Forward Secrecy: Diffie-Hellman Group 2

  2. IPsec Configuration
    Use the following sample configuration files to configure IPsec. The sample configuration files may need to be modified to take advantage of additionally supported IPsec parameters for encryption, such as AES256 and other DH groups like 2, 5, 14-18, 22, 23, and 24.
    • Protocol: esp
    • Authentication Algorithm: hmac-sha-96
    • Encryption Algorithm: aes-128-cbc
    • Lifetime: 3600 seconds
    • Mode: tunnel
    • Perfect Forward Secrecy: Diffie-Hellman Group 2
    IPsec Dead Peer Detection (DPD) is enabled on the AWS Specific Cloud endpoint. Configure DPD on your endpoint as follows:
    • DPD interval: 10
    • DPD Retries: 3

    The IPsec Encapsulating Security Payload (ESP) inserts additional headers to transmit the packets. These headers require additional space, which reduces the amount of space available to transmit application data. The following configuration is recommended on the customer gateway to limit the impact of this behavior:

    • TCP MSS Adjustment: 1379 bytes
    • Clear Don't fragment Bit: enabled
    • Fragmentation: Before encryption
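    The 1379-byte MSS value above follows from the worst-case ESP overhead of the cipher suite in this section (aes-128-cbc with hmac-sha-96, NAT-T on UDP 4500, tunnel mode). The following script is an added example, not part of the Arista or AWS documentation; it assumes a 1500-byte path MTU and IPv4 inner and outer headers without options, and it also covers the no-NAT-T and AES256 cases the text mentions.

```python
"""Worst-case ESP overhead and the resulting TCP MSS clamp for an IPsec tunnel."""

# Fixed header sizes (IPv4 without options, as assumed for this example)
OUTER_IPV4_HEADER = 20   # new outer IP header added in tunnel mode
NAT_T_UDP_HEADER = 8     # UDP/4500 encapsulation when NAT traversal is active
ESP_HEADER = 8           # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2          # pad length (1 byte) + next header (1 byte)
INNER_IPV4_HEADER = 20
TCP_HEADER = 20

# Encryption algorithm -> (IV length, cipher block size used for padding alignment)
CIPHERS = {
    "aes-128-cbc": (16, 16),
    "aes-256-cbc": (16, 16),  # AES256 option mentioned in the text; same IV and block size
}
# Integrity algorithm -> ICV (integrity check value) length appended to the ESP packet
INTEGRITY = {"hmac-sha-96": 12}


def esp_overhead(cipher: str, integrity: str, nat_t: bool = True) -> int:
    """Bytes added to an inner IP packet by ESP tunnel-mode encapsulation, worst case.

    CBC padding extends the (payload + trailer) to a multiple of the block size,
    so the worst case is block_size - 1 bytes of padding.
    """
    iv_len, block = CIPHERS[cipher]
    worst_case_padding = block - 1
    overhead = (OUTER_IPV4_HEADER + ESP_HEADER + iv_len + worst_case_padding
                + ESP_TRAILER + INTEGRITY[integrity])
    if nat_t:
        overhead += NAT_T_UDP_HEADER
    return overhead


def tcp_mss_clamp(mtu: int, cipher: str, integrity: str, nat_t: bool = True) -> int:
    """Largest TCP payload such that the encrypted packet still fits in `mtu`.

    Clamping MSS to this value keeps TCP segments from being fragmented after
    encryption, which is why the text pairs it with 'fragmentation before encryption'.
    """
    return mtu - esp_overhead(cipher, integrity, nat_t) - INNER_IPV4_HEADER - TCP_HEADER


if __name__ == "__main__":
    for nat_t in (True, False):
        mss = tcp_mss_clamp(1500, "aes-128-cbc", "hmac-sha-96", nat_t)
        print(f"aes-128-cbc / hmac-sha-96, NAT-T={nat_t}: MSS clamp {mss} bytes")
```

With NAT-T enabled the clamp is exactly the 1379 bytes recommended above; with NAT-T disabled the eight UDP bytes are recovered and the clamp rises to 1387.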

  3. Tunnel Interface Configuration

    Configure the customer gateway with a tunnel interface that associates with the IPsec tunnel. All traffic transmitted to the tunnel interface is encrypted and transmitted to the virtual private gateway.

    The customer gateway and the virtual private gateway each have two addresses that relate to this IPsec tunnel. Each one has an outside address, where the encrypted traffic is exchanged. Both gateways also have an inside address associated with the tunnel interface. The customer gateway outside IP address is provided upon creation of the customer gateway. To change the IP address of the customer gateway, create a new customer gateway. The customer gateway inside IP address must be configured on the tunnel interface.

    Outside IP Addresses:
    • Customer Gateway:
    • Virtual Private Gateway:

      The customer gateway IP address is the IP address of the NAT firewall that the CloudEOS and vEOS instance in the DC sits behind.

      The virtual private gateway IP address is the external IP address of the AWS Specific Cloud.

    Inside IP Addresses
    • Customer Gateway:
    • Virtual Private Gateway:

    The virtual private gateway IP address is the tunnel IP address of the AWS Specific Cloud.

  4. Static Routing Configuration

    To route traffic between the internal network and the VPC in AWS Specific Cloud, add a static route to the CloudEOS and vEOS Router.

    Next Hop:

    Any subnet that requires a route to DC must have a route pointing to the AWS Specific Cloud tunnel IP address.

    For traffic destined to the internal network, add static routes on the VGW.