topic Re: site to site IPsec tunnel between PA and AWS in VM-Series in the Public Cloud

site to site IPsec tunnel between PA and AWS

R_Sharma — Wed, 01 Aug 2018 12:43:56 GMT

HI members

Has anyone had an experienced setting up a site to site tunnel between AWS and PA?

I have set up the IPSEC tunnel on my PA (we did use the parameters as per aws downloaded file). The issue is if I use the server's public IP (actual source) on AWS end as in proxy ID instead of private IP, the other end can't access my server. In our environment , the use of private ip is restricted. The private IP works fine.Appears that aws side the private is routable and not public ip.

how can we resolve it. I understand its the issue on AWS end configuration or set up.

Any guidance please AWS experts.

Re: site to site IPsec tunnel between PA and AWS

BatD — Wed, 01 Aug 2018 14:13:34 GMT

Hi @R_Sharma

You are correct, that routing can be changed for private, but not public IPs.

It is how AWS works. Public IP is, as the name suggests “Public”. It is not "your server’s" IP, but is rather an AWS owned IP address, which is NAT-ted by AWS to the private IP of your server. You cannot control the routing of traffic for public IPs and traffic will always be sent out to internet.

Re: site to site IPsec tunnel between PA and AWS

R_Sharma — Wed, 01 Aug 2018 14:21:57 GMT

Hi @BatD

I didn’t understand. I am using VPN peer obviously a public up but in the acl as in proxy ID I want to use public up too not private . How is it setup on Aws end do you know?

Re: site to site IPsec tunnel between PA and AWS

BatD — Wed, 01 Aug 2018 14:33:46 GMT

@R_Sharma You just can not use the Public IP as proxy-id, you need to use private. This is how AWS works.

Re: site to site IPsec tunnel between PA and AWS

R_Sharma — Wed, 01 Aug 2018 14:38:52 GMT

Okay! Thank you. Can I know how it’s set up on aws side which restricts the use of it, if you know.
Regards

Re: site to site IPsec tunnel between PA and AWS

Prakhar — Tue, 07 Aug 2018 15:41:12 GMT

R_sharma.- I think AWS VPNs are designed to use a proxy at their end. The remote interesting traffic (AWS side) is NAT or PATed or proxy device IP. AWS gives the proxy IP as the parameter for interesting traffic their side. So in Proxy ID filed we never use public IP, we use proxy IP (private) only. On local PA side we will NAT the AWS proxy IP.

Needless to say local/remote peer IPs will always be a public IP.