site to site IPsec tunnel between PA and AWS

L2 Linker

Hi members,

 

Has anyone had experience setting up a site-to-site tunnel between AWS and PA?

I have set up the IPsec tunnel on my PA (we used the parameters from the configuration file downloaded from AWS). The issue is that if I use the server's public IP (the actual source) on the AWS end in the proxy ID instead of the private IP, the other end can't access my server. In our environment, the use of private IPs is restricted. The private IP works fine. It appears that on the AWS side the private IP is routable and the public IP is not.

 

How can we resolve it? I understand it's an issue with the configuration or setup on the AWS end.

 

Any guidance, please, AWS experts.

L4 Transporter

Re: site to site IPsec tunnel between PA and AWS

Hi @R_Sharma

 

You are correct: routing can be changed for private IPs, but not for public IPs.

It is how AWS works. A public IP is, as the name suggests, "public". It is not "your server's" IP, but rather an AWS-owned IP address, which is NATed by AWS to the private IP of your server. You cannot control the routing of traffic for public IPs, and that traffic will always be sent out to the internet.

L2 Linker

Re: site to site IPsec tunnel between PA and AWS

Hi @BatD

I didn't understand. I am using a VPN peer, obviously a public IP, but in the ACL, i.e. the proxy ID, I want to use the public IP too, not the private one. How is it set up on the AWS end, do you know?

L4 Transporter

Re: site to site IPsec tunnel between PA and AWS

@R_Sharma You just cannot use the public IP as the proxy ID; you need to use the private IP. This is how AWS works.

L2 Linker

Re: site to site IPsec tunnel between PA and AWS

Okay! Thank you. Can I know how it's set up on the AWS side so that it restricts the use of it, if you know?

Regards

L2 Linker

Re: site to site IPsec tunnel between PA and AWS

R_Sharma, I think AWS VPNs are designed to use a proxy at their end. The remote interesting traffic (AWS side) is NATed or PATed to a proxy device IP. AWS gives the proxy IP as the parameter for interesting traffic on their side. So in the proxy ID field we never use the public IP; we use the proxy IP (private) only. On the local PA side we will NAT the AWS proxy IP.

Needless to say, local/remote peer IPs will always be public IPs.
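The point made in the two replies above (the public address is an AWS-owned NAT address applied at the internet gateway, so a proxy ID written with it selects nothing on the VPN path) can be shown with a small traffic-selector matcher. This is an added example, not code from the thread, from Palo Alto Networks or from AWS. The on-prem LAN, VPC CIDR, instance private IP and the stand-in public IP are all constructed; the proxy-ID matching follows the PAN-OS convention that "local" is the PA side and "remote" is the AWS side.

```python
"""Added example: why a PA proxy-ID built from the AWS public IP never matches.

A packet that rides the Site-to-Site VPN leaves the VPC with the instance's
private (VPC) address as its source; the public/Elastic IP is an AWS-owned
address that is only NATed at the internet gateway, on the internet path.
An IPsec proxy-ID (traffic selector) is compared against the addresses actually
carried in the packet, so a selector written with the public IP selects nothing.
Every address below is constructed for this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional

# RFC 1918 checked explicitly: ipaddress.is_private also counts the
# 203.0.113.0/24 documentation range as private, which would mislead here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr: str) -> bool:
    """True when every address in cidr lies in RFC 1918 space (usual VPC CIDRs)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(p) for p in RFC1918)


@dataclass(frozen=True)
class ProxyID:
    """PAN-OS style proxy-ID: local = on-prem side of the PA, remote = AWS side."""
    name: str
    local: str
    remote: str

    def matches(self, src: str, dst: str) -> bool:
        """Outbound packets must fall in (local -> remote); packets arriving
        from the tunnel must fall in (remote -> local)."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        loc = ipaddress.ip_network(self.local, strict=False)
        rem = ipaddress.ip_network(self.remote, strict=False)
        return (s in loc and d in rem) or (s in rem and d in loc)


def select_proxy_id(proxy_ids: Iterable[ProxyID], src: str, dst: str) -> Optional[ProxyID]:
    """First proxy-ID whose selectors cover the packet; None means the packet
    is not interesting traffic for any IPsec SA and will not use the tunnel."""
    for pid in proxy_ids:
        if pid.matches(src, dst):
            return pid
    return None


def check_aws_side(proxy_ids: Iterable[ProxyID], vpc_cidr: str) -> dict:
    """Pre-commit sanity check: the AWS-side selector must sit inside the VPC CIDR
    that AWS hands you, because only VPC addresses are routed over the VGW."""
    vpc = ipaddress.ip_network(vpc_cidr)
    findings = {}
    for pid in proxy_ids:
        rem = ipaddress.ip_network(pid.remote, strict=False)
        if rem.subnet_of(vpc):
            findings[pid.name] = "ok: inside VPC CIDR"
        elif is_rfc1918(pid.remote):
            findings[pid.name] = "warn: private, but not in this VPC"
        else:
            findings[pid.name] = "fail: public address, not routed over the VPN"
    return findings


# Constructed topology (assumptions, not values from the thread)
ONPREM_LAN = "192.168.50.0/24"
VPC_CIDR = "10.20.0.0/16"
INSTANCE_PRIVATE = "10.20.1.15"
INSTANCE_PUBLIC = "203.0.113.10"   # stands in for the instance's Elastic IP

PID_PRIVATE = ProxyID("aws-private", ONPREM_LAN, INSTANCE_PRIVATE + "/32")
PID_PUBLIC = ProxyID("aws-public", ONPREM_LAN, INSTANCE_PUBLIC + "/32")


def demo() -> dict:
    """An AWS-originated packet as the PA sees it arriving from the tunnel:
    the source is the instance's VPC address, never its public IP."""
    src, dst = INSTANCE_PRIVATE, "192.168.50.25"
    return {
        "matched_by_private": select_proxy_id([PID_PRIVATE], src, dst) is not None,
        "matched_by_public": select_proxy_id([PID_PUBLIC], src, dst) is not None,
        "findings": check_aws_side([PID_PRIVATE, PID_PUBLIC], VPC_CIDR),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows the private proxy-ID matching the flow and the public one matching nothing, and `check_aws_side` flags the public selector before it is ever committed to the firewall. If the on-prem policy forbids addressing the VPC range directly, the address translation has to happen on the PA side of the tunnel (NAT on the PA after the proxy-ID match), not in the proxy-ID itself.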
