Page 1 of 1

Amazon VPC - How to setup double VPN tunnels

Posted: 15 May 2014, 12:05
by Tomas
This How-to applies to:
  • Clavister Security Gateway 8.x - 10.x.
This document is a quick guide to setting up a VPN connection to Amazon VPC.

Table of contents
  • Objectives with this article
  • Configuring Amazon VPC VPN
Objectives with this article
How to setup double VPN tunnels to Amazon VPC.


Configuring Amazon VPC VPN

Create Address Book objects for the remote network and the two public IPs to Amazon's VPN gateways.
Create a PSK object in the Key Ring section with the PSK Amazon gave you.

Create two separate IPsec interfaces (tunnels) to the two public IPs you get from Amazon. Use the PSK they gave you.

Select "High" as Proposal lists for IKE and IPsec, IKE lifetime=28800 s, IPsec lifetime = 3600 s, Tunnel mode, IKE DH Group 2, PFS = None/Disabled, SA Per Net, Use DPD,
Disable the automatic route feature on the Advanced tab.

Create two routes, both to the remote network at Amazon. They should have the same Metric and enable Route Monitoring so the Clavister can detect which one currently is up.

Create an Interface Group, add the two IPsec interfaces to the group and Enable the Security/Transport Equivalent feature, which allows your established connections to operate over either tunnel, should it change.

Use the Interface Group in the IP Rules that you use for the traffic to/from Amazon's internal network.