- BFW2AWSCloud
- Virtual Private Gateway – Select the virtual private gateway created in Step 1.
- Routing Options – Select Static.
- Static Prefixes – Enter your local network (e.g.,
- Click Yes, Create.
- Click Download Configuration.
- Select generic vendor and platform settings for the configuration file:
- Click Yes, Download, and save the vpn-<YOUR-VPC-ID>.txt file.
Step 4. Configure the X-Series Firewall Site-to-Site VPN Connection
The Amazon VPN configuration file provides settings for two IPsec tunnels; configure only IPsec tunnel #1 on the X-Series Firewall.
- Log into the X-Series Firewall.
- Go to the VPN > Site-to-Site VPN page.
- In the Site-to-Site IPsec Tunnels section, click Add.
- Enter the Name for the IPsec VPN.
- Configure the Phase 1 settings, as specified in the Amazon configuration file:
  - Encryption: AES
  - Hash Method: SHA
  - DH Group: Group 2
  - Lifetime: 28800
- Configure the Phase 2 settings, as specified in the Amazon configuration file:
  - Encryption: AES
  - Hash Method: SHA
  - DH Group: Group 2
  - Lifetime: 3600
  - Perfect Forward Secrecy – Select the check box.
- Configure the remaining settings:
  - Local End – Select Active.
  - Local Address – Select Dynamic.
  - Local Networks – Enter your local subnet.
  - Remote Gateway – Enter the IP address for the Virtual Private Gateway supplied in the Amazon VPN configuration file.
  - Remote Networks – Enter the remote VPC subnet.
  - Authentication – Select Shared Passphrase.
  - Passphrase – Enter the Pre-Shared Key supplied in the Amazon VPN configuration file.
  - Enable Aggressive – Select No.
- Click Save.
Your X-Series Firewall now automatically connects to the Amazon virtual private gateway.
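As an added example (not part of this guide or the X-Series product), the Python helper below pulls tunnel #1's Phase 1, Phase 2, remote gateway and pre-shared key values out of the downloaded vpn-<YOUR-VPC-ID>.txt file and checks them against the Phase 1/Phase 2 values listed above, so a mismatch is caught before the form is filled in. The sample file content is constructed, and the "- Key : Value" line layout of the generic vendor file is an assumption.

```python
import re
# Constructed sample in the shape of an AWS "generic vendor" VPN configuration
# file (assumption: real files use the same "- Key : Value" lines per section).
SAMPLE_CONFIG = """\
IPSec Tunnel #1
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : EXAMPLE_PSK_TUNNEL_1
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
#2: IPSec Configuration
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
#3: Tunnel Interface Configuration
    - Virtual Private Gateway  : 203.0.113.10
IPSec Tunnel #2
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : EXAMPLE_PSK_TUNNEL_2
"""
# Phase 1 / Phase 2 values the X-Series form expects, as listed in Step 4.
EXPECTED = {"phase1": {"encryption": "AES", "hash": "SHA", "dh_group": "Group 2", "lifetime": 28800},
            "phase2": {"encryption": "AES", "hash": "SHA", "dh_group": "Group 2", "lifetime": 3600}}

def parse_config(text):  # -> {tunnel_no: {section_no: {key: value}}}
    tunnels, tunnel, section = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"IPSec Tunnel #(\d+)", line):
            tunnel, section = int(m.group(1)), None
        elif m := re.match(r"#(\d+):", line):
            section = int(m.group(1))
        elif (m := re.match(r"\s*-\s*([^:]+?)\s*:\s*(.+?)\s*$", line)) and tunnel and section:
            tunnels.setdefault(tunnel, {}).setdefault(section, {})[m.group(1)] = m.group(2)
    return tunnels

def normalize(sec):  # AWS algorithm names -> the firewall's Encryption/Hash/DH Group/Lifetime
    return {"encryption": "AES" if sec["Encryption Algorithm"].lower().startswith("aes") else sec["Encryption Algorithm"],
            "hash": "SHA" if "sha" in sec["Authentication Algorithm"].lower() else sec["Authentication Algorithm"],
            "dh_group": "Group " + re.search(r"Group (\d+)", sec["Perfect Forward Secrecy"]).group(1),
            "lifetime": int(sec["Lifetime"].split()[0])}

def firewall_settings(text, tunnel=1):  # form values; the guide configures tunnel #1 only
    t = parse_config(text)[tunnel]
    return {"phase1": normalize(t[1]), "phase2": normalize(t[2]),
            "remote_gateway": t[3]["Virtual Private Gateway"], "passphrase": t[1]["Pre-Shared Key"]}

def mismatches(settings):  # Phase 1/2 values that differ from Step 4; empty = fill the form as-is
    return [f"{ph}.{k}: file says {settings[ph][k]!r}, expected {v!r}"
            for ph in EXPECTED for k, v in EXPECTED[ph].items() if settings[ph][k] != v]
```

Treat the passphrase value as a secret: keep it out of logs and tickets, and paste it only into the Passphrase field.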
Step 5. Create a Pass Access Rule for the VPN Traffic
Create an access rule to allow traffic from your local network to the Amazon VPC subnet.
- Log into the X-Series Firewall.
- Go to the FIREWALL > Firewall Rules page.
- Add an access rule:
  - Type – Select ALLOW.
  - Source – Enter your local network or select a network object containing only your local network (e.g., 10.0.10.0/25).
  - Destination – Enter the remote VPC subnet (e.g., 10.10.10.0/24).
  - Network Services – Select Any.
  - Connection – Select No SNAT.
- Click Save.
- Place the firewall rule above the BLOCKALL rule.
- Click Save.
Monitoring
You can verify that the VPN tunnel is up by selecting your VPN connection in the Amazon VPC Management Console and clicking the Tunnel Details tab in the bottom pane.