How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway Print

  • Aws Site too site vpn
  • 0

If you are using the Amazon Virtual Private Cloud, you can transparently extend your local network to the cloud by connecting both networks with a site-to-site IPsec VPN tunnel. The Amazon virtual private gateway uses static routing and two parallel IPsec tunnels, of which only one tunnel is used when connecting with the Barracuda NextGen Firewall X-Series. Amazon also limits you to one local network. If multiple local networks require access to the cloud resources use routing and access rules on the X-Series Firewall to forward traffic from other local subnets to the VPN gateway.


Configure an Amazon Virtual Private Cloud (VPC). 

Step 1. Create a Virtual Private Gateway

The Amazon virtual private gateway is the VPN concentrator on the remote side of the IPsec VPN connection.

  1. Go to the Amazon VPC Management Console.
  2. In the left pane, click Virtual Private Gateways.
  3. Click Create Virtual Private Gateway.
  4. Enter the Nametag for the VPN gateway (e.g., 
  1. Techlib Virtual Private Gateway
  2. Click Yes, Create.
  3. Select the newly created virtual private gateway, and click Attach to VPC.
  4. Select your VPC from the VPC list, and click Yes, Attach.

The virtual private gateway is now available.


Step 2. Add Your Customer Gateway Configuration

The Amazon customer gateway is your X-Series Firewall on your end of the VPN connection. Specify your external IP address and routing type in the customer gateway configuration:

  1. Go to the Amazon VPC Management Console.
  2. In the left pane, click Customer Gateway. 
  3. Click Create Customer Gateway.
  4. Enter the connection information for your X-Series Firewall: 
    • Name Tag – Enter a name for your device (e.g., 
    • My Barracuda Firewall
    • Routing – Select Static
    • IP Address – Enter your external IP Address. To look up your external IP address, go to the NETWORK INTERFACES section on the NETWORK > Routing page of the X-Series Firewall. 
  1. Click Yes, Create.

Your X-Series Firewall is now configured in the AWS cloud and can be used to configure VPN connections.


Step 3. Create a VPN Connection

Create a VPN connection with the customer gateway and the virtual private gateway that you just created. Then download the VPN configuration file, because it contains all the necessary information for configuring the VPN connection on the X-Series Firewall.

The Amazon VPN configuration file is different for every VPN connection.

  1. Go to the Amazon VPC Management Console.
  2. In the left pane, click VPN Connections. 
  3. Click Create VPN Connection. 
  4. In the Create VPN Connection window, enter the configuration information for your VPN connection:
    • Name tag – Enter a name for your VPN connection (e.g., 
  • BFW2AWSCloud
  • Virtual Private Gateway – Select the virtual private gateway created in Step 1
  • Routing Options – Select Static.
  • Static Prefixes – Enter your local network (e.g., 


      If your local networks overlap with the address space reserved for the VPC add the on-premise networks by editing the VPN connections later.


  • Click Yes, Create
  • Click Download Configuration.
  • Select generic vendor and platform settings for the configuration file: 
    • Vendor – Select Generic
    • Platform – Select Generic.
    • Software – Select Vendor Agnostic.
  • Click Yes, Download, and save the 

  1. vpn-<YOUR-VPC-ID>.txt

Step 4. Configure the X-Series Firewall Site-to-Site VPN Connection

The Amazon VPN configuration file provides settings for two IPsec tunnels, but you must only configure IPsec tunnel #1.

  1. Log into the X-Series Firewall.

  2. Go to the VPN > Site-to-Site VPN page.

  3. In the Site-to-Site IPsec Tunnels section, click Add.
  4. Enter the Name for the IPsec VPN. 
  5. Configure the Phase 1 settings, as specified in the Amazon configuration file:
    • Encryption: AES
    • Hash Method: SHA
    • DH Group: Group 2
    • Lifetime: 28800
  6. Configure the Phase 2 settings, as specified in the Amazon configuration file:
    • Encryption: AES
    • Hash Method: SHA
    • DH Group: Group 2
    • Lifetime: 3600
    • Perfect Forward Secrecy – Select the check box.
  7. Configure the remaining settings:
    • Local End – Select Active.
    • Local Address – Select Dynamic
    • Local Networks – Enter your local subnet.

      Only enter one local subnet. Additional local subnets must use an additional firewall rule to connect the Amazon VPC subnet.

    • Remote Gateway – Enter the IP address for the Virtual Private Gateway supplied in the Amazon VPN configuration file.
    • Remote Networks – Enter the remote VPC subnet.
    • Authentication – Select Shared Passphrase.
    • Passphrase – Enter the Pre-Shared Key supplied in the Amazon VPN configuration file.
    • Enable Aggressive – Select No.
  8. Click Save.

Your X-Series Firewall now automatically connects to the Amazon virtual private gateway.


Step 5. Create a Pass Access Rule for the VPN Traffic

Create an access rule to allow traffic from your local network to the Amazon VPC subnet. 

  1. Log into the X-Series Firewall.
  2. Go to the FIREWALL > Firewall Rules page.

  3. Add an access rule: 
    • Type – Select ALLOW.
    • Source – Enter your local network or select a network object containing only your local network (e.g., 
  • Destination – Enter the remote VPC subnet (e.g., 
    • Network Services – Select Any.
    • Connection – Select No SNAT.
  1. Click Save
  2. Place the firewall rule above the BLOCKALL rule.
  3. Click Save.

For each additional subnet that must access the Amazon VPC through the VPN tunnel, create an additional ALLOW firewall rule:

  • Source – Enter the local network.
  • Destination – Enter the Amazon VPC subnet.

  • Connection– Select Default (SNAT).


You can verify that the VPN tunnel is up by selecting your VPN connection in the Amazon VPC Management Console and clicking the Tunnel Details tab in the bottom pane.


Was this answer helpful?

« Back