Site2Cloud IPsec VPN Instructions


Aviatrix supports connectivity between its Gateways in the cloud and on-premise routers using a feature called Site2Cloud, as shown below. This document outlines how to get connectivity established between an Aviatrix Gateway in AWS, Azure, or GCP and your on-premise router or firewall.


Configuration Workflow

Create Site2Cloud Connection

  1. Log in to your Aviatrix Controller.
  2. Select the Site2Cloud navigation item on the left navigation bar.
  3. Click on + Add New near the top of the Site2Cloud tab.
  4. Under Add a New Connection, enter the following:


If the Local Subnet field is outside of gateway VPC/VNet, you need to open the gateway inbound security groups to allow the Local Subnet network CIDR ranges.

Connection Type: Unmapped

For unmapped connections, the following two fields will be displayed:

Field Description
Remote Subnet Enter the CIDR representing the remote network.
Local Subnet The CIDR block of the local VPC/VNet subnet. If left blank, Aviatrix will use the full VPC/VNet CIDR.


The remote and local subnet fields can contain multiple values. Use a comma (,) to separate the values.

Connection Type: Mapped

For mapped connections, the following four fields will be displayed:

Field Description
Remote Subnet(Real) Enter the real CIDR of the remote network.
Remote Subnet(Virtual) Enter a virtual CIDR that will represent the real subnet.
Local Subnet(Real) The real CIDR block of the local VPC/VNet subnet. If left blank, Aviatrix will the full VPC/VNet CIDR.
Local Subnet(Virtual) Enter a virtual CIDR that will represent the real subnet.


The remote and local subnet fields can contain multiple values. Use a comma (,) to separate the values.


If you use multiple values for the real subnets, you must use an equal number of subnets in the virtual field.


1:1 mapping is supported if both sides are configured properly. For example, you can configure:

Remote Subnet(Real):
Remote Subnet(Virtual):

Local Subnet(Real):
Local Subnet(Virtual):
  1. Click OK.

Configuration Details

Remote Gateway Type

Type Description
Generic Use this option for most third-party routers and firewalls.
AWS VGW For terminating on an AWS Virtual Private Gateway, select this option.
Azure VPN For terminating on Azure VPN Services
Aviatrix When terminating on an Aviatrix CloudN on-premise gateway.


If the Algorithms checkbox is unmarked, the default values will be used. If it is checked, you can set any of the fields defined below.

Phase 1 Authentication
Phase 1 DH Groups
Phase 1 Encryption
Phase 2 Authentication
Phase 2 DH Groups
Phase 2 Encryption

Remote and Local Subnet(s)

Enter the subnet(s) using a comma to delimit more than one CIDR.

If you leave the local subnet field blank, the default value is the VPC/VNet CIDR. If you enter a value, make sure you include the VPC/VNet as well.

These Local Subnets are advertised to Remote Subnets that the site2cloud connection can reach.

You can change these settings later.

Edit Connection

Once a connection is created, you can download the configuration or edit parameters. To do this, select Site2Cloud from the navigation menu and select the connection you just created.

Download Configuration

You can generate remote site configuration template.

Select the remote site device from the dropdowns provided. If your remote site device is not listed in the dropdown menu, simply select an available one in the menu or use the Generic/Vendor Independent template.

This template file contains the gateway public IP address, VPC CIDR, pre-shared secret and encryption algorithm. Incorporate the information to your remote router/firewall configuration. If the remote gateway is an Aviatrix CloudN, go to Site2Cloud and simply import the downloaded configuration file and click OK.

Local Identifier

By default, Aviatrix configures gateway’s public IP as Local Identifier. User can adjust these settings to the gateway’s private IP.

Remote Identifier

By default, Aviatrix configures public IP of peer device as Remote Identifier. User can adjust these settings to the private IP of peer device.

Dead Peer Detection

This field is not applicable to Site2Cloud connection established by Transit Network workflow.

Dead Peer Detection (DPD) is a standard mechanism (RFC 3706) between IPsec tunnels to send periodic messages to ensure the remote site is up.

By default, DPD detection is enabled.

Field Value Description
Delay >= 1 Keepalive timer (in seconds)
Retry Delay >= 1 How long should the tunnel wait before declaring keep alive failed. (in seconds)
Maxfail >= 1 Number of tries before considering the peer is dead.

Active Active HA

Allow Site2Cloud gateways to support Active-Active mode where both tunnels are up and packets are routed to both gateways via respective VPC/VNet route tables.

To enable this, go to Site2Cloud, edit the connection on the Setup page, scroll down to Active Active HA, and click Enable.

Forward Traffic to Transit Gateway

This configuration option applies to a use case where an Aviatrix Spoke gateway connects to on-prem routers via Site2Cloud IPsec connections.

Event Triggered HA

Event Trigger HA is a new mechanism to reduce the convergence time. To configure, go to Site2Cloud > select a connection, click Edit. Scroll down to Event Triggered HA and click Enable.

Jumbo Frame

Jumbo Frame improves the performance between Aviatrix Transit gateway or an OCI Transit Gateway and CloudN. This feature is only supported for AWS and OCI; Azure and GCP do not support Jumbo frame. To configure, go to Site2Cloud > select a connection and click Edit. Scroll down to Jumbo Frame and click Enable.

Clear Sessions

Clear Session allows to reset all the active sessions on a selected Site2Cloud connection. To clear, go to Site2Cloud > select a connection and click Edit. Scroll down to Clear Sessions and click Clear.

Periodic Ping

In very rare cases Site2Cloud tunnels may fail to pass traffic if the tunnel is dormant for a long period of time. This is not an issue with the Aviatrix Gateways and can usually be traced to misconfigurations on the remote device. To compensate for this Periodic Ping was developed to maintain a steady flow of traffic across the tunnel.

For configuration steps read the full article here: Periodic Ping

Network Device Support

Aviatrix Site2Cloud supports all types of on-prem firewall and router devices that terminate VPN connection. Below are configuration examples to specific devices.

Additional Use Cases

Real-world use cases sometimes require a combination of Site2Cloud and other features, such as SNAT and DNAT.

Here are a few documents in the Tech Notes session that demonstrate how you can solve some of them.


To check a tunnel state, go to Site2Cloud. The tunnel status appears next to the connection.

Diagnostics and troubleshooting options are available in the Diagnostics tab. You must first select the connection, and then select an Action, followed by OK.