Building Site to Site IPsec VPN Connection

You can use Aviatrix gateways to connect one site to another. This solution requires one Aviatrix gateway in each location that needs to be connected. These on-premise gateways can be deployed as virtual machines on VMware, KVM or Hyper-V.

Environment Requirements

An Aviatrix Site to Site IPSEC tunnel is accomplished by one gateway initiating the session with the other gateway. For this to work at least one of the Aviatrix virtual appliances needs to be accessible via a public IP address. This can be accomplished by setting up the public IP address on the edge router in the on-premise network and configuring NAT from that public IP address to the Aviatrix VM with a 1-1 IP address NAT. The only ports that need to be forwarded from the edge router to the VM are UDP ports 500 and 4500.

On the other site, the second gateway does not need a public IP assigned to the Aviatrix gateway. This second gateway will reach outbound to the first Aviatrix GW (GW1).

The last requirement is to configure static routes in the internal routers (default gateway of the Aviatrix VM) in both sites. This static route should send traffic destined for the other site to the Aviatrix GW as the next hop.

Steps to Configure IPSec connectivity

Install an Aviatrix gateway in each site.
- Spoke Gateway
- Transit Gateway

Configure an external connection (Site2Cloud) in Gateway 1.

In the Aviatrix terminology, Site2Cloud is the name of the feature that enables connections from one site (or datacenter) to other sites (including cloud environments).

In CoPilot, go to Networking > Connectivity > External Connections (S2C) and click +External Connection to create a Site2Cloud connection using the values for one of the below options (for either you can select either PSK or certificate-based authentication).
- Static Route-Based (Unmapped)
- Static Policy-Based (Unmapped)

Use these table values:

Field	Description
Connect Public Cloud to	External Device: Static Route-Based (Unmapped) or Static Policy-Based (Unmapped)
Local Gateway	The Gateway 1 gateway created above
Local Subnet CIDR(s)	The CIDR(s) in the local site
Remote Gateway Type	Aviatrix
Remote Subnet CIDR(s)	The CIDR(s) of the other site
Pre-Shared Key	Can leave blank; will be pre-populated
Remote Gateway IP	The public IP of the other site

Field

Description

Connect Public Cloud to

External Device: Static Route-Based (Unmapped) or Static Policy-Based (Unmapped)

Local Gateway

The Gateway 1 gateway created above

Local Subnet CIDR(s)

The CIDR(s) in the local site

Remote Gateway Type

Aviatrix

Remote Subnet CIDR(s)

The CIDR(s) of the other site

Pre-Shared Key

Can leave blank; will be pre-populated

Remote Gateway IP

The public IP of the other site

Click Save. The connection is listed on the External Connections (S2C) tab.
Download the configuration.
Log in to Gateway 2’s CoPilot on the other site (GW2).
On the Networking > Connectivity > External Connections (S2C) tab, add a new connection using the downloaded configuration information above. This will start the IPsec negotiations between both gateways.

You can check the status of the connection at Diagnostics > Cloud Routes > External Connections.