Static Route-Based External Connection (ActiveMesh)

Static Route-Based ActiveMesh external connection uses IPsec tunneling protocol and static route configuration. This allows the Aviatrix gateway to establish secure connection to an on-premises router or firewall that supports route-based VPN with static configuration.

Static routing is typically used when BGP is not enabled on the remote device for connectivity and routes are manually configured to forward network traffic to specific remote IP addresses (CIDRs)

ActiveMesh enables full mesh peering from the primary and highly available (HA) gateway instances to the remote device for failover redundancy.

In this document, Local Gateway refers to the Aviatrix gateway that you want to connect to a remote device.

Supported Gateways

Transit Gateway in all clouds
Spoke Gateway with BGP enabled in AWS and Azure

External Connection Settings

For information about the options that you can configure for a Site2Cloud (S2C) external connection, refer to About External Connection Settings.

Workflow

To set up a Static Route-Based (ActiveMesh) external connection:

In Aviatrix CoPilot, go to Networking > Connectivity > External Connections (S2C) tab.
From the + External Connection dropdown menu, select External Device.

In Create External Connection to External Device, provide the following information:

Field

Description

Name

A name for the connection.

Type

Select Static Routing over IPsec

Static Routing Type

Select ActiveMesh

Local Gateway

The Local Gateway on which you want to create an external connection to a remote device.

Spoke Gateways only display in this list if BGP is enabled for the Spoke Gateway.

Remote Subnet CIDR(s)

The remote network CIDR(s) to route traffic to the remote network destination.

In the IPsec Configuration section, provide the following information:

Field

Description

Attach Over

The underlying infrastructure of your network.

Private Network: Your underlying infrastructure is a private network, such as AWS Direct Connect and Azure ExpressRoute. When this option is selected, BGP over IPsec runs over private IP addresses.
Public Network: Your underlying infrastructure is a public network or the internet. When this option is selected, BGP over IPsec runs over public IP addresses.

Algorithms

The encryption algorithm and protocol to use for authenticating the communication between the Aviatrix gateway and the on-premises device.

Default: The default Aviatrix-supported encryption algorithms.
Custom: Allows you to modify the algorithm default values.

Internet Key Exchange

Internet Key Exchange (IKE) is the protocol used for authentication and encryption of packets between the Aviatrix gateway and the on-premises device.

IKEv1: Connects to the remote site using IKEv1 protocol.

If you configure IKEv1 in a connection that uses certificate-based authentication and is connecting to another Aviatrix device, you must add the intermediate CAs in addition to the root CA. When an intermediate CA is renewed and re-authentication is attempted, the connection will go down until you add the new certificate.

IKEv2: Connects to the remote site using IKEv2 protocol. This is the recommended protocol.

In the Authentication section, provide the following information:

Field	Description
Authentication Method	The authentication method to use for the connection. Pre-Shared Key: If you select Pre-Shared Key (PSK) authentication, you can provide the PSK when prompted (this is optional). Certificate: If you select certificate-based authentication, in the Remote CA Certificate field, select the certificate you uploaded from your remote device.

Field

Description

Authentication Method

The authentication method to use for the connection.

Pre-Shared Key: If you select Pre-Shared Key (PSK) authentication, you can provide the PSK when prompted (this is optional).
Certificate: If you select certificate-based authentication, in the Remote CA Certificate field, select the certificate you uploaded from your remote device.

In the Tunnel Configuration section, provide the following information:

Field	Description
Remote Device Tunnel Destination IP	The remote device’s interface IP address.
Local Tunnel IP	The local tunnel inner CIDR range allowed to communicate over the tunnel.
Remote Tunnel IP	The remote tunnel inner CIDR range allowed to communicate over the tunnel.
Tunnel Source IP	(Edge Transit Gateway only) An Edge Transit Gateway can have multiple WAN interfaces. Use Tunnel Source IP to specify which WAN interface to use for this connection. For Transit Gateway, this setting defaults to the eth0 IP address.
Pre-Shared Key (Optional)	The Pre-Shared Key configured on the remote device. If a Pre-Shared Key is not specified, the system auto-generates a key.
Remote Identifier SAN	If certificate-based authentication is selected, enter the Subject Alternative Name(SAN) of the remote CA Certificate.

Field

Description

Remote Device Tunnel Destination IP

The remote device’s interface IP address.

Local Tunnel IP

The local tunnel inner CIDR range allowed to communicate over the tunnel.

Remote Tunnel IP

The remote tunnel inner CIDR range allowed to communicate over the tunnel.

Tunnel Source IP

(Edge Transit Gateway only) An Edge Transit Gateway can have multiple WAN interfaces. Use Tunnel Source IP to specify which WAN interface to use for this connection.

For Transit Gateway, this setting defaults to the eth0 IP address.

Pre-Shared Key (Optional)

The Pre-Shared Key configured on the remote device. If a Pre-Shared Key is not specified, the system auto-generates a key.

Remote Identifier SAN

If certificate-based authentication is selected, enter the Subject Alternative Name(SAN) of the remote CA Certificate.

To connect the gateway to another remote device, click +Remote Device and enter the remote device’s IP address and ASN information.

Click Save.

The new static route-based external connection appears in the table.