Static Route-Based External Connection (Mapped)

Connect overlapping networks between the cloud and on-prem from a Spoke Gateway or Speciality Gateway.

In this document, Local Gateway refers to the Aviatrix gateway that you want to connect to a remote device.

Supported Gateways

  • Spoke Gateway that is not BGP enabled in AWS, Azure, and GCP

  • Speciality Gateway (not applicable to Public Subnet Filtering Gateway)

External Connection Settings

For information about the options that you can configure for a Site2Cloud (S2C) external connection, refer to About External Connection Settings.

Workflow

To set up a Static Route-Based (Mapped) external connection:

  1. In Aviatrix CoPilot, go to Networking > Connectivity > External Connections (S2C) tab.

  2. From the + External Connection dropdown menu, select External Device.

  3. In Create External Connection to External Device, provide the following information:

    Field Description

    Name

    A name for the connection.

    Type

    Select Static Routing over IPsec.

    Static Routing Type

    Select Mapped NAT.

    Custom Mapped

    Leave Custom Mapped toggle Off.

    Local Gateway

    The Local Gateway on which you want to create an external connection to a remote device.

    Real Local Subnet CIDR(s)

    Specify a list of the source network CIDRs that will be encrypted. If left blank, the full gateway VPC/VNet CIDR is used. If you enter a value, make sure you include the VPC/VNet CIDR as well. These Local Subnets are advertised to the Remote Subnets that the connection can reach. Examples of real local subnets are 172.16.1.0/24, 172.16.2.0/24.

    If you enter multiple real subnets, you must configure an equal number of virtual subnets; one-to-one mapping works only when both sides are configured consistently. The Remote and Local Subnet fields can contain multiple values. If a Local Subnet is outside the gateway VPC/VNet, you must open the gateway inbound security groups to allow that Local Subnet CIDR range.

    Virtual Local Subnet CIDR(s)

    Specify a list of virtual local network CIDRs that map to the real local subnet (for example, for the real local subnet CIDRs listed above, you can have these virtual local subnets: 192.168.7.0/24, 192.168.8.0/24).

    Remote Device Type

    The remote device type.

    • Generic - Use this option for most third-party routers and firewalls.

    • Aviatrix - When terminating on Aviatrix cloud gateways or for peering Controllers in different networks.

    Any other remote device types listed are only valid with Controller version 6.7 or lower. If using a higher Controller version, only select Generic or Aviatrix.

    Real Remote Subnet CIDR(s)

    Specify a list of the destination network CIDRs that will be encrypted (for example, 10.10.1.0/24, 10.10.2.0/24).

    Virtual Remote Subnet CIDR(s)

    Specify a list of virtual remote network CIDRs that map to the real remote subnet (for example, for the real CIDRs listed above, you can have these virtual remote subnets: 192.168.1.0/24, 192.168.2.0/24).

  4. In the IPsec Configuration section, provide the following information:

    Field Description

    Attach Over

    The underlying infrastructure of your network.

    • Private Network: Your underlying infrastructure is a private network, such as AWS Direct Connect or Azure ExpressRoute. When this option is selected, BGP over IPsec runs over private IP addresses.

    • Public Network: Your underlying infrastructure is a public network or the internet. When this option is selected, BGP over IPsec runs over public IP addresses.

    Algorithms

    The encryption and authentication algorithms used to protect communication between the Local Gateway and the remote device.

    • Default: Uses the Aviatrix-supported encryption algorithm default values.

    • Custom: Allows you to modify any of the fields defined below.

      • Phase 1 Authentication

      • Phase 1 DH Groups

      • Phase 1 Encryption

      • Phase 2 Authentication

      • Phase 2 DH Groups

      • Phase 2 Encryption

    Internet Key Exchange

    Internet Key Exchange (IKE) is the protocol used for authentication and encryption of packets between the Aviatrix gateway and the on-premises device.

    • IKEv1: Connects to the remote site using IKEv1 protocol.

      If you configure IKEv1 in a connection that uses certificate-based authentication and is connecting to another Aviatrix device, you must add the intermediate CAs in addition to the root CA. When an intermediate CA is renewed and re-authentication is attempted, the connection will go down until you add the new certificate.

    • IKEv2: Connects to the remote site using IKEv2 protocol. This is the recommended protocol.

  5. In the Authentication section, provide the following information:

    Field Description

    Authentication Method

    The authentication method to use for the connection.

    • Pre-Shared Key: If you select Pre-Shared Key (PSK) authentication, you can provide the PSK when prompted (this is optional).

    • Certificate: If you select certificate-based authentication, in the Remote CA Certificate field, select the certificate you uploaded from your remote device.

  6. In the Tunnel Configuration section, provide the following information:

    Field Description

    Single IP HA

    Enable this setting to create a High Availability (HA) standby instance for each new connection; the standby comes up if the primary instance goes down. When active, each standby instance uses the same IP address as the primary for the remote connection.

    Remote Device IP

    The remote device’s interface IP address.

    Local Gateway Instance

    The Local Gateway’s IP address.

    Pre-Shared Key (Optional)

    The Pre-Shared Key configured on the remote device. If a Pre-Shared Key is not specified, the system auto-generates a key.

    Remote Identifier SAN

    If certificate-based authentication is selected, enter the Subject Alternative Name (SAN) of the remote CA Certificate.

  7. Click Save.

    The new static route-based external connection appears in the table.
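The following Python script is an added worked example, not Aviatrix code, that models what the Mapped NAT settings in step 3 mean for an actual packet. It uses the CIDR examples from the table above (real local 172.16.1.0/24 and 172.16.2.0/24 mapped to virtual local 192.168.7.0/24 and 192.168.8.0/24; real remote 10.10.1.0/24 and 10.10.2.0/24 mapped to virtual remote 192.168.1.0/24 and 192.168.2.0/24). The translation direction is an assumption of the example: a local host addresses the remote host by its virtual remote address, and the gateway rewrites the source to the virtual local subnet and the destination to the real remote subnet before the packet enters the tunnel, with the inverse on the reply. The equal-prefix-length and no-overlap checks in `build_mapping` are also assumptions added here, beyond the page's stated requirement that the real and virtual lists have equal length. `local_subnets_outside_vpc` reports the real local subnets that fall outside the gateway VPC/VNet CIDR, which are the ones the page says need inbound security group rules.

```python
"""Worked model of Mapped NAT for a static route-based Site2Cloud connection.
Added example, not Aviatrix code; assumptions are marked in comments."""
import ipaddress

# Constructed from the CIDR examples on this page.
REAL_LOCAL = ["172.16.1.0/24", "172.16.2.0/24"]
VIRTUAL_LOCAL = ["192.168.7.0/24", "192.168.8.0/24"]
REAL_REMOTE = ["10.10.1.0/24", "10.10.2.0/24"]
VIRTUAL_REMOTE = ["192.168.1.0/24", "192.168.2.0/24"]


def build_mapping(real_cidrs, virtual_cidrs):
    """Pair real and virtual CIDRs by position (one-to-one mapping).

    The page requires equal list lengths. Two further checks are assumptions
    of this example: each pair must share a prefix length so every host in
    the real subnet has exactly one virtual counterpart, and CIDRs within one
    list must not overlap, otherwise a host could match two mappings.
    """
    if len(real_cidrs) != len(virtual_cidrs):
        raise ValueError("real and virtual subnet lists must have the same length")
    real = [ipaddress.ip_network(c) for c in real_cidrs]
    virtual = [ipaddress.ip_network(c) for c in virtual_cidrs]
    for nets in (real, virtual):
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.overlaps(b):
                    raise ValueError(f"{a} overlaps {b} in the same list")
    pairs = []
    for r, v in zip(real, virtual):
        if r.prefixlen != v.prefixlen:
            raise ValueError(f"{r} and {v} have different prefix lengths")
        pairs.append((r, v))
    return pairs


def translate(address, pairs):
    """Rewrite an address from the first subnet of a pair into the second,
    preserving the host offset. Raises if no mapped subnet contains it."""
    addr = ipaddress.ip_address(address)
    for src_net, dst_net in pairs:
        if addr in src_net:
            offset = int(addr) - int(src_net.network_address)
            return str(dst_net.network_address + offset)
    raise ValueError(f"{addr} is not covered by any mapped subnet")


def reverse(pairs):
    """Swap the direction of every (real, virtual) pair."""
    return [(v, r) for r, v in pairs]


def outbound(src_real_local, dst_virtual_remote, local_pairs, remote_pairs):
    """Packet leaving the local VPC towards the tunnel.

    Assumed translation model: source real local -> virtual local (SNAT),
    destination virtual remote -> real remote (DNAT). Returns the
    (source, destination) seen inside the tunnel.
    """
    return (translate(src_real_local, local_pairs),
            translate(dst_virtual_remote, reverse(remote_pairs)))


def inbound(src_real_remote, dst_virtual_local, local_pairs, remote_pairs):
    """Reply arriving from the tunnel; the inverse of outbound(). Returns the
    (source, destination) delivered into the local VPC."""
    return (translate(src_real_remote, remote_pairs),
            translate(dst_virtual_local, reverse(local_pairs)))


def local_subnets_outside_vpc(gateway_vpc_cidr, real_local_cidrs):
    """Real local subnets outside the gateway VPC/VNet CIDR. The page says
    these need gateway inbound security group rules; this lists them."""
    vpc = ipaddress.ip_network(gateway_vpc_cidr)
    return [c for c in real_local_cidrs
            if not ipaddress.ip_network(c).subnet_of(vpc)]


if __name__ == "__main__":
    local = build_mapping(REAL_LOCAL, VIRTUAL_LOCAL)
    remote = build_mapping(REAL_REMOTE, VIRTUAL_REMOTE)
    # A real local host addresses the remote host by its virtual remote address.
    print("in tunnel:", outbound("172.16.1.10", "192.168.1.20", local, remote))
    print("reply to VPC:", inbound("10.10.1.20", "192.168.7.10", local, remote))
    # Gateway VPC CIDR here is a constructed value for illustration.
    print("needs SG rules:", local_subnets_outside_vpc("172.16.1.0/24", REAL_LOCAL))
```

Running the script shows that 172.16.1.10 talking to 192.168.1.20 appears inside the tunnel as 192.168.7.10 to 10.10.1.20, which is why the remote device only needs a route for the virtual local subnets, and why a count or prefix-length mismatch between the real and virtual lists breaks the mapping before any packet is sent.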