VPN configuration example: AWS VPC

This page provides more specific values for configuring a VPN connection between Skytap and an AWS VPC. It contains sample VPN configuration parameters to enter on the Skytap VPN page, as well as the configuration values to enter in your AWS account.

For general information about the configuration process for each side of the VPN connection, first see:

Sample VPN configuration

In your AWS account:

  1. Follow the instructions at Setting Up an AWS VPN Connection.

    • Use the following values for the Customer Gateway:

      • Routing: Static
      • IP address: Enter the static public IP address that is (or will be) associated with your Skytap VPN. This is either automatically assigned when you click Create VPN in Skytap, or you can manually select from the available static public IP addresses in your Skytap account.
    • Use the following values for the VPN connection:

      • Routing option: Static
      • Static IP prefixes: Enter the subnet range for the IP addresses you want to access in your Skytap account. This value must match the Skytap subnet range defined in your Skytap VPN configuration.
  2. Download the VPN configuration file. This contains the pre-shared key you’ll need to enter in the Skytap VPN configuration page.
  3. Note the Outside IP Address from the Tunnel Details tab for the VPN connection. This is the Remote Peer IP value for the Skytap VPN configuration.
  4. Edit your Route Tables and Security Groups to allow traffic from the VPN connection you set up. For example:

    1. Create a Route and set the following values:

      • Destination: One of the Skytap subnet ranges defined in the VPN Static IP prefixes field of the VPN connection.
      • Target: The AWS Virtual Private Gateway you created earlier.
    2. Create a Security Group that allows incoming traffic from IP addresses in the Skytap subnet ranges. The example here opens all ports; in practice, scope the inbound rules to the ports your workloads actually need.

    Traffic cannot flow through the VPN unless it is explicitly allowed by both the Route Table and the Security Group.

Skytap VPN configuration

Parameters to enter on your Skytap VPN page:

Parameter Name

Value to enter

Name

Name for your Skytap VPN

Example: aws-us-east-1-vpn

Remote Peer IP

Enter the Outside IP Address from the Tunnel Details tab of the AWS VPN connection.

Region

N/A. This is automatically populated when you select a public IP address for the Skytap peer IP field (see below).

Example: US-East

Skytap peer IP

An available public IP address in your Skytap account. Select a public IP address in the same region as the VMs you want to connect to.

Example: 199.199.199.199

This value is entered in the IP address field of the Customer Gateway in your AWS account.

Skytap subnet

This is the range of VM IP addresses in Skytap that send and receive traffic through this VPN. It cannot overlap with the included remote subnet(s) defined below.

This must match the value in the Static IP prefixes field of the AWS VPN connection.

Apply NAT for Connected Networks

YES

Topology

Route-based

Phase 1 Encryption Algorithm

aes 256

Phase 1 Hash Algorithm

sha1

Phase 1 pre-shared Key

[SHARED SECRET KEY]

This must match the pre-shared key in the VPN configuration file you downloaded from AWS.

Phase 1 SA lifetime

28800

Phase 1 DH group

modp1024

modp1024 (DH group 2) and sha1 are weak by current standards. If the tunnel options on the AWS VPN connection are configured with stronger algorithms (for example a 2048-bit DH group and a SHA-2 hash), enter the matching values here; the tunnel will not negotiate unless both sides propose the same suite.

Phase 2 encryption algorithm

aes 256

Phase 2 authentication algorithm

hmac_sha1

Phase 2 perfect forward secrecy (PFS)

Yes

Phase 2 PFS group

modp1024

Phase 2 SA lifetime

3600

SA policy level

require

Specify maximum segment size

Yes

Maximum segment size

1379

Dead peer detection

On

Included remote subnets

Enter the IP addresses and subnets on your AWS VPC that will send and receive traffic through this VPN.

Example: 10.1.15.0/24

The subnet(s) should be based on the traffic allowed by your AWS Route Tables and Security Groups.

Excluded remote subnets

Subset of IP addresses and subnets on the AWS VPC that should be excluded from using the VPN tunnel. This is used only to define exclusions for VPN traffic from larger included remote subnets (defined above).

Example: 10.1.15.17/32
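The AWS-side steps above and the Skytap parameter table describe values that must agree across the two consoles: the peer IPs cross-reference each other, the Skytap subnet must equal the AWS Static IP prefixes and not overlap the included remote subnets, exclusions must lie inside an included subnet, and the pre-shared key and IKE/IPsec proposals must match. The following script is an added example (not Skytap or AWS code) that checks those relationships before you submit either form. All addresses, the pre-shared key and the dataclass field names are constructed placeholders; the MODP-to-DH-group mapping is from the IKE RFCs, not from this page.

```python
"""Consistency checks for a static-route Skytap <-> AWS VPC VPN.

Added example, not Skytap or AWS code. Given the values you plan to enter
on the Skytap VPN page and the values configured on the AWS side, it lists
the mismatches that stop the tunnel from negotiating or passing traffic.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# MODP names used on the Skytap page mapped to IKE DH group numbers
# (RFC 2409 / RFC 3526); assumption: AWS tunnel options use the numbers.
DH_GROUP = {"modp1024": 2, "modp1536": 5, "modp2048": 14,
            "modp3072": 15, "modp4096": 16}


@dataclass
class SkytapSide:
    """Values to be entered on the Skytap VPN page (constructed sample)."""
    name: str
    remote_peer_ip: str            # AWS Tunnel Details -> Outside IP Address
    skytap_peer_ip: str            # static public IP from the Skytap account
    skytap_subnet: str             # VM range that uses the tunnel
    included_remote_subnets: List[str]
    excluded_remote_subnets: List[str] = field(default_factory=list)
    preshared_key: str = ""
    phase1_hash: str = "sha1"
    phase1_dh_group: str = "modp1024"
    phase2_pfs_group: str = "modp1024"


@dataclass
class AwsSide:
    """Values configured on the AWS Customer Gateway / VPN connection."""
    customer_gateway_ip: str       # Customer Gateway -> IP address
    outside_ip: str                # VPN connection -> Tunnel Details -> Outside IP
    static_ip_prefixes: List[str]  # VPN connection -> Static IP prefixes
    vpc_cidrs: List[str]           # VPC CIDR blocks the routes/SGs cover
    preshared_key: str             # from the downloaded configuration file
    ike_hash: str = "sha1"
    ike_dh_group: int = 2
    ipsec_pfs_group: int = 2


def _nets(cidrs: List[str]):
    # strict=True rejects host bits set in a prefix (e.g. 10.1.15.5/24).
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def check(skytap: SkytapSide, aws: AwsSide) -> List[str]:
    """Return human-readable problems; an empty list means consistent."""
    problems: List[str] = []

    # Peer addresses must cross-reference each other and be public.
    if skytap.remote_peer_ip != aws.outside_ip:
        problems.append("Remote Peer IP must equal the AWS tunnel Outside IP Address")
    if skytap.skytap_peer_ip != aws.customer_gateway_ip:
        problems.append("Skytap peer IP must equal the AWS Customer Gateway IP address")
    for label, ip in (("Skytap peer IP", skytap.skytap_peer_ip),
                      ("Remote Peer IP", skytap.remote_peer_ip)):
        if not ipaddress.ip_address(ip).is_global:
            problems.append(f"{label} {ip} is not a public address")

    # Skytap subnet == AWS static routes, and it must not overlap the VPC side.
    local = ipaddress.ip_network(skytap.skytap_subnet, strict=True)
    if {local} != set(_nets(aws.static_ip_prefixes)):
        problems.append("Skytap subnet must match the AWS Static IP prefixes")
    included = _nets(skytap.included_remote_subnets)
    vpc = _nets(aws.vpc_cidrs)
    for net in included:
        if local.overlaps(net):
            problems.append(f"Skytap subnet {local} overlaps included remote subnet {net}")
        if not any(net.subnet_of(v) for v in vpc):
            problems.append(f"included remote subnet {net} is not inside any VPC CIDR")

    # Exclusions only carve holes out of an included subnet.
    for net in _nets(skytap.excluded_remote_subnets):
        if not any(net.subnet_of(inc) for inc in included):
            problems.append(f"excluded remote subnet {net} is not within an included remote subnet")

    # PSK and proposals must agree or IKE never completes.
    if skytap.preshared_key != aws.preshared_key:
        problems.append("Phase 1 pre-shared key differs from the AWS configuration file")
    if skytap.phase1_hash != aws.ike_hash:
        problems.append(f"Phase 1 hash {skytap.phase1_hash} != AWS IKE hash {aws.ike_hash}")
    if DH_GROUP.get(skytap.phase1_dh_group) != aws.ike_dh_group:
        problems.append(f"Phase 1 DH group {skytap.phase1_dh_group} != AWS group {aws.ike_dh_group}")
    if DH_GROUP.get(skytap.phase2_pfs_group) != aws.ipsec_pfs_group:
        problems.append(f"Phase 2 PFS group {skytap.phase2_pfs_group} != AWS group {aws.ipsec_pfs_group}")
    return problems


# Constructed sample built from the page's example values; placeholder addresses.
GOOD_SKYTAP = SkytapSide(
    name="aws-us-east-1-vpn",
    remote_peer_ip="199.199.199.200",
    skytap_peer_ip="199.199.199.199",
    skytap_subnet="10.0.0.0/24",
    included_remote_subnets=["10.1.15.0/24"],
    excluded_remote_subnets=["10.1.15.17/32"],
    preshared_key="example-psk",
)
GOOD_AWS = AwsSide(
    customer_gateway_ip="199.199.199.199",
    outside_ip="199.199.199.200",
    static_ip_prefixes=["10.0.0.0/24"],
    vpc_cidrs=["10.1.0.0/16"],
    preshared_key="example-psk",
)

if __name__ == "__main__":
    for line in check(GOOD_SKYTAP, GOOD_AWS) or ["OK: Skytap and AWS values are consistent"]:
        print(line)
```

Run it with the values you intend to enter; every line it prints corresponds to a rule stated on this page, and a clean run means the two consoles describe the same tunnel. It does not talk to AWS or Skytap, so it cannot tell you whether the Route Table and Security Group actually permit the traffic; that still has to be verified in the AWS console.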