Secure way to set up IPsec VPN between IBM Cloud and an AWS-managed VPN endpoint with static routing

4 minute read
Content level: Advanced

Abstract: This article presents a comprehensive guide on establishing a secure IPsec VPN connection between IBM Cloud and an AWS-managed VPN endpoint using static routing. It outlines step-by-step instructions, best practices, and key considerations to ensure a robust and reliable connection, enhancing the security and interoperability of multi-cloud environments.

This article covers a route-based Site-to-Site VPN tunnel configuration between AWS and IBM Cloud using static routing (no BGP). It is aimed at organizations and engineers who want a multi-cloud architecture for high availability.

Prerequisite:

- On the IBM Cloud side: a Virtual Private Cloud (VPC), subnets, route tables, and the associated security group and network ACL rules.

- On the AWS side: a Virtual Private Cloud (VPC), subnets, and routing.

Architecture

[Architecture diagram]

Configuration on AWS side:

  1. Start with the Site-to-Site VPN Connection on AWS. AWS lets you swap the Customer Gateway of an existing VPN connection later ("Modify VPN Connection"), whereas the IBM side needs the AWS peer address and pre-shared key before its connection can be created. 

Note: You first need to create a “dummy” Customer Gateway, because you do not know the IP address of the IBM VPN gateway yet. Any syntactically valid public IP address and ASN will do, since you will later create a new Customer Gateway with the real IBM gateway IP and replace this one.


2. Create a Virtual Private Gateway in the AWS VPC console and attach it to your VPC.

3. Create a Site-to-Site VPN connection in the AWS console, selecting the Customer Gateway (created in step 1) and the Virtual Private Gateway (created in step 2). Make sure the Routing Options are set to Static. 

Note: Under "Advanced Options for Tunnel 1", choosing the encryption algorithms is optional and the defaults will work. For a production deployment, restrict the proposals to modern algorithms (AES-256, SHA-2 and DH group 14 or higher) and remember that whatever you select here must be matched exactly in the IKE and IPsec policies you create on the IBM side.


4. While the VPN connection is being set up (this takes a few minutes), download the configuration file. You will need the peer address, pre-shared key and algorithm parameters from that file to set up the VPN tunnel on the IBM side. Treat the file as a secret: it contains the pre-shared keys in clear text.


Configuration on IBM Cloud side:

5. The first thing to create on the IBM side is an “IKE Policy (Phase-1 Parameters)”. Its encryption algorithm, authentication algorithm, DH group and key lifetime must match what AWS proposes in the downloaded configuration file.

6. Next, create an “IPsec Policy (Phase-2 Parameters)”, again matching the IPsec encryption and authentication algorithms, PFS group and key lifetime from the configuration file.

7. Now create a VPN gateway and a new Site-to-Site VPN connection, specifying the IKE policy (created in step 5) and the IPsec policy (created in step 6).

  • To create a VPN connection in IBM Cloud, you need the "Peer Gateway IP address" and the "Pre-Shared Key". Take both from the configuration file downloaded in step 4: the peer address is the AWS Virtual Private Gateway's outside IP for Tunnel 1, and the pre-shared key is the one listed for that same tunnel.

8. Once the VPN gateway is created on the IBM side, you will see the public IP address for “Tunnel1” (in my case 169.63.177.120). With this address, go back to AWS and create a new Customer Gateway.
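Steps 4 to 7 boil down to copying values out of the AWS configuration file into the IBM forms, and a single typo in an algorithm or lifetime leaves the tunnel stuck in phase 1 or phase 2. The script below is an added example (not part of the original article or of either cloud's tooling) that parses the XML layout of the AWS "Generic" configuration download, returns the IBM-side values per tunnel, compares them against the IKE/IPsec policies you created, and flags legacy algorithms. The embedded XML is a constructed sample with hypothetical IDs, RFC 5737 addresses and placeholder keys, and the AWS-to-IBM algorithm name mapping is an assumption to confirm against the IBM console.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the 'Generic' AWS configuration file
# (hypothetical IDs, RFC 5737 addresses, placeholder keys). Feed it the real file downloaded in step 4.
SAMPLE_AWS_CONFIG = """<?xml version="1.0"?>
<vpn_connection id="vpn-0123456789abcdef0">
  <customer_gateway_id>cgw-0123456789abcdef0</customer_gateway_id>
  <vpn_gateway_id>vgw-0123456789abcdef0</vpn_gateway_id>
  <vpn_connection_type>ipsec.1</vpn_connection_type>
  <ipsec_tunnel>
    <customer_gateway><tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address></customer_gateway>
    <vpn_gateway><tunnel_outside_address><ip_address>198.51.100.1</ip_address></tunnel_outside_address></vpn_gateway>
    <ike><authentication_protocol>sha1</authentication_protocol><encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>28800</lifetime><perfect_forward_secrecy>group2</perfect_forward_secrecy><pre_shared_key>EXAMPLEpsk1.notARealKey</pre_shared_key></ike>
    <ipsec><protocol>esp</protocol><authentication_protocol>hmac-sha1-96</authentication_protocol><encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>3600</lifetime><perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <dead_peer_detection><interval>10</interval><retries>3</retries></dead_peer_detection></ipsec>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway><tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address></customer_gateway>
    <vpn_gateway><tunnel_outside_address><ip_address>198.51.100.2</ip_address></tunnel_outside_address></vpn_gateway>
    <ike><authentication_protocol>sha1</authentication_protocol><encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>28800</lifetime><perfect_forward_secrecy>group2</perfect_forward_secrecy><pre_shared_key>EXAMPLEpsk2.notARealKey</pre_shared_key></ike>
    <ipsec><protocol>esp</protocol><authentication_protocol>hmac-sha1-96</authentication_protocol><encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>3600</lifetime><perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <dead_peer_detection><interval>10</interval><retries>3</retries></dead_peer_detection></ipsec>
  </ipsec_tunnel>
</vpn_connection>
"""

# AWS names -> the short names used when filling in the IBM IKE/IPsec policies.
# Assumed mapping for this example; confirm against the IBM console drop-downs.
ENCRYPTION = {"aes-128-cbc": "aes128", "aes-192-cbc": "aes192", "aes-256-cbc": "aes256"}
INTEGRITY = {"sha1": "sha1", "hmac-sha1-96": "sha1", "sha2-256": "sha256",
             "hmac-sha2-256-128": "sha256", "sha2-384": "sha384", "hmac-sha2-384-192": "sha384",
             "sha2-512": "sha512", "hmac-sha2-512-256": "sha512"}
# The policies created in steps 5 and 6 (constructed example values).
IBM_IKE_POLICY = {"encryption": "aes128", "authentication": "sha1", "dh_group": 2, "key_lifetime": 28800}
IBM_IPSEC_POLICY = {"encryption": "aes128", "authentication": "sha1", "dh_group": 2, "key_lifetime": 3600}


def _text(node, path):
    child = node.find(path) if node is not None else None
    if child is None or not child.text:
        raise ValueError(f"missing <{path}> in AWS configuration")
    return child.text.strip()


def _phase(node):
    """Normalise one <ike> or <ipsec> block; dh_group is the PFS group for IPsec."""
    enc, auth = _text(node, "encryption_protocol"), _text(node, "authentication_protocol")
    return {"encryption": ENCRYPTION.get(enc, enc), "authentication": INTEGRITY.get(auth, auth),
            "dh_group": int(_text(node, "perfect_forward_secrecy")[len("group"):]),
            "key_lifetime": int(_text(node, "lifetime"))}


def parse_aws_vpn_config(xml_text):
    """One dict per <ipsec_tunnel>: exactly what the IBM VPN connection form asks for."""
    tunnels = []
    for tun in ET.fromstring(xml_text).findall("ipsec_tunnel"):
        ike, ipsec = tun.find("ike"), tun.find("ipsec")
        tunnels.append({
            # 'Peer gateway address' on the IBM side is the AWS VGW outside address, not the customer_gateway one
            "peer_gateway_ip": _text(tun, "vpn_gateway/tunnel_outside_address/ip_address"),
            "preshared_key": _text(ike, "pre_shared_key"),
            "ike": _phase(ike),
            "ipsec": _phase(ipsec),
            "dpd_interval": int(_text(ipsec, "dead_peer_detection/interval")),
            "dpd_retries": int(_text(ipsec, "dead_peer_detection/retries")),
        })
    return tunnels


def policy_mismatches(tunnel, ike_policy, ipsec_policy):
    """Any difference here later shows up as a tunnel stuck in phase 1 or phase 2."""
    problems = []
    for phase, proposed, configured in (("IKE", tunnel["ike"], ike_policy), ("IPsec", tunnel["ipsec"], ipsec_policy)):
        for key, value in proposed.items():
            if configured.get(key) != value:
                problems.append(f"{phase} {key}: AWS proposes {value!r}, IBM policy has {configured.get(key)!r}")
    return problems


def weak_choices(tunnel):
    """Flag legacy algorithms (MD5/SHA-1 integrity, 1024-bit or smaller MODP groups) in the proposal;
    pick stronger ones under 'Advanced Options' in step 3 instead of accepting them."""
    findings = []
    for phase in ("ike", "ipsec"):
        if tunnel[phase]["authentication"] in ("md5", "sha1"):
            findings.append(f"{phase}: {tunnel[phase]['authentication']} integrity")
        if tunnel[phase]["dh_group"] in (1, 2, 5):
            findings.append(f"{phase}: DH group {tunnel[phase]['dh_group']}")
    return findings


if __name__ == "__main__":
    tunnel1 = parse_aws_vpn_config(SAMPLE_AWS_CONFIG)[0]  # the article brings up Tunnel 1 only
    print("Peer gateway address:", tunnel1["peer_gateway_ip"])
    print("Pre-shared key:", tunnel1["preshared_key"])
    print("Policy mismatches:", policy_mismatches(tunnel1, IBM_IKE_POLICY, IBM_IPSEC_POLICY) or "none")
    print("Weak algorithm choices:", weak_choices(tunnel1) or "none")
```

Run it against the real download (read the file into `parse_aws_vpn_config`) before filling in the IBM forms; the second tunnel's values are there too if you later bring up Tunnel 2 for redundancy. Because the file holds the pre-shared keys in clear text, keep it out of version control and delete it once the connection is up.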

Return to the AWS console and point the VPN connection at the real IBM gateway IP

9. In AWS, go to Customer Gateways and click “Create Customer Gateway”.

Note: For this gateway, use the primary public IP address (169.63.177.120) of the IBM VPN gateway, not the secondary IP.

10. Once the new Customer Gateway is created, go to the Site-to-Site VPN Connection and click “Actions -> Modify VPN Connection”. Change the target type to Customer Gateway and select the newly created Customer Gateway (the one using the actual IBM VPN IP).

Note: AWS will modify the VPN connection; this again takes a few minutes.

11. You are almost there! After AWS has finished modifying the VPN connection, both sides should show the tunnel as up.

[Screenshot: AWS side, tunnel status UP]

[Screenshot: IBM side, Tunnel 1 status UP]

Bi-directional Connectivity test

12. Once the VPN tunnel between IBM and AWS is up, make sure the routing is in place: the remote cloud's CIDR must be a static route on the AWS VPN connection and in the VPC route table, and on the IBM side in the VPC routing table. Also note that the default security groups on both ends (AWS and IBM) do not allow inbound traffic from the remote network, so nothing will flow until you open it.

  • In IBM Cloud, configure the Security Groups and Network ACLs to allow the required traffic between IBM and AWS. 
  • In AWS, configure the Network ACLs and Security Groups to allow only the traffic that should flow between IBM and AWS; for a first test, ICMP from the remote CIDR is enough. 

[Screenshot: ping test from AWS to IBM]

[Screenshot: ping test from IBM to AWS]

Author: AWS (Expert), published 6 months ago