Policy based VPN in AWS
A customer wants to establish policy based VPN connectivity from AWS to their data center. I looked at various documentation and still cannot determine whether we can support this or not. Here are the links I’ve reviewed so far:
http://www.mycodingpains.com/establish-policy-based-vpn-connection-aws-hardware-vpn/ https://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/GenericConfigNoBGP.html#DetailedViewCustomerGateway6
questions are:
Can we do this with AWS
What configuration setting makes the VPN setup policy based? Route based?
Thank you
- 新しい順
- 投票が多い順
- コメントが多い順
AWS Supports both Route based and Policy Based VPN (IPSec). If a customer wants to create Policy Based - that's perfectly fine, but there are some limitations.
We support 1 Security Association, customer needs to initiate the traffic (we are responder only), only one tunnel will be UP in Policy-Based.
Here you can find all the requirement: https://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Introduction.html#CGRequirements
you are limited to 1 unique Security Association (SA) pair per tunnel (1 inbound and 1 outbound), and therefore 2 unique SA pairs in total for 2 tunnels (4 SAs). Some devices use policy-based VPN and will create as many SAs as ACL entries. Therefore, you may need to consolidate your rules and then filter so you don't permit unwanted traffic.
What is the device that customer is using on a customer site?
Here is sample config for Policy-based VPN for Cisco ASA: https://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA.html
関連するコンテンツ
AWS公式更新しました 10ヶ月前- AWS公式更新しました 9ヶ月前
- AWS公式更新しました 1年前
