How do use AWS Site-to-Site VPN to create a certificate-based VPN?

3 minute read
1

I want to use AWS Site-to-Site VPN to build a certificate-based IP Security (IPsec) virtual private network (VPN).

Short description

AWS Site-to-Site VPN supports certificate-based authentication through integration with AWS Private Certificate Authority (AWS Private CA). Use digital certificates to build IPsec tunnels with static or dynamic customer gateway IP addresses instead of pre-shared keys for Internet Key Exchange (IKE) authentication.

Note: You can't use an external self-signed certificate for Site-to-Site VPN. For more information on certificate options, see Site-to-Site VPN tunnel authentication options.

Resolution

Install a root and subordinate private CA certificate

Create and install a root CA certificate and a subordinate CA certificate.

Request or create a private certificate

If you have an existing private certificate, then AWS Certificate Manager (ACM) can request the certificate to use as the identity certificate for your customer gateway device. If you don't have an existing private certificate, then create one.

Only the subordinate CA can issue the private certificate, and the subordinate CA must be in AWS Certificate Manager (ACM). If your subordinate CA isn't in ACM, then you can create a certificate signing request (CSR) and import the signed subordinate CA into ACM.

Create a customer gateway

Create a customer gateway for your VPN connection:

  1. Open the Amazon Virtual Private Cloud (Amazon VPC) console.
  2. Choose Customer Gateways. Then, choose Create Customer Gateway.
  3. For Name, enter a name for your customer gateway.
  4. For Routing, select the routing type for your use case.
  5. If your customer gateway IP address is dynamic, then leave the IP Address field empty. If your customer gateway IP address is static, then you can choose to leave this field empty, or specify the IP address.
  6. For Certificate ARN, choose the certificate ARN for your private certificate.
  7. (Optional) For Device, enter a device name.
  8. Choose Create Customer Gateway.

Configure the Site-to-Site VPN

Configure the AWS Site-to-Site VPN connection with a virtual private gateway.

Copy certificates to the customer gateway device

Copy the private certificate, root CA certificate, and subordinate CA certificate to the customer gateway device.

Note: When the AWS VPN requests a certificate for authentication, the customer gateway device presents the private certificate. However, the customer gateway device must have all three certificates present. If the customer gateway device doesn't have all the certificates, then VPN authentication fails.

Related information

Requirements for your customer gateway device

Private certificate from AWS Private Certificate Authority

4 Comments

I see that an IP address is not required for the customer gateway in this setup. Does this mean that a connection can be made where the client is behind CGNAT? I need a site-to-site VPN from AWS VPN to a remote location where that remote location is using a cellular internet connection that uses CGNAT and isn't publicly addressable.

replied a year ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 10 months ago

Is it possible to use an external self-signed certificate for the Site-to-Site (S2S) VPN connection?

User921
replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
replied 9 months ago