How can I configure a managed route-based static VPN between AWS and IBM Cloud?


I want to set up a static AWS Site-to-Site VPN connection between AWS and IBM Cloud.

Resolution

To set up a Site-to-Site VPN connection between AWS and IBM Cloud, you must do the following:

  • On the IBM side, configure a virtual private cloud (VPC), subnets, route tables, security groups, and access control list (ACL) rules.
  • On the AWS side, configure a VPC, subnets, and routing.

AWS configuration

  1. Open the Amazon VPC console, and then create a customer gateway. Because you don't know the IP address of the IBM VPN gateway yet, you can enter placeholder details for now. Later, you specify the correct customer gateway IP address and Autonomous System Number (ASN).

    Note: You must create the customer gateway on the AWS side first. The Amazon VPC console allows you to change the customer gateway of a VPN connection after you configure it, but IBM Cloud doesn't allow the equivalent change to its peer gateway.

  2. Open the Amazon VPC console, create a virtual private gateway, and then attach it to your Amazon VPC.

  3. Create a VPN connection. For Virtual private gateway, choose the name of the virtual private gateway that you created. For Customer gateway ID, choose the ID of the customer gateway that you created. For Routing Options, choose Static. (Optional) Under Advanced Options for Tunnel 1, turn on advanced encryption algorithms.

  4. Download the generic Site-to-Site VPN configuration file. Use the information from this file to set up VPN tunnels in IBM Cloud.

IBM Cloud configuration

  1. Open the IBM Cloud console and follow the instructions on the IBM website to create an IKE policy. Enter a name for your policy, and then enter the following details:

    Region: Washington DC
    IKE version: 2
    Authentication: sha1
    Encryption: aes128
    Diffie-Hellman Group: 2
    Key lifetime: 28800

  2. Create an IPsec policy. Enter a name for your policy, and then enter the following details:

    Region: Washington DC
    IKE version: 2
    Authentication: sha1
    Perfect forward secrecy: Turned on
    Diffie-Hellman Group: 2
    Key lifetime: 3600

  3. Create a Site-to-Site VPN connection in IBM Cloud. Enter the details of the IKE and IPsec policies that you created. To create the VPN connection, you need the Peer Gateway IP address and pre-shared keys from AWS. Take this information from the configuration file that you downloaded from AWS before you continue to configure your VPN.

  4. After you create the Site-to-Site VPN on the IBM side, you can view the Public IP address for Tunnel1. Note the IP address to use in the following steps.
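The values you carry from the AWS configuration file into the IBM IKE and IPsec policies must match exactly, or the tunnel never negotiates. As an added example that is not part of this article, the following Python script parses a constructed sample in the shape of the generic AWS configuration file (the layout is an assumption, and the key and addresses are placeholders), extracts the Peer Gateway IP and pre-shared key for each tunnel, and flags any phase 1 or phase 2 parameter that differs from the values listed above.

```python
import re
# IKE (phase 1) and IPsec (phase 2) values the article says to enter on the IBM side.
IBM_IKE = {"auth": "sha1", "enc": "aes128", "dh": 2, "lifetime": 28800}
IBM_IPSEC = {"auth": "sha1", "dh": 2, "lifetime": 3600}
# Constructed sample shaped like AWS's generic config file (layout assumed; values are placeholders).
SAMPLE_CONFIG = """\
IPSec Tunnel #1
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : EXAMPLE_PSK_TUNNEL1
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
#2: IPSec Configuration
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
Outside IP Addresses:
  - Customer Gateway        : 203.0.113.10
  - Virtual Private Gateway : 198.51.100.20
"""
def _field(section, label, pattern=r"(\S+)"):
    # Value of one "  - <label> : <value>" line inside a section.
    return re.search(rf"- {label}\s*:\s*{pattern}", section).group(1)

def _phase(section):
    # Normalise one phase to IBM console names (hmac-sha1-96 -> sha1, aes-128-cbc -> aes128).
    auth = re.search(r"sha\d+", _field(section, "Authentication Algorithm")).group()
    enc = _field(section, "Encryption Algorithm").replace("-cbc", "").replace("-", "")
    dh = _field(section, "Perfect Forward Secrecy", r"Diffie-Hellman Group (\d+)")
    return {"auth": auth, "enc": enc, "dh": int(dh),
            "lifetime": int(_field(section, "Lifetime", r"(\d+)"))}

def parse_tunnels(text):
    # {tunnel_no: {peer_ip, psk, ike, ipsec}}; peer_ip is IBM's "Peer Gateway IP".
    parts = re.split(r"(?m)^IPSec Tunnel #(\d+)\s*$", text)
    tunnels = {}
    for num, body in zip(parts[1::2], parts[2::2]):
        ike, ipsec = body.split("#2: IPSec Configuration", 1)
        tunnels[int(num)] = {"peer_ip": _field(ipsec, "Virtual Private Gateway"),
                             "psk": _field(ike, "Pre-Shared Key"),
                             "ike": _phase(ike), "ipsec": _phase(ipsec)}
    return tunnels

def policy_mismatches(tunnel):
    # Fields where the AWS proposal differs from the IBM policy values (empty = consistent).
    bad = [f"ike.{k}" for k, v in IBM_IKE.items() if tunnel["ike"][k] != v]
    return bad + [f"ipsec.{k}" for k, v in IBM_IPSEC.items() if tunnel["ipsec"][k] != v]
```

Run it against the real file you downloaded in step 4 of the AWS configuration; a non-empty list from `policy_mismatches` tells you which IBM policy field to correct before you create the connection.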

Configure VPN Gateway on the Amazon VPC console

  1. Open the Amazon VPC console, and then create a customer gateway. For IP address, enter the IP address for the IBM VPN and not the secondary IP address.
  2. Navigate to your Site-to-Site VPN connection. Choose Actions, and then choose Modify VPN Connection. Update the target type for the customer gateway. Choose the new customer gateway that uses the IBM VPN IP address.

Note: It takes a few minutes for AWS to modify and update the Site-to-Site VPN connection.

Confirm that the tunnel status is UP, and test the connection

  1. After AWS finishes modifying the Site-to-Site VPN connection, confirm that the tunnel is UP. You must confirm this on both the AWS side and the IBM side. Also, confirm that you have the correct routing. Even when the tunnel is up, neither cloud allows traffic to flow by default.
  2. On the IBM Cloud, configure the security groups and ACLs to allow traffic to flow between IBM and AWS.
  3. On the Amazon VPC console, configure the network ACLs and security groups that are associated with your connection. This allows traffic to flow between AWS and IBM.
  4. Perform a bidirectional connectivity test to check the tunnel connection between IBM and AWS. Be sure to do a ping test from AWS to IBM, and from IBM to AWS.
AWS OFFICIAL, updated 10 months ago