Configuration of Static Site-to-Site VPN with Single IP Encryption Domain: Seeking Feedback and Documentation

0

Dear Community,

We have received a request from a client to configure a static Site-to-Site VPN using static routes (not dynamic routes). They require that the encryption domain be limited to a single IP address on both our side and their side to meet their VPN connection configuration standards. Specifically, they wish to expose only one device on their end, which will connect to a remote IP address within our cloud infrastructure.

The client does not wish to use broader CIDR ranges for the Local IPv4 network or the Remote IPv4 CIDR parameters, such as:

  • set address VPC-SUBNET 10.0.0.0/16
  • set address LAN-SUBNET 192.168.0.0/16

We understand that it is possible to define a single IP address in the static routes of the Site-to-Site VPN configuration, and this option has been communicated to the client. However, they have insisted that their requirement for using a single IP address for the encryption domain is achievable.

Although no visible restrictions are apparent when setting these values through the web console or command line interface, we seek to understand if it is possible to comply with the client's request based on official AWS documentation, or any relevant Site-to-Site IPsec VPN documentation. Specifically, we are looking for information on whether this requirement can be met, or if it must adhere to certain prefix ranges, for example, subnet definitions within AWS Cloud that typically require a range from /16 to /28.

Additionally, we would like to confirm if it is feasible to define a single IP address in the static routes of the Site-to-Site VPN instead of using a broader encryption domain.

We appreciate your input and any official documentation or relevant resources you can provide on this matter.


Kind regards,

2 Answers
3

For the VPN tunnel IP addresses you can use /30 CIDRs from the 169.254.0.0/16 range as described in the documentation under the Inside tunnel IPv4 CIDR section.

Regarding allowing communication over the VPN tunnel only for specific /32 IP addresses: there is no such restriction. Any CIDR range from /0 to /32 is allowed (the defaults for Local IPv4 Network CIDR and Remote IPv4 Network CIDR are 0.0.0.0/0, but they can be set to a specific a.b.c.d/32 IP address).

AWS EXPERT, answered 16 days ago
EXPERT, reviewed 16 days ago
AWS EXPERT, reviewed 16 days ago
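As an added illustration (not part of either answer, and not AWS code), the rules stated in the answer above can be written down as a pre-flight check that an operator runs before creating the Site-to-Site VPN: the two encryption-domain CIDRs may use any prefix length from /0 to /32, so a single /32 host passes, while the inside-tunnel CIDRs must be /30 blocks from 169.254.0.0/16. The list of reserved /30 blocks inside that range comes from the AWS VPN documentation rather than from this thread and is marked as an assumption to confirm; the mapping Local = customer gateway side, Remote = AWS side follows AWS naming, and the sample values are the /32 pair reported in the second answer below.

```python
import ipaddress

# Rules stated in the answer above: the Local/Remote IPv4 network CIDRs may use
# any prefix from /0 to /32; inside-tunnel CIDRs must be a /30 from 169.254.0.0/16.
TUNNEL_INSIDE_RANGE = ipaddress.ip_network("169.254.0.0/16")
TUNNEL_INSIDE_PREFIXLEN = 30

# Assumption: /30 blocks that AWS reserves inside 169.254.0.0/16, taken from the
# AWS VPN documentation rather than from this thread; confirm against current docs.
RESERVED_TUNNEL_BLOCKS = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30",
)]


def check_network_cidr(value):
    """Validate a Local or Remote IPv4 network CIDR; return (ok, message).

    Any prefix from /0 to /32 passes, so a single host (10.0.0.29/32) is a
    valid encryption domain. strict=True rejects a host address written with
    a shorter prefix (10.0.0.29/24), which almost always means /32 was intended.
    """
    try:
        net = ipaddress.ip_network(value, strict=True)
    except ValueError as exc:
        return False, f"{value}: {exc}"
    if net.version != 4:
        return False, f"{value}: only IPv4 encryption domains are checked here"
    return True, f"{value}: ok, /{net.prefixlen} covers {net.num_addresses} address(es)"


def check_tunnel_inside_cidr(value):
    """Validate an inside-tunnel CIDR (the /30 link addresses); return (ok, message)."""
    try:
        net = ipaddress.ip_network(value, strict=True)
    except ValueError as exc:
        return False, f"{value}: {exc}"
    if net.version != 4 or net.prefixlen != TUNNEL_INSIDE_PREFIXLEN:
        return False, f"{value}: inside-tunnel CIDR must be an IPv4 /{TUNNEL_INSIDE_PREFIXLEN}"
    if not net.subnet_of(TUNNEL_INSIDE_RANGE):
        return False, f"{value}: must be inside {TUNNEL_INSIDE_RANGE}"
    for reserved in RESERVED_TUNNEL_BLOCKS:
        if net.overlaps(reserved):
            return False, f"{value}: overlaps reserved block {reserved}"
    return True, f"{value}: ok"


def plan_single_host_vpn(local_cidr, remote_cidr, tunnel_cidrs):
    """Check a whole static S2S VPN plan and return a summary dict.

    Per AWS naming: local_cidr is the customer-gateway (on-premises) side,
    remote_cidr is the AWS side. tunnel_cidrs holds one inside CIDR per tunnel
    (AWS builds two). The VPN connection's static route must list the
    on-premises prefix, so that is what 'static_route' reports.
    """
    problems = []
    for label, cidr in (("local", local_cidr), ("remote", remote_cidr)):
        ok, msg = check_network_cidr(cidr)
        if not ok:
            problems.append(f"{label}: {msg}")
    for cidr in tunnel_cidrs:
        ok, msg = check_tunnel_inside_cidr(cidr)
        if not ok:
            problems.append(f"tunnel: {msg}")
    if len(set(tunnel_cidrs)) != len(tunnel_cidrs):
        problems.append("tunnel: inside CIDRs must differ between the two tunnels")
    if not problems:
        local = ipaddress.ip_network(local_cidr)
        remote = ipaddress.ip_network(remote_cidr)
        if local.overlaps(remote):
            problems.append(f"local {local} overlaps remote {remote}")
    return {
        "ok": not problems,
        "problems": problems,
        "static_route": local_cidr if not problems else None,
    }


if __name__ == "__main__":
    # Constructed sample using the /32 pair from the second answer in this thread;
    # the inside-tunnel /30s are made-up values chosen outside the reserved blocks.
    print(plan_single_host_vpn("192.168.0.35/32", "10.0.0.29/32",
                               ["169.254.10.0/30", "169.254.11.0/30"]))
```

The check deliberately uses strict parsing: an operator who types 192.168.0.35/24 for a single host gets an error instead of silently widening the encryption domain to the whole /24, which is exactly the outcome the client in the question wants to avoid.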
0

Hello,

I tested the environment you mentioned to see if it's actually feasible. To mimic the customer's environment, I created an instance in a VPC from a different region and installed Libreswan.

[Image: s2s]

The Local IPv4 network CIDR of the configured environment is 192.168.0.35/32, and the Remote IPv4 network CIDR is 10.0.0.29/32.

I was able to establish the connection without any issues or restrictions in this environment, and the connection was successful.

[Image: result]

Sean
answered 16 days ago
