
Certificate-based VPN using AWS Site-to-Site VPN where customer gateway is behind CGNAT


I see that an IP address is not required for the customer gateway when you make a site to site VPN that is certificate-based, as described here:

https://repost.aws/knowledge-center/vpn-certificate-based-site-to-site

Does this mean that a connection can be made where the client is behind CGNAT? I need a site-to-site VPN from AWS VPN to a remote location where that remote location is using a cellular internet connection that uses CGNAT and isn't publicly addressable.

I have read the post here, but the answer seems unclear (it states that the IP is optional, but also says it must be static, and if it is behind NAT it must be the public-facing IP of the NAT device... but it is optional, so I don't understand why those other requirements are even relevant to the question):

https://repost.aws/questions/QUGJ-vwDbMR9uI8cfIbeWRfA/site-to-site-vpn-with-dynamic-wan-address-lte-starlink-etc

asked 3 years ago, 227 views
1 Answer

From a technical perspective, the setup is feasible, and there are no inherent issues if the Site-to-Site VPN tunnel is initiated by the Customer Gateway (CGW) device. Given that the CGW is behind Carrier-Grade NAT (CGNAT), a few conditions must be met:

Initiation of Traffic: The CGW device must always initiate the VPN traffic due to its dynamic IP nature.

Port Accessibility: The carrier should allow traffic on UDP ports 500 and 4500. This is crucial because UDP ports 500 and 4500 are used for VPN negotiations and encapsulation.

If your CGW device does not support NAT Traversal (NAT-T), which involves converting to UDP port 4500 and encapsulating ESP packets within UDP port 4500 headers, then the carrier must permit traffic on UDP port 500 in addition to allowing the ESP protocol.

AWS
answered a year ago
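As an added illustration that is not part of the question or the answer (the page names no particular CGW software), this is how the conditions listed above map onto a strongSwan swanctl.conf for a CGW that has to initiate from behind CGNAT. The tunnel address, subnets, certificate file names and identities are placeholders; the real values come from the configuration file AWS generates for the VPN connection.

```ini
connections {
    aws-tunnel1 {
        version = 2
        # local_addrs is deliberately left at its default (%any): the CGW has no
        # usable public address, so the VPN is identified by its certificate instead.
        remote_addrs = 203.0.113.10            # placeholder: AWS tunnel outside IP
        # Force UDP encapsulation so ESP always travels inside UDP/4500 (NAT-T)
        # instead of relying on the carrier's NAT being detected and ESP being allowed.
        encap = yes
        # Dead peer detection: when the carrier's NAT mapping expires, the CGW
        # notices and re-initiates, which is the only direction that can work here.
        dpd_delay = 10s
        proposals = aes256-sha256-modp2048
        local {
            auth = pubkey
            certs = cgw-cert.pem               # placeholder: CGW certificate
            # Identity must match the certificate subject, since no IP identifies this peer
            id = "CN=cgw.example.com"          # placeholder DN
        }
        remote {
            auth = pubkey
            # No id is pinned here (defaults to %any); the peer is accepted only if its
            # certificate chains to a CA in /etc/swanctl/x509ca.
        }
        children {
            aws-net {
                local_ts = 192.168.10.0/24     # placeholder: on-premises subnet
                remote_ts = 10.0.0.0/16        # placeholder: VPC CIDR
                # start_action = start makes this side the initiator; AWS can never
                # reach a CGNAT address, so the tunnel must be brought up from the CGW.
                start_action = start
                dpd_action = restart
                esp_proposals = aes256-sha256-modp2048
            }
        }
    }
}
```

With this configuration the only traffic the carrier must pass is outbound UDP/500 for IKE_SA_INIT and outbound UDP/4500 for the rest of the exchange and the encapsulated ESP; return traffic rides the NAT mapping those packets create.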
