
How to Setup Transit Gateway + Site to Site VPN and NAT Gateway?

6 min readDec 11, 2024

I have previously published two articles covering Transit Gateway and IPsec separately.

Photo by Thomas Jensen on Unsplash

They are here:

How to Setup IPSec Between 3 Linux Servers?
How to Enable Peering Between Multiple (Inter-Region) VPCs via Transit Gateway?

In this article, I’ll walk through establishing the transit gateway and site-to-site VPN together.

Following that tutorial, with a small change to the configuration, I set up a Linux virtual machine on DigitalOcean and installed strongSwan.

The auto parameter of the strongSwan connection will be set to add.

In IPsec only one side of the tunnel needs to initiate the negotiation; the other side just responds. In this tutorial, the AWS side will initiate the connection.

What is the difference between auto=add and auto=start? With auto=add strongSwan loads the connection at startup and waits for the peer to initiate; with auto=start it loads the connection and immediately initiates IKE itself (a third option, auto=route, installs a trap policy and initiates on the first packet that matches the tunnel).

The network configuration of the DigitalOcean instance is as follows:

Public IP Address: 164.92.144.165
Private IP Address: 10.110.0.2
Subnet: 10.110.0.0/20

Create Customer Gateway and Transit Gateway

I’ll create a customer gateway:


Enter the public IP address of the peer (the DigitalOcean VM, 164.92.144.165) and a name for the customer gateway.

The customer gateway will be available:


I’ll create a transit gateway:


Name your transit gateway:


The transit gateway becomes available after a short while.

Initiate the VPN Connection

With both the customer gateway and the transit gateway available, we can create the VPN connection:

Fill in the VPN details:


Scroll down on the same page to enter a long random pre-shared key for each tunnel (if you leave the field empty, AWS generates one). The key for the tunnel you configure on the DigitalOcean side must be the same value that later goes into /etc/ipsec.secrets there.

Click the Create VPN connection button.

The VPN connection is created, and AWS generates two tunnels, each with its own public (outside) IP address:

Let’s examine the startup action:


The tunnel’s startup action is Default, which means Add: AWS loads the tunnel and waits for the customer gateway to initiate. As stated at the start of the article, the AWS side is going to initiate the VPN connection, so the startup action needs to be set to Start.

(This is the mirror image of the strongSwan setting: AWS Start initiates, strongSwan auto=add responds.)

Let’s change the tunnel’s configuration:


Select start:

The startup action will be changed:


Redirect the traffic from the VPC to the VPN

I have an EC2 instance running in a private subnet.

Public IP Address: N/A
Private IP Address: 172.16.8.157
Private Subnet: 172.16.8.0/24
VPC CIDR: 172.16.0.0/20

I am going to create another subnet to be used by the NAT gateway: 192.0.11.0/24.

Wait: the VPC is 172.16.0.0/20, but the new subnet is 192.0.x.x?

Yes. I will add a secondary CIDR block to the VPC:


Add a new IPv4 CIDR:


Add 192.0.0.0/20:


Added.

Why not 192.168.x.x? Because AWS does not allow a secondary CIDR from 192.168.0.0/16 on a VPC whose primary CIDR comes from 172.16.0.0/12; the full list of restricted and permitted blocks is here:

https://docs.aws.amazon.com/vpc/latest/userguide/vpc-cidr-blocks.html

Note that 192.0.0.0/20 is publicly routable address space (it also contains the special-purpose blocks 192.0.0.0/24 and 192.0.2.0/24), so hosts in this VPC lose the ability to reach any real host in that range. AWS also permits secondary CIDRs from 100.64.0.0/10, the carrier-grade NAT range, which avoids that collision.

Create a VPN subnet


Fill out the subnet form:


Click Create subnet.

The subnet gets created:


Let’s create a NAT gateway in this subnet. A NAT gateway with connectivity type Private is enough here: the translated traffic goes to the transit gateway, never to the internet.

It becomes available after a while.

Next I will update the route table of the subnet my EC2 instance lives in.

Route table:


I will add a route for the DigitalOcean subnet (10.110.0.0/20) with the NAT gateway I created for the VPN as its target:

Added:


Attach VPC To the Transit Gateway

The VPC has not been attached to the transit gateway yet. The VPN, on the other hand, was attached automatically when we selected the transit gateway during VPN creation.

Go to the Transit Gateway Attachments:

Add the VPC to the Transit Gateway:


Added:


Update Transit Gateway Route Table


Add a static route so that all traffic (0.0.0.0/0) arriving at the transit gateway is sent to the VPN attachment:

Any traffic? I assumed only 10.110.0.0/20 would be forwarded to the VPN.

Correct, and that is still all that gets there. Remember that the VPC route table only sends 10.110.0.0/20 from our private subnet towards the transit gateway (via the NAT gateway and the VPN subnet), so that is the only traffic that reaches the transit gateway and matches this default route. Return traffic for the VPC’s own CIDRs (172.16.0.0/20 and 192.0.0.0/20) matches the more specific routes that the VPC attachment propagates into the transit gateway route table.

So, if in the future you want to reach another subnet over the VPN, you only need to change the route table in the VPC; the transit gateway route table does not need to change.

The route table was updated:

The route shows state Blackhole because no VPN tunnel is up yet; it changes to Active once a tunnel is established.

Now go back to the VPN subnet and send all of its traffic to the transit gateway.

Go to the VPN subnet’s route table, choose Edit routes, and add a route for 0.0.0.0/0 with the transit gateway as the target. The route table is updated:
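The whole AWS side of the procedure above (customer gateway, transit gateway, static VPN with AWS-initiated tunnels, secondary CIDR, VPN subnet, NAT gateway, the two route tables, the VPC attachment and the transit gateway default route) as one Terraform configuration. This is an added example, not the article’s own code. It assumes things the article does not state: AWS provider 5.x, region eu-west-1, an existing VPC and private-subnet route table passed in as variables, a private NAT gateway, and BGP ASN 65000 for the customer gateway (the API requires an ASN even though routing is static).

```hcl
# Added example (not the article's code): the AWS side of the tutorial as Terraform.
# Assumptions not on the page: provider version, region, existing VPC and route table
# ids (variables), BGP ASN 65000, and a private NAT gateway.
terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = "~> 5.0" }
  }
}

provider "aws" {
  region = "eu-west-1" # assumption: the article does not name the region
}

variable "vpc_id" { type = string }                 # existing VPC, primary CIDR 172.16.0.0/20
variable "private_route_table_id" { type = string } # route table of the 172.16.8.0/24 subnet
variable "psk" {                                    # same string goes into /etc/ipsec.secrets
  type      = string
  sensitive = true
}

resource "aws_customer_gateway" "digitalocean" {
  bgp_asn    = 65000            # required by the API; unused with static routing
  ip_address = "164.92.144.165" # DigitalOcean VM public IP
  type       = "ipsec.1"
}

resource "aws_ec2_transit_gateway" "tgw" {
  description = "aws-digitalocean"
}

resource "aws_vpn_connection" "digitalocean" {
  customer_gateway_id = aws_customer_gateway.digitalocean.id
  transit_gateway_id  = aws_ec2_transit_gateway.tgw.id
  type                = "ipsec.1"
  static_routes_only  = true

  tunnel1_preshared_key = var.psk
  tunnel2_preshared_key = var.psk
  # "start": AWS initiates IKE, which pairs with auto=add on the strongSwan side
  tunnel1_startup_action = "start"
  tunnel2_startup_action = "start"
}

# Secondary CIDR for the VPN/NAT subnet (192.168.0.0/16 is not allowed here)
resource "aws_vpc_ipv4_cidr_block_association" "vpn" {
  vpc_id     = var.vpc_id
  cidr_block = "192.0.0.0/20"
}

resource "aws_subnet" "vpn" {
  vpc_id     = var.vpc_id
  cidr_block = "192.0.11.0/24"
  depends_on = [aws_vpc_ipv4_cidr_block_association.vpn]
}

# Private NAT gateway: its 192.0.11.x address is the only source DigitalOcean sees
resource "aws_nat_gateway" "vpn" {
  subnet_id         = aws_subnet.vpn.id
  connectivity_type = "private"
}

# Private subnet: DigitalOcean range -> NAT gateway
resource "aws_route" "private_to_digitalocean" {
  route_table_id         = var.private_route_table_id
  destination_cidr_block = "10.110.0.0/20"
  nat_gateway_id         = aws_nat_gateway.vpn.id
}

# VPN subnet: everything -> transit gateway
resource "aws_route_table" "vpn" {
  vpc_id = var.vpc_id
}

resource "aws_route" "vpn_default" {
  route_table_id         = aws_route_table.vpn.id
  destination_cidr_block = "0.0.0.0/0"
  transit_gateway_id     = aws_ec2_transit_gateway.tgw.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.vpc]
}

resource "aws_route_table_association" "vpn" {
  subnet_id      = aws_subnet.vpn.id
  route_table_id = aws_route_table.vpn.id
}

resource "aws_ec2_transit_gateway_vpc_attachment" "vpc" {
  transit_gateway_id = aws_ec2_transit_gateway.tgw.id
  vpc_id             = var.vpc_id
  subnet_ids         = [aws_subnet.vpn.id] # assumption: attach via the VPN subnet
}

# TGW default route table: everything that arrives at the TGW -> the VPN attachment.
# The VPC attachment propagates 172.16.0.0/20 and 192.0.0.0/20 as more specific routes.
resource "aws_ec2_transit_gateway_route" "to_vpn" {
  transit_gateway_route_table_id = aws_ec2_transit_gateway.tgw.association_default_route_table_id
  destination_cidr_block         = "0.0.0.0/0"
  transit_gateway_attachment_id  = aws_vpn_connection.digitalocean.transit_gateway_attachment_id
}

# The two outside IPs to use as "right" on the strongSwan side
output "tunnel_outside_ips" {
  value = [
    aws_vpn_connection.digitalocean.tunnel1_address,
    aws_vpn_connection.digitalocean.tunnel2_address,
  ]
}
```

The route to the transit gateway in the VPN subnet is created only after the VPC attachment exists, otherwise the API rejects it; the transit gateway route to the VPN attachment shows as Blackhole in the console until a tunnel comes up, exactly as in the screenshots above.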

I will now update the IPsec configuration on the DigitalOcean VM. Here left is the DigitalOcean side and right is one of the two AWS tunnel outside IP addresses shown on the VPN connection page (only this one tunnel is configured):

root@digitalocean-vpn:~# cat /etc/ipsec.conf
config setup
    uniqueids = yes

conn aws-digitalocean-adil
    type=tunnel
    auto=add                    # load and wait; AWS (startup action Start) initiates
    authby=secret               # pre-shared key from /etc/ipsec.secrets
    leftsubnet=10.110.0.0/20    # DigitalOcean private network
    left=164.92.144.165         # DigitalOcean VM public IP (the customer gateway address)
    right=34.246.150.189        # AWS tunnel outside IP
    rightsubnet=192.0.11.0/24   # AWS VPN/NAT subnet; the 172.16.x instance is hidden behind the NAT gateway

And the pre-shared key, which must be the same value entered for this tunnel in the AWS console:

root@digitalocean-vpn:~# cat /etc/ipsec.secrets
# the index is the local IP; adding the AWS tunnel IP as a second index scopes the key to that peer
164.92.144.165 : PSK "add_some_long_string_here"
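The same strongSwan setup extended to both AWS tunnels, with IKEv2 and the algorithms pinned rather than left to defaults. This is an added example, not the article’s configuration, and it goes beyond the article by also using the second tunnel AWS created. It assumes two things the page does not show: the second tunnel’s outside IP (the placeholder TUNNEL2_OUTSIDE_IP, to be read from the VPN connection page) and that the tunnel options in AWS are still the defaults, which accept AES-256, SHA-256 and DH group 14 and use lifetimes of 28800 s (phase 1) and 3600 s (phase 2).

```conf
# Added example (not the article's file): /etc/ipsec.conf for both AWS tunnels.
# Assumptions: TUNNEL2_OUTSIDE_IP is a placeholder for the second tunnel's outside IP;
# AWS tunnel options are the defaults (AES-256/SHA-256/DH14 allowed, phase 1 lifetime
# 28800 s, phase 2 lifetime 3600 s).
config setup
    uniqueids = yes

conn %default
    keyexchange=ikev2
    type=tunnel
    authby=secret
    auto=add                     # responder only: AWS "Start" initiates both tunnels
    ike=aes256-sha256-modp2048!  # phase 1 proposal; '!' = accept nothing weaker
    esp=aes256-sha256-modp2048!  # phase 2 with PFS (DH group 14)
    ikelifetime=28800s           # match the AWS phase 1 lifetime
    lifetime=3600s               # match the AWS phase 2 lifetime
    dpddelay=10s
    dpdaction=clear              # tear down a dead SA without initiating from this side
    left=164.92.144.165          # DigitalOcean VM public IP (customer gateway address)
    leftid=164.92.144.165
    leftsubnet=10.110.0.0/20     # DigitalOcean private network
    rightsubnet=192.0.11.0/24    # AWS VPN/NAT subnet only; EC2 is hidden behind the NAT gateway

conn aws-tunnel1
    right=34.246.150.189         # tunnel 1 outside IP from the VPN connection page
    rightid=34.246.150.189       # AWS identifies itself by the outside IP

conn aws-tunnel2
    right=TUNNEL2_OUTSIDE_IP     # placeholder: tunnel 2 outside IP from the same page
    rightid=TUNNEL2_OUTSIDE_IP

# /etc/ipsec.secrets: one PSK per tunnel, indexed by both peer addresses
# 164.92.144.165 34.246.150.189 : PSK "tunnel-1-psk-from-the-aws-console"
# 164.92.144.165 TUNNEL2_OUTSIDE_IP : PSK "tunnel-2-psk-from-the-aws-console"
```

Reload with ipsec reload and check ipsec statusall; both conns should show ESTABLISHED once AWS has initiated them. Because the two conns have identical traffic selectors, strongSwan installs a single outbound policy and DigitalOcean-originated traffic leaves over whichever CHILD_SA was installed most recently; this gives failover, not load balancing. If you would rather have the DigitalOcean side recover a dead tunnel itself, use dpdaction=restart, at the cost of both sides being initiators.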

After loading the new configuration (ipsec reload), the VPN connection shows as UP in the console. Only one of the two tunnels comes up, since the second tunnel is not configured on the DigitalOcean side:


Route state is no longer a blackhole:


I set up an Nginx server on the DigitalOcean VM and will connect to it from the EC2 instance.

IP configuration and traceroute output from EC2:

Remember that 192.0.11.111 is the private IP address of the NAT gateway. The DigitalOcean side sees the EC2 instance’s traffic with that source address, which is why it appears in the traceroute output and why rightsubnet on the DigitalOcean side is 192.0.11.0/24 rather than 172.16.8.0/24.
