
I already searched through the Internet and read a lot of manuals but I cannot get a grip on the topic.

I want to create a VPN connection from my customer's Checkpoint to my server that is located within my AWS VPC. The connection should be between, I guess, an Internet gateway on the AWS side and my customer's Checkpoint router.

The customer uses a Checkpoint router with a public IP address. What I already know so far is that I need to create a customer gateway with my customer's public IP address - this is what I did.

Now I do not get it straight. Do I need the following setup:

VPC: which ip: public or private? instance: public or private ip? Internet gateway or virtual private gateway, and which ip (public or private) for IGW or VPG?

In reality I would need a router/gateway with NAT, and then I can create a VPN from my customer's Checkpoint to my router. But I do not really understand how I have to configure it in AWS.

Maybe someone has an easy to follow setup tutorial or can describe me what to do exactly?

Thank you very much in advance

Bernd
  • What is a "checkpoint" in this context? – jordanm Mar 03 '23 at 19:28
  • The Checkpoint is the customer's router, and it is configured with a public IP. Now they want to establish a VPN tunnel to our instance that is located within our AWS, but I do not know what to use exactly: Internet Gateway?, IP address, etc. – Bernd Mar 03 '23 at 19:40
  • If the customer is in AWS, you can use VPC peering or privatelink without a VPN. If they are not in AWS, then it depends on what your customer has available. – jordanm Mar 03 '23 at 20:57

1 Answer

If the customer is not already in AWS, there are multiple ways for VPN:

  1. AWS Direct Connect (which is like virtual LAN cable)
  2. AWS Site-To-Site VPN (IPSec)
  3. Custom Site-To-Site VPN

You say that you want the third option: a custom one can be set up in various ways and is only partially related to AWS. But I think that "checkpoint" is actually this device? If that is the case you can use AWS Site-To-Site VPN (which is IPSec based) and you should be able to connect it with this guide (AWS supports Checkpoint Gaia >=R80.10+).

Note that AWS Site-To-Site VPN is billed hourly when provisioned, even if not connected/used.


If you really need the third option, a custom Site-To-Site VPN, then you have to do the following:

  • Create a VPC with an Internet Gateway (IGW)
  • Place an EC2 instance with an Elastic IP in the VPC (= static IP)
  • Install the custom VPN software on the EC2 instance and configure it (details depend on the use-case and the VPN software)
Augunrik
  • Thank you very much for your detailed explanation! I just have one last question. I think I will go for the third option. They want to establish a connection between their Checkpoint device and our Internet Gateway. Is this possible in this scenario, or will the VPN connection be between the EC2 instance and the Checkpoint device? I am asking that rather silly question because they already provided me with a pre-shared key and maybe the Internet Gateway is not capable of handling this pre-shared key. Thank you very much! – Bernd Mar 04 '23 at 13:31
  • An internet gateway (IGW) can't create a VPN, it only provides internet access to a VPC. If they provided you with a pre-shared key, they have a specific solution in mind. Industry standard is IPSec. The Site-To-Site VPN link above also mentions pre-shared keys; but I'm no IPSec expert. – Augunrik Mar 04 '23 at 13:34
  • Okay, then I have to go for the second option you provided me: AWS Site-To-Site VPN (IPSec), because here we use a pre-shared key. The only thing I could not figure out is where do I get the public IP for our AWS side? I thought it must be at the Virtual Private Gateway, but I was wrong. Then I configured the customer gateway with the public IP from our customer, our VPG and so forth. But what I never could figure out is how does the customer know which public IP he must connect to? – Bernd Mar 04 '23 at 14:10
  • The AWS Site-To-Site VPN will have a custom IP when you configure it or you can assign one. At this point I guess you have to try it out and/or go through the linked docs; they provide deeper guidance than 500chars can. – Augunrik Mar 04 '23 at 14:19
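
The following Terraform configuration is an added example, not code from the question or the answer, and it shows the second option discussed above (AWS Site-To-Site VPN over a virtual private gateway) end to end. It also answers the last question in the thread: the public IPs the customer must connect to are the two tunnel endpoint addresses AWS allocates to the VPN connection, exposed here as outputs. All concrete values are placeholders: the region, the VPC and subnet CIDRs, the customer's public IP `203.0.113.10` (documentation range), the on-premises network `10.100.0.0/16`, and the variable names `customer_public_ip`, `customer_cidr` and `tunnel1_psk`.

```hcl
# Added example (not from the question or the answer): AWS Site-to-Site VPN
# between a customer's Check Point gateway and a VPC, using a virtual private
# gateway with static routing. All values below are placeholders.

terraform {
  required_providers {
    aws = { source = "hashicorp/aws", version = ">= 5.0" }
  }
}

provider "aws" {
  region = "eu-central-1" # assumption: any region works
}

variable "customer_public_ip" {
  description = "Public IP of the customer's Check Point gateway (placeholder)"
  type        = string
  default     = "203.0.113.10"
}

variable "customer_cidr" {
  description = "On-premises network behind the Check Point (placeholder)"
  type        = string
  default     = "10.100.0.0/16"
}

# Pre-shared key supplied by the customer. Left unset (null) AWS generates one.
# AWS requires 8-64 characters: letters, digits, '.' and '_', not starting with 0.
variable "tunnel1_psk" {
  type      = string
  default   = null
  sensitive = true
}

# The VPC only needs private addresses. Instances reached over the VPN need
# neither a public IP nor an Internet Gateway; the IGW is not part of the VPN.
resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
  tags       = { Name = "vpn-demo" }
}

resource "aws_subnet" "private" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.0.1.0/24"
}

# Customer gateway: AWS's record of the customer's device and its public IP.
resource "aws_customer_gateway" "checkpoint" {
  bgp_asn    = 65000 # required by the API even with static routing
  ip_address = var.customer_public_ip
  type       = "ipsec.1"
  tags       = { Name = "customer-checkpoint" }
}

# Virtual private gateway: the VPC-side termination point. It carries no
# public IP of its own; the public endpoints belong to the VPN connection.
resource "aws_vpn_gateway" "vgw" {
  vpc_id = aws_vpc.main.id
  tags   = { Name = "vpn-demo-vgw" }
}

# The VPN connection. AWS allocates two public tunnel endpoint addresses and
# one pre-shared key per tunnel (or uses the key passed in tunnel1_preshared_key).
resource "aws_vpn_connection" "to_customer" {
  vpn_gateway_id        = aws_vpn_gateway.vgw.id
  customer_gateway_id   = aws_customer_gateway.checkpoint.id
  type                  = "ipsec.1"
  static_routes_only    = true
  tunnel1_preshared_key = var.tunnel1_psk
}

# Tell AWS which on-premises prefix lives behind the customer gateway.
resource "aws_vpn_connection_route" "customer" {
  destination_cidr_block = var.customer_cidr
  vpn_connection_id      = aws_vpn_connection.to_customer.id
}

# Propagate the VPN route into the VPC's main route table so replies
# to 10.100.0.0/16 leave through the VGW instead of being dropped.
resource "aws_vpn_gateway_route_propagation" "main" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = aws_vpc.main.main_route_table_id
}

# These two addresses are "the public IP of the AWS side" the customer asks for.
output "aws_tunnel_endpoints" {
  value = [
    aws_vpn_connection.to_customer.tunnel1_address,
    aws_vpn_connection.to_customer.tunnel2_address,
  ]
}

# Vendor-neutral device configuration AWS generates; it contains the PSKs,
# so it is marked sensitive and should be handed over out of band.
output "customer_gateway_configuration" {
  value     = aws_vpn_connection.to_customer.customer_gateway_configuration
  sensitive = true
}
```

After `terraform apply`, `terraform output aws_tunnel_endpoints` prints the two AWS-side public IPs to give to the customer, and `terraform output -raw customer_gateway_configuration` prints the generated device configuration. Security groups on the instances still apply to VPN traffic, so restrict ingress to `var.customer_cidr` rather than `0.0.0.0/0`; the VPN only provides the path, not authorization.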