How do I create a certificate-based VPN using AWS Site-to-Site VPN?

Last updated: 2020-03-13

I want to build a certificate-based IP Security (IPSec) VPN using AWS Site-to-Site VPN. How can I do this?

Short Description

AWS Site-to-Site VPN supports certificate-based authentication by integrating with AWS Certificate Manager Private Certificate Authority. Using digital certificates instead of pre-shared keys for IKE authentication, you can build IPSec tunnels with static or dynamic customer gateway IP addresses.

Resolution

Task 1: Create and install a root CA and a subordinate CA

The private certificate you'll create in task 2 must be issued by the subordinate CA. The subordinate CA must be in AWS Certificate Manager (ACM). If your CA is not in ACM, you can create a Certificate Signing Request (CSR) and import the signed subordinate CA into ACM.

Task 2: Create a private certificate to use as the identity certificate for your customer gateway
Note: You'll install this certificate in task 5.

Task 3: Create a customer gateway for your VPN connection

  1. Open the Amazon Virtual Private Cloud (Amazon VPC) console.
  2. Choose Customer Gateways, and then choose Create Customer Gateway.
  3. For Name, specify a name for your customer gateway.
  4. For Routing, select the routing type for your use case.
  5. Leave the IP Address field empty if your customer gateway IP address is dynamic. If your customer gateway IP address is static, you can leave this field empty, or you can specify the IP address.
  6. For Certificate ARN, choose the certificate ARN that you created in task 2.
  7. (Optional) For Device, specify a device name.
  8. Choose Create Customer Gateway.

Task 4: Configure the AWS Site-to-Site VPN connection with a virtual private gateway

Task 5: Copy the end entity certificate (the private certificate that you created in task 2), root CA certificate, and subordinate CA certificate to the customer gateway device

Note: The customer gateway presents the end entity certificate when requested by the AWS VPN endpoint for authentication. The customer gateway device must have all the certificates present (subordinate CA certificate and root CA certificate). If the customer gateway device doesn't have these certificates, VPN authentication fails when the AWS VPN endpoint presents its own certificate.


Did this article help you?

Anything we could improve?


Need more help?