(Unpublished) Configure Tunnels with AWS Native IPsec

❗️

INTERNAL DOCS TEAM NOTE

Unpublished this November 2022 because the SIGINT team discovered problems with this method. PM has decided it's not supported at this point. We can turn it back on if/when whatever work needs to be done gets completed.

Use the AWS native VPN gateway to establish tunnels to Umbrella. This configuration assumes that a VPC is already deployed.

Table of Contents

• Create the AWS Virtual Private Gateways
• Create Customer Gateways
• Create AWS Site-to-Site VPN Connection
• Update Route Tables
• Configure Umbrella Private Access Tunnel
• Appendices

Create the AWS Virtual Private Gateways

1. Navigate to VPC > Virtual private network (VPN) > Virtual private gateways > Create virtual private gateway.

2. Once configured, attach the Virtual private gateway to your VPC. Click the Actions drop-down and select Attach to VPC.

3. Select the VPC from the drop-down list.

Create Customer Gateways

1. Navigate to VPC > Virtual private network (VPN) > Customer gateway > Create customer gateway.
2. Configure BGP ASN to be the Umbrella ASN 36692.
3. Identify the nearest Umbrella DC IP address and enter the same in the IP address field.

Create AWS Site-to-Site VPN Connection

1. Navigate to VPC > Virtual private network (VPN) > Site-to-Site VPN Connections > Create VPN connection.

2. Once the VPN tunnel is configured, click Modify VPN tunnel options.

3. Select the egress IP address of the site-to-site VPN.

4. Copy the Pre-shared key and save it on your device.

5. Configure the VPN parameters as shown below:

6. Click Save Changes.

Update Route Tables

1. Navigate to VPC > Virtual private cloud > Route tables.
2. Click Add Route.
3. Enter 0.0.0.0/0 in the Destination field.
4. Select a Virtual Private Gateway from the dropdown list as created in the first section.

5. Click Save Changes.

Configure Umbrella Private Access Tunnel

1. Navigate to Deployments > Network Tunnels.
2. Click Add.
3. Enter the tunnel details.

4. Select the Service Type. Under Client Reachable Prefixes, enter all public and private address ranges used internally by your organization.

5. Select IP Address/Network as the Authentication Method.
6. Enter the Passphrase and confirm.
   Note: Passphrase is the Pre-shared key copied in step 4.
7. Click Save.

8. Navigate to Deployments > Core Identities > Network Tunnels to verify the tunnel status.

Appendices

• Azure site to site VPN configuration guide

  https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal

• Umbrella Cloud Firewall

  https://docs.umbrella.com/deployment-umbrella/v1.0.6/docs/manage-firewall
  https://docs.umbrella.com/umbrella-user-guide/docs/supported-ipsec-parameters

• Cisco Cloud Services Router (CSR) 1000V

  https://www.cisco.com/c/en/us/td/docs/routers/csr1000/software/azu/b_csr1000config-azure.html
  https://www.cisco.com/c/en/us/support/docs/ip/internet-key-exchange-ike/115934-technote-ikev2-00.html

---

Configure Tunnels with Cisco Router in AWS < Configure Tunnels with AWS Native IPsec > Configure Tunnels with Azure IPsec