Static Route-Based External Connection (Unmapped)
This document describes the workflow to create a Static Route-Based (Unmapped) connection.
Connect to a remote site that supports route-based VPN from a Spoke Gateway.
In this document, Local Gateway refers to the Aviatrix gateway that you want to connect to a remote device.
External Connection Settings
For information about the options that you can configure for a Site2Cloud (S2C) external connection, refer to About External Connection Settings.
Workflow
To set up a Static Route-Based (Unmapped) external connection:
1. In Aviatrix CoPilot, go to Networking > Connectivity > External Connections (S2C) tab.
2. From the + External Connection dropdown menu, select External Device.
3. In Create External Connection to External Device, provide the following information:
   Name: A name for this connection.
   Type: Select Static Routing over IPsec.
   Static Routing Type: Select Unmapped NAT.
   Local Gateway: The Local Gateway that you want to connect to a remote device.
   Local Subnet CIDR(s): The subnet CIDR range(s) for this local gateway. The Local Subnet field can contain multiple values; use a comma to separate them. If a Local Subnet CIDR is outside the gateway VPC/VNet, you must open the gateway's inbound security groups to allow traffic from the Local Subnet CIDR ranges.
   Remote Device Type: The remote device type.
   - Generic: Use this option for most third-party routers and firewalls.
   - Aviatrix: Use this option when terminating on Aviatrix cloud gateways or for peering Controllers in different networks.
   Any other remote devices listed here are only valid with Controller version 6.7 or lower. If you are using a higher Controller version, select only Generic or Aviatrix.
   Remote Subnet CIDR(s): The subnet CIDR range(s) for the remote device or the on-premises gateway you are connecting to the cloud. The Remote Subnet field can contain multiple values; use a comma to separate them.
4. In the IPsec Configuration section, provide the following information:
   Attach Over: The underlying infrastructure of your network.
   - Private Network: Your underlying infrastructure is a private network, such as AWS Direct Connect or Azure ExpressRoute. When this option is selected, BGP over IPsec runs over private IP addresses.
   - Public Network: Your underlying infrastructure is a public network or the internet. When this option is selected, BGP over IPsec runs over public IP addresses.
   Algorithms: The encryption algorithm and protocol used to authenticate and protect communication between the Local Gateway and the remote device.
   - Default: Uses the Aviatrix-supported encryption algorithm default values.
   - Custom: Allows you to modify any of the following fields:
     - Phase 1 Authentication
     - Phase 1 DH Groups
     - Phase 1 Encryption
     - Phase 2 Authentication
     - Phase 2 DH Groups
     - Phase 2 Encryption
   Internet Key Exchange: Internet Key Exchange (IKE) is the protocol used for authentication and encryption of packets between the Aviatrix gateway and the on-premises device.
   - IKEv1: Connects to the remote site using the IKEv1 protocol. If you configure IKEv1 in a connection that uses certificate-based authentication and connects to another Aviatrix device, you must add the intermediate CAs in addition to the root CA. When an intermediate CA is renewed and re-authentication is attempted, the connection goes down until you add the new certificate.
   - IKEv2: Connects to the remote site using the IKEv2 protocol. This is the recommended protocol.
5. In the Authentication section, provide the following information:
   Authentication Method: The authentication method to use for the connection. You can authenticate the connection using Pre-Shared Key or Certificate-Based authentication.
   - Pre-Shared Key: If you select Pre-Shared Key (PSK) authentication, you can provide the PSK when prompted (this is optional).
   - Certificate: If you select certificate-based authentication, in the Remote CA Certificate field, select the certificate you uploaded from your remote device.
6. In the Tunnel Configuration section, provide the following information:
   Single IP High Availability: Enable this setting to set up High Availability (HA) instances for each new connection, which can come up if the primary instance goes down. When active, each standby instance uses the same IP address toward the remote connection.
   Remote Device IP: The remote device's interface IP address.
   Pre-Shared Key (Optional): If Pre-Shared Key authentication is selected, enter the Pre-Shared Key configured on the remote device. If a Pre-Shared Key is not specified, the system auto-generates a key.
   Remote Identifier SAN: If Certificate-based authentication is selected, enter the Subject Alternative Name (SAN) of the remote CA Certificate.
7. Click Save.
The new static route-based external connection appears in the table.
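The following is an added pre-flight check for the form values above; it is example code, not part of Aviatrix CoPilot or this document. It parses the comma-separated Local and Remote Subnet CIDR fields, flags any local CIDR that falls outside the gateway VPC/VNet (the case that requires opening the gateway's inbound security groups), flags overlapping local and remote CIDRs (my own assumption: an Unmapped connection has no NAT to resolve overlap), and warns when IKEv1 is chosen or certificate authentication is used without a Remote Identifier SAN. The gateway VPC CIDR and the S2CConnection field names are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class S2CConnection:
    """Values as typed into the Create External Connection form (field names are assumed)."""
    name: str
    local_subnets: str           # "Local Subnet CIDR(s)", comma-separated
    remote_subnets: str          # "Remote Subnet CIDR(s)", comma-separated
    gateway_vpc_cidr: str        # assumed: CIDR of the VPC/VNet hosting the Local Gateway
    ike_version: str = "IKEv2"   # "IKEv1" or "IKEv2"
    auth_method: str = "PSK"     # "PSK" or "Certificate"
    remote_identifier_san: str = ""


def parse_cidrs(text):
    """Split a comma-separated CIDR field and parse each entry strictly (host bits must be zero)."""
    return [ipaddress.ip_network(c.strip(), strict=True) for c in text.split(",") if c.strip()]


def check_connection(conn):
    """Return the findings a reviewer would raise before clicking Save (empty list = clean)."""
    findings = []
    local = parse_cidrs(conn.local_subnets)
    remote = parse_cidrs(conn.remote_subnets)
    vpc = ipaddress.ip_network(conn.gateway_vpc_cidr)
    # Unmapped routing: local and remote address space must not overlap.
    for l in local:
        for r in remote:
            if l.version == r.version and l.overlaps(r):
                findings.append(f"overlap: local {l} overlaps remote {r}")
    # Local CIDRs outside the gateway VPC/VNet need inbound security-group rules on the gateway.
    for l in local:
        if l.version != vpc.version or not l.subnet_of(vpc):
            findings.append(f"security-group: local {l} is outside gateway VPC {vpc}; "
                            "allow it on the gateway inbound security groups")
    if conn.ike_version == "IKEv1":
        findings.append("ike: IKEv1 selected; IKEv2 is the recommended protocol")
    if conn.auth_method == "Certificate" and not conn.remote_identifier_san:
        findings.append("auth: certificate authentication requires a Remote Identifier SAN")
    return findings


if __name__ == "__main__":
    # Constructed sample: second local subnet lies outside the gateway VPC.
    sample = S2CConnection("site-a", "10.1.0.0/24, 10.2.0.0/24", "192.168.0.0/24", "10.1.0.0/16")
    for finding in check_connection(sample):
        print(finding)
```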