Static Route-Based External Connection (Custom Mapped)

Supported Gateways

Spoke Gateway that is not BGP enabled in AWS, Azure, and GCP

External Connection Settings

For information about the options that you can configure for a Site2Cloud (S2C) external connection, refer to About External Connection Settings.

Workflow

To set up a Static Route-Based (Mapped) external connection:

In Aviatrix CoPilot, go to Networking > Connectivity > External Connections (S2C) tab.
From the + External Connection dropdown menu, select External Device.

In Create External Connection to External Device, provide the following information:

Field	Description
Name	A name for the connection.
Type	Select Static Routing over IPsec
Static Routing Type	Select Mapped NAT
Custom Mapped	To create a Custom Mapped connection, click on the Custom Mapped toggle switch to turn it On.
Local Gateway	The Local Gateway on which you want to create an external connection to a remote device.
Local Gateway	The name of the local gateway. This is the gateway in the cloud that will connect to an on-prem gateway or device.
Remote Device Type	Generic - Use this option for most third-party routers and firewalls. Aviatrix - When terminating on Aviatrix cloud gateways or for peering Controllers in different networks. In the Local Initiated Traffic section, provide the following information:

Field

Description

Name

A name for the connection.

Type

Select Static Routing over IPsec

Static Routing Type

Select Mapped NAT

Custom Mapped

To create a Custom Mapped connection, click on the Custom Mapped toggle switch to turn it On.

Local Gateway

The Local Gateway on which you want to create an external connection to a remote device.

Local Gateway

The name of the local gateway. This is the gateway in the cloud that will connect to an on-prem gateway or device.

Remote Device Type

Generic - Use this option for most third-party routers and firewalls.
Aviatrix - When terminating on Aviatrix cloud gateways or for peering Controllers in different networks.

In the Local Initiated Traffic section, provide the following information:

Field

Description

Real Source Subnet CIDR(s)

Specify a list of the source network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Local Subnets are advertised to Remote Subnets that the connection can reach. Examples of real local subnets are 172.16.1.0/24, 172.16.2.0/24.

If the Source Subnet field is outside of gateway VPC/VNet, you need to open the gateway inbound security groups to allow the Source Subnet network CIDR ranges.

If you enter multiple real subnets, you must configure an equal number of virtual subnets. One-to-one mapping is supported if both sides are configured properly. The Remote and Source Subnet fields can contain multiple values. If the Source Subnet field is outside the gateway VPC/VNet, you must open the gateway inbound security groups to allow the Source Subnet network CIDR ranges.

Virtual Source Subnet CIDR(s)

Specify a list of virtual source network CIDRs that are mapped to the real source subnet (for example, for the real CIDRs listed above for the real source subnet, you can have these virtual source subnets: 192.168.7.0/24, 192.168.8.0/24).

Real Destination Subnet CIDR(s)

Specify a list of the source network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Destination Subnets are advertised to Remote Subnets that the connection can reach. Examples of real local subnets are 172.16.1.0/24, 172.16.2.0/24.

If the Destination Subnet field is outside of gateway VPC/VNet, you need to open the gateway inbound security groups to allow the Destination Subnet network CIDR ranges.

If you enter multiple real subnets, you must configure an equal number of virtual subnets. One-to-one mapping is supported if both sides are configured properly. The Remote and Local Subnet fields can contain multiple values. If the Destination Subnet field is outside the gateway VPC/VNet, you must open the gateway inbound security groups to allow the Destination Subnet network CIDR ranges.

Virtual Destination Subnet CIDR(s)

Specify a list of the source network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Local Subnets are advertised to Remote Subnets that the connection can reach. Examples of real local subnets are 172.16.1.0/24, 172.16.2.0/24.

If the Source Subnet field is outside of gateway VPC/VNet, you need to open the gateway inbound security groups to allow the Source Subnet network CIDR ranges.

If you enter multiple real subnets, you must configure an equal number of virtual subnets. One-to-one mapping is supported if both sides are configured properly. The Remote and Source Subnet fields can contain multiple values. If the Source Subnet field is outside the gateway VPC/VNet, you must open the gateway inbound security groups to allow the Source Subnet network CIDR ranges.

In the Remote Initiated Traffic section, provide the following information:

Field

Description

Real Source Subnet CIDR(s)

Specify a list of the source network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Local Subnets are advertised to Remote Subnets that the connection can reach. Examples of real local subnets are 172.16.1.0/24, 172.16.2.0/24.

If the Source Subnet field is outside of gateway VPC/VNet, you need to open the gateway inbound security groups to allow the Source Subnet network CIDR ranges.

If you enter multiple real subnets, you must configure an equal number of virtual subnets. One-to-one mapping is supported if both sides are configured properly. The Remote and Source Subnet fields can contain multiple values. If the Source Subnet field is outside the gateway VPC/VNet, you must open the gateway inbound security groups to allow the Source Subnet network CIDR ranges.

Virtual Source Subnet CIDR(s)

Specify a list of virtual source network CIDRs that are mapped to the real source subnet (for example, for the real CIDRs listed above for the real source subnet, you can have these virtual source subnets: 192.168.7.0/24, 192.168.8.0/24).

Real Destination Subnet CIDR(s)

Specify a list of the source network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Destination Subnets are advertised to Remote Subnets that the connection can reach. Examples of real local subnets are 172.16.1.0/24, 172.16.2.0/24.

If the Destination Subnet field is outside of gateway VPC/VNet, you need to open the gateway inbound security groups to allow the Destination Subnet network CIDR ranges.

If you enter multiple real subnets, you must configure an equal number of virtual subnets. One-to-one mapping is supported if both sides are configured properly. The Remote and Local Subnet fields can contain multiple values. If the Destination Subnet field is outside the gateway VPC/VNet, you must open the gateway inbound security groups to allow the Destination Subnet network CIDR ranges.

Virtual Destination Subnet CIDR(s)

Specify a list of the source network CIDRs that will be encrypted. If left blank, the full CIDR is used. If you enter a value, make sure you include the VPC/VNet as well. These Local Subnets are advertised to Remote Subnets that the connection can reach. Examples of real local subnets are 172.16.1.0/24, 172.16.2.0/24.

If the Source Subnet field is outside of gateway VPC/VNet, you need to open the gateway inbound security groups to allow the Source Subnet network CIDR ranges.

If you enter multiple real subnets, you must configure an equal number of virtual subnets. One-to-one mapping is supported if both sides are configured properly. The Remote and Source Subnet fields can contain multiple values. If the Source Subnet field is outside the gateway VPC/VNet, you must open the gateway inbound security groups to allow the Source Subnet network CIDR ranges.

In the IPsec Configuration section, provide the following information:

Field

Description

Attach Over

The underlying infrastructure of your network.

Private Network: Your underlying infrastructure is a private network, such as AWS Direct Connect and Azure ExpressRoute. When this option is selected, BGP over IPsec runs over private IP addresses.
Public Network: Your underlying infrastructure is a public network or the internet. When this option is selected, BGP over IPsec runs over public IP addresses.

Algorithms

The encryption algorithm and protocol to use for authenticating the communication between the Local gateway and the remote device.

Default: Uses the Aviatrix-supported encryption algorithm default values.
Custom: Allows you to modify any of the fields defined below.
- Phase 1 Authentication
- Phase 1 DH Groups
- Phase 1 Encryption
- Phase 2 Authentication
- Phase 2 DH Groups
- Phase 2 Encryption

Internet Key Exchange

Internet Key Exchange (IKE) is the protocol used for authentication and encryption of packets between the Aviatrix gateway and the on-premises device.

IKEv1: Connects to the remote site using IKEv1 protocol.

If you configure IKEv1 in a connection that uses certificate-based authentication and is connecting to another Aviatrix device, you must add the intermediate CAs in addition to the root CA. When an intermediate CA is renewed and re-authentication is attempted, the connection will go down until you add the new certificate.

IKEv2: Connects to the remote site using IKEv2 protocol. This is the recommended protocol.

In the Authentication section, provide the following information:

Field	Description
Authentication Method	The authentication method to use for the connection. Pre-Shared Key: If you select Pre-Shared Key (PSK) authentication, you can provide the PSK when prompted (this is optional). Certificate: If you select certificate-based authentication, in the Remote CA Certificate field, select the certificate you uploaded from your remote device.

Field

Description

Authentication Method

The authentication method to use for the connection.

Pre-Shared Key: If you select Pre-Shared Key (PSK) authentication, you can provide the PSK when prompted (this is optional).
Certificate: If you select certificate-based authentication, in the Remote CA Certificate field, select the certificate you uploaded from your remote device.

In the Tunnel Configuration section, provide the following information:

Field	Description
Single IP HA	Enable this setting to set up High Availability (HA) instances for each new connection that can go up if the primary instance goes down. When active, each standby instance will use the same IP address as the remote connection.
Remote Device IP	The remote device’s interface IP address.
Local Gateway Instance	The Local Gateway’s IP address.
Pre-Shared Key (Optional)	The Pre-Shared Key configured on the remote device. If a Pre-Shared Key is not specified, the system auto-generates a key.
Remote Identifier SAN	If certificate-based authentication is selected, enter the Subject Alternative Name(SAN) of the remote CA Certificate.

Field

Description

Single IP HA

Enable this setting to set up High Availability (HA) instances for each new connection that can go up if the primary instance goes down. When active, each standby instance will use the same IP address as the remote connection.

Remote Device IP

The remote device’s interface IP address.

Local Gateway Instance

The Local Gateway’s IP address.

Pre-Shared Key (Optional)

The Pre-Shared Key configured on the remote device. If a Pre-Shared Key is not specified, the system auto-generates a key.

Remote Identifier SAN

If certificate-based authentication is selected, enter the Subject Alternative Name(SAN) of the remote CA Certificate.

Click Save.

The new static route-based external connection appears in the table.